Oracle’s response to Java’s ongoing security woes

A May 30 post on Oracle’s Software Security Assurance blog reviews Oracle’s plans to improve Java’s security.

Step 1 was apparently making sure that Java conforms to Oracle’s software security policies. Without knowing the details, I can only wonder whether the new policies are better or worse than whatever policies were already in place for Java, and whether they are even a good fit for a project like Java. Is it possible that this transition contributed to the recent spate of problems?

Step 2 is to throw more money at Java. Oracle describes this as “increasing investments in Java overall by Oracle”.

Oracle has been working on improving their response time to critical vulnerabilities, which is commendable. They are gradually coming to realize that scheduled releases just don’t cut it for security issues. These days, vulnerability and exploit details propagate almost instantly, and waiting weeks or months for fixes is unacceptable.

Apparently the use of automated security testing tools has been expanded. Presumably from ‘not used consistently or even at all’ to ‘used on a sensible schedule’.

The article goes into a lot of detail about the general security improvements made in recent Java updates. Good stuff, but not news.

On a positive (and actually news-worthy) note, Oracle is working on further separating Java as it runs in web browsers from Java used in server environments. This and other changes will make distribution and administration a lot easier for IT folks. Server Java will also be hardened in ways that are not practical for web-based Java.

So, not much to see here, although it seems clear that Oracle knows that Java security is a serious problem and is at least making an effort to fix it.

Infoworld proposes a design for the next version of Windows

It seems clear that Microsoft isn’t going to fix Windows 8 with Windows 8.1. The changes in 8.1 are trivial and do not address the major concerns about Windows 8.

Infoworld has a solution: a new design for the next version of Windows, code-named Windows Red. This is a serious re-thinking of the design choices made by Microsoft and an attempt to rectify Windows 8’s problems.

All of Infoworld’s changes make sense to me. It would be wonderful if Microsoft paid attention to this design and actually used some or all of it. But knowing Microsoft, they’ll ignore it completely.

Infoworld also posted a useful followup with additional details on Windows Red.

Your passwords are not strong enough

If you’re like most people, you’ve grudgingly started to use complex passwords like “hf7s4hfk23” instead of “1234”. If you’re listening to the security experts, you’ve started using a different password for every site and service. You may even be using a password store like Password Corral.

And, after doing all that, you may actually feel somewhat secure in your online activities. Unfortunately, you’re not. Advances in password cracking techniques, the availability of powerful graphics hardware that can be used to speed up password cracking, and the failure of many web sites and services to use the latest security techniques make your security online weaker than ever.

Ars Technica has an excellent (although scary) post about the current state of online security and passwords.

The upshot is that you should do all of the things that security experts have been telling us for years: use long (11 or more characters), complex passwords with upper and lower case letters, numbers and punctuation; avoid using words in passwords; don’t re-use passwords; don’t use ‘stringdigit’ passwords (a string of letters followed by digits); and use a password store to help remember all those passwords. Do all of those things, but also ask your service providers to use current security technologies.
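The advice above can be turned into a simple policy check. The following Python script is an added example, not code from the original post or from any product it mentions; it checks the rules listed (11 or more characters, all four character classes, no ‘stringdigit’ pattern, no dictionary words). The 11-character minimum comes from the post; the tiny word list is constructed for illustration and stands in for a real dictionary.

```python
import re
import string

# Constructed mini word list for the demo; a real check would use a full dictionary file.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}

MIN_LENGTH = 11  # "11 or more characters" from the post

# 'stringdigit': a run of letters followed by a run of digits and nothing else.
STRINGDIGIT = re.compile(r"^[A-Za-z]+[0-9]+$")


def check_password(password: str) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Require all four classes: upper, lower, digit, punctuation.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    if STRINGDIGIT.match(password):
        problems.append("'stringdigit' pattern (letters followed by digits)")

    # Case-insensitive substring match against the word list.
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")

    return problems


if __name__ == "__main__":
    for candidate in ["1234", "hf7s4hfk23", "Password2013", "Tr4v3l!ng-T0-M4rs?"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the post’s own example “hf7s4hfk23” fails this check on length and character classes, which is exactly the point the post makes: a random-looking string is not automatically a strong one.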

For example, if you track your finances with the fictional site myspendingxyz.com, you clearly don’t want that site to use anything but the latest security. Look for a statement regarding security on the web site. If you can’t find one, contact the site operators and ask what they use to ensure the security of user accounts. The list below shows a few of the technologies commonly used and indicates whether those technologies are actually helpful.

  • Password hashing – absolutely required
  • Cleartext passwords – utterly insecure
  • One-way hashing – much safer than reversible hashing
  • Reversible hashing – dangerous
  • MD5 hashing – ancient, easy-to-crack crypto
  • Microsoft NTLM crypto – easy to crack
  • SHA1, SHA2 – much harder to crack than MD5 but still not secure enough to use for passwords
  • bcrypt, scrypt, PBKDF2, and SHA512crypt – current best crypto for use in hashing passwords
  • Password salting – a good way to boost security
  • Password complexity requirements – another good way to improve security
  • Corporate data protection policies – any company that handles user passwords should have policies in place that preclude such dangerous activities as copying password data to a laptop or removable drive
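To make the difference between the weak and the recommended entries in the list concrete, here is an added Python example (not code from the post or from any site it mentions) that stores a password two ways: unsalted MD5, and salted PBKDF2-HMAC-SHA256 from the standard library. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions for the demo, not a standard the post prescribes; tune the count so one hash costs tens of milliseconds on your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; raise it as hardware gets faster.
ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The 'ancient, easy-to-crack' scheme: fast, unsalted, same digest for same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, random salt and derived key."""
    if salt is None:
        salt = os.urandom(16)  # a fresh salt per record defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    pw = "Tr4v3l!ng-T0-M4rs?"
    print("md5  user1:", md5_unsalted(pw))
    print("md5  user2:", md5_unsalted(pw))      # identical: one crack breaks both
    print("kdf  user1:", pbkdf2_hash(pw))
    print("kdf  user2:", pbkdf2_hash(pw))       # different salts: no shared work
```

The two MD5 lines are identical and can be looked up in a precomputed table; the two PBKDF2 records differ because each carries its own salt, and every guess against them costs the attacker the full iteration count.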

Some companies may be reluctant to go into details, and may even suspect your motives. However, they should at least be able to state that they do not use any out-of-date technologies and have effective data protection policies in place.

Update: A followup article from Ars Technica digs deeper into what makes a secure password, and the use of password manager software. They examine several of these programs in detail.

Windows 8.1: Start button is back, but useless

Microsoft heard the complaints, and is bringing the Start button back in Windows 8.1. The problem? They heard, but they didn’t listen.

The Start button itself isn’t really all that useful. What’s useful about the Start button in previous versions of Windows is what happens when you click it: a menu appears. Of course, that menu has been criticized for years, but it’s still the only practical way to see a list of what’s possible on your computer.

With Windows 8.1, Microsoft has brought back the Start button, but pressing it just takes the user to the new Start screen (the one with the tiles). Useless. Apparently the Start screen has an “All apps” section that can be configured to look somewhat similar to a traditional menu, but this menu would be incomplete at best.

In public discussion on this subject, Microsoft spends a lot of time talking about branding, desktop wallpaper on the Start screen, and the ability to boot to the desktop. They also apparently realized that on a computer with no menu, searching is the only way to find anything, so search has been ‘improved’ to Windows 7 functionality.

On the positive side, it will once again be possible to have more than one program or window visible on the screen simultaneously, although that feature will also be limited.

Here’s a roundup of related articles from around the web:

Update 2012Jun03: Peter Bright over at Ars Technica also noticed that the Start menu won’t be back in Windows 8.1, although I disagree with his conclusions.

Google’s rug-pulling frenzy continues

The latest victim of Google’s recent spate of service-killing is Google Code. While the service itself is still running, its usefulness is being dramatically reduced: downloads are being phased out.

The reason? Abuse, according to Google. Apparently nefarious types are using the service to distribute [insert something bad here]. Instead of allowing the (technically-savvy) user community to get involved and suggest solutions, Google unilaterally shut it down.

Sure, I get that this is a free service, and as such, Google has no legal obligation to leave it intact. But stranding users like this is no way to make people love you. I’m already re-thinking my current use of Google services, and I’ve altogether stopped using new Google services. What’s the point of switching to a new service – no matter how good it is – if it’s going to disappear in a few months?

Google is a rarity among modern tech corporations: it’s run by engineers instead of accountants, lawyers and MBAs. That has worked well for Google in the past, but I can’t help wondering if those bottom-line numbers are starting to sway Google’s head honchos. The power of those numbers is seductive. Once we lose Larry and Sergey to the dark side, Google’s days as one of the good guys are numbered.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.