What to look for in a cheap laptop in late 2014

So the sales fliers for the 2014 Christmas shopping season are out, and I’m seeing tons of cheap laptops. If you only have $200 to spend, they have something for you.

Some of them look like they’re even worth having. Yes, I’m shocked too. Here’s how to figure out which ones are worth taking home, and which ones are best left for some other sucker. Whether you’re shopping for yourself or someone else, you’ll probably want to keep the following in mind.

Chrome goes 64-bit

Google released a stable 64-bit Chrome today for Windows. You can download it from the main page by selecting the Windows 64-bit build. It upgrades cleanly over the 32-bit version.

It’s really fast but not always pretty.

The difference an SSD makes

Back in the spring I bought a used computer. My wife wanted one, and while I probably could have cobbled something together for her, I didn’t have any extra Windows 7 licenses. So I bought a home-built Pentium D-based machine with Windows 7 on it from an estate sale for $70. The Windows license is worth that, so it was like getting the hardware for free.

When I got the hardware home to really examine it, it turned out not to be quite as nice as I initially thought. It was a fairly early Socket 775 board, so it used DDR RAM and had an AGP slot, limiting its upgrade options. The system ran OK, but not great, and it was loud.

The hard drive was a 160 GB Western Digital IDE drive built in 2003. That’s an impressive run, but a drive that old isn’t a good choice for everyday use. It’s at the end of its life expectancy and it’s not going to be fast. This weekend I got around to replacing it with an SSD.

How to fix Firefox–really

I’ve been having problems with Firefox for a while now–crashes and other odd behavior. I’ve put up with it for a while, but I shouldn’t have to. It turns out the fix is very easy, but non-obvious.

Mozilla’s documentation is abysmal. When you move stuff around for no reason, change your docs to reflect the move, so people can find what you’re talking about. Or better yet, leave well enough alone.

If you actually want to fix the problem, don’t fiddle with the menus. Do this:

  • Type about:troubleshooting in the address bar
  • Click “Reset Firefox” in the upper right corner

Curious conspiracies… or maybe just progress all at once

In the wake of Truecrypt’s sudden implosion, someone sent me a link to this curious blog post. I can see why many people might find the timing interesting, but there are a number of details this particular blog post doesn’t get correct, and it actually spends most of its time talking about stuff that has little or nothing to do with Truecrypt.

What’s unclear to me is whether he’s trying to say the industry is deliberately sabotaging Truecrypt, or if he’s simply trying to make a list of things that are making life difficult for Truecrypt. His post bothers me a lot less if it’s just a laundry list of challenges, but either way, the inaccuracies remain.

The browser tradeoff

I probably ought to know better than to venture into the topic of web browsers by now, but since I stepped into it Friday, I guess there’s no point in staying in the shallow end.

The problem with web browsers is that they all require you to trade one thing for another, and if anything, that’s more true today than it ever has been before.

Chrome and EMET

A week or two ago, Chrome quit working–I would launch it, and EMET would give me a message that it detected Caller Mitigation. It turns out that particular setting isn’t compatible with Chrome 35 and up.

The fix is easy. Launch EMET, click “Apps,” scroll down to Chrome, and uncheck the 10th item from the left.

Google doesn’t recommend EMET because Chrome already does most of the things that EMET forces, and the EMET mitigations that Chrome lacks can be bypassed. To me, that doesn’t make them worthless. It filters out the unsophisticated attackers. And if you force the advanced adversary to make the attack more complex, there’s a greater chance of the attack being caught. Security isn’t about preventing everything–you can’t–but you can raise the stakes.

That’s why I disabled Caller Mitigation and keep EMET enabled on Chrome.exe.

I also saw this week that Google is working on a 64-bit version of Chrome for Windows. Finally! Once it comes out of beta, that’s something I’ll be installing. That may be what makes me change allegiances from Firefox.

Takeaways from Patrick Gray’s AusCERT coverage

I’ve been listening to Patrick Gray’s coverage of the AusCERT security conference, and I walked away with two major takeaways, one for security professionals and one for everyone.

Everyone first: Use SSL (https) everywhere you possibly can. Generate superfluous https traffic if you can.

Network professionals: Block as much UDP at the firewall as you can.

Read on for more.

Windows XP gets its first forever-day

This week Microsoft disclosed a critical 0-day flaw in Internet Explorer. Microsoft is considering an out-of-band patch, but regardless of when the patch gets released, no Windows XP patch will be coming, except for the companies and governments who are paying a large fee for end-of-life support.

This was about 20 days later than some people estimated, but now it’s happened. The mitigation is to run EMET. But in the long term, getting to a new version of Windows is the only viable option. You can do this on the cheap if you need to.

While we’re talking about browsers, Chrome has the most CVEs associated with it, making it numerically the least secure of the browsers, but they have the fastest time to patch, by far, so the numbers are very deceiving. So using Chrome isn’t a bad choice, especially on XP where Internet Explorer is out of date and forever EOL.

How to patch less

One of my former supervisors now works for a security vendor. He told me the other day that someone asked him, “Does your company have anything so I don’t have to patch anymore?”

The answer, of course, is that there’s nothing that gets you out of ever having to patch anymore. To some degree you can mitigate, but there’s no longer any such thing as a completely friendly network. The reasoning that you’re behind a firewall doesn’t work anymore. On corporate networks, there’s always something hostile roaming around behind the firewall, and you have to protect against it. If you’re on a home network with just a computer and a router, your computer and router attack each other from time to time. That’s the hostile world we live in right now. Patching is one of the fundamental things you have to do to keep those attacks from being successful.

That said, there are things you can do to patch less.