The Crazy Politics of Age Verification

The UK government required age verification for pornographic websites to protect children. Australia was the first country in the world to ban children from social media. Children, of course, circumvented all such restrictions immediately. And now the UK government and others around the world are thinking “This plays well with the public” and are trying to follow suit, in spite of the fact that teenagers are laughing at the restrictions.

Rather than getting an informed opinion on the practicality of such measures from technology experts, the politicians, as usual, get their technical understanding from some random teenagers on social media.

This lack of tech savvy would be hilarious if it wasn’t such a serious matter. It’s nothing new. And these proposed technological solutions to problems in society are doing nothing to fix the very real issues they’re trying to address. You cannot fix social problems using technology. Leave a comment if you can think of any example where this has been the case.

Next Monday there’s a vote in the Commons on just this, and I fear grandstanding arts-graduate politicians will let it through, regardless of the technical impossibility of complying. And there’s no end to this nonsense.

There’s crazy, then there’s California

And just when you think it can’t get any worse, the Californians have taken it to the next level with a new bill called Age Verification signals: software applications and online services.

Here’s an extract:

1798.501. (a) An operating system provider shall do all of the following:

(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.

(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:

(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
(C) At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.

Having a handy OS function to determine the age of the user seems like a good idea, doesn’t it? Naughty software can refuse to run if the user is under-age. But it’s technical nonsense; not thought through at all. For example, it’s referring to a “real-time application programming interface” – so this only applies to an RTOS? Obviously they saw the phrase, thought it sounded good and included it.

But the concept has some merit – rather than everything doing age verification, why not dump the problem on Microsoft, Apple and Google? They’ve got the resources, and with their penchant for knowing everything about their customers, their OS could easily provide age verification information along with their shoe size and taste in pot plants.

Except… you need to consider the chilling effect this will have on anything called an Operating System. The lawmakers probably wouldn’t recognise an OS if it jumped out at them waving a flag, but this is important here. For starters, every embedded system has software that fits the definition of Operating System. Do they have to provide age verification?

And what about, say, servers? They don’t have a user as such, but they have people using them (administrators). How can you tell the age of the administrator at any given time? The account may well be shared by a number of people.

But the most damage from this nonsense will be to FOSS operating systems like Linux. They don’t have a KYC culture like Microsoft/Apple/Google to make it easy and don’t have the time, money or resources to solve the problem. An open source operating system is community owned, and the community has no incentive to track the personal details of who might be using it.

Although Linux is free, it’s still licensed using the GPL and has a vendor – even if no money changes hands. If this bill ever passes, the State of California may well go after the vendor for non-compliance and try to force them into it by fines and suchlike.

The logical solution to the problem for Linux distributions (and FreeBSD and whatever) is to change the terms of their license saying “You may not download or use this software in the State of California”. Microsoft, Apple and Google will love that.

Bad software and security

Today, LinkedIn decided I might want to see this post from Thomas Barnett:

“Most businesses don’t get hacked because of bad software.
They get hacked because someone clicked.”

(Apologies if the link doesn’t work – it’s a Microsoft site).

He is, of course, quite correct in that phishing and trojans are the most exploitable vulnerability in most organisations, but it hinges on the term “bad software”. If you’re new to the world of computing you won’t remember a time when this wasn’t a problem, but it has become one largely thanks to Microsoft thinking of profits before security, with features to “create a richer user experience”. I’d classify this as “bad software”, and it very much is the cause.

In the early days of the Internet there was assumed security, as any miscreants could be apprehended by the system operator checking which terminal they were on and paying them a visit. Unencrypted data flew back and forth on the network without it being a huge risk, as access to the wires was controlled by bricks and mortar. It took a while to add encryption when the Internet went public, but that’s done. Logins require security certificates. SMTP relays are closed. It should all be good.

Then some fools decided it would be “cool” to embed software in network traffic.

“Let’s allow people to send executable files by email that look like any other file and can be opened by clicking on them.” Bad software.

“Let’s embed JavaScript in web pages so we can run stuff on the user’s machine.” Bad software.

“Let’s embed software in Microsoft Office documents.” Bad Software.

“Let’s use passwords for accessing important data instead of security certificates tied to a host.” Bad Software.

There are other forms of idiocy around, such as downloading software from a package repo, placed there by anyone on the Internet, simply because there are so few actual software engineers around who can configure a server without a Docker image. But using passwords to log into remote systems, encrypted or otherwise, where the user has no way of knowing whether it’s the real login page is nuts. So is embedding software in electronic communications.

A cybersecurity industry has built up trying to place mitigations on this bad software. People like me have been warning about the fundamental dangers of Microsoft’s “Rich user experience” mantra for decades. I remember writing a piece for PCW in November 1996 when Netscape (not Microsoft, for once) proposed adding JavaScript to web browsers. (Previously Java Applets* were theoretically sandboxed).

Before this, when Microsoft added WordBasic in Word for Windows and DOS, people like me who’d been at the forefront of antimalware in the 1980s were sarcastically asking “What could possibly go wrong?”

So Mr Barnett is right to say these things are the most effective attack vector. Organisations should be very afraid. But they’re only attack vectors because the software is bad.

*JavaScript and Java share the name but are nothing like the same thing.

Microsoft sued over Windows 11 debacle

I’m not normally a fan of vexatious litigation, but when someone decides to harass Microsoft over their outrageous move to force 240 million Windows PCs onto the scrap heap I can only applaud.

The heroic litigant is a chap called Lawrence Klein, who is from Southern California in case it wasn’t obvious.

He’s not actually after them for billions, but reckons they’re abusing monopoly power and wants the judge to force them to provide security updates for Windows 10 until it’s only 10% of the installed base. It seems very reasonable to me.

The complaint was filed in San Diego. Mr Klein is right on the button and isn’t holding back.

The text of the complaint can be found on the Courthouse News web site here.

Christmas Come Early for Scammers – Thanks Microsoft

As a reminder that Microsoft never lets security considerations get in the way of a Good Idea, it’s emailed 50,000 gift cards to random addresses it has on file. To quote:

To help spread holiday cheer, Microsoft Store has surprised a total of 50,000 U.S. customers with virtual gift cards via email. 25,000 customers will receive a $100 Microsoft Gift Card while 25,000 others will receive a $10 Microsoft Gift Card ahead of this holiday season. These randomly selected recipients can redeem their gift card on Microsoft Store through December 31, 2021 and spend it within 90 days of redemption

Publications in the US are advising punters to check their spam folder in case they’ve got an e-voucher for free Microsoft goodies. Presumably these email addresses are of lusers with a Microsoft account of some kind.

With the media coverage starting to appear in the US, anyone phishing for Microsoft account credentials now has the perfect social engineering exploit, available between now and the New Year. Nice one Microsoft.

NHS not exactly target of “cyber-attack”

The Security and Intelligence Committee takes all this cyber-thingy stuff very seriously.

I got home, put on BBC News and there was some dope being interviewed about a “cyber-attack on the NHS”, blithering on about their M3 network and how secure it is. I turned over to Sky, and there was someone from Alienvault talking sense, but not detail. Followed by the chair of the Security and Intelligence Committee, Dominic Grieve, blustering on about how seriously the government took cyber-security but admitting he didn’t know anything about technology, in case it wasn’t obvious. I have never met anyone in parliament who does (see previous rants).

So what’s actually happening? It’s not an attack on the NHS. It’s a bunch of criminals taking advantage of a bug in Microsoft’s server software. Almost certainly MS17-010. An attack based on this exploit was used by NSA in America (Equation Group) until someone snaffled it and leaked it (allegedly Shadow Brokers). It’s been used in a family of ransomware called WannaCrypt, and it’s being used to extort money all over the place. I see no reason to believe the NHS has been targeted specifically. It’s targeting everyone vulnerable, all over the world. Poorer countries, where they are running more old software or running bootleg versions that don’t receive updates, are worst hit.

So why is the news full of it being the NHS, and only the NHS? One reason is that Microsoft issued a patch for MS17-010 a good while back. And the NHS didn’t apply it. Why? Because they’re still using Windows XP and Microsoft didn’t issue the patch for Windows XP. Simple.

A lot (repeat A LOT) of companies use older Microsoft systems because (a) they’ve bought them, why should they pay again; and (b) Microsoft abandoned backward compatibility with Windows 7, so a lot of legacy software (dating back to the 1980s) won’t run any more. Upgrading isn’t so simple.

There’s a lot of money (from Crapita Illogica (CGI), Atos and G4S – amongst others) in flogging dodgy Microsoft-based IT to government projects. Microsoft Servers are considered Job Security for people who can only understand how to use a wizard, but know it’ll break down regularly and they’ll be called upon to reinstall it.

No one who knows how computers work would ever use Microsoft servers except as a last resort.

Update 13-May-2017

Guess what? Microsoft has now released a patch for older versions of their server software (i.e. Server 2003 and Windows XP). That was jolly quick; it’s like they had it already but didn’t release it to punish those who refused to “upgrade”.

ParentPay seriously broken (again)

400 Bad Request
ParentPay, the Microsoft-based school payment system that’s the bane of so many parents’ lives, has yet another problem. Since Saturday, every time I go to their web site I get a page back that displays as above. Eh? Where does this page come from – it’s not a browser message. A look at the source reveals what they’re up to:

<html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

 

Okay, but what the hell is wrong? This is using Chrome Version 56.0 on a Windows platform. Can ParentPay not cope with its standard request header? If a cookie is too large, the only culprit can be ParentPay itself for storing too much in its own cookie.

I’ve given them three days to fix it.

Unfortunately, parents of children at schools are forced to use this flaky web site and hand over their credit card details. How much confidence do I have in their technology? Take a guess!

Solution

So what to do about this? Well they have the URL https://parentpay.com, so I tried that too. It redirected to the original site, with a slightly different error message sent from the remote server – one that omitted mention of cookies. So it was definitely Chrome’s header? Upgrade Chrome from 56.0 to 57.0, just in case… No dice.

A look at the cookies it stored was interesting. 67 cookies belonging to this site? I know Microsoft stuff is flabby, but this is ridiculous! Rather than trawling through them, I just decided to delete the lot.

That worked.

It appears ParentPay’s bonkers ASP code had stored more data in my browser than it was prepared to accept back. Stunning!
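The failure described above can be reproduced on paper. This is an added example, not code from the original post or from ParentPay: it builds the single Cookie request header a browser would send for 67 stored cookies and compares its size with one nginx header buffer. The cookie names and sizes are constructed, and the 8 KiB limit assumes nginx's documented default of large_client_header_buffers 4 8k, since the site's real configuration is not known.

```javascript
// Added example, not code from the original post. All cookie names/values are constructed.
// Assumption: nginx runs with its documented default "large_client_header_buffers 4 8k",
// so a single request header line longer than one 8 KiB buffer is answered with 400.
const HEADER_LINE_LIMIT = 8 * 1024;

// Bytes a string occupies on the wire (UTF-8), not its JS character count.
function wireBytes(s) {
  return new TextEncoder().encode(s).length;
}

// A browser sends every cookie in scope for the site on ONE "Cookie:" line.
function cookieHeaderLine(jar) {
  if (jar.length === 0) return ""; // no cookies: the header is omitted entirely
  return "Cookie: " + jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Report the header size against the limit and name the biggest contributors.
function auditCookieJar(jar, limit = HEADER_LINE_LIMIT) {
  const total = wireBytes(cookieHeaderLine(jar));
  const largest = jar
    .map((c) => ({ name: c.name, bytes: wireBytes(`${c.name}=${c.value}`) }))
    .sort((a, b) => b.bytes - a.bytes)
    .slice(0, 3);
  return { count: jar.length, total, limit, rejected: total > limit, largest };
}

// Simulate a site that sets one more cookie per visit and never expires any:
// returns the number of stored cookies at which requests start being refused.
function cookiesUntilRejected(makeCookie, limit = HEADER_LINE_LIMIT, maxCookies = 1000) {
  const jar = [];
  while (jar.length < maxCookies) {
    jar.push(makeCookie(jar.length));
    if (auditCookieJar(jar, limit).rejected) return jar.length;
  }
  return null; // never exceeded the limit within maxCookies
}

// Constructed cookie: 8-byte name, 120-byte value (both invented for this example).
function sampleCookie(i) {
  return { name: "state_" + String(i).padStart(2, "0"), value: "x".repeat(120) };
}

const jar67 = Array.from({ length: 67 }, (_, i) => sampleCookie(i));
console.log(auditCookieJar(jar67));              // 67 cookies, as counted in the post
console.log(cookiesUntilRejected(sampleCookie)); // cookie count at which the 400s begin
console.log(auditCookieJar([]));                 // after deleting the lot
```

With these constructed sizes the header passes the limit well before 67 cookies, and every request is refused from then on until the cookies are deleted, because the browser cannot shrink the header on its own. On the server side the durable fix is to keep state in a server-side session keyed by one small cookie, not to keep enlarging the buffers.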

 

Windows 10 Free Upgrade failure

Last Friday was the last chance to get a free upgrade/downgrade from Windows 7 to Windows 10. The Microsoft checking utility confidently announced my system was compatible, but I doubted that as I was running stuff in XP Mode, and some old Chicago (Windows 9x) software. But I thought I’d give Microsoft the benefit of the doubt and try. But before that I backed up the entire hard disk.

Giving Microsoft the benefit of any doubt is always a bad plan, and in my case the installation died half way. The update was apparently downloaded, but I left it all weekend and it failed to install.

It’s hard to see why anyone who knows about computers used for serious purposes would consider “upgrading” to Windows 10 a good idea. I’m not sad I had to revert to the backup and get my Windows 7 machine back. Windows 8+ completely failed to implement the backward compatibility that Microsoft used to do so well. Upgrading DOS or Windows meant you could keep your legacy applications and hardware, but switching to OS/2, Apple, UNIX or Linux meant you could not. Now upgrading Windows means ditching older software too – in my case, I suspect my company’s accounting system. If you’re going to do anything as rash as that, you might as well break free from Microsoft completely and choose a whole new platform.

I was expecting to write something slamming Microsoft for messing up my PC this morning, but thanks to their complete incompetence, the upgrade didn’t work anyway.

ParentPay won’t support “insecure” browsers

This week ParentPay, the Microsoftie payment system used by many schools, rolled out a web site update to support an even more limited range of browsers. This included dropping support for Internet Explorer before 9 for “security reasons”.

By coincidence, in the same week Microsoft trumped their loyal fanobois at ParentPay by announcing that everything prior to version 10 was hereby deemed unsafe. ParentPay has yet to comment.

However, the notion that any version of Internet Explorer is “safe” is stretching the truth badly. All the mainstream browsers are dodgy; they all support unsafe scripting and embedded code. Microsoft may have the worst reputation, but they’re all undermined by their code and add-ons – and host operating system, to be fair. Only a few niche browsers, that don’t support things like JavaScript and ActiveX, can be considered safe; and those are the ones that ParentPay refuses to support because they don’t allow “rich content”. (And their developers are Microsoft fans). It’s definitely a case of form over security, yet again.

As an illustration of just how feeble their new browser support policy is, here’s a list of those they’ll accept, taken from their web site:

  • Chrome 35 or higher
  • Firefox 30 or higher
  • Internet Explorer 9 or higher
  • Safari 6 or higher.

The the the the That’s All Folks!

Schools should be seriously considering their relationship with ParentPay, given the cost and inconvenience they’re forcing parents to go through in order to use it. Analysis of the traffic across my servers suggests that IE has around a third of the browser market. Of these, more than half are using IE 9 or earlier.

ParentPay’s assertion that this will only affect a “..small proportion of parents” may be literally true, but it’s disingenuous. Let’s do some simple arithmetic. Say there are 1500 parents in a secondary school. A third of these use IE – that’s 500. Half of these use an old IE (on an old PC) – that’s 250/1500 parents at each school who’ll be grossly inconvenienced. Cancel the fraction out and it’s 1/6, which could be described as a small proportion, but it’s still 250 per school.

The number of people who would be using “unsupported” browsers on tablets or mobile devices is probably very high. Anecdotally, parents have access to a PC somewhere that they currently have to go to in order to use ParentPay. Many would rather use a tablet.

It’s about time someone set up an alternative to ParentPay and schools were educated in the benefits of open standards.

How to stop Microsoft Windows 10 upgrade

Famously, Microsoft announced that the “upgrade” to Windows 10 would be free of charge. How nice of them. Given that historically Microsoft has made a lot of money selling consumer upgrades, this is a little puzzling until you realise what happened to Windows 8 in the commercial IT world. Basically, it’s as popular as a rattlesnake in a bran tub. Commercial users are still demanding, and getting, Windows 7 whilst home lusers have had no choice – having only Windows 8 pre-installed.

Since then, some Windows users have been “encouraged” to “upgrade” to Windows 10 by having a pop-up nag screen turn up on top of their work at regular intervals. This is produced by an update called GWX (“Get Windows Ten” in Roman numerals). An update you don’t seem able to un-install. Nice!

However, Microsoft has bottled out of doing this on Enterprise versions of Windows. They’re not that crazy. Imagine what would happen if every corporate customer got “upgraded” to a version of Windows that didn’t support their bespoke CMS, all at once. Every IT support person in the world would be heading for Seattle with a pitch-fork and flaming torch. ARM and embedded Windows won’t auto-upgrade either; nor (I believe) will machines connected to a domain controller – indicative of being used in a business.

As usual, it’s the voiceless SMEs using Windows 7 Pro that are left paying the price for choosing Microsoft, and I’ve heard of plenty of people falling for the nag screen and getting into trouble.

In response to customers’ requests, demands and threats of physical violence, Microsoft has told the world how to disable the activities of GWX, in a KB article found here. Basically you have to add the following registry keys and it should stop. To disable OS upgrading add:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

And to stop the nag screen add:

Subkey: HKLM\Software\Policies\Microsoft\Windows\Gwx
DWORD value: DisableGwx = 1

The free “upgrade” offer only extends until July this year, so it will be interesting to see what happens then. In spite of Microsoft’s threats to drop it, Windows 7 is still being used in new installations, and from where I’m sitting, it’s the default option.

Microsoft Security Essentials hangs during a full scan

First off, can I be clear about one thing – endpoint virus scanners don’t make your computer “secure”. A lot of the most dangerous stuff gets past them, but trusting lusers believe they’re safe and will therefore take risks they otherwise wouldn’t. See my posts and academic papers passim ad nauseam. Now that’s out of the way, I favour Microsoft Security Essentials (or Microsoft Endpoint Security) on Windows as I find it less likely to make the system unusable. I don’t recommend it, except as the least-worst option.

On with the problem…

Sometimes, especially in the last year or so, I’ve found Security Essentials will stall when it’s doing a background scan. You may not notice it’s done this, but some symptoms are that web browser file downloads won’t work (it’ll download 100% but never finish) and the PC won’t hibernate automatically using the power-saving settings.

I’ve looked for solutions to this, as well as searching the web for an answer. You’ll often see people posting (without references) that this is a bug and Microsoft are working on it, or have now fixed it. I’ve tried theories myself to see if it’s caused by compression or archive formats causing a decompressor to break (I’ve noticed this often fits the facts), but this is little help when finding a solution, and even then it sometimes still hangs when the option to check compressed files is turned off.

What I’ve yet to find is anyone giving a real solution, so here it is:

  1. Deinstall Security Essentials.
  2. Download and install Security Essentials.

I’ve never known this not to work. On the other hand, I’ve known all the other theories you see posted on forums fail to work pretty consistently.