Security
On security matters, mostly digital.
A utility for disabling Windows 10
While there may be people who actually like Windows 10, there are also many people who aren’t interested in fully exposing every part of their digital life to for-profit mining as means of offsetting Microsoft’s declining profits in the desktop OS business, and if you’re one of those, fighting Microsoft’s truly viral (and malware) marketing techniques is quite a hassle. It appears there may be an easier way.
Micrsoft has finally provided an “easy” way for people to turn off windows OS update (e.g. from 7.x or 8.x to 10) from happening automatically and without user intervention (and frequently in outright defiance of clear user intent because profits first!)
The short form for people who are comfortable with some of the internal workings of Windows is:
Search for "edit group policy" and open the editor then follow the selection cascade as: Local Computer Policy -> Computer Configuration -> Administrative Templates -> windows Components -> Windows Update ->> Turn off the upgrade to the latest version... ->> [x] enabled
The longer instructions are at this link: https://support.microsoft.com/en-us/kb/3080351
Easy, no?
I suggest doing this and then downloading and installing the following program. It will pretty much do the same thing but it also checks to see if Microsoft has already kindly filled your hard disk with malware without your permission and offers to delete it:
https://www.grc.com/never10.htm
Note that my previous posts about removing specific “updates” are still relevant. The above should prevent windows 10 from auto-updating but Microsoft has been pushing updates with “telemetry” to Win 7 and Win 8, which are also spyware and are tracking you and reporting your usage patterns back to Microsoft without telling you or asking you.
Welcome to the new economy: you’re the product.
Turn off windows update now!
If you haven’t already, turn off Windows update now. Microsoft has recently started installing Windows 10 spyware without consent. A good friend of mine had a bunch of systems at the company where he runs IT hacked by Microsoft over the weekend, which broke the certificate store for WPA-2 and thus their wifi connections.
To be clear, Windows 10 is spyware. Microsoft has changed their business model from selling a product to selling data – your data – to whoever they want. Windows 10 comes with a EULA that gives them the right to steal everything on your computer – your email, your private pictures, your home movies, your love letters, your medical records, your financial records – anything they want without telling you. “If you’re not paying for the product, you are the product.”
If this happens to you, I suggest contacting your state attorney general and filing a complaint against Microsoft. Hopefully a crushing class action suit or perhaps jail time for the executives that dreamed up this massive heist will help deter future corporate data thieves, though that’s certainly irrational optimism.
I wish I could recommend switching to Linux for everyone, but there’s a lot of software that still depends on Windows and a lot of users that will have a hard time migrating (developers: please stop developing for Microsoft). Apple seems unequivocally better in refusing to act as key player in bringing about Total Information Awareness. I’m not a huge fan of their walled garden and computers as overpriced fashion accessories approach, but it is far better than outright theft. For those that are slightly computer savvy, there’s Linux Mint, which is quite usable and genuinely free.
These instructions might help prevent that disaster of an update being visited upon you (and possibly law enforcement visits to come after Microsoft starts sifting through all your datas and forwarding on whatever they find). The latest reports suggest they aren’t enough, but it is the best I have found other than isolating your windows box from the internet completely.
PGP Usability Regression thanks to Enigmail
The latest auto update to Enigmail, the essential plugin for Thunderbird for encrypted mail, is a fairly dynamic project that occasionally makes UI and usability decisions that not everyone agrees with.
The latest is a problem for me. I use K9 for mobile mail and K9 doesn’t support PGP/MIME, but Enigmail just:
Why? OK – PGP/MIME leaks less metainformation than inline PGP, but at the expense of compatibility. K9 should support PGP/MIME, but it doesn’t. Enigmail should have synchronized with K9 and released PGP/MIME when mobile users could use it.
But encryption people often insist that the only use case that matters is some edge case they think is critical. They like to say that nobody should read encrypted mail on a mobile device because the baseband of the device is intrinsically insecure (all cell phones are intrinsically insecure – phones should treat the data radio as a serial modem and the OS and the data modem should interact only over a very simple command set – indeed, the radio should be a replaceable module, but that gets beyond this particular issue).
For now, make sure your default encoding is Inline-PGP or you’ll break encryption. Encryption only works if it is easy to use and universally available. When people can’t read their messages, they just stop using it. This isn’t security, this is a mistake.
Signal Desktop: Probably a good thing
Signal is an easy to use chat tool that competes (effectively) with What’sApp or Viber. They’ve just released a desktop version which is being “preview released/buzz generating released.” It is developed by a guy with some cred in the open source and crypto movement, Moxie Marlinspike. I use it, but do not entirely trust it.
I’m not completely on board with Signal. It is open source, and so in theory we can verify the code. But there’s some history I find disquieting. So while I recommend it as the best, easiest to use, (probably) most secure messaging tool available, I do so with some reservations.
