Sigh.
I really shouldn’t have read Bruce Schneier’s CNN Opinion post over the weekend: The Internet is a surveillance state
I’m not a tinfoil-hat wearing guy…Stetson is more my thing, but I think he makes a valid point. The rate at which we generate capturable data in our daily lives continues to get easier and easier. Almost every local or national store I do business at wants to capture my email address or phone number. More than a few look offended at me when I decline to immediately sign up for a “consumer rewards” card at checkout.
Our ISPs and our cellular providers likely capture more data about our web-habits, our locational habits, and all points in between.
I seriously doubt we could successfully fly “under the radar” even if we ditched all things electronic, because even if we don’t directly create “data track patterns” via digital activities, our “off-line” actions would continue to get logged by others who remain plugged in.
I’ve come to accept that -- even if my head is dizzy from the constantly accelerating pace of data collection we subject ourselves to -- what really, truly, frightens me are the following things:
- Others who collect that data just don’t seem to be able to keep it secure.
- The personal consequences for data loss/theft/abuse become larger and more catastrophic in impact.
- More and more people seem to just not know or care about data collection or protection.
- Data collection to these businesses, organizations, entities seems to be a right -- not a privilege.
- Your rights to control (and knowledge about) the data collected on you seems to get more and more removed from your ability to do anything about it.
In many people’s minds it has just become another price to pay for the privilege of eating at the trough.
The consumers are the consumed. Reminds me of a digital version of a certain classic film.
Bruce’s well composed post reminds us in IT…gatekeepers, sysadmins, for/sec incident responders, and policy makers that our own cry should be “Data is people!” And never, ever forget it.
Filed under “Oh Bother”
- Former Obama advisor argues Comcast is a threat to the open Internet - Ars Technica
- The World Has No Room For Cowards - Krebs on Security
- If I Can’t Trust You with my Photos, How Can I Trust You with My Sensitive Data? - Newsome.Org
- Yahoo Mail accounts still hijacked daily - Help Net Security
- Yahoo Mail Accounts Have Been Getting Hacked for Months - TheNextWeb - These Yahoo account hacks are still happening way too frequently. Every couple of weeks I get a call from a friend (or see a spam email sent to me from their Yahoo mail account). Yahoo claims to have fixed the XSS issues but it serves as a solid reminder to me to never, ever, ever, browse the web logged into any secure account I have. I log into the service…do my business…log out. Dump my cache/cookies/saved forms/etc. Restart the browser, and go on to the next site. It is a super-hassle but is the best I can do to avoid XSS site hacks/exploits (even beyond using NoScript). A simpler way would be to drop into your browser’s “Private” browsing mode for your secure login session.
- Bits from Bill: Hackers Steal WinPatrol Data Already Available
- Most PC security problems come from unpatched third-party Windows apps - Ars Technica
Cold Java
I was feeling so smug and confident having recently thrown in the towel with Java here at the Valca homestead and removing it from all of our Windows systems. At seeing notice of the latest Java releases I automatically began moving towards my Java download site to snag the updated…when I realized I didn’t need to.
When I set up my father-in-law’s new (to him) laptop with Windows 7 I didn’t install Java. He asked me about Java when I was showing him just how similar Windows 7 would be to him from his old XP system. He said he was wondering how he needed to update Java since it was always complaining on his old XP system. He looked relieved when I told him he probably wouldn’t need it so I didn’t even install it. The Java update notices in the system tray just confused him to no end.
So Saturday, Alvis started complaining about her on-line college class course not working on her laptop. A “sidebar” used to navigate the course and material was missing.
Hmm.
At first I thought it had something to do with the upgrade to IE 10 I did on her Windows 7 laptop. It’s been Spring Break so she hasn’t worried about classes since the update.
I added the college domain into the IE compatibility mode and that helped (the site now saw the browser engine as IE 7) but didn’t fix the issue.
According to the college, their program was only supported on IE, not Chrome or Firefox or Opera. I tried.
More troubleshooting with their helpfully unhelpful wizard.
Eventually I figured out it was trying to call to Java. Well, that made sense since I removed it at the same time I upgraded to IE 10.
