Tuesday, December 13, 2011

The safest web browser? Part III

Accuvant Labs has a new study out on browser security. The report (commissioned by Google) says Chrome is the most secure browser, because it has a well-implemented sandbox. Well, maybe.
But the report also contains data on browser vulnerability statistics, along with some very sensible caveats on using these to make any claims about security:
Given all this information, we can conclude that the browsers are different. Development methodologies, corporate structure and patch release infrastructure all play a role in making dissimilar graphs. However, none of these pieces of information can be used to draw a security related conclusion.
 They seem to be saying, "please don't use our vulnerability graphs to imply that one browser is more secure than another".

Unfortunately, actually reading the report seemed to be too much trouble for ZDNet.
[A]ccording to the report Mozilla’s Firefox has the highest vulnerability count compared to Google’s Chrome and Microsoft’s Internet Explorer.  Would you switch browsers over the results from a comparative review such as this one commissioned by Google?
 Either they didn't read the report, or they couldn't resist a bit of sensational journalism. Either way, they are doing a gross disservice to their readers.

As usual, the partisans pick up the FUD and start spreading it around:
Firefox fails miserably.
Avast! forum.

I don't know which is more depressing: that a news source can so casually misrepresent a report they are writing a story about, or that there are so many gullible idiots around that will lap up the misrepresentation.

Wednesday, December 7, 2011

Gnome extensions site

Gnome now has a web site where users can install shell extensions, just like Firefox users can install add-ons at the Mozilla site. What I really want to see there is an extension that will allow me to get the functionality of Alt Tab with a mouse click on the panel, maybe next to Activities.

Saturday, December 3, 2011

Gnome users are revolting less

Or should that be less revolting?

Seems that Gnome 3 isn't that bad after all
Hey, with gnome-tweak-tool and the dock extension, gnome-3.2 is starting to look almost usable.
InternetNews.com

I'm trying to check out the dock extension now. Seems to be in the Fedora repository, but how to enable it is another question.

Update: OK, you have to install gnome-tweak to activate the dock. Which is a turd.  There may be some things Gnome 3 could do better, but this is like nailing a lump of wood onto the side of a new car to help you find the door handle more easily.

Alt Tab in Gnome 3

Alt Tab is a very useful keyboard shortcut in Gnome 3. But why isn't it available with a mouse click? Using the 'Activities' button or hotspot is just too busy when switching between applications.
I've been using Windows 7 a bit recently and I quite like the way Windows does application switching: application icons appear in the bottom panel and hovering over the icon brings up images of open documents.
Gnome is more minimalist, and doesn't show running applications in the panel. But why not have a button in the panel for application switching, with the same function as Alt Tab for us mouse-bound users?

Wednesday, November 23, 2011

Needles, noodles and nanodes

Google has celebrated the work of science fiction author Stanislaw Lem with a doodle inspired by a story in The Cyberiad about two bickering robotic inventors who create a robot that can produce anything beginning with the letter 'n' upon request. The robot brings forth a needle, noodles and nanodes before one of the inventors foolishly asks it to make nothing, and the robot obliges.
The illustrations in the book were apparently by Daniel Mróz, and it's these that inspire the doodle as much as the Lem story.

Sunday, October 23, 2011

The safest web browser? Part II

I've written before about browser security. I found that if you look at browser exploits in the wild, which is really what matters, Internet Explorer and Firefox have been affected by such exploits in recent history. (Internet Explorer has been affected by far more further back in history, but let's put that behind us.) Looking at that criterion, Opera and Chrome are "more secure".
Of course it's also possible for a browser to be a vehicle of security compromise via a deliberate download of malware, rather than a "drive by" download as the result of a security exploit. I've also written about Microsoft's claim that Internet Explorer is much better at blocking this sort of malware than other browsers, and found that it is, but possibly with a 30-75% chance that the "malware" blocked is a legitimate file or program: a false positive rate that would cause outrage if it was a third-party anti-virus program doing it.
Now there's a new story which claims that Internet Explorer is the safest browser and Firefox is the least secure. To cut to the chase, it's Microsoft doing its own evaluation of browser security, and giving more weight to Internet Explorer's (somewhat contentious) ability to block malware than its record on security vulnerabilities.
The story has been greeted with derision by two other writers on the ZDNet site, who point out that at the same time the story appeared Microsoft Explorer contained a major security vulnerability that affected even the latest version (IE9) which Microsoft was touting as much more secure, and that the "online security test" that Microsoft was doing was merely looking at the browser ID string and reporting Microsoft's previously-determined security assessment based on its own (some would argue biased) weighting.
Is there any truth to Microsoft's claim that Internet Explorer is "more secure" than Firefox? Another story I came across this week takes a slightly more objective look.
Paul Mehta, senior research scientist at Accuvant, told the SecTOR audience the Web browser rendering process should run at low integrity so, if it is compromised, the underlying system is still ok. In IE, the browser is assigned low integrity and the same is true for Chrome. Firefox runs everything as a medium integrity process, according to Mehta. (eSecurity Planet.)
So Internet Explorer and Chrome are "sandboxed", and Firefox isn't. Doesn't that make Firefox less secure? Well, not if there are exploits which can get through the sandbox and infect the system, which is exactly the sort of exploit reported in Internet Explorer above. Which makes the Microsoft claim regarding Firefox debatable. I have reported a story which claimed that Chrome's sandbox had been breached, but never found out if there was any truth to it. So the Microsoft claim that Internet Explorer is more secure than Chrome is also debatable: we have a proven exploit of the MS sandbox, versus an unsubstantiated claim of a breach in the Chrome sandbox.
An important point to make here is that Internet Explorer is "sandboxed" and Firefox not because Microsoft won't let non-Microsoft software use its sandbox. The playing field is not level for Mozilla, Google or Opera. Chrome has chosen to add its own sandbox, which may give it a security advantage.
So what is the safest browser? Well, if you really feel the need for a sandbox, possibly Chrome. If somebody tells you it's Internet Explorer 9, they've probably been listening to the Microsoft FUD. If they tell you Firefox is the least secure, then they've definitely been listening to Microsoft FUD, and as I pointed out before, they're very likely doing so for partisan rather than evidential reasons.

Sunday, September 25, 2011

Gnome users are revolting IV

Here's one Gnome user who is definitely revolting:
Reactions across the Internet were virtually identical with one fine division; users who were using Gnome 3 in a production environment or had use cases that required them to maintain a productive work-flow were completely hampered by the experience while the much smaller class of adventurous casual users thought that it was pretty and offered enough bling for them to impress their friends with.
I have to say I don't recognise myself from the description. Is this claim based on some sort of scientific survey, or just pulled from the author's behind? Certainly there are a lot of anti-Gnome 3 reviews on the internet, but there are some good ones too.

Here are a couple of examples.

Two reasons Why Jim Nelson Likes GNOME 3 Shell:
Stability – Considering this is an initial release, I’ve found the Shell to be remarkably stable. I’ve had no freezes or crashes. While that seems like a low bar to overcome, this is essentially an 0.1 release. Not much 0.1 code can make the claim that it’s stable. Most 0.1 code is just happy it compiles.

Productivity – I should list this first, but I decided to save the best for last. My productivity has jumped since I switched to GNOME 3 Shell. This might be a highly subjective evaluation. I suspect I’m not alone.
No, you're not. Jack Wallen likes it too. Here are a couple of examples of the 10 things he's grown to love about GNOME 3:
1: Minimalism I have always been a minimalist. No icons, no widgets, no nothing. I want a clean desktop, and GNOME 3 offers about as clean a desktop as you can get without running E16. The only object on the desktop is the panel — until you reveal the launcher. But just because GNOME 3 takes a minimalist approach doesn’t mean it’s not easy to use. In fact, once you get used to it, it’s one of the easiest to use desktops you will come across.

7: Compositing The compositing of GNOME 3 is elegant and far from overstated. Instead of going the Compiz route, GNOME 3 opts for subtle use of transparency and a few simple, clean effects that highlight how a compositor can actually improve the efficiency of a desktop. Transitioning between windows or in and out of the Dash is about as graceful a transition as can be had on a computer desktop. Best of all, the compositor on GNOME 3 does not, in any way, take a hit on the performance of the machine. GNOME 3 compositing is so much in the background, you will hardly notice it doing its thing.
Gnome 2 is a Windows 95 paradigm. It's inefficient and redundant. Put a quick launch icon on the panel and it will launch the application, but it won't let you switch to it or tell you what that application is doing. No you can't minimise windows in Gnome 3, because it doesn't have a crowded and unreadable bottom panel. No, Gnome 3 isn't perfect, but it's already getting better.

I'm sure there must be more people like me who love the elegant efficiency of Gnome 3. Let's make our voices heard!

Gnome users are revolting III

Hate Gnome 3? Looking for an alternative?

Jack Wallen has a suggestion.


Which is clearly an elegant improvement over the ugly and dated Gnome 3 paradigm.


Er... Or maybe Jack Wallen is taking the piss?

Saturday, September 24, 2011

Mozilla Extended Support Release

I've previously blogged on how the new fast development cycle from Firefox was making corporate deployment difficult.
Mozilla is now making a concession to corporate users with an Extended Support Release with security updates for 42 weeks instead of six weeks with the fast release cycle. Datamation has the story.

Tuesday, September 20, 2011

Gnome 3 built-in screencast

Gnome 3 has built-in screencast recording. Just press Ctrl-Alt-Shift-R (you'll need to be a bit of a digital gymnast). How cool is that? No. 9 of Ten Gnome 3 features that won me over. Find the screencast in /home as a .webm file (reddit).

Wednesday, September 14, 2011

Gnome 3.2

I've been using Gnome 3 for a couple of weeks now, and enjoying it a lot. There are a few things about it that I was thinking could be improved, but today I discovered from the As far as I know blog that the Gnome team is already ahead of me.

Gnome 3.2 is going to get:
  • A matching GDM welcome screen.
  • Integrated chat- no need to launch Empathy.
  • More natural workspace switcher behaviour.
  • Device hot plugging that works nicely with the shell.
  • More obvious waiting messages.
The last one, for me, is the most annoying. Leave the computer for a few minutes and the only way to see if an email has arrived in the meantime is to push the cursor into the bottom right of the screen to bring up the message tray.

Thursday, September 8, 2011

Edit and convert GTK-RecordMyDesktop output

Just a link I found useful while experimenting with RecordMyDesktop. Output is in the Ogg format, which Avidemux can't edit. TuxArena Blog has a tip on how to convert the output file to a format Avidemux can handle, and at the same time reduce the size of the file before uploading to a video-sharing website of your choice.

Can't stop GTK-RecordMyDesktop in Gnome 3

RecordMyDesktop is a program for recording screencasts. I was trying it out today when I encountered some unexpected results. I started recording, but couldn't find a way to stop. The program was in the Gnome 3 notification area at the bottom of the screen, but clicking it resulted only in the top Gnome panel disappearing. Fortunately I found a solution on Google before my HD filled up. There seems to be an incompatibility issue, which can be avoided by unticking a couple of (non-essential) options as described in the link.

Here's the screencast of the unstable behaviour. All-in-all a success, despite the hitch. A screencast review of Gnome 3 is an upcoming project.

Wednesday, September 7, 2011

Connecting to 1.gravatar.com

Recently I've noticed WordPress blogs taking a long time to load, or stalling before loading completely, while Firefox displays the message Connecting to 1.gravatar.com. The delay is minutes rather than seconds, so this is a serious inconvenience.

The problem seems to be with the Gravatar service, which supplies an avatar to comments added to a blog post.

WordPress Comments Slow Down Page Speed.
Gravatars Can Slow-Down Your WordPress Blog.

Update: Adding an AdBlock filter for Gravatar fixes this. Simply right click on any Gravatar avatar and select AdBlock Plus: Block image.

Update 2: Not quite. Add a custom filter for http://*.gravatar.com/avatar/* to block all of Gravatar's servers.

s*.wp.com is also causing delays.

Friday, September 2, 2011

Empathy at startup in Gnome 3

To run Empathy (the chat program in Gnome 3) at startup, it seems to be necessary to run gnome-session-properties in a terminal and manually add Empathy. (Found on Ask Ubuntu.)
Update: It seems the aim is to integrate chat into Gnome without the need for Empathy running.
From 3.2, GNOME 3 will have fully integrated chat and messaging. This means that the system will be able to automatically log you into chat and messaging services without you needing to launch a separate application, and you will be able to take calls, reply to chat and room invitations as well as file transfers from the shell itself. Much of this has already been implemented, including a decent chunk of backend work. 
 As far as I know.

Integrating Pidgin and Gnome 3

Pidgin has always been my favourite chat program, and I've stuck with it even after Gnome switched to Empathy, partly out of habit, but also because it has the ability to block messages from people I don't know, and the ability to show email messages from web email applications and quickly go to the email page.
I've moved to Fedora 15 because I want to use Gnome 3, and I'm giving Empathy another go. I'm using Gmail to check my old and little-used web email accounts like Hotmail, and unless I start getting annoying spam with Empathy, I might stick with it.
Empathy uses Gnome 3's new bottom-of-the-screen notification system. Apparently Pidgin doesn't, but there's a Gnome 3 extension that allows Pidgin to integrate. Hubfolio has a guide. I may be checking it out if the spammers find me.

Opera in Fedora

It may not be open source, but I like Opera, and like to install it on Linux. I'm using Fedora 15 at the moment, and Opera is a manual install, and must also be updated manually when updates become available, but it's not hard to do. If Not True Then False has a guide.

Highlight text in Firefox

Sometimes when reading a long text in Firefox there'll be a sentence or two you want to come back to and think about again, or paste somewhere else, in a blog like this for example. But if you're like me, you've probably scrolled back up the page and spent several minutes looking for the passage again, trying to remember the words and spot them in the expanse of text.
A highlighter is the answer of course. There used to be a Firefox extension that did this, but it stopped being updated a long time ago and isn't usable with recent versions of Firefox. There are more sophisticated extensions available that include a permanent highlight function (like Wired-Marker), but I'm not doing research so their functions are largely superfluous.
I was having a look at extensions again yesterday and was happy to find a basic Firefox text highlighter that works with recent versions of Firefox. It's called TextMarker!

Update: Blogger users may not appreciate the way this extension adds a load of HTML every time you paste something into the comment field.

Monday, August 22, 2011

Gnome users are revolting II

I currently have Debian Squeeze installed on my computer, and Fedora 15 on a Live USB, and I'm booting into both from time to time. This gives me a good idea of how Gnome 3 in Fedora compares to Gnome 2 in Debian in terms of ease and pleasure of use as a desktop environment.
I have to say, when I boot into Debian now I feel disappointment that I won't be using Gnome 3. I miss the modern environment of Gnome 3, and not the Windows 95 paradigm of Gnome 2. Now there are some modern inventions that are just a trend, a fashion, and don't make our lives easier. We might get excited about them at the time, but a decade or so later we might be back to using whatever we were using before, because the fashion has come round again, or the novelty has worn off the new invention and we realised what we were missing in the old.
I don't believe that's true with Gnome 3. I think it really is a step forward in ease of use, but I've seen some strong claims to the opposite, for example, this from Steven J. Vaughan-Nichols on ZDNet:
The idea of GNOME 3 was to get rid of clutter. OK, I can see that, but in doing it GNOME’s designers had made GNOME less usable. For example, in shifting from one project to another in your workspace you need to use the dashboard as a window management interface. For me, this is like having to stop my car to shift gears. That by itself is so annoying that I quickly stopped using GNOME 3.0.
I decided to do a comparison between Gnome 2 and Gnome 3. This is a screen shot of my bottom panel in Gnome 2 on a particularly busy "workspace":


OK one click will shift from one "project" to another, but it's quite difficult to see what window each button will open. Quite often I maximise the wrong window and it takes several clicks till I find the one I'm looking for.

Here's a screen shot of my workspace in Fedora with the same number of windows open.


Yes, I have to push the mouse cursor into the top right of the screen to see it, or click the Activities button, or hit the Windows button on my keyboard, but once I've done that, it's easy to read the description for each window, and even with 13 windows, the thumbnails give me a pretty good idea of what each window is- it's easy to recognise an image file I'm working on, for example.

I could move windows to separate workspaces in Gnome 2, but I have never got into the habit. Gnome 3 certainly makes it a lot easier to do:


To my mind, Gnome 3 is easier to use. Of course, when we get used to a way of doing something, it becomes easy to do, and when we move to a new way of doing something it's hard to do. The difficulty of just doing something different can stop us seeing that we're actually doing something easier. Of course the ultimate judgement is personal, but I think I'll be using Gnome 3 more and more in the future.
I'm not sure that it is ultimately the easiest way of organising windows- I think that docks like Docky and Avant Window Navigator do things better in some ways, grouping open windows under the icon of their common program. Now what I'd really like to see in Gnome 3 would be the quick launch bar having some of the functionality of a dock, with icons indicating which programs have windows open, and hovering over the icon producing a pop up list- something like this Docky Screen shot.

Update: I just realised that Gnome does have this functionality- icons that have windows open are indicated by a very subtle down glow (so subtle I'd missed it) and right click brings up the menu.

Sunday, August 21, 2011

MP3 in Fedora 15

I've been using a Fedora 15 Live USB to test Gnome 3, and also looking at how easy Fedora 15 is for everyday tasks. Probably one of my most common everyday tasks on Linux is listening to MP3s and watching rips of TV shows and films. I was able to do this on Fedora 15 without much trouble, by following a series of notifications and advice links. Today I came across a review of Fedora 15 where the author (a person with a lot more IT experience than me) has gone down the same road as me but somehow failed to reach the end.
Movie player is default application for MP3 files and it suggests to search for MP3 plugin. Of course I want to search. And search is... unsuccessful. Manual search in Package Manager is also unsuccessful. You probably know that MP3 support in Fedora is famous topic.
This has inspired me to write a walk-through for anybody struggling to listen to MP3s or play a movie in Fedora 15. (I've chosen a video file for this walk-through because I get video and MP3 working in one swell foop.)

The review writer has done what I did, tried to play a file and seen a notification about missing plugins and an option to search for them:


Here we go with the search:


And my search is also unsuccessful:


(I think that notification should really say Failed to find plugin.)

However, if the review author had clicked the More information button, he would have found the answer. The button launches the Fedora Project Wiki page:
If you're seeing this page, it is probably because you tried to search for something in PackageKit, but it could not find what you were looking for in the Fedora repositories. Look at the contents below to find information about specific issues you might encounter.
Scroll down the page and you'll find that the decoders you need are actually codecs which cannot be included in the Fedora repository because they are "patent encumbered or under an unacceptable license", and that you need to get them from a third party repository. Follow the link and you'll be offered several. I've used rpmfusion.org before, so I clicked on that, and then on the Enable RPM Fusion on your system link. I opted for Graphical setup via Firefox web browser, and selected Fedora 15. This brings up the option to open an rpm file:


After the download, there's a prompt to install the file:


A request for additional confirmation:


[Update: Repeat the process for the nonfree repository.]

Now we go back to our media file and try to play it again. We get the same notification about missing plugins- but don't be disheartened:


This time the search finds the plugins we need (in the third party repository we added, of course).


And we get another request for additional confirmation (and a chance to look at the packages that are going to be installed).


Then we are asked if we trust the source of the packages. (This is important! In this case, we can trust the signed packages from this trusted source, but clicking through confirmation dialogues like this without being sure is not a good habit to get into.)


And finally we can watch our film. (And listen to MP3s too, as the film required the MP3 codec.)



Update: Tried this procedure myself after a clean install of Fedora 16, and although video worked, MP3 coded audio in video (or indeed, just MP3 files) wouldn't.
In the end the solution was to manually install the GStreamer streaming media framework "ugly" plug-ins and the Non Free GStreamer streaming media framework "bad" plug-ins.

Wednesday, August 17, 2011

Printing and scanning with HP Deskjet 3050 on Fedora 15

I've been running Fedora 15 from a Live USB drive, primarily to test Gnome 3, but I've also been wondering how easy it would be to do all the things I need to do on my computer on Fedora 15.
Today I tried to use my printer to print and scan. It's an HP deskjet j610 wireless printer/scanner which I'd previously configured in Debian and now connects to my router. In Debian Squeeze I'd had to manually install the latest version of the HP printer software hplip, because new versions of the software come out regularly to support new printers and Squeeze came with a version in the repositories that was too old to recognise my printer. Fedora 15 has just been released, so I hoped it would come with HP software up-to-date enough to work with my printer.
I managed to print fairly easily. I went to Applications>Other>Printing and my printer was listed as a Network printer. Adding the printer prompted for the download of an HP driver, and after installing the driver, I was able to print a test page.
Scanning was more of a problem. Simple Scan was installed but couldn't see my scanner. I reckoned I would need hplip again, so I installed that [from the Fedora repository, not from HP]. I found I also needed hplip-gui. However, the hplip GUI didn't automatically discover my printer, and I had to add the printer's IP address (look in the router's DHCP Client List or print the report in the wireless section of the printer menu) using Manual Discovery.


After the manual discovery, hplip recognised my printer and I could do a scan in Simple Scan. However, I also found the HP Deskjet 3050 was listed twice in Printers now, so installing and setting up hplip might be the best way to set up the printer. hplip can also check ink levels, which is useful.

[I did this from a Live USB- in an actual install, I had to enter username root and the root password  to add the printer.]

Tuesday, August 16, 2011

Microsoft's bad reputation(s)

A new report claims that Internet Explorer 9 is far better at blocking socially-engineered malware than other browsers. (This is malware which tricks the user into installing it rather than looking for security weaknesses in software to install automatically.) IE9 is claimed to have a 96% protection rate, and its closest rival only a 13% protection rate.

Normally I'm quite sceptical of reports like this because they often turn out to have been sponsored by the firm that did so well, and that the test proves to have been biased in some way to favour the sponsor's product.
In this case, this doesn't seem to be true. The test is not Microsoft funded and the testing organisation seems to have gathered its own test samples. (However, Trend Micro has contested the findings.)
Microsoft has achieved this success using something it calls SmartScreen URL Reputation and Application Reputation. In other words, they are trying to blacklist every malicious URL that comes into existence, and whitelist every good download that exists on the web. Their users will be warned if a web site is malicious or if a download is not known to be good.
How does Microsoft identify malicious URLs? windowsteamblog.com explains:
SmartScreen's reputation systems begin with telemetry feeds: reports from end users, data from third parties, traffic from URLs showing up in e-mail, logs from our services, etc. Some of these feeds contain billions of URLs per day. Other feeds contain URLs that a third party has certified to be known phishing sites, and still others contain little more than the fact that an URL has appeared in spam e-mail messages.
(End users? Does that mean that Microsoft checks every URL Internet Explorer users visit? Well, as Microsoft call it a cloud-based URL-reputation service, I would imagine yes. Cloud based would imply that URLs are sent to the mother ship to be categorised good or bad, or investigated if unknown.)

These feeds are checked largely by an artificial intelligence, but in some cases by human analysts.
we take every URL in every feed and use machine learning to predict the probability that the URL is abusive. At a high level, this involves examining each URL for suspicious substrings (for example, the word "pharmacy" in the URL), looking up the history of the URL–its associated domain, IPs, DNS servers, routers, subnets, ASNs–and combining these into tens of thousands of potentially predictive features for the URL. We then apply models based in machine learning, which pore over these features and separate the abusive URLs from the honest ones. Most of the time, we are confident enough in the findings of our machine learning engine that we can flag a URL as abusive based on this recommendation alone. Sometimes a URL is suspicious but we're not certain; we send many of these suspicious URLs to our analysts for final classification.
Microsoft seems to be being quite aggressive in extending this list of suspected malicious URLs:
With the right evidence, SmartScreen's reputation system will flag whole domains as abusive.

URLs and domains are concepts that let humans refer to computers. But every computer that's directly on the Internet also has a numeric code, called its IP address, that lets other computers refer to it. For example, 109.22.33.142 might be the IP address of the computer that's running the web server that's hosting the canada-pharmacy.us domain. SmartScreen's reputation system tracks these as well and will mark specific web server IP addresses as abusive. SmartScreen will also generalize to other computers "in the neighborhood" of known bad ones. For example, IP addresses are often allocated in blocks, and it's likely that the person who owns 109.22.33.142 also owns 109.22.33.143 and .144 and .145. We use knowledge about the way infrastructure blocks are allocated–into subnets, ASN (Autonomous System Number) blocks, the way message routing works, and more–to figure out what other computers the abusers own, and prevent those abusers from attacking Microsoft customers.

DNS servers are another key to SmartScreen's reputation system. DNS servers translate the URLs that you type into your browser into the IP addresses used by computers. SmartScreen assigns a lower reputation score to DNS servers that seem to know just a little bit too much about abusive domain names.
The aim is to increase the "costs that abusers incur as we dig deeper into their infrastructure".

Source: windowsteamblog.com.
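
The "in the neighborhood" generalization quoted above trades coverage against false positives, which is the concern raised in the rest of this post. The sketch below is an added example, not Microsoft's algorithm or code from the source: it flags a whole address block once enough reported addresses fall inside it, then counts how many warnings land on legitimate hosts. The addresses (RFC 5737 documentation ranges), the ground-truth labels, the function names and the `min_reports` threshold are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed feed of reported-bad server addresses (documentation ranges).
REPORTED_BAD = ["203.0.113.142", "203.0.113.143", "203.0.113.144", "198.51.100.10"]

# Constructed downloads users attempt later: (server IP, is it really malicious?)
DOWNLOADS = [
    ("203.0.113.142", True),    # already reported
    ("203.0.113.145", True),    # same operator, not yet reported
    ("203.0.113.20", False),    # unrelated customer in the same /24
    ("203.0.113.77", False),    # unrelated customer in the same /24
    ("198.51.100.10", True),    # already reported
    ("198.51.100.200", False),  # shares a /24 with a single bad host
    ("192.0.2.5", False),       # block with no reports at all
    ("192.0.2.6", True),        # new malicious host with no reported neighbours
]


def flagged_networks(reported, prefix_len, min_reports):
    """Return the /prefix_len networks holding at least min_reports reported IPs."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in reported
    )
    return {net for net, n in counts.items() if n >= min_reports}


def evaluate(downloads, reported, prefix_len, min_reports):
    """Warn on reported IPs and on anything inside a flagged network, then score."""
    reported_set = {ipaddress.ip_address(ip) for ip in reported}
    nets = flagged_networks(reported, prefix_len, min_reports)
    true_pos = false_pos = missed = 0
    for ip_text, is_malicious in downloads:
        ip = ipaddress.ip_address(ip_text)
        warned = ip in reported_set or any(ip in net for net in nets)
        if warned and is_malicious:
            true_pos += 1
        elif warned:
            false_pos += 1      # legitimate site tarred by its neighbours
        elif is_malicious:
            missed += 1         # malware that drew no warning
    warned_total = true_pos + false_pos
    return {
        "warned": warned_total,
        "true_pos": true_pos,
        "false_pos": false_pos,
        "missed": missed,
        # Share of warnings shown for legitimate downloads.
        "fp_share": false_pos / warned_total if warned_total else 0.0,
    }


if __name__ == "__main__":
    # From exact-match blocking to increasingly broad neighbourhood blocking.
    for prefix_len, min_reports in [(32, 1), (26, 2), (24, 2), (24, 1)]:
        result = evaluate(DOWNLOADS, REPORTED_BAD, prefix_len, min_reports)
        print(f"/{prefix_len} min_reports={min_reports}: {result}")
```

On this constructed data, widening the block from /26 to /24 catches no additional malware but puts warnings on the legitimate neighbours, and lowering the report threshold raises the false-positive share further.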

But is Microsoft being too aggressive in blocking URLs, and downloads, because the Application Reputation system is also URL based?
The Sophos nakedsecurity blog contends that there is a 30-75% chance that Application Reputation warnings will be a false positive.
There's certainly evidence that Microsoft is sometimes getting it wrong:
Ever since the release of Internet Explorer 9, we (and other smaller sites) have been plagued by visitors who, when they attempt to download our stationery files, see a strong warning in Internet Explorer 9 about downloading and installing our files. This is worrisome. Even visitors who have been downloading our stationery for over a decade are writing and expressing their concern about the safety of our files.

We’ve changed nothing as far as the way our files are created. The problem lies with Microsoft and Internet Explorer 9′s obviously misnamed, SmartScreen filter.
And concern that Microsoft's aggressive attitude to abusers is damaging legitimate users:
When users who know us and have trusted us for years write us expressing their concern, what do you think users who have just discovered our site are going to do? You’re right: They’re going to leave and never come back. There is nothing we can do about it – Microsoft doesn’t care about the damage this kind of thing causes to small, niche sites like ours. They’re concerned about Microsoft and protecting what’s left of its reputation.
thundercloud.net

The Sophos nakedsecurity blog identifies the problem:
Users think, "If this were truly dangerous, it would have simply been blocked, right?" Microsoft's statistics show that in a real world attack 99% of users did delete the file, but this warning message is still a new phenomenon. It will be interesting to see how many click through over the long run.

Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?
The statistics show that at the moment the warnings are causing Internet Explorer 9 users to delete legitimate downloads. Internet Explorer 9 users need to be aware of this issue.

Microsoft may be saving you from yourself (to save its reputation?), but it is handing out some undeserved bad reputations. Don't assume that a SmartScreen download warning means a file is malware, but don't become complacent and assume a warning is a false positive either. Get the balance right.

Monday, August 15, 2011

Fedora 15 Live USB

I've been trying Fedora 15 (and Gnome 3) from a Live USB. I've had a Live CD since the beta but my CD is failing and read errors mean programs fail to launch even if the OS does load. I'd tried a USB installation a year or so ago when I was distro hopping, but without luck. This time the USB boot worked, with only a minor hitch.
I downloaded the Live image from Fedora, and copied it to my USB drive using these instructions. I then bumped up the USB drive in my BIOS boot options and let the computer reboot... to see this message:
isolinux.bin missing or corrupt
I'd made a small error in the device name of the USB. After copying the Live image correctly, I could boot into Fedora.
The USB boot is stable and fast, and fun to play with.
I'm tempted to install it and get used to it, but this is my "production environment" as computers you occasionally do some work on from time to time are described nowadays, and I don't want to be scrabbling to install a printer or scanner or get email working on a new system.
I haven't used Gnome 3 long enough to say anything other than I'm enjoying it so far, except, why did Fedora make the Gnome icon set the default? The Gnome icon set is dull. The icons look like they were created around the same time as Windows 95.




Saturday, August 13, 2011

Fedora 15 has Gnome 3

DesktopLinux.com has the story (although they're too dumb to realise they've posted a screenshot of Fedora 13 running Gnome 2. Epic fail is, I believe, the appropriate colloquial comment on the interwebs).
DesktopLinux.com also reports that Linus Torvalds doesn't like Gnome 3.
I've tried Gnome 3 on the Fedora live CD, and I would love to install Fedora and try it for longer, maybe as a dual boot with Debian Squeeze, but my CD drive is failing and keeps crashing while running live CDs or install disks.
I had to make do with this in-depth trial report from Adam Craig (actually of the Fedora 15 beta). It pretty much sums up my impressions of Gnome 3, and my feeling that people should try out Gnome 3 for a couple of weeks before condemning it. Something that's been round for a long time and we're all used to is not always the best way of doing things. After all, Gnome 2 is basically a Windows 95 paradigm.




Flash player 11 beta

Flash player 11 beta is available from Adobe. As I mentioned in a previous post, if you already have the Flash player installed on Linux, it's just a case of dropping the new file into the right directory.
The big news seems to be 64 bit support (which I don't need) but there are other new features.
I wonder if the new version will work with my web cam?

Tuesday, August 2, 2011

Ripping to be legal in UK

Millions of people regularly convert movies on DVDs and music on CDs into a format that they can move around more easily, although most do not realise that it is technically illegal.

"The review pointed out that if you have a situation where 90% of your population is doing something, then it's not really a very good law," said Simon Levine, head of the intellectual property and technology group at DLA Piper.

BBC News Technology.

Saturday, July 30, 2011

Intelligence quotient and browser usage

OR: Correlation is not proof of causation.

New online study says Internet Explorer users are dumb, smarter users use Firefox, even smarter users use Chrome, but the smartest users use Opera.


Internet Explorer users confirm they are dumb by threatening a dumb lawsuit.

I think the Internet Explorer 6 result may have something to do with my previous post. Does the daily tedium of office life for civil service and other corporate users of IE6 decrease IQ with time?

(Story first seen on the Debian Forum.)

Update: The BBC has the story.
The findings have been treated with scepticism by Professor David Spiegelhalter of Cambridge University's Statistical Laboratory: "They've got IE6 users with an IQ of around eighty. That's borderline deficient, marginally able to cope with the adult world."
Just for fun, I tried searching Google for an image of an Internet Explorer user to see if it matched the description.

LOL.

Image: shoutEx.

Update 2: The story seems to have been a hoax, according to the BBC.

Why Firefox dumped corporate users

From a BBC story on UK government being ripped off on IT:
I'm a civil servant and have to use these IT systems. For all the money that is spent on them I'm using a machine that's 7 years old, has minimal memory and hard-drive capacity, is running Internet Explorer 6, has snail's pace connectivity speed and find it really difficult to do my job. And as you all may know, everything is done on computers these days.
Corporate use = browser fossilisation.

Friday, July 15, 2011

The safest web browser?

(OR: What connects Internet Explorer and Rush Limbaugh)

Surely not a difficult question to answer? Just look at the statistics for security vulnerabilities- especially those that were exploited by malware "in the wild" before a patch was issued and how long those vulnerabilities remained unpatched.

Source: Web Devout.

Historically, the answer would certainly not have been Internet Explorer. It has the worst record for zero-day vulnerabilities leaving the browser open to "drive-by" malware attacks for considerable periods before a patch was released- it has left its users vulnerable to such attacks on numerous occasions.

To my knowledge, Firefox has only exposed its users to one such vulnerability, and only briefly, and only to malware on one specific website, rather than widespread attacks. Still, to my recollection, Opera, although it has had vulnerabilities, has patched these before they were used in malware attacks; the same for Chrome.

So, historically, if I had to guess, Opera or Chrome might get the award. To Microsoft's credit, they recognised the security problems with their browser and recent versions have been a lot more secure. Anybody interested in the original question could look at the data on browser vulnerabilities for recent versions and follow the evidence.

The evidence will tell you the answer- a purely logical process that tends to invoke irrational responses. Why?

The first illogical response is the common statement that Internet Explorer is used by more people and therefore a bigger target and therefore more looked at for vulnerabilities. This excuse ignores the evidence that Internet Explorer is more open to exploit because it has features that other browsers don't have that have their own security weaknesses, such as ActiveX, and because it is more integrated into the Microsoft operating system. It also ignores the evidence that hackers find Internet Explorer easier to hack.

The second illogical response is usually an attack on Firefox, usually along the lines of "Firefox sucks" or similar. Should Firefox users then point out the evidence, they are then often labelled as "fanboys", despite the juvenile nature of their own emotional response- an unsophisticated form of ad-hominem attack known as "projection".

Back to the question- why? And why is it Firefox that is resented by Internet Explorer users? I think the answer is political. The people who resist the evidence that Internet Explorer is not as secure as other browsers often subscribe to a loud-mouthed extreme right wing ideology. Take for example this post to a thread on browser security:
Anything has to be better than FF. (Roll Eyes)
With the signature:
"If you want to make a Conservative angry, tell him a lie. If you want to make a Liberal angry, tell him the truth." - Rush Limbaugh
Now you could say I'm stretching one comment to make a point.

But the internet long called Poe on the American fringe right's antipathy to Firefox: Exhibit 1, Exhibit 2.

The extreme hard right mentality resents a group of people working together to produce a better browser for free: it undermines their belief in the superiority of free-market capitalism in producing better software, and indeed a better world than any collective, altruistic enterprise run by wishy-washy socialists, as they would see the open-source community.

The idea that open-source software is a tool of socialism designed to undermine capitalism is of course total nonsense. Wherever could the hard right have got that idea from?


(Possibly it's the result of a complete lack of a sense of humour?)

As a footnote, the only thing the hard right hate more than a collective, altruistic enterprise interfering with a commercial enterprise is a collective, altruistic enterprise interfering in the economy itself- which is why the anti-Firefox trolls have turned their attention to climate science and global warming.

Saturday, July 9, 2011

Debian Mozilla Repository engages warp drive

In response to the rapid new Firefox release cycle mentioned in my previous post, the Debian Mozilla team repository has been updated- and users need to update the appropriate lines in their source files, as detailed on the Debian forum.
In short, the new line will contain "release" for the latest version, instead of the version number, which will now change every six weeks or so as new versions are released and older versions are no longer supported.
There is also a beta channel for the adventurous, and an alpha channel (called aurora) for the really adventurous.

Tuesday, June 28, 2011

Firefox release cycle hits warp factor 8

-Too fast for corporate use:

By releasing small, focused updates more often, we are able to deliver improved security and stability even as we introduce new features, which is better for our users, and for the Web.

We recognize that this shift may not be compatible with a large organization's IT policy and understand that it is challenging to organizations that have effort-intensive certification policies [But] tying Firefox product development to an organizational process we do not control would make it difficult for us to continue to innovate for our users and the betterment of the Web.

Kev Needham, Mozilla's channel manager, on computerworld.com.

Asa Dotzler, director of Firefox, puts it more bluntly:
I don't care about making Firefox enterprise-friendly.
computerworld.com again.

How will this affect corporate uptake of FOSS?
Mozilla has basically said that they aren't interested, at all, in corporate deployments. Oh good, a medium-sized business investigating a switch to FOSS now has a strong disincentive to make the switch. Mozilla's rejection of corporate deployments almost certainly hurts other FOSS projects, most notably Linux.
dasein, writing on the Debian forum.

What about Debian users? Squeeze came with Firefox 3.5- by the time Wheezy arrives, Mozilla could have issued Firefox 12. Well, Debian users can get the latest release from the Debian Mozilla team, as mentioned in a previous post.

Saturday, June 18, 2011

Libreoffice arrives in Squeeze backports

I'm using an old Lenny machine at the moment and not my usual Squeeze laptop, but this is something I'm going to try as soon as I get back to it.

Details on the Debian forum.

Update: Official announcement and installation instructions on debian.org.

Mouse pointer highlighter trail in GIMP

The default setting in the GIMP has a mouse pointer highlighter active. It makes working in GIMP difficult- to the point that it's been mistaken for a bug. I came across this issue before- and disabled the highlighter immediately. Using another computer today, I came across the same issue, but I'd forgotten how I'd fixed it- and it took me a while to find the solution. Eventually I found it on Pimp my GIMP.

Go to File>Preferences>Image Windows and untick Show brush outline.

Update: this looks like a Debian Lenny issue: my Debian Squeeze machine doesn't have this problem. Time to update the old laptop I was using when I wrote this post, probably.

Friday, June 10, 2011

Do I need an Anti-virus program on Linux?

This is a question often asked by new users of Linux. (See here.) The short answer often given is no, but that answer often stirs controversy. (See here.)
I haven't used an anti-virus program in Linux for years (although I've tried all the free ones). My answer to the question, as a home user of Linux-only computers who doesn't share files with Windows users, is also no. Obviously I've caveated that answer, and there are plenty more caveats, so here are some points to beware.
  • Saying that you don't need an anti-virus doesn't mean that Linux malware doesn't exist. It does.
  • Saying that you don't need an anti-virus doesn't mean that you don't need to be careful about security in Linux. You do.
  • For new users of Linux, that attention to security means getting software from the distribution's digitally signed software repository, or trusted sources. (For example, I have installed software from Opera and HP in addition to software from the Debian repository.) This guide is not intended for or likely to be useful to more advanced users of Linux.
  • Linux malware exists, but Linux users are very unlikely to encounter it. Don't go downloading packages from the internet and you won't. (Obviously, with so much free software available in distribution repositories, Linux users won't be on crack sites or peer-to-peer networks downloading dodgy executables that claim to unlock Windows programs.)
  • Most Linux anti-virus programs don't do the background scanning of files that Windows anti-virus programs do. If you want to scan a file, you have to do it manually.
  • Why use one installed scanner to scan a file when you could send it to Virustotal and have 30 or so scanners check it? (And please see the point above about not downloading packages from untrusted sources in the first place.)
  • Linux users are simply not affected by the web-borne exploits that install software willy-nilly on Windows systems.
  • Most Linux anti-viruses are primarily intended for file servers, not desktop environments. Yes, an anti-virus is recommended in that situation- beyond the scope of this simple guide. But if you have a dual partition with Windows, or share files with Windows users, yes, an anti-virus is useful- but you'll be looking for Windows viruses.
  • There is no certainty that anti-virus programs will detect a malicious file, as I demonstrated here and here.
  • Linux anti-virus programs are meant as file scanners, not system scanners- scanning the /root (system) directory is likely to result in a lot of frightening warnings (for the new user) which actually don't indicate any sort of infection. See here and here.
  • Institutional network users running Linux may well be asked to use an anti-virus program- I'm not here to contradict your system administrator. Mostly the concern is that Linux users will pass Windows malware around. But there is also the possibility that these users will have valuable information and may be targeted by criminals- and receive a Linux Trojan in their email inbox, for example.
  • Where untrusted and possibly malicious people have physical access to a computer, there is the possibility that they may try to run malicious software. This area is outside my experience. Untrusted people don't use my computer. In institutional situations like this, the answer may be yes, an anti-virus might be a good idea. Listen to your system administrator or consult a more advanced guide.
  • Most of the people advising that home users of Linux need an anti-virus program are Microsoft shills spreading FUD. The idea that you can run a computer connected to the internet without anti-virus protection or risk of infection tempts users away from Windows, and Microsoft has never been above a little black propaganda. More importantly, these people don't actually look at the evidence when they tell you it's not safe to run Linux without an anti-virus.

Thursday, May 26, 2011

Google country settings

I'm abroad for a while, using my old Lenny laptop, and doing some Googling this morning, I noticed I was getting results from google.com- not what I wanted as I was looking specifically for UK based advice pages on a certain topic and was seeing US pages. I remembered that I'd been able to set Firefox to use google.co.uk on my other laptop while abroad- fortunately I found the link again. The Mycroft Project has a page that allows you to set Google search in Firefox to get results from just about any country's own Google page.

Wednesday, May 11, 2011

Virtual browsing

My two previous posts remind me of this site somebody pointed me to recently. It purports to test recent malware against quite a few if not most of the best Windows security products. I think these tests are a better indication of the effectiveness of security products (anti-virus, anti-spyware etc.) than tests against a huge bank of malware samples. In such tests, security products often score 96-97% in detecting malware; in tests like this, they score far lower- 40-60%- because "0-day" malware is designed to evade detection- and largely does.
This is why the results obtained by DefenseWall (a product I'd never heard of) impressed me: 100% protection. How do they do it? Well I checked the product web site, and it seems DefenseWall is a virtual system: a computer within a computer. av-comparatives.org has a review. (The DefenseWall site seems to have disappeared, so I don't know if the product still exists.)
Running a virtual system is one way to beat malware- until the virtual system is breached, and you need to run the virtual system in a virtual system to remain secure- but it must carry a performance penalty.
While Windows users are running virtual machines and sandboxes to remain secure, I'm running Linux with no layers of virtualisation, no sandboxes, no HIPS or behaviour blocker- indeed, no security products at all to slow down my computer. Of course it's possible to argue that this security is down to Linux's low profile rather than inherent superior security, but for the moment at least Linux is ipso facto more secure.

Chrome's sandbox compromised?

A French security research firm boasted today that it has discovered a two-step process for defeating Google Chrome's sandbox, reports Brian Krebs.

A comment has a solution:
Chrome is in fact one of several browsers that I utilize, but each Internet facing application on my system also runs in an “untrusted” state in a DefenseWall sandbox. So when I’m running Chrome, it’s like having a sandbox encapsulated in another sandbox.
And so ad infinitum.

100% Safe browsing in Windows

100% safe browsing has finally arrived in Windows:
German security company released a version of Firefox 4 that runs independent of the operating system on a client PC and automatically contains malware that may be downloaded via Firefox.
How is this achieved?
The browser version, originally developed upon request by the German government, is quite possibly the most secure browser you can use today. The software called BitBox (Browser-in-the-box) Virtualbox 4.04 comes as a self-contained package with a stripped version of Debian 6 Linux and runs within a virtual machine environment. The browser itself is isolated from the actual host computer, which does not have access to websites when the Sirrix browser is used.
Hey, that's really great. But couldn't I be just as secure by running Firefox on Debian? Oh wait, I already am! ;-)

Get recent Mozilla packages in Debian

Debian stable releases come with a re-branded version of Firefox (and a re-branded Thunderbird is available too). However, the version doesn't get upgraded, so Lenny users still have Iceweasel 3.0.6 (unless they've got 3.5.16 from backports) and Squeeze users 3.5.16.
The Debian Mozilla team "provides various versions of some Mozilla related packages for use on different Debian systems". There's a wizard to help you find the packages suitable for your system.
If I'd known about this, I probably wouldn't have installed Firefox on Squeeze- I'd've gone for an updated Iceweasel and saved myself the manual updates (3.5.16 has an annoying bug in the way it handles dark menus in Gnome, which was fixed in 3.6).

Sunday, May 8, 2011

Enable hardware-accelerated OpenGL drivers on ATI X1600 in Debian Squeeze

If you have an ATI X1600 graphics card, are running Debian Squeeze and enjoy fragging bots in Open Arena, and find that you can't run the game because hardware accelerated video isn't working and the game runs like cold treacle, try adding the debian-multimedia.org repository and updating libdrm-intel1, libdrm-radeon1, libdrm2. These libraries...
...implement the userspace interface to the kernel DRM services.
DRM stands for "Direct Rendering Manager", which is the kernelspace portion of the "Direct Rendering Infrastructure" (DRI). The DRI is currently used on Linux to provide hardware-accelerated OpenGL drivers.
There must be some sort of patent-encumbered aspect of these libraries that is disabled in Squeeze, because installing the updates from debian-multimedia.org allowed me to run the game at full speed.

Debian Multimedia wants to update packages

Enabling multimedia in Linux often means installing packages from outside the main distro repository, excluded because they are not free software or because there are legal restrictions on their use- proprietary video drivers and codecs covered by patents, for example.
In my current installation of Debian Squeeze I had to enable some proprietary firmware for my video and wifi cards, and to install some patent-encumbered packages to decode MP3 files. This I did from the Debian non-free repository.
I haven't had any problem playing multimedia content (I had also installed Adobe Flash from non-free, but that's it as far as I recall) but today I needed to install a package from debian-multimedia.org to enable MP3 decoding.
I was going to just install the one package since I haven't had any trouble with other multimedia content, but I noticed that Synaptic was telling me that there were updates available for several packages. This worried me because the only information Google was bringing up was a Debian Q&A question that suggested these updates could break things that work in Squeeze- like video playback.
I did some more digging and found this more reassuring comment on the Debian forum:
Many (most?) of the packages that he has available are not available in the official repos, for one reason or another (patent issues being a big one). If packages are in both, his versions usually have things turned on that are not available in the official repos (often encoders of various types, again often related to patent issues). (Since he's located in France software patent issues that are applicable in the USA don't affect him).
I went back and checked the updates debian-multimedia.org had made available and noticed these: libdrm-intel1, libdrm-radeon1, libdrm2.

The information on these libraries says:
This library implements the userspace interface to the kernel DRM services.
DRM stands for "Direct Rendering Manager", which is the kernelspace portion of the "Direct Rendering Infrastructure" (DRI). The DRI is currently used on Linux to provide hardware-accelerated OpenGL drivers.
Could these packages from debian-multimedia.org have something turned on that isn't turned on in the Squeeze version? Hardware-accelerated OpenGL drivers caught my eye. I'd been a fan of Open Arena in Ubuntu. Lenny didn't have drivers for my video card that supported 3D effects; Squeeze does but Open Arena was as slow as treacle on a cold day.
Could there be a patent-encumbered aspect of Squeeze support for my video driver that I was missing?
I took the plunge, installed the updates, rebooted and tried Open Arena again. Was I to be disappointed again, or could I frag some bots at last? Please see my next post.

How to enable mp3 output in SoundConverter

SoundConverter is a program I've used before to convert sound files to a format that will play on my MP3 player (basically just that as it plays only MP3 and WMA files). I converted some MP4 files to MP3 format, probably in Ubuntu at the time [EDIT: Actually it was in Lenny: I've been here before and forgotten]. Now MP3 encoding requires LAME, which due to some patent issues, is not installed in most Linux distros by default. In Ubuntu, it's in the multiverse repository. A post on the Debian forum today reminded me of the issue- I checked and found I hadn't even installed SoundConverter on my Debian Squeeze. When I did install it, of course MP3 encoding wasn't enabled.
A quick Google search brought up instructions for enabling MP3 output in the major Linux distros. I added the debian-multimedia.org repository as instructed and installed the gstreamer0.10-lame package, after which MP3 output was enabled.
But that's not the end of the story. I noticed that after I had added the debian-multimedia.org repository, Synaptic was telling me there were updates available for several packages. At first I couldn't find any information about why this might be, and was wary about letting a third-party repository update packages, but then.... well, I think this will have to be another post.

Saturday, May 7, 2011

Adobe Flash Player 10.3 Release Candidate

Adobe have a release candidate for their Flash player. I have installed the flashplugin-nonfree package in Debian from the contrib repository, so trying out the release candidate simply involved downloading and unpacking the Flash Player 10.3 Release Candidate 1 tar.gz from Adobe, and dropping libflashplayer.so into /usr/lib/flashplugin-nonfree.

Friday, May 6, 2011

2.6.39 kernel will drop 686 flavour

Updating my Linux kernel recently in Squeeze (and previously in Lenny), I had to choose a 'flavour' to match my CPU architecture. For me this was the 686 flavour- compiled and optimised for modern multi-core chips.
An email from Debian Project News recently informed me that the 686 flavour kernel is to be dropped.
From the information linked to at Ben's technical blog, it seems I'll be able to use the '686-bigmem' flavour- even though my computer only has 1GB of memory- with a tiny hit on performance but a slight security advantage:
Even those that have less than 4 GiB RAM do support PAE and can run the '686-bigmem' flavour. There is a small cost (up to about 0.1% of RAM) in the use of larger hardware page tables. There is also an important benefit on recent processors: the larger page table entries include an NX bit (also known as XD) which provides protection against some buffer overflow attacks, both in the kernel and in user-space.
There are a few 686-class processors that won't be able to use 686-bigmem and which will have to use the 486 flavour- apparently with a performance gain (see the blog for details).
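To see which side of that split a machine falls on, the CPU flags in /proc/cpuinfo can be checked for "pae" and "nx". The following is an added example, not from Ben's blog or from Debian: the function names and the two sample cpuinfo excerpts are constructed for illustration, and the flavour choice simply follows the rule described above (686-bigmem needs PAE, otherwise 486).

```python
import os

# Constructed /proc/cpuinfo excerpts (not captured from real machines).
SAMPLE_NO_PAE = """\
processor : 0
model name : constructed example CPU without PAE
flags : fpu vme de pse tsc msr mce cx8 sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2
"""

SAMPLE_PAE_NX = """\
processor : 0
model name : constructed example dual-core CPU
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 nx
processor : 1
model name : constructed example dual-core CPU
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 nx
"""


def cpu_flags(cpuinfo_text):
    """Return the flags that every processor entry in the text reports.

    Raises ValueError if no "flags" line is present, so that a truncated or
    non-x86 cpuinfo is not silently treated as "no PAE".
    """
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            per_cpu.append(set(value.split()))
    if not per_cpu:
        raise ValueError("no 'flags' line found in cpuinfo text")
    return set.intersection(*per_cpu)


def kernel_flavour(cpuinfo_text):
    """Pick the 32-bit flavour and report whether NX can be used.

    On a 32-bit kernel the NX bit lives in the larger PAE page table entries,
    so NX counts as usable only when both "pae" and "nx" are reported.
    """
    flags = cpu_flags(cpuinfo_text)
    pae = "pae" in flags
    return {
        "flavour": "686-bigmem" if pae else "486",
        "pae": pae,
        "nx": pae and "nx" in flags,
    }


if __name__ == "__main__":
    # Use the real file when present; otherwise fall back to a constructed sample.
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PAE_NX
    print(kernel_flavour(text))
```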

Thursday, May 5, 2011

Linux kernel wonder patch hits Debian Squeeze

Linux kernel 2.6.38 has arrived in Debian backports. I installed it using the guide at backports.debian.org. Linux kernel 2.6.38 contains a much-hyped wonder patch.
I rebooted and observed... no noticeable difference in performance. But then I wasn't running a HD movie, compiling a complex program and running a 3D game stress test- if you do, you might.
The patch is also reported to improve web page load times with a busy CPU, by none other than... Linus Torvalds.
Now if only I weren't such a slacker my CPU might be busy enough to test this, but no.... CPU usage at about 5%.

Tuesday, April 26, 2011

Gnome users are revolting

There are claims that Gnome 3 is too dumbed down for Linux users. I have to admit I'm a little frustrated at not being able to test Gnome 3 properly, because my CD drive is failing, causing my Fedora 15 beta live Gnome 3 session to crash regularly.
One of the main objections to Gnome 3 seems to be the lack of minimise and maximise buttons on windows. However, I have been able to try out the way Gnome 3 handles windows, and it seems intuitive and more efficient in a minimalist way than the previous method. "Everything should be made as simple as possible, but not simpler,"* said Einstein, and to my mind the Gnome team have done this: "Made of easy" indeed.
Of course there is no bottom panel to minimise windows to. Grabbing a window and bumping it up to the top panel will automatically maximise the window; grabbing it again and pulling it down will minimise it to the desktop.
Simple. And elegant.

* Apparently actually a paraphrase (for understandable reasons) of: "It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience."

Wednesday, April 6, 2011

Revoke fraudulent Comodo digital certificates

Fraudulent digital certificates were issued by the Comodo Certificate Authority, for sites such as Microsoft Live, googlemail, skype and Mozilla addons. Potentially, visitors to fake sites with these fraudulent certificates could have been deceived into thinking they were the real site. Apparently the fraud was detected before this could happen. The fraudulent certificates have been revoked, and browsers with certificate revocation checking enabled will identify the certificates as invalid. Some browsers have automatic revocation; in others it has to be enabled. It's also possible (in Firefox at least- I haven't tried it in other browsers) to manually import a revocation list. Details here at nakedsecurity.

Tracking cookies

F-Secure has a good write up on tracking cookies. Ed Bott tells how to eliminate them. The only problem with this method is the rare occasion when an action on a website requires a third-party cookie. (Logging into WordPress seems to do so.) I've looked at a couple of Firefox extensions that block tracking cookies while still allowing third-party cookies. They are Ghostery and the Easy Privacy list for Adblock Plus. Both seem to work well.

Gnome 3 is finished- when can I use it?

Gnome 3 seems to be finished. It looks great. When can I use it on an installed Linux distribution? In May, on Fedora, and in October, in Ubuntu. On Debian Stable, I'll have to wait a couple of years. I'd be tempted to install Fedora, but my CD drive is failing.

Update: Status of Gnome 3 in Debian.
Dark green means Gnome 3 packages are up to date in Debian Testing. As you can see, there isn't much dark green.


Update: apt-get install debian-wizard has a good post on installing Gnome 3 in Debian: in summary, as a comment points out, Gnome 3 may be "made of easy", but installing it on Debian Squeeze isn't: it's for Linux experts only, requiring Debian Testing plus Experimental repositories. The blog does hint at what may be the best compromise for Debian Squeeze users eager to try Gnome 3: install Testing and wait for Gnome 3 to "land" there. The status site linked to above shows that Testing is making progress towards Gnome 2- but no ETA yet!

Thursday, March 31, 2011

Malvertising

Malvertising is where third-party ad servers serve up "poisoned" ads- fake anti-virus scams usually comprising a bit of social engineering and an exploit kit to make it a drive-by download if the social engineering fails. The attraction for cyber criminals is that they can get access to mainstream web sites by hacking third-party servers, or ad feeds into those servers- they can attack the weakest link and see their malware on the most trusted websites.

I've noticed a few stories about malvertising today, and a few different points leap out of the stories.

The BBC has a story here about malware on a government-backed website. Not that that surprises me- I've been saying for a long time that the idea that if you're careful where you surf, malware won't be a problem is deluded. What I noticed was this statement:
The exploit only affected users of Internet Explorer, including the most recent versions. Other browsers, including Firefox, were not affected.
Really? This is an exploit to which even the most recent versions of IE are vulnerable? Well, I've also been saying for a long time that Firefox is a safer browser for Windows, and I recently posted about IE getting pwned, but is IE really wide open to an exploit? (Since switching to Linux, I've followed the browser wars with less interest.)

The BBC has another story about malware on the London Stock Exchange site. The following grabbed my attention:
Security expert Paul Mutton fell victim when he viewed the site on 27 February.

He visited the LSE homepage to find out why some people reported that they could not access it.

The site was blocked by Firefox, he said, but accessible via Google's Chrome browser.

"It seemed to work with Chrome but then a few seconds later, without having to click on anything, pop-ups started to appear," he said.

The malicious code closed down several of the programs Mr Mutton was using and stopped new ones being started.

"I visited the site and it compromised my machine," said Mr Mutton.

Now if I was a security expert and had to visit a suspect site, I'd do it in Linux, to be honest. I assume Paul Mutton is a real security expert (this is the BBC) and had his system up-to-date (no vulnerable versions of Adobe PDF or Sun Java or Macromedia Flash installed), so where was the zero-day vulnerability? In Chrome, for all its claims of sandboxing? Or in the OS? Or in some other web-facing application?

My final BBC story reports on malware in Spotify. This story actually allows me to identify the vulnerability exploited: unsurprisingly, it's a fairly old vulnerability in Adobe PDF software, affecting version 8.1.2, when Adobe is now shipping 9.4.2. These sorts of exploits (affecting software other than the browser and OS, such as PDF readers) are actually as much of a risk as zero-day browser or OS vulnerabilities (meaning Microsoft, if you use IE on Windows), which is why I found the previous two stories so surprising, as they suggest zero-day exploits in browsers or Windows.
"Users with anti-virus software will have been protected," Spotify said in a statement.
Well, if you check the VirusTotal report available by following the links, you'll find this is horseshit- vulnerabilities may be years old, but if you still have the vulnerable software installed years later, you'll still be vulnerable to the latest malware, and the chance of your anti-virus program detecting that malware is slim.