TechByter Worldwide

If you enjoy today's article, please share it!

Program Date: 15 Dec 2013

Surveillance: Some of the Big Guys Say "Enough!"

In some ways, it's amusing that Google is one of several big players in Internet commerce to tell the federal government that their surveillance policies need to be modified. This is the same Google that has more information about people than the FBI, the CIA, the NSA, China's Ministry of State Security, the Mossad, Russia's FSB, MI5 and NCA in the United Kingdom, and even the fictional SMERSH.

But I digress. AOL, Yahoo, Microsoft, Google, Apple and LinkedIn are calling for reforms that they say will restore the public's trust in the Internet.

The companies raise valid points in their open letter to the government in saying that "The balance in many countries has tipped too far in favor of the state and away from the rights of the individual." The letter suggests (or, depending on your interpretation, demands) major changes in US surveillance laws. It also call for an international ban on collection of data on a massive basis.

Facebook CEO Mark Zuckerberg said that reports about government surveillance show there is "a real need for greater disclosure and new limits on how governments collect information." Zuckerberg says the US government should lead this reform effort to make things right.

This is blow-back that should have been anticipated by the various security agencies in light of revelations that the NSA intercepted data by tapping into fiber optic cables. This week's open letter was addressed to President Barack Obama and Congress. The companies say that surveillance "undermines the freedoms we all cherish."

Possibly stating the obvious, Microsoft's General Counsel Brad Smith said that people simply won't use technology they don't trust. Given Microsoft's history with security, there's a certain amount of irony there, too. "Governments have put this trust at risk," Smith said, "and governments need to help restore it."

Citing his company's use of encryption and reports to users about government requests for data, Google CEO Larry Page said that privacy measures taken by Google are "undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world."

The open letter says that the Internet giants understand that governments have a duty to protect their citizens and went on to recommend 5 reform principles that address specific concerns:

The 5 reform principles are enumerated here: http://reformgovernmentsurveillance.com/

In the words of a late-night infomercial for knives: But wait! There's more!

Several Nobel Prize-Winning writers have joined hundreds of writers who have signed an open letter to all governments and corporations worldwide appealing for them to respect citizens' privacy rights.

The message says that "surveillance violates the private sphere and compromises freedom of thought and opinion," and the writers say that surveillance is being "systemically abused."

The writers are urging the United Nations to create an international bill of digital rights. And the writers call on citizens of all nations to express their outrage over mass surveillance by adding their names to a public version of the appeal.

The petition is located on the Change.org website.

Comments from CEOs cited in this report
were provided by Microsoft.

April is the Cruelest Month (for XP Users)

T.S. Eliot wrote that in The Waste Land (1922), except for the Windows part because he knew nothing of Windows or computers. Maybe you liked Windows XP and maybe you thought it was better than Vista (you were right) or Windows 7 (you were wrong) or Windows 8 (you were wrong). In April, Microsoft will stop supporting Windows XP, which by then will be a 14-year-old operating system.

In as few words as possible: GET OVER IT. It's time to move on. It's time to obtain a modern operating system.

Support for Windows XP Ends on April 8, 2014.

What does this mean? It means that Windows XP Service Pack 3 (SP3) users will no longer receive new security updates, non-security hot-fixes, free or paid assisted support options or online technical content updates.

Any new vulnerabilities discovered in Windows XP will not be addressed by security updates from Microsoft.

If you're a Windows XP user and this doesn't concern you, then you don't understand the problem.

The problem is this: Microsoft routinely releases security updates and, when they do, criminals act quickly to reverse engineer the update. Then they develop code that will allow them to exploit the flaw on any system that hasn't been updated. After April 8, that will be any system that's running Windows XP.

Yes, Windows XP has security features, but these were developed 5 to 10 years ago. Crooks have become smarter in the intervening years. The Microsoft Security Intelligence Report clearly shows that XP is no match for today's crooks. Even now, XP is significantly more vulnerable than Windows 7 or Windows 8.

If you're an individual who's continuing to use Windows XP, your files are at risk. If you're the chief technology officer of a corporation, your job is at risk.

Is waiting really a viable alternative?

If you must put off an upgrade because the CEO needs yet another vacation home, you at least should investigate what protective measures you can put in place on your network. And you need to realize that it's not just the operating system that's a threat. Although XP was available as a 64-bit operating system, fewer than 1 in 100 systems are 64-bit systems. That means your users are running outdated, outmoded 32-bit applications. So most of the applications that your users are running will also no longer be updated because no vendor will consider it to be worthwhile.

Is it time to convince the CEO that operational computers are important? I certainly think so.

Images in this report were provided by Lenovo.
The company's goal is, of course, to sell new computers,
but that doesn't make the concerns about continuing
to run Windows XP after April 8 any less valid.
(1) wikipedia.org
(2) geekwire.com
(3) Flurry Analytics
(4) gs.statcounter.com

Passwords May Be Dead, but Users Don't Know it Yet

Passwords are inherently insecure. They can be compromised in many ways and most people, even some information technology professionals, don't know how to create a good password. Microsoft wants to help with "Telepathwords".

Certain password mistakes are common and they result in passwords that are easy to guess and therefore aren't secure. Telepathwords is based on the techniques that thieves commonly use to guess passwords.

"Guess" is probably a bad term to use here because it makes the process seem less structured than it actually is. "Guess" describes the process used in Hollywood movies that show the bad guy (or the good gal) guessing a complex password in 12 seconds on the third try. It doesn't work that way in real life.

