Rubénerd!

I've been promising for a while to list all the extensions I use for Mozilla Firefox. Given I have a stack of homework to do and other chores and errands, it seems now is as good a time as any.

Each of these are reasons why I use Firefox over other browsers!

NoScript

If you're only ever going to install one add on, make it this one. NoScript cops a lot of nonsense and flack from people for being tedious and a pain to use, but it really is very simple and with a few days of using it, it becomes second nature.

NoScript works as a whitelist by blocking all dynamic content on pages by default such as Flash and JavaScript, but when you go to a page you trust you click the NoScript icon and choose "Allow Site". You can even "Temporarily Allow" pages that you suspect aren't working properly without JavaScript but that you don't necessarily want to permanently add to your whitelist.

As for customising, I suggest disabling the "Show message about blocked scripts" because it's a bit redundant. I also suggest removing the NoScript icon from your toolbar and accessing it from the status bar instead, it takes up less space and will be conveniently located next to other extensions with menus.

SSL Blacklist

This protects you for suspect root certificate authorities, and if you prefer not pinging their server every time you access a secure page, you can also download their database as a extension. As a bonus in the newest version it will also warn you if you're accessing a site that uses the now vulnerable MD5 hash that I've talked about before, very cool.

BetterPrivacy

Protects you from so called Super Cookies such as Adobe Flash LSOs [Wikipedia link] which can be used to track you. Spooky stuff.

Cookie Monster

NoScript got me used to the idea of blocking everything by default and only allowing sites I trust to execute code. Cookie Monster is a lightweight extension that does the same thing for cookies.

Another such pair of extensions are CookieSafe and CS Lite, the latter of which I used to use for a while. They're both extremely sophisticated but I found I never used any of their advanced features.

BlockSite

BlockSite is a simple, lightweight and very easy use blacklist utility which does what you think it does. The only thing I wish it did was allow you to right click (or CTRL click on Mac) a link and add the target site to your blacklist.

Adblock Plus (discussed on my usability Firefox extensions post) used to be able to block entire websites, but later versions removed this functionality for some reason: BlockSite fills this void nicely.

The SSL Blacklist add-on warning screen after loading a page

If you're a Mozilla Firefox user and you haven't installed the SSL Blacklist add-on from CodeFromThe70s.org yet, you should absolutely go there right now and click the sslblacklist-4.0.30.xpi link. By installing this plugin you can help protect yourself from suspect SSL root certificate authorities, as well as make sure the sites you're visiting are no longer using the demonstratively flawed MD5 hash algorithm.

ASIDE: I'd argue this plugin along with NoScript are the two greatest arguments for using Firefox. No other browser with these plugins are a match. I feel naked, cold and scared using anything else now.

MD5 is still probably safe, but the fact it has been shown to have problems should alert people running websites to move over to an SHA hash instead. If you find such a site, you absolutely want to let their admins know about it.

So far I've installed SSL Blacklist on my dad's, sister's and my machines and we've been warned the following sites are using MD5:

• Twitter
• Facebook (UPDATE: Are no longer using)
• Neopets

If we find any more we'll add them to the list. Feel free to post a comment with links too. Be careful though, my spam filters block anything with more than three links so you may need to space them out. Cheers.

My feedback regarding the latest episode of Security Now:

To whomever Gibsons and Laportes this may concern,

I'm not Bill Kurtis.

I thought I'd just throw a message over to you guys to clarify one point that was raised on Security Now Episode 181 "Crypto Rehash".

Steve, you commented that you failed to see the point of putting MD5 or SHA hashes on websites that offered downloads given that if a website was compromised the hash could easily be changed as well. I must admit I had never thought of it that way myself either; I had a hearty chuckle on the train along with you guys much to the bewilderment of my fellow commuters!

I would comment though that I was under the impression that hashes under download links are not provided for the purposes of verifying a file hasn't been tampered with for security reasons, but was instead provided so you could verify that the downloaded file had been received intact. As a FreeBSD user I download ISO images and regularly use the hashes to verify that the finished download wasn't corrupted while downloading before I burn a coaster with one. Not sure if this is really necessary, but it has alerted me to a couple of failed downloads in the past.

Thanks for the great show and all the effort and preparation you put into each one.

