RyuKent on Life

Following the last post about security problems, today we hear that at the hacker contest Pwn2Own Microsoft Internet Explorer 8 running on Windows 7 was compromised in less than 2 minutes. The setup runs DEP and ASLR which are anti malware defences designed to protect memory by restricting buffer overflow and randomly assigning memory addresses to make life hard for hackers.

Obviously all that hard work Microsoft put in to protect us ultimately provides very little real protection. Yet another example of how easy it is to run malicious code on our machines. The worry is that when we’re told we are running protected software that we believe this to be true and don’t take the basic precautions that are essential these days. Avoid going to dodgy websites where possible. Don’t download from untrusted sources. Always operate behind some kind of firewall. Don’t trust emails just because they come from addresses you know. I’d go so far as to say that we should only engage in online banking from a separate setup than we usually use for everyday browsing (i.e. chrome on Linux instead of our usual Firefox on Win7) though this is clearly not convenient for most.

And… don’t forget that iPhones aren’t safe either!

After the German government issued a warning that there was an immediate threat to the use of Firefox 3.6 allowing poisoned sites to compromise users’ machines, Mozilla have issued an emergency update to correct the problem. This comes as yet another example of how bugs in the browser put users at risk. Increasingly viruses and malware are being spread not by downloading infected software, but simply by visiting websites.

The question then must become, should we switch browsers if we consider this a problem. Of course it’s a problem but with users hopping backwards and forwards, do they really gain more protection and is it likely to cause more confusion ultimately leading to lack of security? In the long run it will be the browsers that successfully issue patches quickly and can be relied upon. If you’re going to stick with one, you want the software that will be updated automatically and you won’t have to switch from. By issuing a quick fix, Mozilla are no doubt proving they are tackling the issues head on.

The update was originally planned for the end of the month but considering the danger and bad press generated by such an official organisation in Germany urging users not to use the software, the patch was rushed through.

To make sure you have the most recent version, within Firefox, click on ‘Help’, then ‘Check for updates’. As of today, you should be running 3.6.2. This can be checked by selecting ‘Help’, then ‘About’.

Despite the fact that there is an official Delicious extension for Google Chrome in the pipeline and available in Alpha here, I am still looking for a decent plugin that actually works.

Recently I’ve tried a number and it seems they are all missing the ability to search through your existing bookmarks easily, like you can do in Firefox with the official plug in there. Some of the worse ones don’t even allow you to use keyboard shortcuts to bookmark. This is a real turn off for me as I hate having to use time consuming mouse movements which slow me down and are fiddly on a track pad.

At the moment, Chromium Delicious Plugin seems to be the best option. It allows quick bookmarking with CTRL+M and is very lightweight. For searching through your bookmarks, it’s possible to use Chrome itself.

Right click on the address bar, then select “Edit search engines”. Click on add and use this following string as the URL

http://delicious.com/search?p=%s&chk=&fr=del_icio_us&lc=1&atags=&rtags=&context=userposts|@@@@|

Note that the @@@@ will need to be replaced by your username. Call the entry Delicious and use the keyword “d”. This way if you want to search through your bookmarks, just hit CTRL+L then type “D ?????” where ????? is your search string. This is quite a nice integrated approach.

Lets hope there’s a decent official one coming out soon.

I’m currently loving the new Google Chrome extensions. Today I’d particularly like to plug Furigana Injector. This great little plugin adds furigana to kanji on websites.

It can be downloaded within Chrome at this address. With an increasing number of top quality extensions now available, the battle between Firefox is going to get interesting. With Chrome’s superior speed and seemingly faster development we will see people switching left right and centre.

Linux-mag have posted a very interesting article comparing Ubuntu and MacOS. Strongly recommend a read. Link here.

I’ve been doing some experiments trying to use Japanese characters in Adobe Air applications. There doesn’t seem to be much written on this subject so far. I’ve discovered that it is possible to input in Japanese in both Windows and Linux (using SCIM), but that it is program specific and depends on the fonts that have been selected in the application. Unlike Java which has a system of switching to a different font when a character is not found in the default set, Air will not continue if it cannot render the character in the selected font.

Some applications seem to have implemented a work around by having an international font that can be selected in the settings. TweetDeck is a great example of this. You can turn on the international font and then SCIM works fine. See below:

So basically, at the moment, until Adobe improve the Air system, it looks like the suggested way of getting east Asian characters to work in Adobe Air is to contact the developer and ask them to implement an international font. I imaging the prospect of their software also working in China, Japan and Korea would probably be enough for most to do this.

TechCrunch is reporting that a new application will allow push email notification for gmail on the iPhone. The system apparently uses the IMAP IDLE function and sits in the background allowing the authors server to ping your phone when an email comes. The only drawback is that you have to give away your username and password to a third company. We are still not sure how secure that will be.

The app, called GPush has been submitted to the appstore for vetting. Who knows whether Apple will agree to it. As push gmail is already available on other phones maybe there is some reason why Apple are allowing Yahoo but not Google. Anyway, it would be welcome for all us gmail users who are willing to risk our passwords and need instant gmail, not being able to wait 15 minutes for the system to dial in. Watch this space. I’ll keep you updated on when this app is available.

What is one of the most dangerous things people do these days? They use one or two passwords for every site that they set up an account for on the internet. They might think that password is secure, but how secure is every site they give it to? A hell of a lot of people use the same password for their primary email account as they do for some random forum they wanted to post on. Dangerous! If someone hacks the forum and gets hold of their password and email, chances are, they’ll try the same combination on every other popular site…. ebay, paypal, online banking. You get the jist.

So if we are to have a different password for every different site, how on earth are we going to remember all these long and secure passwords? The answer is KeePass. This wonderful freeware open source application will keep all your passwords secure. How many times have you forgotten you had an account or had to create a new one because you forgot the password? KeePass will solve this. Moat people fear storing all their passwords in one place, but as long as this place is secure, there is a relatively low chance of anyone getting to the file. Then there’s the fact that the file will be encrypted using AES. This is the same encryption system that US diplomats use. Finally the data stored in memory will also  be encrypted to prevent other applications from accessing it.

KeePass is great, not least because it runs on Linux, MacOS and Windows, so you can take your passwords wherever you go. There’s a Blackberry port, android port, mobile Java port and they are even working on an iPhone port too. Any where you go you can take your password file with you and only with the master password can anyone read it. If course you have to remember one really long, strong password, but if you can remember that, all the rest of your accounts are safe.

And KeePass stores more than just passwords. It stores the URLs to websites you have accounts on and also your usernames. You can even add extra notes for each account. This way you can easily keep track of hundreds of accounts and give each one a different password. The password can be something you’d never be able to remember. The built in copy paste system allows you to transfer these passwords securely when needed without having to type them in, thus avoiding keyloggers.

Of course, no system is without its cons. Keeping your passwords all i one place would increase the danger should someone get hold of your password database along with your master password. But I am very much of the opinion that this would be much harder to do than to hack a small time forum you’ve used the same password as on other sites for. Security is only as strong as the weakest link. Make sure you have decent antivirus and spyware apps. Make sure you avoid using internet explorer and preferably windows if you can. If you follow simple common sense rules, KeePass should help organise your accounts and allow you to implement a more secure password regime.

You can download KeePass here.