Antivirus software company admits antivirus is useless. Flame malware signed with Microsoft keys.

Two interesting stories on The H Online regarding the Flame malware for Windows.

Antivirus company F-Secure has had samples of Flame since 2010, other antivirus companies have as well, yet they were unable to detect Flame until recently.

This means that Flame has been out there for over two years and no antivirus software has done anything about it.

Flame was signed with a forged Microsoft cryptographic key.

The forgery was simple to pull off since Microsoft’s Certificate Root doesn’t keep proper track of their keys and uses weak DES which most e-commerce sites haven’t bothered to use since the EFF demonstrated that it could be easily cracked using commodity PC hardware from 1998.

This demonstrates a couple things I’ve been saying all along.

1. Why do browser makers not bother to make sure that “Trusted” certificate roots can actually be, you know….trusted? You have Mozilla, Google, and Opera conspiring to keep CACert out, but all of them would trust insecure Microsoft keys from Microsoft’s certificate authority. What’s more disturbing is that Windows apparently recognizes Microsoft’s DES keys. I doubt that it would allow you to sign a kernel module with them, but it would be sufficient to suppress the security warning that pops up that says the software isn’t signed.

2. Antivirus software is pointless. It has marginal effectiveness against common malware, and no effectiveness at all with more sophisticated malware. It’s hard to tell whether this is incompetence or because the US government and Israel write malicious Windows software all the time, and they’d rather that users of Windows not be protected from it.

Should Mozilla support h.264? It depends.

There’s news that Mozilla is considering supporting the patent-encumbered and dangerous MPEG-4 formats known as “h264″ and “aac”. LINK (As reported by The H Online)

It’s unfortunate that it has come to this, but I am in favor of doing it in the way they have described. Albeit unenthusiastically…

We know that there is a dangerous and criminal organization out there called the “MPEG-LA” that doesn’t innovate or produce anything, but acts as a “patent pool” to sue victims who try to implement media codecs without their permission. They “own” several thousand “essential” patents (meaning that you can’t implement the spec without violating them) describing what h264 with aac does.

Microsoft and Apple, which are also criminal cartels, are also members of the MPEG-LA, and are trying to wipe out the open and unencumbered VP8 and Ogg Vorbis combination known as WebM by refusing to support it in Safari and Internet Explorer.

Mozilla and Opera have so far not implemented MPEG codecs because they would be gouged by the MPEG-LA’s innovation tax.

The problem for the user, which is caught in the middle, is that sites that are out there today and insisting on MPEG-4, such as Vimeo, won’t work in Firefox or Opera in HTML 5 mode, and require the proprietary binary blob with gazillions of security problems known as “Adobe Flash” to play their content.

Mozilla is not proposing to ship the offending codecs themselves, but to just use the ones on the system, if any. On Windows, they can hook into DirectShow, on OS X they can hook into Quicktime, and on Linux they can hook into and use anything Gstreamer can play. Of course Android,  iOS, and Windows Phone (with all three people who have one) all have their own media codecs.

The problem with this is that it shifts the responsibility to the user to make sure they have codecs. In most cases, the platform in question is promoted by some big company that sees the MPEG-LA siphoning their profits as a cost of doing business, but the codecs are there nonetheless and Firefox is currently not making use of them. It’s the case where a person uses free and open source software, such as a Linux distribution,  and doesn’t want top be gouged and run nonfree MPEG Cartel-sponsored gstreamer codecs (from Fluendo), that they have to make a choice about whether to use the codecs that infringe US patents (such as the free and open source gstreamer codecs). In the case of proprietary software, the choice was already made for them, as most choices usually are.

