Pavlov Scope

Heise online has a nice article on some of the technical details of the flaw if you are a concerned Mac user. But, to summarize, the problem is that Safari automatically executes certain file types designated as “safe” by default. Examples of these include ZIP files, documents, images, video, etc. However, Lehn has found that shell scripts (a kind high-level operating system programming function) will automatically execute if a specific qualifying line is omitted from the file. This is bad, because shell scripts are very powerful and can do things like delete or manipulate files, call other programs, etc. and a clever hacker could easily find a way to infiltrate a Mac OS X computer using these scripts.

Additionally, if the script file is disguised as an image file (etc.), it could be used on a web page and automatically rendered by the Safari browser to run. This remote execution is the crux of the severity assigned to this flaw and is very similar to the flaw found in December 2005 in Windows Metafiles (WMF) during the New Year’s time frame.

Mac users have yet to hear from Apple on this flaw and a fix has yet to be published. The vulnerability has been confirmed on fully patched systems running Safari 2.0.3 (417.8), Mail 2.0.5 (746/746.2), and Mac OS X 10.4.5.

How to protect yourself in the meantime

• Temporarily disable the “Open safe files after downloading” option in Safari until a fix is released from Apple and applied to your system.

• Do not open files or mail attachments from unknown or untrusted senders.

I will update this entry once Apple has posted a fix or if new information is forthcoming.

The fixes recently released from Microsoft include important updates to Windows Media Player (many versions). It is very important to update your computer(s) accordingly. The best route (if you haven’t already configured it) is to setup Automatic Updates in Windows. Or, you can manually go to the Windows update site every month or so. The Automatic method is the best, however, because it is a “set it and forget it” option that elminiates the manual step of visiting the website.

I have tested and installed these fixes in both my test environment and my workplace divisions without troubles.

It is important to install these latest updates because just a couple days after the patches were released (as is the case for nearly all patches), malicious hackers have reverse-engineered the patches to determine what “holes” were plugged. Accordingly, they have written exploit code that takes advantages of those flaws on unpatched machines – don’t let your computer be an unpatched (read:vulnerable) computer. Most XP Service Pack 2 machines have auto-updates already configured, but for users of older versions of Windows (XP original, Windows 2000, etc.) need to manually configure these updates.

Also – I CANNOT OVERSTRESS the need to keep your anti-virus software up-to-date. Most such programs have automatic update features, so please take advantage of them.

Many stastical studies have shown that most Windows users do not keep their computers up-to-date; be the exception and you will be a harder target (that is, most exploits will attack the easiest – soft – targets).

So, i bought an iPod. Now I feel cool … I think. I was a hold out for a while. They didn’t hold enough in the earlier versions, and monochrome screens just don’t do it for me. My friend Bill, however, shamed me into getting one to, and I quote, “get me up to speed.” So, if I had any questions on whether I was too old to own one, the answer is a resounding No since my maturity level is still apparently low enough to fairly easily succumb to peer pressure.

But, now I have been converted. Now comes the formidable task of loading up my 3,000+ releases of music that I have to show for the last 20 years or so.

However, just in case someone else has run into these issues:

• First thing, I ran into a problem with iTunes. 403 error – unable to contact iTunes Music Store. Then, a related error, “unable to connect” with no error number. After many trials and tribulations, I was able to get around both of these errors. The source of the problem: Internet Explorer is configured to use a proxy. Like many companies, my organization uses a proxy server to access the Web. These settings are pushed down to clients via Group Policy and are re-configured routinely if you uncheck (to not use a proxy) – I should know, I’m the one that configures those settings on my company’s network! But, this causes iTunes trouble in some cases, so I recommend unchecking the proxy config (under Tools-Options-Connections-LAN Settings) if you are having these or similar errors.

• Second, I have been having intermittent problems while importing (ripping) CDs into iTunes. It will intermittently / randomly crash during the import of the disc – it writes the following error information into the Application Log of the Event Viewer: Faulting application itunes.exe, version 6.0.3.5, faulting module itunes.exe, version 6.0.3.5, fault address 0×00770507 – the faulting address varies just slightly but all start with 0×00770nnn (where n varies hexadecimally). The fix I found for this was to disconnect from any active VPN connection I had simultaneously running. The Cisco VPN (version 4.8.00.0440) software appears to interfere with the ripping process in iTunes. Once I disconnect and close out the Cisco VPN app, I can rip as many discs as I want and iTunes doesn’t crash.

