Posts published in “Security”

Java: Where Oracle, Twitter and Black Hats Meet

By Christine Hall on February 5, 2013 |

Back on January 24th, Oracle was sitting on their hands after issuing incomplete patches to ~~not~~ handle security issues in Java, issues bad enough to evoke dire warnings from the U.S. Department of Homeland Security. I opined on that day that Ellison’s hired help needed to get off their duffs and come up with a good fix quick, even if Java has turned-out to be a puppy Larry Ellison no longer wants to keep. Evidently, somebody in Deadwood City felt the same way, as Oracle pushed a patch this past Friday addressing 50 security holes in the beleaguered programming language.

Wait a minutes, did I just write that the patch addressed 50 security holes? I’ve got a five pound block of Swiss cheese in the fridge that has fewer holes than that. I think if I was Larry Ellison I would be ashamed to admit I’d allowed that many security vulnerabilities to accrue unfixed while any project was under my care. I think I’d fix ten a day or something in five separate patches and try to make it look like I had my security eagles working overtime finding new holes ahead of the bad guys.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com

Will Oracle Wake Up & Smell the Java?

By Christine Hall on January 24, 2013 |

Business, Security and Software

Does Oracle not know their own code?

I’m talking about Java. You know, the write-once-run-anywhere platform that seems to be severely broken from a security viewpoint, rendering it more than useless when used inside a browser.

Oracle, the company that’s owned Java since purchasing Sun Microsystems in 2010, seems to be clueless. Back in October the company pushed out a patch to fix some security holes that were already being exploited. There were complaints at the time that they were being secretive, saying little to nothing publicly about the problem, acting as if they were sweeping dust under a rug. Indeed, two months earlier, in August, the founder and CEO of the Polish security firm Security Explorations, Adam Gowdiak, told PCWorld that Oracle had known about the security problem for months:

Christine Hall

FOSSForce.com

Dotcom’s New Mega: Not Ready For Primetime

By Christine Hall on January 23, 2013 |

Business, News and Security

It’s funny how things work out. Entrepreneur Kim Schmitz changed his name to “Dotcom” in respect for the technology that made him filthy rich. However, his newest website doesn’t end in dotcom. He doesn’t dare use that top level domain because that would be an open invitation to the U.S. authorities to mess with him. I think Mr. Dotcom would like to be through dealing with the American government if he can. So he’s using .nz, the top level domain code for New Zealand where he resides.

Actually, his new site is a double dot–mega.co.nz, or Mega. Originally, he planned to use the too trippy url Me.ga, using the domain country code for Gabon, a plan that was derailed because the government of Gabon didn’t want to be party to “violating copyrights.” Mr. Dotcom might be excused for suspecting the United States for being an outside instigator in this matter.

Christine Hall

FOSSForce.com

Java Still Isn’t Safe – Possible New Vulnerability

By Christine Hall on January 16, 2013 |

Browsers, Internet, News and Security

I was just guessing on Monday when I said that the Java security patch pushed by Oracle on Sunday was “too little too late.” This appears to have been a lucky good guess on my part, as word is out now that the Java browser plugin still isn’t safe.

At least that’s what Brian Krebs is reporting on his blog Krebs On Security. Evidently there’s a black hat on a hacker forum who’s offering-up info to two buyers on a new vulnerability in the latest and greatest version of Java (that would be version 7, update 11) for the sum of $5,000 each.

Christine Hall

FOSSForce.com

Java Security Vulnerability – How To Disable Java In Linux Browsers

By Christine Hall on January 11, 2013 |

Browsers, Internet and Security

When the Homeland Security folks get into the mix and urge all computer users to disable Java in their browsers, you know it’s serious. Indeed, the exploit announced yesterday seems to affect all operating systems, including Linux, and it’s already being exploited. According to Trend Micro the flaw is already being used by blackhat toolkits mainly to distribute ransomware. In a blog posted yesterday, the company advises all users to disable or uninstall Java:

To prevent this exploit, and subsequently the related payload, we recommend users to consider if they need Java in their systems. If it is needed, users must use the security feature to disable Java content via the Java Control Panel, that shipped in the latest version of Java 7. The said feature disables Java content in webpages. If Java content is not needed, users may opt to uninstall Java as it can pose certain security risk.

