Sep 10

If you’re bored with the political mud slinging lately and would like a break from pigs, pit bulls, and lipstick, how about a nice legal wrestling match with two big boys in the big brother browser battles?

Yes, that’s right folks! As if the US Department of Justice (DOJ) doesn’t have enough on their hands, they’ve hired an ace anti-trust litigator from none other than Disney! Former Walt Disney vice chairman Sanford Litvack (and, with all due respect, former chief of the Justice Department’s antitrust division during the Carter administration) has been asked to examine the evidence gathered so far and to build a case if the decision is made to proceed, lawyers close to the review said.

According to the Wall Street Journal:

For weeks, U.S. lawyers have been deposing witnesses and issuing subpoenas for documents to support a challenge to the deal, lawyers close to the review said. Such efforts don’t always mean a case will be brought, however.

Okay, but here’s a side note that the Wall Street Journal leaves out! CNN Money today discussed the possibility that “cry baby” Microsoft may be behind this entire lawsuit, hiding behind the skirts of the Association of National Advertisers. (And I take full responsibility for the term “cry baby” in reference to Microsoft. I said it; CNN DID NOT.)

Now, please note that in the media reports there are these comments:

The Association of National Advertisers, a trade group that represents major companies like Procter & Gamble Co. and General Motors Corp., sent a letter to the Justice Department Thursday calling the deal bad for advertisers and recommending that it be blocked.
(http://online.wsj.com/public/article/SB122091328430212195.html?mod=2_1563_leftbox)

And in an InternetNews Article:

On Sunday, the Association of National Advertisers, a prominent trade group representing many of the nation’s largest corporate advertisers, announced that it had appealed to the DoJ to block the deal.
(Source: http://www.internetnews.com/government/article.php/12268_3770376_2)

Everyone is commenting about how the Association of National Advertisers is against this deal. First of all, wouldn’t the major advertisers like Procter & Gamble, General Motors, and all the others in this organization benefit from increased advertising exposure due to the Yahoo/Google advertising partnership?

Or is it because of this member on their membership list that this whole thing has become an issue?

[Image: Could it be SATAN? Close! Microsoft!]

I mean after all, I’m sure P&G, General Motors, Chrysler, and the rest object because they want to start their own online advertising search engine, right?

And perhaps DoubleClick (who is also on the list and is owned by Google) is objecting because they feel like a “red headed step child” now that Yahoo is in the picture, right?

I could go on, but you can look at the members list yourself here:

http://www.ana.net/join/memberlist

My personal message to Ballmer: go home, wipe your cry baby nose, get counseling, get over it. And if you really want a job throwing temper tantrums and crying foul, I know of a political campaign I can hook you up with.

As much as I’ve been on Google’s case for their Big Brother Browser Chrome, I wish them well in this case. I am very happy they saved Yahoo from the evil clutches of Microsoft because I like Yahoo for what I use Yahoo for.  And I commend the Yahoo board and shareholders for having the presence of mind to not allow Microsoft to frack up yet another thing they touch.

May your DOJ scrutiny pass mustard - I mean muster - but you could pass the mustard with a nice corned beef sandwich if you’d like!



written by Admin

Sep 09

Well, they just keep coming out of the woodwork don’t they? Okay, bad metaphor to use woodwork in reference to the web. But you get the picture.

Yet another security flaw has been found in Chrome. Thank God it’s still in beta!

InformationWeek reports that a Vietnamese security company, Bach Khoa Internet Security (BKIS), has posted a proof of concept demonstrating how a long title and the SaveAs command in Chrome can create a buffer overflow and allow a hacker to remotely attack the computer and gain full control.

(And to all my Advanced PC Students….. what did I tell you about the buffer overflow problem??)

For those of you who don’t understand a word of what I just wrote in the explanation, here comes a Debbie explanation.

You’ve experienced a buffer overflow whether you realize what it was or not. Have you ever sent a BIG job to your printer and suddenly had it start printing weird characters at the top of each page, and then keep on printing these one-line, three-character pages? If so, you’ve experienced a buffer overflow on your printer!

This happens in programs when programmers fail to program into the code a way to handle too much data coming into it. We call this an “unchecked buffer” because the programming code doesn’t check or handle limits to the data it can hold.
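To make the “unchecked buffer” concrete, here is an added example (not code from Chrome or from the BKIS proof of concept) of a routine that turns a page title into a suggested file name, first without a length check and then with one. The function names, the 64-byte buffer and the `.htm` extension are assumptions made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64                 /* constructed buffer size for this example */
static const char EXT[] = ".htm";   /* sizeof EXT == 5: four characters plus NUL */

/* BEFORE: the "unchecked buffer". Nothing compares the title's length with
 * the 64 bytes available, so a longer title is written past the end of dst. */
void suggest_name_unchecked(char dst[NAME_BUF], const char *title)
{
    strcpy(dst, title);
    strcat(dst, EXT);
}

/* AFTER, rejecting: returns 0 and fills dst only when title + ".htm" + NUL
 * fits in dst_size bytes; otherwise returns -1 and leaves dst empty. */
int suggest_name_checked(char *dst, size_t dst_size, const char *title)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (title == NULL)
        return -1;
    size_t len = strlen(title);
    /* Written as two comparisons so the arithmetic itself cannot wrap. */
    if (len >= dst_size || sizeof EXT > dst_size - len)
        return -1;
    memcpy(dst, title, len);
    memcpy(dst + len, EXT, sizeof EXT);     /* copies ".htm" and its NUL */
    return 0;
}

/* AFTER, truncating: always produces a NUL-terminated name that fits.
 * Returns how many bytes of the title were kept. */
size_t suggest_name_truncated(char *dst, size_t dst_size, const char *title)
{
    if (dst == NULL || dst_size == 0)
        return 0;
    dst[0] = '\0';
    if (title == NULL || dst_size < sizeof EXT)
        return 0;
    size_t room = dst_size - sizeof EXT;    /* bytes left for the title */
    size_t keep = strlen(title);
    if (keep > room)
        keep = room;
    memcpy(dst, title, keep);
    memcpy(dst + keep, EXT, sizeof EXT);
    return keep;
}

int main(void)
{
    char name[NAME_BUF];
    char long_title[301];                   /* constructed oversized title */
    memset(long_title, 'A', 300);
    long_title[300] = '\0';

    suggest_name_unchecked(name, "Home");   /* works only because "Home" is short */
    printf("unchecked, short title: %s\n", name);

    int rc = suggest_name_checked(name, sizeof name, long_title);
    printf("checked, 300-byte title: rc=%d\n", rc);

    size_t kept = suggest_name_truncated(name, sizeof name, long_title);
    printf("truncated: kept %zu bytes, name is %zu bytes long\n",
           kept, strlen(name));
    return 0;
}
```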

Buffer overflows are so old and so well known it makes me sick to think that programmers are still not checking this in the code! It’s probably the most widely known method of hacking or exploiting there is.  But I won’t go on one of my rants. That’s not what this is about.

Just wanted you to be aware that this is yet another reason not to be using this browser. And remember, it’s yet another Big Brother Browser disguised as nice, “do no harm” Google.



written by Admin

Sep 05

I didn’t realize when I wrote the last post that everyone thought I was NOT going to write about security! I’ll have to watch my words since so many of you are really reading them! (Don’t let those numbers fool you on the side up there! I’ve found out I have a following that doesn’t subscribe!)

I’ve pointed you in the direction of the comic book about the making of Google Chrome, and if you didn’t get a chance to read it, or didn’t understand it, let me tell you a bit about the way this was built.

It was built on the same framework as Apple’s Safari and many other browsers, using an Open Source application building program called WebKit, but it also borrowed and modified certain code from Mozilla Firefox. Mozilla Firefox, however, is built using C++ programming code and JavaScript. It’s open source code, meaning it’s available to see and use, but it’s not built on some pre-existing kit, so to speak, the way WebKit has allowed for programs like Safari and now Google Chrome.

If that’s confusing to you, that’s okay. You are probably not a programmer! And that’s okay too!

The point I want to make is that Google Chrome and Mozilla Firefox are built on two different types of programming bases and while they are being compared to each other by many a reviewer out there today (and some who are using my Big Brother Browser phrase!), they are built in two distinctly different ways.

As all of my students are used to, I’ll use one of the Debbie analogies I’m famous for.

Think of Google Chrome and Mozilla Firefox as two houses in a subdivision. Google Chrome is a pre-fab where the developer has already built the frames, walls, and sub-structures for the house and delivers them to the lot. The builder puts the pieces together to make the house that is unique to the home buyers by the way they put the pieces together.

Firefox however, is built from the ground up by a developer who drew the plans, poured the foundation and started adding the structural pieces by cutting the wood and pounding the nails.

Now, does that make either house better than the other? Structurally, no. That’s not what this comparison is about. I just wanted you to see that these two browsers are constructed differently. So let’s not confuse the issues.

That being said, Google Chrome states in the comic book that they put their pieces together in a segmented way that is called sandbox threads. What this means to the average user is that instead of the browser being exposed to a bad guy because it is constructed in one single thread that handles all the interaction with a website, the individual pieces are like rooms of their own that are meant to keep the bad guys away from the main house.

Mozilla Firefox is built similarly to that concept in that the bad guys cannot access the main structure of the house, but the entire browser is built on one thread, so the rooms have hallways connecting them to the house but no doors to isolate a single room.

Does that make sense?

What this means to us as users is that Google Chrome claims that, because of the way they built their browser, they are theoretically more secure than the other browsers because their doors are supposed to slam shut should a bad guy get in.

We’ve all experienced the lock up of a browser, whether it is Firefox, Internet Explorer, Safari, or Opera. When something goes wrong in one of those rooms, because they are all connected, the browser (or house) locks up.

Google Chrome states it’s not supposed to do that. But in my previous post, I pointed out that my LinkedIn Flash utility to add a contact manually did lock up the browser - however briefly. (Now mind you, I have a dual-core processor too!)
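The “rooms with doors” idea can be modelled with separate operating-system processes, which is how Chrome isolates each tab. The following is an added example, not Chrome’s code: the page functions and helper names are made up, it assumes a POSIX system, and it shows only that a crash stays inside one room, not the privilege restrictions a real sandbox adds.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for web pages: one behaves, one crashes. */
static void page_ok(void)    { /* renders normally */ }
static void page_crash(void) { abort(); }      /* process dies on SIGABRT */

typedef void (*page_fn)(void);

/*
 * Run one page in its own child process (a room with a door).
 * Returns 0 if the page finished, the signal number if it crashed,
 * or -1 if the child could not be started or waited for.
 * Calling page() directly instead would take the whole program down
 * with it: that is the "hallways but no doors" design.
 */
int run_page_isolated(page_fn page)
{
    fflush(NULL);                       /* avoid duplicated buffered output */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                     /* child: the tab */
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);   /* no core file from the demo crash */
        page();
        _exit(0);
    }
    int status;                         /* parent: the browser */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);        /* the crash stayed inside the child */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Open every page in its own process. Returns how many finished and
 * stores how many crashed; the caller is still running afterwards. */
int browse_isolated(const page_fn *pages, int n, int *crashed)
{
    int finished = 0;
    *crashed = 0;
    for (int i = 0; i < n; i++) {
        int r = run_page_isolated(pages[i]);
        if (r == 0)
            finished++;
        else if (r > 0)
            (*crashed)++;
    }
    return finished;
}

int main(void)
{
    const page_fn tabs[] = { page_ok, page_crash, page_ok };
    int crashed;
    int finished = browse_isolated(tabs, 3, &crashed);
    printf("finished=%d crashed=%d, browser still running\n",
           finished, crashed);
    return 0;
}
```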

Now you may be asking, “Ok, Debbie. What does this have to do with security?” Well, I’m glad you asked! (SMILE)

Aviv Raffon, a security researcher, created a file that showed how Google Chrome could be exploited by a technique called Carpet Bombing. I tested his research (which is called a Proof of Concept), and it didn’t work with me. Why? Because I had already configured the options in the Chrome browser NOT to automatically download files but to always ask me where to put them! And this is standard security procedure on any new installation! (But then again, no one probably knows that because no one believes it will happen to them! As is evidenced by our lack of sales on our anniversary course special! Sorry, had to rant for a second.)

But, on the assumption that most users don’t have the knowledge I do and leave the browser at its default settings, then yes, people can be exploited without even knowing it.

Now, does that alone make Chrome unsecure? No. Then what does?

Well, the problem lies in the mash up of the way Chrome is put together. By borrowing and modifying the code from Mozilla’s Firefox and using it within the Webkit framework, we’re not too sure what we are dealing with.

Now, according to an InformationWeek article, a researcher has shown that Google Chrome can be crashed by a malicious link.

Another security researcher, Rishi Narang, claimed to have found a way to crash Chrome with a malicious link.

“An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27,” Narang explained on the Evil Fingers Web site. “A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a ‘special’ character, the Chrome crashes with a Google Chrome message window ‘Whoa! Google Chrome has crashed. Restart now?’ ”
Source: http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=210300297

Curious about this crash and undefined-handlers - which I also preach about in my hacking course - I went to Rishi Narang’s website quoted in the article. What concerns me is that in his research he found:

It crashes on “int 3” at 0x01002FF3 as an exception/trap, followed by “POP EBP” instruction when pointed out by the EIP register at 0x01002FF4.
Source: http://evilfingers.com/advisory/google_chrome_poc.php

For my students who’ve taken my hacking course, you should remember the assignment that covered the EIP register hacking example. This is NOT good!

The EIP register is the x86 instruction pointer: it holds the memory address of the next instruction the processor will execute. It’s hard to say without more testing just how far this could allow a malcode writer to get into your system. Either way, it’s an early warning sign for me that more security testing needs to be done and that preliminary indications are that this is not the secure browser it is being touted as.

As for me, I’m rolling back to IE 7 and giving the Big Brother Browser the boot. I’m also uninstalling Google Chrome. I’ll let the hard-core researchers test it more fully. I don’t care to get spied on any more than I already am even if it is for free! I’ll stick with my Mozilla Firefox and browse happy with my extensions and plug-ins.

If you are still foolish enough to use these unsecure wolves in sheep’s clothing - aka big brother browsers - please consider taking our courses. You’re going to need them one day!

Coming soon…….
Our Director of Emerging Technology is currently very angry. He’s reformatting and reinstalling his not-even-3-month old hard drive. Reason? ZoneLabs ForceField. He’s got a story to tell you!

In the meantime, I’ll be commenting on the death of Web 2.0 over the weekend. So stay tuned…..



written by Admin

Sep 04

In my two previous posts about Google Chrome, I’ve covered the facts about how easy it was to install and some immediate signs of incompatibility.

But, we never covered the privacy and security issues. In this post, I’ll deal with the privacy issues.

Let’s look at the EULA (End Users Licensing Agreement) first. Or the Google Chrome Terms of Service. (http://www.google.com/chrome/eula.html)

The beginning part of the terms is the usual blah, blah legalese, but we find a similar thread with Google as we do with Microsoft….

4.1 Google has subsidiaries and affiliated legal entities around the world (“Subsidiaries and Affiliates”). Sometimes, these companies will be providing the Services to you on behalf of Google itself. You acknowledge and agree that Subsidiaries and Affiliates will be entitled to provide the Services to you.

4.2 Google is constantly innovating in order to provide the best possible experience for its users. You acknowledge and agree that the form and nature of the Services which Google provides may change from time to time without prior notice to you.

Same rhetoric found in Microsoft’s terms also.

But here’s an interesting twist in Google’s EULA that even Microsoft doesn’t have! (My emphasis added!)

4.5 You acknowledge and agree that while Google may not currently have set a fixed upper limit on the number of transmissions you may send or receive through the Services or on the amount of storage space used for the provision of any Service, such fixed upper limits may be set by Google at any time, at Google’s discretion.

Huh? Fixed upper limits on the number of transmissions??? So, are you going to monitor my bandwidth through your browser??? WTF does this mean?

Then I find it totally CA (Corporate America) that they put their Privacy Policy under another link as described here:

7. Privacy and your personal information

7.1 For information about Google’s data protection practices, please read Google’s privacy policy at http://www.google.com/privacy.html. This policy explains how Google treats your personal information, and protects your privacy, when you use the Services.

So, much like Microsoft, Google figures 99.8% of the users are not going to hunt down the privacy policies.

I went to take a look at the Google Privacy Policy and I find the same BS that Microsoft included about third-parties having access to your data. (Again, my emphasis added!)

Information sharing

Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:

* We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
* We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.
* We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

If Google becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will provide notice before personal information is transferred and becomes subject to a different privacy policy.

We may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term, for example, or how many users clicked on a particular advertisement. Such information does not identify you individually.

Please contact us at the address below for any additional questions about the management or use of personal data.

Information security

We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data.

We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
(Source: http://www.google.com/privacypolicy.html)

So again I ask Google as I’ve posted the same question to Microsoft - HOW WILL YOU KNOW? How will you know if your third parties violate your confidentiality?? How will I know they got my information from you?

And look at the same BIG BROTHER LEGAL DISCLAIMER! Again, you cannot give to the government even under court order what you DO NOT have!

For as much as Microsoft and Google supposedly hate each other, it almost sounds like they have the same law firm working for them: Dewy, Cheatem, and Howe.

And let’s not forget the fact that at the beginning of their Privacy Policy they state the usual disclaimers with links to other pages for more privacy policies! (I’ve left out the links but you can go to their privacy policy and check them out if you are so inclined.)

At Google we recognize that privacy is important. This Privacy Policy applies to all of the products, services and websites offered by Google Inc. or its subsidiaries or affiliated companies except DoubleClick (DoubleClick Privacy Policy) and Postini (Postini Privacy Policy); collectively, Google’s “services”. In addition, where more detailed information is needed to explain our privacy practices, we post supplementary privacy notices to describe how particular services process personal information. These notices can be found in the Google Privacy Center.

And if you click the privacy policy link from within the Google Chrome page for the download and acceptance of the EULA or Terms of Service you receive this statement:

[Image: Transparent Privacy?]

What is also fascinating is that as “transparent” as Google claims to be, you can look at the Chrome EULA page yourself and see if it references any other Privacy Policy. Because right now, I’m sitting on an exact duplicate of theirs (copied and pasted in a text document) and I don’t see any reference other than the part in section 7.

And guess what I found? YET ANOTHER Privacy Policy for Chrome!
http://www.google.com/chrome/intl/en/privacy.html

Now where have we seen this kind of statement before?

In addition, some Google Chrome features send limited additional information to Google:

* When you type URLs or queries in the address bar, the letters you type are sent to Google so the Suggest feature can automatically recommend terms or URLs you may be looking for. If you choose to share usage statistics with Google and you accept a suggested query or URL, Google Chrome will send that information to Google as well. You can disable this feature as explained here.
* If you navigate to a URL that does not exist, Google Chrome may send the URL to Google so we can help you find the URL you were looking for. You can disable this feature as explained here.
* Google Chrome’s SafeBrowsing feature periodically contacts Google’s servers to download the most recent list of known phishing and malware sites. In addition, when you visit a site that we think could be a phishing or malware site, your browser will send Google a hashed, partial copy of the site’s URL so that we can send more information about the risky URL. Google cannot determine the real URL you are visiting from this information. More information about how this works is here.
* Your copy of Google Chrome includes one or more unique application numbers. These numbers and information about your installation of the browser (e.g., version number, language) will be sent to Google when you first install and use it and when Google Chrome automatically checks for updates. If you choose to send usage statistics and crash reports to Google, the browser will send us this information along with a unique application number as well. Crash reports can contain information from files, applications and services that were running at the time of a malfunction. We use crash reports to diagnose and try to fix any problems with the browser.
* You may choose Google as your search engine using Google Chrome, and you may also use Google Chrome to access other Google services such as Gmail. The Privacy Policies of Gmail or other services apply when you access them, no matter which browser you use. Using Google Chrome to connect to Google services will not cause Google to receive any special or additional personally identifying information about you.

Google Suggest feature = Microsoft Suggest a site feature. And if you click the here link (that I didn’t include) about turning off the feature, it doesn’t tell you if it stops sending information back to Google or not! Not so transparent after all! (And if you want to read something really scary, read the EULA and privacy policies for Google search and Gmail along with some of the other apps!)

Okay, granted we know Google makes its money in the search and online advertising business. And unlike Microsoft, who takes your money and then covertly spies on you, Google tells you they are spying but they give you the stuff free!

On the other hand, we have Firefox 3. The most secure browser produced to date by Mozilla and Open Source with no spying and free. Hmmmmmm, which one do you suppose I’m leaning toward?

And while I’m on the subject of Firefox 3, can I request an extension? There is one thing that Google has that I’d like to see in a modified version. Their Most Visited websites page.

[Image: Most Visited Web Pages]

See the cool 9 boxes that previews the pages you visit most frequently? Well, I would like a Firefox extension that would allow me to make a home page with customized little previews like Google Chrome. 9 boxes just like that, but I put in the websites I want to display as my home page. Any takers?

It looks to me that this is just Google’s version of YET another Big Brother Browser!

Tomorrow, Google Chrome Security! Hint: NOT!



written by Admin

Sep 02

After my sad disappointment about IE 8, I tempered my excitement this morning when I heard that Google was releasing Chrome - their new browser offering.  I’m assuming it’s their answer to the Microsoft Big Brother Browser - IE 8.

I guess I’m jaded. We all know Google makes a ton of money on its search engine advertisers. So, I just kind of assumed that there would be the same kind of issues with Chrome as there was with IE 8. More spying, more lining their pockets, yada, yada.

Well, I’m a bit more hopeful, although still a bit skeptical because I have not used it fully yet. But so far, it’s looking good! Okay, no. It’s looking GREAT!

Before I downloaded it, I took a look at their comic book describing how it was made. I don’t want to ruin that experience for you so I will not comment on it in this post. I’ll probably give you a day to read the full thing first.

So, if you haven’t heard about this or read their comic book, do so before you download the program. You will miss a significant amount of information if you pass that book up! (But I will be discussing much of it in Part 2.)

It took me a while to find the actual download, but I did. There it was on the page in all its Google glory!

[Image: Download Google Chrome]

Doesn’t it just look like a shining beacon of hope?

So, I click to download and I’m taken to this page:

[Image: Download Page]

Oh, I get it! Here’s the gotcha! They want me to report my crashes so they can spy on me! I click the privacy link and expected to see the litany of legal jargon I received from Microsoft and here’s what I see:

[Image: Privacy Policy for Crash Data]

What a refreshing sight after the nightmare from Microsoft! I guess I should also tell you that unlike Microsoft’s proprietary IE 8, Google’s comic book lets you in on the secret that this is all Open Source! I felt I should tell you that before we go further because Open Source licenses are much different than Microsoft’s licenses and legal mumbo-jumbo.

Okay, now for the install.

Do you remember the setup process I had to go through to install IE 8?

Check out the setup screens from Google Chrome below:

[Image: Simple Setup Screen]

[Image: Pick Browser and Shortcuts]

[Image: Sadly...?]

Now I have to pause here for a second. Isn’t this screen a refreshing difference from Microsoft’s esoteric and obscure error messages? How cute is this??

[Image: Set-up Done!]

Oh! And guess what they have too? Incognito mode! And guess what? They don’t need to send back information on your browsing habits to do it!  Imagine that!

[Image: Incognito Mode]

If you just can’t wait, you can install Google Chrome here:
http://tools.google.com/chrome/

But remember, I haven’t investigated it thoroughly yet. So keep a healthy dose of skepticism - although I know it’s hard for me to do that right now! This is really a fun browser!

Hey Google! I need a Tor proxy plugin! (GRIN)



written by Admin

© 2007-2008 MICE Training & Technology™.