Other than those growing pains, I have been enjoying the new “toy.” The first quest was finding a case to protect it. Out of the box, the black iPod has a terrible affinity for fingerprints and everyone tells me that it has a proclivity for scratching. I have settled on three ways to keep these things from havppening: The InvisibleShield is protective plastic cover that you can apply to the entire exterior of the iPod to protect it from scratches if you drop it, keep it in your pocket with keys, etc. It was originally developed to protect helicopter blades from debris – the stuff is pretty hardcore.
Additionally, I am using the Agent18 for the Video 5G 60GB. It is translucent/transparent hard plastic, and with the black front of the iPod creates a kind of smokey gray appearance to the device without adding my much mass or girth.
While in LA, I also picked up the black Speck Toughskin at the Northridge Apple store. The service in that store is very good – everyone was friendly – and that alone almost made me want to convert to a Mac. The Toughskin is a black rubber cover with an almost “Mad Max” look. I’m not sure how I feel about the look yet, but it should prevent my butterfingers from destroying my new acquisition (at least in the first month or so).

So, the 5G Video iPod is nice and I’ve put in around 4GB at this point. My favorite part so far is podcasting. I have been into it before, but only via my computer.

If you don’t yet know of Karl Pilkington, you will have fun learning all about him. This is a producer/friend of the creators of the original (UK) TV program named “The Office” – the U.S. version of the same program stars Steve Carrell. If you want to hear the first twelve episodes, please feel free to download them from here. If you have a good sense of humor, you are bound to get some good laughs out of this series of time wasters. To give you an idea if you haven’t become an addicted listener, the most famous thing Karl has pontificated out loud has been “I could eat a knob at night.” This facet of the show has spawned (per host’s request) over 70 variations of dance remixes using that quote as the hook. The original mix was quick and direct, and here is my favorite so far. Here are a few I’ve compiled so far.
Karl even has his own Wikipedia entry – amazingly detailed and complete.

“May the funk be with you.”

Winamp has more vulnerabilities. Upgrade to version 5.2 to resolve those issues.

If it doesn’t automatically prompt you to update, please visit WinAmp’s site for the latest version (at the time of this writing, 5.2) which will resolve all known exploited issues.

Exploit code has been released to take advantage of the recent flaws, mostly by spyware writers to install popups and adverts onto your machine, so prevent that by upgrading ;-)

Here is a quick perspective of “big three” browsers – Opera vs. Firefox vs. IE

Security
Firefox (especially with the NoScript and AdBlock extensions) is more secure than IE.
Opera (especially by tweaking some config settings) is more secure than IE.
IE has been shown to be the least secure of the three… by FAR.

Opera is (arguably) the fastest browser out there, which is what initially drew me to it in the first place (back in 1999). There are several speedy features built-in to Opera, but the one I use the most is its ability to easily “toggle” images off and on on demand (it is an icon on the main bar). So, I surf the web with images turned off by default which makes the pages load much, much faster. Then, if I need images to view the site properly, I simply toggle them ON on-the-fly.
Additionally, there are network-level settings that make it pull pages down faster, and you can tweak just about every setting you want to squeeze performance to the max (like cached pages, etc.).

Tabbed Browsing – Both Opera and Firefox have had tabbed browsing for years. I believe Opera was the first to support it, but that doesn’t matter for this discussion. Tabbed browsing simply refers to the ability to have multiple webpages open within a single “program window.” When you use IE and you open multiple websites, you have a string of IE windows open on your task bar. With tabbed browsing, instead of these multiple windows, you have a single Firefox or Opera window and within it, you have additional windows of websites. It is a convenience thing and sounds rudimentary, but it makes a big difference one you get used to it.
With Opera and Firefox, you can run with or without tabbed browsing… or both at the same time!
In IE7 (the upcoming version of the browser), it finally has tabbed browsing. Additionally, there are other browser “wrappers” that use IE (a popular one is Avant) as an engine and force it to support tabbed browsing, but that might be cumbersome for the standard “I just want it to work” user.

