XP may not be as bad as it sounds

Patrick Gray and Darren Pauli of The Register blasted the continued use of XP on Risky Business last week.

But I think their criticism is based on an assumption that may not be correct.

Don’t run unknown executables for a dollar. And PLEASE don’t for a penny!

I can’t bribe my preschooler with a penny anymore, but, sadly, a consortium of Carnegie Mellon University, NIST and Penn State University found that 22% of respondents through Amazon’s Mechanical Turk were willing to run a dodgy unknown executable in return for a penny. Fifty-eight percent would do it for 50 cents, and 64 percent would do it for a dollar.

I’ve been telling people for 17 years not to take executable files from strangers. I know the percentage of people who will bend down to pick up a penny off the ground when they see one is less than 22%, so this saddens me.

A Comcastic-ally bad idea

If you haven’t heard about it, Comcast has plans to build a wifi network for its subscribers, on the back of its other subscribers’ routers. What’s worse is it’s an opt-out service. If you don’t hear about it and say something, you’re a hotspot for any other Comcast customer who happens to wander by.

I’m not a Comcast customer. I’m in Charter territory, and I’m not a Charter customer either. But I have so many problems with this it’s hard to know where to begin, so I sure hope other ISPs don’t copy this.

Some tips for trolling fake technical support calls

I did a little more digging after getting yet another fake technical support phone call last week, and I’ve done some thinking on my own. If you want to troll these criminals when they call you, here are some ideas.

Curious conspiracies… or maybe just progress all at once

In the wake of Truecrypt’s sudden implosion, someone sent me a link to this curious blog post. I can see why many people might find the timing interesting, but there are a number of details this particular blog post doesn’t get correct, and it actually spends most of its time talking about stuff that has little or nothing to do with Truecrypt.

What’s unclear to me is whether he’s trying to say the industry is deliberately sabotaging Truecrypt, or if he’s simply trying to make a list of things that are making life difficult for Truecrypt. His post bothers me a lot less if it’s just a laundry list of challenges, but either way, the inaccuracies remain.

The browser tradeoff

I probably ought to know better than to venture into the topic of web browsers by now, but since I stepped into it Friday, I guess there’s no point in staying in the shallow end.

The problem with web browsers is that they all require you to trade one thing for another, and if anything, that’s more true today than it ever has been before.

Mr. Genius Man from “Windows Technical Support” gets nasty

I got another “Windows Technical Support” call on Friday evening. My caller ID said Minneapolis, and since I have coworkers in Minneapolis, I answered. But the guy on the other end was a long way from Minneapolis and probably doesn’t know diddly about ice hockey.

I’m pretty sure it was the same criminal as last time, but over a better VOIP connection. I remember the voice pretty well, because his parting lines from last time, “Enjoy your broken computer, Mr. Genius Man!” struck me as funny. And he started the conversation with, “I’m calling you again about your Windows 7 computer.”

My conversation with him revealed a few things about why this scam is likely to be profitable.


Steve Gibson on Truecrypt

Dan Bowman sent me this link to Steve Gibson’s analysis of Truecrypt, a suddenly dear departed piece of full disk encryption software.

The important thing to remember right now is that we still don’t know what’s going on.

Johns Hopkins cryptography professor Matthew Green is heading up an effort to audit the Truecrypt code. Last month he said the code could be of higher quality, but at that point he hadn’t found anything truly horrible in there either.

That said, his analysis of the cryptography itself is phase 2. Cryptography is notoriously difficult to do–even when cryptography is your specialty, you can get it wrong.

So it’s premature to declare Truecrypt 7.1 as the greatest piece of software ever written. Green did find some flaws that need to be fixed. As far as we know, right now Truecrypt is better than nothing, but the most important part of Green’s work isn’t finished yet. Green has said he is going to finish his audit of the code. He probably won’t find perfection. He may find a fatal flaw that makes it all come crashing down. More likely, he’ll find something in between. But until those findings come out, it’s all speculation.

Truecrypt’s license allowed someone else to come along, take the existing code, act on Green’s findings, and make it better. It’s called Veracrypt. But going open source doesn’t guarantee people will work on it.

Gibson’s page on Truecrypt is a good reference page, but his cheerleading is premature. Gibson is a talented software developer in his own right, but cryptography isn’t his specialty. At the company where I work, we use Truecrypt for some things, and until we know otherwise we are going to continue to use it, but we haven’t made any final decisions on it yet.

Update: Here’s an analysis by Mark Piper, a penetration tester by trade, who explains the history and the issues today.

Chrome and EMET

A week or two ago, Chrome quit working–I would launch it, and EMET would give me a message that it detected Caller Mitigation. It turns out that particular setting isn’t compatible with Chrome 35 and up.

The fix is easy. Launch EMET, click “Apps,” scroll down to Chrome, and uncheck the 10th item from the left.

Google doesn’t recommend EMET because Chrome already does most of the things that EMET forces, and the EMET mitigations that Chrome lacks can be bypassed. To me, that doesn’t make them worthless. They filter out the unsophisticated attackers. And if you force the advanced adversary to make the attack more complex, there’s a greater chance of the attacker being caught. Security isn’t about preventing everything–you can’t–but you can raise the stakes.

That’s why I disabled Caller Mitigation and keep EMET enabled on Chrome.exe.

I also saw this week that Google is working on a 64-bit version of Chrome for Windows. Finally! Once it comes out of beta, that’s something I’ll be installing. That may be what makes me change allegiances from Firefox.

Truecrypt and collateral damage

Last week, the free full-disk encryption program Truecrypt was abruptly discontinued, for reasons that made no sense, with equally nonsensical recommendations about substitute products to use.

There’s speculation that the creators of Truecrypt received a National Security Letter, but can’t say anything about it. Right now we have to take it as a rumor–it’s bad if governments are cracking down on encryption, but we’ll save that discussion for another day, when we know whether they actually are. Let’s talk instead about why you need encryption if you own a computer, just like you need locks on your front door.
