Tuesday, January 16, 2018

Trend Micro website safety ratings -- some questions (controversial news site rated "Dangerous")


I am noticing some confusion in Trend Micro’s website safety ratings.

The Site Safety Centeuses the color Blue for untested and gray for Dangerous.  (I know, quoting Milo.)  But in actual practice, if a site gives a gray circle with a question mark it means untested.
I find that Trend slips between green and gray on my two newer Wordpress sites (“billsmediacommentary” and “billsnewscommentary”).  I think that this is because Blue Host treats these as “addons” and Trend’s scripts have trouble navigating addons.  If I convert to subdomains (which I would have to do for https anyway) these problems go away, but that is a complicated and difficult and potentially disruptive conversion effort.  (The "Is it safe?" comes from the dentist scene of "Marathon Man".)

There is a discussion site yabberz which Trend rates as red (“Dangerous”, like Milo's book) and will not let me open. I haven’t tried it on the Mac.  Norton rates Yabberz as safe.   I have sent a Twitter message to Trend to ask them why this rating, A Facebook friend is writing on it. Does controversial content matter?  I hope not.  There could be issues with the site is navigated.
  
Website safety ratings could become more critical for publishers to remain connected after the rolling back of network neutrality.

Tuesday, January 09, 2018

"Typosquatting" scams


Here’s a risk I’ve mentioned before, “typosquatting”, as NBC News explained last night. 

The most common result is “scareware” where a site takes over your browser and freezes a Windows machine, and demands you call and pay them. This happened one time with “nbcbews.com”.  The cure is to power off the machine, power it back on and bring it up, and then when you go to the browser, click “No” on restoring it. 


“Https” doesn’t seem to stop the scam. 
  
Most major sites register common and deliberate misspellings of their names.  Legally, these are trademark infringements, but it would be impractical for companies to go after overseas (often Russian) offenders.  North Korea might even be trying this now. 

Monday, January 08, 2018

More on "https everywhere" (for me, at least; what I have found out so far)


Following up on my earlier post on doing https everywhere on all my blogs, I did a chat session with BlueHost today.

What I have found so far can be summarized in these two links:

With addons, you can have only one SSL certificate per hosting account, as I was told in early 2016.  

That is still true now

This one explains the differences between addons, parked domains, and subdomains. The information on this link is very critical.

The addon concept does not seem to keep the internal structure of the addon as a subdomain of the primary. A “WHOIS” at domaintools on one of my addons (like “billsmediacommentary.com”) does not mention that the site has an “owner” (“billsmediareviews.com”) so apparently this does not fit the meaning of a subdomain in the normal sense of SSL.

It would seem desirable to be able to equate a parked domain to a subdomain (so that the user doesn’t have to go to it) but I don’t see any statement that this is possible.
  
Another Bluehost link indicates that you can purchase a Postive Wildcard SSL for subdomains. 

Here is a discussion of how the subdomain concept applies at Godaddy.  

At this point, it would appear that if had been set up with addons, you would need to do a “conversion” of the addons to subdomains, which would require setting them up and copying the content from the addons after installs of Wordpress to each subdomain.  I haven’t had a phone call with tech yet on this (just chat), but putting this all together and “connecting the dots” this is how it looks.  You would have to write script (or have a tech write one or supply one) to do the copies.  I don’t know what that would cost.   There may be tools on the cpanel that enable this.

In the past, the need for SSL did not seem acute for sites that did not require user logon, and people could use Paypal or other platforms without requiring storing of consumer PII to process payments. The addon idea that only one domain needed https sounded reasonable. Today, the politics seems to be changing.  Https is seen as a sign of professionalism and that you “belong” online and can be taken seriously, and that you respect the vulnerabilities of some of your readers (especially overseas).  Telecom companies could eventually insist on this as net neutrality goes away, as could website safety ratings.  Yet, the concern seems somewhat political.
  
Most major newspaper sites have gone to https for all content.  Broadcast media is mixed. NBC and CBS news sites have gone to it, but CNN, Fox, and ABC have not yet.  But the “climate change” on this issue seems real. 

Update: Jan. 9

Here's a start on how you copy a Wordpress blog from a root site to a new subdomain.  You need to be comfortable with the plugins and have some knowledge of Wordpress internals, it seems.


