Showing posts with label security. Show all posts

Thursday, June 10, 2010

Mozilla Plugin Check Runs on Any Browser

I no longer use Firefox very much. But it doesn't seem that Mozilla holds a grudge. Mozilla's new Plugin Check will check your browser for outdated plugins, allowing you to head off potential security threats even if you are running a different browser. Mozilla, a class act in a world of squabbling children.

Thanks to security guru and all around paranoid freak Steve Gibson for the tip.

Friday, October 16, 2009

Firefox Gets Proactive

I don't use Firefox as much as I used to. Chrome is just so much faster that I almost invariably turn to it first. But Firefox's rich collection of add-ons is so useful that when I have time and feel like some random web surfing, I'll usually fire up both Firefox and Chrome and use them side by side.

Tonight when I fired up Firefox, I was confronted by this dialog box. A bit aggressive, no? Actually no. It turns out that Microsoft's Firefox add-ons expose Firefox users to malware attacks. I'd noticed this little piece of news this morning and by nightfall when I fired up Firefox, it was already uninstalling the Microsoft add-ons. That's a pretty fast turnaround time for cleaning up a problem which was only recently discovered.

Now if only Firefox could identify the add-ons that are slowing it down....

Tuesday, July 14, 2009

Exanotes—The Future of Cloud Computing?

I'm pretty happy with my Palm Pre but one of its shortcomings is in the Memos app. While it's a nice looking app, it is too simple, lacking such old-school PalmOS amenities as Categories or a List View. Worse yet, unlike the Pre's Contacts and Calendar, the Pre's Memos don't sync to anything. They are trapped on the Pre and cannot be edited on a desktop computer.

While I was able to import all of my old PalmOS memos into the Classic PalmOS emulator, again I have a situation where my memos are trapped because Classic cannot yet sync to anything. And since Classic cannot exchange cut and paste data with normal webOS apps, my memos are in a sense doubly trapped—inside Classic, semi-isolated from the rest of the Pre's data, and unable to sync with the outside world.

Today I stumbled on to an interesting web-app. Exanotes is a web-based note-taking service. While it does offer a clean, simple interface, what stood out for me is the fact that the service uses 256-bit AES encryption. Good encryption is one of the things which have been sorely lacking in "Cloud Computing" applications and may help assuage the fears of people who are worried about putting their data into the hands of a third-party website.

The author of the web service has stated that he wants to create a webOS app which syncs with the web service in the background. This would eliminate the need for a desktop client as any computer with a browser can be the desktop client for a user of this service and it will still be protected by the user's password (just don't click on the "Remember Me" check box if you are on somebody else's computer).

My only real concern regarding Exanotes is its scalability. Will it be able to support thousands or even millions of users trying to sync to it at the same time? Only time will be able to answer that question but for now I'm hopeful. Exanotes looks like what I want to hear when people talk about Cloud Computing and I hope it succeeds.

Exanotes might be worth checking out for people thinking of moving from a PDA to a smartphone.

Friday, July 10, 2009

Malware Goes Mobile


Two new stories by ZDNet caught my eye today. The first is a story about a piece of malware which attacks Symbian-based phones (most Nokia phones use some version of this operating system) by pretending to be a legitimate piece of third-party software and spreads through SMS messages. This was news to me as I didn't realize that mobile malware was so common (this was the latest of many Symbian viruses and differs from them only by being more transmissible). This is an unfortunate development arising from the fact that phones have gotten so much more powerful these days.

The second story interested me mainly because I recently wrote something about this. Basically, you had a group of websites which got flagged by Google as malicious because the advertising network which they use was flagged as potentially carrying malicious code. And ironically enough, the advertising network claims that their ads were clean and that only the website was attacked. Either way, it all adds up to a headache for everyone involved: users, website operators, and ad providers alike.

These stories caught my attention in part because they have become so commonplace. Our happy high-bandwidth Internet with its mobile access and fancy web apps is fun and exciting but it also creates new avenues for the bad guys to attack us.

Tuesday, June 23, 2009

Mozilla Fights XSS With CSP


H-online reports that Mozilla is implementing a new Content Security Policy (CSP) to guard Firefox against cross-site scripting attacks (PDF link). Cross-site scripting attacks, also known as XSS attacks, are a huge problem for today's web users. Basically XSS attacks take advantage of the fact that today's websites draw content from many different servers. You may be on one website but that website is displaying ads which run on Javascript code from an ad server run by another company. And that cute little widget that shows the time? It might also be running on code from yet another server owned by yet another company. And finally those embedded videos we love to watch on the web are all running with code from YouTube or some other large video website. Worse yet, each of those third-party servers may also be running third-party code themselves.

It all starts to sound like an AIDS awareness commercial from the '90s—when you browse on one website's server, you're browsing on every server that it has been in contact with. And indeed that is the result. A hacker can hack one website and spray malicious code all over the Internet, compromising millions of PCs with one attack.

While Firefox's NoScript extension includes protection against XSS attacks, it has plenty of problems of its own. For one thing, it has trouble telling bad third-party Javascript from good. Every time I click on the New Post link on my own blog, NoScript asks me to confirm because it thinks that it might be an XSS attack. Furthermore, the author of NoScript has been accused of whitelisting ad servers which place ads on the NoScript website and breaking extensions which try to block them anyway. While the author of NoScript has apologized for this behavior, it points to a potential problem with attempts to fight XSS attacks.

Mozilla's new policy also involves whitelisting known safe websites and probably holds the same potential for conflict of interest. But with the web becoming more interconnected all the time and with the rise of social networking, servers are swapping code all the time now and a system like the one which Mozilla is planning to implement will be necessary to stop malicious hackers using XSS to attack PCs.
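How an allowlist of this kind decides which scripts may run, as an added example that is not Mozilla's code or part of the original post: a simplified model of the `script-src` check, written in the later-standardized `Content-Security-Policy` header syntax. The policy, page origin and script URLs are constructed, and ports and paths in source expressions are not modelled.

```javascript
// Added example: simplified model of a CSP script-src allowlist decision.
// The policy, page origin and script URLs are constructed for illustration.

// Parse "name value value; name value" into a Map of directive -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first one wins
  }
  return policy;
}

const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)$/;

// Does one source expression match the script URL? Expressions with ports or
// paths are not modelled here and fail closed (no match).
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === page.origin;
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // e.g. "https:"
  const m = HOST_SOURCE.exec(e);
  if (!m) return false; // 'none', 'unsafe-inline' etc. never match a URL
  const [, scheme, host] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== page.protocol && url.protocol !== 'https:') {
    return false; // scheme-less host: the page's scheme, or an upgrade to https
  }
  // "*.example" covers subdomains only, not the bare domain itself.
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
}

// script is { src: "<url>" } for an external script or { inline: true }.
function scriptAllowed(header, pageOrigin, script) {
  const policy = parsePolicy(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts
  if (script.inline) {
    return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  }
  const page = new URL(pageOrigin);
  const url = new URL(script.src, page);
  return sources.some((s) => sourceMatches(s, url, page));
}

const POLICY =
  "default-src 'self'; script-src 'self' https://ads.example.net https://*.video.example";
const PAGE = 'https://blog.example';

const SAMPLES = [{ src: '/js/app.js' }, { src: 'https://evil.example/x.js' }, { inline: true }];
for (const s of SAMPLES) console.log(JSON.stringify(s), scriptAllowed(POLICY, PAGE, s));
```

Injected inline script and script from an unlisted host are both refused under this policy, which is what blunts XSS even when the injection itself succeeds.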

Sunday, May 24, 2009

Windows 7 Security

Steve Gibson's Security Now podcast does an extensive overview of Windows 7 security. Ever the curmudgeon, Steve insists that he'll wait a year to see how Windows 7 endures the inevitable flurry of attacks it will suffer once it's out but is impressed by the work that Microsoft has done in fixing the mistakes it made with Vista.

I for one am pretty happy with the Windows 7 Release Candidate. It's fast and fixes most of Vista's annoyances. I'm running it on two computers and plan to install it on a third....

Thursday, May 7, 2009

Windows 7 Exploit is a Blast From the Past


Geek.com reports on a "new" exploit found by F-Secure. I put the word new in quotes because it's really a very ancient exploit. I remember when the first scripting viruses came out, they took advantage of two features in Windows. The first was the newly introduced Windows Scripting Host which allowed users to create little files full of commands which would control Windows—in much the same way that DOS batch files control DOS. They also took advantage of the fact that Windows by default hides the extensions of most of the files on your computer. Typically you would receive an email message with an attachment which was supposed to be a picture or a document and was in fact a script full of malicious commands.

This was ten years ago. And this exploit is still possible. At least back then, it was possible to tell that a script was not a real document because Windows would give it an icon which differed from the normal icon it would assign to a real document. For example, a Word document would get a Word icon while a script with a fake .doc extension would get a Windows Scripting Host icon. Nowadays, it is more common to use an executable with a fake extension and a proper icon for the document that it purports to be. Of course it still has a second .exe extension which would normally be a dead giveaway save for the fact that Windows will by default hide that second extension, unwittingly helping you get hacked more easily.

Ten years. And Microsoft still won't fix this serious security problem because it supposedly makes your computer easier to use. One of the first things I do with a new computer is to open up the Computer (My Computer in XP and older versions of Windows) item and select Tools | Folder Options. Then I click on the View tab and uncheck everything that Microsoft normally hides. Pretty much everyone who knows even a little bit about computers should do this—it just makes sense.
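A check for the disguise described above, as an added example that is not from the original post: it reports what a file name looks like once the last extension is hidden and flags names whose real extension runs code while the visible one reads as a document. The extension lists and sample names are constructed for illustration.

```javascript
// Added example: find file names that read as documents once Windows hides
// the last extension. Extension lists and sample names are constructed.

const RUNS_CODE = new Set(['exe', 'scr', 'com', 'bat', 'cmd',   // executables
                           'vbs', 'vbe', 'js', 'jse', 'wsf']);  // Windows Script Host
const LOOKS_LIKE_DATA = new Set(['doc', 'docx', 'xls', 'xlsx', 'pdf', 'txt',
                                 'jpg', 'jpeg', 'png', 'gif']);

// Split "a.b.c" into ["a.b", "c"]; a leading or trailing dot means no extension.
function splitExtension(name) {
  const dot = name.lastIndexOf('.');
  if (dot <= 0 || dot === name.length - 1) return [name, ''];
  return [name.slice(0, dot), name.slice(dot + 1).toLowerCase()];
}

function inspectName(fileName) {
  const [shownName, realExt] = splitExtension(fileName);
  const [, decoyExt] = splitExtension(shownName);
  const runsCode = RUNS_CODE.has(realExt);
  let verdict = 'ok';
  if (runsCode) verdict = 'executable';
  if (runsCode && LOOKS_LIKE_DATA.has(decoyExt)) verdict = 'disguised';
  // shownName is what the user sees while extensions are hidden.
  return { fileName, shownName, realExt, verdict };
}

// Return only the entries a mail filter or file audit should hold back.
function flagDisguised(fileNames) {
  return fileNames.map(inspectName).filter((r) => r.verdict === 'disguised');
}

const SAMPLE_NAMES = [
  'holiday.jpg.exe',   // shown as "holiday.jpg"
  'Invoice.DOC.vbs',   // shown as "Invoice.DOC"
  'setup.exe',         // honest executable
  'notes.v2.txt',      // two dots, but the real type is text
  'archive.tar.gz',
];

for (const r of flagDisguised(SAMPLE_NAMES)) {
  console.log(`${r.fileName}: shown as "${r.shownName}", really .${r.realExt}`);
}
```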

Thursday, April 23, 2009

New Windows 7 Hack Sounds Familiar


A recent Engadget article on a supposedly "unfixable" hack devised for Windows 7 had me scratching my head a bit. While the article was short on details, it seemed to have a familiar ring to it. So I looked over GRC's archive of Security Now episodes and found the podcast entitled "Blue Pill." Blue Pill was a hack that attacked early Beta versions of Windows Vista running on AMD processors. It took advantage of a relatively new feature meant to support "virtualization" which, among other things, allows a computer to more easily run multiple operating systems at the same time. Good examples of this are programs like Parallels and VirtualBox which allow Mac users to run Windows. Blue Pill was a rootkit which, like this supposedly unfixable hack, installed itself at boot time and bypassed the hard drive.

In order to support virtualization technology, Windows Vista introduced a "hypervisor" to control the operating system. Blue Pill essentially set itself up as a hypervisor for Windows. This new hack is probably doing the same thing. Which probably points to the way that this unfixable hack will be fixed. Windows will need to be running its own hypervisor at boot time. Of course, most people assumed that this was what Windows would be doing ever since Blue Pill showed up. Oh well.

Thursday, November 13, 2008

Chrome: Is This Your Father's Web Browser?

A couple of months ago I set up a computer for an older couple who had never used a computer before. It was an old laptop with a busted hinge but it was in otherwise good condition and it was an easy matter of setting it up with an external monitor and wireless keyboard and mouse. Neither of them knew much about computers and they just wanted it for e-mail and web browsing—the same as most computer users these days.

When it came time to choose a web browser for the computer I wanted to steer them away from Internet Explorer. Besides being slow and bloated, IE is a magnet for hackers if for no other reason than the fact that it is installed on the vast majority of computers. So I installed Opera on the computer.

It seemed like a good choice at the time: Opera is small and fast—perfect for an old computer with only 512MB of RAM. Unfortunately, Yahoo! Mail didn't cooperate. Several days after setting up the computer, I began receiving calls about a problem between Yahoo Mail and Opera. For some reason it kept redirecting Opera from its Inbox to the log-on page. I never figured out exactly why this was happening. So I installed Chrome—Google's then new browser—on the computer and the older couple has been happily using it for e-mail and web browsing ever since.

Chrome hasn't made much noise since the week when it was launched. A lot of geeks (myself included) downloaded it, complained about a lack of features and possible privacy problems, and quickly went back to Firefox. But from my perspective setting up computers for people—many of them older—who really know nothing about computers and don't care about cookie handling or security.

For these people, Chrome's shortcomings suddenly turn into strengths. Chrome was designed from the ground up to run javascript so temperamental web applications like Yahoo! Mail are more likely to run properly on it. Chrome runs in the background quietly updating itself through Google's Updater application even when it is supposed to be "closed." While more tech-savvy and paranoid people see this as a potential privacy risk, for people who neither know nor care about security or privacy issues, this is an invaluable feature since their web browser always has the latest updates and patches. While there is no way to control how javascript and cookies behave on a site by site basis, people who lack computer savvy won't know how to use these features anyway, so for them relying on Google to handle these potential threats makes sense. It all comes down to how much you trust Google—maybe you and I don't always trust Google but most people don't care one way or the other. For them Google's web browser is just another program that they run on their computer.

So for confused newbies, Chrome's lack of features and minimalist interface are an advantage. Ironically enough, Chrome's name comes from the term used by web developers for the buttons, menus, and other widgets that constitute the browser's interface. But Chrome has very little "chrome" compared to other web browsers; just front, back, and reload buttons, a combination address/search bar, and a couple of hidden menus which are easy to ignore. It even tucks its tabs into its title bar which further reduces clutter. And while Google has talked about producing add-ons for Chrome, there are currently none available. There are no toolbars or extensions for Chrome. But then again, too many extensions can slow Firefox down and toolbars are frequently more trouble than they are worth for Internet Explorer users.

So if you are a tech-savvy nerd who has been wondering what Google was thinking when they put out Chrome, maybe they were thinking about your mom and dad.

Sunday, September 21, 2008

Google Evil? It's More (And Less) Likely Than You Think

Slashdot reports on a mistake by Google which resulted in an entire domain being blacklisted by Firefox, which uses Google's list of bad websites for its anti-phishing filter. The top comment on the website encapsulated an increasingly common reaction towards Google:

"In my mind giving this power to Google is the most objectionable thing related to the company. I know somebody who has had his legitimate business ruined because Google mistakenly added his site to this list. Why? Because it was hosted on the same physical server as a truly objectionable web site.

People need to stop childishly sneering at Windows users and take their focus away from Microsoft. The terrible Goliath is clearly Google now. Even when it's not being evil it causes trouble just by being *clumsy*."


Whether or not you agree with this sentiment, there is still an undeniable kernel of truth to it. Google is now more powerful than Microsoft, the traditional big, evil bogeyman of the computer industry. While Microsoft flails about trying to convince people that it is still relevant with weird ads, Google has quietly built an advertising and software empire which affects all of our lives. People instinctively use Google to search for information so much that the word has become a verb in popular culture. The ads on almost every website on the Internet are powered by Google. I personally use Google every day. I'm typing this blog post in Google's Chrome web browser and it will be posted on Google's Blogger website. And when I'm not at my computer, I still access Google on my cellphone. Clearly, Google is no longer the little company started by two graduate students at Stanford running on a computer made of Lego.

Because of this power, when Google makes a mistake, it affects people heavily. A couple of months ago, Google decided that I was a spammer and now I have to solve a CAPTCHA every time that I want to post something on my blog. Some of the twisted, mangled words that make up the CAPTCHAs can be surprisingly difficult to recognize. This can be discouraging at times and as a result, I'm posting a lot less these days. On the other hand, spam blogs are a very real problem and Google would be doing a poor job if it didn't try to do something to stop them from proliferating.

As Google continues to grow larger and more powerful, it is natural that people will grow to distrust it. And the consequences of mistakes at Google will become more serious. I doubt if Google will ever be as "evil" as Microsoft whose hardball tactics are notorious in the software industry and which has been fighting off federal anti-trust and patent infringement suits for almost a decade. But Google's actions whether good or evil now have a very direct effect on people and often that effect can be felt directly in the pocketbook. With all this at stake, it's natural that people are going to get upset at Google even as they continue to use its search engine and software every day—just like Microsoft.

Friday, July 25, 2008

You May Already Be Under Attack....

Slashdot has an interesting link to an article about the fact that malware authors have been targeting Blogger (which is the blogging engine that powers this blog along with millions of others) heavily. Since Blogger is owned by Google, this means that about 2% of all malware is hosted by Google. There are three big reasons for this:
  1. It is easy to automate setting up a blog on Blogger
  2. It is easy to set up Blogger to redirect links to another site
  3. Blogger is owned by Google so its blogs are automatically indexed by Google's search engine
As a result malware authors are drawn to Blogger and set up 16,000 malicious web pages every day—Google simply can't flag and delete these pages fast enough. It's an interesting phenomenon that is repeated over and over again. Call it the "Windows Effect"—a computer product or service becomes so popular that it becomes ubiquitous and it will inevitably be targeted and attacked by hackers. Just like Windows in general and Internet Explorer in particular have been (and still are) popular targets for hackers, now it's Google's turn. And it's not just Google either. MySpace and Facebook are also popular malware targets. Congratulations guys, you've been pulled into the same infamous club that Microsoft has been trying to kick and scream its way out of for years.

Sunday, July 13, 2008

Windows for Warships?

Slashdot links to a disturbing and slightly sensationalistic article about the many unconventional uses of Microsoft Windows. These days everything from ATMs to warships use an embedded version of Windows and a lot of people who hate Microsoft hate this fact. But ultimately, they do have a point. Windows is overkill for many of these situations and it's buggy enough that I can't help but wonder about what sort of mayhem can happen when someone hacks an ATM or worse yet, a US Navy "Smart Ship."

Wednesday, July 9, 2008

Old Palm Website Flagged "Bad" By Google

While browsing Palmaddicts, I came upon a link to an article at The Inquirer with a misleading headline suggesting that Google was pronouncing PalmOS utilities as dangerous to your computer. In fact, Google actually is referring to the hosting website as shown in this screenshot:



When you actually click on the "This site may harm your computer" link you get this page:


It's not too informative except for the final comment which explains that, "In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message." The first comment in the original Inquirer article gives us a better explanation than either Google or The Inquirer, pointing us to another Inquirer article. It seems that a few months ago, crackers began to take advantage of a flaw in Microsoft's SQL Server software which allows them to inject malicious code into web pages. Most webmasters have since fixed that problem but palmsource.com is actually an old website for PalmSource, the company which owns Garnet (the official name for version 5 of the Palm Operating System) and which was bought by ACCESS a couple of years ago. Since buying PalmSource, ACCESS has sold the Palm name back to Palm and is working to build a new operating system with a new name. So it appears that ACCESS never bothered to update their old website even after a serious exploit made it vulnerable to being hacked. This makes me wonder if ACCESS will approach their new OS with the same care.