Minor bug fixes and stability improvements feature in the latest version of Opera, 39.0.2256.71. The full change log doesn’t list any security fixes, so this is not an urgent update unless you’re experiencing stability issues. For most users, Opera will update itself automatically.
Recent Infosec highlights
It sometimes feels like news in the world of information security (infosec) is a never-ending tsunami. With the almost-daily reports of breaches, malware, phishing, vulnerabilities, exploits, zero-days, ransomware, and the Internet of Things (IoT), it can be difficult to identify stories that are likely to be of interest to typical computer users.
Stories about infosec issues that are primarily academic may be interesting, but they’re unlikely to affect most users. Sometimes the impact of a security issue is exaggerated. Occasionally the threat is later found to be nonexistent or the result of faulty reporting.
In the past, I collected infosec stories and wrote about the most interesting and relevant ones in a single month-end roundup. This helped to manage the load, but it introduced an arbitrary and unrealistic schedule.
Starting today, I will occasionally post a few selected infosec stories in a single ‘highlights’ article. Without further ado…
Don’t be a victim of your own curiosity
Researchers in Germany discovered that most people click phishing links in emails, even when they don’t know the sender, and even when they know they shouldn’t do it. Why? Curiosity, apparently. It doesn’t just kill cats any more.
Promising new anti-phishing technology
On a related note, there’s a new reason to be optimistic in the fight against phishing. A proof-of-concept, prototype DNS greylisting service called ‘Foghorn’ would prevent access to unknown domains for 24 hours, or until the domain is identified as legitimate and whitelisted. Hopefully Foghorn will prove effective, and become available for regular users in the near future.
Scope of 2012 breaches of Last.fm and Dropbox finally revealed
Popular Internet radio service Last.fm suffered a breach way back in 2012, but the details were not revealed until very recently. According to a report from LeakedSource, as many as 43 million user passwords were leaked, and the passwords were stored using very weak security. If you had a Last.fm account in 2012, you were probably instructed to change your password. If you didn’t do it then, you should do it now.
Massively popular file sharing service Dropbox was also breached in 2012, but again, the complete details of the breach are only coming to light now: passwords for as many as 60 million Dropbox user accounts were stolen. The validity of this information has been verified by SANS and Troy Hunt.
The usual advice applies:
- If you have accounts for these services, change your passwords now, if you haven’t already.
- Avoid using the same password for more than one service or site.
- Use complex passwords.
- Use password management software so you don’t have to remember all those unique passwords.
Chrome 53.0.2785.89
The full change log for Chrome 53.0.2785.89 is another one of those browser-annihilating pages that you probably shouldn’t even try to load. Included in the boat-load of changes in Chrome 53 are thirty-three fixes for security vulnerabilities, making this an important update.
For most users, Chrome will automatically update itself, but given the number of security fixes, you should probably make sure. Click the funny little menu icon (three dots in a vertical line), then select Help > About from the menu. If Chrome isn’t already up to date, this should trigger an update.
There may be some interesting new features in Chrome 53, but the announcement doesn’t mention anything in particular. If anyone out there is patient enough to read the full change log and notices anything noteworthy, drop me a line to let me know, and I’ll update this post.
Windows 10 update problems continue
Recent updates to Windows 10 are causing headaches for Kindle and Powershell users.
Kindle users are reporting that simply plugging their Kindle into their Windows 10 PC is causing Windows 10 to crash. Two important Powershell features were rendered inoperable by the updates, making the jobs of system administrators more difficult.
Both problems are apparently the result of poorly-packaged cumulative updates. Microsoft is working on fixes, but seems to be in no hurry, since the fixes will not be available until August 30.
As with the webcam problems reported last week, these problems highlight what appear to be major holes in Microsoft’s new testing process, which relies on user feedback. Clearly, huge swaths of functionality are not being tested either by Microsoft or Insider users.
Firefox 48.0.1 and 48.0.2
Mozilla snuck a couple of Firefox releases past me again. I only noticed version 48.0.1 when Firefox offered to upgrade itself on one of my computers. On a different computer, Firefox offered to upgrade itself directly to 48.0.2. I’m currently unable to induce Firefox to update itself to 48.0.2 on the former; the About dialog insists that “Firefox is up to date.”
Come on, Mozilla. Get your crap together:
- Provide proper release announcements. I’ve been harping on this for a while, but Mozilla is oddly resistant.
- Clarify update availability: why do I see update alerts on some computers, but not others?