Session History – Also, unique to Opera is that you can configure it to save all the open windows (webpages) you had open at the time that you close it – so that when you open it next it opens all the same websites you had open previously, in the same order and place as where you left off – it is an awesome productivity feature that I have come to rely upon. It will even save where you were if you crash.
A cool thing in favor of Firefox is that you can Bookmark all open tabs into a new or existing Bookmark folder – all at once. This effectively allows you to come back to the same set of pages in the future, but not quite as seamless as the Opera (start from last time) feature. Opera can open all the bookmarks in a folder as well.

Searching – Opera and Firefox both have a built-in Search field for direct searching of the web (without the use of addins). Opera has a quick search for Google, Amazon, Price Comparison, Ebay, Download.com, etc. Firefox has built-in search capability for Google, Amazon, Ebay, Yahoo, Answers.com, and CreativeCommons, and also allows you to Add your own which is a really cool feature.

Customizability – Both Opera and Firefox can have their appearances changed using “skins” in Opera or “themes” with Firefox. These alter the way that buttons and windows appear. I like a really clean looking browser window (none of this fancy whiz-bang stuff for me), so I change the default Opera skin to a clean, simple view which gives me maximum viewing area for webpages.

Mouse Gestures – Opera has another unique feature to which I have become accustomed – Mouse Gestures. This interesting feature allows you to control common surfing commands using a combination of mouse buttons and flicks of the wrist. For example, to go “Back” I simply hold the right mouse button and “flick” my wrist to the left quickly. To go forward, flick to the right quickly. New Page, Flick down. Etc. You can also enable Voice commands in Opera, but I haven’t tinkered with that one yet since I talk to my computer enough as it is ;-)
A mouse gesture extension has been developed for Firefox – here.

Extras – Pop-up blockers built-in to Firefox and Opera are superior to the IE capability and by far predate its support.
Opera has a built-in spell checker for Edit boxes on the web (for things like posting to blog or feedback forms, etc. via a right click in the field.
In Opera, the Refresh and Stop buttons are interchangable based on state, which is a simple, but cool little feature. Additionally, you can modify the settings so that the status of the page loading is in the same field as the location/address (so that there is only one place to check for page status).
Opera’s Zoom feature is better than IE and Firefox in that it zooms proportionally all parts of the page, including images – as if you are bringing your face closer to the page.

6 of one, Half dozen of the other – Many features first introduced by Opera have been ported over to Firefox through the open source community’s use of extensions, but development of those extensions is up to the support of that community which sometimes lags behind the release schedule of Firefox in general (but they usually keep up fairly well). This means that if you prefer Firefox but would like some functionality associated “out of the box” with Opera, it is likely available in some form through a Firefox extension or method.

Downloads – Both Opera and Firefox blow the doors off of IE when using it for downloading files (like PDFs, ZIP files, MP3s, etc.). As soon as you click a download link, you are presented with a dialog box on what to do with it (like, where to save it, etc.). But, in the meantime, it is already downloading the file in the background while you decide on where you are going to save the file, etc. IE waits until you have made that choice, which adds sometimes significant waiting time for the download to finish.

Extensibility / Customization – The customization you can do to the browser is extraordinary in Opera, and extensive in Firefox. Firefox benefits in this area by being Open Source and many programmers and hackers have developed extensions to Firefox that make it even more feature rich.

Cross Platform – Both Opera and Firefox support multiple “platforms” which means they run on Windows, Linux, Mac, etc. Opera supports a huge number of platforms, including additional Unix variants (like FreeBSD and Solaris) as well as mobile phones and PDAs.

Compatibility – I use Opera as my primary browser, but it does still have some compatibility problems with sites designed specifically for IE. The problem here is that Opera was developed in strict adherence to worldwide adopted W3C (web) standards. Microsoft (with IE), doesn’t care about what the rest of the world does, and has developed competing, incompatible “standards” of its own, and often the extensions/changes that they have made make it easier for website developers on the front end when designing webpages. However, the downfall is that standards-based browsers like Opera fail to properly render some elements of those pages, making it problematic to use.
Firefox, OTOH, is also standards-based, but has made a much stronger effort to render IE-designed pages more accurately. As a result, it allows the rules to be bent better than Opera and often yields better results when viewing proprietary pages than Opera.

