Category Archives: Things that are bad

COVID-19 scams are everywhere

Major events are viewed as opportunities by scammers worldwide. Same as it ever was. These days, the scammer’s tools of choice involve computers, because the potential victim pool is far beyond any alternative.

In keeping with this sad reality, COVID-19 scams are showing up everywhere on the web, and in our email inboxes.

Please exercise caution when you receive email or visit web sites that advertise cures, or entice you to click links or open attachments claiming to provide COVID-19/Coronavirus help.

If you’re looking for legitimate information about COVID-19, visit the web sites of major health organizations and local governments.

In Canada, visit the federal government’s COVID-19 page.

In the USA, try the web site for the Centers for Disease Control and Prevention.

For a global overview of the spread of COVID-19, see the frequently updated map of Coronavirus COVID-19 Global Cases by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University (JHU).

Ars Technica has more information about this.

Microsoft news: all bad today

The hits just keep on coming for Microsoft. I suppose it’s inevitable that a company as large as Microsoft will make mistakes, but when their products reach into our lives as thoroughly as Microsoft’s, those mistakes can lead to major disasters.

Global Windows 10 search failures

A huge proportion of Windows 10 users worldwide lost the ability to search their own computers recently. According to Microsoft, the problem stemmed from a glitch on a Microsoft server. Exactly why local search should be affected by some mysterious remote Microsoft server is yet to be explained.

In reality, search in Windows has been variously broken since Vista. I discovered a particularly horrible search bug in that garbage dump of an O/S soon after it was released, and was eventually able to convince Microsoft that it was a real problem; a fix soon followed. But even that didn’t fix all of Windows search’s problems; getting it to find all your files in all their locations was — and continues to be — a never-ending, and ultimately ineffective, exercise.

That’s why most people who need a search function that’s actually useful have long since switched to third party software, such as the excellent, fast, accurate, and free Fileseek. There’s also the blazingly fast (and also free) Everything. Both of these work perfectly out of the box, requiring no special setup to be useful, unlike Windows’ built-in search.

Still, many people assume that the Windows search feature is adequate, and never switch to anything else. Those people discovered the recent problem the hard way, when the already basically worthless search stopped working completely. Those people are understandably angry.

Implicit trust of driver software is a gaping security hole in Windows

Malicious folks have discovered yet another way to fool Windows into executing code that it shouldn’t. The new technique takes advantage of the fact that Windows implicitly trusts drivers. A driver is a small piece of software that connects Windows with hardware, allowing that hardware to be used by the O/S.

In this case, a specific driver that contains a serious security vulnerability — but is neverthless trusted by Windows — was used by hackers to deploy ransomware to affected systems.

There’s no word from Microsoft on how they intend to deal with this glaring hole in Windows security.

A treasure trove of illicit data awaits the buyer of corp.com, thanks to Microsoft

Decisions made by Microsoft years ago are poised to create massive problems for many business and educational customers worldwide. When the person who owns the generic corp.com domain sells it, the new owner will be able to gather credentials and other supposedly private data from Windows computers that assume they are communicating with internal systems.

The problem stems from an ill-considered decision to use corp.com as a default setting and in documentation provided by Microsoft. Server administrators who didn’t change that default are now faced with a huge task that involves bringing down entire networks and possibly creating new problems.

Microsoft has known about this problem for years, and their advice to customers is basically “you shouldn’t have used the defaults”. Thanks for nothing, Microsoft.

Microsoft news: the good, the bad, and the spiteful

The Good

Windows 7 support ended earlier this month, and with it any hope of fixing newly-discovered security vulnerabilities. Or did it? Microsoft recently discovered a problem with an update, released in Novemeber 2019, that is causing problems with desktop wallpaper on Windows 7 computers. This isn’t a security issue, but it probably affects thousands of users, and Microsoft has now released a special update that fixes the wallpaper problem. You can get the update via Windows Update on Windows 7 computers.

The Bad

Microsoft’s plans for expanding advertising in Windows 10 continue, albeit very slowly. The latest change is in Windows 10’s default rich text editor, Wordpad. When you run Wordpad, you’ll see an advertisement for Microsoft Office. It’s not much, and many users will never see it, but I’m reminded of the proverbial frog in steadily-warming water.

The Spiteful

Microsoft’s shenanigans with Google show no signs of slowing down. Both companies have engaged in questionable behaviour in trying to promote their software and services. The latest shot from Microsoft is particularly annoying: when Office 365 updates itself — a process that is both frequent and difficult to control — it will look for an installation of Google’s Chrome web browser, and change its default search engine to Bing.

