How much Java do you need?

March 9, 2011

Sun Oracle has been giving us a few reasons to get rid of the Java Runtime Environment (JRE) from end-user machines for a while now.

I’ve been struggling with this decision, as I need Java for my favourite mind mapping software but I don’t want it to be used against me by Internet criminals.

My initial reaction was to remove Java completely and just keep the installation package around, for whenever I needed to do mind mapping. This soon got ridiculously cumbersome, so I’m now on to the next model:

Keep Java for local use, but disable Java for the browsers.

This still allows local applications to use Java, but stops Web-borne remote exploits from being delivered to my machines.

First of all: Get the latest Java

First things first. Always ensure you run the latest software. Visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that you have the latest version (currently 1.6.0_24).

If you haven’t got the latest version, download and install it from http://www.java.com/

Then verify that auto-update is turned on and frequent enough. For Windows users, go to Control Panel -> Java. Switch to the “Update” tab of the window that comes up and then click the “Advanced…” button. This should show you something like this:

The default is to check for updates once a month, which is a bit pathetic. Change this to weekly at the very least, or daily if you’re serious about your computer’s security:

Then click “OK” to save & close this dialog and “OK” again to save & close the Java settings window.

Now, onto the browsers:

Firefox 3.x

Go to Tools -> Add-ons and you see something similar to this:

Click on “Disable” for both Java extensions, to get this result:

Don’t restart Firefox just yet! Now, onto the “Plugins” tab of the same window:

Click on both Java entries and on the corresponding “Disable” button of each entry, until the window looks like this:

Now it’s time to hit that “Restart Firefox” button in the Add-ons window to restart your browser.

After you’ve restarted, visit http://java.com/en/download/installed.jsp?detect=jre&try=1 with Firefox to verify that Java is disabled.

You should get the following result:

Congratulations – Java has been disabled in Firefox!

Note: Some people may point out that the NoScript plugin achieves the same goal more elegantly, since it lets you selectively allow Java code to run in Firefox. The problem is that NoScript works on the premise that websites you trust will not deliver malicious code to your machine. Unfortunately, there are reports claiming that up to 75% of websites serving malicious code are legitimate websites that have been compromised. On top of that, malicious code can be delivered to your machine through ads served from trusted domains like google.com and yahoo.com.

The only real protection against this headache is to keep all browser plugins updated and disable the ones you don’t absolutely need. Java is not the only culprit here; Adobe’s PDF reader and Flash plugin, as well as Microsoft’s DirectShow and Media Player, are also repeat offenders.

Internet Explorer

If you’re forced to use Internet Explorer (e.g. because some luminary in your organisation had the brilliant idea that the “free” SharePoint server was a good development platform for your corporate websites…), follow these steps:

First, make sure you have the latest version of the browser. Microsoft itself is begging people to stop using IE6, as it’s an open window for remote control of your machine by criminals. Download and install the latest version of IE.

Now, let’s disable Java in Internet Explorer:

Go to the menu “Tools” -> “Manage add-ons”.

(this example is from IE version 8 on Windows XP, your version might be slightly different)

In the “Manage add-ons” window, select “Show add-ons” on the left hand side pull-down menu:

Now you can see all Java add-ons listed. Select each of them with a single click and hit the “Disable” button:

The final result should look like this: (all Java add-ons disabled)

Now click the “Close” button on the bottom right and close your browser.

Annoyingly, I’ve found it necessary to also disable the Java plugin from the Java Control Center – disabling it in IE alone does not seem to be enough…

Go to Control Panel -> Java and then to the “Advanced” tab. Make sure the options look like below:

Save & close with “OK” – you will get a popup similar to this:

Click OK and then fire up Internet Explorer to visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that Java cannot be executed in IE.

You should get one or more of the following popups:

(this means you disabled the add-on in IE but not in the Control Panel. Unfortunately this seems to result in Java code somehow getting executed regardless!)

(surreal web page, telling you both that Java *is* and *isn’t* working, but there you have it)

If you’ve disabled everything appropriately you should see the following:

Clicking “OK” will eventually land you in this page:

…which is lying to you. You don’t have an old version of Java. You just have a disabled installation.

If you need to use Java for local applications, that’s the best place to be.

Otherwise, if you’re tired of all this faffing about, just uninstall Java completely to get it over with and have one less thing to worry about.


How difficult can Denplan make it for customers to protect their personal information?

February 18, 2011

It turns out the answer is “quite”.

Consider the following gem from the “corporate claim form” – this is a piece of paper you have to sign and send to Denplan if you’ve had treatment and are claiming back the costs, as covered by your corporate dental insurance:


This is how I understand this part (let’s call it “Part 1″):

  • As long as you use our services, we’ll send your personal information to anyone we like.

Reading on, we reach Part 2:


Here we are told: “You may be contacted by phone, telephone or electronically if appropriate. If you DO NOT wish us to do this please tick below as appropriate.”

This is how I understand this:

  • Ticking below will stop us from contacting you.

And then, the million-dollar statement:

“Denplan Limited may send you details of other products and services.”

The way this is phrased, putting a tick right next to it directly implies “YES, you may”! Even though the sentence above implies the exact opposite.

The lunacy continues with Part 3:


This part says “To enable them to send you details of their services we may also share some of your details with other AXA group companies based within the European Economic Area [TICK?] and with other carefully selected companies based within the European Economic Area [TICK?]”

Again, it’s not clear how the customer can indicate “No, I don’t want my details shared with others!”, as both phrasing and intuition say “don’t tick here”, but the instructions tell you to “tick as appropriate if you don’t want this to happen”.

Absolute rubbish. Certainly a strong candidate for the Plain English Campaign’s Golden Bull Award.

If you’re a Denplan customer, I’d suggest writing to them to point out this gobbledygook and get it fixed.


It’s a simple web page!

February 10, 2011

No it’s not.

Most pages on the web nowadays:

  1. draw content from multiple sources
  2. execute programs (scripts) on your computer, also from multiple sources

What does this mean for you?

Well, for starters it’s important to leave behind the misconception that a web page is a simple thing. There is usually a lot going on in the background that you don’t see. But it’s there. This is how online advertising revenue is generated, and how “advanced” online services operate.

It’s also important to realise that “trust” is a very thorny issue. Visiting the website of (for example) National Geographic shouldn’t be an issue – I mean they’re a respectable business, right? But hang on, on closer examination, look what happens when you visit a single page:

All of a sudden it’s evident that this web page, hosted on nationalgeographic.com, is requesting content from EIGHT (8) different domains, not all of which have an obvious relevance to the web page you are trying to see.

Do you know and trust all of them?

Further, aggregating content from many different domains in one web page usually translates to executing code in your browser, on your computer, from all those different domains you had no idea you were communicating with!

In summary:

All you did was request to see a web page from nationalgeographic.com – which you trust.

Subsequently, and without your express permission or knowledge, your computer was instructed by nationalgeographic.com to download content from virtualearth.net, zozi.com, google-analytics.com, 2o7.net, quantserve.com, dl-rms.com, imrworldwide.com and ngeo.com.

Your computer also downloaded and executed programs (scripts) from the following domains: googleadservices.com, google-analytics.com, 2o7.net, quantserve.com, virtualearth.com, dl-rms.com, scorecardresearch.com, and doubleclick.net.

I’m only aware of this carnage because of two Firefox addons I use: NoScript and RequestPolicy. But they’re cumbersome to use and require constant adjustments.

Keep that in mind next time you catch yourself thinking “I’m safe online because I don’t visit random websites”.
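To make the point concrete, here is an added example (not code from the original post) that does for a saved page what RequestPolicy and NoScript do live in the browser: it lists every third-party host the page fetches content from, and separately the hosts that supplied executable scripts. The sample page and its hosts are constructed placeholders; only google-analytics.com is taken from the list above.

```python
# Added example, not code from the original post; the sample page below is
# constructed and its hosts (apart from google-analytics.com) are placeholders.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch something. Only <script>
# pulls in code that then runs with the page's privileges.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class OriginCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.content_hosts = set()  # hosts anything was fetched from
        self.script_hosts = set()   # hosts that supplied executable code

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # <link> only fetches for stylesheets here; rel="canonical" etc. do not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
            return
        url = attrs.get(attr_name)
        if not url:
            return
        # urljoin resolves relative and protocol-relative (//host/x.js) URLs.
        host = urlparse(urljoin(self.page_url, url)).hostname
        if host:
            self.content_hosts.add(host)
            if tag == "script":
                self.script_hosts.add(host)


def third_party_origins(page_url, html):
    """Return sorted (content_hosts, script_hosts), minus the page's own host."""
    own = urlparse(page_url).hostname
    collector = OriginCollector(page_url)
    collector.feed(html)
    return (sorted(collector.content_hosts - {own}),
            sorted(collector.script_hosts - {own}))


PAGE_URL = "http://www.example-news.com/article.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="//ads.tracker-example.net/pixel.js"></script>
</head><body>
<img src="/img/logo.png"><img src="http://metrics.tracker-example.net/1x1.gif">
<iframe src="http://maps.example-maps.com/embed?id=1"></iframe>
<script src="/js/app.js"></script></body></html>"""
```

Run `third_party_origins(PAGE_URL, SAMPLE_HTML)` on the sample: the page's own host is filtered out, four foreign hosts serve content and two of those also supply scripts.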


Here come the “smart” phones

February 6, 2011

I’m very glad someone took the effort to prove this can be done, for all the denialists and optimists-to-the-point-of-criminal-negligence out there to get a grip:

“A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.”

Source: ThinkQ article

This means that installing a single malicious “app” for your smartphone can turn it into the ultimate tool to steal any of your confidential information. Notice that anything you *say* over the phone is also suspect.

Blog post by Bruce Schneier with good links here.

The funny part with this is that the optimists will say “yeah, but it needs user permission!”, as if they know exactly where each and every piece of software they installed on their computer/phone came from. Or as if automated remote installation of smartphone apps will not come knocking on our doors as it did for personal computers.


Quidco cookies

February 2, 2011

I’ve been using Quidco lately to benefit from cashback deals for stuff I purchase on the Internet.

It’s always been on my mind to figure out how such businesses make their money and I suspected there would be a lot of tracking going on (for a little bit of extra cash).

Well, last week I got some time to play with this, so I deleted all browser cookies and then booked a train ticket and a hotel room for my next trip. The result was 67 cookies on my local disk! Other than the obvious ones (the train company, the hotel company, quidco itself), the standard ones that are linked to everything and you can’t avoid grabbing a cookie from (facebook, yahoo, twitter etc), the list still sported an impressive assortment of sites I had no idea my computer was doing business with:

Needless to say, purchasing anything through Quidco is very difficult with privacy-enhancing plugins like RequestPolicy and NoScript (it takes too much work to manually allow all cross-site communications, scripts etc) – so I just use my “throwaway” browser (Internet Explorer) to use Quidco and then wipe out all cookies with CCleaner.

PDF file listing all cookies dropped to my machine during that session: Quidco cookies log


Tracking good samaritans

January 19, 2011

I got the following email from hotels.com the other day, asking me to provide feedback on their service and the last hotels I stayed at.

Nothing wrong with that – I have no direct benefit from this but believe in the power of community feedback etc. So I thought what the heck, let’s take the time to complete a quick survey.

So I clicked on the “write a review” link in the email, which directed me to this URL:

http://click.mail.hotels.com/?qs=d022f9b41a16aff5d6ebfc436e6bb406416e73ed4926ea9826856a4c9a1a5fe9571b8d186c7913567898645f30c4bdb9

…which redirected me to:

http://ad.doubleclick.net/clk;229503547;53487117;m?http://www.hotels.com/submitreview.html?lastName=mylastname&itineraryId=53807570&intlid=review&rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887636&et_mid=198875&_dc_ck=try

…which finally takes me to a webpage that demands I download and execute JavaScript code in my browser before displaying anything:

http://reviews.hotels.com/7014h-en_gb/7310/writereview.htm?format=embedded&user=6bf4d77c00a3e7254a885e86b510cf53646174653d3230313130313138267573657269643d35333830373539305f2d3130342650726f6475637449443d37333130264850726f706572747949443d32373431363226545049443d2d31303426545549443d3533383037353930264c6f6249443d33264974696e49443d3533383037353930264c69643d32303537264272616e6449443d39264f726967696e3d73697465&submissionurl=http%3A%2F%2Fwww.hotels.com%2Fsubmitreview.html

Asking for the “Privacy Policy”, takes me here:

http://ad.doubleclick.net/clk;229503547;53487117;m%3Fhttp://www.hotels.com/customer_care/privacy.html?rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&intlid=FTR.TR.SUR.eml.privacy&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887677&et_mid=198875

(I substituted my real information for the red text in the above URLs)

It’s an Orwellian world when requesting a privacy policy sends one’s personal information to a DoubleClick tracking page…

PS: If you want to know & control which websites your browser connects to, use Firefox with the RequestPolicy addon.
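As an added illustration of what the redirect chain above leaks (this is not code from the original post): the DoubleClick link carries the real destination after its first “?”, so every query parameter meant for the destination, personal ones included, is handed to the tracker first. The URL below is constructed to mirror that pattern with placeholder values; which keys count as personal is an assumption for this example.

```python
# Added example, not code from the original post. The URL is constructed to
# mirror the "clk;...;m?<destination>" pattern above with placeholder values.
from urllib.parse import parse_qsl, unquote, urlparse

# Query keys that carried identifying data in the URLs above; this set is an
# assumption for the example, not a documented schema.
PERSONAL_KEYS = {"lastname", "itineraryid", "et_e", "et_u"}


def unwrap_click_url(url):
    """Split a click-tracker URL into (tracker_host, destination_url).

    The destination is everything after the tracker URL's first '?'. In the
    privacy-policy link above that '?' is itself %-encoded (m%3Fhttp://...),
    so the URL is decoded once before parsing.
    """
    parsed = urlparse(unquote(url))
    return parsed.hostname, parsed.query


def inspect_click_url(url):
    """Report which destination parameters the tracker gets to see."""
    tracker_host, destination = unwrap_click_url(url)
    dest = urlparse(destination)
    keys = [k for k, _ in parse_qsl(dest.query, keep_blank_values=True)]
    return {
        "tracker": tracker_host,
        "destination": dest.hostname,
        "personal": sorted(k for k in keys if k.lower() in PERSONAL_KEYS),
        "other": sorted(k for k in keys if k.lower() not in PERSONAL_KEYS),
    }


# Constructed sample in the shape of the privacy-policy link above.
SAMPLE_CLICK_URL = (
    "http://ad.doubleclick.net/clk;111111;222222;m%3F"
    "http://www.example-hotel-site.com/customer_care/privacy.html"
    "?rffrid=eml.example.0000&pos=EXAMPLE_UK&locale=en_GB"
    "&et_e=customer%40example.org&et_u=000000&lastName=Customer"
)
```

`inspect_click_url(SAMPLE_CLICK_URL)` shows ad.doubleclick.net receiving the email address, user id and surname destined for the hotel site's own page.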


Free antivirus for Mac

December 23, 2010

Sophos recently made available a free antivirus application for Macintosh users. Haven’t tried it yet, but it looks promising and it fills a glaring gap.

For all you Mac users out there who think that “Macs don’t get viruses” – please wake up and smell the cappuccino.

Grab the software from
http://www.sophos.com/products/free-tools/free-mac-anti-virus/


A glimpse into reality – the world’s response to wikileaks

December 15, 2010

They say you can see the true nature of people in a time of crisis. All sorts of organisations, from media outlets to governments, consist of people. So, what has the publication of low-secrecy US diplomatic cables taught us?

An Australian citizen is denied bail in the UK, because of a misdemeanor charge in Sweden. The charge, if proven to stand, would amount to a crime on the same level with *graffiti*. (jurisdiction? innocent until proven guilty? Habeas corpus?)

Parts of the US government are blocking access to newspaper websites. Others are ordering or threatening their own personnel and university students not to read the leaked diplomatic cables.

“News contributors” on (predictably) FOX news (and politicians) are going on the record on national television, stating that Julian Assange should be assassinated.

If this is what gets shamelessly thrown out in the open, can you imagine what’s going on behind closed doors?

For more on the above: DemocracyNow! December 15th broadcast


Access to Justice

December 10, 2010

Quoting the Guardian:

As part of a scheme called “access to justice”, prison authorities are arranging for Assange to be given a computer so he can work on his case. The computer will have limited internet access.

Assange asked for one of his legal team to be allowed to bring him a laptop, but was refused – prisoners are not commonly allowed their own computers.

Intriguing.

“Access to Justice” sounds like “we’ll be happy to know all your passwords & contacts” to me. I’m sure Mr. Assange is smart & informed enough to know this, but other prisoners might not.

Bringing your own laptop raises the bar just a notch, but doesn’t offer any protection against an organised adversary:

Bit of a pickle, really.


Remove junk, win disk space, better privacy

December 8, 2010

A didactic run of the simple (yet mighty) CCleaner on a colleague’s laptop:

2.1 GB of disk space reclaimed:

Thousands of cookies (most of them used to track your online behaviour) deleted:

Note to antivirus administrators: Please keep SEP under control, as it tends to aggregate a lot of junk:

This is not a thorough clean – there is a lot more junk and privacy-compromising stuff on this machine, but a CCleaner run is a dead-easy first step.