Choices – There are so many “that’s cool” little things in both Firefox and Opera that are hard to completely document, and I find new ones in Opera all the time. The main thing is to explore your choices and then choose one that works for you.

I use Opera – and if I run into a site that doesn’t work right, I use Firefox. If all else fails, I open up IE (which, sometimes I do have to do). Most of the time I don’t have any trouble and to be honest I am almost always running a Firefox window, an Opera window, and an IE window at the same time with different sites in each… but then again, I am a bit of a geek.

But, everyone has their own preferences and computer programs are no different. The easiest and funnest thing (especially on a snowy Sunday afternoon like this) is to download them and try em out.

http://www.opera.com/
http://www.mozilla.com/firefox/

Additionally, here are some other reviews that might be helpful:
Zhooibaal review
NewsForge review by Kris Shaffer

I am in a conundrum: From a technology perspective, how do we prevent confidential company data from being disclosed over the web?

Information leakage, in this sense, is a very difficult problem to solve with certainty. Almost everything is merely a mitigation and nothing is seems to be foolproof or without a way around it. If an organization has decided to provide fairly liberal access to the Web by company employees using company computers, either internal or remote, then preventing the use of “certain” kinds of sites (such as webmail, webstorage, etc.) becomes very difficult.

For example: How to lock down the use of webmail and those free (or cheap) webstorage sites like FreeWebSpace.com, BigVault.com, xdrive.com, ibackup.com, filelodge.com, etc. etc. etc. (I’ve counted more than 20 and that is with a simple, quick Google search)?

Add to the problem, remote users. Other than installing software firewalls with according policy configurations (which is daunting in itself), how does one prevent remote PC users (i.e. users outside of the company network) from utilizing webmail and webstorage services? And, even with software firewalls, if the remote users have Admin rights on their computers, they can delete, disable, or cripple the firewall software (and arguably, need to for interop with the heterogeny of networks and configurations in hotels, hotspots, etc.).

Additionally, dropping access to each and every Internet proxy (used for anonymizing, etc.) which might be used to circumvent company site restrictions is like trying to stop lava flows with a garden hose – akin to putting each spam domain name one encounters in a blocklist individually! Hell, anyone can setup a private proxy and use that to browse the web and it would go undetected for a while before the log pattern of a single site being accessed would emerge.

Another REMOTE user problem:

If one mandates that all users, including remote VPN-attached clients, use the proxy server for Web access. This is to prevent access to webmail, webstorage, anonymizers, etc. type sites to prevent information leakage or outright unlawful and intentional disclosure.

However, this introduces a bit of a problem: Users will be required to connect to the VPN to get access to the proxy server in their web browsers. However, to connect to the VPN from most hotels/hotspots/etc., one must authenticate with the provider’s infrastructure (either to accept charges and/or to accept terms and conditions) via the same web browser. This writes out a session cookie from the provider, which then allows the PC out to the Internet (which then allows VPN, etc.).

The problem is that browsers configured to use a proxy server will not “trigger” the mechanisms generally used by hotels/hotspots/airports/etc. So, we are stuck with a chicken-and-egg problem.

I see two primary ways around this:

1) Determine the URLs / addresses used by a majority of providers, and place those into the “exceptions” list in each of these remote clients to bypass the proxy for those sites (allowing authentication with the local provider’s infrastructure to get a VPN connection, thereby allowing the rest of the Internet sites to route properly through the proxy server).

2) Put the proxy server into a publicly available (non-NAT) DMZ, so that the Proxy server’s IP address is available to both internal and Internet-based clients (this seems less secure).

I ask these questions to determine what technology can be used to construct a policy enforcement system to contain intentional attempts to utilize non-company mechanisms to transfer, share, or store company information assets.

Am I missing something or is this just hard? To me, without spending gobs of money on technology and implementation, this is a question of the classic security vs. usability problem. Is there an enterprise solution for preventing PCs from sending data (preferably policy-based) either via blocking HTTP PUT commands or other methods? Please only consider IP network methods specifically – USB, CDRom, etc. should be excluded from the discussion.

Krugle looks like it could be very useful for you code warriors out there… I wonder how long it is before Krugle is acquired by Google?