Sunday, September 28, 2014

Oh Microsoft, why do you...(& why can't you, why don't you) - aka; The ongoing struggle to get and/or understand Msft "help".

To start with I want to say that Microsoft is far from the only one that makes using their software harder than it has to be, but they do it *so* well..

Today I was getting caught up on my email and was reading a SANS newsletter that included an entry:

Title: Microsoft reissues windows patches that previously caused blue screens

Description: Microsoft released updates to patch 2982791 to resolve the
bluescreen issues.  Microsoft strongly suggests all customers uninstall
patch 2982791 and install the updated patch, 2993651.



- So, I look in my installed updates and I see both. "updated patch, 2993651" is installed, and "patch 2982791" is also.. 

My first question is: Is there a reason that MS automatic updates didn't uninstall "patch 2982791" before installing "updated patch, 2993651"?

Then I read through the MS reference information related to the issue..
Instead of clarification what I find is more confusing (and conflicting) information.

In the "Update FAQ" section it says: "Customers do not need to uninstall the expired 2982791 update before applying the 2993651 update; however, Microsoft strongly recommends it.
Customers who do not remove the expired update will retain a listing for 2982791 under installed updates in Control Panel."

And in another area is the boilerplate: "Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically."

Tell me how Automatic Updates helped me in this case..

OK, so I am a 'customer who has automatic updating enabled...' and as so; "... will not need to take any action because this security update will be downloaded and installed automatically.", right? (underline added by me)

"[...] will not need to take any action [...]" 

-- OK fine, but what about where you say "Customers do not need to uninstall the expired 2982791 update before applying the 2993651 update; however, Microsoft strongly recommends it."  (underline added by me).

If you 'strongly recommend' it then why didn't you do that as part of your "automatic" updates?
If there was some technical reason that precluded doing that you don't mention it, neither do you say anything about whether or not to uninstall 2982791 if, as in this case, it's still installed after the 2993651 update.

You say "Customers who do not remove the expired update will retain a listing for 2982791 under installed updates in Control Panel.", but nothing is said about any issues that may arise as a result of leaving it.

It just doesn't make sense to me that you would make such a "strong" recommendation yet leave customers like me hanging like this. On the other hand it hardly surprises me, and one more time I'm left cursing Microsoft.

Saturday, August 20, 2011

The Security Consequences Of Mozilla's Rapid Release Schedule

'Mascot' image from the Mozilla ADD-ONS Blog

Continuing on a topic from my last post I want to focus on the security threat created by the 'rapid release' schedule the Firefox browser is now on.

I won't dispute the positive aspects of this move for Mozilla, however from a security standpoint it creates multiple hazards. A 'Ready or not, here we come' dictum may be OK in some cases, but it's a recipe for trouble when it comes to security.

Like it or not, Mozilla bears the responsibility for not just its browser alone, but also for taking into consideration the extended 'technosystem' of add-ons that have a somewhat symbiotic relationship with Firefox. They also have a responsibility to contribute to overall Internet security.

When so many of their users have security software that either integrates with or is a standalone 'add-on' to Firefox (and these users are to be commended for contributing to the overall security of the Internet),  rushing ahead and leaving them vulnerable is irresponsible and thoughtless.

Rushing to get something done often results in mistakes. You can rush things and get your product out first, but it rarely results in a quality product (and in this case you can add "secure" to that).

I realize that Mozilla can't simply wait until every 3rd-party piece of software is updated on their own schedule. There has to be some form of cooperative effort to find a middle ground however.

The consequences of the current situation are giving even more ground to the security threats confronting Firefox users. You wouldn't leave your children home alone (before the sitter gets there) while you go to work, and a wilderness guide wouldn't forge ahead and leave people behind to fend for themselves.... would you?

As people mature they learn to consider the consequences of their actions and hopefully become less self-centered. I realize that many businesses don't act this way, but good ones do (in varying degrees) and those get my respect (and patronage).

This world needs more cooperation not less.

Edit/add [8/20/2011 1:05 PM]:

I left out (in my haste!) the people on the security software side of the equation who need to do their part by starting their update process as soon as they can. They too have a responsibility to work in cooperation with Mozilla so both end up with a reliable product and safer users.

