Security | Steve Woods

Introducing Ubuntu Pro beta

11/10/2022 Steve WoodsLinux, Open Source, Security, Tech

Canonical is currently offering a public beta version of Ubuntu Pro, giving Ubuntu Linux users extended maintenance and security compliance for software packages ranging from the Node.js runtime to Python 2 and Rust. Security cover will be extended for average and high common vulnerabilities and exposures (CVE) for thousands of applications and toolchains including Ansible, Apache Tomcat, Apache Zookeeper, Docker, Drupal, Node.js, Puppet, Python 2, Rust and others.

A free thirty days trial is available for businesses. Ubuntu Pro is available for data centres and workstations. A free level is being offered for small-scale personal use (up to 5 machines).

Since the launch of Ubuntu LTS with 5 years support for the main operating system, businesses have asked the supplier to cover a larger area of the open source landscape under private commercial agreements. These benefits are now offered free of charge to anyone with a free personal subscription to Ubuntu Pro. This may also be combined with 24/7 enterprise level for the Ubuntu operating system.

Ubuntu Pro is available for all Long Term Support (LTS) versions of Ubuntu from version 16.04 LTS upwards. The standard Ubuntu Pro subscription covers security updates for all Ubuntu packages. In addition, Canonical’s Ubuntu Advantage for Infrastructure subscription has been renamed Ubuntu Pro (Infra-only) with no change in its price or range. The Infra-Only subscription covers the base operating system and the private cloud components required for large-scale and bare metal and excludes wider cover for applications. Subscribing to Ubuntu Pro costs US $25 dollars per year excl. tax for one workstation or US $500 dollars per year for a server. On public clouds Ubuntu Pro costs some 3.5% of the average cost of the underlying processing environment.
Family matters

10/10/2022 Steve WoodsBristol, Language, Politics, Privacy, Security

There are some writers whose importance does not diminish with their demise. Take, for example, the ancient Athenian playwright Aristophanes; his plays are still being staged nearly two and half millennia after his death; then there’s that genius in understanding human emotions and the human condition, William Shakespeare.

To these giants of literature, your ‘umble scribe would add the name of George Orwell. Even though he died in 1950, his works still seem startlingly relevant to life in the 21st century and its politics in particular. The major annual prize for political writing in the English Empire (which some still call the United Kingdom. Ed.) is named after him.

Nineteen Eighty-Four (in words, not numerals. Ed.), which was written in 1948 and published in 1949, was intended as a warning against authoritarianism and oppression. However, successive twenty-first century governments seem to have used it as a manual for the implementation of mass surveillance of the population and the removal of their right to privacy, particularly as regards the use of information technology (via e.g. the Regulation of Investigatory Powers Act 2000); and all in the name of so-called security.

What has been exercising your correspondent this morning is a particular passage from The Lion and the Unicorn: Socialism and the English Genius. This was an essay written in 1941 during World War 2 relating to the state of the English, as opposed to the British. In particular, it highlights the outdated English class system as a major impediment in the mid-20th century, as exemplified below.

England is not the jewelled isle of Shakespeare’s much-quoted message, nor is it the inferno depicted by Dr Goebbels. More than either it resembles a family, a rather stuffy Victorian family, with not many black sheep in it but with all its cupboards bursting with skeletons. It has rich relations who have to be kow-towed to and poor relations who are horribly sat upon, and there is a deep conspiracy of silence about the source of the family income. It is a family in which the young are generally thwarted and most of the power is in the hands of irresponsible uncles and bedridden aunts. Still, it is a family. It has its private language and its common memories, and at the approach of an enemy it closes its ranks. A family with the wrong members in control – that, perhaps, is as near as one can come to describing England in a phrase.

Looking at the cupboards bursting with skeletons, one only has to look at the colonial oppressors and crooks that our Victorian forebears sought to elevate to figures of admiration, such as Robert ‘Lord Vulture’ Clive, who used his position in the East India Comp;any for personal enrichment and the likes of Waterloo hero Thomas Picton, formerly a sadistic and cruel governor of Trinidad. Both Clive and Picton have featured in the recent statue wars where the right wing, including government ministers, sought to deny the brutality of empire and its legacy. Sorry, but introducing the system of common law and the game of cricket are not adequate compensation for centuries of plunder, expropriation, conquest, repression and genocide.

Looking at the deep conspiracy of silence about the source of the family income, there has yet to be any official acknowledgement that the family income from the late 16th century onwards was based upon piracy and then increasingly upon slavery, for which some former British Caribbean colonies are clamouring increasingly for reparations.

Finally, let’s come to that family with the wrong members in control. They don’t come more wrong than the current occupant of Number 10 Downing Street, one Elizabeth Mary Truss.

Truss is clearly an admirer – and blatant imitator – of her Tory predecessor Margaret Thatcher, who did so much to destroy the British economy and society in the 1980s. However, what really grates with many people is the manner in which Truss was elevated to the premiership, i.e. elected to the leadership of her party by its 160,000 strong membership which is mainly elderly, white, male and racist (occasionally referred to as a ‘selectorate‘. Ed.), and thus hardly representative of the country.

