Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Firefox 43 lands

Earlier today, Mozilla published an article on their company blog, titled Firefox Gives You More Control Over Your Data in Private Browsing.

I must be getting pretty good at detecting these cryptic Firefox version update announcements, because I spotted this one right away. Sure enough, despite there being no mention of a new version, there’s a link at the bottom of the post which reads Release Notes for Firefox for Windows, Mac, Linux. And the link clearly points to a version 43 folder.

So it’s not exactly a new version announcement, but there were enough hints there to figure it out.

Maybe I should talk about the new version of Firefox.

The ‘announcement’ only talks about changes to the Private Browsing with Tracking Protection feature, which now has a ‘strict’ setting that may provide better privacy while breaking many popular sites. Not recommended unless you’re truly paranoid and don’t mind being frustrated.

The release notes get into more detail. But there’s not a lot that’s likely to excite much interest. About sixteen security issues were fixed as well, so you should go ahead and update Firefox ASAP.

Adobe’s plans for Flash

Adobe’s plans to phase out Flash continue. Early in 2016, the software used to create Flash video will be renamed from Flash Professional to Adobe Animate CC. The new software will still be able to produce Flash videos, but it will focus more on HTML5 video.

The ubiquitous and notoriously insecure Flash player – the one that lets you play Flash video in your browser – will continue to be developed and supported by Adobe for at least the next five (and maybe ten) years. But Adobe is making it easier for video producers to move away from Flash and toward HTML5.

Meanwhile, Google has announced that they will start blocking Flash-based advertisements, which should provide the necessary motivation for advertisers to move away from Flash.


Shockwave player 12.2.2.172

According to FileHippo’s release history for Adobe Shockwave Player, Shockwave 12.2.2.172 was released on November 25, 2015.

The official download page for Shockwave confirms that the latest version is 12.2.2.172. Unfortunately, the official release notes for Shockwave show the latest version as 12.2.1.171.

Worse still, Adobe’s Shockwave version checker page tells me this: “Sorry, your computer does not have the latest Shockwave Player installed. Please go to step 2. (Your version:12.2.2.172 Latest Version:12.1.9.159)” It’s trying to tell me that 12.1.9.159 is the latest version (it isn’t) and that the version I’m running (which is in fact the latest version) is both out of date and somehow older than a version which is clearly the older of the two (12.1.9.159 is older than 12.2.2.172).
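A version checker only gets this right if it compares each dotted segment as a number rather than comparing the strings as text. The following is an added example, not code from the post or from Adobe’s checker; the two version numbers it compares first are the ones quoted in Adobe’s message above, and the 12.10.0 / 12.9.0 pair is constructed to show where text ordering goes wrong.

```python
"""Compare dotted version strings segment by segment, as integers."""
from itertools import zip_longest


def parse_version(version: str) -> tuple:
    """Split '12.2.2.172' into (12, 2, 2, 172).

    Surrounding whitespace is ignored. A non-numeric segment raises
    ValueError so a malformed string is never silently treated as
    older or newer than every real version.
    """
    parts = version.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b.

    Missing trailing segments count as zero, so '12.2' == '12.2.0.0'.
    """
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def is_up_to_date(installed: str, latest: str) -> bool:
    """True when the installed version is at least the published latest one."""
    return compare_versions(installed, latest) >= 0


def naive_string_check(installed: str, latest: str) -> bool:
    """The check a buggy updater might do: plain text ordering.

    Kept only to show the failure mode: '12.10.0' sorts before '12.9.0'
    as text because the character '1' is less than '9'.
    """
    return installed >= latest


if __name__ == "__main__":
    # Values quoted from Adobe's checker message in the post.
    installed, claimed_latest = "12.2.2.172", "12.1.9.159"
    print(compare_versions(installed, claimed_latest))  # 1: installed is newer
    print(is_up_to_date(installed, claimed_latest))     # True
    # Constructed pair where text ordering gives the wrong answer.
    print(naive_string_check("12.10.0", "12.9.0"))      # False (wrong)
    print(is_up_to_date("12.10.0", "12.9.0"))           # True (correct)
```

Treating absent trailing segments as zero matters in practice, because vendors are not consistent about how many segments they publish; a checker that rejects ‘12.2’ against ‘12.2.0.0’ will nag users who are in fact current.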

Hey Adobe: it’s hard enough to keep our software up to date without you sending us mixed messages.

Opera 34 arrives

The latest version of the Webkit-based Opera browser is 34.0.2036.25. As usual, there was no proper announcement, just this weird article on the Opera desktop blog. At least the article bothers to point out that there is a new version, referring to it as 34.

The release notes describe some changes that are not likely to excite much interest, and go on to say vaguely that the new version contains ‘Stability enhancements and bug fixes.’

The full change log for version 34 lists numerous bug fixes and improvements. It’s not clear whether Opera 34 includes any security fixes, but I like to think anything like that would have been mentioned in the change log.

Patch Tuesday for December 2015

Another month, another pile o’ patches from Microsoft and Adobe. This month Microsoft is pushing out twelve updates, affecting 71 vulnerabilities in Windows, Internet Explorer, Edge, Office, .NET and Silverlight. Eight of the updates are flagged as Critical.

Microsoft has also published a few security advisories since the last monthly update.

Adobe’s chimed in this month with a new Flash (aside: how weird would it be if they didn’t?). The new version addresses at least 78 security vulnerabilities in the veritable piece of Swiss cheese we know as the Flash player. The new version is designated 20.0.0.228 on most platforms, but the version designed for use in Firefox and Safari on Windows and Mac is 20.0.0.235.

New: browse boot13.com securely

You may have noticed that web sites everywhere are moving toward secure browsing. There are a couple of reasons for this. First, Ed Snowden confirmed our fears, revealing that the NSA and partner organizations are snooping on everything we do. Second, Google is pushing for encryption everywhere by penalizing sites that don’t offer secure browsing.

Boot13 may now be browsed securely, by pointing your web browser to https://boot13.com.

A big shout out and thank-you to Let’s Encrypt, an organization that provides free security certificates and related tools to anyone who operates a site or service that can use them. The certificate we’re using on Boot13 was provided by Let’s Encrypt.

Security and privacy roundup for November 2015

PCs from Dell were found to include support software and related security certificates that potentially expose users to various threats. Dell moved quickly to provide fixes, but many systems remain vulnerable. As if we needed more convincing, this is yet another reason to remove manufacturer-installed software from new PCs as soon as possible after purchase.

A hacking tool called KeeFarce looks for KeePass password databases, attempts to decrypt the stored passwords, and makes the decrypted passwords available to intruders. For this to work, the target computer must already be compromised, and the KeePass database left unlocked. According to researchers, the technique could be used on any password management software. Please, if you use password management software, remember to leave it locked, even if you’re the only user. Why make things any easier for intruders?

Anti-adblocking service provider PageFair was hacked on Halloween, and for a couple of hours, visitors to about 500 web sites were shown fake Flash update warnings that actually installed malware. PageFair fixed the problem relatively quickly and apologized for the breach.

The web site for the popular vBulletin forum software was hacked and user account information stolen. Site admins reset all user passwords and warned users, but have yet to address claims that the attackers used a long-standing vulnerability in the vBulletin software itself to achieve the intrusion. If true, anyone who manages a vBulletin site should immediately install the patch, which was made available after the vBulletin site hack.

With all the furor over Windows 10’s privacy issues, it’s important to recognize that modern phones have all the same issues. Anyone who uses a smartphone has observed that most apps ask for access to private information when they are installed. Generally, user choices are limited to agreeing or cancelling installation. A new study looks at popular iOS and Android apps, the user information they collect, and where they send it. The results are about as expected, and the authors conclude, “The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs.” No kidding.

A nasty new type of Android malware has been discovered. Researchers say that the perpetrators download legitimate Android apps, repackage them with malware, then make the apps available on third-party sites. Once installed, the infected apps allow the malware to install itself with root access. So far, the malware only seems to be used to display ads, but with root access, there’s no limit to the potential damage. Worse still, it’s extremely difficult to remove the malware, and in many cases it’s easier to simply buy a new phone.

Ransomware was in the news a lot in November. SANS reported seeing a malware spam campaign that impersonates domain registrars, tricking recipients into clicking email links that install the ransomware Cryptowall. Ars Technica reports on changes in the latest version of Cryptowall, and a new ransomware player called Chimera. Brian Krebs reports on new ransomware that targets and encrypts web sites. Luckily, the encryption applied by that particular ransomware is relatively easy to reverse.

Several web sites and services were hit with Distributed Denial of Service (DDoS) attacks in November. In some cases, the attackers demanded ransom money to stop the attack. ProtonMail, provider of end-to-end encrypted email services (and used by yours truly), was hit, and the attacks didn’t stop even when the ransom was paid.

Security certificates generated using the SHA1 algorithm are nearing the end of their usefulness. Plans are already underway to stop providing them and stop supporting them in web browsers and other software. SHA1 is being phased out in favour of the much more secure SHA2 algorithm.

A rash of vulnerabilities in popular WordPress plugins, including the excellent BPS Security plugin, came to light in November. WordPress site operators are strongly encouraged to either enable auto-updates or configure their sites to send alerts when new plugin versions are detected.

An app called InstaAgent was pulled from the Apple and Google app stores when it was discovered that the app was transmitting Instagram userids and passwords to a server controlled by the app’s developer. It’s not clear how the app managed to get past the quality controls in place for both stores.

Security researchers discovered a bizarre new form of privacy invasion that uses inaudible sound – generated by advertisements on TV and in browsers – to track user behaviour. As weird as it seems, this technology is allowing true Cross Device Tracking (CDT).

On a brighter note, Google is now detecting web sites that appear to use social engineering techniques to trick users. Chrome’s Safe Browsing feature will now show a warning when you are about to visit a page Google thinks is using these devious methods.

The whole-disk encryption technology TrueCrypt was previously reported as vulnerable, and a new study has confirmed those vulnerabilities. The study also found that if TrueCrypt is used on unmounted drives, it is perfectly secure, but what use is a hard disk if it isn’t connected to anything? TrueCrypt users are still anxiously awaiting new encryption technologies like VeraCrypt.

Security researchers discovered a critical flaw in many Virtual Private Network (VPN) services. VPN software and services are used by many torrent users to protect their identity. The flaw allows a malicious person to obtain the true IP address of a VPN user.

The Reader’s Digest web site was infected with a variant of the Angler malware and proceeded to infect unpatched visitor computers for about a week before site operators took action. Thousands of Windows computers may have been infected before the site was finally cleaned up.

Chrome 47 released

Google just announced another new version of Chrome. Version 47.0.2526.73 includes fixes for at least 41 security vulnerabilities.

Alas, the only complete list of changes is the change log (warning: clicking may crash your browser), which as usual includes so much detail that it’s a headache to parse. It’s thousands of lines long. I started reading it, and ten minutes later, my browser scrollbar still hadn’t moved. Presumably if this version included any noteworthy changes, Google would mention them in the release announcement.

Meanwhile, if you use Chrome, you should install the new version, because of the security fixes it contains.