I’m trying out a new way to update my blog. Hopefully it will lead to me updating more often.
In the meantime, check out the editor I’m using:
Getting Started With ScribeFire - Scribefire: Fire up your blogging
This is a great article about the security of Google’s new research program that could eventually replace ActiveX: http://www.matasano.com/log/1674/the-security-implications-of-google-native-client/
For those not familiar with the subject:
ActiveX - Very useful, and very vulnerable. If you would physically hand your computer to the owner of the website, then it’s okay to run ActiveX; otherwise it’s not.
Java - Solves the same problems as ActiveX, but it’s slower and safer. Not the safest, but a lot of the safety issues have been crash-tested and fixed at this point.
Adobe Flash/Flex - It’s faster than Java because it does less. In theory it could be easier to secure than Java, but it’s a younger product and so probably has more security surprises on the horizon.
Google Native Client - Easy to port old software to, and it could do even more than Java. But it still has a lot of security fixes to make to catch up to the others in terms of safety. It’s still safer than ActiveX, but everything is.
Silverlight - Microsoft’s new solution to replace ActiveX. It’s more secure than ActiveX because everything is, but it probably suffers the same symptoms of youth as the Google Native Client.
For safety with any of these, only allow them on websites that you thoroughly trust. The NoScript add-on for Firefox is the best way to control which websites are allowed to run these.
Yahoo Tech News reports that a virus called ‘Gumblar’ is usurping control of vulnerable websites and then vulnerable home computers that visit those websites. Once installed, it redirects your Internet Explorer Google search results to spam pages or more virus delivery pages.
This is a classic technique, not a new one; but the article is a nice way to learn about it.
The most important thing to note is that ‘Gumblar’ is targeting vulnerabilities that are almost a year old now. In a sane world, that wouldn’t work because everyone would apply security patches. In the real world it works just fine. Applying software updates is the digital equivalent of washing your hands. Knowing that some of your neighbors don’t even do it once a year is incentive to take extra care with your own computers.
Here’s the article: http://tech.yahoo.com/news/pcworld/20090514/tc_pcworld/newwaveofgumblarhackedsitesinstallsgoogletargetingmalware
