September 2006 - Posts
Over on the Grand Stream Dreams blog, Claus Valca has written a post outlining the reasons you should take the security of your computers at home seriously. He mentions various scams that target home users with a few real world examples of people just like you and me who got caught out.
He's told you now. I've told you in the past. Countless others have mentioned it.
It's your credit rating, your internet connection, your bank account, your reputation. Microsoft, Apple, or whatever flavour of Linux you use have to accept some responsibility for their mistakes, but sooner or later, we also have to take some responsibility ourselves and keep our home systems patched, use the (often free) security software you can get, and make an effort. Or if all you want to do is play games, just trade your computer in for something more appropriate.
But it doesn't happen to people like me anyway!
Nonsense. I've got a mailbox full of spam, phish and scams right here. It wouldn't happen if there were not people falling for it. And - if it helps - I'll admit I've fallen for a Phish email before now.
But I'm insured
Sure - checked the terms lately? Sure they include being ripped off on the Internet? Anything in there about taking due care and attention / appropriate precautions?
But I don't know how to protect myself!
Ok, this can be a fair point. So ask around, there are lots of places that offer help with securing your system. If you're a home user, you can get free AntiVirus from the likes of Grisoft and Alwil. You can get free spyware scanners like AdAware or Spybot Search and Destroy, and you can get help in lots of places (like Microsoft Communities) with putting these together and keeping your computer working well.
And you thought it was just Microsoft products that needed to be patched.
Apple have announced the release of update 10.4.8 for 10.4 users and Security Update 2006-006 for 10.3 users.
I don't normally bother posting such notices, but a couple of things here caught my eye, and I have to say that any OSX users reading this need to update to the appropriate patch level as a matter of extreme urgency.
CFNetwork
CVE-ID: CVE-2006-4390
Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated.
Description: Connections created using SSL are normally authenticated and encrypted. When encryption is implemented without authentication, malicious sites may be able to pose as trusted sites. In the case of Safari this may lead to the lock icon being displayed when the identity of a remote site cannot be trusted. This update addresses the issue by disallowing anonymous SSL connections by default. Credit to Adam Bryzak of Queensland University of Technology for reporting this issue.
Ouch. Seems like a big Phisherman's friend to me. After all, you don't need to supply a cert and the few users who know about SSL will be happy just to see the SSL lock appear. Hmmm. Any Mac using readers think their bank website looked a little odd when you were replying to their latest email?
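As an added illustration of the CFNetwork issue (this is my own example, not Apple's code or anything from the original post), the Python below audits a TLS client configuration for the same "encryption without authentication" gap: a context that accepts any peer sits beside one that requires a verified certificate and refuses anonymous cipher suites. The function names and the two sample contexts are assumptions of the example.

```python
from __future__ import annotations

import ssl


def anonymous_suites(ctx: ssl.SSLContext) -> list[str]:
    """Return negotiable cipher suites that never prove who the server is.

    Anonymous Diffie-Hellman suites (OpenSSL names ADH-* and AECDH-*) encrypt
    the session but skip peer authentication: exactly the case the advisory
    describes, where a lock icon could appear for an unverified site.
    """
    return [s["name"] for s in ctx.get_ciphers()
            if s["name"].startswith(("ADH-", "AECDH-"))]


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """List every way this context could treat an unverified peer as trusted."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the requested hostname")
    anon = anonymous_suites(ctx)
    if anon:
        findings.append("anonymous cipher suites negotiable: " + ", ".join(anon))
    return findings


def weak_context() -> ssl.SSLContext:
    """Pre-patch behaviour: encryption accepted with no proof of identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:!eNULL")     # ALL admits aNULL suites if the OpenSSL build ships them
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Post-patch policy: authenticated peers only, anonymous suites excluded."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check, system trust store
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```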
ImageIO
CVE-ID: CVE-2006-4391
Impact: Viewing a maliciously-crafted JPEG2000 image may lead to an application crash or arbitrary code execution
Description: By carefully crafting a corrupt JPEG2000 image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of JPEG2000 images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Saxton of Idle Loop Software Design for reporting this issue.
I'm fairly sure I've seen something akin to this somewhere else you know. Think Robert... think... Oh well, it'll come to me, I'm sure.
It's not all about Apple though. Seems Microsoft have a few interesting problems of their own, not to mention being accused of handling them in an interesting way. If you're an Apple MS Office user, note that the issues behind those links apply to you too and act accordingly. It takes a special kind of mistake to exist on five different versions of a piece of software over two totally different platforms.
I really hope the NIST story about Microsoft's handling of this is untrue, by the way. If it's true, it's a slap in the face for the AV community, which was in place long before Microsoft decided to muscle in.
It's a slap in the face for Windows users - aka Microsoft's entire customer base - punishing them for not buying AV with an unknown (at best) pedigree from Microsoft, and let's not forget, it undermines the security and reputation of Microsoft's own platform.
It makes no sense for it to be true (which of course didn't stop WGA being invented...).
Therefore it's either not true (or at least not the whole story) or it's an absolute disgrace, marking any claims of "trustworthy computing" as a joke and placing Microsoft's approach to security only a few steps above Sony's reputation for trustworthy music CDs that don't try to root your computer every time you listen to them. BTW, I'm still not buying Sony since that event. Neither should you.
So I finally got around to installing Vista RC1 and Office 2007 B2TR on my MacBook. I've got some great screenshots in the photo gallery, and it's looking quite good. There really is some kind of delicious irony in the Apple Mac being one of the best Vista test platforms that I've used. For anyone who is interested, here are some videos of UAC and Aero graphics in action on the Mac.
Vista installed easily enough using the latest beta of Boot Camp, and runs quite well indeed on a MacBook. About the only criticisms I can find so far are that the keyboard mappings could be better (but then any laptop keyboarding is a compromise), and that the Mac touchpad loses the Apple right-click ability (but then support for this was only just added in Boot Camp for XP), which is easily fixed by plugging in a mouse. I'm still not sure I actually like Vista, but at least if I'm forced to run it, I know that I can do so easily enough.
Everything seemed quite fast and responsive working with this system, both at the keyboard and over terminal services. Of course you might say "As well it ought to!" when you consider my system specs, but still, we've heard FUD about how every single computer on the planet will be rendered obsolete by Vista and in the face of that, it's nice to see that a computer that wasn't designed to run any version of Windows will quite happily turn out top notch performance with Vista.
Sorry, the website was broken and the video links didn't work earlier. Now fixed. Enjoy!
Yet again, it's the start of a new academic year where I work. We've done our best to get everything lined up and ready for the return of our lecturers and students. And mostly, we've managed.
A couple of things spring to mind: Software is supposed to be about ones and zeros. Binary. It either works or it don't. Why then, does some software appear to change its behaviour based on the phases of the moon?
Of course, that isn't really so. Software IS binary and WILL behave according to rules, and the appearance of random behaviour simply means that I haven't isolated the right variables. I'm quite aware of that. What I'd like to know is why the supplier of this software apparently isn't. I can't believe some of the stuff that gets sold into education, supposedly well tested and robust enough for a classroom environment. Frankly, I'm embarrassed to run some of this code, so I can't imagine the developers felt good about writing something that dodgy.
I don't want to name names. I've got better things to do than to fend off lawsuits, but I'm sure anyone working in UK education has probably narrowed it down to two or three major suppliers based on my gripe above.
On a more positive note, perhaps, hopefully most networks will have a stable bedrock this year as the major operating system suppliers haven't really done much since last summer. Right now it seems that everyone's waiting for Windows ME part 2 or for Apple's Leopard. In the meantime, the Linux developers are continuing to talk about how unique and special they are while ripping off the desktops from the two products I've already mentioned, and so it seems that this time next year, every window on every computer will be transparent, because people don't suffer enough eyestrain after spending 12 hours sat in front of a computer already.
Did I say that bit was going to be more positive? I'm such a cynic. But it isn't all bad. Apple are putting together a really nice desktop environment and I've been very impressed with their latest hardware and application releases. This year we replaced all our current Apple Macs with Intel Core Duo iMacs running the latest Final Cut Studio build, and very nice and fast it is too. We also opened up a whole new classroom set of Final Cut Studio equipped Macs, and with some fiddling the notes I've made on this blog about Apple Mac deployment also worked well for the Intel Macs.
I've also made a decision about my home computer arrangements. I've been a Microsoft MVP for servers and security for years now, and I hope they keep me around for a while longer yet, but as much as I like using the server based products, I'm becoming more and more dismayed about the direction Microsoft's home products are taking.
Therefore, once my current Windows desktop machine rolls over and dies and can't be repaired for a decent price, I'm going to replace it with an Apple, which will probably be set up to dual boot for the few things I still can't do in OS X that I can in Windows, but essentially my home will be an all-Apple solution as soon as it's feasible.