Microsoft has a history of inappropriately reverting settings during updates, which is annoying enough, but this is excessive and downright spiteful, in my opinion. Microsoft, please play out your differences with Google in a way that doesn’t annoy millions of users.

Update 2020Feb11: Microsoft relented, and won’t be switching Windows 10 searches to use Bing during Office 365 updates. I guess they realized that they didn’t need yet another public relations disaster.

LifeLabs hacked; patient data compromised

Some security breaches are worse than others. If your bank suffers a breach, the potential for damage is enormous, because banks necessarily store a lot of critical information about you and your money.

Almost as bad are breaches of health-related services, because those systems may store extremely private information about you and your medical history.

Which makes the recently-announced breach of Canada’s LifeLabs (PDF) very disturbing.

The Ars Technica story about this provides a helpful summary of what happened, although it starts out by saying that LifeLabs “paid hackers an undisclosed amount for the return of personal data they stole”. Data can be copied, and when someone copies data to which they have no legal access, it’s a crime. But the idea that data can be ‘returned’ is bizarre.

It’s more likely that LifeLabs was the victim of a ransomware attack, in which data is encrypted by attackers, rendering the data useless until a ransom is paid and the data decrypted by the attackers.

However, it’s also possible that the attackers copied the data to their own systems before encrypting it, with the aim of selling that extremely valuable data, containing names, addresses, email addresses, customer login IDs and passwords, health card numbers, and lab tests. So far, there’s no evidence that the data has made its way to any of the usual dark web markets for such data, but there’s no way to be sure that won’t happen.

Charles Brown, President and CEO of LifeLabs, posted An Open Letter to LifeLabs Customers on December 17, in which he discloses the breach and apologizes to customers. While it’s good to see the company take responsibility, an apology is hardly sufficient. Even the offer of “one free year of protection that includes dark web monitoring and identity theft insurance” seems unlikely to satisfy affected customers. There’s at least one petition in the works, “calling on Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI) to investigate LifeLabs, and put forward recommendations to ensure this doesn’t happen again.”

In British Columbia, users access their LifeLabs test results online using a service called eHealth. It’s not clear whether LifeLabs’ relationship with eHealth is in any way related to this breach. At this point it appears that it makes no difference whether you signed up to access your test results using eHealth. In other words, changing your eHealth password, while advisable, seems unlikely to mitigate the potential damage.

However, as usual in the case of any breach, you should review your passwords, and if you’ve used your LifeLabs or eHealth password for any other site or service, change those passwords to something unique. Do it now.

MORE Windows 10 update problems

Today’s nightmare is brought to you by Microsoft

An open letter to Microsoft:

Dear Microsoft –

Please either allow us to disable Windows 10 updates, or stop pushing out updates that break millions of computers worldwide every few weeks.

Sincerely,
Almost a billion Windows 10 users

The problems with Windows 10 updates are getting worse, not better. The last major feature update (1903) had major issues at release, and more seem to be turning up with each new set of “quality” updates. Those quotes around the word ‘quality’ are very intentional, by the way.

I’ve just spent most of a day troubleshooting and fixing a heinous set of problems related to printing, affecting most of the computers at a retail client. Printing is a critical function for this client, as it is for most businesses.

What follows is the sequence of events leading up to the printing problem, and what finally fixed it.

All of the computers are running 64-bit Windows Professional release 1903 (build 18362.356).

SUMMARY: Update 4522016, which apparently caused these printing problems on some computers, was never installed on any of the affected PCs at this business. Update 4524147 caused the printing problems it was supposed to fix. Uninstalling update 4524147 fixed the printing problems on three otherwise up-to-date Windows 10 PCs.

  1. 2019Oct03: Update 4524147 was installed automatically on all affected PCs. This happened overnight, which is normal for these PCs.
  2. 2019Oct04: The client reported printing problems on several PCs.
  3. 2019Oct04: The usual troubleshooting for printing issues was ineffective. Research eventually showed that a recent Windows update (4522016) was causing printing problems for many users. But that update was never installed on any of the affected PCs.
  4. 2019Oct04: Since printing was working fine before 4524147 was installed, I uninstalled that update, and printing started working again. Repeating this on all affected computers resolved all the printing problems.
  5. 2019Oct05: On trying to log into one of the recently-fixed PCs, Windows 10 told me that the Start menu was broken. Research showed that update 4524147 was causing this problem (the second time an update broke the Start menu in recent weeks). I checked, and sure enough, 4524147 had been reinstalled automatically overnight. Uninstalling it fixed the Start menu.
  6. 2019Oct05: To delay recurrence of the printing problem, I used the Advanced settings on the Windows Update screen to delay updates as long as possible. On most of the PCs, I was able to delay updates for between 30 and 365 days. On one PC, these settings were inexplicably missing. I eventually had to use the Local Group Policy Editor to make the necessary changes.
  7. 2019Oct04: I reported this bizarre situation to Microsoft via its Windows 10 Feedback hub. It’s difficult to know whether anyone at Microsoft will actually see this, or take it seriously. I have doubts, which means that this problem seems likely to reappear at some point.