So I did the “correct” thing and installed the latest, most secure version of Java, 1.7.17. Only it still didn’t work as that was an “unsupported” version of Java.
SO I did the next-best “correct” thing and installed the latest, most secure previous version of Java, 1.6.43…and went into the Java control panel applet to disable use of the 1.7.17 version (and showed Alvis how to toggle between them). That works for me at work with a particular Symantec Java console applet that likes 1.6 but not 1.7. Alas, the college’s web portal still saw the 1.7 version and wouldn’t run.
(Side note: The Java 1.6 download versions aren’t easily accessible to install directly from Java.com as it is no longer being publicly made available. I had to grab a copy off a trusted third-party software mirroring site. Later I was able to finally find a public link to it on Java after all: Java Downloads for All Operating Systems Version 6 Update 43). That will probably be the end of the line for 1.6 so you better bookmark this link if your Java app doesn’t like 1.7 builds.
SOOOO I uninstalled Java 1.7.17 completely. And then the web-app portal was happy and Alvis could finish the course homework she had put off over Spring Break.
And all the hard work and victory I felt about us “plain home users” not needing to fuss with Java evaporated.
So it looks like I will have to continue to regularly scratch that itch on at least one of our home systems for the foreseeable future.
- New holes discovered in latest Java versions - The H Security: News and Features
- The Lowest Hanging Fruit: Java - F-Secure Weblog : News from the Lab
- All I need Java for is .... - ISC Diary
- Oracle investigating after two more Java 7 zero-day flaws found - ZDNet
- New Java 0-day exploited in ongoing attacks - Help Net Security
- Blackhole Exploit Kit Run Adopts Controversial Java Flaw - Security Intelligence Blog / Trend Micro
- Another Java zero-day exploit in the wild actively attacking targets - Ars Technica
- And the Java 0-days just keep on coming - ISC Diary
- Java j6u43 update #YAJU - ISC Diary
- Java 7u17 update #YAJU - ISC Diary
- Oracle plugs critical Java vulnerability it knew of in February - The H Security: News and Features
- Oracle releases emergency patch to fix exploited Java flaw - Help Net Security
- Malicious Java applet uses stolen certificate to run automatically - Help Net Security
..and the Emperor Flash is found to have no clothes…
- Adobe releases third security update this month for Flash Player - Ars Technica
- Flash in Windows 8 - IEBlog
- Microsoft changes default Flash behavior in Windows 8 and RT - ZDNet
- Microsoft Adds Flash Back To IE10 - Is That A Good Thing? – ReadWrite
- Guess what? Flash is vulnerable again...still - BetaNews
- Adobe closes more critical holes in Flash Player - The H Security: News and Features
- Flash Safety 101 - Security Intelligence Blog / Trend Micro
For those who care…
- Adobe Flash Player Distribution - Adobe
- Shockwave Player Distribution Downloads - Adobe
- Java Downloads for All Operating Systems - Java.com
- Qualys BrowserCheck
Stay safe.
--Claus Valca.
3 comments:
For the most part I have been able to get away with not having Java on my desktop, just the laptop. The college district is transitioning to a new online course system. I am attending two different schools in the same district, one uses the new system and one uses the old system. Neither of them require Java, but they don't seem to like Chrome. However, for my Cisco Network Security class (how ironic), to access the course labs which control the equipment virtually, we need to have Java installed and it doesn't seem to like the newer version of Java.
There's no need to go to a 3rd party site for Java, but java.com is not where I go when I have the unfortunate need for it. The latest Java Runtime Environments (JRE) for both version 6 and 7 are available from links on Oracle's Java Standard Edition page:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
-Bret
@ Bret - You are right. I always do prefer to get all my downloads/updates (especially third-party browser plugins) directly from the source rather than download sites. I do "cheat" by RSS feeding a site like FileHippo to keep me abreast of updates as it seems to have the most that I use. There are times that FileHippo can serve downloads faster than from the source. But there are security concerns (is your binary good or tainted) with any "mirrored" source.
For Java downloads I like using this source myself:
http://www.java.com/en/download/manual.jsp
Cheers!
--Claus V.