<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>winJade &#187; PROTIP</title>
	<atom:link href="http://winjade.net/tag/protip/feed/" rel="self" type="application/rss+xml" />
	<link>http://winjade.net</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Mon, 08 Feb 2010 02:00:33 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Microsoft AdCenter Analytics bites the dust</title>
		<link>http://winjade.net/2009/03/microsoft-adcenter-analytics-bites-the-dust/</link>
		<comments>http://winjade.net/2009/03/microsoft-adcenter-analytics-bites-the-dust/#comments</comments>
		<pubDate>Thu, 12 Mar 2009 19:12:43 +0000</pubDate>
		<dc:creator>Bryant Zadegan</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[AdCenter]]></category>
		<category><![CDATA[AdCenter Analytics]]></category>
		<category><![CDATA[Analytics]]></category>
		<category><![CDATA[dead]]></category>
		<category><![CDATA[lots o' dust]]></category>
		<category><![CDATA[PROTIP]]></category>
		<category><![CDATA[What's Done]]></category>

		<guid isPermaLink="false">http://www.aeroxp.org/2009/03/microsoft-adcenter-analytics-bites-the-dust/</guid>
		<description><![CDATA[Before Google Analytics, most content publishers relied on effective-but-obscure third-party analytics tools for measuring web traffic. AWStats, still used by many, is one of the best tools for this purpose since it tracks hits server-side instead of through JavaScript (which some browsers actively strip, thus reducing the quality of information provided by Google Analytics).
Google Analytics [...]]]></description>
			<content:encoded><![CDATA[<p>Before Google Analytics, most content publishers relied on effective-but-obscure third-party analytics tools for measuring web traffic. AWStats, still used by many, is one of the best tools for this purpose since it tracks hits server-side instead of through JavaScript (which some browsers actively strip, thus reducing the quality of information provided by Google Analytics).</p>
<p>Google Analytics came along, and (thanks to the assumption that Google is great at everything) singlehandedly convinced many publishers to rely on Google Analytics instead of tools available to most publishers on their web servers. Granted, Google Analytics was easier to access and read, but it still didn’t provide as much raw data as most web developers and content pushers needed.</p>
<p>Then came Microsoft’s own analytics tool, tied to its beta advertising program, titled “AdCenter Analytics.” If you take a look at the HTML source for this page and look at the bottom, you’ll see that we’ve got both Google Analytics and AdCenter Analytics running, which provides us with a unique insight into how they both work. Keeping it brief, Microsoft’s tools provided far more usable information and were generally easier to navigate than Google Analytics, and while I use both, I’m likely going to keep using AdCenter for as long as possible, which brings me to the subject of its closure.</p>
<p>Microsoft put out this email to all AdCenter Analytics testers, which you can catch after the jump.</p>
<p><span id="more-932"></span></p>
<blockquote><p>Dear Bryant,<br />
The Microsoft adCenter Analytics<sup>Beta</sup> team is announcing the end of the adCenter Analytics beta program. The program has been closed, but Analytics will remain available to you through December 31, 2009. Please note that all hosted services, data collection, and technical support will end at that time. If you would like to save your historical data, please use the export feature to download your reports before December 31, 2009.<br />
The Analytics team wants to sincerely thank you for your participation and your contributions to the program. Our objectives at the outset were to serve the needs of small and midsize business customers, as well as evolve the Microsoft strategy to encompass web analytics.<br />
The beta program was a success in every respect. The insights you’ve contributed through your use of the tool and your feedback have helped us immeasurably in shaping Microsoft’s future in web analytics. Your feedback has helped us confidently determine that we can serve advertisers and publishers best by offering a tailored solution that meets more specialized needs.<br />
You can rely on our continuing e-mail support through December 31, 2009. We recommend that you use the coming months to evaluate your web analytics needs and begin searching for an alternative web analytics solution. Click here for a list of companies that offer comparable analytics solutions.<br />
For additional information, visit the <a href="http://www.adcentercommunity.com/blogs/analytics/archive/2009/03/12/adcenter-analytics-beta-to-close.aspx">adCenter Analytics blog</a> and its award winning content. The blog will be renamed “Insights and Analysis” and will remain focused on advertiser ROI and optimization.<br />
Again, thank you for your participation. We appreciate your contribution.</p>
<p>Sincerely,<br />
The Microsoft adCenter Analytics Team</p>
<p><em>[Many links removed. ~Bryant]</em></p></blockquote>
<p>PROTIP: If you were a user of AdCenter Analytics, I’m going to suggest that you manually export the reports and keep using AdCenter Analytics until the closure date. The reports pushed out by AdCenter are some of the best and easiest to interpret reports available to web developers and content publishers. If you need more information, the Analytics Blog link above is the best place to look.</p>
<p>R.I.P, AdCenter Analytics. Even though you were likely just a massive data-mining project for Microsoft, you were one of the best tools I’ve ever used.</p>
]]></content:encoded>
			<wfw:commentRss>http://winjade.net/2009/03/microsoft-adcenter-analytics-bites-the-dust/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>UAC in 7: Exponential Silent Attack Vector Multiplier</title>
		<link>http://winjade.net/2009/02/the-real-issue-with-win7-uac/</link>
		<comments>http://winjade.net/2009/02/the-real-issue-with-win7-uac/#comments</comments>
		<pubDate>Wed, 04 Feb 2009 19:51:25 +0000</pubDate>
		<dc:creator>Bryant Zadegan</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Tips/Tricks/Hacks]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[critical]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[PROTIP]]></category>
		<category><![CDATA[ridiculous]]></category>
		<category><![CDATA[stupid]]></category>
		<category><![CDATA[UAC]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/</guid>
		<description><![CDATA[
(Update: official statement appended to the end of the post)
I’m going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center (Control Panel, System and Security, Action Center), click “Change User Account Control settings” and set it to the maximum setting (“Always notify me when…”).
