YouTube no longer uses Flash by default

If you’ve been trying to live without Flash, because of its never-ending security vulnerabilities, take heart. YouTube now shows videos using HTML5 instead of Flash by default. YouTube will still use Flash in browsers that don’t support HTML5, but all the major browsers do now support it.

Flash use is still pervasive on the web. But this change by YouTube – arguably the biggest user of Flash up to now – is going to reduce Flash usage enormously.

Note that while YouTube started experimenting with this change some time ago, it’s only recently shown up in Firefox, with version 37.

If YouTube was the only place you were using Flash, you should be able to completely disable Flash in your browser now.

Google pushing for mobile-friendly web sites

Google wants the web to be easier to view on mobile devices. To encourage web site owners to make their sites mobile-friendly, Google is now ranking mobile-unfriendly sites lower on mobile searches.

In other words, if you run a web site that fails to meet Google’s mobile-friendly requirements, that site will now appear lower down in Google’s search results, when the search is performed on a mobile device.

There’s no reason to panic, however. Mobile-friendliness is only one of numerous factors that determine where a site ranks in Google search results.

User and sysadmin mistakes allow intruder access in most cases

Recent studies from Verizon and Symantec show that malicious hackers almost always gain unauthorized access to computer systems because of misconfigured software and user errors. You don’t have to be a genius hacker to get into a supposedly secure system if a sysadmin left the door wide open, or if you can fool a gullible user into revealing their password.

As a user, you’re probably getting tired of being told to be careful when clicking links on the web and in email. But it’s good advice. If you receive an email message that includes a link, and tells you to click the link, think before you click. If someone asks you for your password, do not give it to them.

Chrome and Internet Explorer add security features

A new extension for Chrome called Password Alert helps users recognize when they’ve unknowingly entered their Google/Gmail password on a phishing web page. The extension does this without itself compromising security. If you use Chrome, this extension is highly recommended. You can find the extension in the Chrome web store. Bruce Schneier has more.

Meanwhile, Microsoft is adding a feature to Internet Explorer that will warn users when they visit a site with ads that contain malware. The feature is expected to start working on June 1.

Update 2015May01: And just like that, Google’s Password Alert extension is shown to be extremely easy to bypass. Google issues an update, which is also shown to be seriously flawed.

Jeff Atwood on passwords

Noted technology blogger Jeff Atwood discusses passwords in a recent post on his entertaining and informative site Coding Horror.

Jeff wants web-based services to get better at both insisting on strong passwords, and helping users to choose those passwords; or to switch to authentication technologies provided by Facebook, Google, and others. Based on his testing, he also observes that passwords shorter than twelve characters are easy to crack using brute force methods.

WordPress 4.2 and 4.1.3

WordPress 4.2 was released yesterday. This version adds some new features and improves others. This is not a security-related update.

Updating to version 4.2 also seems to trigger several theme updates. On one of my sites, which uses a Twenty Eleven child theme, an update to the parent Twenty Eleven theme caused the site to stop working completely. I was able to resurrect the site by installing the Twenty Eleven theme again manually. Update: apparently one of the download servers had an incomplete copy of the theme. This problem has been resolved.

Confusingly, WordPress 4.1.3 was also released yesterday. Because it was released so soon after 4.1.2, it’s safe to assume that it contains more security fixes. However, details are sketchy at this point. There was no formal announcement of the release. The WordPress Codex entry for version 4.1.3 says ‘Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release.’

WordPress sites configured for auto-updates will update themselves to version 4.1.3 over the next few days. Depending on the auto-update settings, WordPress sites may also update themselves to version 4.2, bypassing 4.1.3. This shouldn’t be a problem, since it’s safe to assume that any fixes in 4.1.3 are also in 4.2.

Your best bet at this point is to update your WordPress sites manually to version 4.1.3. Then start testing version 4.2; once you’re sure it’s not going to break anything, upgrade your production sites.
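The auto-update behaviour described above is governed by a constant in wp-config.php (and, for finer control, by a pair of WordPress filters). The fragment below is an added example, not code from the original post; it keeps the site receiving point releases such as 4.1.3 automatically while holding back the 4.2 major upgrade until you have tested it. Constant and filter names are WordPress's own; the file layout and comments are mine.

```php
<?php
// --- wp-config.php (above the "That's all, stop editing!" comment) ---
//
// WP_AUTO_UPDATE_CORE accepts three values:
//   true    - install dev, minor and major core releases automatically
//   false   - never install core releases automatically (you patch by hand)
//   'minor' - install only minor/point releases, e.g. 4.1.2 -> 4.1.3
//             (the default when the constant is not set)
// Leaving this at 'minor' means a 4.1.x site picks up 4.1.3 on its own
// but does not jump to 4.2 before you have tested that release.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- wp-content/mu-plugins/core-updates.php (optional, equivalent control) ---
//
// Filters are not available while wp-config.php is being read, so they go in a
// must-use plugin. This pair allows point/security releases and blocks majors,
// which matches the 'minor' constant but can be adjusted per release channel.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
```

After 4.2 has passed testing on a staging copy, either set the constant to `true` or run the major upgrade manually from the dashboard.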

Critical security updates for WordPress and plugins

WordPress 4.1.2 was released on Tuesday to address a critical security vulnerability. Sites configured for auto-updates will be updated over the next day or so, but you might want to consider installing the update via the dashboard right now.

In related news, security researchers at Sucuri just published a list of popular WordPress plugins that contain serious XSS vulnerabilities. Most of these plugins already have updates addressing the issue. Check your WordPress sites for these plugins, and either update or disable them.