Wednesday, August 17, 2011

Caught In The Middle

Numerous issues are impacting me that have me caught in the middle and [nearly?] powerless to change (at least in the near-term). The first two affect many people, not just myself.

The first is the recent (and ongoing) fight over the debt ceiling and budget. I and many people like me that are living solely on their Social Security/Disability income had to wait literally until the last moment, not knowing if they could pay their bills. You know, little things like rent, utilities, food & medications..

The right-wing's lack of concern for some of the more vulnerable citizens is disheartening, and the notable favoritism shown towards the upper class and corporations combined with their manifest contempt of those in need is despicable. I want to mention that the silence ("willful ignorance"?) on this subject by the vast majority of the media is disgraceful, and will be looked back on (along with many other examples) as a major failure of the Fourth Estate during this time in our nation's history. The abdication of power and responsibility by this Fourth Estate has enabled those with selfish and dangerous ambitions to take our country in a direction far from the ideals so thoughtfully laid out by our Founding Fathers.

Caught between Mozilla - Firefox and security software

Since Mozilla started its rapid release schedule for the Firefox browser many of the security add-ons & extensions I rely on haven't been updated to work with the current version (at the time of this post Firefox 6.0 has just been released). Previously, security software companies such as AVG (LinkScanner), Symantec-Norton, M86 Security (SecureBrowsing) and others had plenty of time between 'major releases' of Firefox to update their software (so it will work with whatever changes the new version of Firefox has).

That time has been drastically cut since this 'rapid release' initiative began.

This is from the "Mozilla Firefox: Development Process" page:

"Firefox uses a schedule-driven process, where releases take place at regular intervals. That means each release happens regardless of whether a given feature is ready, and releases are not delayed to wait for a feature to stabilize. The goal of the process is to provide regular improvements to users without disrupting longer term work."

- Further down the page:

Security Releases

"This proposal makes security updates occur along with Firefox releases, meaning we'll no longer be maintaining old branches. Having security branches for each major update is untenable if we release as often as we aim to."

Extension Compatibility

"Extension compatibility is the trickiest part of the transition. In particular, it's not what the policy should be when a user has extensions that are incompatible with a new Firefox release. Each release will have at least 12 weeks to identify extensions that are no longer working, but this issue will be complicated."

On the Future Release Blog there's a post named "Every Six Weeks".

"We’re studying the effects of the process carefully; it’s a big change and we will be flexible in our approach as new information comes in. We may decide that 6 weeks is the wrong interval, for instance, though it’s worth remembering that Firefox maintenance releases have been released on 6-8 week intervals for years, and sometimes included major changes. We’re also paying close attention to the impacts this cycle has on our ecosystem of add-ons, plugins, and other 3rd party software that interacts with Firefox. We’re working with large organizations, too, to understand how rapid release can fit into their software deployment systems."

"Whatever adjustments we make, it’s clear that rapid release is a major improvement in our ability to respond to the needs of our users and the web. Every 6 weeks we have a new Firefox to evaluate and, unless some surprising and irreconcilable breakage is discovered, release to the world. No one will have to wait a year for the developer scratchpad now in Beta, or the massive memory and performance improvements already on Aurora, or the slick tab management animations soon to land on Nightly. Rapid release is already paying dividends, and we’re just getting started."

Johnathan Nightingale
Director of Firefox Engineering"

Now as far as the security software (companies) side of things, I haven't read any comments directly from them about this issue.

I have heard directly from M86 Security after I posted a comment on Twitter about their "SecureBrowsing" browser add-on:

Firefox just updated to v5. When will your plug-in be updated?
(Posted 22 Jun)

Their reply:

@TRDaggett We do not have a definitive date at this time, as we are currently reviewing Firefox 5. We'll keep you posted
(Posted 27 Jun)

It's now August 17th and Firefox 6.0 has now been released.... and if you go to the M86 SecureBrowsing (FAQ) page it says:

5. Q: Where will SecureBrowsing work?
    A: SecureBrowsing has been designed to work on the most commonly-used Internet tools.
         The current version of M86 SecureBrowsing supports the following:

 Web Browsers:
  • Microsoft Internet Explorer 6.0, 7.0, 8.0 and 9.0
  • Mozilla Firefox 3.x and 4.0
  • Google Chrome 10

BTW, Google Chrome's current version is 13x.