The reason for [...]]]></description>
			<content:encoded><![CDATA[<p><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 0px 0px 20px 20px; display: inline; border-right-width: 0px" title="badUAC" src="http://winjade.net/wp-content/uploads/2009/02/baduac.png" border="0" alt="badUAC" width="189" height="229" align="right" /></p>
<p><em>(<strong>Update:</strong> official statement appended to the end of the post)</em></p>
<p>I’m going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center (Control Panel, System and Security, Action Center), click “Change User Account Control settings” and set it to the maximum setting (“Always notify me when…”).</p>
<p>The reason I’m asking you to do this shouldn’t be a surprise. You may have seen the UAC posts by <a href="http://www.withinwindows.com/2009/01/30/malware-can-turn-off-uac-in-windows-7-by-design-says-microsoft/" target="_blank">Rafael Rivera</a> and <a href="http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/" target="_blank">Long Zheng</a> (I’m giving more of the credit to Rafael since he actually brewed the proof of concept code). People saw their posts and immediately assumed that this issue is only relevant for users who download malware. Thus, you hear lots of users saying out loud with no apparent fear of embarrassment:</p>
<blockquote><p>“La di da, so long as I’m not stupid with what I download, I should be fine!”</p></blockquote>
<p>Right. Well, Microsoft basically recommends that users install an antivirus because they don’t actually consider User Account Control to be a security feature. Anyone who knows the purpose of privilege management knows that any system which actively manages privileges is a security feature.</p>
<p>With this in mind, let’s take a look at why the UAC security flaw actually <em>is</em> a security flaw.</p>
<p><strong>Update 2:</strong> Steven and Jon posted a second post about UAC today specifically addressing this flaw. Catch their response below the break.</p>
<p><span id="more-798"></span></p>
<p>The goal of security engineers is to minimize the number of attack vectors. That way, the likelihood of a path of attack opening up is slim. This also allows security engineers to kill the attack vector until a patch is released for the vulnerable application or component.</p>
<p>So, before actually continuing this post, let’s quickly answer this question: What’s a <em>silent</em> attack vector? Basically, if there exists a path for malicious code to quietly hijack a computer (to hijack a computer without the user’s knowledge), it’s a silent vector of attack.</p>
<p>In Windows Vista, attacking a user-mode app isn’t going to completely fry your system. At the most, that one user account might be roasted, and this is easily fixed by logging into the default Administrator account and creating a new account from there. Any attacks which try to slam kernel-mode resources trigger an immediate UAC prompt as a last minute defense, which a user can simply deny, thus blocking the attack.</p>
<p>Mind you, if a malicious bit is determined, it can keep spamming you with UAC prompts if you click No, and you’ll have a hard time bailing out of them to resume your work, but even then, it’s only isolated to one account so long as you keep denying it. Just kill the power to the computer, reboot into the default Administrator account and create a new account for yourself.</p>
<p>Now that we’ve discussed why UAC is actually useful in Windows Vista, here’s the problem with Windows 7’s default UAC setting:</p>
<p>If a security hole is found in <strong>any</strong> user-mode application, that application can be infected and used to silently attack the system through keystrokes used to disable UAC when the user is away from the computer. This is, of course, why I call this security flaw an Exponential Silent Attack Vector Multiplier.</p>
<p>No matter what the application is, since keystrokes can be faked on Explorer due to its “medium integrity” level of trust, <strong>any</strong> attack vector available through <strong>any</strong> application, process, what have you, can now be used to deliver a malicious payload which can completely take over the entire computer as opposed to just one user account.</p>
<p>It’s not just about what a user clicks anymore. All of a sudden, Windows 7 is now at risk from drive-by downloads in any browser, buffer overflow bugs in any application, or any other way of seamlessly delivering and executing a simple script to emulate keystrokes. Quite literally, the number of attack vectors increases with the number of applications installed.</p>
<ul>
