How much Java do you need?

March 9, 2011

Sun Oracle has been giving us a few reasons to get rid of the Java Runtime Environment (JRE) from end-user machines for a while now.

I’ve been struggling with this decision, as I need Java for my favourite mind mapping software but I don’t want it to be used against me by Internet criminals.

My initial reaction was to remove Java completely and just keep the installation package around, for whenever I needed to do mind mapping. This soon got ridiculously cumbersome, so I’m now on to the next model:

Keep Java for local use, but disable Java for the browsers.

This still allows local applications to use Java, but stops Web-borne remote exploits from being delivered to my machines.

First of all: Get the latest Java

First things first. Always ensure you run the latest software. Visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that you have the latest version (currently 1.6.0_24).

If you haven’t got the latest version, download and install it from http://www.java.com/

Then verify that auto-update is turned on and runs frequently enough. For Windows users, go to Control Panel -> Java. Switch to the “Update” tab of the window that comes up and then click the “Advanced…” button. This should show you something like this:

The default is to check for updates once a month, which is a bit pathetic. Change this to weekly at the very least, or daily if you’re serious about your computer’s security:

Then click “OK” to save & close this dialog and “OK” again to save & close the Java settings window.

Now, onto the browsers:

Firefox 3.x

Go to Tools -> Add-ons and you see something similar to this:

Click on “Disable” for both Java extensions, to get this result:

Don’t restart Firefox just yet! Now, onto the “Plugins” tab of the same window:

Click on both Java entries and on the corresponding “Disable” button of each entry, until the window looks like this:

Now it’s time to hit that “Restart Firefox” button in the Add-ons window to restart your browser.

After you’ve restarted, visit http://java.com/en/download/installed.jsp?detect=jre&try=1 with Firefox to verify that Java is disabled.

You should get the following result:

Congratulations – Java has been disabled in Firefox!

Note: Some people may point out that using the NoScript plugin achieves the same goal in a more elegant way – i.e. it allows one to selectively allow the execution of Java code in Firefox. The problem here is that NoScript works on the premise that websites you trust will not deliver malicious code to your machine. Unfortunately there are reports that claim that up to 75% of websites serving malicious code are legitimate websites that have been compromised. Add to that the fact that malicious code can be delivered to your machine through ads served from trusted domains like google.com and yahoo.com.

The only way of protecting against this headache is really to keep all browser plugins updated and disable the ones you don’t absolutely need. Java is not the only culprit here: Adobe’s PDF reader and Flash plugin, as well as Microsoft’s DirectShow and Media Player, are also repeat offenders.

Internet Explorer

If you’re forced to use Internet Explorer (e.g. because some luminary in your organisation had the brilliant idea that the “free” SharePoint server was a good development platform for your corporate websites…), follow these steps:

First, make sure you have the latest version of the browser. Microsoft itself is begging people to stop using IE6, as it’s an open window for remote control of your machine by criminals. Download and install the latest version of IE.

Now, let’s disable Java in Internet Explorer:

Go to the menu “Tools” -> “Manage add-ons”.

(this example is from IE version 8 on Windows XP, your version might be slightly different)

In the “Manage add-ons” window, select “Show add-ons” on the left hand side pull-down menu:

Now you can see all Java add-ons listed. Select each of them with a single click and hit the “Disable” button:

The final result should look like this: (all Java add-ons disabled)

Now click the “Close” button on the bottom right and close your browser.

Annoyingly, I’ve found it necessary to also disable the Java plugin from the Java Control Center – as disabling it from IE alone does not seem to be enough…

Go to Control Panel -> Java and then to the “Advanced” tab. Make sure the options look like below:

Save & close with “OK” – you will get a popup similar to this:

Click OK and then fire up Internet Explorer to visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that Java cannot be executed in IE.

You should get one or more of the following popups:

(this means you disabled the add-on in IE but not in the Control Panel. Unfortunately this seems to result in Java code somehow getting executed regardless!)

(surreal web page, telling you both that Java *is* and *isn’t* working, but there you have it)

If you’ve disabled everything appropriately you should see the following:

Clicking “OK” will eventually land you in this page:

…which is lying to you. You don’t have an old version of Java. You just have a disabled installation.

If you need to use Java for local applications, that’s the best place to be.

Otherwise, if you’re tired of all this faffing about, just uninstall Java completely to get it over with and have one less thing to worry about.


How difficult can Denplan make it for customers to protect their personal information?

February 18, 2011

It turns out the answer is “quite”.

Consider the following gem from the “corporate claim form” – this is a piece of paper you have to sign and send to Denplan if you’ve had treatment and are claiming back the costs, as covered by your corporate dental insurance:

(Click the image for a larger version)

This is how I understand this part (let’s call it “Part 1”):

  • As long as you use our services, we’ll send your personal information to anyone we like.

Reading on, we reach Part 2:

(again, click on image for larger version)

Here we are told: “You may be contacted by phone, telephone or electronically if appropriate. If you DO NOT wish us to do this please tick below as appropriate.”

This is how I understand this:

  • Ticking below will stop us from contacting you.

And then, the million-dollar statement:

“Denplan Limited may send you details of other products and services.”

The way this is phrased, putting a tick right next to it directly implies “YES, you may”! Even though the sentence above implies the exact opposite.

The lunacy continues with Part 3:

(click on image for larger version)

This part says “To enable them to send you details of their services we may also share some of your details with other AXA group companies based within the European Economic Area [TICK?] and with other carefully selected companies based within the European Economic Area [TICK?]”

Again, it’s not clear how the customer can indicate “No, I don’t want my details shared with others!”, as both phrasing and intuition say “don’t tick here”, but the instructions tell you to “tick as appropriate if you don’t want this to happen”.

Absolute rubbish. Certainly a strong candidate for the Plain English Campaign’s Golden Bull Award.

If you’re a Denplan customer, I’d suggest writing to them to point out this gobbledygook and get it fixed.


It’s a simple web page!

February 10, 2011

No it’s not.

Most pages on the web nowadays:

  1. draw content from multiple sources
  2. execute programs (scripts) on your computer, also from multiple sources

What does this mean for you?

Well, for starters it’s important to leave behind the misconception that a web page is a simple thing. There is usually a lot going on in the background that you don’t see. But it’s there. This is how online advertising revenue is generated, and how “advanced” online services operate.

It’s also important to realise that “trust” is a very thorny issue. Visiting the website of (for example) National Geographic shouldn’t be an issue – I mean they’re a respectable business, right? But hang on, on closer examination, look what happens when you visit a single page:

All of a sudden it’s evident that this web page, hosted on nationalgeographic.com, is requesting content from EIGHT (8) different domains, not all of which have an obvious relevance to the web page you are trying to see.

Do you know and trust all of them?

Further, aggregating content from many different domains in one web page usually translates to executing code in your browser, on your computer, from all those different domains you had no idea you were communicating with!

In summary:

All you did was request to see a web page from nationalgeographic.com – which you trust.

Subsequently, and without your express permission or knowledge, your computer was instructed by nationalgeographic.com to download content from virtualearth.net, zozi.com, google-analytics.com, 2o7.net, quantserve.com, dl-rms.com, imrworldwide.com and ngeo.com.

Your computer also downloaded and executed programs (scripts) from the following domains: googleadservices.com, google-analytics.com, 2o7.net, quantserve.com, virtualearth.com, dl-rms.com, scorecardresearch.com, and doubleclick.net.

I’m only aware of this carnage because of two Firefox addons I use: NoScript and RequestPolicy. But they’re cumbersome to use and require constant adjustments.

Have that in mind next time you catch yourself thinking “I’m safe online because I don’t visit random websites”.
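The kind of inventory the post describes (which hosts a single page fetches from, and which of them get to run code) can be produced from the page's HTML alone. This is an added example, not code from the blog or from RequestPolicy/NoScript; the sample page is constructed, with made-up first-party and CDN hostnames, to mimic the pattern the post complains about.

```python
"""Enumerate the domains one HTML page pulls content and scripts from.

Added example, not the blog's own code.  The HTML below is constructed
to mimic the pattern the post describes: a page on one host that loads
images, frames and scripts from many other hosts.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src/href/data attribute makes the browser fetch a resource;
# <script> additionally makes it execute code from that host.
FETCH_ATTRS = {"img": "src", "iframe": "src", "link": "href",
               "embed": "src", "object": "data", "script": "src"}


class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.content = set()   # hosts anything is fetched from
        self.scripts = set()   # hosts code is executed from

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # Resolve relative and protocol-relative ("//host/...") references.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host:
            self.content.add(host)
            if tag == "script":
                self.scripts.add(host)


def registrable(host):
    """Collapse a hostname to its last two labels (adequate for .com/.net)."""
    return ".".join(host.split(".")[-2:])


def third_party_report(page_url, html):
    """Return (content_domains, script_domains) outside the page's own domain."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = registrable(urlsplit(page_url).hostname)
    content = {registrable(h) for h in collector.content} - {own}
    scripts = {registrable(h) for h in collector.scripts} - {own}
    return sorted(content), sorted(scripts)


# Constructed sample page: one first-party host plus several third parties.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="https://ad.doubleclick.net/adj/example"></script>
<link rel="stylesheet" href="//cdn.example-static.net/style.css">
</head><body>
<img src="http://maps.virtualearth.net/tile.png">
<iframe src="http://pixel.quantserve.com/pixel"></iframe>
<script src="http://edge.quantserve.com/quant.js"></script>
</body></html>"""

if __name__ == "__main__":
    content, scripts = third_party_report("http://www.example.com/page.html", SAMPLE_HTML)
    print("content fetched from:", content)
    print("scripts executed from:", scripts)
```

Only resources declared in the static HTML are counted; scripts that inject further requests at runtime (the usual way ad networks chain to yet more domains) can only be seen in the browser, which is what RequestPolicy does.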


Here come the “smart” phones

February 6, 2011

I’m very glad someone took the effort to prove this can be done, for all the denialists and optimists-to-the-point-of-criminal-negligence out there to get a grip:

“A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.”

Source: ThinkQ article

This means that installing a single malicious “app” for your smartphone can turn it into the ultimate tool to steal any of your confidential information. Notice that anything you *say* over the phone is also suspect.

Blog post by Bruce Schneier with good links here.

The funny part with this is that the optimists will say “yeah, but it needs user permission!”, as if they know exactly where each and every piece of software they installed on their computer/phone came from. Or as if automated remote installation of smartphone apps will not come knocking on our doors as it did for personal computers.


Quidco cookies

February 2, 2011

I’ve been using Quidco lately to benefit from cashback deals for stuff I purchase on the Internet.

It’s always been on my mind to figure out how such businesses make their money and I suspected there would be a lot of tracking going on (for a little bit of extra cash).

Well, last week I got some time to play with this, so I deleted all browser cookies and then booked a train ticket and a hotel room for my next trip. The result was 67 cookies on my local disk! Other than the obvious ones (the train company, the hotel company, quidco itself), the standard ones that are linked to everything and you can’t avoid grabbing a cookie from (facebook, yahoo, twitter etc), the list still sported an impressive assortment of sites I had no idea my computer was doing business with:

Needless to say, purchasing anything through Quidco is very difficult with privacy-enhancing plugins like RequestPolicy and NoScript (it takes too much work to manually allow all cross-site communications, scripts etc) – so I just use my “throwaway” browser (Internet Explorer) to use Quidco and then wipe out all cookies with CCleaner.

PDF file listing all cookies dropped to my machine during that session: Quidco cookies log


A “perfect storm” of cyber attacks

February 2, 2011

What an utter load of baloney:

Not that I expect any self-respecting reader to pay heed to what such papers tout, but this fear mongering is still impressive.

Here’s what a more respectable organisation (BBC) has to say on the exact same issue:

Risks of cyber war ‘over-hyped’ says OECD study

And here is the OECD study itself (pdf)

Now, why is the Metro trying to mislead and scare the public like that?


I accept, please, no more!

February 2, 2011

Clearly, all passengers of trans-Atlantic flights do read the four lengthy legalese documents necessary to book a flight…

This is an interesting problem.

Companies can insert whatever terms they wish in those documents on the safe assumption that (statistically) nobody will read them. Why does that happen? Probably because these pesky things stand in the way of the customer’s primary task*, which is booking the flight and getting it over with.

Perhaps a more automated solution similar to P3P might be worth considering, to make contracts between vendors and customers more meaningful. As it is, we’re at the mercy of whatever Terms & Conditions the vendors decide to impose on us.

Remember, you’re voluntarily entering this contract. It will be very difficult to complain afterwards.

* See page 40 of Peter Gutmann’s security usability book chapters for a good (and funny!) example of how this problem-solving model works.


Don’t worry, it’s as secure as Chip and PIN!

January 20, 2011

MBNA (Bank of America) customers getting new credit cards might notice a new feature thrown in for free: A card that does not require the owner to insert the card anywhere, but instead communicates with the payment terminal wirelessly.

The cards come with an A5 sheet of paper explaining the new features:

You may be thinking – what about security?

The asterisk points to the following footnote:

Let us go through some of these statements:

“Even though you aren’t entering a PIN, your transaction is still completely secure as your card has the latest chip in it…”

This, on its own, is hogwash.

“…and uses the same payment technology as a Chip & PIN transaction.”

Here the bank is saying that *not* using your PIN is secure because you’re using the (presumably infallible) Chip & PIN technology. It’s like saying it’s okay not to use your seatbelt, because your car has got power brakes & seatbelts. Only with Chip & PIN it’s worse, since the security of the whole system falls apart without the PIN.

Further down we read:

“To speed up the transaction you generally won’t be given a receipt…”

Great. There are very good reasons receipts are mandatory for any kind of transaction, whether it’s buying a toothbrush or electing the next president of a nation. Let’s teach the next generation that receipts are pesky pieces of paper that slow us down.

“You will also still be covered for any fraudulent activity on your card just the same as chip & PIN transactions”

Fabulous. All these “completely secure” systems and they’re slapping this warranty on top! It’s just too good to be true.

“…providing you let us know as soon as you notice any unrecognised transactions on your statement or notice your card is missing.”

Ahh, here’s the catch. You need to check your statement every month, putting the onus on you to find the fraudulent transactions. If you don’t, it’s your fault and the bank will not refund the money stolen from your account.

Doesn’t look like such a hot deal after all.

The banks are using the term “Chip & PIN” as a magic wand – hoping that some of its “complete” security will spill over to the new contactless, PIN-less world. They are using something that is already broken to argue that a not-obviously-related product is also secure. If this is really the foundation these systems are built on, it’s not sound.

How is that not a harbinger of trouble for consumers?


Tracking good samaritans

January 19, 2011

I got the following email from hotels.com the other day, asking me to provide feedback on their service and the last hotels I stayed at.

Nothing wrong with that – I have no direct benefit from this but believe in the power of community feedback etc. So I thought what the heck, let’s take the time to complete a quick survey.

So I clicked on the “write a review” link in the email, which directed me to this URL:

http://click.mail.hotels.com/?qs=d022f9b41a16aff5d6ebfc436e6bb406416e73ed4926ea9826856a4c9a1a5fe9571b8d186c7913567898645f30c4bdb9

…which redirected me to:

http://ad.doubleclick.net/clk;229503547;53487117;m?http://www.hotels.com/submitreview.html?lastName=mylastname&itineraryId=53807570&intlid=review&rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887636&et_mid=198875&_dc_ck=try

…which finally takes me to a webpage that demands I download and execute Javascript code in my browser before displaying anything:

http://reviews.hotels.com/7014h-en_gb/7310/writereview.htm?format=embedded&user=6bf4d77c00a3e7254a885e86b510cf53646174653d3230313130313138267573657269643d35333830373539305f2d3130342650726f6475637449443d37333130264850726f706572747949443d32373431363226545049443d2d31303426545549443d3533383037353930264c6f6249443d33264974696e49443d3533383037353930264c69643d32303537264272616e6449443d39264f726967696e3d73697465&submissionurl=http%3A%2F%2Fwww.hotels.com%2Fsubmitreview.html

Asking for the “Privacy Policy”, takes me here:

http://ad.doubleclick.net/clk;229503547;53487117;m%3Fhttp://www.hotels.com/customer_care/privacy.html?rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&intlid=FTR.TR.SUR.eml.privacy&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887677&et_mid=198875

(I substituted my real information for the red text in the above URLs)

It’s an Orwellian world when requesting a privacy policy sends one’s personal information to a DoubleClick tracking page…

PS: If you want to know & control which websites your browser connects to, use Firefox with the RequestPolicy addon.
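The redirect chain above can be taken apart mechanically: the ad network's link carries the real destination after the `?` (or after a percent-encoded `%3F`), and every per-recipient parameter in that destination is visible to the tracking host before the customer ever reaches hotels.com. The script below is an added example, not the blog's or either company's code; its sample URLs copy the structure of the links in the post but use placeholder identifiers, and the set of parameter names treated as personal is an assumption based on their names.

```python
"""Unwrap an ad-network click-tracking link and list the personal data it carries.

Added example, not the blog's own code.  The sample URLs are constructed to
match the shape of the DoubleClick "clk;...;m?<target>" links in the post,
with placeholder values in place of real identifiers.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names, taken from the post's URLs, assumed to carry per-person
# identifiers (surname, e-mail address, user and booking ids).
PERSONAL_PARAMS = {"lastName", "et_e", "et_u", "itineraryId"}


def unwrap_click_url(url):
    """Return (tracker_host, target_url) for a 'tracker?target' redirect.

    Handles both a literal '?' before the target and the %3F-encoded form
    seen in the privacy-policy link, where the target sits inside the path
    and the target's own query string becomes the outer query.
    """
    parts = urlsplit(url)
    if parts.query.startswith(("http://", "https://")):
        return parts.hostname, parts.query
    path = unquote(parts.path)
    if "?" not in path:
        return parts.hostname, None
    target = path.split("?", 1)[1]
    if parts.query:
        target += "?" + parts.query
    return parts.hostname, target


def personal_params(target_url):
    """Return the name/value pairs flagged as personal, percent-decoded."""
    return {k: v for k, v in parse_qsl(urlsplit(target_url).query)
            if k in PERSONAL_PARAMS}


def analyse(url):
    """Summarise which host sees the click and what personal data rides along."""
    tracker, target = unwrap_click_url(url)
    return {"tracker": tracker,
            "target_host": urlsplit(target).hostname if target else None,
            "leaked": personal_params(target) if target else {}}


# Constructed samples with placeholder ids (structure copied from the post).
SAMPLE = ("http://ad.doubleclick.net/clk;111111111;22222222;m?"
          "http://www.hotels.com/submitreview.html?lastName=PLACEHOLDER_SURNAME"
          "&itineraryId=00000000&et_e=placeholder%40example.com&locale=en_GB")
SAMPLE_ENCODED = ("http://ad.doubleclick.net/clk;111111111;22222222;m%3F"
                  "http://www.hotels.com/customer_care/privacy.html?"
                  "et_e=placeholder%40example.com&et_u=000000000")

if __name__ == "__main__":
    for u in (SAMPLE, SAMPLE_ENCODED):
        print(analyse(u))
```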


How do I clean up my computer after a virus infection?

January 14, 2011

Good question.

There is ample information on the Web chastising people for doing this and that wrong, for clicking on things, for being tricked into agreeing to install a “plugin update”… reams of articles saying “DON’T DO IT – whatever it is, JUST DON’T!”

But realistically, with drive-by malware attacks picking up and malware being created to specifically evade traditional antivirus programs, people don’t have much chance… it’s just too easy to get infected with malware.

What nobody out there seems to have an answer to, is the simple question: What do you do on the day after?

I am also unaware of a simple answer.

Microsoft publishes a Malicious Software Removal Tool every month. Commendable effort, but it doesn’t stand a chance against resident malware.

Online articles that advise you to “scan your computer with the latest antivirus software” are dangerous because they lead to a misinformed public. The truth is that there are simply too many ways to avoid detection and too much money to be made in the online crime industry. This means that highly skilled, organised and motivated people are writing malware to avoid all known safety nets. Malware has it much easier than all the defenders in the world – the attackers need only one way in, and they have control of your computer for good. And running all the antivirus scans in the world won’t change that.

The only thing you can do is back up your important data (you do have backups, don’t you?), find your Operating System installation discs, erase your entire hard drive and then re-install everything from clean, trusted media, being extremely careful not to be re-infected by your old files or devices. E.g. infected USB sticks can re-infect the new installation.

To (hopefully) avoid this, follow these rules:

  1. First thing you do after reinstalling the Operating System: Connect the system to the Internet and immediately download and apply all critical updates. Don’t even check your emails. Update, update and then update some more until everything is at the very latest version.
  2. Users of Windows, disable the automatic execution of stuff on USB sticks and disks. (See KB967715 for details.)
  3. Install *working* antivirus software. Not the cracked version of Kaspersky your cousin gave you on a CD and said “it’s okay, you don’t need to pay for it”. Not the nod32.exe you downloaded off some “free downloads” site. You may think such pieces of software protect you, but they don’t. They just lie to the users about operating properly and install malware behind your back. They are the enemy. No, you need to get a *legitimate* antivirus solution. See this blog post for free antivirus software that actually detects malware (or at least tries to).
  4. Only after you’ve successfully completed these first 3 steps, may you reconnect your old media (like USB sticks or disks) to restore your files. Before you touch any of those files, you will run an exhaustive scan (that will take hours) on the removable media you used. This will increase your chances of not getting re-infected straight away. After the scan, you may start restoring your files, reinstalling programs etc.
  5. At this point, you have a clean slate and your files back. You should proceed to follow safe computing practices, especially when you’re on the Internet, and hope that someone, some day, will actually improve this sad state of affairs of being unable to trust your own computer and having to be vigilant all the time to not be infected soon again.
