Dr. Bill | The Computer Curmudgeon

We’ve got to be careful out there, to slightly misquote “Hill Street Blues!” Apparrently, USB is inherantly easier to lend itself to misuse!

Why the Security of USB Is Fundamentally Broken

Wired – By: Andy Greenberg – “Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

‘These problems can’t be patched,’ says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. ‘We’re exploiting the very way that USB is designed.’

‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’

Nohl and Lell, researchers for the security consultancy SR Labs, are hardly the first to point out that USB devices can store and spread malware. But the two hackers didn’t merely copy their own custom-coded infections into USB devices’ memory. They spent months reverse engineering the firmware that runs the basic communication functions of USB devices—the controller chips that allow the devices to communicate with a PC and let users move files on and off of them. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code. ‘You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’’ says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, ‘the cleaning process doesn’t even touch the files we’re talking about.’

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. ‘It can do whatever you can do with a keyboard, which is basically everything a computer does,’ says Nohl.

The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as ‘code-signing,’ a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. ‘It goes both ways,’ Nohl says. ‘Nobody can trust anybody.’

But BadUSB’s ability to spread undetectably from USB to PC and back raises questions about whether it’s possible to use USB devices securely at all. ‘We’ve all known if that you give me access to your USB port, I can do bad things to your computer,’ says University of Pennsylvania computer science professor Matt Blaze. ‘What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.’

Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. The exact mechanism for that USB attack wasn’t described. ‘I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.’

A new version of LibreOffice 4.3 is out, and Steven J. Vaughn-Nichols likes it! (So do I!)

LibreOffice 4.3: The best open-source office suite gets better

ZDNet – By: Steven J. Vaughan-Nichols – “Ever since LibreOffice split off from the troubled OpenOffice in 2010, this open-source office suite has gotten better and better. With this new release from The Document Foundation, LibreOffice 4.3 has established itself as the best non-Microsoft office suite.

The new LibreOffice 4.3 brings many new useful improvements and features to the program. These include:

Document interoperability: Support of Microsoft’s Office Open XML (OOXML, aka OpenXML) Strict, OOXML graphics improvements (DrawingML, theme fonts, preservation of drawing styles and attributes), embedding OOXML files inside another OOXML file, support of 30 new Excel formulas, and support of MS Works spreadsheets and databases. The new LibreOffice also supports Mac legacy file formats such as ClarisWorks, ClarisResolve, MacWorks, SuperPaint, and more.

Intuitive spreadsheet handling: Calc now allows the performing of several tasks more intuitively, thanks to the smarter highlighting of formulas in cells, the display of the number of selected rows and columns in the status bar, the ability to start editing a cell with the content of the cell above it, and being able to fully select text conversion models by the user.

3D models in Impress: Support of animated 3D models in the new open glTF format, plus initial support for Collada and kmz files that are found in Google Warehouse, in order to add a fresh new look and animations to keynotes. This feature is currently supported only on the Windows and Linux versions.

Comment management: Comments can now be printed in the document margin, formatted in a better way, and imported and exported – including nested comments – in Open Document Format (ODF), DOC, OOXML and RTF documents, for improved productivity and better collaboration.

It is this last improvement that I’m most excited about. Trouble with reading and writing comments between different formats and office suites has long annoyed me. This looks to be a real step forward to solving this nuisance.

LibreOffice 4.3 also support ‘monster’ paragraphs exceeding 65,000 characters. In addition, the accessibility technology on Windows has become a standard feature, thanks to the improvements based on IBM’s IAccessible2 framework.

For the complete list of new features and improvements of see the LibreOffice 4.3 release notes.

The program’s code quality has also been greatly improved in the last two years. Coverity Scan found the defect density per 1,000 lines of code has shrunk from an above the average 1.11 to an industry leading 0.13 since 2012. According to Coverity, ‘LibreOffice has done an excellent job of addressing key defects in their code in the short time they have been part of the Coverity Scan service.’

Like previous versions, LibreOffice is available for Linux, Mac, and Windows systems. You can also run an older version, LibreOffice 4.2, from the cloud using a Software-as-a-Service (SaaS) model.