<li>Got a .psd file which takes advantage of a flaw in Photoshop? There goes Windows.</li>
<li>Got an .odf file which takes advantage of a flaw in WordPad? (Yes, WordPad, since it can also open ODF files) There goes Windows.</li>
<li>Got an IM client which renders jpegs improperly and someone’s display icon contains an exploit? There goes Windows.</li>
<li>Got a browser which is susceptible to drive-by downloads? There goes Windows.</li>
<li>Got an mp3 which exploits a hole in Windows Media Player? How about a stream with malicious content which exploits a hole in QuickTime? What about a malicious podcast feed which can bust through the Zune Software or iTunes? <strong>There goes Windows.</strong></li>
</ul>
<p>The list of examples isn’t limited to the list above. Prior to this new “non-invasive” UAC, the number of silent attack vectors was limited to any flaws in elevated Windows components. Thanks to this flaw in UAC, the number of attack vectors is now effectively limited only to the number of vulnerabilities in applications available for Windows. (read: way more than in Windows alone)</p>
<p>What’s the important thing to learn from this? <em>If it can be executed and has an exploitable hole, thanks to this flaw in UAC, it can serve as a vector of attack.</em></p>
<p>This flaw is so ridiculously and utterly <strong>bad</strong> that it brings us right back to the times that people used XP with an unprotected administrative account. This essentially negates any benefit that UAC gives to the user.</p>
<p>Solution for the end user? Well, like I stated when I opened this post, max out UAC on Windows 7 <em>the immediate second you finish installing it</em> and do not connect Windows 7 to the internet until you do. Yes, you should be that paranoid; this flaw needs to be resolved immediately. If this really is by design, Microsoft screwed up.</p>
<p>I can’t wait to hear the explanation for this one. I love Windows 7, but when a team closes a report on a critical <em>demonstrated </em>security bug as “by design,” I don’t know what to think.</p>
<p><strong>Update: </strong>For now, an official Microsoft spokesperson gave the following <em>exact</em> statement regarding the issue: “We&#8217;re investigating and continue to thank everyone who provides feedback on the Windows 7 beta.”<br />
Look out for an update to this issue… hopefully soon. I know Charles Torre of Channel 9 fame had a UAC interview planned, but I don’t know where that went.</p>
<p><strong>Update 2:</strong></p>
<blockquote><p>With this feedback and a lot more we are going to deliver <strong>two changes to the Release Candidate</strong> that we’ll all see. First, the <strong>UAC control panel will run in a <em>high integrity </em>process</strong>, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, <strong>changing the level of the UAC will also prompt for confirmation</strong>.</p></blockquote>
<p>Source: <a href="http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx">E7</a></p>
]]></content:encoded>
			<wfw:commentRss>http://winjade.net/2009/02/the-real-issue-with-win7-uac/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>General Experiences during this year&#8217;s PDC</title>
		<link>http://winjade.net/2008/10/general-experiences-pdc2008/</link>
		<comments>http://winjade.net/2008/10/general-experiences-pdc2008/#comments</comments>
		<pubDate>Fri, 31 Oct 2008 05:59:11 +0000</pubDate>
		<dc:creator>Bryant Zadegan</dc:creator>
				<category><![CDATA[AeroXP]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Practicality]]></category>
		<category><![CDATA[PROTIP]]></category>

		<guid isPermaLink="false">http://www.aeroxp.org/?p=613</guid>
		<description><![CDATA[This is the segment where I talk about how PDC went and what I thought of everything tied to it, including but not limited to such factors as my flight here, my hotel stay, the conference itself, the quality of the sessions, etc. in order to give people a feel of what to expect should [...]]]></description>
			<content:encoded><![CDATA[<p>This is the segment where I talk about how PDC went and what I thought of everything tied to it, including but not limited to such factors as my flight here, my hotel stay, the conference itself, the quality of the sessions, etc. in order to give people a feel of what to expect should said people ever decide to come to PDC, for example, next year.</p>
<p>I&#8217;m doing this because many people have contacted me during the course of PDC to find out what I would recommend doing in order to get the most out of PDC and other similar events, so I&#8217;ll almost definitely put up posts like this after every single major event which I attend.</p>
