thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
First, if you're a unix sysadmin or anyone running any web services that pass through a unix server, ow. Hope you've got overtime pay.

For anyone who cares to read more about the details of what the bug is and what it can do, etc, I refer you to Troy Hunt's post of yesterday ( http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html ).

If you're a normal person hearing about this, then then there are a few things you can and should do:

1. Check that your home wifi router is not able to be accessed via the Internet (usually for administration purposes). If that is on, and your router runs Linux (and many of them do), it's potentially a problem. Check your instruction leaflet for whether this can be on or not and turn it off if it is. Then check how to download the latest "firmware" for your router, in a few weeks time you'll want to do that. If you have any other devices that are accessible "via the Internet", you probably want to find out if they're Linux based and turn that feature off too.

2. If you're a Mac OS X user, if your machine only ever joins networks with trusted machines on it, you're probably safe for now. But just in case or if you ever join public networks, open System Preferences - Sharing. If Printer Sharing is on, you want to turn it off. if you're using an old version of Mac OS, you may have Web Sharing turned on, you also want to turn it off. New versions of Mac OS don't have Web Sharing, unless you're running OS X Server. If you have Remote Login active, just check that you do not Allow Access for All Users. Other than that, wait for Apple to issue an OS Software Update that fixes the problem.

3. If you're a Linux user, you probably want to run your Linux version's package updater right now. And again in a few days time, as the bash maintainers have not actually released a patch that fully fixes the problem yet.

4. This is a similar situation to the Heartbleed bug ( my PSA from last time - http://thorfinn.dreamwidth.org/tag/heartbleed ) in that web servers may potentially be broken into (it's even worse technically). You will need to confirm with website owners that they were either not vulnerable, or were vulnerable and have fixed the bug, then change your password on that service. Again. Yes, I know. Tiresome. Sorry. :-( It's probably best to just prioritise the important sites (net banking, and anything with serious personal consequences), and do those in a few days time.

5. If you use unique passwords for every site you log in to, that at least limits any potentially stolen passwords to sites that are vulnerable and lessens the urgency on changing every password you have. That's why, if you haven't already, now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). LastPass ( https://lastpass.com ) showed themselves to be reasonably good at security (and they support Linux). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Please Share Around: So, you may or may not have heard about "Heartbleed". A significant proportion[1], possibly 2/3rds of all "secure" web servers out there are currently essentially insecure (could be snooped on by anyone on the Internet), and this may have been the case since Mar 2012. The bug was publically announced on 7th of April 2014.

Right now, before you log in to any secure website (has the little lock icon), you should go here: http://filippo.io/Heartbleed

and enter the website name without the http or https bit, to check if the service is vulnerable.

If that doesn't work, try: https://lastpass.com/heartbleed (but that reports a lot of false "maybe"s, so it's not as useful).

If that still doesn't work, for an even more full on SSL test, go here: https://www.ssllabs.com/ssltest/index.html

If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at http://filippo.io/Heartbleed and http://heartbleed.com/ and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.

Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.

Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.

If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.

If you have too many sites to check them all, you might want to prioritise. Here's [personal profile] skud on why You don’t need to change all your passwords.

You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.' - https://www.schneier.com/blog/archives/2014/04/heartbleed.html

ETA: A "big sites" hitlist of who you *should* change your passwords with: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

[1] ETA: Something like 6-10% of all sites, judging by this scan - Here's a list of 627 sites that were vulnerable on 8th April: https://github.com/musalbas/heartbleed-masstest/blob/b72a87558bfe37cd40327ec8b72386a2a2b99c69/README.md#627-of-the-top-10000-sites-appeared-vulnerable-on-april-8-1600-utc
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

There's been a new wave of people acquiring iPhones around me, either the 3GS or the 4. I have an older iPhone Fu post, but it's time for an updated version, more focused around usage tips and newer functionality that's available. This is a pretty long post, but do take the time to read it sometime, especially if you're new to the iPhone.

