* Posts by Martin Edwards

44 publicly visible posts • joined 7 Apr 2008

Have a Linksys router? Now's a good time to update that firmware

Martin Edwards

Usual lack of clarity

Unfortunately, many articles like this – both on The Register and elsewhere – fail to be clear enough about the threat for people to understand whether they are at risk. In this case, the reader is recommended to disable or limit WAN-side management of the device, something that is not only common sense, but also typically the default. Given the mention of it, then, one goes on to ask "Does prohibiting management from the WAN side prevent this attack?". Because it either does or it doesn't; this should be black and white — but the reader is left confused.

From Antennagate to WikiLeaks: the year in tech lunacy

Martin Edwards

Antennagate?

I'd have called it five-bar gate.

Patchy Windows patching leaves users insecure

Martin Edwards

Google Updater

I'm sure some of you will already know this. But it's worth mentioning Google's efforts with Google Updater, which can be configured to take care of updates to Firefox, Adobe Reader, Skype and RealPlayer in addition to Google's own programs.

Researcher spies new Adobe code execution bug

Martin Edwards

How to get Reader and Flash Player without the download manager

If you want the standalone installers because you look after a number of machines (or simply want to avoid the download manager) it's very easy: just ignore the prompt to install the download manager, and click the "If your download didn't start automatically..." link. As a bonus, in the case of Reader, you get it without the AIR and Adobe.com crapware.

MS probes bug that turns PCs into 'public file servers'

Martin Edwards
Stop

Terminology

The description of this situation does not tally with any common definition of a public file server. There's no excuse for such misinformation and hype.

Firefox 3.6 goes live and final

Martin Edwards

100 MB of memory for a browser with six pages open

That's good is it? Aye, how times have changed...

Exploit code for potent IE zero-day bug goes wild

Martin Edwards

Absolutely

I'm glad you've said this. Maybe if someone answers they can also tell me how to prevent users from changing preferences in Firefox. Because I've a feeling there isn't a nice Group Policy setting for that...

National Rail website buried ahead of snow storm

Martin Edwards

Perhaps if it wasn't half a megabyte...

When the new National Rail Enquiries website appeared, I thought it was a bit slow to load, so checked and found that the home page -- complete with its rich background images and Flash advertising -- weighs in at around 500 KB. I was astonished. I notice that the current "lighter version" is still more than 200 KB.

I should add though that I'm yet to completely trust Chrome's "Web Inspector", from which I took these readings. It sometimes reports some curious file sizes, like 0 or -1 bytes.

DNS attack hijacks Twitter

Martin Edwards

Pharming

I'm pretty sure he means imagine the potential if a fake login page was used (pharming). That didn't happen did it? There wasn't anywhere for users to enter their details? The potential for stealing cookies... yeah, I guess you can't rule that out.

It highlights what a weak link DNS can be. In future, pharming might become more of a reality -- and no amount of client-side security or user education will help.

Malvertisers slapped by Microsoft lawsuits

Martin Edwards

What's code doing in an advert?

Advertising should be limited to static images and plain text. I make no apology for stating the bleeding obvious because it's obviously not obvious enough to MSN (obviously).

Microsoft purges AutoRun from older Windows

Martin Edwards

U3

Doesn't a U3 device appear as two disks, with only the part containing the U3 software appearing as a CD (and isn't that part read-only and thus won't be carrying malware anyway?)? Correct me if I'm wrong.

Anyway, now we just need something to block U2 albums...

Microsoft warns of 'irreparable harm' on court's Word injunction

Martin Edwards
Stop

OpenOffice a viable alternative, are you serious?

Am I the only one here who couldn't honestly recommend OpenOffice to anybody? Every time I've used it I've been stumped by the lack of what should be commonplace features, and UI behaviour that feels a decade old. Correct me if I'm wrong, but doesn't OO lack the ability to visually crop images, or adjust character spacing, for example?

I look forward to OpenOffice being a true Microsoft competitor (and hopefully Ubuntu too, for that matter). But I think this moment is still a little while away.

IE icon too familiar for Microsoft EU settlement?