<p>You can catch the list after the break, though here&#8217;s the quick summary:</p>
<p style="padding-left: 30px;"><strong>Virgin America: </strong>Overrated.<br />
<strong>The Omni Hotel in Downtown Los Angeles</strong><strong>: </strong>Amazing.<strong><br />
AMD: </strong>Awesome, even if afflicted by some minor foibles.<strong><br />
Microsoft: </strong>Wonderful with most everything this time around.</p>
<p><span id="more-613"></span></p>
<p><strong>The Airline: </strong>Virgin America.<br />
<strong>My thoughts:</strong> Overrated.</p>
<p style="padding-left: 30px;">There&#8217;s a number of problems I experienced with Virgin America, from Customer Service to seating to the entertainment system, among other things. Mind you, the atmosphere was pretty good, and the few things that did work on the entertainment system actually seemed to work pretty well (with the exception of Doom, which ran at a pathetic 3 frames per second, <em>literally</em>). However, that&#8217;s basically where the list of good stuff ends. Here&#8217;s what went wrong:</p>
<ul style="padding-left: 60px;">
<li>Legroom? Non-existent.</li>
<li>The &#8220;Red&#8221; entertainment system is still in beta, and super-hyped features such as cross-seat chatting were not in the build seen on my flight to LA.</li>
<li>Satellite TV was ridiculously broken. For a flight which had <strong>zero</strong> clouds above it, this shouldn&#8217;t have happened.</li>
<li>Movies didn&#8217;t play.</li>
<li>Games were boring overall.</li>
<li>Exit seats charge a premium&#8230; why? What if a premium-paying person is too weak to open the exit door?</li>
<li>Customer service is worth nothing.</li>
</ul>
<p style="padding-left: 30px;">There&#8217;s an interesting scenario which serves to justify the last point: This couple happened to win four VIP  tickets for the Clippers v. Nuggets game Friday night from the venerable Jennifer Ritzinger (runs by the name of Ritzy on Channel9) but the pair only needed two tickets, so they gave me the other two. In effect, I won two VIP tickets.</p>
<p style="padding-left: 30px;">Unfortunately, the game is Friday <em>night</em>, and my flight is Friday <em>morning</em>. Unlike my experience with The Omni (which I&#8217;ll describe after this), Virgin America seems to have a comparatively stubborn policy. I tried to elevate my case, but I was told I was already at the supervisor. After a 7 minute wait, all I get is an unsympathetic late night &#8220;supervisor?&#8221; So much for that.</p>
<p style="padding-left: 30px;">Unsympathetic CS reps generally do a company in for me unless they can make up for it through an insane feature offering. Virgin America, quite flatly, didn&#8217;t. I hope this changes soon; I&#8217;ll probably never again get the chance to hit a sports event as a VIP in my life.</p>
<p style="padding-left: 30px;"><strong>Edit: </strong>The second time I called, the other rep (Tony) was much better with describing why they&#8217;d be unable to help, but it still got me nowhere, and the logic didn&#8217;t make much sense as hotels have to deal with the same things (regarding booking and such).</p>
<p style="padding-left: 30px;">I&#8217;ll almost definitely resume flying with Southwest again for MIX or PDC next year (depending on which one I attend)</p>
<p><strong>The Lodging:</strong> The Omni Hotel in Downtown Los Angeles<strong><br />
My thoughts: </strong>Amazing.</p>
<p style="padding-left: 30px;">It all comes down to this: everything was managed beautifully while Sandro and I were away from the room. The 195USD per night price may be steep for people (ironic given how it&#8217;s a discounted PDC price), but it&#8217;s worthwhile when split with someone else. The room is fairly generic, but it&#8217;s the experiences which make things great.</p>
<ul style="padding-left: 60px;">
<li>Room Service actually does a good job without stealing things, which is a first in my experience.</li>
<li>The shower always has hot water, and the toilet always flushes without messing up (these little details matter)</li>
<li>The wifi, though it asks for a fee, can easily be obtained for free and runs at speeds of 11/11 MB/s synchronous. The only limits are likely the radios themselves.</li>
<li>You&#8217;re given a chocolate mint before coming back every night, along with a card with the next day&#8217;s weather.</li>
<li>Everything has been clean.</li>
<li>Customer service is understanding.</li>
</ul>
<p style="padding-left: 30px;">To demonstrate the last point: The Omni extended to me a late checkout after seeing my VIP tickets in-hand. The late checkout would normally cost 99USD, but The Omni&#8217;s management team did it for free with no hassles. This is supremely unlike my experience with Virgin America&#8217;s customer service.</p>
