Archive for the ‘Software’ Category
Andrea Peterson reports in the Washington Post:
“You’re lucky you don’t have to deal with this stuff, Mac,” a biohazard suit-clad PC played by John Hodgman said about viruses to Justin Long’s Mac in one of the ads in an iconic line of commercials that started airing in 2006. For years, Mac users have enjoyed a smug sense of superiority on this front. But a new vulnerability is the latest sign that the security of Apple products doesn’t actually live up to the hype.
When you see a lock icon next to the URL in your browser, that’s a sign that your communications are protected with the SSL encryption technology. But on Friday, Apple admitted that its version of SSL had a fatal flaw that could allow hackers to intercept and modify users’ secure communications. The situation became even worse over the weekend as researchers reported that the issue affected not only mobile devices running Apple’s iOS operating system but also many applications within the Mac OS X laptop and desktop suite, including Mail and Safari. Apple told Reuters that the company was working on an OS X patch Sunday night.
The SSL bug is just the most recent of the company’s security woes. The company’s “Buy A Mac” Web page once proudly declared that OS X “defends against viruses and other malicious applications, or malware” with “virtually no” user effort. But that changed in June 2012, after up to over half a million OS X users were reportedly infected with a trojan malware called “Flashback.” Some computers on Apple’s own network were hacked in a 2013 breach that reportedly was similarly related to Java.
Apple’s tiny market share has always given the Cupertino, Calif., company an unfair advantage. Since the dawn of the Internet age, Macs have been far outnumbered by PCs, leading hackers to devote a disproportionate share of their resources to Windows malware. The payoff for discovering or exploiting a security vulnerability was much greater if you targeted the more popular operating system. So, as technology became networked like never before, Windows and its programs were put through a more rigorous gauntlet than Apple’s products.
While Apple products have risen to prominence again thanks to the success of mobile devices, Android controls the majority of that market – and attracts the vast majority of the malware. The more rigorous app approval process for iOS devices is part of the reason for that, but it’s also likely that Apple is just not as juicy of a target as some of its competitors.
The latest revelations are hardly the first time Apple has faced security issues. . .
Crowd-sourced enterprises must deal somehow with the certainty that some in a crowd will be malicious and unprincipled and find ways to mitigate willful damage and outright sabotage. (The psychology of such persons is an interesting study.) Wikipedia uses very clever bots, whose evolution is described in this interesting article.
One of the drawbacks of moving from Windows to the Mac is that the invaluable Microsoft Office program OneNote was not available on the Mac. But now the application is available for free on the Web. Check out OneNote.com. It’s not quite as slick as the computer-resident program, but it does offer much of the capability. For example, you can start typing anywhere on the page. It’s also free.
I have a LOT of tabs open at a time as I browse—currently 34 tabs open in WhiteHat Aviator. That seemed to cause problems with Chrome (which has much the same interface as Aviator, both being built on the open-source browser Chromium), but so far no problems with Aviator.
But as tab size diminishes, I find it hard to locate tabs, so this morning I tried three different open-tab-manager extensions. The best of the lot, so far as I’m concerned, is Tab Manager. It’s free, works well, and so far has only one drawback: it doesn’t show in the icon the total number of tabs currently open, a minor inconvenience. It’s an open source product, and you can see the listing at GitHub.
Once I installed it and found I could easily review what was in each tab, I immediately found myself opening more. After all, they’re now easy to find. So the number of open tabs increased, but I do find them easier to locate.
Both Google Chrome and WhiteHat Aviator are browsers based on the open-source browser software Chromium. Aviator, however, comes with all sorts of protections, while Chrome more or less harvests information about you as you use it.
I used Chrome for quite a while, but over the past year or so I have been plagued with a problem in which my MacBook seizes up and will do nothing—it requires a hard reboot (holding down the power key until the computer is forced to power down) since even the OS stops responding. It was an irritant, but Chrome and my other programs have good recovery so I seldom lost anything. Sometimes I would have to repair files (i.e., a program would automatically run through its data files and rebuild indexes or the like), but mainly it was just a royal pain, since the freeze up always happened when I was busy—and since I keep a lot of tabs open (probably part of the problem), it took a while to reload all the pages.
