Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Chrome, Google, Patches and updates, Security

Chrome 57.0.2987.98

Leave a comment

The latest version of Chrome includes fixes for thirty-six security vulnerabilities.

There are numerous other changes in Chrome 57.0.2987.98. Google didn’t see fit to highlight any of them in the release announcement, so you’ll have to read the browser-annihilating change log to see if any of the changes are of interest. I’m not planning to do that myself, as it’s likely to take several hours, and unlikely to be particularly rewarding.

Chrome updates itself on its own mysterious schedule, but you can usually trigger an update by going to its ‘About’ page. Because this version includes security updates, you should try to update Chrome as soon as possible.

Update 2017Mar16: Ars Technica points out that Chrome 57 includes power saving features that should extend battery life for Chrome users on laptops.

Microsoft, Things that are bad, Windows 10

They’re here: ads in Windows 10

Leave a comment

We called it. Microsoft denied it. Now the reality of advertising in Windows has arrived. We’re not talking about the tiny, easily-ignored ads commonly seen in Skype, either. The ads that just started appearing in Windows 10 are hard to miss, and they’re in Windows Explorer, arguably the core user interface of the system.

Of course Microsoft is calling these ads ‘tips’ and insists that they just provide helpful information to Windows 10 users. Okay, let’s take a look at what users are seeing:

You be the judge: is this an advertisement?

You may disagree, but in my opinion, that’s an ad. It might as well say “Your Advertisement Here” or “Advertise In This Space”. At this stage, I’m sure we’ll only see ads from Microsoft in Explorer, but once the anger subsides, it’s difficult to imagine Microsoft won’t start selling that space – and others like it – to the highest bidder.

That’s right, Windows 10 really is an advertising platform, just as we’ve been saying all along. It explains why Microsoft was so happy to give away the O/S to anyone who upgraded from an earlier version, why they pushed so hard and literally tricked people to upgrade from earlier versions, why they included so much user activity tracking in Windows 10, and why they retrofitted that tracking into earlier versions when people failed to upgrade in sufficient numbers.

Clearly, the underlying reason for Microsoft’s advertising-in-Windows strategy is simply the enormous amount of money being made by Google from advertising.

Linux is looking a lot better now, isn’t it?

Analysis from The Verge and Ars Technica.

Update 2017Mar17: Tom Warren over at The Verge reacts to the new ads in Windows 10. He describes it as an ‘infestation’, and I agree with his assessment.

Firefox, Mozilla, Patches and updates, Security

Firefox 52 – security fixes, WebAssembly support

Leave a comment

At this point it seems clear that Mozilla has instructed its content writers to never mention version numbers in Firefox release announcements. The reason remains a mystery. Take yesterday’s announcement, for example. It begins “Today’s release of Firefox” – which makes it sound like Firefox is a new product.

Anyway… the mystery Firefox release yesterday was in fact version 52, which fixes at least twenty-eight security vulnerabilities. The new version also adds support for WebAssembly, which can dramatically improve the performance of web-based applications. Support for those annoying WiFi ‘captive portal’ hotspot login pages is improved in Firefox 52, and there are further improvements to the warnings you’ll see when you’re presented with a login form on an unencrypted connection.

Firefox 52 also removes almost all remaining support for the NPAPI plugin technology, with the lone exception being Flash, which means Silverlight, Java, Acrobat and other plugins that depend on NPAPI will no longer work. Support for the NPAPI version of Flash will apparently be removed in the next major Firefox release.

Microsoft, Patches and updates, Windows 10

Microsoft announces amazing new Windows 10 feature

Leave a comment

There’s a surprisingly lengthy post on the Windows Experience blog, co-written by two senior Microsoft managers: Michael Fortin (CVP of Windows and Devices Group Core Quality) and John Cable (Director of Program Management, Windows Servicing and Delivery).

Okay, what’s so important that these two folks decided to write about it? Just this: after the upcoming Windows 10 “Creators Update”, Windows 10 will be slightly less likely to do things at inconvenient times.

I don’t know about you, but allowing users to have control over when updates are installed, and when their computer reboots, seems like a pretty basic feature. And in fact that kind of control has existed in Windows for years. Until Windows 10. But instead of fixing the problem and apologizing for it, we get senior Microsoft managers talking about this bug fix as if it was the most amazing new feature ever.

I understand that there are good reasons to force updates and restarts, the main one being that otherwise many people allow their computers to get out of date, and vulnerable. But seriously, wouldn’t it have made more sense for automatic updates and restarts to be the default behaviour, and allow for this behaviour to be overridden, when Windows 10 was released?

The Verge’s take on this. And Ars Technica’s.

Update 2017Mar22: A new ‘tip’ from Microsoft shows Windows 10 users how to change ‘Active Hours’, during which Microsoft hopefully won’t remotely restart their computer. Of course, the maximum duration for active hours is still only twelve hours. On a related note, I was wondering why my Windows 10 test PC always seemed to be logged out lately, and discovered that it’s been trying to install one particular update every night for a couple of weeks. Windows reboots to complete the install, but the installation fails, and the cycle repeats. This is exactly the kind of thing that bothers me about letting Microsoft screw around with my computer without my knowledge.

Internet, Security, Things that are bad

Nasty Cloudflare bug leaked sensitive information for months

Leave a comment

Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.

For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.

The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.

My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.

The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.

What should you do?

If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.) You should probably recommend to your members/subscribers that they change their passwords.

If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.

The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.

References

Continue reading this post

Adobe, Patches and updates, Security, Shockwave

Shockwave 12.2.7.197

Leave a comment

Another new Shockwave version was released this week by Adobe. Once again, the official release notes page for Shockwave 12 only shows 12.2.7.197 as the current version, and provides no details. There was no announcement.

A couple of years ago, Adobe changed the way Flash functionality is built into Shockwave, presumably to beef up Shockwave’s security, which up to that point included older, vulnerable versions of Flash. So it’s possible that these barely-documented Shockwave updates exist primarily to synchronize Shockwave’s security with the current version of Flash.

As usual, if you use a web browser with Shockwave enabled, you should install the new version as soon as possible.

Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Microsoft releases update for Flash

Leave a comment

Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.

This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMS flaw.

Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.

Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.

So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.