Archive for World o’ Web

UPDATE – Firefox Zero Day Exploit Traced To FBI

Yesterday a rather worrisome exploit was found in the Firefox browser and all products that use the underlying Mozilla engine – Thunderbird, Tor Browser – that allowed otherwise safe and trusted web sites to inject malicious code into computers using the Windows operating system. You can read about it (and get links to updated versions of the software that correct the problem) here.

Now an even more startling development reveals that the exploit may have been added to the Firefox/Mozilla codebase by law enforcement officials, specifically the FBI. Since James Comey assumed the leadership of the FBI they have constantly targeted the Tor Browser, ostensibly as a way to investigate and prosecute offences in child pornography but with a quietly stated endgame of adding to their toolbox for mass surveillance upon all citizens of the United States. It’s not out of the realm of possibility to assume that they will be ramping up these efforts with an incoming president who is publicly committed to destroying personal privacy and free speech rights, and this is the first stage in surreptitiously broadening their listening powers. The widespread fallout that compromises the computer security of millions of innocent “cyber bystanders” would likely be considered acceptable collateral damage in the current political climate.

A full update has been added to the original post on the Wordfence blog. It’s definitely worth a perusal – if you only have the time to read one article today, this is definitely the one.

And remember – UPDATE YOUR FIREFOX/MOZILLA PRODUCTS NOW.

Firefox Zero Day Exploit – Alive And Extremely Dangerous

A freshly discovered “zero day” vulnerability in the Firefox browser is currently being exploited and – if you are using Windows – can compromise your computer simply by visiting otherwise benign web sites. Fortunately, the exploit was published rather quickly and the Firefox team was able to issue a security patch within a few hours.

However – the exploit uses benign websites (especially ones that are commonly used as starting pages for browser sessions) as “watering holes” and any use at all of previous versions of Firefox is contraindicated until you download and install the newest release. If you use Firefox you need to immediately switch to another browser such as Safari or Chrome until you update Firefox. You can get the update here:

Firefox 50.0.2 Release Notes And Download

If you use Thunderbird for your email you also need to update as it uses the same Mozilla engine for parsing HTML within email messages. This is only a concern if you have Thunderbird set to allow inline content to be displayed automatically or you manually select content to load, but it would be in your best interest to update regardless:

Thunderbird 45.5.1 Release Notes And Download

Finally, if you use the Tor browser and security package, you also need to update as it contains a discrete version of the Mozilla engine that is affected by the same exploit:

Tor Browser 6.0.7 Release Notes And Download

Remember – you should not use either Firefox or Tor for any reason, even to download the updates, until you have the newest versions installed. Kudos to the Firefox/Mozilla team for getting these updates out so quickly. If you are interested in how the nuts and bolts of this works, there is an excellent write-up along with some pro analysis at the Wordfence Blog.

The Best Mobile Safari Tip You Will Get This Week

Unless you live in some sort of odd 1998 time bubble, or are inexplicably using Internet Explorer for something other than demonstrating how not to write a browser, you probably use browser tabs pretty much all the time. Listen: As positive developments go, browser tabs are right up there with sliced pizza and the polio vaccine.

Being a clever tab user you are probably also familiar with – and beholden to – the “Undo Close Tab” function. As an extension to that familiarity you have probably cursed out Mobile Safari more than a few times for not having the same function. Sure, you can bring up your history and swipe down to the tab you just closed, and hope like hell you didn’t open it three days ago because now it is about 1,437 items down the list, and … stop. Just stop. Calm down. Mobile Safari does have a “reopen closed tabs” function; you just haven’t found it yet.

Let’s do some finding.

First, tap on the “Show Tabs” icon at the bottom of the screen:
Mobile Safari - Show Tabs Button

Then tap and hold the “New Tab” icon at the bottom of the tabs view screen:
Mobile Safari - New Tab Button

Zut alors! C’est magnifique! Fermer la porte! All of your recently closed tabs, ready for tapping.
Mobile Safari - List Of Closed Tabs

Life, as the kids say, is good. You’re welcome.

Aerial – A Ridiculously Awesome Open Source Screen Saver

San Francisco Daytime Flyover From Apple TV

You may be aware that the latest generation of Apple TV went on sale yesterday. You may also be aware that the new box features some absolutely eye-popping screen savers – slow-motion hi-def flyovers of locations from around the globe, tuned to your current time of day.

