TechByter Worldwide


Program Date: 13 Apr 2014

It's Time to Change Passwords Again

Security researchers have identified a flaw in the encryption technology that's used to securely transmit data via the Internet. This could affect e-mail and Web-based communications, including websites operated by financial institutions. You know the drill: Change your passwords.

This threat has the catchy name "Heartbleed" and, although it was just discovered by the good guys, it's considered to be a serious problem because the problem has existed for more than 2 years. It's unknown how many bad guys might have found it in the interim. It's also unknown whether anyone has successfully used the exploit because using it would leave virtually no traces.

Hence the recommendation to change your password for all critical sites, such as those dealing with financial issues or medical data.

Two years ago, a programmer made an error in the OpenSSL code, which is used by many websites that need to provide the secure-sockets layer (SSL) protocol. Some bugs can remain unnoticed for months or years. Years, in this case.

OpenSSL is an open-source routine, which means that dozens or hundreds of developers might donate time to the project. What's a bit surprising, given the number of people who have seen and worked on this code, is that the flaw wasn't discovered for 2 years.

The bug was located in what's called the Heartbeat protocol that's intended to keep the communication channel active. It does this by communicating periodically with the other computer so that the session isn't terminated. The code that controls this is not in the main part of the code, but in a relatively obscure section that is probably not reviewed very often.

There is some good news, though. The flaw is believed to affect only a few of the busiest websites. The chief technology officer at security firm Qualys, Wolfgang Kandek, says that perhaps only about 600 of the 10 thousand most popular websites are vulnerable. The threat is thought to be more severe at smaller sites that use common open-source encryption software.

Researchers at Google and at Finland's Codenomicon almost simultaneously found the flaw. It affects the OpenSSL application that creates secure connections. A connection that might appear to be secure was still subject to snooping, according to the researchers. That is, the website URL might say "HTTPS" instead of "HTTP" and the browser's "secure connection" icon might be displayed, even if the connection wasn't secure.

OpenSSL was patched within days, but rolling out the patch to all websites and then depending on website operators to re-certify security keys will take time. Particularly now that the exploit has been made public, changing passwords would be a good precaution.

If you're curious about sites that you visit frequently, CNET has a good list.

You can also check sites that you use by running the URL through the site tester at http://filippo.io/Heartbleed/. Note that if you try this with techbyter.com, you'll see this message: "tls: oversized record received with length 20291". This isn't a problem because TechByter doesn't have user names or passwords and although STARTTLS is available on the server, it hasn't been implemented. The warning applies only to sites that have user names and passwords.

When you find a site that ran the flawed code, make sure that the flaw has been patched and then change your password for the site. Don't bother changing your password until the site has been patched, though. And if you used any commercial sites, keep an eye on credit card statements for unexpected charges.

Are You Satisfied with Today's Internet Privacy?

South By Southwest (SXSW) is the annual music, film, and interactive conference and festival held in Austin. This year, the owners of Giganews, Golden Frog, Data Foundry, and Texas.net hosted a program to discuss the current state of privacy on the Internet. The hour-and-a-half-long program is too long to include in this program, but I'd like to share some of the highlights with you.

If you'd like to hear the entire event, this is a link to the 90-minute YouTube version.

Somehow privacy has become a political issue and it shouldn't be. Ron Yokubaitis, the co-founder and co-CEO of Golden Frog, Giganews, Data Foundry, and Texas.net is clearly not a bleeding-heart liberal by any stretch of the imagination. As the host of the conference, he noted that it's not conservatives versus liberals or Democrats versus Republicans and it's also not just government surveillance but business surveillance that's a concern ...

The conference brought together several activists from Washington, Yokubaitis, and a Republican member of the Texas legislature:

The conference started by addressing the current privacy situation. Evan Greer of Fight for the Future stressed that concerns about privacy aren't new.

And Kevin Bankston of New America Foundation’s Open Technology Institute said that in the past year people overall have become more aware of the concerns and, although it seems that the situation is bleak, it's now better than it was.

Although most of the concerns expressed now regard government surveillance, that's not the only concern. Ron Yokubaitis, who has attended many SXSW conferences, says that he's equally concerned about commercial surveillance. He talked about experiences he's had in previous years.

But still it's government surveillance that is the hot-button topic for many and one way to mitigate surveillance is with tools that provide security. In general, these are applications that encrypt data when it's on a hard disk (data at rest) or when it's being transmitted (data on the wire). The primary problem, cited by Fight for the Future's Evan Greer, is that those tools are hard to use.

Many in what might be called the "privacy community" address surveillance as a violation of Fourth Amendment rights.

FOURTH AMENDMENT: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

But Greer says it's also a First Amendment violation.