Try Telepathwords yourself here: https://telepathwords.research.microsoft.com/

The "guessing" system actually uses a highly sophisticated process that's based on the technology used by the "auto-complete" function seen in word processors and text processors. Start typing a password and Telepathwords will show the most common 3 letters that it would expect for the next character. Try it with one of your existing passwords and you may find the results to be more than a bit disconcerting.

You'll learn rather quickly that "@" is not a good replacement for "A" because the system will guess it just about every time. Or try replacing "L" with "7" and Telepathwords will pop up a reminder that says password crackers know about all of these common substitutions as well as about many that are not common.

What's the world's worst password? "PASSWORD", "password", and even "P@55w0rD123" probably tie for that honor. A lot of people would consider that last one to be highly secure and many websites that display a value for password strength would consider it "very strong". Another poor password is the common "LetMeIn".

Many websites require users to create passwords with at least one lowercase letter, uppercase letter, number, and symbol. Clearly "P@55w0rD123" satisfied those rules and it's relatively long, so it appears to be strong.

Here's a comparison of 2 passwords that I use. The first is relatively short, but secure. Telepathwords was able to guess only 2 of the characters, so the remaining 8 are hard to guess.

 

But look at this. Here we have a 15-character password, but Telepathwords was able to identify 9 of characters. Not so good!

As you learn what makes a bad password, you'll begin to develop better passwords, but earlier I mentioned that passwords are dead and you might be wondering why? This is because break-ins at commercial and social media sites are increasingly common and a single event can put tens of thousands of passwords in the hands of crooks. In most cases, those passwords will be "hashed", but hashing simply slows the process for crooks.

For now, though, users need to concentrate on creating good passwords, using a password only once on important sites, and changing the passwords on important sites frequently. By "important sites", I mean sites that contain financial information or other high-value data. Login credentials for newspapers have a lower importance because no critical data would be exposed if the account is compromised.

Short Circuits

Why You Need Firefox 26 for Windows, Mac, Linux, and Android

Firefox 26 is now generally available. Those on the beta channel have been using it for a while now and all users should allow this update to be installed. A major security update called "Click to Play" is now turned on by default.

Click to Play (CTP) makes the browser safer because it won't allow Java plug-ins to run without intervention from the user. Java is a common target for malware developers. The new version also introduces an improved update process for Windows users and some major changes for Android users.

CTP was supposed to be released for all platforms and was intended to apply to all plug-ins except for the most current version of Flash. Late in the beta process, Mozilla delayed the change for all platforms except Windows and all plug-in technologies except Java. The other changes will be made in later versions, possibly 27. It is scheduled for release in February 2014.

CTP blocks all Java plug-ins until the user clicks to use them. Previous version of Firefox simply loaded Java whenever a site requested it and that's a significant security treat. Mozilla could block plug-ins (and does so for old versions of Java, Sliverlight, and Flash) but those blocks had to be established by Mozilla and pushed out to browsers. The new version of Firefox gives the user complete control over when Java is loaded.

Users who don't like being bothered and who implicitly trust a specific site can configure CTP so that it will run any plug-ins that it finds on the site.

Click for a larger view.Windows users will find that updates will be a bit easier because the updater will be able to install new versions on systems where the user doesn't have write permissions on the Firefox directory.

To find out what version of Firefox is running, use the Help menu and select About Firefox.

Click for a larger view.Android users will find a new startup screen. A new page that Mozilla refers to as "Home" will provide access to commonly visited sites, information about recently browsed sites, bookmarks, search and more. Home is a "swipable" panel, which means that it will act the way tablet users expect it to.

When the user swipes the first panel to the left, the Bookmarks panel appears; subsequent swipes reveal the Reading List panel and the History panel.

If you don't update Firefox automatically, now would be a good time to visit mozilla.org.

Adobe Updates You'll Want

Adobe has been busy. There are updates for many Creative Cloud, Creative Suite 6, Lightroom, Camera Raw, and Elements applications. So, in general, whatever Adobe application you use, there's probably something new for you on Adobe's website.

Lightroom 5.3 is now available as a final release on Adobe.com and through the update mechanism in Lightroom 5. The goal of this release is to provide additional camera raw support, profiles for more lenses, and fixes for several bugs that were introduced in previous releases of Lightroom.

Camera Raw 8.3 is now available as a final release for Photoshop CS6 and Photoshop CC. This release provides new features including Auto Levels-like functionality and Auto Straighten. In addition, this release also includes bug fixes, support for new cameras and new lenses. DNG Converter 8.3 is provided for customers using versions of Photoshop older than Photoshop CS6.

The new features in Adobe Camera Raw (which are also automatically provided to user of Lightroom) include these:

Both Camera Raw and Lightroom have added support for 2 new Canon models, one from Casio, 2 from Fuji, 5 from Nikon, 1 from Nokia, 2 from Olympus, 1 each from Panasonic and Pentax, 2 from Phase One, and 3 from Sony: Canon EOS M2, Canon PowerShot S120, Casio EX-10, Fujifilm XQ1, Fujifilm X-E2, Nikon 1 AW1, Nikon Coolpix P7800, Nikon Df, Nikon D610, Nikon D5300, Nokia Lumia 1020, Olympus OM-D E-M1, Olympus STYLUS 1, Panasonic DMC-GM1, Pentax K-3, Phase One IQ260, Phase One IQ280, Sony A7 (ILCE-7), Sony A7R (ILCE-7R), and Sony DSC-RX10.