Therefore, my position is… With the objection to the MPEG-LA cartel even being allowed to exist at all. That Firefox should use whatever the user has installed. Refusing to play formats for which the user already has codecs is ridiculous. The user should ideally be using software that respects his or her freedom (such as the gstreamer-bad and gstreamer-ugly codecs, which is where ones with patent problems end up). Even more ideally, the laws should be changed to invalidate every last software patent out there so that the user is free to do what they wish with their own computer, and programmers are free to make software that can compete with established monopolies like Microsoft and Apple. Until then, a couple of minority browsers ignoring those codecs won’t make those codecs go away any more than some Linux distributions not officially providing MP3 codecs has made MP3 go away. Those sites are out there, and users should not feel compelled to use proprietary software such as Internet Explorer, Safari, and Google Chrome to simply view them. Just as users who encounter MP3s, while this is unfortunate, should not have to use proprietary software to play those MP3s.

As a second point for this position, we know Microsoft slips trojan horses into competing browsers on Windows, and so if Mozilla doesn’t do it, Microsoft will wedge in another broken plug-in that is full of security problems to Firefox users on Windows. By making the change in Firefox, they can preempt Microsoft infecting Firefox with more things the user may not have approved of.

It’s unfortunate that this method will make it the user’s problem to decide if they care about using untaxed codecs, but you can thank Microsoft and Apple that someone is going to be stuck with the check.

AT&T finds another way to mug their customers…

Bandwidth caps:

Or “If I had only known then what I know now, I may not have left Comcast”

I just checked my more or less abandoned Hotmail account the other day because I needed to retrieve a license key for a particular piece of software I bought a long time ago (and they only send the key to the email address you gave them when you bought it).

While I was digging, I noticed a letter from AT&T. The letter was very unprofessional because it didn’t even mention what service that it was in regards to. My mother, who is computer-illiterate, had them send her cell phone account info to that email address because she needed it in order to get “rebates” on her cell phone plan. Ever since then I’ve resigned myself to the fact that anything I see from AT&T that lands there is hers. I couldn’t get them to stop because it’s her account, she can’t get them to stop because she called one day, spent a typical AT&T hour on hold, got someone that said he fixed it and didn’t. (Again, everything I’ve come to expect out of AT&T).

So I get something from AT&T that said I went over my “data plan”. I didn’t notice, but AT&T has had a DSL cap of 150 GB a month since March. I figured my DSL didn’t have a cap, because it was “unlimited” when I started subscribing to it. So I figured it was talking about her cell phones. So I called over to their house, told my step dad that they might want to watch how much data they use over there and inadvertently started a fight that hasn’t let up between them yet. As soon as I found out that this was not about them, but was about AT&T DSL, I have never felt so pissed off in my life. I started World War III over there over something AT&T did to screw me over that has nothing to do with them.

Now that I’ve gotten that out of the way, here goes the obvious rant about data caps:

The nature of the DSL system makes it very very cheap for AT&T to solve congestion problems. Likely a few upgrades to DSLAMs here and there would clear up any problems (if there are any). For a company that makes record profits and gets to overcharge so much already due to being a near monopoly in the United States, these upgrades would be peanuts.

What is really happening, obviously, is that someone at AT&T noticed that if they can extract $10 a month extra here and there from their existing customers, that’s pure profit. Some of them may even not notice right away due to AT&T’s tendency to use cram methods so you never know quite what you’re paying for, and I doubt anyone is going to sue over $10-$20 in overage. Another fact, like in my case (where I got the two warnings this year), is that I changed email services quite some time ago and AT&T had an old Hotmail address I was barely using. Why aren’t they sending this crap to my ATT.NET email account? That’s my official AT&T email account. They sent those hilarious and absurd warnings about IRC being Windows malware to that address earlier this year. I do check it now and then to see if there are any account notices. Not quite as often as I could, but anyone who relies on ISP email is stupid. It is instant lock-in. If you ever leave that ISP, like I likely will with AT&T in the coming months, then they simply delete your email address and give you no forwarding options. Yet the fact remains that it is the official email address tied to my account and they should be using it in all official communications with me.