FIRST AMENDMENT: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Regarding government surveillance, the government now allows companies who have been asked ("ordered") to provide information to the government to describe publicly what they have been asked (ordered) to release, but there are significant limitations.

"WHAT DO YOU PEOPLE WANT?" This is a common refrain from those who seem not to understand the implications of our loss of privacy to government and business interests. What do they want? Bankston explains exactly what they want.

Now is the time to speak up for privacy, security, and neutrality. If you wait, there may be nothing to speak up for.

The Windows 8.1 Update Arrives

The Windows 8.1 Update is big: 2000 megabytes. It's a cumulative update for Windows 8.1 that continues to streamline the interface, add support for more devices, enhance security, speed system operations, and improve reliability. What gets the most attention, in part because these are the features Microsoft enthusiastically points out, are the ones designed to make happy people who will never be made happy.

This week, PC World put it this way: The Windows 8.1 Update "should woo over all but the most obstinate of the PC faithful." The article points out that Windows 8.1 is now "a desirable operating system even for die-hard keyboard and mouse users" and says that there's little reason to avoid Windows 8 now. Not, in my opinion, that there ever was.

If you already have Windows 8.1, you need to install the Windows 8.1 Update soon. If you don't, Windows Update will no longer apply patches to your system starting with next month's patches. If you have installed Windows 8 but not the Windows 8.1 update, you'll still receive patches.

Let's get one thing straight on the terminology for Windows 8. First there was Windows 8. This was followed by the Windows 8 update (note the lower case "u" there) to Windows 8.1. The new version is called the Windows 8.1 Update (note the capital "U" there). You can see how people might be a bit confused. Some might even think that Microsoft has revived the old "Who's On First" routine. Sadly, no; they're just not very good at naming things.

The name Metro was shot down for the touch interface. They had to withdraw SkyDrive and rename it OneDrive. I suppose Windows 8.1 Update (with the capital "U") is safe enough, but couldn't they have called it Windows 8.2? Does somebody in Redmond think they're going to run out of decimal numbers? Apple has been running OSX 10.something for nearly 15 years now and I fully expect that 100 years from now they'll have OSX 10.137. Would it be OK for the purposes of this report if I called it Windows 8.2?

I mentioned that idea to my wife, but she told me I'm stupid. I already knew that (repetition is a wonderful thing), but it caused me to consider another option. Here's what I mean when I say the following: "Windows 8" is the original version, "Windows 8.1" is the first update to Windows 8, and "Windows 8.1 Update" is the current update.

The Windows 8.1 Update is cumulative and includes all previously released security and non-security updates, so it's large. It also requires users be running Windows 8.1. If you're still running Windows 8, you'll need to do a two-step upgrade.

So What's New?

You'll find 2 new buttons on what used to be called the Metro Interface: Power and Search. The Search button is useless because the search function appears if you just start typing, but for those who can't function without a button, it serves a purpose.

And the power button? That saves you one mouse click. Or maybe it doesn't. Most computers still have power switches and pushing the physical power button has the same effect. If you have trouble with the hot corners and you haven't yet figured out any of the other ways to turn the system off, this provides quick access to the power icon.

Microsoft has perfected the process that allows users who really, really dislike the Metro interface to boot directly to the Desktop, thereby eliminating the need to press the Windows Key and D to get there. And wait -- didn't they do that with Windows 8.1 and not the Windows 8.1 Update? On the other hand, if you've grown used to booting to the Start Screen and want to re-enable that feature, open the Control Panel and visit the Taskbar and Navigation Properties section.

Users who could never figure out how to close a Metro app will be pleased to find Minimize and Close icons on Metro Apps. Now you can click instead of using the old Windows standby of Alt-F4 to close applications.

I'm going to keep calling it "Metro", but Microsoft seems finally to have settled on a name for the former Metro ("modern") interface: They're calling it the area where Windows Store apps run.

For the easily confused, those folks who are unable to figure out how to get back to the Desktop when they're running a Metro application, the Taskbar is now available. Hover the mouse near the bottom of the screen when you're running a Metro app and the Taskbar slides up. The Taskbar itself has been modified so that Metro apps can be pinned there. In fact, the Windows 8.1 Update automatically pins the Windows Store icon to the Taskbar.

Among the features that really do solve a problem is something that Windows 8.1 Update does more slowly than Windows 8.1. Those with touch devices can swipe the Charms panel in from the right, but Microsoft created "hot corners" so that the panel would be accessible on computers without touch screens. The problem has been that users often need to place the mouse cursor near the corner of the screen to close an application that's running full screen and that could trigger an unwanted display of the Charms panel. Microsoft has slightly lengthened the hot-corner delay so that the user who simply wants to close an application won't be bothered by the panel, but the delay is short enough that users shouldn't be annoyed by waiting if what they want is the Charms panel.

