Truecrypt and collateral damage

Dave Farquhar security

Last week, the free full-disk encryption program Truecrypt was abruptly discontinued, for reasons that made no sense, and making equally nonsensical recommendations about substitute products to use.

There’s speculation that the creators of Truecrypt received a National Security Letter, but can’t say anything about it. Right now we have to take it as a rumor–it’s bad if governments are cracking down on encryption, but we’ll save that discussion for another day, when we know whether they actually are. Let’s talk instead about why you need encryption if you own a computer, just like you need locks on your front door.

Read more

Windows XP rises from the dead… accidentally

Dave Farquhar security, Windows ,

I’ve been hearing predictions for a year that after Windows XP went out of support, it would only be a matter of time before people started backporting patches to it.

As it turns out, they don’t have to. Windows XP has a close relative, Windows Embedded, that doesn’t go out of support until 2019. The people who are fretting over XP-based ATMs and cash registers don’t realize many of those devices–those built in 2009 or later–are running Windows Embedded. It looks just like XP, works just like XP, and installs a lot like XP, but it’s still supported. The bigger question is whether the people running it are patching it, but that problem has existed ever since Microsoft released Windows Update.

Well, with a simple registry hack, it’s possible to make Windows XP look like Windows Embedded and keep getting updates. Microsoft quickly issued a statement, and some people are predicting Microsoft will quickly close that loophole.

I’m not so sure about that. Read more

Firefox memory high? It might be Adblock Plus

Dave Farquhar Uncategorized ,

Last week, a great deal of discussion about ad blocking and its effect on memory usage took place. This makes a lot of sense, and explains why my memory usage has always been really high.

I’m not sure there’s a lot you can do about it. One of these days I’m going to get around to standing up a pfsense box, which, among other things, can serve as a web cache and block ads for an entire network. My family has enough machines to justify that, and, given that security is what I do for a living, it’s something I need to be experimenting with anyway.

Takeaways from Patrick Gray’s AusCERT coverage

Dave Farquhar security , , , , ,

I’ve been listening to Patrick Gray’s coverage of the AusCERT security conference, and I walked away with two major takeaways, one for security professionals and one for everyone.

Everyone first: Use SSL (https) everywhere you possibly can. Generate superfluous https traffic if you can.

Network professionals: Block as much UDP at the firewall as you can.

Read on for more. Read more

Web browser plugins you need to uninstall now–even if you have a Mac

Dave Farquhar security , ,

I’ve been seeing a lot of news this week about web browser plugins getting exploited to plant malware on computer systems. A lot of people know to keep Flash up to date, and to keep Java up to date or uninstall it–at least I hope so by now–but there are two targets that people generally forget about: Shockwave and Silverlight.

Because so many people have them installed and don’t know it, and therefore never update them, they are ripe targets for attack. Read more

The danger of conspiracy theories

Dave Farquhar Uncategorized

It seems like a hundred years ago, but in 1996, I briefly infiltrated a group of conspiracy theorists–“sovereign citizens”–and wrote a few news stories and an analysis piece about them. They quit speaking to me after the first one was published, and I received threatening phone calls at the newsroom.

The group was newsworthy because it was causing a lot of problems for officials in that town, but we struck gold. Another reporter in the newsroom was a Marine–there are no former Marines–and when he saw the ringleader’s claim he was a retired Marine colonel, he made some phone calls. This “colonel” turned out to only be a low-level enlisted. (There are two tracks in the military: officers and enlisted. A colonel is the rank below a general–a big deal. This guy was probably a common infantryman, and probably wasn’t in very long.) When I printed this finding, he lost credibility. If he was lying about his rank, what else was he lying about?

This movement fizzled out after a couple of years, but this and other movements like it are back again. Read more

Happy birthday, Rubik’s Cube!

Dave Farquhar 1980s , , , , , , , ,
Happy birthday, Rubik’s Cube!

Rubik’s Cube turned 40 this week. In a reflection of how much faster the world moves today than it used to, I remember Rubik’s Cube from the early 1980s, when it was a big, national craze. I had no idea at the time that it was invented in 1974 and took six years to reach the U.S. market. I asked for one for Christmas in 1981, and so did everyone else I knew. We all got one. And none of us could solve it. Granted, some of that may have been because we were in grade school, and the early years at that. My best friend’s older sister, who was in sixth grade or so, had a book, and she could solve it with the book’s help.

It was even the subject of a short-lived Saturday morning cartoon. I only watched it once or twice. It turns out it’s not easy to make engaging stories about a six-sided puzzle. There were tons of cheap knockoffs out there too, but unlike the knockoffs of today which are generally regarded as better, the 1980s knockoffs were generally worse. After a year or three, the craze died down. We moved in 1983, and I don’t remember anyone in our new town talking about Rubik’s Cube. Mine ended up in a drawer. I’ve looked for it a few times over the years, but never found it. Read more

How to write reviews without getting sued

Dave Farquhar Uncategorized , , , ,

In a well publicized incident that happened earlier this month, someone who wrote a bad review on Amazon about a cheap router got threatened with a lawsuit by the router’s distributor, Mediabridge. Amazon retaliated by banning the distributor from selling on Amazon. But unfortunately, this means we have to think about how to write reviews without getting sued.

By the time this happened, the review was no longer on Amazon, so all I’ve heard about the review is secondhand. Ars Technica published this guide to writing reviews without getting sued (link removed in retaliation for Conde Nast’s 11/3/2025 layoffs–sorry not sorry) and I think it’s good advice, but of course, having written dozens, if not hundreds of reviews myself, I feel inclined to elaborate. I actually value online reviews by people who bought the product and tried to use it. I value them a lot, so I want people to write reviews, and not be afraid to do it. And since I went to school for this stuff, hopefully I can say something helpful. Read more