Now that we’re past the parts where AT&T made me to be an asshole and inadvertently start a war between my mother and step-father, then almost surprised me with a whopping bill full of overages, let’s talk a little about Adblock Plus and other ad blocking, like Privoxy or host files or Chrome Adblock or Opera’s content filter…or……you get the point.

I looked at my monthly usage for the last year, ad blocking the entire time. and I noted that there would have been an additional ~5-6 times that I got so close to either the 150 GB cap or the next cap (they sell you additional 50 GB chunks at $10 each), that I would have essentially paid AT&T another $50-$100 over the last year if I had turned my ad blocker off.

Note to website owners: Sure I feel for you, but I am not going to turn my ad blocking off and pay another $10-$20 a month in overage fees for the bandwidth that your 10 foot tall Microsoft ads in flash (the example I used was Phoronix.com at one point). If you would like to replace them with ONLY static ads or Google text ads, which do not chew bandwidth, and then apologize and promise on your site to never resort to that behavior again, then I promise to consider whitelisting your site. As it is though, I don’t feel like paying highway robbery to get Microsoft ads in flash and “buzzing mosquitoes” and “shoot-the-monkeys”.

In the kind of networks where there really are congestion issues by design, such as cable, it’s likely that this abusive advertising is what is actually “clogging the pipes”.

 

 

 

 

 

Microsoft to auto-destroy many copies of Windows with IE “upgrade”

U INFECTED BRO?

Today on The Heise Online, they mention that Microsoft is set to automatically download and install the latest version of Internet Explorer that manages to run on the particular Windows version installed. Since XP is the oldest thing they support, those users will get the obsolete Internet Explorer 8 browser, and Windows 7 users will no doubt get IE 9, which is only barely an improvement over IE 8.

I have no idea how they plan on updating Windows Vista users, but that will no doubt be another surprise for anyone foolish enough to actually be using it. There is IE 9 support for Vista (Which is where they will cut off support), but to get it you need a humongous “platform update” full of select backported crap from Windows 7.

Regardless of what version of Windows the user has, an Internet Explorer update is always dangerous since Microsoft continues to claim it is a system component and not a web browser. It means that at best, you need to reboot your computer, and if the upgrade goes wrong it can mean anything from Internet Explorer not working to the Windows shell failing in inappropriate ways. Internet Explorer installations and upgrades have had a significant number of cases of destroying the operating system beyond being salvageable since at least Windows 95.

No decent operating system claims the web browser is an integrated component that can’t be removed. The Internet Explorer situation is a continuing monopoly abuse and Internet Explorer itself is a relic from the 1990s, when Microsoft tried killing Netscape by forcibly installing their own web browser into Windows.

While we’re on the topic, most other operating systems don’t need to reboot after the user updates their web browser, file manager, media player, email client…..

This “almost comical if so many Microsoft victims weren’t suffering through it” situation makes me wonder what kind of a contrived setup those Microsoft funded “studies” used to get “99.999% uptime”. As soon as you apply any patch or update for Windows, it needs rebooted before the new files are used. Even if the user doesn’t want to reboot. Windows will pester them until they do or better yet, start a countdown and reboot the computer without regard to any work the user has left open and unsaved.

This was one factor, out of many, that frustrated me enough to leave Windows. Another factor is that they routinely triage security patches and frequently leave critical flaws open until the next month, like they did with BEAST this month.

That graph is funny, isn’t it? It’s not that Windows has gotten safer, it’s simply that Microsoft is stretching to classify updates that once would have rated critical as “important” based on the factors of “security improvements” in Windows that are often ineffective. (ASLR not being as random as it could be. NX/DEP being off by default for 32-bit software, many applications don’t bother using stack smashing protection because it exposes their programming flaws and causes them to crash, etc.) In many cases the user is left less than protected by what passes as Windows “security improvements” which is why malware is still rampant.

How can any human being tolerate this?

Help yourself to a decent operating system or at least a decent web browser. Firefox Chrome Opera