This week, discussions of Java and its latest security flaw have dominated information security circles. It’s not often that the U.S. Department of Homeland Security tells users point blank to temporarily disable Java in their web browsers. As one would expect, every blogger seems to have an opinion, and they range from “the sky is falling” to “DHS is over-reacting.” Standing out from the crowd, Brian Krebs deserves kudos for his solid, well-researched article on the issue.
So what’s my take on it?
First of all, there are three reasons that DHS may have made such a strong recommendation:
- Their intelligence may indicate that the vulnerability is (or has the potential to be) exploited so frequently that it is a legitimate national security concern;
- They may be over-reacting; or,
- They may be frustrated with Oracle and applying pressure to fix Java.
While I don’t know what intelligence they have, I’d bet on a combination of the first and third.
For exploitation to occur, a user has to visit a web site hosting the malware. Those at highest risk are people who visit marginal web sites looking for porn, music, movies, and other material to download. However, malware may also be planted on legitimate but compromised web sites, and users may be directed to malware-laden sites through phishing-style emails. To some degree, we are all at risk.
So the question users face: To Java or not to Java?
At the risk of stating the obvious, if you don’t really need Java uninstall it completely from your computer. Java has a poor security record. There is simply no point to having it installed if you don’t need it. If you’re unsure whether you need Java on your personal computer, uninstall it anyway. It’s easy to re-install the latest version if it turns out you really need it.
If you have a genuine need for Java applications installed on your PC, disable the Java plug-in in your browser. Instructions to disable it in all browsers, or selectively, are here.
If you must use a web site that requires Java, the two-browser approach is likely your best bet: one browser with the Java plug-in disabled for routine use, and a second browser used only for the site that needs Java. Note that there is no way to selectively disable Java in Microsoft Internet Explorer (one of many reasons that IE should not be your routine-use web browser), so your best bet is to install Google Chrome and disable the Java plug-in there. (For a shortcut, type “chrome://plugins/” into the URL box.)
On the topic of Chrome, if you prefer a more secure browser environment in general, try turning on Chrome’s “click to play” option for plug-ins. Instead of plug-ins running automatically, you’ll have to click on them to load. Some users might find it annoying, but it will stop web sites from automatically launching plug-ins, including Java. You can find the option at “chrome://chrome/settings/content”.
*** UPDATED 2013-01-14 ***
Oracle has released an out-of-cycle update to Java to address this issue. Windows users who want the patch ASAP should go to Control Panel -> Java, select the Update tab, and click on “Update Now”.
In most Canadian cities, home owners require permits to put up fences and some types of sun decks. For example, here in Ottawa, if I want to build a deck behind my house that is more than 24 inches high, I need a permit and the deck must be inspected at three different points during construction.
We subject homeowners to these stringent requirements, even though if their deck collapses few people are likely to be affected. Yet we apparently allow those hosting thousands at concerts to build unsafe structures.
Isn’t it about time we start taking this seriously?
This presentation (via YouTube) is worth watching!
(Or follow this link)
The web is buzzing with contempt over a statement by Motion Picture Association of America (MPAA) Chairman and CEO Chris Dodd to Fox last Thursday:
“Those who count on quote ‘Hollywood’ for support need to understand that this industry is watching very carefully who’s going to stand up for them when their job is at stake. Don’t ask me to write a check for you when you think your job is at risk and then don’t pay any attention to me when my job is at stake.”
As pointed out on the MPAA web site, Dodd is also a former US Senator from Connecticut. Surely he understood the implications of publicly confirming what we have always expected — that Hollywood spends a lot of money on politicians and expects a return on its investments. Rather than condemn him, perhaps we should be thanking him for putting this out in the open.
The movie industry, like many others, is facing a harsh new reality — one that, for the most part, they appear to be in denial about. Pushing for draconian, ill-informed legislation such as the Stop Online Piracy Act (SOPA) and the Protect IP Act isn’t the solution. Perhaps it’s time that Hollywood stop trying to purchase politicians and apply some creativity to their business model instead.
CNET ran an interesting article yesterday on how a PayPal dispute ended in the destruction of a violin. In summary, the allegation is that the purchaser disputed the authenticity of his $2,500 purchase, PayPal agreed, and PayPal instructed the purchaser to destroy the violin in order to obtain a refund.
People are asking a lot of questions about this one, and while I haven’t heard directly from the seller, her letter is posted on Regretsy. (The buyer’s identity has not been disclosed.) The dispute appears to focus on the violin’s label. I’m certainly not qualified to discuss violin labels and the associated traditions, but these folks are and have something interesting to say.
I was a bit surprised to hear that PayPal had the instrument destroyed rather than returned to the vendor, but I found this in PayPal’s user agreement:
If a buyer files a Significantly Not as Described (SNAD) Claim for an item they purchased from you, you will generally be required to accept the item back and refund the buyer the full purchase price plus original shipping costs. You will not receive a refund on your PayPal fees. Further, if you lose a SNAD Claim because we, in our sole discretion, reasonably believe the item you sold is counterfeit, you will be required to provide a full refund to the buyer and you will not receive the item back (it will be destroyed). PayPal Seller protection will not cover your liability.
Merchants take heed — “in our sole discretion” gives PayPal a lot of power.
In response to my query, a PayPal spokesperson replied via email,
A lot of small businesses rely upon PayPal, and this type of incident causes concern among merchants. For example, one commenter on Regretsy pointed out,
This scheme of PayPal’s makes a great way to perpetuate fraud. Want to swap the fake Vuitton bag you bought on Canal Street for a real one? Just buy that real one on eBay, pay through PayPal and report the ‘fake’!
Credit card transactions in general place the burden of proof on the merchant. For example, if I ordered goods and subsequently advised the credit card issuer that the product didn’t arrive, the merchant would face a chargeback unless they were able to provide strong evidence to the contrary. PayPal adds an additional layer. If a buyer who has purchased through PayPal using a credit card is not satisfied and disputes the charge through their credit card issuer, the burden of proof falls to PayPal.
My point is not to excuse PayPal of its responsibilities. They’re in the payment game and need to treat all parties fairly as well as manage their own risk. However, it’s also not fair to assume that these types of disputes, or the potential for merchant losses, are specific to PayPal. It’s also not realistic for sellers to assume that PayPal will protect them from all potential fraud scenarios.
I’m happy to see PayPal take a strong stand against counterfeit goods, but I just wonder if destroying a violin — even if the label was wrong — was the right answer in this case. I suspect executives at PayPal are asking that same question.