As predicted

This is in fact the nightmare scenario envisioned by myself and others when it became clear that Windows 10 updates would not be optional. While Microsoft has — grudgingly — made it possible to delay updates, it’s still not possible to avoid them completely, and if you’re one of the unlucky Windows 10 Home users, even that’s not an option.

Questions for Microsoft

Why did an update intended to fix printing problems actually cause those exact problems?

Why are some of the advanced Windows Update settings missing from one of several identically-configured Windows 10 PCs running the same build?

Why are you inflicting this garbage on us? Do you hate us?

WHY DON’T YOU LET US TURN OFF UPDATES? This is the simplest solution, and while I understand that you want Windows 10 installs to be secure (and that means installing fixes for security vulnerabilities), until you can produce updates that don’t cause massive problems, we don’t want them.

Related links

Update 2019Oct10: Apparently update 4517389, released on October 8 along with the rest of October’s updates, addresses this problem.

Firefox 66.0.4 fixes major add-on problem

On May 3, Firefox users all over the world noticed that the browser’s add-ons suddenly stopped working and disappeared from the toolbar. This caused major consternation, as you might imagine. Mozilla has previously made changes to Firefox which disabled some add-ons, so there was initially some concern that this was intentional. However, it turns out that someone at Mozilla failed to renew a critical security certificate, which then expired on May 3rd.

Mozilla added certificate checking to Firefox’s add-ons (extensions, themes, search engines, language packs) some time ago to weed out malicious add-ons and prevent them from being used. When the main certificate expired, Firefox suddenly identified all add-ons as invalid, and disabled them.

Many people use Firefox without add-ons, and those people were unaffected by this problem. Some people, including myself, use add-ons to provide functionality without which Firefox is almost unusable. For example, I use uBlock Origin to prevent Javascript from running on all web pages by default, and Dark Reader to make dark-themed web pages readable.

Once people started noticing the problem, they naturally tried to find workarounds, some of which did more harm than good. Mozilla scrambled to solve the problem, and on May 4 pushed out an official, temporary workaround using a little-known Firefox feature called Studies. Once installed, this fix did re-enable add-ons for many users, but didn’t help if the Studies feature was disabled, and was only effective for desktop versions of the browser.

On May 5 a new version of Firefox was released by Mozilla. Firefox 66.0.4 includes a single change that fixes the certificate expiry problem. There are a few caveats: some add-ons may need to be re-enabled manually. Certain add-ons will remain disabled. Other add-ons may need to be reconfigured.

This was a major (and embarassing) blunder, but Mozilla handled it reasonably well, although the information they published was occasionally somewhat misleading. There’s a useful record of what happened on this Mozilla blog post.

Update 2019May10: Yesterday, Mozilla published a followup/apology post.

Latest Google rug-pull: Google+

Google will terminate Google+ for individuals in the near future. The service will continue to exist for organizations, which presumably includes what Google calls ‘brand accounts’. But for anyone who bought into Google’s hype about the social media service, this is a major disappointment.

Just ask Mike Elgan, one of the more prolific Google+ contributors. In two recent posts, Mike expresses his profound disappointment with Google’s tendency to create new services, coerce people into using them, and then kill those services. I know all about this, having been a victim of Google’s rug-pulling shenanigans myself.

The rationale for Google’s decision to kill Google+ is the discovery of a huge hole in one of its programming interfaces (APIs). Apparently any developer using this API had access to Google+ user data beyond what was supposedly allowed. Lucky for Google+ users, hardly anyone was using this API, just as hardly anyone was using Google+. Anyway, Google fixed the hole back in March but didn’t tell anyone about it.

Okay, Google. This one doesn’t hurt me very much, as my use of Google+ is limited to parroting posts from my blogs to associated brand accounts. I’ll keep the brand accounts around, but I won’t be expanding my use of them. Fool me once… actually, I’ve lost track of how many times this has happened.

Windows 10 October Update is deleting user files

As you may be aware, there’s no longer any practical way to avoid installing Windows 10 updates. Once Microsoft pushes them out, they’re going to end up on your computer whether you want them or not. But maybe you trust Microsoft to make changes to your computer while you sleep (for the record, I’m definitely not). On the other hand, when an update ends up causing problems, it makes these forced updates look downright irresponsible.

