As End of Life Nears, More Than Half of Websites Still Use PHP V5

Found on Threatpost on Sunday, 21 October 2018
Browse Software

Despite end-of-life on the horizon, a new report by Web Technology Surveys found that PHP version 5 is still used by 61.8 percent of all server-side programming language websites. And, of those using version 5, 41.5 percent of websites are using version 5.6, the report said.

What this means is, security patches, upgrades and bug fixes will cease for end-of-life technology – putting that percentage of PHP-based websites using PHP 7.0 and below at risk.

Without a doubt the writer of this article has not done any research at all and makes the same mistake as many so-called security analysts: blindly relying on version numbers. First of all, every admin should by default set expose_php to off to disable version information so it cannot be collected. That already messes up the numbers in the article. Even worse, however, is not knowing that the biggest player in the field of server operating systems, namely Red Hat (and thus all others based on it, like CentOS), actively supports older PHP versions by backporting security patches. So, as long as admins keep their OS updated, bugs will be squashed, no matter if PHP itself has dropped support or not. Not knowing that should be embarrassing to anybody who talks about webserver security. So in short, the article is completely misleading and entirely useless without taking the underlying server OS into account.
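Two checks an admin can run on their own server follow the point above: whether a response still advertises the PHP version (the effect of expose_php, plus Apache's ServerTokens appending the module version to Server), and whether the php.ini actually has expose_php switched off. The last function reproduces the survey's "banner below 7.1 means end-of-life" logic only to make the caveat concrete: a banner reports the upstream version string, not whether the distribution has backported fixes. This is an added example, not code from the article or from PHP; the headers and ini fragments are constructed samples.

```python
import re
from typing import Mapping, Optional

# Constructed sample response headers (not captured from any real site).
SAMPLE_LEAKING = {
    "Server": "Apache/2.4.6 (CentOS) PHP/5.4.16",
    "X-Powered-By": "PHP/5.4.16",
}
SAMPLE_HARDENED = {"Server": "Apache"}

# Constructed php.ini fragments; real files have many more directives.
SAMPLE_INI_LEAKING = "[PHP]\n; expose_php = Off\nexpose_php = On\n"
SAMPLE_INI_HARDENED = "[PHP]\nexpose_php = Off\n"

PHP_VERSION_RE = re.compile(r"PHP/(\d+\.\d+(?:\.\d+)?)")
# Matches only an active directive: a leading ';' comments the line out.
EXPOSE_PHP_RE = re.compile(r"^\s*expose_php\s*=\s*([A-Za-z0-9]*)",
                           re.IGNORECASE | re.MULTILINE)


def disclosed_php_version(headers: Mapping[str, str]) -> Optional[str]:
    """Return the PHP version a response advertises, or None.

    expose_php=On adds an X-Powered-By header; Apache's ServerTokens
    setting can also append the PHP module version to the Server header.
    Header names are compared case-insensitively, as HTTP requires.
    """
    for wanted in ("x-powered-by", "server"):
        for name, value in headers.items():
            if name.lower() == wanted:
                match = PHP_VERSION_RE.search(value)
                if match:
                    return match.group(1)
    return None


def expose_php_setting(ini_text: str) -> Optional[bool]:
    """Return True/False for the last active expose_php directive, None if absent.

    The last occurrence wins, which is how PHP itself resolves duplicates.
    """
    matches = EXPOSE_PHP_RE.findall(ini_text)
    if not matches:
        return None
    value = matches[-1].strip().lower()
    return value in ("on", "1", "true", "yes")


def banner_suggests_eol(version: str) -> bool:
    """The survey's reasoning: a 5.x or 7.0 banner counts as end-of-life.

    Caveat this example exists to show: enterprise distributions keep the
    upstream version string while backporting security fixes, so a True
    here says nothing about whether known bugs are actually patched.
    Check the package changelog (rpm -q --changelog <pkg>) instead.
    """
    major, minor = (int(part) for part in version.split(".")[:2])
    return major < 7 or (major == 7 and minor == 0)


if __name__ == "__main__":
    for label, headers in (("leaking", SAMPLE_LEAKING), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", disclosed_php_version(headers))
    print("expose_php:", expose_php_setting(SAMPLE_INI_LEAKING),
          expose_php_setting(SAMPLE_INI_HARDENED))
```

Run it against real headers from `curl -sI https://your-host/` to see what your own server leaks; an empty result from disclosed_php_version is the target state.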

Vivaldi 2.0 review: The modern Web browser does not have to be so bland

Found on Ars Technica on Saturday, 20 October 2018
Browse Software

Vivaldi has recently hit the 2.0 milestone. You can download the latest version from the Vivaldi site or install it through the app store or package manager of your OS. And at first blush, perhaps the most shocking thing about this release is that it's merely 2.0. This release is a throwback to an earlier time when version numbers had meaning, and a major number increment meant that something major had happened.

The most important thing for a browser is that it actively protects the privacy of the user by all means possible to break tracking and data collection.

You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

Found on The Register on Friday, 19 October 2018
Browse Internet

The privacy risks associated with web tracking, however, persist, and now it appears there's yet another mechanism for following people online. Blame researchers from the University of Hamburg in Germany for the latest expansion of the privacy attack surface.

They note that Facebook and Google, due to their behavioral ad businesses, specify longer session resumption ticket lifetimes than most. Facebook's lifetime hint setting of 48 hours is higher than 99.99 per cent of all session ticket hints found. Google's 28 hour value exceeds 97.13 per cent of Alexa's top million websites.

Facebook and Google track you. Facebook in the most aggressive way. Clearly they have learned absolutely nothing from the privacy scandals they went through and just keep on doing business like before.
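The lifetime hint the researchers measured is visible to anyone who connects: `openssl s_client` prints it as "TLS session ticket lifetime hint: N (seconds)". The added example below, which is not part of the article or the Hamburg study, parses that line from constructed s_client excerpts and reports how long a server lets a returning client be re-identified; the 24-hour threshold is an assumption chosen for illustration, and the article's own values (48 h for Facebook, 28 h for Google) are used as sample inputs.

```python
import re
from typing import Optional

# Constructed excerpts of `openssl s_client -connect host:443` output
# (not real captures; the lifetime line follows OpenSSL's format).
SAMPLE_SHORT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    TLS session ticket lifetime hint: 300 (seconds)
"""
SAMPLE_48H = "    TLS session ticket lifetime hint: 172800 (seconds)\n"
SAMPLE_28H = "    TLS session ticket lifetime hint: 100800 (seconds)\n"
SAMPLE_NO_TICKET = "SSL-Session:\n    Protocol  : TLSv1.2\n"

LIFETIME_RE = re.compile(
    r"TLS session ticket lifetime hint:\s*(\d+)\s*\(seconds\)")

# Assumed policy threshold for this example, not a value from the article.
MAX_ACCEPTABLE_HOURS = 24.0


def ticket_lifetime_seconds(s_client_output: str) -> Optional[int]:
    """Extract the ticket lifetime hint; None if the server issued no ticket."""
    match = LIFETIME_RE.search(s_client_output)
    return int(match.group(1)) if match else None


def lifetime_hours(seconds: int) -> float:
    return seconds / 3600.0


def tracking_window_report(s_client_output: str,
                           max_hours: float = MAX_ACCEPTABLE_HOURS) -> dict:
    """Summarise how long a resumed session lets the server link visits.

    A session ticket (or TLS 1.3 PSK) is a server-chosen identifier the
    client presents on its next connection, so the lifetime is the window
    in which a returning visitor can be recognised without cookies.
    """
    seconds = ticket_lifetime_seconds(s_client_output)
    if seconds is None:
        return {"ticket": False, "hours": 0.0, "exceeds_policy": False}
    hours = lifetime_hours(seconds)
    return {"ticket": True, "hours": hours, "exceeds_policy": hours > max_hours}


if __name__ == "__main__":
    for label, sample in (("short", SAMPLE_SHORT), ("48h", SAMPLE_48H),
                          ("28h", SAMPLE_28H), ("none", SAMPLE_NO_TICKET)):
        print(label, tracking_window_report(sample))
```

On the server side the mitigation is a short lifetime and regular ticket-key rotation; on the client side, Firefox and Chrome clear the TLS session cache together with cookies, which is why the article treats the lifetime as an upper bound rather than a guarantee.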

Remote South Atlantic Islands Are Flooded With Plastic

Found on Smithsonian on Thursday, 18 October 2018
Browse Nature

Now, reports Marlene Cimons at Nexus Media, that pollution is getting even worse. A new study in the journal Current Biology shows that plastic trash on the beaches and in the ocean has increased tenfold in just the last decade and a hundredfold over the last three decades.

“Three decades ago these islands, which are some of the most remote on the planet, were near-pristine,” lead author David Barnes of the British Antarctic Survey says in a statement. “Plastic waste has increased a hundredfold in that time, it is now so common it reaches the seabed. We found it in plankton, throughout the food chain and up to top predators such as seabirds.”

If only it was possible to dump that junk onto those who created it. Instead, global politics fail so very hard at something so important as protecting the world everybody lives in.

Printer Makers Are Crippling Cheap Ink Cartridges Via Bogus 'Security Updates'

Found on Motherboard on Wednesday, 17 October 2018
Browse Hardware

Printer maker Epson is under fire this month from activist groups after a software update prevented customers from using cheaper, third party ink cartridges. It’s just the latest salvo in a decades-long effort by printer manufacturers to block consumer choice, often by disguising printer downgrades as essential product improvements.

Hardware makers began cooking draconian restrictions into printers, ranging from unnecessary cartridge expiration dates to obnoxious DRM and firmware updates blocking the use of “unofficial” cartridges.

Along with net neutrality, there is a clear need for ink neutrality too.

Web browsers sharpen knives for TLS 1.0, 1.1, tell protocols to dig their own graves for 2019

Found on The Register on Tuesday, 16 October 2018
Browse Internet

The Internet Engineering Task Force has been considering when to hold the funeral of TLS 1.0, which will be 20 years old in January 2019, as well as a burial for TLS 1.1, since June this year. Its Internet-Draft on the matter is expected to formalize the 'net standards body's “die die die” recommendation later this year. When the draft progresses to standard status, the IETF will no longer fix new protocol vulnerabilities in TLS 1.0 and 1.1.

That's going to be similar to the adoption of IPv6 probably.

Internet operator challenges network tapping by German spy agency

Found on Reuters on Monday, 15 October 2018
Browse Internet

DE-CIX said it received orders from the Federal Intelligence Service (BND) to allow it to access data at its internet exchange in Frankfurt. The BND has in recent years received a mirror image of the traffic as part of its counter-terrorism and cyber-security efforts.

In Germany, the right to privacy of correspondence, posts and telecommunications is protected by Art. 10 of the constitution. This is restricted by a law that allows federal and state spy agencies to tap such communications, subject to review by a control commission on which lawmakers sit.

Pretty sad that you're more protected from being spied on if you send just a letter.

Yale users locked out of homes after 'smart' home app crashes

Found on The Inquirer on Sunday, 14 October 2018
Browse Technology

Users of Yale's so-called 'smart' locks were trapped out of their homes for more than 24 hours after the company's smartphone app went to Borksville.

Yale blamed an "unforeseen issue while carrying out unplanned network maintenance", but claimed to have resolved the problem on Friday morning. However, users still claim that notifications - such as whether an alarm has been armed or disarmed - aren't coming through.

While the app was down, customers complained of being 'stuck' in their homes, while others were forced to wait outside until the problem was fixed.

Oh the sweet irony. Nothing would have happened if clients had just stuck to something as old-fashioned as mechanical locks with keys; but no, even unlocking your door has to be "smart". Now imagine someone found a way to remotely brick all those locks...

branch.io bug left '685 million' netizens open to website hacks

Found on The Register on Saturday, 13 October 2018
Browse Various

That staggering nine-figure number is because the security issue was actually within a toolkit, called branch.io, that tracks website and app users to figure out where they've come from, be it Facebook, email links, Twitter, etc.

Among the sites found to be using the vulnerable components were reviews site Yelp, cash wiring biz Western Union, Shopify, and photo-sharing site Imgur, it is claimed. Hochstadt estimated the sites together handle around 685 million user accounts.

So basically, all that happened because those websites want to analyze their visitors even more; and then they wonder why privacy addons in browsers are so popular.

Firefox removes core product support for RSS/Atom feeds

Found on Gijsk on Friday, 12 October 2018
Browse Software

After considering the maintenance, performance and security costs of the feed preview and subscription features in Firefox, we’ve concluded that it is no longer sustainable to keep feed support in the core of the product. While we still believe in RSS and support the goals of open, interoperable formats on the Web, we strongly believe that the best way to meet the needs of RSS and its users is via WebExtensions.

Likewise, the feed viewer has its own “special” XML parser, distinct from the main Firefox one, and has not had a significant update in styling or functionality in the last seven years.

Styling RSS feeds? What for? To stuff annoying advertising and tracking into the textblocks? Maintaining your own "special" XML parser is like maintaining your own "special" encryption: in other words, pretty much a really bad idea.