Despite the fact that @M86Security told me "We'll keep you posted", I've heard nothing from them [to date]. So if they were "reviewing Firefox 5" and still haven't gotten back to me by the release of Firefox 6.....

1.) They don't care enough about their users to (proactively) keep them informed.
2.) They're not able to keep their SecureBrowsing product updated (for 2 major browsers) in a timely manner, leaving those users unprotected.
3.) M86 Security SecureBrowsing needs to append the FAQ page "Web Browser" information with a note regarding future updates to Firefox and Chrome or remove them from the list.

(Make a decision M86 Security. Then please inform your users.)

I also use the (free to Comcast Internet customers) Norton Security Suite. This version complicates the update issue even further because it's different from both Norton Internet Security and Norton 360 and [probably] has its own 'team' of people working on its updates (including various browser add-ons).

I noticed that if I open up the Norton interface on my desktop and click on Identity Protection [View Details] it says that Norton Safe Web and Identity Safe are both on and working!

I called the Norton Security Suite support folks today and was told that they were working on the browser compatibility updates but they wouldn't provide any time table as to when they would be released. I want to mention that the support call must have gone to India because there was a noticeable delay and the woman was very hard to understand, so the combination of those two factors made for a poor quality support call (which I have to say has not been the case with most of my previous support calls involving outsourced support centers in India). It was unfortunate that I was already irritated by several factors including the fact that this was my second call to Comcast support about this matter. The first customer tech support person tried to transfer me to Norton support but used the wrong number, aborted, came back to tell me what she did, and then on the second attempt ended up transferring me to Netgear support!

Finally, AVG LinkScanner (which I've used for years, since before AVG bought them out and ruined incorporated LinkScanner into their products) partially works with Firefox 6.0 but the feature that checks web [page] links and search results (like Google) hasn't been updated yet. AVG has been quite a bit quicker than Norton to update their Firefox add-ons. I can still use the AVG Toolbar to search via the AVG secure search feature or open the desktop LinkScanner interface and enter (and scan) a URL manually. It's not as convenient, but it adds a valuable security resource to my kit.

Mozilla's rapid release schedule has created a security issue for Firefox users who rely on various security add-ons and extensions. I'm not saying that the problem is solely because of the faster schedule though. Other security add-ons (like Giorgio Maone's "NoScript" and Wladimir Palant's "Adblock Plus") have kept pace, but it seems likely that the security software produced by the bigger security companies has a much different (and complicated) process that it has to go through. A good analogy is probably that of an aircraft carrier vs. a Coast Guard cutter.

As I recall after Firefox version 5.0 was released my Norton Toolbar* and IPS 'broke' and after a few weeks some protection features (like search results) were updated but the toolbar wasn't (and still hasn't been updated).

Ultimately I hope to see [at least] two things happen. Security software companies whose products integrate with Firefox (and Google Chrome) will adapt to a faster update schedule, and Mozilla will adapt their release schedule to better enable security add-on software to stay current (and 'on the job'!). Rapid release schedules are great but not if they result in leaving your users vulnerable.

Best practices call for a 'layered' approach to security. We need to work together as much as possible to increase Internet security.

*The Norton Toolbar includes the Identity Protection features like the 'Identity Safe' that I used daily. [Among other things] It securely stored passwords for websites and automatically logged me in to those sites. It also held 'cards' that I could fill with customized identity information which in turn could be automatically entered into forms on web pages.

Tuesday, May 10, 2011

On Newspapers & Paywalls

There are some basic requirements that must be met before I'll consider paying for online news. In my case it's [specifically] the Concord Monitor.

First let me preface this by explaining that I survive solely on my disability check from Social Security each month (which hasn't increased for a year or two, and isn't likely to next year either). So every expense I incur comes out of a fixed amount. I have to consider the value of every cent spent and also weigh it against every other expenditure. And despite what the CPI* indicates, the cost of many of these are going up.