Also, if any of this post is confusing, tell me about it? I'm hoping that this is readable for non-geeks. :-) If there's something you don't understand, it's me, not you, please let me know so I can work out how to explain it better!

Usage Basics

Smartphone Security

Firstly, if this is your first "smartphone", please note, this thing is a small portable Internet Connected computer, not just a phone. As a result, you need to plug it into a real computer with iTunes installed on a regular basis to:

  1. automatically make a backup of your iPhone's data so it can be restored if something goes wrong;
  2. Check for software and security updates and install them on your phone.

For more info on computer security for non-geeks, see my post Computer Security Alerts for End Users - Be Alert, Not Alarmed. Also, I recommend against "jail-breaking" your phone unless you understand what it does and fully understand the potentially bad security implications of doing it. If you don't know what jail-breaking is, probably best to stay away from it.

In addition, do set a phone Passcode (or password if you want to be ultra secure - see Settings - General - Passcode Lock - Simple Passcode). It's going to have a lot of personal data on it, plus it's your phone, so requiring a passcode helps prevent others getting access to your personal data and phone if you accidentally lose the phone.

Usability

Secondly, after playing with it for a short while to get familiar with the relatively obvious things, go to Apple's iPhone Tips. That's pretty much the one-stop shop for all the iOS (Apple's Mobile Operating System - runs on iPhone, iPod Touch and iPad) interface features that aren't immediately obvious. Good information on things like rotation locking, camera focus control, etc. Some of this stuff doesn't apply to iPad yet, iPad is still on iOS version 3.2, iPhones/iPod Touches are up to iOS version 4.0.2.

A few things that page doesn't mention are:

  • Reorganising Apps: Once you have downloaded a number of apps, you'll probably want to move them around or group them in folders to make them easy to find. On the phone, you can touch-and-hold on an App's icon, which will start all your apps going wibbly wobbly, give them a little "X" to delete, and make them draggable. You can then drag them around and release to drop. Drop an app on top of another app to create a folder which you can rename. You can also do this quicker and easier in the iTunes "Apps" tab of your phone whilst it's plugged in. Note that you can pull apps on and off the bottom bar, so you can choose what you want as your "always available" 4 apps.
  • Multi-Tasking: The multi-tasking interface is brought up by "double press" of the home button. That brings up your recently-used apps at the bottom bar. Swipe left (touch left, drag right) to go to the "iPod Control". Swipe right (touch right, drag left) to see more recent apps. If you touch-and-hold, that will cause the app bar to go wibbly wobbly just like reorganising your apps. The little X icon causes an app to be removed from the "recent apps" and therefore to "quit" if it happens to be running in the background.
  • Voice Control: Hold down the home button to access Voice Control. See Apple's Voice Control Info for more details, but it's fairly self explanatory.
  • FaceTime: Wi-fi video calls, iPhone 4 only. See Apple's Face Time Info for how to try it. May not work with some wifi connections due to firewall issues. Works well for calling someone down the other end of the house actually. :-) I expect this will become available over 3G at some point, but data charges are still too insane and the Telcos are just not ready for it yet.
  • iPhone Settings: On the iPhone, go to the Settings app and look through it when you have some time. There's a lot of stuff in there that you may wish to configure, and it's also a centralised location for application configuration information. If you don't understand something, it's usually okay to leave the default setting there.
  • In App Purchasing: In addition to buying Apps, some Apps have the option of purchasing "upgrades" or "items" within the App to get you additional features or suchlike. I recommend turning this off unless you specifically encounter a situation where you need it. Settings - General - Restrictions - Allowed Content - In-App Purchases - "Off".
  • iTunes Configuration: Plug the iPhone in, select it in the left hand bar in iTunes, and go through the rather a lot of tabs that then pop up. There's a lot of configuration there for what you want to synchronise, etc. You can also right-click (or ctrl-left-click) the phone to bring up a little menu to take an immediate backup or similar. Double-click the "iPhone" label in the left hand bar and you can give your phone a nice name.
  • iTunes Synchronisation: I recommend turning off synchronising Mail and Calendar and Contacts using iTunes, and using Google Mail, Calendar and Contacts synchronisation on the iPhone directly instead. See the "Cloud Life" section below for details of that.
  • iTunes Library Apps Updating: Do regularly go to iTunes - Library - Apps - Check for Updates in order to update your applications to the latest versions.