Rumors continue: I keep hearing that Microsoft has plans to bring back a real Start Menu and I have to wonder why. Apparently there is also some perceived great yearning to be able to run Metro (Store) interface apps on the Desktop, so that feature is probably in the works, too. These would both be in place of new features that would actually be useful and that would have some purpose other than mollifying the obstinate.

But for as much noise as Microsoft made about this update, I'm not really finding very much here that's both new and useful. There are features that are designed to placate the "I Hate Windows 8" crowd, but it seems that nothing will placate them.

Actually, I'm being needlessly surly here. Microsoft says that Windows 8.1 Update runs on a wider variety of devices and, for business users, the Windows 8.1 Update includes "features that improve the compatibility of Internet Explorer, extend policy settings for mobile device management, and more easily install first-party apps for easier deployments across businesses." Windows 8 has been a tough sell in the corporate environment, so maybe that will help.

Microsoft has been diligent in attempting to gain acceptance for Windows 8.1 from corporate information technology managers. Delivering Windows 8.1 Update through the standard Windows Update process makes the IT manager's job easier. Additionally, the company is trying to make it easier for corporations to develop their own internal Metro applications by enabling what's called "sideloading" as a feature of Windows 8.1 Pro when a machine joins a corporate domain.

Windows Wasn't the Only Update on Patch Tuesday

Tuesday was definitely UPDATE day: 2GB of Windows updates, about 1.5GB of Adobe Creative Cloud updates, more than 500MB of Adobe Lightroom updates, smaller updates for Adobe Acrobat and Oracle Java, and nearly 1GB of Ubuntu updates.

Because I was updating everything else, I decided that it would be a good time to upgrade Ubuntu, too. The version I was using was no longer supported, so I opted to update to version 13.10 (Saucy Salamander). Before I could perform that update, Ubuntu needed to download and install about 200MB of other updates.

The Windows download and update had completed in about 32 minutes and the main part of the Ubuntu download and update also consumed about half an hour. In both cases, the updates ran without problems and ended successfully, with the exception of a driver problem under the Windows 8.1 Update on one machine. Downloading and installing the current driver for the sound subsystem resolved that problem.

Short Circuits

Two Extremely Short Circuit Items

Two events this week are worth noting, but this week's program is already running a bit long, so I'm going to combine these as the first item in the Short Circuits section.

Adobe Makes Lightroom Even More Portable

In coming weeks, I'll tell you more about some exciting news from Adobe. Lightroom continues to stake out a larger share of photographic workflow, whether for amateurs or professionals. Unfortunately, the latest enhancements are available now only for the Apple Ipad. The other IOS device, the Iphone, will be the next target for development, and then Android devices.

The new features make it possible to perform preliminary image culling and some basic editing on an Ipad, and that includes editing camera raw files. The gigantic raw files are represented on the tablet by much smaller proxies, so Photoshop-like editing isn't possible and not all of Lightroom's editing functions are available. The new features will be welcome, though, and they seem certain to change -- once again -- the way we work with photographs.

If you own Lightroom 5, be sure to obtain the latest free update to version 5.4.

Support for Windows XP Has Ended

There is no story here. This has been known for years. Some European governments are paying Microsoft millions for a few extra months of support. Apparently they didn't get the memo several years ago. Move along here, folks. Nothing to see.

Intel Shrinks its Employee Base

Intel says that it will eliminate 1500 jobs from its assembly operation in Costa Rica, but will continue to employ more than 1200 engineers, finance, and human resources workers there.

The company has been struggling in recent years because of the move toward smaller, portable computing devices. Intel is not well represented in that marketplace because most of the processors it creates are designed for notebook and desktop computers.

Intel says that it plans to relocate the assembly and test operations from Costa Rica to Asia and that this is part of a plan announced earlier this year. The change is intended to improve what the company calls "geographic closeness between plants and main markets."

Intel has maintained a manufacturing presence in Costa Rica for 15 years. Officials of the country say they're sorry to see this component of the company's business leave, but credit Intel with helping Costa Rica to develop itself as a competitive location for high-tech operations.

Microsoft Wants Nokia's Device and Services Division

It appears that Microsoft's plan to acquire a division of Nokia is moving forward. The company started the $7.2 billion process last year and had hoped to complete it during the first quarter of this year. That didn't happen, but the end is in sight.

The US Department of Justice approved the purchase in December and the Federal Trade Commission's Bureau of Competition also added its permission. The latest piece to fall into place is approval by Chinese regulators. Previously, the European Union and Japan's regulators had also approved the deal, as had Nokia shareholders.

The deal could now close this month.

Microsoft also plans to license Nokia's mapping services for future versions of the Windows Phone. This deal is essentially an outgrowth of a relationship that began in 2011 and led to Nokia's development of the Lumia brand of smart phones.