What you might not be particularly aware of is the work of an exceptionally talented Swift programmer named John Coates who has crafted an OS X screensaver that brings these exact same flyovers to your computer desktop. Aerial is free, completely open source, and ready for your downloading pleasure right now. If you have one of the new 4K iMacs, this will blow your mind. If you have any other machine, well, it will still blow your mind, just not as much.

Those 4K iMacs are the bomb.

A couple of notes:

This is written in Swift, so you have to be running at least OS X Mavericks to enjoy it.

It is truly open source so you can use it to learn a little bit about Swift, or – if you are already a Swift guru – you can help contribute to or collaborate on the project.

If you aren’t familiar with GitHub and the downloading and building process here is an easy shortcut: Scroll down on John’s page to the section headed “Download” and then click on the link where it says “Download from GitHub”. Then just unzip the downloaded file, double-click on the file called “Aerial.saver” and allow OS X to install it. After that you can use it like any other OS X screen saver.

Finally, if you are planning on selecting only a few of the choices and would like to see a large (and gorgeous!) preview of all of the different locations and times, head over to Benjamin Mayo’s page for a complete set of views and browse away.

“Give Us A Hint”

Invitation graphic to the media event being held on September 9, 2015 at the Bill Graham Auditorium in San Francisco

Well, well. As mentioned here last week, Apple is hosting a September media event to launch a new crop of phones, along with the somewhat-delayed reboot of the Apple TV box and the official releases of iOS 9, OS X “El Capitan” and the beginning of the end of Apple Watch tethering with Watch OS 2.0. The date and location were made both public and official yesterday via the standard round of colourful email invitations. What’s not standard, however, is the semi-interactive nature of the invite. The theme this time around is “Hey Siri, give us a hint” and if you do indeed ask Siri for a hint you will get … no, that would be telling. Why don’t you ask her yourself?

Better yet, ask her a bunch of times. She’s at her coquettish best on this one. Will the answers change as we get closer to September 9th? Only one way to find out …

November Launch For Apple Pay In Canada

By anyone’s estimate, Apple Pay has been a huge success in the U.S.A. Apple’s timing in launching the service was exceptionally fortuitous … while the company touted “ease of use” as the prime selling point, the fact that numerous retailers recently proved that they can’t be trusted with your credit card data is really what put the service on the map in a hurry. Apple still downplays the value of keeping both your personal information and your card number secret from retailers – they do need to keep on good terms with said retailers to roll out the service – but it is undeniable that this is the main reason for the service becoming the single largest electronic payment method in less than a year.

Apple Pay point-of-sale terminal in use

Until now, however, Canada has been left out. The main sticking point was the fact that Canadians love to use debit, not credit, as their point of sale payment option. Down below the 49th, people whip out the Visa or Mastercard to pay for small day-to-day purchases. Canadians? We go for the debit card. Using a secure token for debit purchases hasn’t been as easy to integrate as with credit card accounts, and Apple had no appetite to launch the service here without including the most popular form of payment.

Time to catch up. Apple is now planning to roll out the service across Canada in November, with complete debit card integration. They are working with all six of the largest banks and it will be interesting to see if they manage to launch with all six at one time. It will also be interesting to see how hard they push the “keep your information safe from retailers” angle to security-minded Canadian consumers at the expense of possible retailer relationships. Stay tuned.

Journey To The Centre Of The Earth

1959 movie poster for "Journey To The Centre Of The Earth"

Did you read Verne’s classic when you were a kid? Imagined walking through those prehistoric jungles, seeing the first glimpses of battling dinosaurs and man-eating plants? It was cool when you were a kid … but like most sci-fi, especially period sci-fi, it comes off as pretty hokey when you get older and realize that there isn’t very much worth seeing under the surface of the planet.

Or is there?

One way to find out: The BBC’s excellent interactive web feature that lets you delve down to the very core of the planet. They did a bang-up job on this – take a few minutes today and take a look.

Brilliant.

Disposable Passwords.

Terrible New Yahoo Wordmark

I was skipping through the Yahoo blog this morning …

What? Yes, Yahoo. That Yahoo. Still in business and everything. Shocking, I know.

Ahem. I was skipping through the Yahoo blog this morning and they are floating an idea that I think has some serious legs: On-demand one-shot passwords. You set up your account to take advantage of the feature, and instead of using your regular permanent password you can hit a button that will send a single-use disposable password to your verified mobile device.