iPhone 4 Case Program

Due to "antennagate", if you buy an iPhone 4 before 30 Sept 2010, you are entitled to a free case (Apple iPhone Case Program Info). The actual iPhone 4 antenna story is that with no case and with your thumb on the gap, the antenna is still as good as iPhone 3G.

That said, a case is good anyway for protection. I've drop-kicked my old 3G across a road, and without a case, it would've taken serious damage. With the case, no problem. For details and reviews of the free cases you can choose between see: iLounge: iPhone 4 Case Program or Macworld: Free iPhone 4 Cases.

Telco/ISP Fu

If you received your iPhone from a Telco in Australia, it comes network-locked so you can't take it anywhere else. Fortunately, thanks to the fact that we have very good consumer protection laws, provided you got it on a post-paid plan, you can ring up your carrier and tell them to remove the network-lock from your phone. They are required to do that for free - some of them may try to charge you a fee, don't let them. Threaten them with an ACCC complaint if they try.

Depending on your plan, you may or may not have "tethering" available to you. If you do, you can turn it on and off on the phone in Settings - General - Network - Internet Tethering. (That option isn't visible if tethering is not available to you on your carrier's plan). If it's on, simply connect your phone to your laptop whilst you're out and about, and voila, your laptop is internet connected.

Settings - General - Usage tells you how much mobile data you're using, go to that screen and hit "Reset Statistics" at the start of your billing period, so you can check if you're going to go over. Your carrier usually has some kind of website where you can go to check your data usage. If you're with Optus, get the "My Account Optus" app. The "Consume" app for the phone also lets you get much of this data.

Get Wi-Fi on your home internet connection (and please secure it with a password), and configure your phone to use that when you're at home, to save on mobile data usage.

Cloud Life

There are two main options for synchronising data on your phone with your computer (particularly calendar and address book). The first option is to synchronise using iTunes - this means the information is compared when you plug your iPhone into your home computer, and updates are shared only at that time.

The second option, if you want changes to your data to be synchronised without needing to plug the phone into your computer, and you want access to email from anywhere, you will need to set up a "Cloud" service. This service will use the internet to synchronise your data, but it will use your phone plan's internet data allowance to do so. You will also need to set your home computer to synchronise with the "Cloud" service.

There are essentially two available to you:Google or Mobile Me.

I'm actually using Google for Mail and Calendar; and Mobile Me for Address Book, Find My iPhone and iDisk; but there's no real reason to use both.

Mobile Me is quite good, and the major point-of-difference is the "Find My iPhone" web service, where you can log in and make your iPhone beep even if it's on silent, see where it is on a map, send it a message, and potentially remote-wipe it if you want to do that. It's pretty good insurance if you're the sort of person who might leave their phone somewhere accidentally. If you choose Mobile Me, I'll let you sort that out the cloud life, Apple gives you pretty good instructions, I think.

If you're starting fresh and/or don't want to spend money, I recommend using GMail and Google Calendar and GMail Contacts, as they are free and also work just fine.