If England truly is akin to a family, it is one that is deeply dysfunctional.
DuckDuckGo blocks Microsoft trackers

10/08/2022 Steve WoodsPrivacy, Security, Tech

French IT news site Le Monde Informatique reports that DuckDuckGo has decided to block Microsoft’s trackers in its mobile browser applications and browser plug-ins in an effort to extend its approach to privacy protection. It had already been criticised at the start of the year on the matter.

Protecting internet users from tracking and protecting their anonymity is not simple. DuckDuckGo is part of this move and was very upset to find out that as part of its agreement with the Bing search engine, Microsoft had given the green light for user tracking. This is no longer the case since from that date onwards DuckDuckGo’s CEO, Gabriel Weinberg, has stated that blocking the loading of scripts on websites by the browser was extended to Microsoft’s scripts in DuckDuckGo browser applications for iOS and Android and browser extensions (Chrome, Firefox, Safari, Edge and Opera) and that beta applications will follow next month.

DuckDuckGo is attempting to block tracking scripts from search engines and sites such as Facebook, as well as other types of tracking scripts or software. It uses what it calls third-party tracking loading protection to prevent these third-party scripts or cookies from being loaded into the browser. If they did, they could track movements on the web and build a profile of the user, their preferences, etc. If other browsers and browser plug-ins also enable users to protect their privacy, DuckDuckGo has made privacy its priority.

Delayed neutralising

Mr Weinburg’s decision was taken after the discovery at the start of the year by security researcher Zach Edwards that DuckDuckGo was blocking trackers from Google and Facebook, but was allowing some of Microsoft’s trackers via Linkedin and Bing. The discovery was then reported by BleepingComputer. “Previously, we were limited in how we could apply our third-party tracker download protection to Microsoft tracking scripts due to policy requirements related to our use of Bing as the source of our private search results,” Weinberg explained, adding that, “We’re glad that’s no longer the case. We didn’t have and don’t have similar restrictions with any other company.”

DuckDuckGo still has an advertising relationship with Microsoft, which it will maintain. Clicking through on advertisements on DuckDuckGo is anonymous and Microsoft has undertaken not to profile DuckDuckGo users. If Microsoft continues to save the user’s link, it will not associate them with a profile. On an updated support page, DuckDuckGo has provided a summary of everything which its its browser authorises and does not authorise, as well as providing details of web tracking protection.
Prying Google is not your friend

20/05/2022 Steve WoodsGDPR, Media, Privacy, Security, Tech
The Irish Council for Civil Liberties (ICCL) is pointing its finger at Google for spying on users, French IT news website Le Monde Informatique reports. A real-time bidding (RTB) system which is actively used by the company enables it to follow and share what everyone is looking at or doing online and note down this activity’s location. RTB is the technology underpinning all online advertising and it relies on sharing of personal information without user consent, according to the ICCL.

Google’s troubles are far from over. Widely singled out for its actions in terms of the use of personal data, the company is now in the spotlight for its tracking and advertising targeting activity. A report (PDF) published by the ICCL on 16 May accuses the search giant of an unprecedented data breach. The report sheds light on the RTB system, which works in the background on websites and in applications. “It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you,” the report states.

The ICCL report claims it presents the scale of this data breach for the first time.

This data breach takes place throughout the world. The RTB system “tracks and shares what users are viewing online with their location in real time 294 bn. times in the USA and 197 bn. times in Europe each day”, it states. On average a person in the USA has their online activity and location tracked 747 times a day by those using RTB. In Europe, RTB exposes personal data 376 times a day. In Germany alone, Google sends 19.6 million broadcasts about German Internet users’ online behaviour every minute that they are online. “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data”. It is a high-earning business generating more than $117 bn. in the USA and Europe in 2021.

Advertising is an indispensable condition of this system as the majority of advertising on websites and in applications is placed there using RTB. Advertisers spend $100 bn. annually in the USA and Europe. The RTB market’s estimated value was $91 bn. in the USA in 2021 and €23 bn. in Europe in 2019. It therefore highlights that Americans’ online activity and their locations is exposed 57% more frequently than that of users in Europe.

Google is one of the five largest users of this real-time bidding system. No fewer than 4,698 US companies are authorised by Google to receive RTB data on people, whilst in Europe the number drops to 1,058 companies. More specifically, the data collected by Google, like what people are looking at online or doing with an application and their ‘hyperlocal‘ geographical location is broadcast 42 bn. times per day in Europe and 31 bn. times daily in the USA.

