Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Firefox 43.0.4 re-enables SHA1 certificates

Well, that didn’t last long. Firefox 43.0.3 disabled SHA1 security certificates, but that caused a lot of problems for some users, and Mozilla has rolled back the change in the new Firefox 43.0.4. Most users won’t notice the difference, but if you started having problems browsing secure web sites after installing 43.0.3, that issue should be resolved with 43.0.4.

Firefox 43.0.4 also fixes a crashing bug affecting some users, and at least one other change is documented in the release notes.

Incidentally, there wasn’t a proper announcement for the new version. The closest we got was a post on the Mozilla security blog about the SHA1 reversal, which doesn’t mention Firefox version identifiers at all.

December security and privacy roundup

Security and privacy stories making the rounds in December…

Aethra modem botnet

In February I wrote about hack attempts on several of my WordPress sites. Most of those attacks originated in Italy, from Aethra modems provided by Italian service provider Albacom. At the time, I tried to contact Albacom and its new owner, BT Italy, with no success. Apparently I wasn’t the only person who noticed. The people who make Wordfence, an extremely useful security plugin for WordPress, recently reported on the efforts of a Voidsec security researcher to track down and report the problem.

Nemesis malware worse than ever

A particularly nasty piece of malware called Nemesis now has the ability to insert part of itself in the boot process of a PC, making it even more difficult to detect and remove. Luckily for regular folks, Nemesis mostly seems to be targeting financial institutions. On second thought, there’s nothing lucky about that.

Linux computers increasingly targeted – and vulnerable

It’s becoming clear that Linux computers can be just as vulnerable as computers running Windows: a single, unpatched application vulnerability can be all that’s required for attackers to gain complete control. Hacking groups are acting quickly when new vulnerabilities are revealed, and have been adding exposed Linux servers to their botnets at an alarming rate.

Mysterious attack on root DNS servers

In early December, most of the Internet’s core name servers were briefly flooded with requests from all over the net; the requests were all related to two specific (and undisclosed) domain names. It’s still not clear who perpetrated the attack, and no real damage was done, since the servers involved absorbed the traffic relatively easily.

Help for securing routers

The US-CERT security organization posted a useful guide for securing home routers. The guide necessarily gets into technical details, but anyone who is interested in keeping their home network secure – and has access to their router’s configuration – should give it a look.

Oracle spanked by the US FTC for its deceptive practices

Oracle has done a terrible job of informing Java users of the dangers of leaving old versions of Java installed. Worse, Java installation software is traditionally not very good at detecting and removing older Java installs. The FTC finally noticed, calling Oracle’s practices a “deceptive act or process” in violation of the Federal Trade Commission Act. In response, Oracle has posted a Java uninstall tool on its web site. To be fair, the newer Java runtime installers now also look for older versions and offer to uninstall them, so they are making progress.

A rational response to claims that encryption is somehow bad

You’ve no doubt noticed elected officials in various countries claiming that smartphone encryption is making police work more difficult. They often use the catchphrase ‘going dark’ and invoke ‘terrorism’ to scare people into believing their BS. There’s a post over on Techdirt that exposes the lunacy of these ‘going dark’ claims.

Panopticlick – is your browser keeping your activity private?

The Electronic Freedom Foundation (EFF) created a web-based tool that analyzes your web browser and lets you know how well it protects you against online tracking technologies. It’s a handy way to make sure that the browser you’re using is keeping your activity as private as you think it is. Keep in mind that a lot of web sites (including this one) use tracking technologies for legitimate reasons, such as counting the number of visits. To learn more, check out this helpful post over on the PixelPrivacy site that explains browser fingerprinting.

Security practices of some service providers still terrible

Brian Krebs recently reported that his PayPal account was hacked. During his subsequent investigation, he discovered that PayPal handed his credentials to someone impersonating him on the phone. PayPal’s responses to Krebs’ criticisms don’t exactly inspire confidence. Krebs says “the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.”

Flash 20.0.0.267 fixes numerous security issues

There’s a holiday present from Adobe in the form of yet another new version of Flash. This one fixes at least nineteen security vulnerabilities – including one that is currently being exploited on the web – as well as a few other bugs. There are additional details in the release notes.

As usual, Chrome and Internet Explorer will get the new version via their own update mechanisms.

If you use Flash in a web browser, push that plate of turkey leftovers to the side and install the new Flash ASAP.

Update 2016Jan02: On January 1, Adobe released another version of Flash, this time just for the ActiveX version used in older versions of Internet Explorer on Windows 7 and earlier. According to the updated release notes, Flash 20.0.0.270 includes one change: “Fixed loading problem with Flash Player in embedded applications”.

