Category Archives: Software

There Is a Difference Between Warning About Something and Doing It

I know, I know, I have a case of this today:

…but forgive me.

There is a very serious error in the IT World posting Can you trust Chinese computer equipment?. I've written to the author to ask him to correct it, and to post the correction to Slashdot, which has repeated the error (which is how I came to find it).

The original item states,

Indeed, back in 1983, Ken Thompson, one of the creators of Unix, admitted that he had included a backdoor in early Unix versions. Thompson's backdoor gave him access to every Unix system then in existence.

“Why am I always the last guy in the world to hear about this stuff?” I wondered. In this case, it is because it is not so. If you look at the actual article referenced, Ken Thompson's Reflections on Trusting Trust, his famous acceptance speech for the Turing Award, you will see it basically says the opposite of what the quote above suggests.

For starters, the very elegant backdoor attack presented in Ken Thompson's paper is a PROOF OF CONCEPT, not an “admission” that anyone in fact did anything like it to early or late Unix builds. Ken Thompson in fact takes a very strong stand against such hacks. His point, though, is that the nature of compilers makes what has become known as the “Thompson hack” or trusting trust attack very hard to detect.

It would be good if IT World ran a correction; if not, maybe someone trying to chase down this latest piece of tin foil will find this posting instead.


Sync and Passwords

So I am looking at Firefox's new plugin, Weave Sync.

Weave is a comprehensive synchronization tool for people who browse on multiple computers. It syncs everything between multiple versions of Firefox except your plugins. Guess we'll have to get beyond version 1.0 for that. Even so, Weave offers near-instant sync of:

  • bookmarks
  • open tabs
  • browsing history
  • passwords

(Um, passwords?)

Weave tries to sound secure: “all of your data is encrypted end-to-end to ensure your privacy.” But that is not what worries me.

I am, in most ways, the exact sort of person for whom this was designed. On any given day I may use four different computers: office, study, laptop, even maybe a short stint on the kid's game machine in our family room. I am heavily reliant on Dropbox to sync working documents. I use Xmarks to sync bookmarks. I'd love to be able to sync open tabs to make a more seamless experience as I migrate from machine to machine. (And sooner or later I'm going to migrate my scrapbook to Dropbox so I have only one master set of archives instead of home and office versions.)

Xmarks will store passwords, but it has a nice feature that allows me to choose on a machine-by-machine basis whether I want to require a special login before passwords become accessible. Since I travel with my laptop, and there's always a chance it might get stolen, I don't want to have my password-protected data accessible to someone who gets a hold of the machine. (But that's not without its risks too.)

If I understand the release notes, Weave has a feature similar to Xmarks to deal with the traveling password issue:

If you use a master password, Weave Sync will automatically connect after you enter in your master password. Weave Sync will stay disconnected until you enter your master password or you choose to manually connect.

I often hibernate my machine instead of turning it off. What worries me is that this sync will become so seamless that I'll forget my passwords are accessible. Either that, or I'll have to always at least close the browser between sessions. That's a risk with Xmarks, and I suppose it's not going to be much different with Weave?

I'd be interested in hearing in comments from anyone using Weave; I'm about to go out of town for a conference, and I don't think I'll do anything to change my workflow until I'm back, just in case something might break.


IE Considered Dangerous

Exploit in the Wild for New Internet Explorer Flaw — Krebs on Security

Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.

This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.

… this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple’s Safari for Windows.

No doubt there will be a patch soonish, but until then…and even after then for folks who don't patch religiously.

Incidentally, do we actually know all those other browsers are safe, or is it just that no exploits are in the wild yet?


How to Fix the Tweetdeck No Updates Bug

I have a house guest who is probably one of the few teetotal geek folksinger freelance journalists in captivity.

The guest described to me a potentially useful feature of Tweetdeck that I didn't know existed (dividing people you follow into 'groups'), so I fired it up. (I don't use Twitter very often; life is too full already.) It wanted to be synchronized and updated. Adobe Air wanted to be updated. I complied. The result was that all my Tweetdeck columns were blank – “no updates”. And I knew this wasn't true since the house guest was telling me of a recent Twitter post commenting on a visible feature of my family room.

Google to the rescue. It seems if you close all your Tweetdeck columns and then reopen them, all is well again. And so it was.


How To Fix the Gmail Notifier Unavailable Bug

[UPDATE 7/3/15: Google has killed the notifier function as part of its attempts to drive us all towards Chrome.]

I've been using Gmail Notifier for some time. It's not that I particularly want to know when I get Gmail, since I have that forward to my main account anyway. No, the great thing about Gmail Notifier is that I can set it to make Gmail the default email program for “mailto” links on web pages.

But a while ago I started getting error messages from the notifier; I didn't mind not having the unread mail count, but there's something about error messages at boot up that makes me grumpy.

An error has occurred.
Cannot connect to your mailbox.
Service temporarily unavailable.

Except it seemed permanent.

So I was happy to find out that the problem was because I forced Gmail to use https, and that there's info on a patch:

If you've tried the new https setting and are using the Gmail Notifier, you've probably noticed a conflict between them by now. Good news for Windows users – we have a small download available that will set the Notifier to use https. Here's the instructions:

1. Download http://www.google.com/mail/help/downloads/notifier_https.zip
2. Open up the folder.
3. Double-click on the file called notifier_https.reg to install it.
4. Click 'yes' when you're asked to confirm if you want to add the information to the registry.
5. Restart the Notifier.

And you're done! The Notifier will now work with Gmail set to always use https. If you decide you don't want to use that setting anymore, you'll need to install the other file in the zip folder – notifier_https_undo.reg – to reset Notifier.

And it works!
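Step 3 above merges a downloaded .reg file into the registry, so it is worth listing what the file would change before double-clicking it. The following is an added example, not part of the original post or of Google's instructions: the sample file, its key paths and value names, and the `preview_reg` helper are all constructed for illustration and do not reflect the real contents of notifier_https.reg.

```python
import re

# Constructed sample for illustration. It is NOT the content of
# notifier_https.reg; the key paths and value names are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Notifier]
"example_https_flag"=dword:00000001

[-HKEY_CURRENT_USER\Software\ExampleVendor\OldSettings]

[HKEY_LOCAL_MACHINE\Software\OtherVendor\Updater]
"path"="C:\\Temp\\helper.exe"
'''.replace("\n", "\r\n").encode("utf-16")  # 5.00 exports are UTF-16 with a BOM

SECTION = re.compile(r"^\[(-?)(HK[^\]]+)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def decode_reg(data: bytes) -> str:
    """Version 5.00 files carry a UTF-16 BOM; REGEDIT4 files are single-byte."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")

def preview_reg(data: bytes, expected_prefix: str):
    """Return (action, key, value_name, raw_data, in_scope) for every change."""
    text = re.sub(r"\\\r?\n[ \t]*", "", decode_reg(data))  # join hex continuations
    prefix = expected_prefix.lower().rstrip("\\")
    changes, key, in_scope = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            key = m.group(2)
            in_scope = key.lower() == prefix or key.lower().startswith(prefix + "\\")
            if m.group(1):                        # "[-KEY]" deletes the whole key
                changes.append(("DELETE-KEY", key, None, None, in_scope))
            continue
        m = VALUE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            action = "DELETE-VALUE" if m.group(2) == "-" else "SET"
            changes.append((action, key, name, m.group(2), in_scope))
    return changes

if __name__ == "__main__":
    for change in preview_reg(SAMPLE_REG, r"HKEY_CURRENT_USER\Software\ExampleVendor"):
        print("ok    " if change[4] else "REVIEW", *change[:4])
```

Any line marked REVIEW touches a key outside the one location the fix is supposed to change, which is the cue to open the file in a text editor rather than click 'yes'.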


Potentially Interesting Software

Has anyone here used Mendeley? I'm not entirely clear on the use case: do I upload the papers I've written? Ones I'm reading? Ones I mean to get around to reading?

And how much of what I upload is browseable by others? If I put up all the papers in my bibliography before I publish the paper, is there any risk of finding that someone who writes faster writes it, since I've acted as their research assistant?