Google Cloud Setup Details
  1. If you don't already have mail and calendar set up, do that at https://mail.google.com/ and https://calendar.google.com/ respectively.
  2. See GMail Managing Contacts Help for setting up GMail Contacts. Make sure you upload or enter all your existing contacts to there before you try and synchronise things.
  3. Follow this help page on Enabling IMAP in Gmail to turn on IMAP.
  4. Set up your iPhone using instructions from here Mail, Calendar, & Contacts: Set Up Your Apple Device for Google Sync Help
  5. Set up your computer to sync your email using IMAP too: GMail IMAP help
  6. And for syncing your Calendar to your computer too: Google Calendar Sync Help
  7. And if you're using a Mac, Apple Address Book Google Contacts Sync Help tells you how to synchronise your Address Book to Google Contacts. I'm not sure if there's anything available under Windows to synchronise the computer's address book directly to Google Contacts (someone let me know if there is).

Websites to find Apps at

There are quite a few more, but these two are the best in my opinion:

App Recommendations

...giant list of apps... )
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

If you use a computing device that is not maintained by a corporate IT department, you need to know that your device is likely vulnerable to security issues. It doesn't matter whether it's a Mac, a Windows PC, a Nokia Phone, an iPhone/iPad, an Android phone, a Windows Mobile, a Linux laptop, an XBox or Playstation, all computing devices have security issues from time to time. What does differ a little is how quickly they get fixed, and how quickly you can find out about them and install the fix, and the type and scale of problems, but really, the take home message is that all computing devices have security issues.

If you own a device that connects to the Internet in any way (and pretty much everything does now), then you have a device that can be potentially be hacked by any random other person on the Internet. If that happens, you are really stuffed. Your computer (or phone, or whatever) will be used to conduct all kinds of illegal activities (like hacking other people, sending spam, etc), all your personal data can be made public leading to identity theft, online banking theft and worse,

Ultimately you, as the end user, need to be informed. If you don't even know that your computer/phone/games console/whatever might have a security problem, that means it is sitting there waiting to be hacked and controlled by someone else.

The first place you should be looking for timely information is a known security updates publisher. For normal people, I highly recommend the Australian Government's Stay Smart Online Alert Service (AusCERT funded by gov.au) and the US CERT: Non-technical users page.

US CERT and AusCERT also have much more detailed alerts, which are more focused at professional systems administrators than for "normal" people. If you have the time and inclination, I recommend AusCERT.

I know those security updates may look daunting and confusing for many people, especially ones not involved in the IT industry. Please, really, really, take the time to learn enough to understand what the security updates mean and how to take appropriate action, and get informed about the computing devices you use, at least enough to know how to update your Operating System and any Software you use. Use Wikipedia to search out any terms you don't understand, ask around any computer geeks you know for help. We want you to stay safe, I promise.

The main things you need to care about on any given security alert is:

  1. Does it apply to you (does the Operating System match one you use, and/or is it about Software you use)?
  2. Do you need to do anything (is there an "update your software here" link in the update, or other instructions)?

If the answer to both of those is yes on any given security alert, then please, go and update whatever needs updating. If you don't, your computer will remain vulnerable to a known security exploit - which means that at some point in time, your computer will eventually be hacked by some bad person, leading to all the issues above.

So please, for your own safety, Be Alert, not Alarmed. The world needs more lerts.

Edit: This post was originally written before the existence of the Stay Smart Online Alert Service, which was launched shortly afterwards. The post has been edited to recommend non-IT experts to go there first, rather than directly to US/AusCERT.

thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

TLDR version

Most Internet traffic is not encrypted at the moment. It is trivial in cost and setup to use some form of encryption on all Internet traffic, which means that any Internet filtering solution will be unable to inspect that traffic and block sites.

Aside from that, if people access illegal content using non-encrypted communications, that is a good thing. Why? Because that means your ISP can actually detect them and send the information to law enforcement agencies. That sort of thing is common practice within the ISP industry already.

All that implementing a net filter would do is force people actually doing illegal things to get clever and use encryption technologies like the above, rather than leaving at least some of them out in the open as they are now.


Layer Cake


The Internet works on a layered communication method, where "protocols" are run on top of each other. I'm going to simplify some and leave out some things that aren't necessary to mention, but that's okay.