The news: I have not had a problem with this since I switched to WhiteHat Aviator. It may well be that the maze of cookies and the passing of data back and forth about my browser activity was what triggered the problem: Aviator doesn’t allow cookies and it uses Disconnect to keep my sessions private.
In any event, WhiteHat Aviator has been remarkably stable. It does have its quirks: if I want to make a comment using Disqus, for example, I’ve found it easier to do that in Firefox. But almost all of my browser activity is now on Aviator. Firefox I mainly use to write blog posts.
I am happier and happier with my switch to WhiteHat Aviator. Take a look at this Ars Technica article by Ron Amadeo:
One of the coolest things about Chrome is the silent, automatic updates that always ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also includes Chrome’s extensions, which are updated by the extension owners. This means that it’s up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.
To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.
We ought to clarify here that Google isn’t explicitly responsible for such unwanted adware, but vendors are exploiting Google’s extension system to create a subpar—and possibly dangerous—browsing experience. Ars has contacted Google for comment, but we haven’t heard back yet. We’ll update this article if we do.
A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the “Add to Feedly” extension. One morning, Agarwal got an e-mail offering “4 figures” for the sale of his Chrome extension. The extension was only about an hour’s worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome’s extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer’s intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension’s user base.
This isn’t a one-time event, either. About a month ago, I had a very simple Chrome extension called “Tweet This Page” suddenly transform into an ad-injecting machine and start hijacking Google searches. A quick search for the Chrome Web Store reveals several other extensions that reviewers say suddenly made a U-turn from useful extension to ad-injector. There is even an extension that purports to stop other extensions from injecting ads. Injected ads are allowed in Chrome extensions, but Google’s policy states that which app the ads are coming from must be clearly disclosed to the user, and they cannot interfere with any native ads or the functionality of the website. . . .
WhiteHat Aviator is a very nice browser indeed, and I’m gradually adding the bookmarks I need and learning how it works. Since shutting it down wipes the slate clean (it doesn’t remember what tabs you had open, all cookies are gone, etc.), I do have to note any tabs I want to re-open, and of course log back in to all sites. Since I use LastPass, logging in again is no problem (though I do have to log into LastPass each time by hand, but then things go smoothly).
I can understand why some might want a browser that remembers more, but then you definitely should install Disconnect. It’s amazing.
All software linked to above is free.
I recently posted a link to a ProPublica article about steps you can take to increase your security on-line. I just now downloaded and installed the recommended browser, WhiteHat Aviator, which got me to looking at Disconnect. I am very impressed: certainly much more powerful (and flexible) than AdBlock, which I’ve used previously, and I’m astonished at the number of sites tracking (or, with Disconnect, failing to track) my every move on the Web. A benefit: pages load faster without all the overhead of passing out tracking information for 30 or so sites that want to know what you’re doing.
A few notes: you can see various tracking entities in a detail list on the Disconnect dashboard. If the block is checked, the tracker is being blocked; if it’s unchecked, the tracker is not being blocked. (That information is currently not included in the FAQs or explanation.)
Also: if you see “Whitelist” on the screen, then trackers are being blocked. If you click “Whitelist”, it changes to “Blacklist” and trackers are NOT blocked.
UPDATE: On the Disconnect button in my browser, a white numeral in a green box shows the number of tracking requests being received for the current site. I am just writing a blog post in WordPress: 59 tracking requests received. Wow. The front page of the NY Times shows only 15 tracking requests…
Another: Salon shows 89 trackers, foiled by new use of Disconnect (and WhiteHat Aviator).
A very nice collection of links to science-oriented (and science-helpful) games.
Fascinating brief column by Brad Plumer—and scary, too. It’s about how many tracking cookies get planted on your computer at some sites.
Evernote is a terrific program, one that I’ve used for years. Paul Boutin in the NY Times has a good write-up of the program:
Some photos are on your smartphone. Others sit on your home computer. Your digital work documents, favorite web clippings and notes from meetings? Scattered like confetti after New Year’s Eve.
