Bluetooth security advice
Last week I went to see F-Secure to hear about what's happening in the world of computer and internet security, and what they're doing about it. One of the many conversations was about mobile phones and their potential vulnerabilities. Most phones now run a complete operating system and, the more complicated a system, the more likely it is to be compromised.
The biggest risk, as always, isn't the technology but the user, and this is certainly the case with Bluetooth. We haven't been convinced by the warnings about Bluejacking, but there are still many ways in which Bluetooth can be used to catch you out. Here's a quick summary of the advice from Sean, who contributes to the F-Secure blog.
Don't leave Bluetooth on when you're not using it
There's no point risking being vulnerable should someone manage to find a way to exploit Bluetooth. And in any case, Bluetooth uses valuable battery power.
Don't use a desirable name
You might be proud of your new phone, but if you advertise its model number you might be putting that advertisement in the way of someone who wants your phone.
Be careful of receiving messages
People can send you messages if Bluetooth is switched on and your phone is discoverable. If you're in a place where you don't expect to receive a text message, don't look at your phone. The example Sean gave was a mugger wanting to find out who owns the phone with the desirable name in a Tube carriage. A threatening message should produce a reaction identifying you to the potential phone thief.
Move if under attack
Bluetooth has a very short range, so if you think something is trying to attack your phone, just walk away. Granted, that won’t work in the underground example given above, but it is more help with some of the Bluetooth-enabled billboards that are being planned.
Are bundled security apps good or bad?
I’ve just installed an update to the Shockwave Player (interesting in itself as I only installed it yesterday) and had an offer to run a Norton Security scan as part of the installation.
My first reaction was irritation; I’ve already got security software. But then maybe there are people who don’t.
Maybe I’ll live with checking install options more carefully.
Using the clipboard with Internet Explorer
One of my frustrations with Internet Explorer is that it won’t just let me paste text from the clipboard without it asking me if I want it to.
It’s a security feature, and the inconvenience means that it is probably doing its job.
I found instructions to turn on clipboard access but didn’t really want it to apply to every single website, just in case I happen upon a hacked site.
The answer is to use the Zones in Internet Explorer to turn on clipboard access for my Trusted Zone and to make sure that the site I need is in that zone.
Start Internet Explorer and go to the webpage you want to give access to the clipboard. Click on the Tools icon and then Internet Options. Click on the Security tab and then on the green tick icon. Click on the Sites button below this section. The current website should automatically be added to the top text box so click on Add to include it in the Trusted Zone. You may need to click in the box labelled ‘Require server verification (https:) for all sites in this zone’ so that the tick disappears. Click on Close when the site has been added to the bottom box.
Now click on the Custom level button towards the bottom of the Internet Options window. Scroll down to the ‘Allow Programmatic clipboard access’ option in the Scripting section, which is towards the bottom of the list. Click on the option Enable and then on OK.
If you want to check that this setting has not been changed for the normal Internet zone, click on its icon and then on the Custom level button. Find the clipboard option again and check that it is set to Prompt.
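A way to confirm the end state of the steps above from a PowerShell prompt (an added example, not from the original post): it reads the per-zone clipboard setting from the registry and lists the sites in the Trusted zone. It assumes the per-user keys under HKCU shown in the script and that the setting is stored as the DWORD named 1407, with 0 meaning Enable, 1 Prompt and 3 Disable; if the ‘use only machine settings’ policy is on, the same keys under HKLM apply instead.

```powershell
# Added example: check which zones allow programmatic clipboard access.
# Assumption: per-user zone settings live under this HKCU key and the
# clipboard setting is the DWORD named 1407 (0 = Enable, 1 = Prompt, 3 = Disable).
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ClipboardZoneSetting {
    param([int]$Zone)
    $path = Join-Path -Path $zonesKey -ChildPath $Zone
    # -Name '1407' reads just that value; $null means it was never written.
    $item = Get-ItemProperty -Path $path -Name '1407' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (zone default applies)' }
    $value = [int]$item.'1407'
    if ($meaning.ContainsKey($value)) { return $meaning[$value] }
    return "unknown ($value)"
}

# Expected after the steps above: Trusted sites = Enable, Internet = Prompt.
foreach ($zone in 1..4) {
    '{0,-16} {1}' -f $zones[$zone], (Get-ClipboardZoneSetting -Zone $zone)
}

# Sites added through the dialog appear as keys under ZoneMap\Domains,
# one value per scheme (http, https or *) holding the zone number 2.
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
Get-ChildItem -Path $domainsKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $site  = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9)   # e.g. example.com\www
    foreach ($scheme in 'http', 'https', '*') {
        if ($props.$scheme -eq 2) { "Trusted zone: $scheme on $site" }
    }
}
```

Anything listed for the Trusted zone that you did not add yourself is worth removing, since it is now allowed to read the clipboard from script without a prompt.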
In fairness, this is true of Firefox as well. In fact, Firefox is somewhat less helpful when it comes to changing the settings. Rather than a settings window like Internet Explorer's, you have to go to the about:config page, promise to be careful, create a new value called signed.applets.codebase_principal_support and then set it to true. The prompt isn't shown for all pasting, only when JavaScript on the website is doing it.
Firefox 3.0.8 Security update
The snoopers' charter, data mining and little elves
News reports today suggest that the British government is about to embark upon a full-scale assault on our civil liberties through surveillance of everything we say or do online.
The Home Office is proposing that social networking sites such as Facebook and Twitter be monitored to check on people who may be about to commit acts of terrorism. It's scary stuff.
The BBC says: "It is part of a plan to store details of all phone calls, e-mails and websites visited on a central database," adding that "Civil liberties campaigners have called the proposals a 'snoopers' charter'," which is predictable enough.
It's true, of course, that such a system would enable the authorities to snoop on everything we do, and any safeguards put into effect would likely not stand up to the holes certain to be present in the system (the government has a lousy track record on big IT projects - just look at the NHS National Programme for IT - and it has form in this area).
Now, the usual response from the other side of the fence is: "If you've nothing to hide, you've nothing to fear". This is fatuous and disingenuous. We talk and joke over email and the web about things we'd never do - there are plenty of George Bush jokes online, none of them written by people who want to kill the former American president.
Besides, as the comedian Robert Newman points out, the logical conclusion of that argument is that anyone who has anything to hide should be persecuted.
But then even if the proposals get put into place, there's the 'little elves' problem to worry about. This was theorised by John Grisham, of all people, in his novel The Brethren:
There were two types of phones at [the prison] Trumble, secured and unsecured. In theory, all calls made on unsecured lines were taped and subject to review by little elves in a booth somewhere who did nothing but listen to a million hours of useless chatter. In reality, about half the calls were actually taped, at random, and only about 5 percent were ever heard by anybody working for the prison. Not even the federal government could hire enough elves to handle all the listening.
A real-life example of this can be found in Peter Wright's controversial 1980s docu-drama Spycatcher:
So much raw intelligence was flowing out from the East that it was literally swamping the resources available to transcribe and analyse it. MI6 had a special transcription center set up in Earl's Court, but they were still transcribing material seven years later when they discovered that George Blake had betrayed the Tunnel to the Russians from the outset.
Both of the above quotes come from Quentin Campbell of the UK Crypto mailing list.
Aside from the question of how it'll be able to function (and how much that will cost), can it actually do its job?
The technique of going through this kind of information automatically is called 'data mining', and it can be used in quite interesting ways. The diligent Ben Goldacre has produced a fine analysis of why it can't work in this case:
Even with these infeasibly accurate imaginary tests, when you screen a general population as proposed, it is hard to imagine a point where the false positives are usefully low, and the true positives are not missed. And our imaginary test really was ridiculously good: it's a very difficult job to identify suspects, just from slightly abnormal patterns in the normal things that everybody does.
He points us in the direction of security guru Bruce Schneier's 2005 essay on the same topic, in which he says: "In hindsight, it was really easy to connect the 9/11 dots and point to the warning signs, but it's much harder before the fact. Certainly, many terrorist plots share common warning signs, but each is unique, as well."
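To make the base-rate point concrete, here is a worked calculation added to this post (the figures are assumptions chosen for illustration, not numbers from Goldacre or Schneier): a population of 60 million, 3,000 genuine suspects among them, and a screening test that catches 99% of them while wrongly flagging only 0.1% of everyone else.

```latex
\text{Assume } N = 6\times 10^{7},\quad T = 3000,\quad s = 0.99 \;\text{(sensitivity)},\quad f = 0.001 \;\text{(false-positive rate)}. \\
\text{True positives: } sT = 0.99 \times 3000 = 2970 \\
\text{False positives: } f(N - T) = 0.001 \times 59{,}997{,}000 = 59{,}997 \\
\text{Positive predictive value: } \mathrm{PPV} = \frac{sT}{sT + f(N - T)} = \frac{2970}{2970 + 59{,}997} \approx 0.047
```

So roughly 21 of every 22 people flagged are innocent, while the 30 genuine suspects the test misses stay missed; writing the base rate as p = T/N, the general form is PPV = sp / (sp + f(1 - p)), and it is the tiny p, not the quality of the test, that drives the result.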
So is there anything to worry about over this plan? Yes. The government's record on such projects makes it highly unlikely that the project will be useful for what it's designed, and highly likely that it'll be costly and will be open to abuse in specific cases. But the likelihood is remote that any of us will find ourselves in the British-American prison on Diego Garcia with unspeakable things being done to our nether regions, simply because in this case probability is on our side, not theirs.
Picture from Flickr user André-Pierre.
Update your PDF software
I hope you’ve all done this already but there are some important updates for Adobe Reader and the Foxit PDF Reader. Adobe Reader should update itself automatically, but it’s worth checking.
Thanks to the F-Secure blog for the update.
New net scam arrives... by phone
A reader has contacted us with news of a new take on a relatively old scam.
He received a call from someone to say his PC had been infected by a virus and that if he cared to boot up, the caller would kindly take him through the process of removing it.
Fortunately, the reader had his wits about him and challenged the caller for his company's details; a click and brrrrr indicated the caller wasn't keen on that idea.
Many PC users are familiar with pop-ups that claim to scan your computer and then cleanse it of the many threats it finds. None of which exist, of course, but as long as you're willing to pay, why ruin a good scam with facts?
Taking this approach by phone is a new one on us.
Never use this list!
Pick and mix security and utility software
Here’s an interesting idea. Tell Comodo Software what sort of stuff you get up to on your computer and the website will suggest the software you need.
Personally I didn’t get on with their firewall, but the backup software was particularly good, with the option of backing up files to an FTP location. Most important was the option to run differential backups: only copying files that have changed, to avoid hitting bandwidth problems.
Cebit 2009, Hannover: Day One
Hannover's Cebit is the world's largest technology fair, and the place where manufacturers from the world over come to show off their latest and greatest products. Computeractive is there too, and today started trekking between the 26 (yes, 26 - our feet hurt already) exhibition halls of the Hannover Messe to find the latest and greatest products. Over the next few days we'll show you what to expect over the coming six months.
One of the most striking stands at the show belongs to Asus. The company is showing off a vast selection of Eee PC notebooks and Eee desktops, not all of which will be available in the UK. A few in particular caught our eye, though. First, the Eee PC 1000HE:
This looks similar to the Eee 1000, but with a new Macbook-like keyboard and a battery that, Asus claims, will run for 9.5 hours - perfect for a full day's work, a long flight or just if you tend to forget to plug your laptop in. It'll arrive in the UK in March, at a price yet to be confirmed.
Other interesting Eee laptops included a tablet:
And this newer, shinier, thinner netbook:
Aside from the mini laptops, Asus was showing off its Lamborghini notebook range - now available in a rather nice ivory white as well as gaudy yellow - and the Eee Keyboard, first shown at CES and now, unfortunately, locked safely away in a cupboard when we attempted to find and photograph it.
We spoke to Asus CEO Jerry Shen, who suggested an interesting future for the Eee computers encompassing both low-cost netbooks and more powerful and featured products.
"We will try to provide more value", he told us. "In the future, when the Eee Top, Eee Box and Eee Keyboard become more popular we will try to separate into two markets".
He denied, though, that the more powerful computers might outgrow the Eee name, saying that "the most important thing for the Eee is 'easy'... ease of use is still the key. We still want to keep the soul of the Eee" [in the more featured computers].
One major focus of Cebit 2009 is the environment, and one of the biggest displays in the "green" hall belongs to Fujitsu-Siemens Computers, here to demonstrate its "zero watt PC" - a computer that, unlike most, draws zero watts of power when turned off. A demo unit was on display, complete with power meters for us to examine:
We switched it on and off a few times and, as you can see, it seems to work quite well - that's the PC power meter in the middle. The zero watt PC will be available from July, in two versions - a desktop and a small form factor PC - at prices to be announced.
Away from computers, we spotted a few other interesting products. Synology, makers of network storage devices, were showing off this tiny NAS, designed to hold up to four laptop-sized hard disks:
That's the DS409 Slim, available in the UK from April.
And finally for today, we caught up with Absolute Software. It'll be launching its laptop recovery system, LoJack for Laptops, in the UK in the next few months - it'll initially be sold online. The software buries itself in the computer's BIOS, calling home periodically and, if you report the laptop stolen, either wiping its contents or attempting to pass its location back to the company, and so to the police. Absolute told us it has a 75% recovery rate for stolen equipment using its business Computrace product.
We'll bring you more from the show over the next few days.