- Add a manual update checker to the About dialog (menu > question icon > About), because otherwise it may not show the most recent version for several days after that version becomes available.
This is basic stuff, folks.
Firefox 48.0.1 was released on August 18. It’s mostly fixes for crashing problems, and doesn’t seem to include any security fixes.
Firefox 48.0.2 was released on August 24. It fixes one specific crashing problem.
Since neither of these updates includes security fixes, delaying their installation (for whatever reason) isn’t going to make your computer less safe.
Update 2016Sep03: On my Windows 8.1 computer, Firefox didn’t prompt me to upgrade to version 48.0.2 until a week after the update became available. That seems an excessive delay. Of course, 48.0.2 isn’t a security release, so it’s not really urgent. Or is it? The 48.0.2 update message says “A security and stability update for Firefox is available.” Which seems weird, since the release notes don’t mention anything about security. The update message also says this: “It is strongly recommended that you apply this update for Firefox as soon as possible.” That would make sense if this was a security update, but again, it’s not. And how much sense does it make to tell people to update ASAP, when the message doesn’t appear until a week after the update becomes available? Sheesh.
Apple fixes three critical vulnerabilities in iOS
If you have any Apple mobile devices, including iPhones and iPads — anything that runs iOS — you should update them immediately.
These three vulnerabilities are already being exploited (0days), and can lead to a complete remote compromise of an affected device.
Yesterday Apple released updates that address these vulnerabilities. The updates were released outside of Apple’s regular update schedule (i.e. out of band updates).
Duo Security has additional analysis.
The EFF scolds Microsoft for anti-consumer Windows 10 tactics
The Electronic Frontier Foundation (EFF) is “the leading nonprofit organization defending civil liberties in the digital world.” If you’re not familiar with their work, you should be.
In a recent post on their site, the EFF provides a scathing review of Microsoft’s troublesome decisions in relation to Windows 10, including: hitherto unheard-of free upgrades; insistent and entrenched upgrade prompts on Windows 7 and 8; pushing Windows 10 upgrades via Windows Update; categorizing privacy-compromising and advertising-related updates as important for security; user interface tricks that are common to malware; collecting and transmitting large amounts of potentially sensitive data from Windows computers to Microsoft; failing to provide either adequate explanations for — or methods for disabling — various unwanted features; obfuscating their intentions behind claims of improved security and enhanced functionality; and claims that Windows Update is somehow unable to function without privacy-violating functionality enabled.
It concludes with a stern warning:
Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.
Otherwise it will face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.
We at EFF have heard from many users who have asked us to take action, and we urge Microsoft to listen to these concerns and incorporate this feedback into the next release of its operating system. Otherwise, Microsoft may find that it has inadvertently discovered just how far it can push its users before they abandon a once-trusted company for a better, more privacy-protective solution.
Windows users face a choice:
- Option #1: Continue using Windows 7, 8 and 10. Trust that Microsoft’s intentions are good; that they are not really trying to control what we see, and track what we do, when we use Windows.
- Option #2: Continue using Windows 7, 8 and 10. Assume that Microsoft will back down from its more aggressive moves, whether prompted by consumer backlash or legal action.
- Option #3: Continue using Windows 7, 8 and 10. Disable what you can, block what you can, and stop using Windows Update, hoping that this will prevent Microsoft from compromising your privacy, but making your computer increasingly less secure.
- Option #4: Continue using Windows 7, 8 and 10. Rely on the computing community to develop ways to block Microsoft’s attempts to control and monitor users (without compromising security), as we’ve already seen in the form of GWX Control Panel and other software.
- Option #5: Stop using Windows 7, 8 and 10. Rather than wait for Microsoft’s plans to reach their probable conclusion (a Microsoft-controlled advertising platform on every desktop), switch to a less problematic operating system, such as Linux.
Recommendation: Option #5 if you can; otherwise Option #4. Option #3 should be viewed as a temporary solution only, and dangerous in the long run. Option #2 is probably overly optimistic. Option #1 is just sadly naive.
The Verge and Techdirt have their own take on the EFF’s post.
Latest hard drive reliability data from Backblaze
Cloud storage provider Backblaze publishes their hard drive reliability findings quarterly, thus providing a useful benchmark for us regular folks.
In their most recent report, Backblaze’s data includes 8 terabyte drives for the first time. Failure rates for the 8 TB drives are slightly higher than for smaller drives, but this may be due to the fact that all of the 8 TB drives are new, and new drives tend to fail more often than drives that have been running for a while.