If you’ve embraced a digital lifestyle, this situation is probably all too familiar. Thankfully, there are services available to help those of us in need. Dropbox lets you upload files to a central online repository. Google Drive has a search engine with image recognition technology so you can search for a photo of the Statue of Liberty from your last vacation. The Doo app is focused on organizing documents of any kind — presentations, receipts, tickets — on your phone. But the easiest catchall tool for saving anything you might need later is an app for computers and mobile devices called Evernote.
Evernote provides a comprehensive single archive of your digital life, giving you one location to store and find practically everything saved on a computer or phone. And the files are automatically backed up on Evernote’s servers. It even makes sharing things with others far easier than emailing attachments around — but it will do that, too.
The only real downside with Evernote is that it has so many features, which can make getting started with the app daunting. But once you understand how to do a few things with it, you can get working and worry about the rest later.
Here’s the big point to understand: Use Evernote as the place you put everything you might need later. You can drag it in, tap it in or forward it in, and then search for it, share it or post it later. When you need to dig it up, you don’t first ask yourself which device it’s on — it’s in Evernote, from whatever device is at hand.
The free version of the app lets you add up to 60 megabytes of content to your folders every month, enough for a couple of dozen full-size iPhone photos or a hundred big Word documents. The archive can grow as big as it needs to be. The premium version costs $5 a month, which increases the limit to a gigabyte a month, enough for hundreds of photos, and adds a few more features for heavy users.
To begin, download Evernote onto every computer and mobile device you own and create an account. Evernote works on Windows and Mac computers, and on iPhones, iPads, Android and Windows phones and tablets, BlackBerry devices, and even Hewlett-Packard’s WebOS gadgets. In other words, you should be covered. The interface is a little different on each platform, so plan a few minutes to figure out each one.
The best way to start is . . .
Software is an algorithm and thus should not have been patented according to the Supreme Court’s own past decisions. Tim Lee reviews the current case coming up for a decision. His conclusion:
Now the Supreme Court will have an opportunity to weigh in on the case. And while the high court could issue a narrow ruling based on the details of the patents in this case, it could also take the opportunity to fix the software patent mess more broadly. All it would need to do is to reiterate its earlier position that patents claiming mathematical processes — a.k.a. computer software — isn’t eligible for patent protection unless it’s tied to a specific machine or physical process.
The high court will be reluctant to do this because it would be disruptive. Reiterating that mathematical algorithms can’t be patented would call into question thousands of patents held by major software companies. And these companies could complain, with some justification, that the Supreme Court’s failure to rule on the issue for more than 30 years was a tacit acceptance of rulings by the Federal Circuit.
Still, the federal circuit cannot overrule Supreme Court precedents. And the federal circuit’s experiment with software patents has been a disaster. As the patent scholar James Bessen has argued, the patent troll crisis is really a software patent crisis. Software patents are far more likely to be involved in litigation than other types of patent. The result: According to Bessen’s calculations, troll-related litigation cost the U.S. economy $29 billion in 2011 alone. Reiterating that “pure” software can’t be patented wouldn’t just be good law — it would also save the nation billions of dollars in litigation costs.
People are aghast at the development disaster of Healthcare.gov. Even though that development was managed by the Centers for Medicare and Medicaid Services (CMS) within the government, the bulk of the development work has been done by CGI Federal, a private company.
If only, people say, the government would have let a private company—so much more efficient than government employees—do all the development work. Like, say, Oracle, which was given the task of implementing Oregon’s healthcare-insurance exchange.
Or maybe not: zero people signed up to date. Bupkis. Nada.
Brian Fung writes in the Washington Post:
Ten years ago, the word “smartphone” didn’t exist. By necessity, neither did the word “dumbphone.”
In a decade, we might talk about all of our appliances in similar ways. From ovens to garage doors to insulin pumps to vehicles, many of our devices are going to be connected to the Internet in the same sense that our phones are now. Certain such products are already on the market; one company, SmartThings, sells devices that help consumers control their lights and locks while they’re not at home, for example. Eventually, these items will be able to respond to signals from one another independent of human input. Your bathroom scale might tell your refrigerator that you’re overweight, and your fridge might start recommending healthier recipes.
