Archive for the ‘Security’ Category

The Nasty Log4j Business

Monday, December 20th, 2021


It's been a wild couple of weeks for the log4j team... I mean, the problem with a logger is that you don't really want to limit it, and adding the url handlers probably seemed like a great idea at the time, but once they started to be used, it was understandably hard to drop support for them. And then the exploit hit.

It's just one of those nearly universal components of JVM systems that is being supported by volunteers, and trying to thread the needle between keeping as much of the functionality as they can... while restricting the vulnerability to something that can't be exploited. It's clearly not easy, as they've had at least three releases of the 2.x codebase to try and correct the vulnerability, and each time there seems to be more to do.

This is certainly going to shift how some open source teams function... it's great to be the author, or maintainer of something as used as log4j, but to have this kind of attention... well... I'm sure it's not what they were hoping for this Christmas. 🙂

Google Fi and Regulated Utilities

Friday, November 15th, 2019


This morning I saw an ad for Google Fi, and it got me to thinking about the relationships between AT&T, Verizon, regulations and tech companies, like Google, and my phone. I'm not saying I like the size of my phone bill - and this includes two kids and my Mom, but I at least understand why it is the size it is, and the way they are profiting from me. When I think about an unregulated tech company being a carrier, it makes the data collection even more invasive.

I'm not saying that the people working at Google have evil in their hearts, but power corrupts, and the power some companies are collecting about each of us is really staggering, and I'm in the position to know just enough to be really concerned. The collection and matching of data made Finance really powerful - but that was all about tradable securities and related information. This is about individual people... and the aggregations that can be done now make it possible to really look at the individual within the crowd.

I just wonder if we're a cliche - allowing technology to outpace society - again. I think I'm all for spending a little more, to a regulated company, rather than paying less to an unregulated one - certainly for utilities that just need to work, and not be tracked.

Crazy Zoom Exploit

Wednesday, July 10th, 2019

Bad Idea

So yesterday, the Zoom Exploit hit the news feeds and web sites, and it was something that I have to say, I'm not surprised about. Zoom was never one of the video conferencing solutions I was a fan of... like most utilities - pick one of the standards, and then be done. Google Hangouts is fine for small groups, and GoToMeeting is fine for large groups, and these are cross-platform, and work just fine. I use FaceTime more than anything else, but that's because it's an Apple ecosystem, and I don't have to tell folks to install additional software.

But this secret web server - that's crazy.

As soon as I read this I deleted the app. Immediately.

The second thing I did was to message a good friend who I know uses Zoom - a lot - and let him know that he was exposing himself to this issue. I included the entire article, because I wanted him to read about it as well, but I know he took steps at the time as well.

So this morning, I'm double-checking on the details, because this secret web server is just crazy, and I want to make sure that I've got it all cleared out. So let's see if it's running, kill it, if it is, and then double-check that it's dead.

  $ lsof -i :19421
  COMMAND    PID  USER   FD   TYPE ...
  ZoomOpene 2385 drbob    3u  IPv4 ...
  $ kill -9 2385
  $ lsof -i :19421

OK... it's gone. Now let's remove the ~/.zoomus directory and put in a file to keep the directory from being created again...

  $ rm -rf ~/.zoomus
  $ touch ~/.zoomus

And finally, go into System Preferences and select Users & Groups, and then select your user, and go to the Login Items tab, and see if ZoomOpener is in the list. If it is - remove it with the - button at the bottom of the list.

Now it's out. For good.
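For anyone who wants to run the three steps above as one repeatable check rather than by hand, here is an added sh script (my own example here, not code from the original post or from Zoom). It assumes the port 19421 and the ~/.zoomus directory exactly as stated in the post; the embedded lsof output is a constructed sample used only to exercise the parser offline, and the Login Items query through osascript is an assumption about the macOS System Events scripting interface. Nothing destructive runs unless you invoke it with --run.

```shell
#!/bin/sh
# Added example, not from the original post: check for the ZoomOpener
# listener, kill it, block ~/.zoomus with a placeholder file, and report
# any matching Login Item. Port and path are the values stated in the post.

ZOOM_PORT=19421
ZOOM_DIR="${HOME}/.zoomus"

# Constructed sample of `lsof -i :19421` output, shaped like the post's session.
SAMPLE_LSOF='COMMAND    PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpene 2385 drbob    3u  IPv4 0x1234567890abcdef      0t0  TCP localhost:19421 (LISTEN)'

# Print the PID column of lsof output read from stdin, skipping the header.
listener_pids() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Live check: succeed (exit 0) only if something is listening on the port.
port_has_listener() {
    lsof -nP -i ":$1" 2>/dev/null | listener_pids | grep -q .
}

# Kill every PID read from stdin, one per line (kill -9, as in the post).
kill_pids() {
    while read -r pid; do
        [ -n "$pid" ] && kill -9 "$pid" 2>/dev/null || true
    done
}

# Replace a directory with an empty regular file of the same name so the
# directory cannot be recreated. Succeeds when the placeholder is in place.
block_dir_with_file() {
    rm -rf "$1"
    : > "$1"
    is_blocked "$1"
}

# Succeed if the path is a regular file (the placeholder), not a directory.
is_blocked() {
    [ -f "$1" ] && [ ! -d "$1" ]
}

# Assumption: System Events exposes Login Items to AppleScript; print names
# matching the given pattern, or nothing if there are none (or not on macOS).
login_items_matching() {
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//' | grep -i "$1" || true
}

main() {
    lsof -nP -i ":$ZOOM_PORT" 2>/dev/null | listener_pids | kill_pids
    if port_has_listener "$ZOOM_PORT"; then
        echo "listener on port $ZOOM_PORT is still present"
        exit 1
    fi
    echo "no listener on port $ZOOM_PORT"
    block_dir_with_file "$ZOOM_DIR" && echo "$ZOOM_DIR is now a placeholder file"
    items=$(login_items_matching ZoomOpener)
    if [ -n "$items" ]; then
        echo "Login Items still lists: $items (remove it in System Preferences)"
    else
        echo "no ZoomOpener login item found"
    fi
}

# Only perform the live kill/remove steps when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh zoom-cleanup.sh --run`; the functions are kept separate so the parser and the placeholder check can be exercised against the constructed sample without touching the live system, and a remaining Login Item is reported rather than edited, since that step is best done through the System Preferences list the post describes.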

The "explanation" from Zoom - that this is "a good way to present the user experience" is just nuts. I can't imagine how anyone in this era of computers and invasion of privacy would try to even justify that. Just call it a mistake, and move on.

[7/10] UPDATE: Overnight Apple released a non-UI patch that took care of this problem for all users. I can remember when this feature of forced updates without user-intervention was delivered in Mac OS - and I thought it was good. This proves that it was there for just such a case. Bad software.

Securing Google and Restoring GTalk

Wednesday, February 20th, 2019


Yesterday, I lost access to my GMail and GTalk accounts on my laptop - and it was saying that the password was bad. The first was covered in this post, and this morning I attacked the second. Overnight, I was just hoping that it was a transient thing, and that Google would restore whatever it decided to turn off, but that was not to be.

Given that Adium is now limited to just GTalk and ICQ, there really wasn't a lot of reason for me to keep it running, if I couldn't fix this authentication issue. So... knowing that Google wanted me to secure my account - but doing that would kill the old scheme for Adium, I decided to go ahead with it, and if it didn't work, then I'd just shut down Adium, and have to live with the loss of communication to my friends.

Securing Google


So the first thing I needed to do was to turn off the Insecure Access in Google. This is just the old scheme of passing a plaintext username and password to Google. This was the only way the old Adium worked, and so I had to leave it like this. But that's all changing.

Once that was turned off, I knew I wanted to use Authy for the Authentication App for Google because I didn't like the SMS codes, and Authy is just a nice tool for exactly this purpose without worrying if your SIM card has been cloned. So I turned that on, and typed in the first code, and we're good to go.

Finally, I needed to generate a single Application Password for Adium, and that was all done from the Security tab in the Google Account Settings. Not bad at all, they generate a 16-character code, and you then use it for that app. You only get to see it once, so make sure you type it in correctly, but you can always make another.

Testing Adium

Once I had the 16-character application password for Adium, I pulled it up, typed it in, and BAM! it worked. I could almost not believe it! This was exactly like the POP3 issue - I'm guessing Google just got tired of the less-secure methods, and just shut them off. Period. Now with the 2FA on my account, the Application Password is as secure as Google wants to make it. 16 characters is gonna be really hard to guess.

And as I was testing Adium... still a little giddy that this all worked, and I had also locked down my account, I got a notice from Mail.app that I needed to enter my password.

Ah... IMAP was not using the 2FA, and I needed to pull up the accounts in Mail.app, and go through that login once using 2FA, and to trust this device. When that was done, email was back online, and GTalk was too.

What a heck of a morning! Very good news!