At the base, there exists "hardware" - wires, radio waves, that kind of thing.

Each type of hardware has a type of hardware specific communication that things use to communicate over it. (DSL, DSL2, 56k modem, wireless 802.11b/g/n, etc).

On top of that hardware specific communication is layered a protocol called "IP" (Internet Protocol), in which every device on the Internet has a numerical IP address.

At each endpoint of those bits of hardware are things called "routers", which essentially take traffic from one part of the network and "route" it to another part.

On top of IP is layered a protocol called "DNS" (Domain Name Resolution), which lets you look up a domain name (like www.google.com) and have it translated to some IP address.

In order to make a connection between one computer (e.g., yours), and another (e.g., a web server), your computer uses DNS to find the IP address, then connects to it on a "port" (another number) which is related to a particular service.

HTTP is a protocol that runs on top of IP. When you put a URL like http://www.google.com.au/intl/en/options/ into your web browser, your computer asks via the "DNS" protocol for the IP address to contact. It then contacts that IP address on port 80, and makes a "request" for the content that lives at /intl/en/options. The server then sends the content back to your computer, which feeds it to your web browser, which then renders it.

Because all of that traffic is not encrypted, your ISP (which controls the routers between you and the rest of the Internet) can inspect that traffic, and if it sees a request for the "wrong" sort of content, it can block the rest of the traffic. That is what is proposed under the net filtering trials that have been conducted.

Sounds good. The problem is that there already exist technologies in common use today that defeat this approach completely.

There is a protocol called SSL (Secure Sockets Layer), which is another protocol layered on top of IP. It actually provides exactly the same function as IP, in that you make a connection from your computer to the other side, but what it supports (that IP doesn't) is encryption and authentication. When your computer makes an SSL connection to another server, it can tell if the other side has a "certificate" which, when "signed" by the appropriate well known authorities (Thawte and Verisign are the primary providers), proves that the server in question is really the server that is supposed to live at that hostname. In addition to that, all data passing back and forth over an SSL connection is encrypted, so nobody in between can read it.

The analogy is that "IP" traffic is like postcards - they're being passed around readable by anyone. "SSL" traffic is instead like sending a sealed and signed and stamped envelope - tampering is obvious to the other end, and you in fact can't even tamper with the envelope without destroying the contents.

HTTPS is defined as being exactly the same protocol as HTTP, except that instead of making a connection using "IP", it runs over SSL. This is the protocol used by all of your Internet banking services, and indeed by many webservers that require login of some kind, because they don't want your password and details flying around the Internet for anyone to inspect.

If your ISP wants to "filter" HTTPS traffic, it essentially can't do that effectively. It can block access to specific hostnames (e.g., groups.google.com.au), but it can't block say, https://groups.google.com.au/groups/dir?sel=topic%3D46479.46478%2C without blocking all traffic to everything at groups.google.com.au.

So, anyone wanting to host RC content under the proposed filtering system simply has to provide it over HTTPS, and that will defeat any filtering attempt.

There is another protocol called IPSec (Internet Protocol Security), which is IP tunnelled over IP. Sounds weird, I know. What use is it? It's the same deal as SSL - it's an encryption/authentication protocol. This is what your corporate road warriors use to connect to their corporate network via a VPN (Virtual Private Network). All the traffic leaving your computer is essentially encrypted and sent down the "VPN tunnel", to your VPN server, which then decrypts it and sends the "real" traffic out to the Internet at large. All the ISP sees is a bunch of encrypted IPSec traffic, which it cannot decipher.

Now, there are quite a large number of providers in the US and elsewhere, who are happy to sell you a VPN service. What does that do? It makes your computer appear to, as far as the Internet is concerned, be coming from the US. This is commonly available technology, costs you about USD5 a month at the low end, more than that for better services. Anyone using one of these VPN services is, essentially, totally immune to the filter, because their Internet connection effectively originates in the US (or elsewhere), instead of in Australia.