So for me to take a portion of this [shrinking] pie and spend it on the local newspaper there has to be:

1. Exclusive content that I value and is well written, informative, complete & accurate.
2. A well laid out & easy to navigate website.
3. A website that is secure and well maintained (best security practices incl. 3rd-party audits/pen testing).
4. Also a secure payment system utilizing the best security available to protect customers including full encryption of transactions and storage of customer data. Also requiring the same if 3rd-party payment processors (or *other*) are used.
5. Plenty of local content.
6. Lots of compelling photography.
7. Blogs (but EXCLUDING political** blogs!)

I'd also like to see a local 'Technology' section, possibly getting local experts to contribute regularly with advice & tips (that could even be done/sold? [tastefully] as 'Adver-Tips') and regular 'cybersecurity' information (similar to my [former] BlogsNH blog*** "TechAlert"), because caring about computer & Internet safety needs to be force-fed (subtly) to the public at every opportunity.

Finally, even though it's expensive and time consuming (and takes a certain amount of institutional intestinal fortitude), some investigative journalism would be nice to see. Frankly I see too much ...... (trying to think of the right word[s]) .. quick, superficial, non-confrontational articles, and I'm trying to recall the last time I read anything that exposed some serious wrongdoing or corruption concerning local public officials, organizations or businesses. To be fair, my memory is awful and I'm sure there have been some, but we both know the larger percentage goes unreported (and/or undiscovered).

I'm going to give the Monitor a shot and see how it goes, although I hope that I can pay 'in person' instead of online. I've been a victim of numerous database breaches over the years including Concord Hospital, the VA, Student Loans, and most recently the Sony PlayStation Network (where thankfully I chose to use their prepaid cards instead of a credit/debit card). I hope they consider this option and develop a way of implementing it.

- BTW, I hope that it's only the AP [text] content the Monitor's opting not to use and not Jim Cole's outstanding photography!

* Consumer Price Index
** Too divisive & (many of) the regular 'article' comments are *more* than enough negativity/fringe (especially for the moderators).
*** This is the page you see if you look today.. Hey Clay, I must have missed your alert to save our blogs before they weren't available anymore? (I'm glad that I saved most of mine and didn't leave it to chance..).

Monday, December 27, 2010

A Long Winter's Nap

ZZzzzzzzzz -------------
Napping is what I seem to be doing the majority of the time these days. Not by choice mind you, but finding the energy and motivation to do much of anything has been a struggle over the past months.

As evidenced by my previous post my cognitive abilities are much less than they were even at the beginning of this year. Composing posts used to take a long time, mainly because I have a hard time coming up with the precise words I want to use (in my mind I know what I want to say but the word is maddeningly elusive), but now the whole process has slowed greatly.

Still, every once in a while I'm sharper, I have energy, and actually feel like getting things done and/or getting out of my apartment. When it happens I try to take advantage of it and get all the chores like cleaning (vacuuming, dusting, laundry, kitchen & bath) done. Before the effects of diabetes complicated things I would do a lot of writing during these periods, but since then it's like someone opened up my brain and poured molasses inside (this post took me over 3 hrs to complete).

I'm posting this because I feel like I need to let people know why my activity has been even slower than usual (and more disjointed) and kind of depressing. I really want to post a bunch of much more positive and interesting things, honest! 

It's funny (not really, but..) when I lay down for a nap my mind starts thinking about all kinds of things. It's much more focused than when I'm up and about. But if I try to write down notes or even put it on tape I can't get past the first one! The process of doing that seems to disrupt the original thoughts (like a computer log set so low that it 'overwrites' itself). If there was a way of recording thoughts (passively) directly from my brain it would be such a help. I'd be willing to bet that in the future it will be possible, and by the time that happens getting it from a clinical/research setting to an affordable consumer device will be the easy part.

Now that I think about it, by the time [that] is possible scientists should have a much clearer picture of how brain chemistry works, hopefully developing much more effective treatments for things like depression, Alzheimer's, Parkinson's, etc.. Perhaps some combination of gene and neurogenesis treatment..


So now, tomorrow I go to talk about changing primary care physician and working on a more effective personal care plan (is that what it's called?) between health care providers and myself.
I need some kind of support 'cause all this is really hard to accomplish and deal with on my own..... I don't even have a pet

NOTE TO SELF: Make your next post much more positive!