Monthly Archives: September 2016

Microsoft, Patches and updates, Windows 10, Windows 7, Windows 8.x

Windows 10 upgrade nagging removed from Windows 7 & 8.x

Leave a comment

Now that Microsoft’s offer of free Windows 10 upgrades for Windows 7 and 8.x users is over, it makes sense that we should stop seeing those annoying reminders everywhere. Sure enough, an update for Windows 7 and 8.x became available last Patch Tuesday (September 13) that removes the ‘Get Windows 10’ feature. The update is identified as KB3184143, and has the (surprisingly meaningful) title “Remove software related to the Windows 10 free upgrade offer”.

If you’ve been using the third-party software GWX Control Panel to keep those annoying Windows 10 upgrade messages away, and you’ve installed KB3184143 on your Windows 7/8.x system, you might be tempted to remove GWX Control Panel. Unfortunately, there’s no reason to assume that Microsoft won’t re-enable the ‘Get Windows 10’ feature again in the future. I plan to leave it running on my Windows 7 and 8.x computers.

Of course, knowing Microsoft, if they decide to start pushing Windows 10 on us again, they’ll probably develop something completely new, in which case GWX Control Panel probably won’t help.

Ars Technica has more.

In related news, at least one consumer group is calling for Microsoft to offer compensation to users and organizations that were harmed by unwanted Windows 10 upgrades.

Internet crime, Things that are bad

Brian Krebs site dumped by Akamai due to massive DDoS attack

Leave a comment

In what can only be viewed as a victory for the attackers, content delivery provider Akamai has dropped Brian Krebs’ web site krebsonsecurity.com in the midst of a record-breaking DDoS attack against the site.

Krebs and his site have been the target of DDoS, SWATting, and other attacks in the past, in response to his reporting on various illegal activities – and the people behind them. But this most recent attack, which began on Tuesday, is the largest in history.

Akamai provides services that limit the effectiveness of DDoS attacks. According to Krebs, Akamai was providing their services for krebsonsecurity.com at no charge. He doesn’t fault Akamai for dropping his site, but their doing so raises some interesting possibilities.

The most likely explanation is that Akamai could no longer justify providing their services to Krebs for free; dealing with such a large attack would have involved a lot of time and effort. Akamai may have offered to keep supporting krebsonsecurity.com, but at their normal price. Those prices are typically only paid by large corporate clients, and Krebs probably just can’t afford them.

As a result of all this, krebsonsecurity.com is offline, and likely to stay that way until the attackers lose interest. Once the attacks subside, I’m sure the site will return.

Although Krebs doesn’t blame Akamai for dropping him, it’s hard to see how Akamai can come out of this without their reputation being harmed. There will always be questions about exactly what happened. Was Akamai actually overwhelmed? I’m sure Akamai’s competitors will be looking at picking Krebs up as a client.

And finally, this is a clear win for the attackers. They now know that they can take down even high profile web sites, although perhaps not those owned by companies with very deep pockets.

Ars Technica has more, including speculation that the attacks involved hacked ‘Internet of Things’ devices.

Updates 2016Sep25: krebsonsecurity.com is back up, thanks to Project Shield, a free program run by Google to help protect journalists from online censorship. It will be interesting to see how well this service protects Krebs’ web site from inevitable, future attacks. And how will Akamai spin this?

Meanwhile, Krebs also thinks that poorly-secured ‘Internet of Things’ devices made the record-breaking size of this attack possible. And despite the site only being down for a few days, he feels that this kind of attack is a new form of censorship, referring to the effect as ‘The Democratization of Censorship‘.

Patches and updates, Vivaldi

Vivaldi 1.4.589.29

Leave a comment

This morning when I fired up Vivaldi (I still use it for social media), it popped up an update message. Luckily, I actually read the change notes in the message, so I can tell you that Vivaldi 1.4.589.29 consists of an engine (Chromium) update, plus a few bugfixes.

I say ‘luckily’, because as I’m writing this, there’s no announcement of the new version on the Vivaldi blog, and no release notes of any kind. Sheesh.

Internet, Privacy, Security, Things that make me happy

Let’s Encrypt’s finances

Leave a comment

I’m a big fan of Let’s Encrypt, an organization committed to encrypting all web traffic by proving free security certificates.

I’m also a big fan of transparency, so when LE published a summary of their financial information recently, my regard for their efforts clicked up another notch.

Highlights from LE’s financial information post:

  • Let’s Encrypt will require about $2.9M USD to operate in 2017.
  • The majority of LE’s funding comes from corporate sponsorships.
  • You can donate to Let’s Encrypt using PayPal.

For the record, this web site (boot13.com) and all my other secure sites now use Let’s Encrypt certificates.