These are just the two most commonly used encryption and authentication protocols out there, that are in common use by a lot of people. They are both designed to be entirely secure and not breakable in a real-time manner, not even by governments.

No filtering technology can possibly block these protocols, because to do so would cripple Australia as far as the ecommerce world is concerned. Imagine not being able to use https://paypal.com/ or https://amazon.com/ or https://ebay.com/ to do anything. Imagine the CEO of IBM visiting Australia and not being able to access corporate email. We're already considered an Internet backwater due to our slow bandwidth and terrible usage caps. Inability to use basic encryption would just be madness.

Aside from that, if people access illegal content using non-encrypted communications, that is a good thing. Why? Because that means your ISP can actually detect them and send the information to law enforcement agencies. That sort of thing is common practice within the ISP industry already.

All that implementing a net filter would do is force people actually doing illegal things to get clever and use encryption technologies like the above, rather than leaving at least some of them out in the open as they are now.



Relevant links

thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

Microsoft .NET Remote Code Execution exploit



Similar class of problem as last time with the TCP/IP thing:

From: http://www.auscert.org.au/render.html?it=11798&template=1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1410.2
           Vulnerabilities in the Microsoft .NET Common Language
                 Runtime Could Allow Remote Code Execution
                              15 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft .NET Framework
                   Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows 2000
                   Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2497 CVE-2009-0091 CVE-2009-0090

Original Bulletin: 
   http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx


That list of Operating System: entries? That's every single supported version of Windows, from XP (which should be end-of-life but isn't), to Windows 7 (the supposedly new "much more secure" shiny thing). They forgot to put Mac OS in the list - if you have Silverlight installed on a Mac somehow (I don't know who uses it), then it's vulnerable too.

Seriously, if you are a normal person, or even a small business with no ability to pay serious tech-support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're safe and securely firewalled and patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.

Unless, of course, you don't value about your personal information, anyone else's personal information you might have, your bandwidth, your sales data, your netbanking, and anything else that you might use your computer to access. No worries, have fun with that.




Microsoft Danger Sidekick: All your data are belong to bitbucket



For more fun in that space, late last week, Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in, boom, gone, no backups, kiss all your contacts and anything else supposedly securely backed on their "cloud service" goodbye, unless you were sensible and had your own offline backup (which isn't an officially supported thing on that platform).

See:
T-Mobile Sidekick Disaster: Danger’s Servers Crashed, And They Don’t Have A Backup. There's a rumour today that
Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.

Even if they manage to recover some of the lost data, that's going to be due to heroic manual data recovery of the SAN disks, rather than routine backup restoration. And when I say "routine", I mean - everyone involved in Systems Administration at any serious level knows full well that you have to have a full backup of all data with a regularly tested and validated restore process before you commence any kind of important upgrade.

That is industry standard procedure, and has been industry standard procedure for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card - but they've been a M$ owned company for long enough, with a high profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should be in place. There isn't any valid excuse for that kind of data loss by a corporation. None.

ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
LJ-news: Media embedding change - important notice
DW-maintenance: LJ web security exploit

In short, LJ had a "cross site scripting hack" which infected a bunch of people's accounts. Check the LJ news post and verify you're okay if you're on LJ.

However, Dreamwidth wasn't vulnerable.

Yet another reason to Dump LJ in favour of Dreamwidth.

ETA: If you're not running some kind of flash blocker, you probably want to be.

Safari - http://apple.com/safari - http://hoyois.github.com/safariextensions/clicktoplugin/ (Was: http://rentzsch.github.com/clicktoflash/)

Firefox - http://mozilla.com/firefox - http://noscript.net/ or http://flashblock.mozdev.org/

Opera - http://opera.com/ - http://my.opera.com/Lex1/blog/index.dml/tag/Flashblock

Chrome - http://google.com/chrome - http://www.privoxy.org/ (run a local proxy) or switch to one of the above.

