Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Vivaldi 1.14 released

Vivaldi 1.14 includes improvements for several existing features: vertical reading for Reader Mode, Markdown support in Notes, rearrangeable panels, and re-orderable search engines. Several dozen bugs are also addressed in the new version. There are no new security fixes in Vivaldi 1.14.

Somewhere along the line — possibly in this release — Vivaldi’s weird bookmark editor (the one in the bookmark sidebar) was finally made usable. It’s still weird, but at least now it works in a way that makes sense.

The release notes for Vivaldi 1.14 have additional details.

Spectre/Meltdown nightmare continues

Microsoft has just released ‘out of band’ (outside the usual Patch Tuesday) updates that disable or reverse earlier updates that mitigate Spectre V2. These updates for updates are happening because Intel’s firmware fixes are causing a lot of problems for some folks.

If you were diligent and installed firmware updates on your Windows computers, you should install the new Microsoft updates as soon as possible. Of course doing that will leave your computer exposed to Spectre V2. There’s no solution, other than to be vigilant and extremely careful about visiting shady web sites, installing downloaded software, and clicking links in email.

I guess I’m lucky that no firmware updates are even available for my computers. If they were available and I had installed them, I might be suffering random reboots and even data loss.

Black-hat hackers who are working on malware that exploits the Spectre and Meltdown vulnerabilities are no doubt enjoying this mess, and I have no doubt that we’ll start seeing real-world examples of their handiwork before long.

Chrome 64.0.3282.119 released

The latest version of Chrome is 64.0.3282.119. The new version, released earlier this week, fixes fifty-three security issues, and includes additional mitigations for the Spectre/Meltdown vulnerabilities.

The full change log lists ten thousand changes in the new version. There might be some interesting stuff in there, but I’m going to assume that if there was anything worth pointing out, Google would have done that in the release announcement.

Firefox 58.0

Earlier this week Mozilla released Firefox 58.0. The new version makes significant improvements to its graphics engine and JavaScript handling, which should translate into faster page rendering, especially on sites that use a lot of JavaScript. Mozilla says we can expect further performance improvements in Firefox in the coming weeks.

At least thirty-two security vulnerabilities are addressed in Firefox 58.0. The release notes for Firefox 58.0 provide additional details.

Note that Firefox 58.0 user profiles are not compatible with earlier versions of Firefox, so if you don’t like 58.0 and decide to downgrade, you’ll have to create a new profile.

Opera 50.0.2762.67: security fixes for Meltdown and Spectre

The latest version of Opera contains changes meant to mitigate the Spectre and Meltdown CPU vulnerabilities. Effectively, it’s now more difficult to exploit the vulnerabilities using JavaScript running in Opera. Similar changes have already been made in the other major browsers.

Several Windows-specific issues were also addressed in Opera 50.0.2762.67. The change log for Opera 50 provides details.

Spectre/Meltdown fixes for Vivaldi

A Vivaldi update described as ‘minor’ includes mitigations for the Spectre and Meltdown vulnerabilities. The changes are intended to make exploiting Spectre and Meltdown much more difficult in the context of Vivaldi itself. Other browser makers have released — or are working on — similar updates.

The announcement for Vivaldi 1.13.1008.44 is light on details, and there’s no link to a change log. The new version number isn’t even mentioned.

Java 8 Update 161

Released as part of Oracle’s January 2018 Critical Patch Update, Java 8 Update 161 fixes twenty-one security vulnerabilities in previous versions.

You’re much less likely to be affected by Java vulnerabilities these days, as most web browsers no longer support Java. The only mainstream browser that still runs Java code is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java as soon as possible, via the Java Control Panel applet, or by visiting the official Java download page.

Spectre/Meltdown CPU flaws: latest news

It’s been about two weeks since the Spectre and Meltdown CPU flaws were revealed to the world, and we now have a better picture of the scope and impact of those flaws.

Intel CPU chips are vulnerable to both Spectre and Meltdown: almost every Intel CPU made since 1995 is affected. AMD CPUs are vulnerable to Spectre, and ARM CPUs, found in millions of mobile and IoT devices, are vulnerable to Meltdown.

Spectre variant 1 and Meltdown have been patched in Windows, macOS, iOS, Android, and Linux. So far, these updates don’t seem to have affected performance on those platforms.

Spectre variant 2 can only be fixed with a firmware update, which will be optional on most platforms, but also seems likely to result in reduced performance. Firmware updates are more difficult to install than software updates. The task should not be undertaken by casual users, since mistakes can result in ‘bricked’ (unusable) devices. One possible exception is Linux, which in some cases allows for updates to be read from a file during startup, eliminating the need for updating firmware.
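
On Linux, you can check what the kernel itself reports about these fixes and which microcode revision was loaded. The script below is an added example, not part of the original post: it assumes kernel 4.15 or later (or a distribution backport), which provides status files under /sys/devices/system/cpu/vulnerabilities, and it falls back to constructed sample data when those files are absent.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): summarise what a Linux kernel
# reports about Meltdown/Spectre and which CPU microcode revision is loaded.
# Assumes kernel 4.15+ (or a backport) for the sysfs status files.

# Map one kernel status line to a coarse state.
classify_status() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Distinct microcode revisions across logical CPUs, one per line.
# More than one line means the cores are not running the same microcode.
microcode_revisions() {
  awk -F: '$1 ~ /^microcode/ { gsub(/ /, "", $2); print $2 }' "$1" | sort -u
}

# Print one line per issue; return 1 if any is vulnerable or unreported.
report() {
  local dir="$1" name status state rc=0
  for name in meltdown spectre_v1 spectre_v2; do
    status="$(cat "$dir/$name" 2>/dev/null || true)"
    state="$(classify_status "$status")"
    printf '%-10s %-12s %s\n' "$name" "$state" "${status:-<no status file>}"
    case "$state" in vulnerable|unknown) rc=1 ;; esac
  done
  return "$rc"
}

# Constructed sample data so the script also runs on a non-Linux machine.
sample="$(mktemp -d)"
printf 'Mitigation: PTI\n' > "$sample/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
printf 'Vulnerable\n' > "$sample/spectre_v2"
printf 'microcode\t: 0x22\nmicrocode\t: 0x22\n' > "$sample/cpuinfo"

# Use the live kernel files when present, otherwise the constructed sample.
live=/sys/devices/system/cpu/vulnerabilities
if [ -d "$live" ]; then dir="$live"; info=/proc/cpuinfo
else dir="$sample"; info="$sample/cpuinfo"; fi
report "$dir" || echo "at least one issue is not reported as mitigated"
echo "microcode revision(s): $(microcode_revisions "$info" | tr '\n' ' ')"
```

A spectre_v2 line that still reads "Vulnerable" after a microcode update means the kernel is not applying a mitigation, whatever revision the CPU reports.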

Intel is making available firmware updates that will hopefully eliminate the threat on affected computers, but — as Microsoft has demonstrated — many of those computers will be slowed significantly by the updates. Intel is downplaying the performance impact, saying that many users won’t even notice the difference.

Microsoft estimates the performance impact of firmware updates on Windows computers with Intel processors will vary depending on:

  • CPU: Haswell and older will be affected more
  • O/S version: Windows 7 and 8 will be affected more than Windows 10
  • I/O bound servers could be affected greatly (Microsoft may recommend avoiding the firmware updates in this case)

Unfortunately, many PC and device makers first learned of the CPU flaws when the rest of us did: on January 3. While Intel, Microsoft, and the other major players knew about the problem months earlier, less high-profile companies are now scrambling to develop firmware updates for their devices. Most are concentrating on their most recent models, and may never release updates for older devices. For example, as of January 21, the Asus web site does not show any recent firmware updates for my Asus M70AD PC. Millions of other devices seem likely to remain permanently vulnerable to Spectre 2.

The Spectre and Meltdown flaws are very deep inside the internal hardware of almost all computers. This makes them very unusual: more difficult to fix, and potentially very dangerous. Even worse, many Internet of Things devices use affected chips; these devices are usually difficult (if not impossible) to update, and may never be fixed.

The vulnerabilities were discovered in early June 2017, and disclosed privately to CPU chip makers first, then to O/S makers, browser makers, cloud and server providers. Some arguably important groups, including CERT, were left out. Despite disclosure being handled responsibly, the news leaked out ahead of schedule on January 4. A lot of work had already been done, but hardly anyone was truly ready.

Intel’s response to the flaws in their CPUs has been criticized by some, and it does seem that the chip giant is not being completely transparent. Intel continues to downplay the seriousness of the flaws, and the performance impact of firmware updates. It’s also fair to ask whether in the rush to increase processor speed, security is being neglected by Intel and the other chip makers. The Spectre and Meltdown flaws should arguably have been caught in development.

What are the actual risks involved?

A malicious process on your computer could read data from another process (such as your banking app) and send it to anyone. This kind of exploit has been demonstrated as effective, and it can even be accomplished using specially-crafted JavaScript code on a web site.

A malicious process on a web-based service, server, or virtual machine could read data from another process on that machine or a virtual machine that’s controlled by someone else.

Risks going forward: this has all been rushed (despite some advance warning), and the changes are at the core of CPUs and O/S kernels. Emergency fixes have a way of causing new, hidden problems. We will probably be dealing with the fallout from these flaws for months.

Update 2018Jan23: Intel is now telling us to avoid earlier firmware updates while they work on new updates that (hopefully) avoid rebooting issues on computers running Haswell and Broadwell CPUs. Meanwhile, there’s some strong language coming from Linus Torvalds (Linux’s creator) about the quality of the firmware fixes coming from Intel.

More rug-pulling by Google

“Hey, look here! We’ve got a great service that you need to be using. Okay, cool, now that you’ve been using the service for a while, we’re going to shut it down. Because of reasons.” — Google’s secret motto

Okay, it’s not like YouTube is shutting down, but Google has changed the rules for monetising video, and that change is going to affect a lot of creators. Specifically, starting in February, you’ll need 1000 subscribers and 4000 hours of watch time (time people spent watching your videos) in order to make money from them.

Google’s explanation? “In 2018, a major focus for everyone at YouTube is protecting our creator ecosystem and ensuring your revenue is more stable.” What does that even mean?

It seems clear that this change is a reaction to recent events, including several major advertisers pulling ads from YouTube in 2017 because of extremist content. There’s less money to go around, so Google is saving money by cutting off people who arguably need it most.

Full disclosure: my own YouTube account will be affected by this change. I’m currently in the YouTube Partner Program, which allows me to monetise my videos. Not that I’ve made much money from those ads. Google seems to make a lot more money selling ads than it hands out to people hosting those ads on their videos and web sites. In any case, I will no longer be able to earn money from ads on my videos after February.

Google, your search engine is amazing, and I use a lot of your (free) services, so I shouldn’t really complain. But dammit, this is getting annoying.

Related links

Ars Technica: YouTube raises subscriber, view threshold for Partner Program monetisation
Futurism: YouTube Cracks Down on Eligibility Requirements for Which Video Channels Can be Monetized