- It originally handled encrypted SMS messages. There is a long argument about why they broke SMS support on the mailing lists. I find all of the arguments Whisper Systems made specious and unconvincing and cannot ignore the fact that the SMS tool sent messages through the local carrier (Asiacell, Korek, or Zain here). Breaking that meant secure messages only go through Whisper Systems’ Google-managed servers where all metadata is captured and accessible to the USG. Since it was open source, that version has been forked and is still developed, I use the SMSSecure fork myself
- Signal has captured all the USG funding for messaging systems. Alternatives are not getting funds. This may make sense from a purely managerial point of view, but also creates a single point of infiltration. It is far easier to compromise a single project if there aren’t competing projects. Part of the strength of Open Source is only achieved when competing development teams are trying to one up each other and expose each other’s flaws (FreeBSD and OpenBSD for example). In a monoculture, the checks and balances are weaker.
- Signal has grown more intimate with Google over time. The desktop version sign up uses your “google ID” to get you in the queue. Google is the largest commercial spy agency in the world, collecting more data on more people than any other organization except probably the NSA. They’re currently an advertising company and make their money selling your data to advertisers, something they’re quite disingenuous about, but the data trove they’ve built is regularly mined by organizations with more nefarious aims than merely fleecing you.
What to do? Well, I use signal. I’m pretty confident the encryption is good, or at least as good as anything else available. I know my metadata is being collected and shared, but until Jake convinces Moxie to use anonymous identifiers for accounts and message through Tor hidden nodes, you have to be very tech savvy to get around that and there’s no Civil Society grants going to any other messaging services using, for example, an open standard like a Jabber server on a hidden node with OTR.
For now, take a half step up the security ladder and stop using commercial faux security (or unverifiable security, which is the same thing) and give Signal a try.
Maybe at some later date I’ll write up an easy to follow guide on setting up your own jabber server as a tor hidden service and federating it so you can message securely, anonymously, and keep your data (meta and otherwise) on your own hardware in your own house, where it still has at least a little legal protection.
Making Chrome Less Horrible
Google’s Chrome is a useful tool to have around, but the security features have gotten out of hand and make it increasingly useless for real work without actually improving security.
After a brief rant about SSL, there’s a quick solution at the bottom of this post.
Chrome’s Idiotic SSL Handling Model
I don’t like Chrome nearly as much as Firefox, but it does do some things better (I have a persistent annoyance with pfSense certificates that cause slow loading of the pfSense management page in FF, for example). Lately I’ve found that the Google+ script seems to kill firefox, so I use Chrome for logged-in Google activities.
But Chrome’s handling of certificates is abhorrent. I’ve never seen anything so resolutely destructive to security and utility. It is the most ill-considered, poorly implemented, counter-productive failure in UI design and security policy I’ve ever encountered. It is hateful and obscene. A disaster. An abomination. The ill-conceived excrement of ignorant twits. I’d be happy to share my unrestrained feelings privately.
I’ve discussed the problem before, but the basic issues are that:
- The certificate authority is NOT INVALID, Chrome just doesn’t recognize it because it is self-signed. There is a difference, dimwits.
- This is a private network (10.x.x.x or 192.168.x.x) and if you pulled your head out for a second and thought about it, white-listing private networks is obvious. Why on earth would anyone pay the cert mafia for a private cert? Every web-interfaced appliance in existence automatically generates a self-signed cert, and Chrome flags every one of them as a security risk INCORRECTLY.
- A “valid” certificate merely means that one of the zillions of cert mafia organizations ripping people off by pretending to offer security has “verified” the “ownership” of a site before taking their money and issuing a certificate that placates browsers
- Or a compromised certificate is being used.
- Or a law enforcement certificate is being used.
- Or the site has been hacked by criminals or some country’s law enforcement.
- etc.
A “valid” certificate doesn’t mean nothing at all, but close to it.
So one might think it is harmless security theater, like a TSA checkpoint: it does no real harm and may have some deterrent value. It is a necessary fiction to ensure people feel safe doing commerce on the internet. If a few percent of people are reassured by firm warnings and are thus seduced into consummating their shopping carts, improving ad traffic quality and thus ensuring Google’s ad revenue continues to flow, ensuring their servers continue sucking up our data, what’s the harm?
The harm is that it makes it hard to secure a website. SSL does two things: it pretends to verify that the website you connect to is the one you intended to connect to (but it does not do this) and it does actually serve to encrypt data between the browser and the server, making eavesdropping very difficult. The latter useful function does not require verifying who owns the server, which can only be done with a web of trust model like perspectives or with centralized, authoritarian certificate management.