Firefox 43.0.2

Firefox 43.0.2 was released on December 22, with no announcement at all. I learned about the new version when my copy of Firefox offered to update itself. The release notes say only that the new version includes a new security certificate for Windows. The notes also mention “Various stability and security fixes”, but the linked Security Advisories page lists security fixes for all of Firefox 43. Presumably at least one security issue was fixed in 43.0.2, but it’s not clear.

Windows 10 Insider Preview Build 11082

It could be argued that it’s unfair to talk about problems with Windows 10 preview builds, since they are provided to us for testing purposes and expected to have issues. I hold the opposite view: everyone is better off if we report problems as publicly as possible. But I’ll try to stick to the facts and avoid complaining.

With the arrival of Windows 10 Insider Preview Build 11082, my test PC started doing some very weird things. The extent to which these problems are specific to my hardware remains unclear.

  • On logging in for the first time after the new build was installed, Windows reported that the application CCleaner was not compatible with the new Windows build, and had been removed. CCleaner (formerly CrapCleaner) is primarily a tool for removing junk and temporary files from Windows systems. The message pointed to this page, which says “If you try to use this app with Windows Insider Preview, it might not work correctly or might not work at all.” Not too helpful. I reported the problem to the CCleaner developers.
  • Normally, when File Explorer copies, moves, or deletes files, it displays a progress dialog. Those dialogs no longer appear. File operations still work, but there’s no visual indication of what’s going on.
  • Audio stopped working completely. A reboot didn’t help. Powering off the computer completely and then back on did fix the problem. There was nothing in the Windows event logs to point to a possible cause.

None of these issues are show-stoppers for me. I used the Windows 10 Feedback app to report the File Explorer dialog problem.

This is the first Windows 10 preview build with which I’ve had any serious problems, aside from privacy concerns. It will be interesting to see how quickly Microsoft responds.

Update 2015Dec21: The CCleaner developer responded to my report, saying that they have received similar reports and that they are looking into it.

Firefox 43.0.1

A single minor change seems to be the only reason for the Firefox 43.0.1 release yesterday. The release notes describe the change as preparation “to use SHA-256 signing certificate for Windows builds”. This does not appear to be a security-related change, so there’s no hurry to update.

Mozilla has improved the look of Firefox’s release notes pages, but there has been no functional improvement. For instance, while there is a link to the ‘complete list of changes’, that link goes to the Bugzilla bug tracking system, which is not easy to parse for non-technical users. Worse, it shows all changes in Firefox 43, not just 43.0.1, and there’s no way to search for changes to 43.0.1 only.

As usual, there was no proper release announcement for this version. There wasn’t even a vaguely-corresponding post on the Mozilla blog.

On my test computer, when the Firefox 43.0.1 update finished installing, Firefox displayed a web page with a brief video and an underlying announcement, about Firefox 43’s new privacy features, and ‘new’ Pocket integration. Which seems weird, because Pocket integration was also announced for Firefox 38.0.5 in June.

In other Firefox-related news, Mozilla recently pointed to an announcement from Netflix in a blog post titled ‘Firefox Users Can Now Watch Netflix HTML5 Video on Windows’. This is an important change, because it’s no longer necessary for Firefox users to install and use Flash to watch Netflix content.

64-bit Firefox finally arrives

Something I neglected to mention about the recent Firefox 43 release: there is finally an official, 64-bit version of the browser. There have been unofficial and/or experimental 64-bit versions in the past, but they were abandoned for various reasons and never made it to prime time.

Those of you with modern computers who are running a 64-bit operating system have the option of installing the 64-bit Firefox or sticking with the traditional 32-bit version. The two versions look and act exactly the same, and I don’t think it’s likely that any particular advantage will be gained by switching to the 64-bit version. However, some people (you know who you are) are excited about this long-promised Firefox version.

Critical security fixes for Joomla

Sites running the popular web Content Management System (CMS) Joomla have been targeted by large-scale attacks recently. Joomla’s developers have responded by publishing a fixed version, Joomla 3.4.6.

Anyone who operates a Joomla-based web site should stop what they’re doing and install the necessary updates immediately.

Update 2015Dec23: Joomla developers discovered that a bug in PHP – the language in which Joomla is developed – would likely lead to more vulnerabilities in Joomla. The PHP bug has been fixed, but that won’t help sites that are running older versions of PHP. Recognizing this, the Joomla developers released another update (Joomla 3.4.7) that addresses the underlying vulnerability.