That could be great, but it also vastly expands the universe of things that could go wrong, particularly when it comes to privacy. This might seem obvious, until you consider that many of the businesses that make these devices have never really needed to worry about securing their products before. Take dishwashers. At heart, they’re very simple machines. But a hacked dishwasher might start running on overdrive, going through multiple cycles, wasting gallons of water and costing you extra and possibly flooding your house. Although the folks who make dishwashers may be fantastic engineers, or even great computer programmers, it doesn’t necessarily imply they’re equipped to protect Internet users from the outset.
“It’s not just that the consumers don’t understand the technology,” said Jeff Hagins, co-founder of SmartThings, at a Federal Trade Commission workshop Tuesday. “It’s also that the people building it don’t understand it.” Hagins added, hypothetically: “Just because I know how to write PHP doesn’t mean I understand these vulnerabilities at all.”
The same holds true for the auto industry, where many companies have begun to experiment with new technologies that let cars communicate with one another. Tadayoshi Kohno is a researcher at the University of Washington who’s spent a lot of time deliberately hacking into cars to test their vulnerabilities.
“Very often we see sectors of the broader industry that are not computer science experts starting to integrate computers into their systems and then start to integrate networks into those systems,” said Kohno. “Because they don’t have experience being attacked by real attackers, like Microsoft and so on, their level of security awareness … appears to be dated.”
Hacking is just an extreme case. Short of that, . .
Very interesting after-action report, looking at contributing factors to HealthCare.gov’s abortive launch. Amy Goldstein and Julian Eisperin report in the Washington Post:
In May 2010, two months after the Affordable Care Act squeaked through Congress, President Obama’s top economic aides were getting worried. Larry Summers, director of the White House’s National Economic Council, and Peter Orszag, head of the Office of Management and Budget, had just received a pointed four-page memo from a trusted outside health adviser. It warned that no one in the administration was “up to the task” of overseeing the construction of an insurance exchange and other intricacies of translating the 2,000-page statute into reality.
Summers, Orszag and their staffs agreed. For weeks that spring, a tug of war played out inside the White House, according to five people familiar with the episode. On one side, members of the economic team and Obama health-care adviser Zeke Emanuel lobbied for the president to appoint an outside health reform “czar” with expertise in business, insurance and technology. On the other, the president’s top health aides — who had shepherded the legislation through its tortuous path on Capitol Hill and knew its every detail — argued that they could handle the job.
In the end, the economic team never had a chance: The president had already made up his mind, according to a White House official who spoke on the condition of anonymity in order to be candid. Obama wanted his health policy team — led by Nancy-Ann DeParle, director of the White House Office of Health Reform — to be in charge of the law’s arduous implementation. Since the day the bill became law, the official said, the president believed that “if you were to design a person in the lab to implement health care, it would be Nancy-Ann.”
Three and a half years later, such insularity — in that decision and others that would follow — has emerged as a central factor in the disastrous rollout of the new federal health insurance marketplace, casting doubt on the administration’s capacity to carry out such a complex undertaking.
“They were running the biggest start-up in the world, and they didn’t have anyone who had run a start-up, or even run a business,” said David Cutler, a Harvard professor and health adviser to Obama’s 2008 campaign, who was not the individual who provided the memo to The Washington Post but confirmed he was the author. “It’s very hard to think of a situation where the people best at getting legislation passed are best at implementing it. They are a different set of skills.”
The White House’s leadership of the immense project — building new health insurance marketplaces for an estimated 24 million Americans without coverage — is one of several key reasons that the president’s signature domestic policy achievement has become a self-inflicted injury for the administration.
Based on interviews with more than two dozen current and former administration officials and outsiders who worked alongside them, the project was hampered by the White House’s political sensitivity to Republican hatred of the law — sensitivity so intense that the president’s aides ordered that some work be slowed down or remain secret for fear of feeding the opposition. Inside the Department of Health and Human Services’ Centers for Medicare and Medicaid, the main agency responsible for the exchanges, there was no single administrator whose full-time job was to manage the project. Republicans also made clear they would block funding, while some outside IT companies that were hired to build the Web site, HealthCare.gov, performed poorly. . .
This topic interests me because I’ve worked on quite a few software projects, some of which did have launch problems, though not so severe as HealthCare.gov (which is probably more complex than the systems on which I worked).
It’s actually operational—not sign-up, I think, but health-plan comparisons. Read about it here.