Month: August 2014

Microsoft is finally doing the right thing… it is killing off it’s old browsers. Now, if we could just get it to kill off Internet Explorer all together! Well, I can dream, can’t I?

Support for old versions of Internet Explorer to be dropped – in 2016

Ars Technica – By: Peter Bright – “Microsoft has supported Internet Explorer for an awfully long time. Each new version of Windows comes with a minimum of five years of mainstream support and five years of extended support. That support window covers all bundled and integrated software—including Internet Explorer—and any software updates.

Windows Server 2003, for example, is supported until July 2015. As such, Internet Explorer 6 (bundled with that operating system), Internet Explorer 7 (available as an update for that operating system), and Internet Explorer 8 (likewise, an update) are all supported until July 2015.

But all that is set to change under a new support policy announced today that is scheduled to take effect in about 18 months. Starting January 12, 2016, only the newest version of Internet Explorer for any given version of Windows will be supported. Older versions will cease to receive security fixes and other updates.

Once the new policy takes effect, Windows Vista and Server 2008 users must use Internet Explorer 9, and Windows 7 and Server 2008 R2 users must use Internet Explorer 11. Windows Server 2012 users must use Internet Explorer 10, while Windows 8.1 and Windows Server 2012 R2 users must have Internet Explorer 11.

The Windows Server 2012/Internet Explorer 10 pairing is due to Microsoft’s slightly odd handling of the transition from Windows 8 to 8.1, and 2012 to 2012 R2. There is no version of Internet Explorer 11 for Windows 8. However, for Windows 8, the Windows 8.1 update is essentially a service pack, and this includes Internet Explorer 11. Windows 8 and 8.1 have two years of ‘parallel’ support, during which both receive updates. After that period, the (free) 8.1 update becomes mandatory anyway. The cut-off date for Windows 8.0 is also January 12, 2016.

Windows Server 2012 is the server counterpart to Windows 8 and ships with Internet Explorer 10. However, Windows Server 2012 R2, the counterpart to Windows 8.1, isn’t treated like a service pack and isn’t a free update (except for Software Assurance customers). Instead of two years of parallel support, both Windows Server 2012 and Windows Server 2012 R2 are supported all the way through 2023.

Unless Microsoft remedies this somehow (either by treating the server operating system the same way as the desktop operating system, or by releasing the new browser for the older operating system), Internet Explorer 10 will continue to be supported and updated.

Even with this anomaly, the new support policy represents progress. As we note each month, while the majority of Chrome and Firefox users are all using the newest version of those browsers, Internet Explorer has a large user base that’s using old versions. Internet Explorer 8 is currently the most widely used version of the browser.

Microsoft started making Internet Explorer updates automatic with Internet Explorer 9 and made them automatic from day one with Internet Explorer 10. The result was that versions 10 and 11 spread much more quickly than their predecessors. But unlike the competition, the carrot of better performance and standards compliance never had a corresponding stick of non-support.

In 2016 that will finally change, a move that should help push old versions of Internet Explorer off the Internet. As we’ve seen with Windows XP, that change sadly won’t be instant, but any bit of pressure to discourage the use of old browsers can only be a good thing.”

I have a Nexus 10, so I already have access to Google Now… but now anyone with a late enough version of Android can use it!

Formerly Nexus-only Google Now Launcher out for all Android 4.1+ devices

Ars Technica – By: Andrew Cunningham – “When KitKat was released on the Nexus 5 last year, it included a new application launcher that we spent quite a bit of time on in our review. That launcher wasn’t actually a part of KitKat, though—it was exclusive to the Nexus 5 for several months and was only made available to other Nexus and Google Play edition phones well after they had been updated to KitKat. Now, Google is casting an even wider net. The company just announced that the Google Now Launcher can be installed on any phone running Android 4.1 or newer, regardless of manufacturer.

As we’ve covered previously, the Google Now Launcher isn’t really a launcher in and of itself—it just ties in to code that’s been shipping with the Google Search app for around a year now. If you try to install the Google Now Launcher on a phone with an older version of the Search app, you’ll be prompted to update it before you can actually switch home screens. Previous versions of the launcher could often be sideloaded onto newer phones and tablets with no issue, since the launcher is just part of the Search app, and the Search app is installed on all Google-approved Android devices.