Internet Explorer - http://www.microsoft.com/ie - http://www.privoxy.org/ (run a local proxy) or switch to one of the above.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
So, that TCP/IP issue I mentioned last time in " Computer Security - Anything But Windows. Seriously."?

Microsoft: No TCP/IP patches for you, XP

"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.


So, in other words, Microsoft has forgotten how to maintain the code for Win XP. Either they've dumped too much critical build infrastructure, or it's just "too difficult" to build a patch that goes that deep into the XP kernel.

Either way, it really doesn't speak well for toolchain maintenance, development process and their software architecture (or lack thereof).

Bear in mind, this is for a version of the OS that is not supposed to be end-of-life yet. I have no issue with inability to patch end-of-lifed OS versions - I wouldn't expect to see patches for Win98, for example.

Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."


In short, Microsoft's other excuse for why they aren't bothering to patch XP is that your Windows XP machine will theoretically hang if it's being attacked, so you're obviously perfectly safe from being hacked. Ahahah. Very funny. At least to me, anyway.

So: Computer Security - Anything But Windows. Seriously. Really, Seriously. Run, don't walk. Try something else.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Amongst a swathe of other "[Win]" security alerts from AusCERT, this one stands out:



AusCERT Security Bulletin: ESB-2009.1267 - ALERT [Win] Windows TCP/IP: Multiple vulnerabilities

Product: Windows TCP/IP
Publisher:Microsoft
Operating System: Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Original Bulletin: http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx



Why does this particular instance stand out to me? Because TCP/IP is the fundamental core of Internet communications - if your device does Internet, it does TCP/IP. The code to do it has been around for a few decades now, and pretty much everyone knows how to do it securely. Except, apparently, Microsoft.

This sort of security vulnerability can theoretically exist on other OS platforms, yes. That said, the only competing OS family these days is Unix - there are no extant OS platforms in common use that are not some type of Unix. Even Mac OS X is a version of Unix with a very shiny graphics layer on top.

Unix is designed from the ground up with a highly layered security approach, and in the layers where security is critical (i.e., the "kernel" - the part of the OS that deals with the computer hardware, and therefore can do things like snoop passwords, steal data from anyone on the machine, etc), the programmers tend to be very very careful, and most of the code is not actually new, and has been inspected heavily by many many people over the long decades that the technology has existed for, and tested by lots and lots of people who are pretty crazy about security, and think about it a lot.

Microsoft, fairly clearly, don't organise their code and their programmers to work that way. Every time they release a new OS version, they say "now more secure!" Every time they say that, they're proven wrong. Again. With several different hacks that break into the kernel layer, not just surface compromises. A Linux blogger describes the experience best:Windows Users - The Charlie Browns of Computing. Go on, kick the football. We promise it's secure this time. Really.

Don't get me wrong: You absolutely need to take security measures on other computers too. If you've got a Mac, you should still be purchasing anti-virus software, and if you've got Linux, or FreeBSD, or Solaris, or any other UNIX, you still need to be securing your computer in a variety of ways.

But on Windows - none of that matters. You can run all the anti-virus software you like, but if the Windows TCP/IP stack is open to a remote hacker, the remote hack will disable your anti-virus software, and install a bunch of stuff that will keep your computer broken and hacked, permanently.

If that happens to you, you can expect your computer to use all your bandwidth sending out spam email, attempt to crash and hack other computers on the Internet, send all your banking details to people who might be interested in stealing your money, send anything resembling personal data to the same people, and so on. Not good, not fun.

So, if you care about having a secure computer, don't use Windows. Ever. Really.

If you really do have to use Windows, then don't connect it directly to the Internet. Ever. Put that computer behind a secure firewall of some kind. If you don't know how to do that, find out from a tech-savvy friend. For your own sake.

April 2015

S M T W T F S
   1234
567891011
12131415 161718
19202122232425
2627282930  

Syndicate

RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags