Category Archives: Software

Tracking Protection Greatly Speeds Firefox

Firefox’s optional Tracking Protection reduces load time for top news sites by 44%.

How to turn on Tracking Protection:

  1. In the Location bar, type about:config and press Enter.
    • The about:config “This might void your warranty!” warning page may appear. Click I’ll be careful, I promise! to continue to the about:config page.
  2. Search for privacy.trackingprotection.enabled.
  3. Double-click privacy.trackingprotection.enabled to toggle its value to true.

This will turn on Tracking Protection. If you later want to turn it back off, repeat the above steps to toggle the preference back to false.


Link to Firefox 38 Without DRM

Keep DRM off your computer. Firefox updated to version 38 today, and it comes with DRM built in (without which, I’m told, you can’t watch Netflix).

The link above is to the US-English version of Firefox. Here’s the multi-lingual index to other language DRM-free versions of Firefox.

You can install this instead of the ver 38 update, or on top of it. In my experience it remembers all your customizations, such as plugins.

(Image from L[P]SI Blog)


I’ve Been Looking for This!

Google search link fix:

This extension prevents Google, Yahoo and Yandex search pages from modifying search result links when you click them. This is useful when copying links but it also helps privacy by preventing the search engines from recording your clicks.

In other words, when I get Google search results and right-click on them, instead of getting useless garbage, I get a link I can use in a blog post or a footnote — especially handy for linking to .pdf files where the URL doesn’t show up in the program that pops up to display the document.

Most folks won’t need this extension. But those who do will love it.


DETEKT

EFF and other fine groups announce DETEKT, a spyware detection tool. It’s a joint project with Amnesty International, Digitale Gesellschaft, and Privacy International. Read the disclaimers and instructions carefully.

Note also that they seem to be on a very short release cycle: I downloaded version 1.1 at work yesterday (nothing detected), and just downloaded version 1.3 at home today.

Disclosure: I’m a proud member of the Electronic Frontier Foundation Advisory Board.


Shellshock Still Kicking

Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:

Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot


Shellshock: It’s as if Flesh-Eating Bacteria Were Poised to Eat Your Server

And all your Linux-embedded devices with any Internet access. From the sound of it, that’s about how bad the “shellshock” bug in Bash is:

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

— Slashdot, Remote Exploit Vulnerability Found In Bash.

Shellshock name spotted on Errata Security (good blog BTW), and the faithful INQ, which shares the cheerful fact that the NIST vulnerability database “rates the flaw 10 out of 10 in terms of severity.”

Update: It looks as if patching servers will be easy – mine is already done. The real problem will be patching devices with embedded Linux. To achieve that the consumer needs (1) to know the device exists, is connected to the internet, and is under your control — all sometimes much less obvious than one might imagine; (2) the device has to be patchable; (3) there has to be a patch; (4) the consumer has to know where to go to get the patch; (5) the consumer has to be able to apply it.

Internet of Things considered dangerous?

Update2: This is a nice test for the Shell Shock / shellshock vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it returns something like

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

You are fine. But if it says,

vulnerable
this is a test

Then you have the bash bug.
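
The one-line test above, wrapped so it can be run against every bash binary on a host (an added example, not part of the original post; the candidate paths and function names are assumptions). It checks only the CVE-2014-6271 probe shown here, so a clean result says nothing about the later parser flaws mentioned in the "Shellshock Still Kicking" post.

```sh
#!/bin/sh
# Added example: runs the page's Shellshock (CVE-2014-6271) probe against each
# bash binary found on this host. Paths and function names are assumptions.

# Classify the probe's stdout. On a vulnerable bash the injected command prints
# "vulnerable" on its own line before the real command runs; a fixed bash
# prints only the test line.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo not_vulnerable
    else
        echo unknown            # binary did not run, or is not bash
    fi
}

# Run the probe against one binary. stderr is dropped: the "ignoring function
# definition attempt" warning is optional and not needed to decide.
probe_bash() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# Probe the bash on PATH plus the usual install locations; report one line per
# binary and return non-zero if any of them is vulnerable.
scan_host() {
    seen="" rc=0
    for b in "$(command -v bash 2>/dev/null)" /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -n "$b" ] && [ -x "$b" ] || continue
        case " $seen " in *" $b "*) continue ;; esac   # skip duplicates
        seen="$seen $b"
        r=$(probe_bash "$b")
        printf '%s\t%s\n' "$b" "$r"
        [ "$r" = vulnerable ] && rc=1
    done
    return $rc
}

scan_host
```
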