How to fix Chrome:
The damage is done. Millions of websites that could be encrypted are not because idiots writing browsers have made it very difficult for users to override inane, inaccurate, misleading browser warnings. However, if you’re reading this, you can reduce the headache with a simple step (Thanks!):
Right click on the shortcut you use to launch Chrome and modify the launch command by adding the following “--ignore-certificate-errors”
Once you’ve done this, chrome will open with a warning:
YAY. Suffer my ass.
Java? What happened to Java?
Bonus rant
Java sucks so bad. It is the second worst abomination loosed on the internet, yet lots of systems use it for useful features, or try to. There’s endless compatibility problems with JVM versions and there’s the absolutely idiotic horror of the recent security requirement that disables setting “medium” security completely no matter how hard you want to override it, which means you can’t ever update past JVM 7. Ever. Because 8 is utterly useless because they broke it completely thinking they’d protect you from man in the middle attacks on your own LAN.
However, even if you have frozen with the last moderately usable version of Java, you’ll find that since Chrome 42 (yeah, the 42nd major release of chrome. That numbering scheme is another frustratingly stupid move, but anyway, get off my lawn) Java just doesn’t run in chrome. WTF?
Turns out Google, happy enough to push their own crappy products like Google+, won’t support Oracle’s crappy product any more. As of 42 Java is disabled by default. Apparently, after 45 it won’t ever work again. I’d be happy to see Java die, but I have a lot of infrastructure that requires Java for KVM connections, camera management, and other equipment that foolishly embraced that horrible standard. Anyhow, you can fix it until 45 comes along…
To enable Java in Chrome for a little while longer, you can follow these instructions to enable NPAPI for chrome <42 (which enables Java). Type “chrome://flags/#enable-npapi” in the browser bar and click “enable.”
Superfish proves certs are useless for identification
Can we please, please stop with the stupid certificate verification warnings?
Dear security developers, your model is broken. It never worked. Stop warning people about certificate errors. Now. Forever.
Certificate errors serve two purposes:
- They make developers uncomfortable with using perfectly secure self-signed certs, and since commercial certs cost money, much of the web that could be encrypted remains unencrypted. That’s harm done to the public. Thanks.
- They happen so often, so relentlessly, for such trivial reasons (not even Google can keep their certs up to date) that users learn to ignore them, which makes an actual man-in-the-middle attack almost certain to succeed with most people, despite the warnings.
The Certificate Authority system is predicated on the idea that Certificate Authorities are flawless and trustworthy. They are neither. The Lenovo/Superfish problem shows another obvious flaw: hardware vendors (and actually any trusted software installer) has to be trustworthy too or client-side MITM is easy. And CA’s simply can’t verify against that.
This whole idiocy creates massive problems for something so basic as LAN administration. Even before wireless became pervasive, LAN coms should always be encrypted when passwords or any meaningful data is moving. Current security settings create a massive avalanche of useless errors for “untrustworthy certs” on one’s own network (the obvious fix is to automatically trust all certs on private networks, duh).
This is an issue that bothers me a lot. It gets in my way constantly and makes real security and encrypted communications way harder and way more complicated than it needs to be and the only beneficiaries at all are the certificate Mafiosi. This is just stupid. Superfish proves, again, how broken it is. Can we stop pretending now?
Also, this most recent of many certificate flaws comes with a bonus feature: the MITM cert Superfish uses is apparently really pathetically insecure, aside from using broken crypto, their software had their passwords in it, making it easy for crackers to develop tools to harvest additional data from the victims of the Superfish/Lenovo attack.It probably hurts more to find out your vendor hacked you, but the penalty is that the hack also destroyed the security of all of your communications. Thanks. This is why we can’t have nice things. It is also why any back door, no matter what the motive, compromises security.
Update: Superfish is, apparently, out of business. While that sucks for the people at the company, who were probably very happy with their Lenovo OEM deal and instead got a big sock of coal, one might naively hope for an upside that companies considering a model based on stealing people’s data might take notice of the cautionary tale of superfish.
Unfortunately – that won’t happen, not in the current valley climate. While it is economically advantageous to hire cheap kids who have no life and will work long hours for meagre pay, they come with a downside: they are all ignorant idiots. I don’t mean they’re not smart or capable (though the smart barrel was long ago drained and the vast majority of brogrammers sauntering around SF really are stupid), rather that they are foolish as in the opposite of ‘wise.” Wisdom comes from experience, and experience only comes with time, an immutable dimension. This superfish debacle was only from Feb 2015, but this year’s batch of idiot brogrammers weren’t around to see it and as they gather in self-congratulatory clusters in posh, VC-funded collaborative spaces, company barrista-brewed latte in one hand and social-media-distraction feeding portable device in the other, they’ll be high-fiveing and fist-bumping the brilliance of their brand-new idea for getting around SSL so they can collect marketing data and better target advertising. Yay.
How to fix Superfish:
Install Perspectives. And support them.
Also, this bugs the crap out of me: