Wednesday, April 24, 2013

Windows 7 stalls on ads from "reputable" companies

I still have problems with a few sites in a Windows 7 environment.  The notification bar will tell me that the computer is waiting for some connection (either an ad network or comment software) and the computer freezes.  If I press the trackbar (left side) repeatedly, the computer eventually unlocks, and shows recent clicks. 
This morning, it hung on the “Doubleclick” ad network at (Major League Baseball) and went into a loop displaying McDonald’s ads, which I didn’t even try to click on.  Both of these sites are reputable (even if some of McDonald’s fast food isn’t), so I still think it’s a Windows 7 problem.
The problem doesn’t recur until another restart is done.
Even Windows 8 will stall for a few seconds on a few sites with heavy advertising (Slate) once after bootup, but doesn’t need to have the trackbar pressed to unlock. 

Monday, April 22, 2013

Could computer-aided telepathy create security problems?

It may sound strange to discuss computer mediated telepathy on an Internet security blog, but the potential is there that someday, it could open new “opportunities” for hackers. 

Imagine changing the contents of a financial file in a bank just by “thinking” something.  Maybe it’s possible.  Maybe it would relate to the psychological makeup of the person.  Anxiety might actually intensify telepathy.
I had wondered about this idea some years ago, after companies put production files behind typical access restrictions even for most programmers, and also started introducing change control to guarantee source-load-module integrity.
The military is looking at it right now as a way to guarantee that soldiers would obey orders in the field.  Imagine this if a draft ever came back.  There is an article about it in the conservative-to-libertarian paper the Examiner, article by Suzanne Lebeouf, on DARPA and DIA’s work, link here

Wired had an article by Katie Drummond in 2009, link here

There’s a technical article on News Vine and Deep Thought, link here

Monday, April 15, 2013

Web hosting can complicate password management, use of https

Here’s another security anomaly.  A certain site, in Windows 8, if you enter the domain name into Google Chrome, takes you to the account manager page for the site under https for sign up, rather than the content page, because of the way it is set up by the ISP.  Also, with a password change, the password verifications internal to the site work immediately, but the basic sign on doesn’t take effect for 24 hours. 

Windows 7 (or Mac OS - Safari) doesn't seem to behave this way. Nor does Firefox or IE even in Windows 8. Just Chrome.
If the original site doesn’t have any user logon capability, then it really doesn’t need https, and there is no need for the browser to presume it (unless there is concern that someone could monitor the visitor’s surfing habits, but that’s a whole different area, “do not track”).  

Tuesday, April 09, 2013

On a new Windows 8 laptop, two companies have a "beef" with Webroot, by accident

I had a couple of anomalies today with a new Toshiba Windows 8 Satellite laptop.
I did purchase the Webroot Secure Anywhere product.

I found, on the taskbar today, an application called “WildTangent Games”.  I thought it was Webroot, which has a similar icon (both use green W's).  It came up and asked me to accept the license for a gaming platform that I have never used.  The link for Wild Tangent is (website url) here.
It does get green ratings from major site rating companies. 

I don’t know what trademark law says about similar notification icons pinned on a taskbar.  I’ll look into this for the trademark blog later.  It would seem that some app ought to be developed to help users recognize them. Different colors could help.  (But then some people are colorblind.)

In the picture above, the green "W" on the left represents WildTangent; the "W" on the right represents W.  By the way, a red curly "W" represents the Washington Nationals MLB  baseball team.  I go to Nats games. (MLB is very jealous of its trademarks, too.)   If you look very closely, you can see the word "games" in the WildTangent icon.

I also don't know how Wild Tangent got pinned as a notification icon.  Security scans show no problems.  Perhaps it is there somewhere and I hit the app somewhere on the Start screen.  The Satellite laptop does not have a touch-sensitive screen like a tablet version does.

Also, I downloaded Chrome without incident.  I have not yet used my Google account on the machine. But when I went into it to browse, it listed apps that had been disabled for faster access, and Webroot was one of them. I quickly enabled it.  But no browser should disable a security application from a recognized vendor.  This can be a significant, if unintended, browser security hole that some users might overlook.  
I welcome comments (monitored) on these matters.  There should be no confusion about a security product on a new machine. 
Microsoft did a major security update on the machine today.  It seemed to take about an hour to download even on high speed Comcast, and it took about 20 minutes for the configuration step to finish on shutdown before the restart.  Again, I thought BestBuy had brought all the updates up to date.  It seems like it hadn’t if the installation of so many updates was necessary. 

The major use for the new laptop will be book production (one non-fiction, one fiction, as I've discussed on my main blog).   Music and film will remain on the MacBook, although as a 2011 machine it seems a little outmoded already.  Is there a good film-editing program for Windows 8? 

This new machine is very fast with most apps and Internet access.  

Saturday, April 06, 2013

Moral responsibility for software security should rest with vendors

On Friday, April 5, Marc Maiffret offered an essay in the New York Times, p. A23, “Closing the door on hackers”, link here.
Maiffret says that the main problem is that software vendors don’t try hard enough to make their products secure.  Instead, the government and authorities are constantly warning users and employees that it is their responsibility not to get infected or duped by swindles.  In a few cases, users have been held criminally liable for malware (or perhaps child pornography) which winds up on their machines, or associates have been fired. The "moral" justification for this viewpoint has to do with asymmetry.

Microsoft (“Microslop” – remember the days of Windows Me?) has reformed its priorities, but too many other companies have too much incentive to offer more gadgetry that invites security problems.  The article is particularly critical of Adobe (for PDF and Flash vulnerabilities, from overloading) and Oracle (for Java, whose holes are so serious that attackers can take over home machines using it sometimes).

Tuesday, April 02, 2013

Java still said to be risky for users despite many patches; bizarre restarts from Comcast, related to DDOS?

The Hacker News maintains that Java-enabled browsers are still very vulnerable, despite multiple patches from Oracle, with a brief story (website url) here.    What’s not so clear from the article is whether most of the exposure comes from the fact that most users don’t have the latest versions or patches.
Also, the article notes that Java does not have to be unsafe.  It’s not clear what that means.  Is this a matter of applications avoiding “unsafe code”, an issue often taught with other languages like C#?

The HNews also maintains that the Spamhaus DDOS last week nearly “broke the Internet” and was the largest ever.  In my own use, Wells Fargo was down for one afternoon, and I noticed several slowdowns on Comcast, with a need for a sudden modem restart.  One restart happened as McAfee Site Advisor blinked on an ordinarily green television station site, then suddenly the modem restarted itself.

Maybe these incidents are related to the DDOS.

The Oracle story was tweeted by Webroot recently.

Update: April 7

From 2002 to 2006, I had a website with a company called "javastarter" where I tried to play with putting things on a database.  I found that major ISPs even then didn't like to offer Java because of security problems. (They mostly encourage php.)  This company was OK for a while but started becoming erratic and failed in the summer of 2006.