Martin Edwards

@Andy france

Now THAT is a really interesting and worthwhile point!

Adobe spanked for insecure Reader app

Martin Edwards
Thumb Down

And for corporate users...

At work I dutifully registered for Adobe's site license thing (I forget the name) for the 50-machine network I manage. I'm frustrated to report that when I follow the link in the resulting e-mail to download Reader (there's a version without AIR and Acrobat.com, which is nice) I'm served the 9.0 installer. After installation, on first run this prompts to be updated but only to version 9.1.0, then restarts Reader but fails to re-run the Updater; manually starting it this second time reveals the 9.1.2 patch which can then be installed.

(These version numbers are from memory... I hope I've got them right).

Apple releases Java patches (finally)

Martin Edwards
Thumb Up

@Gilbo

Well said, good summary.

Chrome update completes busy browser patch week

Martin Edwards

Re: Aint WebKit Apple?

WebKit is an Apple fork of KDE's HTML and JavaScript engines, but is open source and Apple code has gone back into Konqueror. In making Chrome, WebKit was Google's choice of engine.

The relationship between Apple and the KDE developers hasn't been plain sailing (if you are interested, Wikipedia summarises some of the difficulties).

Apple's big week: the good, the bad, the ugly

Martin Edwards
Dead Vulture

PowerPC support

Isn't dropping PowerPC processor support a large part of the point of Snow Leopard? Cleaning up the code for the future and contributing to the 6GB reduction in required disk space? I'm sure when Snow Leopard was first talked about a year ago, the lack of PPC support was a _feature_. A selling point almost.

Twitter profile hack pwns Mormons

Martin Edwards

Spread the word

So I was reading this and thinking "yeah, another account hijacking that's only in the news because it involves a famous name" and I wondered what value such an article has. I'll tell you the value: it reminds readers of the importance of using strong passwords. But this is lost on most people as such stories are casually reported badly or lacking in detail by the mainstream media. How many people who use "rover" or "hammy" to log in to all their accounts are going to hear this story on the BBC and think "crikey yeah, I must start using a better password"? I think probably none of them.

Data-sniffing trojans burrow into Eastern European ATMs

Martin Edwards
Stop

STOP THIS NONSENSE FORTHWITH

Judas Priest, this has **** all to do with Windows, OK. Other than perhaps that it's easier to write software for Windows than for some custom ATM platform. Physical access is physical access. You're talking like this thing got in by itself through some unpatched buffer overflow condition in Paint.

Adobe convenes 'Come to Jesus' meeting for buggy Reader app

Martin Edwards
Thumb Up

Adobe Updater

Adobe Updater suffers the same problem as Firefox (as mentioned above) in that it needs administrative privileges. Also, it's only invoked when an Adobe program is run. Now that more people are starting to understand the importance of running as non-admin, this has got to change. By contrast, Google Updater runs a Windows service so it can install patches regardless of who is logged on. For this reason alone, Chrome is now my browser recommendation for the many novices who rely on me for computer advice. I'm interested to see, though, that Google Updater can also update some non-Google software too, including Reader and Firefox. I've yet to try this, so I wonder if anyone here can say whether it patches these third-party products in the same way (and thus under a non-admin account)? If so, big thumbs-up for Google.

Six months on, Macs still plagued by critical Java vuln

Martin Edwards
Gates Halo

Microsoft Java VM

It's a shame the Microsoft JVM is no more. Because now every few months we have to log on as an admin and click through an unnecessarily lengthy wizard and be shown adverts for OpenOffice. I'd much rather have Windows Update do it for me while I'm asleep.

Lame Mac 'email worm' limps into view

Martin Edwards

@Tony

>No doubt there will be a stream of MAC users laughing at this lame duck. However, you should take this seriously.

I'll certainly take it more seriously than anyone who writes Mac in all-caps.

Newfangled rootkits survive hard disk wiping

Martin Edwards
Paris Hilton

Unfettered root access?

Could anyone elaborate on "unfettered root access"? If it means running as administrator, then that's obviously (unfortunately) a very common situation, and surely doesn't belong in the same breath as physical access in terms of how difficult these attacks might be to pull off. Paris, because... wait, no.