If you haven’t experimented with it before, the Google Now Launcher replaces your phone’s home screen with the same one Google first released on the Nexus 5 late last year. It offers its own wallpapers, and it has voice controls that can be activated by saying ‘OK Google’ when sitting at the home screen. If you’ve opted into Google Now, you can see all of your cards by swiping right from your primary home screen.

When you first install the launcher, you can activate it by tapping your phone’s Home button, selecting the Google Now Launcher from the list that appears, and selecting ‘Always’ to make it the default launcher. If you decide you don’t like it later, you can switch back to the old launcher using the Home panel in the Settings, or you can uninstall the launcher completely (this isn’t an option on the Nexus 5). The first time you open it, it will offer to import your icons and widgets from your existing home screen, and it will prompt you to opt into Google Now if you haven’t already (it’s not mandatory, but it’s part of the launcher’s raison d’être).

While the Google Now Launcher can make any phone feel a good deal closer to the ‘stock’ Android Google is shipping on Nexus devices, it’s only a replacement for your home screen and application drawer. Any modifications your phone’s OEM or carrier has made to the notification center, the quick settings panel, the multitasking switcher, or any settings menus will remain intact, for better or worse.

Releasing the Google Now Launcher to all phones is just the latest step down a path that Google started down when it began updating certain Android apps through the Google Play store rather than through major Android updates. Now that the home screen has been added to that list of apps, it’s even easier to get a Google-approved, Google-designed experience on your phone, even if your OEM doesn’t keep your phone up to date. We have no doubt that the Google Now Launcher will be tweaked to reflect Google’s new Material Design initiative, alongside many other Google-controlled apps.”

We’ve got to be careful out there, to slightly misquote “Hill Street Blues!” Apparrently, USB is inherantly easier to lend itself to misuse!

Why the Security of USB Is Fundamentally Broken

Wired – By: Andy Greenberg – “Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

‘These problems can’t be patched,’ says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. ‘We’re exploiting the very way that USB is designed.’

‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’

Nohl and Lell, researchers for the security consultancy SR Labs, are hardly the first to point out that USB devices can store and spread malware. But the two hackers didn’t merely copy their own custom-coded infections into USB devices’ memory. They spent months reverse engineering the firmware that runs the basic communication functions of USB devices—the controller chips that allow the devices to communicate with a PC and let users move files on and off of them. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code. ‘You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’’ says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, ‘the cleaning process doesn’t even touch the files we’re talking about.’

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. ‘It can do whatever you can do with a keyboard, which is basically everything a computer does,’ says Nohl.

The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as ‘code-signing,’ a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. ‘It goes both ways,’ Nohl says. ‘Nobody can trust anybody.’

But BadUSB’s ability to spread undetectably from USB to PC and back raises questions about whether it’s possible to use USB devices securely at all. ‘We’ve all known if that you give me access to your USB port, I can do bad things to your computer,’ says University of Pennsylvania computer science professor Matt Blaze. ‘What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.’

Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. The exact mechanism for that USB attack wasn’t described. ‘I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.’

A new version of LibreOffice 4.3 is out, and Steven J. Vaughn-Nichols likes it! (So do I!)

LibreOffice 4.3: The best open-source office suite gets better

ZDNet – By: Steven J. Vaughan-Nichols – “Ever since LibreOffice split off from the troubled OpenOffice in 2010, this open-source office suite has gotten better and better. With this new release from The Document Foundation, LibreOffice 4.3 has established itself as the best non-Microsoft office suite.

The new LibreOffice 4.3 brings many new useful improvements and features to the program. These include:

Document interoperability: Support of Microsoft’s Office Open XML (OOXML, aka OpenXML) Strict, OOXML graphics improvements (DrawingML, theme fonts, preservation of drawing styles and attributes), embedding OOXML files inside another OOXML file, support of 30 new Excel formulas, and support of MS Works spreadsheets and databases. The new LibreOffice also supports Mac legacy file formats such as ClarisWorks, ClarisResolve, MacWorks, SuperPaint, and more.

