SECURITY BITS: And then Dropbox has been leaking passwords. What’s next?

Hi,

We’ve had to deal with one security breach after the other lately. Bash, Target, Home Depot, Heartbleed and others. We also know that Dropbox is not the service you would choose for your most sensitive data because of the one-key-for-all issue. And today we got to know it got worse: Login information has leaked through a third party application connected to Dropbox, you know, one of those services that you have to approve when it tries to access and work with your Dropbox. This one has been stealing passwords. More here:

 

Hundreds of Dropbox accounts compromised via third party service

 

Change your password! How many times have we heard that lately? Far too many!

Linux for work? Not Arch.

Hi,

I wanted to test some software I work with on Arch Linux to see how it runs on this bleeding edge rolling Linux distribution. So I did an Arch install which was a bit more complicated than I’m used to but didn’t take much time. It was fun to have the latest (but not greatest, I found out) of everything from desktop environment through kernel to applications. But I soon ran into trouble. To be able to run the software I was testing I needed older versions of a couple of libraries. Not old, just a little older than bleeding edge, and I had to fiddle around to be able to install those. I got it working and started testing the application. While doing this I used the computer like I normally do. I connected to my network and needed an HP printer to work. That was not easy! There were all these little problems I am not used to having to deal with on Linux these days. And since I was actually working I simply didn’t have time for that kind of thing anymore. Gone are the days where I spent my weekends on getting printing and wireless to work on Linux. These days I just need it to work. Now. Right now!

I started looking at Arch forums for solutions and if I did this that and the other I might get things to work. The Arch Wiki is also an incredible source of information if you have the time to read it. The geek in me was interested in the challenge, but I had work to do and simply couldn’t spend it on this.

As soon as I had confirmed that the software I was testing ran and worked on Arch I was back on Ubuntu GNOME which is my platform of choice. And I must say it was a relief. No thrill, no bleeding edge, but nothing I needed to fix, chat about or read forum threads to figure out. I guess my point is that Arch Linux is a fun distribution, but it requires your attention and a lot of what I do not have these days, time! It was exciting working on a rolling distribution with updates almost every day and a new kernel a few minutes after Linus has released it. But for work, no go. However, I am pleased to notice that there are Linux flavors out there that you can install and get work done on in 30 minutes. It all just works. Even printers and scanners are detected and set up in seconds and it’s easy to connect to networks directly from the file manager.

So if you are a Linux thrill seeker, go Arch. If you, like me, need work done, something like Ubuntu or Mint is the way to go. At least based on my recent experience. I know that there are many who would disagree with me, but so be it. I’m sure that if I spent time on it I could live with Arch, but I’m just not into that kind of thing anymore.

 

 

From Skype to Viber?

I have been looking for an alternative to Skype for some time. Being a Linux user I do not trust that Microsoft will keep up the development pace on the platform. Well, they haven’t done so and the Linux Skype client lags behind other platforms. Not that Skype doesn’t work, but I would like to find a solid independent solution. Could Viber be it? On paper it has what I need: Voice and video calling capabilities, solid IM features and is available both for my phone and (Linux) desktop.

We are now at Viber v 4 and I found that it’s not an untested novel solution at all. If you decide to hook up with Viber you will share the network with more than 300 million registered users. I was surprised by the sheer amount of people using Viber but wondered if it would work for me.

The first thing I found out is that if you don’t have Viber’s smartphone app, then you can’t use its desktop app. Not a problem for me who wants them both. Signing up was a breeze but requires a phone number to tie your account to. Installing on Linux was not easy since the installer for my distribution is rough around the edges and installs the application in an odd location on your system which causes some issues. I will not get into detail here since the Viber devs have promised improvements in this regard. But I got it installed and it works and is well integrated into my desktop environment.

Once installed on your PC, you can use Viber to make voice calls to other Viber users, send a text message, share pictures, or make a video call. You can also transfer calls between mobile devices and the desktop. If you start chatting with a friend using your laptop, you can quickly switch to Viber on your smartphone or vice versa. The problem is both users need to have a newer version of Viber for call transfers to work, so you may have to wait for your friends to update their apps before you can use this feature. I’ve had the same issue with Skype where certain features haven’t worked for me being on the lagging Linux release.

Now to the important part. Call quality, and it is incredibly good with Viber on my phone, and the desktop app brings that same experience. Video calling was fine too offering about the same image quality as Skype.

The desktop app is pretty barebones and relies heavily on the mobile side of the service which is fine with me. I need to be able to place calls, do IM and transfer files. It all works very well. I have also signed up for the Viber Out service which lets me place calls to mobile and landline phone subscribers. The prices are a little bit lower than the comparable SkypeOut service and has been working very reliably although I haven’t used it that much.

One limitation as far as the desktop client goes is that I can’t add new contacts. That I have to do from the phone. It doesn’t bother me since I always have my phone with me when I work on my PC so I haven’t missed this feature and wasn’t aware of it until a friend pointed it out to me. I’m sure this functionality will be added at some point for the desktop client.

At the end of the day the reason I use, and in this case write about, Viber is the call quality. It’s better than anything else I’ve tried. I can be on my phone and speak to people in another country and it sounds like a local call. In fact, I have been able to use Viber for calls I only could do by expensive long distance using my carrier network. On wi-fi, the call quality is phenomenal. There are also very few dropped calls and less of the digital distortion and echo often found when using Skype and even Google Talk.

I really like Viber and hope it will continue to grow. Who doesn’t like to see a successful mobile service from Belarus? 🙂

I like that they are not tied to a tech behemoth like Skype is to Microsoft who will use the platform to push their own services and keep development on competing platforms lagging. 

If you’re interested go to: www.viber.com     

Wearable gadgets anyone?

Hi,

 

My phone is with me all day. I use it for a lot of things like mail, IM, photography, news and social networks. Oh, and I make calls with it also! 🙂

Over the last couple of years we’ve heard and seen the wearable gadgets being taken to market. It’s something you wear, most often on your wrist as a watch (remember those?) showing time while it’s connected to your phone showing whatever is thought to be useful to put on a tiny-tiny screen instead of on your phone’s small screen. A pretty stupid concept, or so I thought until I got a Pebble Smart Watch as a gift. I said nicely thank you and put it in a drawer. I was later going to do some traveling and thought I would try the thing. I charged it and bluetoothed it to my Android phone. So now it was showing time and weather. I added some apps. Cool! Now it could be used for navigation, show incoming e-mail/IM/SMS, high and low tide, World Cup scores, and was also connected to MyTracks which I use when I hike and bike. Cooler still!

It’s now a couple of months later and the thing is stuck to my wrist. Since it can vibrate it offers the perfect alarm in the morning. A ‘brrrrrt’ on my wrist does the trick instead of noise. Eureka! How can I go back to sound alarms? I can’t. I won’t! 🙂

So just like when I swore I would never own a smartphone and was wrong I seem to have been wrong again. This is the only wearable gadget I’ve tried so maybe I was lucky getting to know a good specimen? But I now think the wearable gadgets are here to stay. At least the Pebble has been staying on me for more time than most gadgets I’ve tried over the last few years. Very cool! 🙂

Anyone here using wearable gadgets and/or have views on them in general?

Browser plug-ins and extensions. The backdoor to your data and an enemy to privacy.

Over the years web browsers have become much more secure. All modern browsers are now pretty well protected against most types of attacks and fixes are released promptly after a new vulnerability is discovered. Browser vendors like Google even offer cash prizes to those who report security holes in their Chrome browser.

So where do we find most of the threats against browser users today? Anyone remember the Flashback trojan which infected over 600,000 Macs? How did it infect them? The Java plug-in was called from a web page and loaded a special Java applet that exploited a bug, gaining access to the system. And how is Java connected to your browser? It runs as a so-called plug-in which most often is installed separately but with access to the browser itself through a plugin API. Nothing the browser vendor does can circumvent the fact that this access to the user can represent a threat, and a threat that can only be identified and fixed by whoever wrote and published the plug-in or extension.

Now picture a browser with multiple plug-ins – Java, Flash, PDF reader, QuickTime, Silverlight and a bunch of extensions you can easily pick up and install, and you’ll see just how much plug-ins and extensions increase your so-called attack surface. While browser vendors are under heavy scrutiny to write secure code, plug-in and extension developers do not seem to be put through the motions in the same way, and many of them have mediocre security records (to put it nicely).

The great thing about compromising a plug-in or extension is that you can target multiple platforms in one go. Compromise Flash and you have a barn door open into a bunch of browsers and the platform they run on, and you can wreak a lot of havoc before it’s discovered, *if* it is discovered that is.

Plug-ins and extensions lag behind browsers as far as security goes and their often frequent automatic updates add to the threat they represent. Some of these buggers are updated as often as once a month, making it really difficult to keep track of development and security implications. In most cases frequent updates are a good thing, making sure bugs are fixed and security is increased, but with plug-ins and extensions it also complicates matters and makes it hard for the user to know where they are at as far as security goes. Most people think that as long as their plug-ins and extensions are installed through a familiar trusted vendor like Google or Mozilla they will be safe and do not pay much attention to the security risk. This is not the case.

You don’t have to look very long and hard to find studies about how big a problem browser plug-ins and extensions are. A 2011 study found that 94% of Adobe Shockwave, 70% of Java, 65% of Adobe Reader, and 42% of QuickTime installations in the enterprise were out-of-date. Although very frequent updates are a threat in themselves, keeping old versions around for too long is even worse. You simply can’t win.

Some will claim that browser plug-ins and even extensions should be on their way out. Plug-ins are still often necessary (Flash and Adobe) but companies like Google and Mozilla are working on solutions that would make many of them obsolete. The old plug-in APIs are also being phased out. As for extensions, they are still very much alive and kicking and being put out there by anyone who can put together some pieces of code and thinks they have found a need they would like to fulfill. There are also those who would like to see a browser that does it all without needing to expose the user to the threat plug-ins and extensions represent. Personally I would welcome such a browser, but for the extension addicts it may be a step back, but one worth taking if you care about your security and privacy.

 

Atom. The new and different editor from GitHub.

GitHub now has their own editor and have named it Atom. As a side note it’s being described as “web native”. What does that mean? To put it simply, it’s built on top of web browser technologies, namely Chromium (which Chrome is built on). More on that below.

The fact that GitHub now has a new code editor is what has attracted most interest, but the real news is how this editor was conceived and designed.

Since GitHub is hosting code in the cloud it would be obvious that their editor was somewhat cloud based and/or a web app of some sort. There are plenty of such editors, like Orion and CodePen. But what GitHub created is completely different. It’s not a browser hosted web app. Although a lot of the implementation is HTML/JavaScript based it doesn’t run in a browser. GitHub found that web app based editors had some limitations from a security standpoint: they are restricted in accessing the local file system and can’t run local subprocesses.

So what did they do?

They took the source code of Chromium, the open source browser that Chrome is based on, and customized it to work with the Atom web app. Put simply they have removed all of the security features built into the browser and this allows Atom to access anything it needs to. From the user’s point of view this is a very strange situation because they are running a web app but they have to download a special desktop application to run it! And a hefty download it is. Around 50 MB, but who cares about such things these days anyway?

The advantage of this approach is that the web app part of the system can be continuously updated and it has all of the interactive qualities of a web app but without the security restrictions mentioned above. As the Atom blog points out it also solves the problem of browser compatibility:

“Another great thing about writing code for Atom is the guarantee that it’s running on the newest version of Chromium. That means we can ignore issues like browser compatibility and polyfills. We can use all the web’s shiny features of tomorrow, today.”

The disadvantage is that the user has to download a special desktop app and can’t just move to another machine to work without downloading and installing the app. As I see it, minor.

Atom can currently run on the most popular OSes: Windows, OS X and even Linux (some distributions).

The editor looks great and has the look and feel of Sublime Text. This is probably not a coincidence. It seems like GitHub has aimed at offering a free version of this popular programmer’s editor. And according to many who write code they are very close to being successful in this regard.

If you like to use an advanced text editor and want something different and new you should most definitely take a look at Atom. Yes, you will be downloading a complete web browser to run it, but who cares as long as you get your job done in an elegant and well functioning shiny new editor called Atom! Get it here:

Atom.io

 

 

 

 

 

 

Browsers on Linux.

As a long time Linux user, finding a good and stable web browser has always been important. I used Opera for Linux since v. 7 and was happy with it up to v 12.x. It was my browser, e-mail client and even Usenet news and IRC client. I could do it all in Opera. Then Opera started lagging behind and I was looking for other options. The two obvious ones were Google Chrome and Firefox. Firefox as the default browser on most major Linux distributions was first of course and I used it for a while without problems. Then Adobe was dropping Flash for Linux and I started having problems with certain Flash based content. I decided to try Chromium and also Chrome and it ended up becoming my new default browser. After some time I ended up on Chrome since Chromium also had Flash problems while Chrome has its own Pepper Flash implementation making sure you always have the latest version available. Chrome worked very well on Linux and synced without problem between computers and to my Android phone.

Then after a trivial Chrome update the browser stopped working. And since a browser is a piece of software that needs to work all the time I freaked out and went Firefox again but soon got stuck on a site that needed the latest and greatest Flash which Firefox couldn’t offer. I looked for a solution and found a way to get Pepper Flash from Chrome to work in Firefox through a wrapper application. But I still had problems with sites that detected the wrapper and wouldn’t play. Now what? It turned out that the non-working Chrome was fixed after a few days and I could return to my preferred browser.

I had been reading about Google’s Aura graphics stack which replaced GTK+ on Linux, and got it whether I wanted it or not with a recent update. I use Gnome-Shell and was going to install a couple of extensions to my desktop, but no, that didn’t work anymore in Chrome with Aura. Back to Firefox to do that and it works. I then thought I would simply use Firefox again for a while but found out that I for some reason do not have full hardware acceleration working with my graphics card. It turns out it is because Firefox blacklists computers with dual graphics cards like mine has even if one of them has been disabled. In Chrome I have full hardware acceleration, but can’t install Gnome-Shell extensions. 

Finding the perfect browser on Linux has been nearly impossible since I left Opera 12.x, and I’m pretty sure it will continue to be a matter of small compromises until one browser vendor gets it right, or a new shiny browser comes along supporting Linux perfectly. I’m not sure what is most likely to happen.

 

Turn your ASUS router into something great with a little bit of Merlin’s magic!

A while back I needed a new router for my home network. I found that an ASUS RT-N66U would fit the bill both feature and cost wise. It’s a great piece of home network hardware that works reliably providing Internet access throughout my house.

I got to know the router’s web based configuration interface and started looking around for information on how to set it all up for best performance, security and reliability. That’s when I stumbled upon an alternative firmware for newer ASUS routers. It’s called ASUSWRT-Merlin and is developed by ‘Merlin’ based on stock ASUS firmware.

The primary goals for this firmware project are fixing bugs and adding a few new basic features and tweaks to the original firmware. This firmware will try to remain as close as possible to the original. If you want something with tons of new features and are experienced in flashing alternative firmware onto devices you may want to look elsewhere. But if you prefer something as close as possible to the manufacturer’s firmware that is easy to install and set up, then this is for you (and me).

The ASUSWRT-Merlin firmware expands the original manufacturer’s code. In some cases it fixes bugs, sometimes completes features, and sometimes adds features not present in ASUS’ firmware. ASUS has even provided Merlin with beta code to test and work with. So the underlying code in ASUSWRT-Merlin is still ASUS’, which should be reassuring for those who don’t want to stray too far off the beaten track.

Merlin’s firmware provides the following changes over the original firmware:

– WakeOnLan web interface (with user-entered preset targets)

– JFFS persistent partition

– User scripts executed at init, services startup, WAN up, firewall up and shutdown.

– SSHD (through dropbear)

– OUI (MAC address) lookup if you click on a MAC on the Client list (ported from DD-WRT)

– Saving your traffic history to disk (USB or JFFS)

– Displaying monthly traffic history

– Cron jobs

– Monitor your router’s temperature (under Administration -> Performance Tuning)

– Display active/tracked network connections

– Allows tweaking TCP/UDP connection tracking timeouts

– Various bugfixes: crash issues related to VPN, etc…

– Layer7 and cifs kernel modules added

– Optional user-settings for the WAN DHCP client (required by some ISPs)

– Description field added to DHCP reservation entries

– Dual WAN support (RT-N66U, RT-AC66U)

– Disk spindown after user-configurable inactivity timeout

– System info summary page

– Wireless client IP, hostname, rate and rssi on the Wireless Log page

– OpenVPN client and server.

– Customized config files for router services

– LED control – put your Dark Knight in Stealth Mode by turning off all LEDs

– Option to force your router in becoming the SMB master browser.

– DNS filtering (OpenDNS etc.)

I do not use all of these and some I do not even know how to use, but others have been really helpful like DNS filtering for parental control and the VPN client.

The ASUSWRT-Merlin firmware adds a lot of value to ASUS’ stock firmware. The main focus on bug-fixing provides improved stability. And his selective approach to feature addition doesn’t put that improved stability at risk by possibly introducing new bugs along with features.

If you own a newer ASUS router you should really try this. Don’t let having to flash firmware onto your router scare you. It is very easy through a web interface and has never caused me any problems. And if you do not like it, it’s easy to go back to the stock firmware from ASUS. Merlin is providing frequent updates fixing bugs and sometimes adding or improving a feature. And in the user forum there’s always someone who can help if you should need it.

You’ll find all the information you need on ASUSWRT-Merlin here:

http://forums.smallnetbuilder.com/forumdisplay.php?f=42 

 

Why do we need browser extensions?

Over the years I’ve gotten used to browser extensions and have a few I consider part of my typical browser install. Without them I feel less productive and the experience of browsing the web is not complete. The extensions I use are for ad-blocking, password management and on-the-fly image manipulation like hover-zoom. I also use one for session management and one for URL shortening. There’s been others also but I am now down to a set of five extensions I use all the time. 

I’ve been asking myself why do I need these extensions? The answer is simple: The browsers available lack important features, and more and more so after the extensions concept got widely adopted. The browser vendors create a slim, feature-poor browser and rely on the user to fill in the blanks with extensions. There are problems related to this:

— Poorly written extensions causing instability and crashes.

— Extensions interfering with each other or with the browser itself slowing it down.

— Extensions compromising security of the browser.

Lately the security aspect of extensions has reached the news since there have been stories of people getting accounts on services like LinkedIn compromised by malicious extensions. This has made me rethink how I would like my web browser to be developed and work. I would like to see the browser return to when its design goal was to offer all the features you need for secure and convenient web access. An advanced password manager is obvious, and there are other features that I would like to see back in a web browser where they once belonged. I remember back in the day when my browser had all I need. It was fast, finely tuned to my liking and secure. There are many browsers to choose from these days but the full featured super-fast and feature-rich web browser is no longer there. I am hoping that will change at some point.
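The attack-surface point made here and in the plug-in post above can be measured per extension. The following is an added example, not part of the original posts: it reads Chrome-style `manifest.json` files and ranks extensions by how much access they declare. The sample manifests are constructed, the score weights are illustrative assumptions, and the `<id>/<version>/manifest.json` directory layout is assumed to match a Chrome profile's Extensions folder.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Chrome API permissions that expose sessions, credentials or browsing data.
SENSITIVE_APIS = {
    "cookies": "can read session cookies",
    "webRequest": "can observe network requests",
    "webRequestBlocking": "can modify or block requests",
    "history": "can read browsing history",
    "tabs": "can read URLs and titles of open tabs",
    "nativeMessaging": "can talk to programs outside the browser",
    "debugger": "can attach a debugger to any tab",
    "clipboardRead": "can read the clipboard",
    "management": "can manage other extensions",
    "proxy": "can reroute browser traffic",
}
RISKY = BROAD_HOSTS | set(SENSITIVE_APIS)


def strings(items):
    """Keep string entries only; some manifests carry object-valued entries."""
    return {p for p in items if isinstance(p, str)}


def audit_manifest(manifest):
    """Return (name, score, findings). Score weights are illustrative."""
    # Manifest V2 mixes host patterns and API names in 'permissions';
    # Manifest V3 moves host patterns to 'host_permissions'.
    declared = strings(manifest.get("permissions", [])) | strings(
        manifest.get("host_permissions", []))
    optional = strings(manifest.get("optional_permissions", [])) | strings(
        manifest.get("optional_host_permissions", []))
    findings, score = [], 0
    if declared & BROAD_HOSTS:
        findings.append("host access to all sites")
        score += 3
    for api in sorted(declared & set(SENSITIVE_APIS)):
        findings.append(f"{api}: {SENSITIVE_APIS[api]}")
        score += 2
    if any(strings(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every page")
        score += 3
    if optional & RISKY:
        findings.append("may request broad access later (optional permissions)")
        score += 1
    # 'name' may be a localisation placeholder such as __MSG_appName__.
    return manifest.get("name", "<unnamed>"), score, findings


def audit_profile(ext_dir):
    """Audit <ext_dir>/<id>/<version>/manifest.json files, riskiest first."""
    results = []
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        if isinstance(manifest, dict):
            results.append(audit_manifest(manifest))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed manifests, modelled on the extension types the post mentions.
SAMPLES = [
    {"manifest_version": 2, "name": "Example Image Zoom (constructed)",
     "permissions": ["tabs", "cookies", "<all_urls>"],
     "content_scripts": [{"matches": ["*://*/*"], "js": ["zoom.js"]}]},
    {"manifest_version": 3, "name": "Example URL Shortener (constructed)",
     "permissions": ["activeTab", "clipboardWrite"]},
]

if __name__ == "__main__":
    for name, score, findings in sorted(map(audit_manifest, SAMPLES),
                                        key=lambda r: -r[1]):
        print(f"{score:2d}  {name}")
        for finding in findings:
            print(f"      - {finding}")
```

To check a real installation, pass the profile's Extensions directory to `audit_profile`; a high score means broad declared access and a reason to review the extension, not proof that it is malicious.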

 

 

Google Now

The most profound piece of technology I discovered in 2013 was Google Now. It is a service on my Android phone which keeps track of me. Literally! It pops up my appointments and tells me before I leave how traffic is on my normal route to the kids’ school and work. It also pops up news stories that are presumed relevant to me based on my search patterns and use of services like YouTube, Google Music and Video. On top of that it knows how far I have walked, biked and run, giving me stats at the end of the month nicely packaged with graphs and bars. Incredible! Google Now starts out as something not very useful and learns as you go, getting more and more to the point and accurate the longer it is being used. It is also voice controlled to an extent I have never experienced. It really understands what I am saying and gives me the results I want. I can say “I want to go home” and it directs me home, commenting on unusual traffic and giving me the weather and important news as I go.

But then there’s the dark side to all of this. I am not giving Google any more information about myself than I otherwise would. Google knows all these things already. What happens here is that it is all put together, painting a picture of who I am, what I do, when I do it and often why. And if a service like Google Now can be so accurate with regards to what I am doing and where I am doing it all the time, someone else could access it and have me pictured spot on. Advertisers must love this technology and I’m pretty sure NSA is drooling over it also unless they are already using it. Sad thing is that I have somewhat given up on protecting my privacy as far as Google goes. It’s just too convenient and addictive having your life gathered and organized like Google Now is able to. We need an alternative though, but who could do it? I do not have the answer to that but hope that something will come along in 2014 which can indicate other ways to go, give us other options. Right now the only other option is pulling the plug on Google and pretending you do not need them. I can do that, but right now I do not even want to, comforting myself with the fact that no one would be interested in my boring where- and whatabouts anyway.

 

Happy New Year!