Posts Tagged ‘security’

Storing Data in the Cloud Has Drawbacks

January 7, 2010

See http://arstechnica.com/tech-policy/news/2010/01/ftc-reminds-us-that-storing-data-in-the-cloud-has-drawbacks.ars

Really!

It’s not news to an old-timer like me who’s suspicious of all Internet services – especially “free” ones. See for example the posts on Google Public DNS and Google Wave. In the latter I list (most of) the Google services I use.

The US Federal Trade Commission (FTC) document is at http://fjallfoss.fcc.gov/ecfs/document/view?id=7020352132.

Of course, as no less a person than Eric Schmidt says:

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

That statement gave me the chills – but it is also a wake-up call to users worldwide. The amplification he gave is factually correct.

“But if you really need that kind of privacy, the reality is that search engines, including Google, do retain this information for some time. And […] we’re all subject, in the US, to the Patriot Act, and it is possible that that information could be made available to the authorities.”

His apparent assumption that people only require privacy if they are doing something scandalous or illegal is mind-boggling.

There are two types of information that I will keep in the cloud:

  1. Encrypted information where I hold the key.
  2. Information that I don’t mind if it gets plastered over the front pages of the New York Times and the Bangkok Post.

Anything else is held in encrypted storage using a tool that I trust: TrueCrypt.

WordPress Annoyance – Embedded Slide Shows

November 10, 2009

I use Picasa Web to store a lot of my pictures. Many times I want to include them in a post in this blog. It is easy to link to pictures or to an entire album.

For example, here’s a link to some photos I took last year of the band at SuanLum Night Bazaar in Bangkok:

Suan-Lum Night Bazaar, Bangkok

But Picasa Web has another feature: you can embed a live Flash slide show of an album in your blog. I wanted to do this for some pictures of Bang Sue Railway Station.

Picasa Web makes it as easy as possible with a screen that includes code you copy and paste into the HTML view of the post you’re writing.

It gives you some options for size, auto play and whether to include captions.


PicasaWeb Slide Show Embed

But WordPress.com does not permit that. You can paste the HTML into your page but the WordPress preprocessor strips it out without even a warning.


Similarly I tried embedding a search tool for aviation photos from the well-known site Airliners.net. But WordPress would not allow it. I’m surprised they trust me enough to embed simple links in my blog.

I know why WordPress.com does it. They want to be safe for both blog authors and viewers. There are so many cases of people using such embedding tools to distribute malware. I bet it even happens that an innocent blog author has been persuaded to embed something bad in her blog with disastrous consequences.

And of course WordPress.com is free so any bad person can sign up.

But still it is annoying for the huge majority of bloggers who are just trying to share information from one site to another. It’s sad when one big company (WordPress) cannot find a way to trust content and tools provided by another (Picasa Web is of course from Google). Surely they could work together to ensure that what I’ve embedded is a valid slide show?

Strange Firefox Errors

October 19, 2009

Most of the time Mozilla Firefox is a very reliable and fast web browser. So I was very surprised to see this error dialog box pop up on my screen.

Firefox Addons May Be Causing Problems

I don’t know what the Windows Presentation Foundation is and I have never knowingly installed it. It sounds like a Microsoft product. I clicked on the “More Information” link and got something even more confusing:

This Connection is Untrusted

This seems to be some sort of localization failure. I think I told Firefox (or maybe Windows XP) that I use British English. So it was having trouble checking access to the GB version of mozilla.com. That’s Firefox’s own maker!

The warnings were ambiguous but worrying so I decided to take the “Get me out of here!” option. I feared it could have been some fiendishly clever spoofing attack and en-gb.www.mozilla.com is a bad site. It does look like a strange address.

I tried “More Information” a second time with the same result.

I restarted Firefox as it requested to disable the Windows Presentation Foundation and everything seems to be working okay.

Another proof, as if more was needed, that computers in general and PCs in particular are far too complex. Why did Firefox need a secure http (https) connection to show me that information in the first place?

Security Pros Are Focused on the Wrong Threats – Bits Blog – NYTimes.com

September 16, 2009

Security Pros Are Focused on the Wrong Threats – Bits Blog – NYTimes.com.

It’s endless! Not only do PC users have to handle constant operating system updates from Microsoft. Now the bad guys are focusing more on ancillary software that everyone has like Adobe PDF Reader and Flash. I seem to get at least one update a week from some type of software – and I try to run a very lean machine.

It is amazing to me that after many years of development these programs are not rock solid. They are backed by large companies with (we hope) the best developers and unlimited resources.

I think part of the problem comes from the features that companies are constantly adding. Originally the PDF Reader was just that – a program to read documents no matter what software produced them. But the companies had to make enhancements to make the documents “active”. They can go out to the web and update information, they can access my computer and so on.

Most people do not need or use those features. All I want to do is read documents that people have published. I don’t want it to do anything clever.

Same for Flash Movies. There’s a limit to the amount of damage a bad Flash movie can do if it is just running in a window on my computer showing me an animated demo or something. But no, Adobe had to make it “active”. Now it is a programming environment with all the attendant challenges and vulnerabilities.