Christine Hall

FOSSForce.com

ZoneAlarm: Defining the Difference Between Freeware and Free Software

By Christine Hall on July 30, 2012 |

Browsers and Security

The other day, when my friend’s laptop spit-up a warning from ZoneAlarm that she was no longer protected, I stood over her shoulder and instructed her to update the firewall. The warning was basically a scare tactic, of course. Without the update she would still be protected, just as protected as she had been the day before. She just wouldn’t have any new whiz-bang features included in the update, nor would she be able to take advantage of any new security enhancements.

We ran the default install. This was Windows, so there had to be a reboot. After that, we opened the browser to find that the homepage had been reset to a ZoneAlarm themed Google search page. We had not opted-in to any such change; the ZoneAlarm folks had just taken it on themselves to hijack Firefox’s revenue, which I didn’t think cricket.

Christine Hall

FOSSForce.com

The Death of Zune, the Resurrection of WebOS & Kernel.org Returns

By Christine Hall on October 7, 2011 |

Browsers, Business, Distros, Internet, Mobile, News and Security

Friday FOSS Week in Review

It was already a slow week when the news came on Wednesday of Steve Jobs’ demise. Since then, most tech sites have been reporting on not much else. As always, however, there were a few things to note…

Privacy Issues with Kindle Fire’s Silk Browser

Almost as soon as Amazon unveiled their new Kindle Fire tablet last Wednesday, Naked Security raised some privacy concerns about the device’s browser, called Silk. It seems the browser, in order to offer a quicker user experience, does most of it’s heavy lifting in the cloud:

Christine Hall

FOSSForce.com

Secure Boot: What’s Microsoft’s Agenda?

By Christine Hall on October 3, 2011 |

Hardware and Security

Secure boot is the sort of security solution Microsoft loves. Back in the days when Windows was even less secure than it is now, one of their security solutions was to have software vetted and signed. Although this might have helped enterprise customers a bit, it did little to make the home user more secure, as any software would still install normally after clicking through an “are you sure” warning. If this scheme did anything, it hurt small vendors who couldn’t afford to go through the process of having their software approved by Redmond.

Secure boot is the same sort of scheme, except this time there’s no “are you sure” screen to click through. If a user is trying to install an operating system (or even run one from a live CD) on a machine with secure boot enabled, that operating system will have to have unlock keys to enable hardware devices. These keys are provided to the creator of the operating system at the whim of the hardware makers.

Christine Hall

FOSSForce.com

Can Penguins Dance on a Dell, Will Reiser File Again, Are Samsung and Intel Going to the Prom?

By Christine Hall on September 30, 2011 |

Business, Distros, Hardware, Mobile, News, Patents, Security and Software

Friday FOSS Week in Review

The biggest news this week has centered around fears that Linux may become uninstallable on Wintel machines from the big OEM’s. But there’s been more. Some fun stuff. Some silly stuff. Some stuff that might eventually develop into something important…

Secure Boot Has Penguinistas Buzzing

Last week on FWIR I mentioned there was a storm beginning to brew around Windows 8 and secure boot, which could potentially keep Linux from being installed on some computers once they’re implemented. Well, it’s not just brewing anymore, it’s a full fledged storm with hurricane force winds.

Christine Hall

FOSSForce.com

Kernel Archives Hacked, SCO Dies Again, More HP Changes & More

By Christine Hall on September 2, 2011 |

Business, News and Security

Friday FOSS Week in Review

It’s been a busy week in the FOSS world. Evidently everyone’s been in a hurry to make some news happen before leaving town for the Labor Day weekend. Well, lots of FOSS news is good for me, makes my job easy, so here goes…

HP Makes PR Changes After WebOS/PC Fiasco

I’ve been working on a story all week on the mess at HP caused by the all-at-once and probably premature announcement they’re dropping WebOS, smartphones and consumer PCs. One trouble, I keep having to go back and rewrite stuff, because the story is still very, very fluid and new aspects keep popping up almost daily.

On Monday, Bloomberg Businessweek announced that HP’s chief communications officer, Bill Wohl, will be moving to a “special assignment.” Chief Marketing Officer Marty Homlish will be picking up the slack with the corporate communications team and Lynn Anderson will take care of PR’s day-to-day operations, at least for the time being. According to the Bloomberg, both Wohl and Homlish have a history with CEO Leo Apotheker that predates his tenure at HP:

Christine Hall

FOSSForce.com