The ICCL is working to end the RTB data breach in Europe and has litigation ongoing in three European courts, as follows:
- at the Landgericht in Hamburg against the tracking industry standards body IAB TechLab and against Microsoft’s online advertising exchange Xandr (https://www.iccl.ie/rtb-june-2021/);
- at the Irish High Court against the Data Protection Commission, for its failure to investigate the ICCL’s complaint about Google’s RTB data breach (https://www.iccl.ie/news/iccl-sues-dpc-over-failure-to-act-on-massive-google-data-breach/); and
- in the Brussels Market Court, the ICCL is a party against IAB Europe’s appeal of an order by the Belgian Data Protection Authority, and 27 other EU data protection authorities, against IAB Europe’s “TCF” consent spam system. (https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europes-consent-popups-are-unlawful/).
Research reveals websites collecting information without consent

13/05/2022 Steve WoodsGDPR, Privacy, Security, Tech

Today’s Journal du Geek reports that some unscrupulous websites do not clutter up their webpages with a Submit button when visitors are filling in a form.

If you have already filled in a web form before changing your mind, your data has doubtless been sucked up by an unscrupulous website. In a recent study carried out by researchers from 3 European universities, which will be presented at the Usenix Security conference in August, we learn that some platforms are capable of spying on every character typed on a keyboard.

By analysing 2.8 mn. webpages on the world’s 100,000 most visited websites, the research’s assessment is definitive: in the case of a web form filled completed in Europe, nearly 2,000 of them are capable of collecting the user’s email address before that user has clicked the Send button. One of the joint authors Güne Acar of Radboud University in Nijmegen states: “We were very surprised by the results. We thought we might find a few hundred sites where your email address is collected before you send it, but the result far exceeded our expectations”.

However, the situation in Europe remains better than that in the United States. Whereas the old continent recorded “only” 1844 cases of abusive data sucking, the same request, when sent from the United States triggered 60% more instances, for a total of 2,950 cases, a difference which can be explained in particular by the presence in Europe of the GDPR , which since 2018 has obliged platforms to obtain users’ consent before collecting data..

How do websites record one’s data without consent?

For all practical purposes the majority of sites collecting data before submission forwards email addresses (encrypted or unencrypted) to third party sites are generally specialist advertising campanies, which collected the data to serve up personalised advertising (aka corporate graffiti. Ed.). In some less frequent instances a key logger is used to enable the keystrokes made to be directly recorded.

In Europe, the matter is even more sensitive since a good number of major sites, including Facebook owners Meta and TikTok were amongst the sites tested.
No Microsoft account, no Windows 11

20/02/2022 Steve WoodsPrivacy, Security, Tech

French tech news site Frandroid reports that there has been a very unobtrusive but significant change to the installation procedure for Windows 11, but one with major implications for users’ privacy and security.

Since the launch of Windows 11, users of the home edition have been obliged to have a Microsoft account and an internet connection for the initial configuration of a machine if a fresh installation is involved. The company could soon extend this obligation to the operating system’s Professional edition.

Do I look like a Mac in this?
Image courtesy of Wikimedia Commons.

This week Microsoft has released build 22557 to members of the Windows Insider programme. This is a rather ambitious new version of Windows 11 packed with new “features“, including a change in policy regarding Windows 11 Pro.

As Microsoft wrote on its blog announcing the release:

Similar to Windows 11 Home edition, Windows 11 Pro edition now requires internet connectivity during the initial device setup (OOBE) only. If you choose to setup device for personal use, MSA will be required for setup as well. You can expect Microsoft Account to be required in subsequent WIP flights.

As you have read, Microsoft has stated in black and white that people will need to have an internet connection and a Microsoft account, even from Windows 11 Pro to enable a machine’s personal use (as distinct from business or educational use).

As a matter of fact, Microsoft is stating what the obligation will be included in all future versions of Windows 11 in the Insider programme. It can therefore be assumed that this new constraint only affects the initial configuration of machines with versions of Windows 11 from the Insider programme.

We will have to await the next major update of Windows 11 which incorporates the new features of build 22557 to check if having a Microsoft account has really become mandatory for the operating system’s Pro edition.

The use of an online account has long been required by Apple and Google on iOS and Android respectively, but less so for Windows, since historically there has not been any Microsoft account to connect, much to the chagrin of the software publisher. Users are therefore not accustomed to such a requirement, which Microsoft has been trying to promote since the launch of Windows 8
Google and Microsoft finance open source security campaign

04/02/2022 Steve WoodsLinux, Open Source, Security, Tech

A new initiative by the Open Source Security Foundation (OpenSSF) should improve the security of open source applications, German news site heise reports. The campaign, called the Alpha-Omega Project, is the result of negotiations at the White House between representatives of technology companies, US authorities and non-profit organisations. The initial funding of $5 mn. is being financed jointly by Google and Microsoft.

Image courtesy of opensource.com

OpenSSF is organising the project in two parts – Alpha and Omega. In the Alpha section expert groups are analysing the security situation of the most-used open source applications to find and remedy vulnerabilities. This should train software operators and users in security awareness. In the Omega section a team of software developers is working on automated tests for over 10,000 distributed open source project to propose possible security measures to their user communities.

Open source projects and libraries are widely used in software development. The Log4Shell vulnerability in the widely-distributed Log4j Java library recently showed how critical an attack can be. Even after a month and a half it still remains unclear whether companies have survived the worst. Users and companies should therefore investigate their own systems for vulnerable instances of the Log4j library and install current patches.

More details of the Alpha-Omega Project can be found in the official announcement.