Monday, April 21, 2014

Heartbleed

Heartbleed (CVE-2014-0160) is nothing short of an Internet disaster. Here's why:

1. In a noble effort to clean up OpenSSL, the OpenBSD team is reportedly making hundreds of changes per week. Unfortunately, that means new bugs are being introduced no matter how careful the review. You cannot test in quality — it has to be designed in from the beginning. What we should be doing is starting over from scratch with a robust programming language. C and its progeny aren't suitable for mission-critical programming. (Ada would be a good alternative.)

2. History teaches that a substantial percentage of compromised machines won't ever get patched and will continue to be exploited. Until we all start taking security seriously and come up with a way to rapidly push out a mandatory fix to all affected machines (which ain't gonna happen anytime soon), we're going to have to live with a fundamental lack of security. The lesson here is that transmitting sensitive information over the Internet is folly without careful, strong offline encryption.

3. Heartbleed is at least partly a consequence of the cruel hoax of free software, where talented individuals are tricked into working without monetary compensation to the great benefit of commercial enterprises. There needs to be some way to fund essential projects for the public good, especially because we can't afford to continue to rely on wishful thinking.

Tuesday, April 1, 2014

Google Sneakware

Updated 24 July 2014 to reflect the latest Google sneakware.

Watch out for Google "sneakware" on Microsoft Windows!

If you use Picasa, Google is installing Google+ Auto Backup even if you don't use or want Google+.

And Google is enabling Chrome to always run in the background for Notifications and Hangouts with just brief popup notices.

All are privacy and security issues and a drain on system resources.

  1. To get rid of Google+ Auto Backup, uninstall it in Control Panel.
  2. To stop Chrome running in the background, open Chrome > Settings, Search settings for "background", and uncheck "Continue running background apps when Google Chrome is closed".
  3. To stop Hangouts, open Chrome > Tools > Extensions, go to Hangouts, and uncheck Enabled (or click Delete).