I am a simple user but I have a computer that can do a lot of damage to others if it gets infected with a virus or worm. It can perform a lot of processing and communicating without me noticing. I need the computing horsepower for Photoshop and Lightroom but it is easy to subvert.

If I were Adobe I would distribute a rock solid “Lite” version of the PDF Reader and Flash Player. It would display documents and animations but that’s it. If users need the bells and whistles they can pay for a Pro version. I bet most of the bells and whistles are for corporate users anyway.

The Lite version would be stable – no more enhancements, ever. It will be a bit boring but I would know I can trust it.

The only development they will do is the minimum to support new hardware. But before it is released it should be tested to the same standards as mission critical software like flight or nuclear powerplant control.

Then Adobe will have an income stream from the Pro version and maybe more of an incentive to make them solid. As it is, it's way too easy to fix a problem by doing yet another point release and asking users to download it.

In my day (a Mister Fredrickson phrase) it was very expensive to update software with bug fixes. They had to be distributed to customers on a tape. Thus we designed software conservatively and tested the heck out of it before releasing, as we knew bug fixes would be very expensive. I think we had the mindset that critical bugs were a firing offence.

The ease with which the Internet enables update distribution is a two-edged sword. I think it encourages developers and testers to let their end-users do the testing.

I don’t want to single Adobe out for criticism. I am tired of weekly updates to Mozilla Firefox too. Each one is touted as the safest most secure browser available. You said that last week! And the week before!

Firefox 3.5.2 Update - 4th September 2009

Note how I have to be concerned about my browser extensions and themes too – not just the browser. They all come from different vendors.

Firefox 3.5.3 Update - 9th September 2009

I’d like a rock solid web browser too. One that just displays web pages circa 2002 and does not purport to be yet another “platform”.

(Full disclosure: I think my software development career went downhill after I agreed to work on platforms rather than useful applications, so maybe I am biased.)

I guess one problem is that too many bright programmers are working for the bad guys and not for the boring corporations that make the applications they attack.

Back to Adobe. It is interesting that their major applications like Photoshop and Lightroom are on a much slower update cycle. Maybe once every six months. It seems to be a different world for those development teams.

China Scales Back Plans for Software Filter – NYTimes.com

August 14, 2009

China Scales Back Plans for Software Filter – NYTimes.com.

I wrote back in June about the Chinese Government’s order to manufacturers to put “Green Dam/Youth Escort” software on every computer sold in the country.

Now the authorities have backed off.

The industry and information technology minister, Li Yizhong, said the notion that the program would be required on every new computer was “a misunderstanding” spawned by poorly written regulations.

I guess some low level heads rolled for that, perhaps in the group that built the dam software.

I don’t think we have heard the last of this. Many governments would love to have such mandatory software on every PC that they could control and update at will. I bet the government is re-grouping and will introduce the regulation in less of a rush with software that is well designed and implemented.

I don’t doubt that Western companies will be willing to assist for the right money, just as the network equipment vendors do in creating the “Great Firewall of China”.

Already Microsoft and others download megabytes of updates onto my PC every month. “For security reasons” they don’t give me a full explanation of what the updates do. It’s a huge temptation for the software vendors and worrying for users.

You Need …

August 9, 2009

Here’s another message that annoys me every time I see it:

You Need ... !

No I don’t need to at all. The designers of Yahoo Mail want me to do something.

I have needs like air, water and food. They are things I cannot live without. I can live without typing my password, thank you very much.

LR2Blog

August 6, 2009

It got too tiring having to re-enter three pieces of information each time I used LR2/Blog (see my post on the issue here). I purposely chose a difficult-to-guess password so I have to go to Password Safe (great little tool) to retrieve it.

Tim hasn’t updated it recently, despite his pleas for feedback and claims for “rapid development”.

I find it is easier to export the picture I need from Lightroom and “pull” it from the WordPress “insert image” tool rather than “pushing” it from Lightroom.

The tool does not save metadata for the pictures I uploaded, unlike Jeff Friedl’s export plugins. So I add a keyword “BKKphotographer” to each picture that I upload to this, my only, blog.

I’m disappointed Tim hasn’t kept developing the plugin. Maybe he’s been diverted to other projects. Plus it’s the summer holiday season in the Northern Hemisphere.

I am sure there is a market for this plugin and if he was as creative as Jeff Friedl it would be fantastic. I wish Jeff would create an alternative. It looks like he has got loads of reusable components – he could probably make one in an evening.

<rant>

While I am grumbling, one thing that annoys me is how software always hides the password you enter with asterisks or dots. I know it is a defence against shoulder surfing. But I don’t have that vulnerability at home. It’s far easier for me, a cackhanded two-finger typist, to see what I am typing.

I read somewhere a reference to a study that indicated that this password hiding is overall a detriment to security. This is because users tend to use shorter, easier to guess passwords if they cannot see what they are typing.

Makes sense to me.

</rant>

(I’m not writing for Wikipedia – I don’t have to provide references to reliable data sources for my assertions!)