According to numerous reports, the recently-announced October Update for Windows 10 is causing user files to be silently deleted. Now, before you go into panic mode, keep in mind that the October Update is not yet being pushed out to all Windows 10 computers: the only way to install it is to manually check for available Windows Updates. For now, the only people affected are those eager types who like to install shiny new things before looking closely at them.

Microsoft is aware of the problem, and they are looking into it, although it’s not at all clear when it might be resolved. Hopefully Microsoft will either pull the update, or at least delay pushing it out to all Windows 10 computers.

If you’re worried about losing files, I strongly suggest backing up all your documents, images, music, video, and other data files. Which you really should be doing anyway. I back up all my data nightly to an external hard drive, using the freeware Cobian Backup.

Update 2018Oct07: Microsoft put a halt to the planned rollout of the October update. The update is still available via Windows Update, so don’t think seeing it listed there means the problem has been fixed. All it means is that the update won’t be pushed out until the issue has been resolved.

Update 2018Oct08: When you shift testing away from professionals and to your user base, quality will suffer. Things are going to slip through. That’s why formal software testing is so important, especially for operating systems and other critical software. Microsoft seems to have made an erroneous assumption: that if you have a (nearly) infinite number of monkeys people using your software, they will find (and reliably reproduce) every bug. In fact, the people doing this unpaid “testing” are mostly power users who are just hoping that their own specific needs will be better served by the latest version. They aren’t testing every scenario, just the same one they tested for the last version. Power users are also much less likely to make the kinds of obvious mistakes that regular folks make, which can lead to surprises even after an update is pushed out to the general public. This situation seems likely to get worse, sadly. The Verge weighs in.

Update 2018Oct16: On October 9, Microsoft made a new (fixed) version of the October update available to users subscribed to the Windows Insider program. Microsoft also seems to understand that the current user-focused testing process is less than ideal: the Windows Insider Feedback Hub now allows users to provide an indication of impact and severity when filing User Initiated Feedback.

More CPU flaws discovered

Microsoft and Google just announced a new CPU speculative execution flaw that’s similar to Spectre and Meltdown: Speculative Store Bypass.

As with Spectre and Meltdown, almost all CPU chips made in the last ten years are affected by this issue.

The Verge: Google and Microsoft disclose new CPU flaw, and the fix can slow machines down.

Bruce Schneier thinks there are more speculative execution flaws coming. And he’s probably right.

Spectre update

Intel has decided not to produce Spectre microcode updates for some of the oldest of their affected CPUs, leaving most Core 2 chips without any hope of a Spectre fix. As for first generation CPUs, some will get updates, and some will not. Microcode updates for all CPUs from generation 2 through generation 8 have already been released.

Not sure whether your computer is affected by Spectre? If you’re running Windows, Gibson Research’s free InSpectre tool will tell you what you need to know. Looking for a Spectre BIOS update for your computer? PCWorld’s guide is a good starting point.

Intel has produced new microcode for most Spectre-affected CPUs, but some manufacturers have yet to provide corresponding BIOS updates for all affected motherboards. They may have decided not to bother developing updates for older motherboards. That’s a potential problem for millions of computers running older CPUs that are new enough to be vulnerable to Spectre. If the manufacturer hasn’t released a BIOS update with Spectre fixes for your motherboard, consider contacting them to find out when that’s going to happen.

Update 2018May24: I contacted Asus about a particular desktop PC I happen to own, and was told that “details on whether or not there will be a Spectre BIOS update for the <model> is [sic] currently not available.” That doesn’t sound very encouraging. It feels like they’re waiting to see how many complaints they get before committing resources to developing patches.

Latest Google rug-pulling is a victory for censorship

Normally when Google cancels a service, it’s annoying and baffling, but we grumble and find an alternative. Google’s latest rug-pull is much worse: it effectively hands a massive win to those who wish to prevent access to things they don’t like.

Until the feature was disabled recently by Google, it was possible to use Google’s App Engine to make web sites and other online resources available to users who would normally be blocked due to state- and corporate-sponsored censorship. The method used was referred to as domain fronting.

Google says they never meant for domain fronting to be possible with App Engine, but they also allowed it to happen for years, without any indication that it was a problem or would be stopped. So people started to rely on the service to get around censorship.

There’s a lot of hate directed towards Google these days, and a lot of it is misguided. From my perspective, enticing users with new services, only to kill those services once they are widely used, is their most infuriating habit.