There are claims that Gnome 3 is too dumbed down for Linux users. I have to admit I'm a little frustrated at not being able to test Gnome 3 properly, because my CD drive is failing, causing my Fedora 15 beta live Gnome 3 session to crash regularly.
One of the main objections to Gnome 3 seems to be the lack of minimise and maximise buttons on windows. However, I have been able to try out the way Gnome 3 handles windows, and it seems intuitive and more efficient in a minimalist way than the previous method. "Everything should be made as simple as possible, but not simpler,"* said Einstein, and to my mind the Gnome team have done this: "Made of easy" indeed.
Of course there is no bottom panel to minimise windows to. Grabbing a window and bumping it up to the top panel will automatically maximise the window; grabbing it again and pulling it down will minimise it to the desktop.
Simple. And elegant.
* Apparently actually a paraphrase (for understandable reasons) of: "It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience."
Tuesday, April 26, 2011
Wednesday, April 6, 2011
Revoke fraudulent Comodo digital certificates
Fraudulent digital certificates were issued by the Comodo Certificate Authority, for sites such as Microsoft Live, googlemail, Skype and Mozilla addons. Potentially, visitors to fake sites with these fraudulent certificates could have been deceived into thinking they were the real site. Apparently the fraud was detected before this could happen. The fraudulent certificates have been revoked, and browsers with certificate revocation checking enabled will identify the certificates as invalid. Some browsers have automatic revocation; in others it has to be enabled. It's also possible (in Firefox at least- I haven't tried it in other browsers) to manually import a revocation list. Details here at nakedsecurity.
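Why the "revocation checking enabled" part matters, as an added example that is not part of the original post: a revoked certificate still verifies cleanly against its CA unless the verifier is told to consult the revocation list. It assumes the openssl command-line tool is installed; the CA, the host name login.example.test and all file names are constructed for the demo and have nothing to do with the real Comodo certificates.

```shell
# Added example: throwaway CA, certificate and CRL, all constructed for this demo.
crl_demo() (
  set -e
  d=$(mktemp -d); cd "$d"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  # 1. A demo CA issues a certificate for a constructed host name.
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj "/CN=Demo CA" -days 30 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=login.example.test" 2>/dev/null
  openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem >/dev/null 2>&1
  # 2. The CA later revokes that certificate and publishes a revocation list.
  openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  # 3. Verify twice: once ignoring revocation, once with the CRL consulted.
  if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1
  then plain=accepted; else plain=rejected; fi
  if openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl leaf.pem >/dev/null 2>&1
  then checked=accepted; else checked=rejected; fi
  echo "no_crl_check=$plain crl_check=$checked"
  cd /; rm -rf "$d"
)
crl_demo
```

The signature and validity dates on the revoked certificate are still fine, so only the run with the CRL supplied rejects it.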
Tracking cookies
F-Secure has a good write-up on tracking cookies. Ed Bott tells how to eliminate them. The only problem with this method is the rare occasion when an action on a website requires a third-party cookie. (Logging into WordPress seems to do so.) I've looked at a couple of Firefox extensions that block tracking cookies while still allowing third-party cookies. They are Ghostery and the Easy Privacy list for Adblock Plus. Both seem to work well.
Gnome 3 is finished- when can I use it?

Update: Status of Gnome 3 in Debian.
Dark green means Gnome 3 packages are up to date in Debian Testing. As you can see, there isn't much dark green.

Update: apt-get install debian-wizard has a good post on installing Gnome 3 in Debian: in summary, as a comment points out, Gnome 3 may be "made of easy", but installing it on Debian Squeeze isn't: it's for Linux experts only, requiring Debian Testing plus Experimental repositories. The blog does hint at what may be the best compromise for Debian Squeeze users eager to try Gnome 3: install Testing and wait for Gnome 3 to "land" there. The status site linked to above shows that Testing is making progress towards Gnome 2- but no ETA yet!
Thursday, March 31, 2011
Malvertising
Malvertising is where third-party ad servers serve up "poisoned" ads- fake anti-virus scams usually comprising a bit of social engineering and an exploit kit to make it a drive-by download if the social engineering fails. The attraction for cyber criminals is that they can get access to mainstream web sites by hacking third-party servers, or ad feeds into those servers- they can attack the weakest link and see their malware on the most trusted websites.
I've noticed a few stories about malvertising today, and a few different points leap out of the stories.
The BBC has a story here about malware on a government-backed website. Not that that surprises me- I've been saying for a long time that the idea that if you're careful where you surf, malware won't be a problem is deluded. What I noticed was this statement:
The exploit only affected users of Internet Explorer, including the most recent versions. Other browsers, including Firefox, were not affected.
Really? This is an exploit to which even the most recent versions of IE are vulnerable? Well, I've also been saying for a long time that Firefox is a safer browser for Windows, and I recently posted about IE getting pwned, but is IE really wide open to an exploit? (Since switching to Linux, I've followed the browser wars with less interest.)
The BBC has another story about malware on the London Stock Exchange site. The following grabbed my attention:
Security expert Paul Mutton fell victim when he viewed the site on 27 February.
He visited the LSE homepage to find out why some people reported that they could not access it.
The site was blocked by Firefox, he said, but accessible via Google's Chrome browser.
"It seemed to work with Chrome but then a few seconds later, without having to click on anything, pop-ups started to appear," he said.
The malicious code closed down several of the programs Mr Mutton was using and stopped new ones being started.
"I visited the site and it compromised my machine," said Mr Mutton.
Now if I was a security expert and had to visit a suspect site, I'd do it in Linux, to be honest. I assume Paul Mutton is a real security expert (this is the BBC) and had his system up-to-date (no vulnerable versions of Adobe PDF or Sun Java or Macromedia Flash installed), so where was the zero-day vulnerability? In Chrome, for all its claims of sandboxing? Or in the OS? Or in some other web-facing application?
My final BBC story reports on malware in Spotify. This story actually allows me to identify the vulnerability exploited- unsurprisingly, it's a fairly old vulnerability in Adobe PDF software- affecting version 8.1.2, when Adobe is now shipping 9.4.2. These sorts of exploits (affecting software other than the browser and OS- such as PDF readers) are actually as much of a risk as zero-day browser or OS vulnerabilities (meaning Microsoft, if you use IE on Windows), which is why I found the previous two stories so surprising, as they suggest zero-day exploits in browsers or Windows.
"Users with anti-virus software will have been protected," Spotify said in a statement.
Well, if you check the VirusTotal report available by following the links, you'll find this is horseshit- vulnerabilities may be years old, but if you still have the vulnerable software installed years later, you'll still be vulnerable to the latest malware, and the chance of your anti-virus program detecting that malware is slim.
Wednesday, March 30, 2011
Firefox 4 borked by Compiz bug in Linux
As mentioned in a previous post, Firefox 4 is suffering badly from a known bug in Compiz on Linux. After coming out of a screen saver, menus will disappear when hovered over.
Minimising and maximising the browser will fix the problem, but for a permanent fix, the only solution seems to be to disable Compiz until a newer version of Compiz arrives in your distro. For Ubuntu users, that will be soon- Natty has the fix. For Debian users like me, Compiz will be disabled for quite a while.
Friday, March 25, 2011
Return of the Living Dead Part II

I've just worked out that two of the bugs (failure of copy and paste in Firefox and disappearing controls in Totem in full screen) were actually the same bug- a problem with Compiz described here. Another manifestation of the bug was in the "awesome bar". Typing a letter in Firefox's address bar usually brings up previously visited web sites beginning with or containing that letter- but on occasion this would not happen. All these unexpected behaviours result from the fact that in Compiz "somehow inactivity messes up the order of 'layers' to draw and stuff that is supposed to be on top is drawn below other windows" (Vaphell).
The bug has an even bigger impact on Firefox 4, with right-click menus and even the main menu disappearing when hovered over- a show stopper of a bug.
The head shot required to kill these bugs seems to be to disable Compiz.
The Firefox 4 Compiz bug is discussed on the Debian Forum, the Ubuntu forum, and the Linux Mint forum.