CAN-SPAM one year later: more spam than ever. Spam has more than doubled from 15 billion messages in 2003 to an estimated 35 billion in 2004. Is anyone really surprised? From the article: “The FTC says the goal of the act was never to cut down on spam but to give recipients control via the opt-out component.” Hmm, that might be part of why groups like Spamhaus were calling it the “You Can Spam” act. (via The War on Spam)

Webroot identifies the Top 10 “Most Unwanted” Spyware programs, using the “P-I Index…. P is for prevalence, I is for insidiousness.” The “winners” include pop-up generators, keystroke loggers, autodialers and the like. (via Aunty Spam’s Net Patrol)

Finally, there are several fixes and work-arounds for the pop-up window spoofing vulnerability I wrote about last week. There’s the all-inclusive method: close all other browser windows. Netcraft reports that Opera has issued a fix (7.54u1) and Safari is safe if pop-up blocking is enabled. I just got an email indicating that KDE has released a fix for Konqueror (expect that to start hitting distributions this week). No word yet on Firefox or IE, and while Microsoft has its monthly patch day tomorrow, I wouldn’t expect this to show up quite that soon.

[Photo: looking up past a bronze statue of a woman, seen from behind, toward an ornately carved balcony set in the wall of a three-level stone building with peaked windows and doors; vines trail from a wooden walkway one level above the balcony.] It seems that the city of Verona wants people to text-message “Juliet” (of Romeo and…) [note: originally linked to Reuters] instead of writing notes and sticking them to the walls with gum. (Too bad it wasn’t in Singapore.) Apparently the notes are damaging the walls of the 13th-century building, and they want to set up a screen and have people send text messages to it using the phone.

There’s a small courtyard with a balcony, a gift shop, and a statue of the Shakespearian heroine. According to the article it was originally an inn, but has long been associated with the Capulets. “Acquired by the council a century ago, it was officially designated ‘the house of Juliet’ in 1935.” I don’t recall seeing any notes on the walls when I was there in 1999. Either I’ve just forgotten, or it really has gotten worse in the last five years.

Here’s an online security story to freak you out: Security firm Secunia has found a loophole [Edit: originally linked to Yahoo! News] in basic browser window handling that can let any site plug its code into a pop-up window generated by any other site. That’s not just ads, that includes pop-up help files, password dialogs, you name it.

They even have a demonstration: Start the code going on their site, open up Citibank, then click on a button on the Citibank site and it’ll open a page from Secunia.

And it works in every major browser, for the simple reason that it uses standard functionality that no one has questioned until now: The ability to open a page in a particular frame or window. All you need to know is the name of that window, and you’re set. As long as it hides the toolbars (SOP for pop-up windows of all stripes), the user will never notice. There is a workaround, at least for Firefox and Mozilla users, but it’s ugly: prevent sites from hiding the location bar.

Actually, the functionality has been questioned before: last July, when Secunia found a similar problem in frames. The solution for that was to prevent a page in one window (or tab) from accessing frames in another. But it’s a little more challenging to decide which pages should be allowed to update a top-level window.

In the short term, sites wanting to protect themselves from being hijacked can probably help by randomizing the names of their pop-up windows. In the long term, browsers are going to have to figure out how to separate windows that should have the ability to load new pages from windows that shouldn’t, knowing that they’ll undoubtedly end up breaking some websites in the process.

(via The War on Spam)

CNET has posted a write-up of AOL’s new Netscape prototype based on Firefox, as well as a screenshot. It seems to be a combination of Firefox + theme + bundled extensions… plus a mode that embeds Internet Explorer for compatibility.

There are some nice ideas: adapting Firefox’s RSS capabilities to create a headline ticker, for instance, and the Firefox team has been talking about bundling extensions since it was called Phoenix. As for the embedded IE mode… on one hand it provides a convenient solution to the biggest criticism laid on all non-IE browsers: they don’t render pages exactly the way IE does. But it comes at the cost of all the security risks inherent in IE itself. It does remind me of the “View with Gecko” option Konqueror used to have (and probably still does on some systems).

But the clutter… The sheer number of buttons, icons, widgets etc. in that screenshot is staggering. Even after installing the web developer extension I don’t think I have that many buttons on Firefox. 3+ buttons on the tab bar, 3 icons on each tab…. I hope that CNET was just enabling every feature they could find to get them all in one screenshot, but if AOL is trying to bill it as “easier” than Firefox (which was created with a simple user interface as a design goal), they’ve got to try another approach.

Update (via WaSP): It seems BetaNews has more information on the dual-engine setup. Apparently they do have security settings to mitigate the IE issues… but then so does IE, and we all know how well that’s worked. Also, another screenshot, which looks even more cluttered than CNET’s. I think this will be a browser that requires you to run it maximized at 2000×1500. (Also of note: Firefox developer Blake Ross’ Open Letter to Netscape and Henrik Gemal’s collection of screenshots.)

Further Update: MozillaZine has posted a more thorough review.