Intuitive spreadsheet handling: Calc now allows the performing of several tasks more intuitively, thanks to the smarter highlighting of formulas in cells, the display of the number of selected rows and columns in the status bar, the ability to start editing a cell with the content of the cell above it, and being able to fully select text conversion models by the user.

3D models in Impress: Support of animated 3D models in the new open glTF format, plus initial support for Collada and kmz files that are found in Google Warehouse, in order to add a fresh new look and animations to keynotes. This feature is currently supported only on the Windows and Linux versions.

Comment management: Comments can now be printed in the document margin, formatted in a better way, and imported and exported – including nested comments – in Open Document Format (ODF), DOC, OOXML and RTF documents, for improved productivity and better collaboration.

It is this last improvement that I’m most excited about. Trouble with reading and writing comments between different formats and office suites has long annoyed me. This looks to be a real step forward to solving this nuisance.

LibreOffice 4.3 also support ‘monster’ paragraphs exceeding 65,000 characters. In addition, the accessibility technology on Windows has become a standard feature, thanks to the improvements based on IBM’s IAccessible2 framework.

For the complete list of new features and improvements of see the LibreOffice 4.3 release notes.

The program’s code quality has also been greatly improved in the last two years. Coverity Scan found the defect density per 1,000 lines of code has shrunk from an above the average 1.11 to an industry leading 0.13 since 2012. According to Coverity, ‘LibreOffice has done an excellent job of addressing key defects in their code in the short time they have been part of the Coverity Scan service.’

Like previous versions, LibreOffice is available for Linux, Mac, and Windows systems. You can also run an older version, LibreOffice 4.2, from the cloud using a Software-as-a-Service (SaaS) model.

With the United Kingdom making LibreOffice’s native ODF its default format for government documents, LibreOffice is certain to become more popular. Other cash-strapped governments, such as Italy’s Umbria province, have found switching to LibreOffice from Microsoft Office has saved them hundreds of thousands of Euros per thousand PCs.

‘The LibreOffice project shows that a large free software community can live and thrive without the patronage of a software vendor, to liberate PC desktops,’ said Thorsten Behrens, Chairman of The Document Foundation in a statement. ‘Today, you can’t own a better office suite than LibreOffice, in term of features, interoperability, support for document standards and independence. After many years, LibreOffice brings the control of the PC desktop back into the hands of the users.’

LibreOffice 4.3 is available for download now. Extensions and templates to add specific features can be found at the LibreOffice Extensions page.”

So, now we can make personal decisions with our own equipment. What an amazing idea!

As of today, Americans can legally unlock their phones again

The Verge – By: Adi Robertson – “It’s finally happened: as of today, unlocking your cellphone to work on other networks will be legal again in the US. The White House and Senator Patrick Leahy (D-VT), who helped pass legislation earlier this year, announced that President Barack Obama is signing the Unlocking Consumer Choice and Wireless Competition Act. The bill will restore a copyright exemption that allows customers (or authorized third parties) to modify a phone’s firmware, removing the restrictions that most carriers place on their phones.

President Obama made clear last week that he would be signing the bill, a version of which was recently agreed upon by both the Senate and the House of Representatives. The rule was one of several proposals floated last year in response to a call from the White House, and the White House itself was responding to an official online petition, which collected over 100,000 signatures in favor of legalizing phone unlocking. This series of political dominoes leads Leahy and White House advisor Jeff Zients to call the pending law an ‘example of democracy at its best: bipartisan congressional action in direct response to a call to action from the American people.’ Cellphone unlocking, with varying degrees of freedom, has gotten broad support. Outside the lawmaking process, the FCC previously reached a deal with major wireless carriers that would standardize how customers can get their phones unlocked once the terms of their contract are up.

Despite this, today’s signature doesn’t mark the end of debate. Until last year, cellphone unlocking was allowed through a temporary exception to the Digital Millennium Copyright Act’s ban on breaking copy protection. The bill reinstates that exception, but it’s still temporary — every three years, the Librarian of Congress has to decide whether it should continue to apply, though the bill does instruct them to carefully consider whether unlocking should be extended and possibly expanded to other devices. Regardless of whether that happens, it’s no replacement for larger copyright reform. But, at least for today, you can celebrate by unlocking all your phones (or telling someone else to do it) without fear of fines or lawsuits.”