Thursday, March 31, 2011

Malvertising

Malvertising is where third-party ad servers serve up "poisoned" ads- fake anti-virus scams usually comprising a bit of social engineering and an exploit kit to make it a drive-by download if the social engineering fails. The attraction for cyber criminals is that they can get access to mainstream web sites by hacking third-party servers, or ad feeds into those servers- they can attack the weakest link and see their malware on the most trusted websites.

I've noticed a few stories about malvertising today, and a few different points leap out of the stories.

The BBC has a story here about malware on a government-backed website. Not that that surprises me- I've been saying for a long time that the idea that if you're careful where you surf, malware won't be a problem is deluded. What I noticed was this statement:
The exploit only affected users of Internet Explorer, including the most recent versions. Other browsers, including Firefox, were not affected.
Really? This is an exploit to which even the most recent versions of IE are vulnerable? Well, I've also been saying for a long time that Firefox is a safer browser for Windows, and I recently posted about IE getting pwned, but is IE really wide open to an exploit? (Since switching to Linux, I've followed the browser wars with less interest.)

The BBC has another story about malware on the London Stock Exchange site. The following grabbed my attention:
Security expert Paul Mutton fell victim when he viewed the site on 27 February.

He visited the LSE homepage to find out why some people reported that they could not access it.

The site was blocked by Firefox, he said, but accessible via Google's Chrome browser.

"It seemed to work with Chrome but then a few seconds later, without having to click on anything, pop-ups started to appear," he said.

The malicious code closed down several of the programs Mr Mutton was using and stopped new ones being started.

"I visited the site and it compromised my machine," said Mr Mutton.

Now if I was a security expert and had to visit a suspect site, I'd do it in Linux, to be honest. I assume Paul Mutton is a real security expert (this is the BBC) and had his system up-to-date (no vulnerable versions of Adobe PDF or Sun Java or Macromedia Flash installed), so where was the zero-day vulnerability? In Chrome, for all its claims of sandboxing? Or in the OS? Or in some other web-facing application?

My final BBC story reports on malware in Spotify. This story actually allows me to identify the vulnerability exploited- unsurprisingly, it's a fairly old vulnerability in Adobe PDF software- affecting version 8.1.2, when Adobe is now shipping 9.4.2. These sorts of exploits (affecting software other than the browser and OS- such as PDF readers) are actually as much of a risk as zero-day browser or OS vulnerabilities (meaning Microsoft, if you use IE on Windows), which is why I found the previous two stories so surprising, as they suggest zero-day exploits in browsers or Windows.
"Users with anti-virus software will have been protected," Spotify said in a statement.
Well, if you check the VirusTotal report available by following the links, you'll find this is horseshit- vulnerabilities may be years old, but if you still have the vulnerable software installed years later, you'll still be vulnerable to the latest malware, and the chance of your anti-virus program detecting that malware is slim.

Wednesday, March 30, 2011

Firefox 4 borked by Compiz bug in Linux

As mentioned in a previous post, Firefox 4 is suffering badly from a known bug in Compiz on Linux. After coming out of a screen saver, menus will disappear when hovered over.
Minimising and maximising the browser will fix the problem, but for a permanent fix, the only solution seems to be to disable Compiz until a newer version of Compiz arrives in your distro. For Ubuntu users, that will be soon- Natty has the fix. For Debian users like me, Compiz will be disabled for quite a while.

Friday, March 25, 2011

Return of the Living Dead Part II

A while ago I wrote about some annoying bugs that had affected me in Ubuntu, but not in Debian Lenny, and how they had "come back from the dead" in Debian Squeeze.
I've just worked out that two of the bugs (failure of copy and paste in Firefox and disappearing controls in Totem in full screen) were actually the same bug- a problem with Compiz described here. Another manifestation of the bug was in the "awesome bar". Typing a letter in Firefox's address bar usually brings up previously visited web sites beginning with or containing that letter- but on occasion this would not happen. All these unexpected behaviours result from the fact that in Compiz "somehow inactivity messes up the order of 'layers' to draw and stuff that is supposed to be on top is drawn below other windows" (Vaphell).
The bug has an even bigger impact on Firefox 4, with right-click menus and even the main menu disappearing when hovered over- a show stopper of a bug.
The head shot required to kill these bugs seems to be to disable Compiz.
The Firefox 4 Compiz bug is discussed on the Debian Forum, the Ubuntu forum, and the Linux Mint forum.

Wednesday, March 23, 2011

Firefox 4- needs polish

Firefox 4 is out. There are plenty of comprehensive reviews out there, so I'm just going to look at a couple of features that caught my eye. These are features Opera has had for a while, so I'm going to compare Firefox 4 to Opera 11 (on Debian Squeeze)- it's FOSS Vs. Proprietary.
Firefox 4 has removed the menu bar and replaced it with a drop down menu button in the tab bar- this is certainly an idea I like as it gets rid of some wasted screen real estate. This is how the Firefox 4 and Opera 11 implementations compare.


I think Opera has the edge here- its menu button is neater, and the tabs more readable on a dark theme. (The Firefox menu button doesn't seem to give access to all the options present in the menu bar, for example View>Sidebar, so it looks like it's functionally less polished as well.)

Firefox 4 also introduces tab management, called Panorama- a feature Opera 11 already has in tab stacking. Here's how they compare:





For me, the Opera method is better. Firefox's Panorama requires you to fiddle around with the size of tab group windows, whereas in Opera's tab stacking, thumbnails are automatically grouped and displayed when hovering over a tab stack. Tab stacking is also more immediate in that you can just flick one tab on top of another, without changing window.
A big problem with Firefox's Panorama window is that thumbnails are very low resolution, and when clicking on a thumbnail, that thumbnail is maximised to full screen to become the web page depicted, but intermediate images are just the low resolution thumbnail magnified, which appears ugly, even disconcerting.
Opera's implementation is more polished; Firefox's functional but visually cruder.
Firefox 4 needs more polish: automatic sizing of windows in Panorama, and a smoother change from thumbnail to full screen browser page.

Thursday, March 17, 2011

Qt4 GUI Styles

Qt4 is a cross-platform application and UI framework. It has a configuration manager in System>Preferences (or enter qtconfig-qt4 in a terminal).
If Qt4 applications don't look quite right on your desktop, try changing the GUI style.

Here is the Qt configuration editor:


Here's KeePassX with the Cleanlooks GUI style:


And with the GTK+ GUI style:


Spot the difference! (I was sure the Cleanlooks style was not right, but couldn't work out why for some time- then I realised, my GTK+ applications have a dark menu bar as well as title bar.)

One Qt4 application is Skype- according to this post, it is hard-wired to use one particular style, but there is a method given to change the style used.

[Update: Skype has a Choose style dropdown menu in Options>General.]

Open as administrator in Nautilus

It's sometimes useful to be able to open a folder as administrator in Nautilus, the Gnome file browser, for example to edit a configuration file or drop a new theme in the root directory for all users to be able to use.
I had enabled this feature in Lenny, but not in Squeeze. This post on the Debian forum reminded me how to do it. (Install nautilus-gksu.)

Password Managers

We all have a large number of passwords to look after- web sites, email accounts, user accounts. How to remember them? Password managers in web browsers help a lot, but they don't remember everything, and we still need to record email and user account passwords- either for other users we've set up or for ourselves on other computers. One option is to simply write them down- perfectly safe in a private place. I have a lot of usernames and passwords scribbled down in an old notebook. Trying to be more organised recently, I started typing them into a text file in my user directory. No bad people have access to my computer, so not really a problem. But just in case, I wondered whether I should encrypt the passwords file in some way. A recent thread on the Debian forum discussed password managers, so I thought I'd give some a try- all available in the Debian repositories.

The first I tried (it seems to be the most popular on the Debian forum thread) was KeePassX. It's a cross platform application and uses Qt4, and at first the GUI didn't fit into my desktop, but using qtconfig-qt4, I was able to get the GUI to use GTK+, like the rest of my desktop GUIs.
A useful feature is AutoType, which will automatically enter username and password details on web pages.

Then I tried Password Gorilla, another cross-platform application. This one required the installation of some cryptographic libraries as dependencies. (I haven't looked into the relative security of encryption methods or library used.) The GUI on this program is seriously old fashioned, and glitchy too- the right click menu disappears before you can select an action. The GUI also locked up for me a couple of times.


I also tried a couple of native Gnome applications. GPass is a simple password manager for Gnome.


Revelation is another.

Both are pretty basic (if competent) applications, although lacking the more advanced features of KeePassX like auto type.

Monday, March 14, 2011

Blue Boot



Here's a Plymouth theme I knocked up using the Moreblue Orbit wallpaper (which is in the Debian desktop-base folder), and the Debian Vizta Plymouth theme.
I've added the Moreblue Orbit wallpaper as a background image to the theme, as described here, changed the Debian logo used to the standard logo, and changed the position the logo swarm appears by editing the Plymouth script.
The GDM splash screen is just the Moreblue Orbit wallpaper minus the Debian logo.
In contrast to my dark Plymouth theme, the lack of integration between Plymouth and the GDM greeter is obvious- the screen turns black for several seconds and the Gnome cursor timer appears. Plymouth themes in Fedora go straight from the Plymouth theme to the GDM splash- without a black screen appearing, so I imagine better integration will arrive at some point in Debian.

Friday, March 11, 2011

Internet Explorer destroyed

Here's a report from Pwn2Own, where hackers try to pwn various browsers for prizes.
Internet Explorer 8 was utterly destroyed by the security researcher Stephen Fewer, who used three various techniques to crack through IE 8's security parts such as ASLR/DEP. He also managed to escape the Protected Mode of IE 8, and that was quite a mesmerizing feat by an independent researcher. Here is what Aaron Portnoy, the organizer of Pwn2Own, said about the amazing feat -
“He used three vulnerabilities to bypass ASLR and DEP, but also escape Protected Mode. That’s something we’ve not seen at Pwn2Own before,” Aaron Portnoy
A good excuse to post the wallpaper above by Joshua Holbrook.

Monday, March 7, 2011

File permissions

I've been having some problems sharing files between users on my computer. So have others, it seems. But I don't think the problem was a bug- rather my failure to use the GUI properly. Now possibly the GUI is not very intuitive, but that's another question.
I'd copied some files from my external hard drive into my home directory, and was trying to give permission to another user to read all the files in the directory, but the "Apply Permissions to Enclosed Files" button didn't seem to be working.
I think I worked out what I was doing wrong. Copying the file from the external disk meant that group access was set to none on files.


Trying to set file permissions for other users to read the file would fail without setting Group>File access to Read-only in the drop down menu in the folder permissions menu, as well as setting file access to other users to Read and write, before hitting the Apply Permissions to Enclosed Files button.


The behaviour of the drop down boxes is a little perplexing. Upon opening the folder permissions menu, the drop down boxes show "---". If an action selected from the box will not change any attribute of an enclosed file (for example, all the files are already Read-only for the named group). Once Apply Permissions to Enclosed Files is clicked, the drop down boxes will again show "---". It would be useful to get a message saying No attributes will change or File attributes have been changed.


Finally, I noticed that moving files from one user's account to another's would leave the owner of the files set as the first user's name, and also the group, making it impossible to change file permissions. Copying the files over means the new files are owned by the user to whose account they have been transferred. To change the owner if necessary, use the chown command. The command below will set owner and group of a directory and file contents to the new user name.
$ chown -R username:username somedir
It seems that Gnome is behaving logically in the way permissions are handled by the GUI, but that that logic is not always intuitive to the user, hence the confusion here. Bruno Girin's post attempts to explain, and hopefully this post will prove useful to somebody in similar confusion to mine. Maybe the Gnome developers could also make the permissions menu a little more intuitive to users.
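
The permission change described above, done from a terminal (an added example, not part of the original post). The function names and the sample tree are constructed for illustration, and it assumes the other user is a member of the files' group.

```shell
#!/bin/sh
# Added example: all paths and file names below are constructed.

# Print entries under "$1" that would stop another group member reading the
# tree: anything without the group-read bit (040), or anything owned by a
# different user (only the owner or root can chmod it, so chown comes first).
audit_share() {
    find "$1" \( ! -perm -040 -o ! -user "$(id -u)" \) -print
}

# Command-line equivalent of Group > Read-only followed by "Apply Permissions
# to Enclosed Files". Capital X adds execute (traverse) only to directories
# and to files that are already executable, so plain files do not become
# executable; go-w removes any write access for group and others.
share_readonly() {
    chmod -R g+rX,go-w "$1"
}

# Build a tree in the state described in the post: directories and files that
# only the owner can access, as after a copy that left group access at None.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/music/album"
    printf 'track\n' > "$d/music/album/01.ogg"
    printf 'notes\n' > "$d/music/readme.txt"
    chmod 700 "$d" "$d/music" "$d/music/album"
    chmod 600 "$d/music/album/01.ogg" "$d/music/readme.txt"
    printf '%s\n' "$d"
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "Not shareable before the change:"
    audit_share "$tree"
    share_readonly "$tree"
    echo "Not shareable after the change (nothing listed means all fixed):"
    audit_share "$tree"
    ls -lR "$tree"
    rm -rf "$tree"
}

demo
```

Anything audit_share still lists after the change is owned by another user, which is the case where chown (run as root) is needed first.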

Sunday, March 6, 2011

Nautilus location bar

It used to be possible to switch between button and text-mode in the Nautilus location bar, but this function was removed some time ago. It's sometimes useful to switch. Rebel Zero describes how to switch permanently, or temporarily from the now default setting of buttons to text.



Friday, March 4, 2011

Skype in Debian

A friend recommended Skype as an alternative to MSN for video chat- so I thought I'd give it a go. Of course I also have to persuade the people I want to chat with to install it, but that will come later.
I'd already bookmarked the Debian Skype Wiki, intending to install Skype at some point. Checking the page again, I found that installation is easy for i386 platforms at least. There is a Skype repository, although there doesn't seem to be a key, so installing brings up a security warning. I used Synaptic to add the repository, update sources and install, rather than edit the sources file and use the command line to update and install- both methods work.
Registering with Skype was easy, but my webcam didn't work. Skype recognised the camera, and the blue light on the camera would flash briefly after hitting the Test button, but no image.
The solution turned out to be the same one I'd used for my webcam not working in Meebo (the web-based chat program that allows me to use MSN on Linux).
It seems that Skype has problems using the latest webcam interface libraries on Linux (not just Debian) and the solution is to tell it to use older libraries.
Simply start Skype from a terminal with this command:
LD_PRELOAD=/usr/lib/libv4l/v4l2convert.so skype
[Update: Ray in a comment says that the above command didn't work for him, but a similar command did:
LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so skype
By coincidence, I came across an explanation on the Arch Linux Wiki webcam page today of what the two commands do and when to use them. It is a little technical, but it's not a problem just to try both and see which works- actually both do for me.]

For convenience, save the command as a script: create a new document on the desktop, in Preferences make it executable, add the following to the file and save.
#!/bin/sh
LD_PRELOAD=/usr/lib/libv4l/v4l2convert.so skype
(The first line tells the computer that this is a script.) Double click on the file and select Run to launch Skype with working web cam.
Skype may of course fix their program to work with newer webcam libraries in the future- so check after any updates- maybe Skype will work with webcams when launched normally at some point in the future.

Tuesday, March 1, 2011

Quod Libet

Rhythmbox (the music player that comes with Debian) is pretty good. Fine most of the time. But it does have a problem with compilation albums. Investigating the issue before, I'd found that Banshee will play compilation albums correctly, but in the process of installing it on Squeeze I noticed it has an obsolete dependency bug, so I gave it a miss. On a whim I tried Quod Libet again. Lenny came with version 1 which didn't impress me too much, but Squeeze has version 2 which is a big improvement. It recognised my compilation albums correctly- and what's more its excellent tag editor allowed me to fix some tagging errors I hadn't noticed before.
The default GUI is pretty basic, but can be customised to show a paned browser, album covers, a search feature, playlists etc. (These features are also available in a separate window.)

The basic GUI:


Album cover view:


The Tag Editor:


The download album art plugin:


Quod Libet comes with many plugins that can be enabled if desired. I really liked the album cover search feature which works really well- no more Google searches and file saving- it's all automatic.
I also used the notify plugin to get new track notifications, and the tray icon plugin to put the music player in the notification area rather than close it completely. (I like to keep the bottom panel for documents and keep my music player separate.) This is probably the weakest feature of the player (although it is only a plugin.) Hovering over the Quod Libet icon only gives track information- not album art and track progress like other players. The panel icon is also indistinct when paused (a bug?)
[Update: not a bug. The plugin superimposes the Gnome paused icon (which depends on the theme selected) over the Quod Libet icon. Unfortunately in a dark panel, the Quod Libet icon does not display well, as it is black with a white border (so only the border shows). Editing the Quod Libet icon to white helps.]
Other plugins worth a look would be the MusicBrainz and CDDB lookup plugins for identifying audio tracks. (I looked previously at other programs using MusicBrainz and CDDB.)
Despite the minor gripe about the tray icon plugin, I'll give Quod Libet five stars for handling compilation albums, having one of the best tag editors around, a brilliant album cover finder and an elegant and customisable GUI. And I haven't looked at all the features yet- for example, Quod Libet claims to be better able to handle large music libraries than other players.