As usual, HGST (Hitachi) drives top the reliability charts, but Seagate is now close behind. Western Digital failure rates are the worst of all the drives analyzed.
Windows 10 update breaks many webcams
Microsoft wants us to let them update our Windows computers whenever they choose. Anyone using the Windows 10 Home edition is already living with this new reality, and — short of upgrading to Windows 10 Professional — can do nothing about it.
Of course, Windows 10 Professional is only slightly less invasive, as it only lets users delay updates for a few weeks. The only way to regain complete control over updates is to use one of the extremely pricey Enterprise or Education editions.
If you wanted to demonstrate just how awful this all is, you couldn’t ask for a better example than the recent anniversary update, which caused huge numbers of webcams to stop working.
Nothing in the release notes for the anniversary update provided any clues that this might happen. I imagine plenty of people simply assumed that their webcams had failed. Some may even have purchased new webcams.
Microsoft is apparently working on a fix, but there’s no indication of when it will be available. In the meantime, there are a lot of angry webcam users out there.
But wait a second: why wasn’t this problem reported by people with affected webcams who are on the Windows 10 Insider Preview program? The problematic changes were available to those users well in advance of the anniversary update’s release. If it was reported, Microsoft apparently failed to grasp the scope of the problem. A more likely explanation is that Insider Preview participants either don’t have webcam hardware (e.g. they test Windows 10 on a virtual machine), or simply never thought to test their webcam. Either way, Microsoft failed to perform adequate internal testing, and this doesn’t bode well for Microsoft’s reliance on the new Feedback mechanism.
Microsoft: “Upgrade to Windows 10 or we’ll make Windows 7 and 8.1 just as bad.”
Microsoft just announced the next move in their fight to push their advertising platform into our faces, and it’s very bad.
Let’s review, shall we? Microsoft really wants you to use Windows 10. Their official explanation for this includes vague language about reliability, security, productivity, and a consistent interface across platforms. Their claims may be true, but they hide the real reason, which is that Microsoft saw how much money Google makes from advertising, realized that they had a captive audience in Windows users, and added advertising infrastructure to Windows 10 to capitalize on that. The privacy-annihilating features are easily explained: the more Microsoft knows about its users, the higher the value of the advertising platform, since ads can be better targeted.
A short history of Microsoft’s sneakiest Windows 10 moves
Move #1: Offer free Windows 10 upgrades for Windows 7 and 8.1 users. Who doesn’t like free stuff? Many people jumped at this opportunity, assuming that newer is better.
Move #2: Dismayed by the poor reception of Windows 10, and upset by all the recommendations to avoid it, Microsoft creates updates for Windows 7 and 8.1 that continually pester users into upgrading, in some cases actually upgrading against their wishes or by tricking them. Angry users fight back by identifying and avoiding the problematic updates.
Move #3: Still not happy with people hanging on to Windows 7 and 8.1, Microsoft creates updates that add Windows 10 features to Windows 7 and 8.1, including instrumentation related to advertising. Again, users fight back by identifying and avoiding these updates.
Move #4: Microsoft announces that business and education customers can avoid all of the privacy-compromising and advertising-related features of Windows 10 through the use of Group Policy. This is good news for bus/edu customers, but then again, those customers pay a high premium for Enterprise versions of Windows already. At least now Windows 10 is a viable option for those customers.
Move #5: Microsoft realizes that the Group Policy tweaks provided for bus/edu customers can also be applied to Pro versions of Windows, so it disables those settings in the Pro version. Windows 10 Home users never had access to those settings. Angry users are running out of options.
Move #6: Which brings us to today. Since the only way to avoid privacy and advertising issues (borrowed from Windows 10) in Windows 7/8.1 will be to stop using Windows Update entirely, angry users are now looking at alternative operating systems.
We know business and education customers won’t be affected by this latest change. The rest of us will have to suffer – or switch.
Assuming Microsoft doesn’t back away from this decision, I imagine my future computing setup to consist primarily of my existing Linux server, and one or two Linux machines for everyday use, development, blogging, media, etc. I’ll keep a single Windows XP machine for running older games and nothing else. In this scenario, I won’t run newer games if they don’t have a console version. Aside: if I’m not the only person doing this, we might see a distinct decline in PC gaming.
Dear Microsoft: I only kind of disliked you before. Now…
Computerworld has more. Thanks for the tip, Pat.