Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Serious Cryptocat security flaw fixed

Even before the recent NSA revelations, increasing interest in online privacy led Nadim Kobeissi to develop Cryptocat, an easy to use, secure, web-based chat client.

Unfortunately, Cryptocat – until recently – had a serious flaw. A programming error limited the total possible secure keys to a number small enough to make cracking them trivially easy. The person who discovered the flaw created a demonstration program, and the flaw was quickly fixed, but Cryptocat had been running in this flawed state for at least seven months, possibly longer.

Anyone using Cryptocat versions earlier than 2.0.42 should upgrade immediately. Cryptocat typically runs as a web browser add-on or plugin.

Update: the Duo Security blog has an interesting take on this.

Advance notification for July 2013 Patch Tuesday

The next batch of updates from Microsoft will become available starting at about 10am PST on July 9. This month’s patches comprise seven bulletins – four of which are flagged as critical – addressing vulnerabilities in Windows, the .NET Framework, Silverlight, Internet Explorer and the GDI+ subsystem.

Related posts from Microsoft:

Visa and Mastercard don’t want you to use VPN services

The big credit card companies are once again trying to use their influence to make the world more to their liking. Their previous ban on payments to Wikileaks was finally overturned by the Supreme Court of Iceland only weeks ago, but it seems their lawyers are eager to get beaten up again.

It remains unclear exactly what the credit card companies have against VPN services. Virtual Private Networking has many legitimate uses, and VPN solutions are commonplace in the business world. Anywhere remote access to corporate systems is necessary, VPN is just good security. No doubt Visa’s and Mastercard’s true motives will be revealed in the coming days.

Latest Ouch! newsletter: all about ‘spearphishing’

The latest installment (warning: PDF) of the user-focused Ouch! newsletter from SANS discusses ‘spearphishing’. As in regular phishing, the goal of the attacker is to gain access to computers, systems and services. The difference is that while phishing is targeted very broadly, spearphishing targets specific companies, organizations or even individuals. Attackers typically use this technique to gain access to valuable targets like banks.

A good reason to avoid Windows 8.1: advertising

When Microsoft first started talking about making the Windows user interface more like the XBox 360 UI, I wondered if that also meant we would be seeing advertising in Windows 8. I was both surprised and relieved to see that the Windows 8 Start screen was not filled with ads, which alas cannot be said of the XBox 360 UI.

Well, that relief was short-lived. It was recently announced by Microsoft that the search function built into Windows will display advertising, starting with the Windows 8.1 update. As you read the announcement, marvel at the way advertising will “mak[e] it easier for consumers to complete tasks.” Nice try.

Firefox 22 now available

Version 22 of Mozilla’s web browser was released yesterday, with the usual utter lack of anything approaching a proper announcement. The closest we got was a post on the Mozilla blog entitled “Firefox Delivers 3D Gaming, Video Calls and File Sharing to the Web“. That post discusses some of the new features of Firefox 22, but never actually mentions the new version number. I understand that Mozilla is trying to place less importance on version numbers, but in my opinion this is going too far.

Making things even more confusing, the main download page for Firefox never mentions the current version, although all the download links point to version 22 URLs, which you can see by hovering your mouse over them.

The release notes page is still a confusing mess. The first text you read on that page is “Firefox Notes (First offered to release channel users on June 25, 2013)”. It sounds like they’re saying that Firefox was released on June 25, 2013. What they really mean is that Firefox version 22 was released on June 25, 2013, but the version isn’t mentioned in the title. In fact, the only reference to the version is in a contributor “thank you” note below the title. Below that, the “What’s New” section lists changes made to Firefox, which we can only assume are specific to version 22 because the page’s URL includes the text “22.0”.

A link on the release notes page for version 22 titled “complete list of changes” now points to a list of bugs in Mozilla’s bug tracking system, Bugzilla. The list of bugs shown is huge, and although each of the 510 entries supposedly represents a bug fixed in version 22, the information is highly technical and not really intended for regular users. A proper change list is nowhere to be found.

Somewhat more useful are the confusingly-named and well hidden “known vulnerabilities” and “security advisories” pages for Firefox. The first of those pages lists security vulnerabilities and the versions of Firefox in which they were fixed, including version 22. The second page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed.

I’ve been pointing out the lack of proper version announcement resources for Firefox here and in other online forums for a while now, but have yet to see any significant progress.

WordPress 3.5.2 released

WordPress 3.5.2 fixes several security vulnerabilities. Given the recent worldwide attacks against WordPress-based web sites, all WordPress sites should be upgraded to the new version as soon as possible.

One of the vulnerabilities fixed in version 3.5.2 is CVE-2013-2173, a Denial-of-Service (DoS) vulnerability recently disclosed on the VND blog. The vulnerability and a Proof of Concept were disclosed on that site one week after the author reported the issue to the WordPress security team. Concerned that a single email might have been caught in a spam filter, I posted a link to the report in two of the WordPress IRC channels (#wordpress and #wordpress-dev), and soon after that I was told that the security team had been notified. It was later disclosed that the original report had indeed been caught by a spam filter, even though the reporter had received a ‘we received your report’ auto-response. The lessons here are: 1) security email inboxes should not have spam filters; 2) don’t use an auto-responder on security email inboxes; and 3) don’t stop reporting a security issue until you’ve heard back from a human being, confirming receipt of your report.

Java 6 end-of-life

Oracle has quietly stopped updating Java 6, sort of. A page on the Java download FAQ site states that updates for Java 6 will no longer be publicly posted, and recommends upgrading to Java 7. Updates for Java 6 will still be available to customers who have support contracts from Oracle.

Switching from Java 6 to Java 7 is going to be a problem for anyone who uses Java-based software that is not yet compatible with Java 7. Large organizations with such Java 6 dependencies will either start paying for support (if they aren’t already), or deal with the consequences of allowing their Java 6 based software to become increasingly vulnerable. Smaller organizations and individuals with Java 6 dependencies who cannot afford to pay for Oracle support may want to consider switching to alternative software.

There’s likely to be a certain amount of backlash against this move. At the very least, if Oracle doesn’t back down from this stance, expect a ‘black market’ in Java 6 updates to start up fairly soon: people with access to the official Java 6 patches will make them available to the public. The main problem with this, besides annoying Oracle, is that nefarious persons are likely to use the need for Java 6 patches as a way to spread malware.

I predict that Oracle will relent; as long as they are still developing updates for Java 6, those updates will end up being publicly available.