The long road to Reader and Flash security Nirvana

Martin Edwards
Unhappy

A great problem indeed

Adobe's updating definitely isn't what it should be. Adobe could choose the Apple approach -- install an updater utility that checks for updates and notifies the user -- but as far as I know, currently Flash and Adobe Reader will never phone home for updates unless they're already running. And I'm sure some Reg readers will commend this (arguably) less-intrusive approach. What definitely isn't cool is Flash's default check-for-updates interval of 30 days.

Perhaps the greatest problem with so many third party products, though, is that they can only be updated from an administrator account. Flash, Reader and Firefox suffer from this. I'm fairly certain that non-administrators won't even be notified that there are update(s) waiting, in the case of these three examples. Yet running day-to-day on an account with limited priviledges is something we are told we should do, and something I certainly recommend to all the people for whom I'm "the computer guy". So I think this is a great problem.

Grifters punt 'get rich quick' scams at Facebook users

Martin Edwards

Blame game

It's inexcusable that Facebook has not removed these ads.

HOWEVER, this is yet another example of an important difference between the online and offline worlds. History has shown that trying to track down and prosecute online criminals is usually futile, thanks to the huge scale and anonymous and global nature of the 'net. The same factors allow us the freedom we all enjoy online. So instead, the onus must be on the user to educate themselves, protect themselves, and use common sense. If users were to stop clicking bad links, falling for scams, and trying to grab bargains from spam e-mails, the criminals would be bled dry. Let's start laying more blame on users, no?

Most Americans without broadband don't want it

Martin Edwards

What about the updates?

Something I've never seen cited as a reason for needing broadband is software updates. To keep it healthy, the average user's computer needs to be downloading virus definitions regularly, Microsoft updates monthly (or the equivalent from Apple), patches for Adobe Reader, Flash, iTunes, and any alternative web browser they're using, and so on. And this just doesn't happen over dialup, at least not before the user finishes whatever it is they're doing and disconnects it or logs off. I mean say you bring home a new machine and install Office 2007 -- that's, what, 300MB of updates lined up straightaway!

Apple drops white Macbook processor speed

Martin Edwards
Thumb Up

It's a bargain

Really, it is. 2 GB of memory is loads and loads in OS X terms. And... *drumroll and sigh of relief*... it's still got Firewire.

PlusNet customer invited to opt-in to BT's Phorm trial

Martin Edwards

Love PlusNet

I like and trust PlusNet. It offers good value, fast and knowledgable non-outsourced support, a good connection speed, good user control panel and features, and 'openness' beyond that of any other tech company I can think of. It upsets me that it's owned by BT, and this Phorm incident is clearly a worrying cock-up, but I wouldn't consider switching ISP because of it.

PayPal top-up card is titsup

Martin Edwards
Joke

Free whitepaper: The Critical Role of Data Loss Prevention

... right below the article! The Register's new contextual ad system is working!

Famed investor backs away from web-obsessed Microsoft

Martin Edwards
IT Angle

Money, money, money

Bollocks to the lot of it.

UK cybercrime overhaul finally comes into effect

Martin Edwards
Stop

Re: Bad Peter bad! Bad Trixie Bad!

"he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable such access to be secured"

It's not as clear as it could be. I assume it means "he causes a computer to perform any function with intent (i) to secure access, or (ii) (with intent) to enable such access to be secured". Thus, whether you're actually performing the function, or merely enabling it to be performed, it's the _intent_ that matters. Otherwise, indeed, most programmers would be guilty (not just for vulnerabilities; any program that accesses data can be used with intent to access data without permission)!

Microsoft's Hotmail hybrid struggles to life

Martin Edwards

"calling for a return to the exiting version"

"calling for a return to the exiting version"

Argh, how Facebook-esque!

Ballmer gives Norwegian students free love

Martin Edwards

Express Editions

The Visual Studio Express Editions are free anyway, and contain more than enough of the full feature set for most student developers.

Brits happy to hand over password details for £5 gift voucher

Martin Edwards
Stop

Double standards

Argh! Too many virtually identical and off-topic comments!