Most humbly and securely yours,
Ruben Schade in A Little Street in Singapore

--------------------------
THIS MESSAGE HAS BEEN SCANNED WITH SUPER AWESOME VIRUS SCANNER 2009. IT WILL SELF DESTRUCT IF DELETED.

Another quickie to serve as much as a reminder for me as a how-to post.

If you've configured the SFTP daemon on your target system to use a non-standard port as part of your security precaution mix, you can't pass this port number by appending a colon and the port to the address. Instead, use the SFTP options flag to declare the port:

% sftp -oPort [PORT] (USER@)[ADDRESS]

For example, to connect as user NotBillKurtis to a local 192.168.1.128 server on port 50000 you would enter:

% sftp -oPort 50000 NotBillKurtis@192.168.1.128

Screenshot of Windows 7. Hehe, wait a minute...

Don't read too much into the heading for this post and assume that the Mac and FreeBSD guy all of a sudden thinks Windows Vista is peachy. I'm not defending the security record of Windows, I'm arguing against the assertion that fewer UAC dialog boxes will result in less security. I feel as though I'm beating a dead horse with this issue, but it keeps coming up.

Ina Fried over on CNET News.com has written an article titled Windows 7 less annoying, but also less secure? where she reports that Windows 7 will be displaying fewer of those irritating UAC warning dialog boxes whenever a user tries to do something:

Microsoft's efforts to make Windows 7 less annoying than Vista may also be making it less secure than its predecessor.

With Windows Vista, the operating system popped up a warning any time a major change was being made to the system, whether by the OS or by a third-party application. With Windows 7, users can choose how often to be notified, with the current default set to notify only when a third-party application is making a change.

The assertion here is that UAC security dialog boxes somehow make computers more secure, and that the removal of some situations where these messages would appear therefore makes Windows 7 less secure.

The [primary] problem with this line of reasoning is that UAC security dialog boxes don't improve security to start with. All they do is train users to click the Allow button as a reflex. On Mac OS X and free software desktops such as the ones on GNU/Linux or FreeBSD, before any destructive or hardware based changes can be made, most of the time it results in a dialog box prompting the user for their password, or for a root users password. This seems to be a far more sensible way to go.

To quote a post I wrote back in May 2007 when I was rebutting another CNET article that claimed the Mac versus PC advertisement for Vista was inaccurate:

Irritating pop up messages that appear so often that people just get used to hitting "Allow" without reading what they say is no argument for security. The advertisement in question is not saying that Windows computers are too secure, the advertisement is saying that because Windows computers have so many security problems, Microsoft had to take drastic action. The result was a poorly implemented warning system that did everything to irritate end users and nothing to improve security.

Reducing the number of situations where these messages would appear in Windows 7 won't reduce security. Microsoft has made a lot of really bad moves with regards to security of their products, but reducing the verbosity of this flawed system isn't one of them. I'm not Bill Kurtis.

I got a kick out of these tounge in cheek Motivational Posters that take at jab at Debian GNU/Linux for their embarrassingly severe low entropy security hole in their implementation of OpenSSH in May 2008.

I remember seeing some funny FreeBSD Motivational Posters at some point recently too that asseted that FreeBSD users are reliable but boring (I'm a FreeBSD guy of course!), but for the life of me I can't remember where. You'll all be the first to know when I do, even though I'm not Bill Kurtis.

The BBC is reporting Microsoft's opinion of their latest web browser offering: Internet Exporer 8:

Microsoft has stepped up the battle to win back users with the latest release of its Internet Explorer browser.

The US software giant says IE 8 is faster, easier to use and more secure than its competitors.

"We have made IE 8 the best browser for the way people really do use the web," said Microsoft's Amy Barzdukas.

At the end of last year, data from Net Applications showed the software giant's market share dropped below 70% for the first time in eight years to 68%.

I reiterate this one Bruce Schneier quote I've been saying here for years: security isn't claimed, it's proved. Internet Explorer 8 might be easer to use than 7 (and here's hoping the interface isn't as messed up too, for people who have no choice), but real world performance once it's released will be the real test of its security.

Microsoft has a history of delivering the aforementioned claims, but not the results. This is slowly changing, but they've got a very, very steep climb ahead. I'm not Bill Kurtis.