Friday, January 05, 2018

Anti-virus vendors, PC manufacturers have to cooperate with Microsoft to fix Meltdown, Spectre; users confused; mainstream media coverage is shallow and misleading


Trend Micro has provided instructions to its customers on how to receive the Microsoft “Project Zero” (Meltdown and Spectre) patches, at this link. 
  
But Microsoft Knowledge Base KB4072699 advises customers that the automatic update is offered only to consumers whose security products that have a particular registry key patch.
Judging from these two posts, it appears that Trend is releasing updates that will set this key, and after that the Microsoft automated update will be offered.
Users of computers other than Microsoft Surface will need to get firmware updates from their hardware vendors, also.  Generally these can be installed in any order.

Users can attempt to do the patch manually on their own, but the posts above don’t show enough information for users who don’t already know how to code Windows 10 Internals. 

Users should check the status of their Internet Security product.  The very act of checking when connected to the Internet for sufficient time may cause the registry key to be updated properly within the anti-virus product automatically (may require one extra restart before doing the Microsoft update).

Zdnet has a comprehensive explanation here.

Peter Bright has an explanation here on Ars Technica. 
  
Google’s own Blogspot discussion.

Update:  Jan. 16

Here's a master story on both Meltdown and Spectre from the source.

Here's a story on how Daniel Gruss hacked his own computer in finding the defect. Like Magnus Carlsen, he rather looks like a model. 

Wednesday, January 03, 2018

"Project Zero" security vulnerability in Intel chip may (or may not) require software fixes that slow things down


Milo Yiannopoulos is including security news on his “Dangerous” newsletter.  Today he has a story about a security vulnerability ("Project Zero") in the Intel chip which requires an extensive software fix.  Microsoft is supposed to issue it the week of January 9.


The story by Ian Miles Cheong is here.

However Intel responds as follows.Maybe we don’t need the update yet.
  
Google Project Zero has a complicated reply which suggests that the exposure to home users would be insignificant.

US Cert in Pittsburgh has this description. (Meltdown and Spectre Side-Channel Vulnerability) 

AMD has a story here.
  
But I first got this news from “Dangerous” Milo!

Tuesday, December 26, 2017

Mapping out a tentative plan to make all my sites https (if realistic)


In early January 2018, I will look into the possibility of making my remaining sites https.
  
Bluehost now has a link on the issue.  What I don’t know yet is whether this can be applied to more than one domain on one account (with addons).  In the past only one account could be https.   Here is a clue to how it might work that I found.  It sounds like this would have to be planned carefully (dealing with possible internal server errors), and would take time and labor. 


Electronic Frontier Foundation has a link on this issue, but I have not yet looked into how it would apply in my situation. 
  
Electronic Frontier Foundation has a product with a trade name “https-everywhere” which you can install in some browsers, link. But I don’t know how this affects access to all sites.

Google would need to weigh in on the issue of https for “Blogger” blogs linked to domain names. 

Google however has weighed in on the desirability of making all sites (not just those requiring log-in or doing transactions and passing or storing PII) https.   So I would expect to see progress on this question soon. 
  
Search engines are starting to prefer https. I can tell that now by noticing results on searches I do often. 

I’ve had some issues on my old legacy flat-html site doaskdotell.com with IIS permissions leading to 503 errors.  I don’t see a direct connection to https but the errors could come as an automated way for IIS to shut down a DDOS attack within an application pool in a shared hosting provider (story). I will look into whether to get SSL for this in January.    
  
Furthermore, in an era without net neutrality, we could face a day when telecom providers will screen out domains that don’t have https.  That would at least make economic sense, to me at least. 
  
One interesting issue for me is that my two providers (BlueHost and Verio) now belong to Esurance, the same owner (check Wikipedia).  Maybe there could be some savings by consolidating onto one of them. But again, could mean a lot of work. 

Monday, December 18, 2017

Be careful about the mechanics of how Twitter private messages work on your iPhone


I had an occasion tonight where someone sent me a direct message on Twitter.  I was in a MacDonalds and tried to reply on the iPhone.  Twitter converted it into a public tweet and chopped it at 140 characters.   I had to delete the tweet and send the message again when I could get to a regular laptop.
  
If you leave your normal tweets public, be wary of how it works on an iPhone (6 in my case) if you want to respond to a private message.  It may not remain private.  The Twitter direct message is supposed to be more like email than a public post (not quite like Snapchat).
  

At least my account survived the supposed “Twitter Purge” today.