<p><strong>The Hardware Guys: </strong>AMD<br />
<strong>My Thoughts: </strong>Awesome, even if afflicted by some minor foibles.</p>
<p style="padding-left: 30px;">AMD&#8217;s PR guys routinely send me equipment to use, which I return (unlike most of the others who get stuff from them) back to them after the event for which I borrowed&#8230; said equipment. This time, after getting invited on <em>very</em> short notice  for PDC 2008, AMD still managed to pseudo-sponsor what we stand for and fire a Phenom 9950 and an ATI 4870 my way for the event with overnight shipping the day before/day of my flight. I wasn&#8217;t able to use any of it this year, but AMD definitely showed that they care about the communities out there. In the end, the equipment still goes back to them (or you guys, as was the plan after MIX had the GPU in that box not failed), but it&#8217;s great to see a company which still cares for the enthusiast community.</p>
<p><strong>The Event:</strong> Microsoft<br />
<strong>My Thoughts: </strong>Wonderful with most everything this time around.</p>
<p style="padding-left: 30px;">Microsoft is one of those bureaucratic organizations which happens to have limbs which are unaware of what the other limbs are doing. Sometimes, this impacts their products and technologies quite negatively, but then again, PDC 2008 definitely brought a welcome change. This year&#8217;s event was far more laid back than previous events I&#8217;ve been to; the PR teams (Waggener Edstrom being the primary one) were very accommodating with my requests, even if such accommodation was present solely in their attempts to answer my questions, and the employees I spoke to were very open with their topics. Shout-outs go to Chaitanya Sareen, Rebecca Deutsch, and Dan Polivy for wonderful interviews on Wednesday, Thursday, and an unknown future date.</p>
<p style="padding-left: 30px;">No Microsoft event is an event without a generous allotment of parties, and PDC 2008 was no exception. Besides a hefty number of press receptions, there were also many other general receptions for PDC attendees on Monday, Tuesday, and Wednesday. On the other hand, when times got serious, the presenters still knew how to present their topics. All in all, Microsoft did a good job here this week, as did the guys at WaggEd (at least for my causes)</p>
<p>That&#8217;s about it in terms of who deserves praise and who deserves less business. We still have two videos and an audio interview coming up over the next week, so be sure to stick around.</p>
]]></content:encoded>
			<wfw:commentRss>http://winjade.net/2008/10/general-experiences-pdc2008/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Got a Flash Zune? Save some money.</title>
		<link>http://winjade.net/2008/09/got-a-flash-zune-save-some-money/</link>
		<comments>http://winjade.net/2008/09/got-a-flash-zune-save-some-money/#comments</comments>
		<pubDate>Thu, 25 Sep 2008 00:43:04 +0000</pubDate>
		<dc:creator>Bryant Zadegan</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Tips/Tricks/Hacks]]></category>
		<category><![CDATA[Flash Zune]]></category>
		<category><![CDATA[genius]]></category>
		<category><![CDATA[PROTIP]]></category>
		<category><![CDATA[Save some money]]></category>
		<category><![CDATA[Zune]]></category>

		<guid isPermaLink="false">http://www.aeroxp.org/?p=394</guid>
		<description><![CDATA[
Don’t invest money in flimsy Zune holsters or belt clips. If your jeans have snug belt loops, you can just use those. Your Zune probably won’t slip out of it, but that depends entirely on how snug the fit is. Don’t try this with a 30, 80, or 120GB Zune.
(Image from my utterly ingenious friend, [...]]]></description>
			<content:encoded><![CDATA[<p><center><a href = "http://winjade.net/wp-content/uploads/2008/09/mattzune.png" target="_blank"><img style="border: 0pt none; margin-left: auto; margin-right: auto; display: block;" title="Matt's Zune" src="http://winjade.net/wp-content/uploads/2008/09/mattzunemed.png" border="0" alt="Matt's Zune" /></a></center></p>
<p>Don’t invest money in flimsy Zune holsters or belt clips. If your jeans have snug belt loops, you can just use those. Your Zune probably won’t slip out of it, but that depends entirely on how snug the fit is. Don’t try this with a 30, 80, or 120GB Zune.</p>
<p>(Image from my utterly ingenious friend, Matt Boehm.)</p>
]]></content:encoded>
			<wfw:commentRss>http://winjade.net/2008/09/got-a-flash-zune-save-some-money/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>