The story was summarised by the BBC in their RSS feed this morning as a question addressed for people who had jumped ship:

Will Microsoft's new browser help persuade users who have flocked to other alternatives come back to Internet Explorer?

A few perhaps, but certainly not me or anyone I advise.

It's official ladies and gents, the Rubenerd Show and Rubenerd Blog are no longer being blocked by The Cathay wireless system and Starhub Internet in Singapore for hosting malware. I appealed the filtering and stated that my shared webserver was the victim of a very brief internal lax group permission enforcement code injection attack and that I had swiftly cleaned my sites of the spam malware links.

I received a message back this evening stating that my appeal had been successful and I'm now typing this blog post without using a proxy server! Hallelujah! I suspect my traffic from Singapore may start crawling back to the highs it had in December last year again.

This by no means has deterred me from moving to a new web host though; I'm already in the process of moving archived Rubenerd Show files over to the Internet Archive (you can track my progress here) and am in the process of upgrading my Segment Publishing account so I can host this blog, my podcast, my pontifications and my anime blog on there instead of just my lightly used university blog whatsit. It's going to be a massive, all in one site with everything, I'm looking forward to it!

But being serious again for a second though, this whole experience has taught me a valuable lesson: the ramifications of hosting your media on a budget web host that doesn't enforce sufficient internal security (even more important than external security) is not worth any financial savings you may glean, no matter how significant. Thousands of gigabytes of capacity and transfer per month for less than $10 may sound like a better deal than a few gigabytes of capacity and transfer a month for a similar price, but as they always say: "if it sounds too good to be true, it probably is.".

If you're interested in these exploits, a quick search for "Servage Hacked" on Google or Yahoo will tell you all about it and give you an idea of the extent of the damage and fallout from their lax approach to security. Scary stuff.

In any event, I'm off to brew myself a cup of green tea in celebration :)

When I initially moved back over to Firefox on my Mac so I could use Greasemonkey to make Google Reader usable again, I had no idea that in a matter of weeks I would become a Firefox addict again. Not necessarily because of the interface (on Mac the Firefox 3.0 interface is quite clumsy and certainly not as streamlined as Camino or Safari), it's because of the extensions.

For example, yesterday CNET announced that Google's Chrome browser would be made available for Mac OS X and Linux at some point in the next 100 years:

Showing signs that it's working to meet requests for new developments to its Chrome browser, Google on Friday said it hopes to release versions for Mac OS X and Linux by the first half of the year, and it released a new version Wednesday that paves the way for the most requested feature: extensions.

While I was impressed initially with the Windows version as I wrote about last year, I soon yawned and moved back to Firefox. As someone who used to use KDE constantly I appreciated the fact that WebKit was being so well endorsed by being used by another vendor's browser, but I couldn't really see the market it was attempting to fill other than perhaps the idea that each tab is a separate process.

The fact such a large web company is also producing it does scare me a little too.

But back to extensions, now that I've read a few reports that Chrome will include extension abilities I'm somewhat appeased, but what I'm more immediately concerned about are the extensions themselves. While I value a few themes which make Firefox look more Mac like, I've become so used to using a handful of security extensions that moving to a browser that doesn't either have similar built-in functionality or the ability to extend the browser to do the same thing would make me feel unsafe using the web.

This is probably more paranoia than anything else, but I've become so used to blocking all the JavaScript, suspect advertisements and cookies loaded on a page and keeping meticulous whitelists that the alternative of allowing essentially a free-for-all scares me. Which is ironic, because less than a year ago I didn't have problems with this at all. I'd also miss the ability I have now to scrub URLs to remove unnecessary redirects, and being able to check whether or not secured certificates are using MD5 or not, or whether super cookies are active... the list goes on. This will be the topic of an upcoming post.

Who knows, perhaps Chrome will finally release versions for other OSs and allow extensions which will generate enough interest as to create replacement extensions for their equivalents for Firefox. Unfortunately this will take time, and to be honest I think Firefox and Chrome target two different groups of people, the latter of which perhaps aren't as security obsessed. I guess time will tell.

It's official folks, the Hong Kong Post Office certificate registrar uses the secure SHA1 hash algorithm not the now-vulnerable MD5. Security Now in-joke :-)

For what it's worth, the official title for the Hong Kong government is sure a mouthful isn't it? And here I was thinking the various Australian government departments had unnecessarily long and complicated names!