While the blog post makes it sound like this is a panacea for those people who constantly forget their passwords – I’m looking at you, mom – it is actually a brilliant idea from a security standpoint. We have all heard the horror stories about hotel and airport wireless networks that are compromised with assorted chunks of malware that fish for user credentials when connected users connect back to their personal email or VPN accounts … and if professionally-administered networks can be easily infiltrated, it’s a pretty safe bet that the WiFi at your local coffee shop or library branch is packing some hidden nasties too.

This process is a simple and foolproof way to protect yourself – it doesn’t matter if the bad guys get your password, because it only works once. They can knock themselves out trying it all day long, and get nothing but air for their troubles.

I haven’t been able to try this yet, because the rollout is currently limited to users with a U.S. phone number. If you happen to live in the States and have a few minutes to try this out, follow the link to give it a shot and let me know how you get on. If it works as advertised, this is something I would love to see become widespread across the industry in a hurry. Credential theft is by far the biggest business in the world of cybercrime … being able to protect yourself in one easy step has the potential to be a game-changer.

Canadian DRAM Class Action Lawsuit

Are you Canadian? Did you buy consumer electronics in Canada between 1999 and 2002? If you can answer “yes” to both of those questions then you are entitled to a cash money payout as part of the now-settled class action lawsuit against the manufacturers of DRAM.

Photo Of A Typical Canadian DRAM buyer

In a nutshell: The companies that manufacture RAM chips conspired to fix the price of DRAM at artificially high levels. Companies that use those chips to make things (and a lot of things use DRAM) necessarily passed those inflated prices on to you. And now you can get back a little bit of that coin by filling out a simple form – it takes about three minutes for the basic $20 claim – and clicking the send button.

In a bigger nutshell: Any Canadian can claim the basic $20 compensation just by filling out the form … no receipts or other supporting documentation are needed. The legal assumption here is that you almost certainly purchased at least one item that qualifies and it would be unfair to expect you to come up with a receipt at this point for a 15-year-old MP3 player or videogame console or whatever. Alternatively, if you are one of the few people in the country who didn’t purchase a device that uses DRAM, your decision was probably influenced by the corrupted market pricing and you are still eligible for damages. Either way, you should take the time to at least fill out the basic claim. To paraphrase the immortal words of Geddy Lee, “Twenty bucks is twenty bucks, eh?”

In a really, really big nutshell, we are talking about a coconut here: If you have documentation – it doesn’t necessarily have to be receipts, there are other types of supporting documentation allowed – of multiple items that you bought between April 1, 1999 and June 30, 2002 you can apply for a larger claim. If you are Average Bobby Consumer then your claim is still going to be within spitting distance of twenty bucks, and it won’t make much difference. But if you own a couple of stores, make or resell items that use DRAM, or have any other legit reason for buying a lot of gear then it is probably worth the time to sit down with the online calculator and see what you can get.

All of the details, including the FAQ, lists of affected items, the legal background, and (most importantly) the online claim form can be found here. It costs you nothing to file a claim but the process closes on June 23, 2015 so if you are going to partake, do it now. One quick tip: Each adult in a household should file individually and not as part of a group submission, otherwise you will end up shorting yourself.

As an aside, I personally think class action lawsuits are the worst kind of legal chicanery, nothing more than opportunistic and greedy lawyers looking to cash in on massive fees while the actual aggrieved parties do all the work of submitting the claims. That said, this one is already in the bag and no matter how odious you think it is you might as well get your piece of the pie. Just hold your nose and think of Geddy Lee.

SkyMall Bites The Dust

In a past incarnation of my career I travelled a lot. And by a lot, I mean a shitload. I was in airports and on airplanes a couple of times a week minimum, and often a lot more. Like a lot of travellers, I found both a lot of humour and great comfort in the SkyMall catalogue. It was something that was familiar, always there for you, and decidedly entertaining … although somehow I don’t think that it was entertaining in the way the company wanted it to be.

A typical SkyMall product

When you settled in on a flight and found that the SkyMall book in the seat pocket was a brand new edition, packed with all sorts of ridiculous new goodies? Didn’t matter what time it was or how tired you were … your next couple of hours of seat time were set.

It’s not a surprise that SkyMall has now bitten the dust. In fact, it’s a surprise that it lasted this long. But I will still take a minute or two to mourn. And I suspect there are a lot of frequent flyers out there who will do the same. An institution has truly passed.

So long, SkyMall. It was fun.