With the United Kingdom making LibreOffice’s native ODF its default format for government documents, LibreOffice is certain to become more popular. Other cash-strapped governments, such as Italy’s Umbria province, have found switching to LibreOffice from Microsoft Office has saved them hundreds of thousands of Euros per thousand PCs.

‘The LibreOffice project shows that a large free software community can live and thrive without the patronage of a software vendor, to liberate PC desktops,’ said Thorsten Behrens, Chairman of The Document Foundation in a statement. ‘Today, you can’t own a better office suite than LibreOffice, in term of features, interoperability, support for document standards and independence. After many years, LibreOffice brings the control of the PC desktop back into the hands of the users.’

LibreOffice 4.3 is available for download now. Extensions and templates to add specific features can be found at the LibreOffice Extensions page.”

So, now we can make personal decisions with our own equipment. What an amazing idea!

As of today, Americans can legally unlock their phones again

The Verge – By: Adi Robertson – “It’s finally happened: as of today, unlocking your cellphone to work on other networks will be legal again in the US. The White House and Senator Patrick Leahy (D-VT), who helped pass legislation earlier this year, announced that President Barack Obama is signing the Unlocking Consumer Choice and Wireless Competition Act. The bill will restore a copyright exemption that allows customers (or authorized third parties) to modify a phone’s firmware, removing the restrictions that most carriers place on their phones.

President Obama made clear last week that he would be signing the bill, a version of which was recently agreed upon by both the Senate and the House of Representatives. The rule was one of several proposals floated last year in response to a call from the White House, and the White House itself was responding to an official online petition, which collected over 100,000 signatures in favor of legalizing phone unlocking. This series of political dominoes leads Leahy and White House advisor Jeff Zients to call the pending law an ‘example of democracy at its best: bipartisan congressional action in direct response to a call to action from the American people.’ Cellphone unlocking, with varying degrees of freedom, has gotten broad support. Outside the lawmaking process, the FCC previously reached a deal with major wireless carriers that would standardize how customers can get their phones unlocked once the terms of their contract are up.

Despite this, today’s signature doesn’t mark the end of debate. Until last year, cellphone unlocking was allowed through a temporary exception to the Digital Millennium Copyright Act’s ban on breaking copy protection. The bill reinstates that exception, but it’s still temporary — every three years, the Librarian of Congress has to decide whether it should continue to apply, though the bill does instruct them to carefully consider whether unlocking should be extended and possibly expanded to other devices. Regardless of whether that happens, it’s no replacement for larger copyright reform. But, at least for today, you can celebrate by unlocking all your phones (or telling someone else to do it) without fear of fines or lawsuits.”

We will have no Dr. Bill.TV show this week, due to the press of work related activities this week. Also, I have had to work nearly all day today (Sunday.) So, I encourage you to watch this very special edition of the VirtZine Netcast!

Schools are choosing Chromebooks because they are inexpensive, and versatile!

With 1M Sold In The Last Quarter, Google’s Chromebooks Are A Hit With Schools

TechCrunch – by Frederic Lardinois – “During its earnings call this week, Google announced that it — and its partners — sold a million Chromebooks to schools in the last quarter. Overall PC sales worldwide were about 76 million in the last quarter, according to Gartner’s latest numbers, so a million Chromebook sales just to the education market is a pretty good number.

In the early days of Chrome OS, it often seemed like a doomed project. Who, after all, would want to buy a laptop that would just run a browser? Google has one big advantage, though. It’s massive advertising income allows it to stick with projects, even if they don’t catch on right away. As web apps developed, Chromebooks started to get significantly more useful, and these days, when you can do almost everything on the web (and yes, I know Photoshop isn’t one of those things), only having access to web apps really isn’t such a big deal anymore.

A lot of schools were sold on iPads right after those became available and students probably still prefer them over Chromebooks, but they are relatively expensive compared to Chromebooks and harder to manage. Google also offers admins easy ways to manage large Chromebook deployments from a single console while Apple is still catching up when it comes to this.