Firefox, Patches and updates

Firefox 49

Leave a comment

I’m getting better at parsing Mozilla blog posts. I only had to read a few paragraphs of the latest post (“Latest Firefox Expands Multi-Process Support and Delivers New Features for Desktop and Android”) to be fairly certain that it’s talking about a new, just-released version of Firefox. The new version number (49) isn’t mentioned, and neither is there any definite indication of when the new version was released. But there is a link to the version 49 release notes, way down at the bottom of the post.

Why is that bad? Because the Mozilla blog also routinely includes posts that are not related to new versions of Firefox, and those posts are almost indistinguishable from posts about new Firefox versions. Of course, if your goal is to confuse and obfuscate, well, nice work, Mozilla.

According to the release notes, Firefox 49 enables multi-process tabs for even more users. After installing, you can determine whether your Firefox is using multi-process tabs by entering ‘about:support‘ in Firefox’s address bar and looking for the ‘Multiprocess Windows’ entry. In my case, that entry shows as 0/1 (Disabled by add-ons). I’m using add-ons that Mozilla hasn’t tested, I guess.

Also in Firefox 49, Reader Mode has been improved, and offline page viewing has been enabled for Android users.

Opera, Patches and updates, Privacy

Opera 40

Leave a comment

Version 40 of alternative web browser Opera includes several major enhancements. Most notable among the changes are:

  • free, unlimited, no-log browser VPN service: when turned on, the browser VPN creates a secure connection to one of Opera’s five server locations around the world;
  • automatic battery saving features for mobile device users;
  • Chromecast support via the Chrome extension;
  • improvements to the video pop-out feature;
  • the newsreader feature now supports RSS feeds;
  • updated browser engine (Blink, aka WebKit).

Sadly, the folks behind Opera seem to be taking a (rather dysfunctional) page from Mozilla – at least in the way changes are reported. Release announcements for Opera are still in the same place on the Opera Desktop blog. But whereas changes in previous versions were reported in changelog posts on the desktop blog (such as this one for version 39), on a page on the Opera documentation site (which stops at version 37), and on the Opera history page (which also stops at version 37), there doesn’t seem to be anything like a change log for Opera 40. Hopefully this is a temporary issue, and something better is on the way. But I’m not holding my breath. This trend toward a general reduction in (and dumbing-down of) information provided to users is not helpful, in my opinion.

Apple, Microsoft, Patches and updates, Things that make me happy

How to make an operating system better

Leave a comment

With Microsoft taking Windows in a direction that’s distinctly unappealing, it’s a pleasure to write about an operating system that’s actually being improved and enhanced in useful ways: Apple ProDOS.

You read that right: ProDOS. It’s a decades old system that runs on hardware nobody uses any more (Apple IIs), but with the dedicated efforts of a single developer, a new, greatly improved version of ProDOS was recently released as version 2.4.

Why am I so excited about this? Because operating systems are important. They form the core of all the computer systems we use daily. I want to use an O/S that’s reliable, fast, and mostly invisible. A good O/S provides this critical underpinning without compromising our privacy or trying to sell us anything.

As reported by Jason Scott on his ASCII blog, ProDOS 2.4 was a labour of love for its developer. He says:

“The current mainstream OS environment is, frankly, horrifying, and to see a pure note, a trumpet of clear-minded attention to efficiency, functionality and improvement, stands in testament to the fact that it is still possible to achieve this, albeit a smaller, slower-moving target. Either way, it’s an inspiration.”

I agree completely. There’s no reason for a new version of an operating system to ever get worse. This really applies to all software, but it’s especially important for operating systems. Microsoft would do well to look at this project and learn from it.

If you happen to have an old Apple II lying around (as I do), you can run ProDOS 2.4 on it. Otherwise, you’ll need to use an Apple II emulator like AppleWin.

Internet, Internet crime, Things that are bad

Someone out there is testing the Internet’s breaking point

Leave a comment

Security analyst Bruce Schneier reports on the recent increase in Distributed Denial of Service (DDoS) attacks against critical Internet infrastructure. He’s unable to go into details about exactly which companies and resources are involved, but the attacks are real. Someone is engaged in a series of DDoS probes that are clearly meant to test the Internet’s ability to cope with extreme stress.

Most DDoS attacks are perpetrated by angry hackers against web sites they don’t like, or simply to demonstrate their skills. Underground DDoS attack services are available for those not possessing the requisite skills. But the attacks Schneier is talking about stand out: they’re much more calculated and methodical than usual.

Assuming that Schneier is correct, and someone is gathering information about the Internet’s potential breaking point, one can only wonder what they have in mind. If the perpetrators are – as Schneier suggests – a state actor like China, the possibilities are the stuff of nightmares.