Thursday, April 24, 2014

Nasty Surprise - Thanks Micro$oft!


To hell with Micro$oft, we are getting royally “scr***d” over. “We” here being every home user with Windows 8! We have to decide if we want to stay on version 8.0 or upgrade to 8.1 and then to 8.1 Update.

Watch the capital U in Windows 8.1 Update, it is a major distinction, sort of like of but not quit like a service pack. What is Micro$oft thinking - if somebody is thinking there at all?

There is no big harm in staying with Windows 8.0, Micro$oft is going to supply at least two more years of updates. But after these two years? Not a word ... yet.

Totally out of the blue Micro$oft has decided that Windows 8 users need Windows 8.1 and on top of that 8.1 Update if we want to receive future updates. No warning, no information that gives us time to prepare, nothing. You can read the truly puzzling, no almost confusing details here.

Remember, these Updates are mandatory for the average non-geek home computer user.

Micro$oft defenders put it like this: “If you want security patch C, you need to have installed security patch B first. In this case, security patch B just happens to be the 8.1 Update.” What a joke, what an arbitrary and confusing labeling system!

While there is some merit in above point of view, it overlooks three important facts:

  1. Many people are having problems installing Windows 8.1 and Windows 8.1 Update — and Micro$oft hasn’t fixed the problems.

    Not the least problem being the huge size of 8.1 (ca. 8.2GB!) and of 8.1 Update (ca. 890MB); it is a pain to download that on “slow”, in our area regular DSL connections.

  2. Windows 8.1 Update is a lot more than a security patch. It includes some significant changes to the Windows User Interface.n The latter luckily is no problem for my customers because of the way I set up Windows 8 computers.

  3. Micro$oft is going to continue making patches for Windows 8.1. It just won’t give these updates to the average Windows user. That hurts.
And as if to add insult to injury Micro$oft puts a deadline of May 13th on having Windows 8.1 Update installed!

It all boils down to trust, trust that Micro$oft is recklessly playing with.

And here is an important side note: The whole process takes a lot of time. Basic DSL connections and slower computers will be greatly affected. Brace yourself and prepare for many hours of work. Thank you Micro$oft!


For anybody with original Windows 8 and wanting to update to 8.1 I hope to be able to amend this article with instructions on how to get from Windows 8 to 8.1 and then to 8.1 Update. Hopefully I can do this on the upcoming weekend. Please stay tuned and check back if you are interested.

Update 4/25/2014:

For users with Windows 8:
  • If you want to avoid the pain of updating to 8.1 you can stay on Windows 8.
     
  • If you want the newest and greatest then you should update to 8.1 and then to 8.1 Update. Please consider the implications, especially the extreme time it takes to download over 9GB of updates on average Internet connections!
     
  •  On slower computers the installations can easily take two to four hours!
For users with Windows 8.1:
  • Micro$oft has made that decision for you: You have to download and install 8.1 Upate if you want to receive future security updates via Windows Update. 
As usual I welcome suggestions and comments right here in the blog.

Click here for a categorized Table Of Contents.
  


Saturday, April 12, 2014

Heartbleed - Internet Wide Risk


You may already have heard about the Heartbleed bug. This article is meant to be a simple rundown:

Web sites encrypt (or should encrypt) important traffic over the Internet such as usernames and passwords for example.

All web sites use some sort of special encryption software for this. Many web sites use a freely available (free as in no money) encryption software named OpenSSL.

Many OpenSSL versions are perfectly safe, only a few versions are affected, that is they contain a bug that allows encrypted information to be decrypted, that is finally to be read in clear text.

There is little we can do on our computers to avoid Heartbleed except avoiding affected web sites. Here are two places where you can check web site addresses for this bug. A web site address is the URL, what you type in the address bar of your web browser.
  1. Heartbleed Test by Filipio.io seems to be privately run; just type over the example "Facebook" entry in the form. This site has lots and lots of detailed information about Heartbleed  and a lengthy Q&A page.
     
  2. Heartbleed Test by Lastpass.com is professionally run by Lastpass.com, a password management service.
    For full disclosure: I use Lastpass, I am one of their customers.
And last but not least here is a list of affected web sites. A warning: This link leads to a forum entry with lots of subsequent discussions that you can safely ignore.

What to do if you use an affected web site?

Assuming that you have done above checking and you have in the past used an affected web site there is only one thing we can do:
Do not log into accounts from afflicted sites until you're sure the company has patched the problem. If the company hasn't been forthcoming -- confirming a fix or keeping you up to date with progress -- reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
PLEASE give that website or company feedback; tell them that you will shun them if they don't fix their servers soon. If we don't speak up we give them the liberty to stay lazy and to ignore our concerns about this.

Don't be shy about reaching out to small businesses that have your data. Make sure their web site is secure. While high-profile companies like Yahoo and Google certainly know about the problem, a small businesses might not be aware of it, said TrustWave's Miller. Be proactive about the safety of your information.

Keep a close eye on financial statements for the next few days. If attackers can access stored credit card information it can't hurt to be on the lookout for unfamiliar charges on your bank statements.

Once you have gotten confirmation that the web site is fixed change passwords of sensitive accounts like banks and email immediately.

What to do if you have used the same password on more than one web site? Immediately stop this dangerous practice.

On important web sites, where money is involved for example, establish unique passwords for every such web site. And as usual, write the passwords down where you can find the note when you need it - you will need the note, believe me.

And last but not least at all: Your sleek Android smartphone could be affected as well! You find more about that here.

As usual I welcome suggestions and comments right here in the blog.

Click here for a categorized Table Of Contents.
 

Monday, April 7, 2014

2014-04-07 WTKM Talking Points (Apr 07 2014)


Windows 8.1 Update 1 will go to Automatic Updates April 8th. Be warned, that will be up to 6 updates. BE patient!

Apple has fixed 27 vulnerabilities in it's Safari web browser for OS X

Linksys Routers can be hacked.You own any Linksys or Cisco router? Update router firware NOW.Many common models are at danger. Test if your Linksys/Cisco router is still supported. If not you have to replace it. "Not supported" means that the firmware can not be updated any more.

Cisco fixes SIX different vulnerabilities in it's Cisco and Linksys routers! Check your router for firmware updates now if you have a Linksys or a Cisco router!

Banking Trojan Caphaw distributed through Youtube ads! If you get ANY ads when on YouTube you need to call me; you are using the wrong web browser and/or your browser is not set up for safe browsing. Firefox and AdblockPlus rule.

"Micosoft scam calls" abound. I asked one of these callers which one of our five computers he was talking about. Fun...

Public WiFi-Hotspot? UN-safe by design! Do nothing requiring a password!

Malware in hoax emails warning
recipients that they may have cancer.

Microsoft Word 2003, 2007, 2010, 2013,
and Office for Mac 2011 are vulnerable to a newly discovered bug in handling RTF files. No fix yet.

Banks charge Target and one of it's suppliers (of computer security advice!) in a class action lawsuits. Already $172 million damage to banks and more to come.

New ransomware CryptoDefense made programming error and left decryption key behind. Be very careful opening ANY attachments. When in doubt ask!

Search all now-public NSA surveillance docs at your leisure. See The NSA Archive.

Microsoft spells out new rules for adware classification. Won't tolerate privacy probes or auto-installs. Let's see what that does to PuPs

.