The real point in this article is the "double standards" issue. It's a point I put to several friends earlier in the year when cases of lost personal data were making the headlines: in general, the average person is careless about account security, whether through using easy passwords and PINs, sharing passwords, letting keyloggers etc. onto their computers (or using web cafés for banking and such), clicking links in phishing e-mails, and so on. Yet they expect to remain blameless for any consequences, or, furthermore, to be bailed out at the expense of their bank (or whoever) when someone steals their money/identity.

Apple 2G iPod Shuffle

Martin Edwards
Thumb Up

Good review of an underrated product

I still love my Shuffle, a year on. The battery life is amazing. Speaking of which, pedants like myself will spot the awkward double-negative on the first page: "The manufacturer reckons you'll get about 12 hours' continuous playback out the gadget. Our testing over the past week or so gave us no reason not to doubt that figure." Sorry (!)

OMFG, what have you done?

Martin Edwards
Thumb Up

Line spacing

Fixed-width is great. It keeps the words-per-line under control which is essential for readability. I've long wanted to see an increase in line spacing though. I was delighted when BBC News increased theirs.

Apple code of secrecy imperils Aunt Mildred

Martin Edwards
Jobs Halo

I think it's ideal

I can't speak for the Windows version, but on OS X (as Muscleguy says above), Software Update lists the iTunes and QuickTime updates separately, and each has a line in the description that reads "For detailed information on the security content of this update, please visit...". The QuickTime update also says "...changes that increase reliability, improve application compatibility and enhance security...".

I think that's ideal: the average user doesn't get bogged down reading the details, while the curious and the technically-minded can follow the links and read them. They're well-written and clearly laid-out, too.

http://support.apple.com/kb/HT3025

http://support.apple.com/kb/HT3027

Sophos DNS snafu creates update problems

Martin Edwards

UK site unaffected?

I can't access either the .com or the .co.uk. Maybe that's just a freak coincidence at my end!

Spice up your Apple applications

Martin Edwards

Font size

I'm glad to see I'm not the only one who's frustrated by the tiny font! I've only used Logic on my 17" screen. I had previously wondered how users with larger monitors fared, and I thought that maybe the font scaled up automatically with increasing screen resolution. I gather from the comments that it doesn't!

Exploit code targets Mac OS X, iTunes, Java, Winzip...

Martin Edwards
Thumb Down

Irresponsible

I don't understand how Infobyte can possibly think it is OK to make this tool publicly available. I understand that there are circumstances in which publicising a vulnerability helps encourage people to fix it, but this seems like such a blatantly irresponsible move. I guess I could say the same for Metasploit?

Peers call for cybercrime shakeup (again)

Martin Edwards
Stop

More blame on customers

AC further up the page rightly suggests that we should be more willing to blame customers for their own losses if they are careless with malware or using weak passwords. The biggest cybercrime problem is the average user. Better systems to educate the public will be necessary, but once they're in place, I think it really will be fair that customers who are careless with security pay the price for such carelessness themselves.

Google crawls The Invisible Web

Martin Edwards

Watch out!

Soon, the Googlebot will be commenting on El Reg articles! It might even choose the Paris icon! No wait, it only does it on "high-quality sites" ;-)

But really, does this mean Google might start inadvertently spamming forums, sending queries to helpdesks, requesting password resets, and even (although highly unlikely) logging into websites' member areas and then indexing the results?

UK's most popular Wi-Fi router defaults to insecurity

Martin Edwards

Still more secure than most

Much as I dislike the Home Hub, it must be pointed out that the fact it actually ships with a pre-set WEP key makes it more secure than most home routers on the market, which come with blank passwords. And my experience is that the average user leaves them this way.

Yahoo! to Microsoft: No surrender!

Martin Edwards

Clash of philosophies

Paul and Ishkandar are completely right about capitalism. Otherwise, not only might the letter mention the interests of the consumer, it could also cover the clash of philosophies between Microsoft's proprietary systems and Yahoo!'s love of (and contributions to) the open source community. The possibility of Microsoft trampling on Yahoo!'s infrastructure with its own bloated and insecure 'equivalents' is what worries me the most.