At its I/O developer conference last month, Google quietly announced that it was expanding its Google Play for Education app and e-book store from Android tablets to Chromebooks, too. That announcement didn’t get a lot of hype, but it’s a huge deal for Google’s push into the education market and for the schools that have bought into this ecosystem.

As Rick Borovoy, Google’s product manager for Google Play for Education, told me back then, many schools deploy both tablets and Chromebooks for their students.

Apple has always been very strong in the educational market, but even though its hardware is arguably superior, it’s also much more expensive. And as long as U.S. schools have to hold bake sales to raise funds, a $200 Chromebook is simply within reach for more of them.

Microsoft, of course, has long been aware of Google’s push, too. It loves to make fun of Chromebooks (remember its Pawn Stars ad?), but the fact that it does so only means it is aware of the threat Google poses in the lucrative education and enterprise markets. It’s now making a counter-push with low-end, low-priced laptops, but while price definitely matters, Microsoft doesn’t have the full ecosystem available that has made Chromebooks so popular in schools. While it offers plenty of apps for textbooks, for example, Google lets schools fund a Google Play for Education account for teachers that allows them to easily buy apps and books for their whole class and for individual students.

Microsoft and Apple should be concerned about Google’s success in schools. Once students get used to working with Google’s products, after all, they are likely to stick with them as they grow older. Apple and Microsoft used to play this game very well with its discounts for schools, but it feels like Google has clearly learned from this and is now a real challenger in this space.”

Chrome can be a bit of an energy hog, but it sounds like help may be on the way!

Chrome’s been eating your laptop’s battery for years, but Google promises to fix it

PCWorld – By: Jared Newman – “Google is just now responding to a bug in Chrome for Windows that may have been sapping users’ batteries for years.

Chrome’s battery drain problem was brought to wider attention by Forbes contributor Ian Morris, who noticed that Chrome for Windows was using considerably more power than other browsers.

The issue, he wrote, is that Chrome doesn’t return the system’s processor to an idle state when it’s not doing anything. Instead, Chrome sets a high ‘system clock tick rate’ of 1 millisecond, and leaves it at that rate, even if the browser’s just running the background.

By comparison, Microsoft’s Internet Explorer only ramps up the tick rate for processor-intensive tasks such as YouTube, and otherwise returns it to the default rate of 15.625 milliseconds. According to Microsoft, setting the tick rate consistently at 1 millisecond can raise power consumption by up to 25 percent depending on your hardware configuration.

This bug wouldn’t be too surprising if it was introduced in a recent update. But according to Morris, the first report of it popped up in 2010, and a more recent bug report in Chromium has been racking up new comments since November 2012. So if your Windows laptop isn’t getting the battery life you’d expected, it’s possible that Chrome is the culprit.

In any case, the new reports have finally gotten Google’s attention. In a statement to PCWorld, the company noted that the bug has been assigned internally, and that the Chrome team is working to fix it—though only after Morris shined a spotlight on the issue. The long-standing bug report has been bumped up to priority one.

In the meantime, consider shutting down Chrome when you’re not using it on your laptop, or trying out a different browser.”

I think I might just go for this one… especially as many Star Trek books as I read!

Amazon’s Kindle Unlimited offers all-you-can-eat e-books for $10 a month

Engadget – By: Matt Brian – “After teasing us with a possible launch, Amazon has confirmed Kindle Unlimited, its all-you-can-read e-book subscription service. For $9.99 per month, Kindle Unlimited offers 600,000 books and ‘thousands’ of audiobooks across a range of devices. As expected, many of the major publishers aren’t fully represented, but there are number of popular titles listed, including Harry Potter, Lord of the Rings and the Hunger Games, as well as a whole catalog of Kindle exclusives. Like Prime, Amazon initially offers a free 30-day trial to draw you in, but it’s also throwing in a three month subscription to Audible and access to 2,000 audiobooks via its Whispersync service (which lets you seamlessly switch between reading and listening whenever the mood takes you). For a service that bills itself as ‘unlimited,’ there’s a few constraints on Amazon’s Netflix-for-books service. In addition to the fact that it doesn’t have the support from all of the major publishers, of course, there’s also the small matter that it’s only available in America. At least, for now.”