Comodo up to more tricks

People occasionally ask me who they should buy security certificates from. I absolutely will not recommend anyone in particular – even the most honest and honorable Certificate Authorities are inherently swindlers, because the trade itself is pretty much a legalized extortion scheme – but I am willing to say who I don’t recommend – Comodo is the worst CA, hands down. Witness their latest hijinks:

When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.
[Link to Chromodo download elided]
Chromodo is described as “highest levels of speed, security and privacy”, but actually disables all web security. Let me repeat that, they ***disable the same origin policy***…. ?!?..

This certainly isn’t the first time Comodo’s been caught doing things they shouldn’t, but somehow they still control around a third of the world’s certificate issuance. People need to stop giving business to known bad actors, even when it’s unclear whether the actions stem from malice or incompetence.

ISP hacked, blog savaged

Our ISP, iPower.com, was hacked and an amateurish attempt was made to plant various forms of malware on this site. Fortunately for my non-existent readers, the hackers weren’t particularly competent. Unfortunately for me, the same might be said of my ISP…

User registrations are disabled, for the nonce, which again will be a trial for my non-existent audience.

Internet soft spots

Want to build a ginormous botnet without doing a lot of work? Compromise one of the Internet’s soft spots.

If you take over bOINGbOING.net, you can use the site to inject malware in 1.3 million visitors. Chump change! How about TheChive.com, or Kottke.org, or whatever? Face it, you’re not going to get more than 15 million suckers. It’s just too much effort for a lazy man; you’d still be doing a lot of hard work to recruit a paltry few million zombies.

So, you take over jquery.com, or typekit.com. Now you’re cooking with gas! It’s become common practice for websites to use remotely sourced scripts – so there are thousands of sites that will blindly push out whatever is in the file jquery.js at jquery.com, and all that site’s visitors will run it just as blindly. So if you take over a popular script or advertisement source, you can leverage that into billions of individual attacks, quite easily.

And that’s my Halloween horror story for this year.

Automotive Grade Linux might save your life

A standard Linux-based software platform for the connected car would be huge, and at this point could even be a life-saving development.

Automotive Grade Linux is a collaborative open source project developing a common, Linux-based software stack for the connected car. The community’s first open source software release is now available for download, bringing the industry one step closer to realizing the benefits of open automotive innovation.

Read the press release or visit the AGL Wiki to learn more and download the code.

Recent Windows-based dashboards (for example the Nissan Leaf) are an abomination only slightly less dangerous than even-more-hideous automaker proprietary dashboards (for example the Toyota Prius Plug-in). With all the data that exists about the dangers of distracted driving, and state legislatures passing draconian laws against texting behind the wheel, why is it legal for auto vendors to create these potentially lethal user interfaces? How can a pure touch-screen interface, that must be visually examined to be used, possibly be less dangerous than texting while driving? I can drop or ignore a smartphone, or just turn the bloody thing off, but I am forced to interact with my dashboard!

A step in the right direction is to open up the dashboard software ecosystem, so sane designs have an opportunity to compete for driver approval. After all, you can’t expect the same people who designed backwards fake stickshifts (as commonly found in Nissans and Toyotas) to create a good user interface; these people have already demonstrated that they aren’t capable of understanding the task, much less reaching the goal. But a robust community of Open Source hackers would allow the computerized automotive dashboard to progress in the same way that automobile clubs, hot rod enthusiasts, and similar communities have driven innovation historically in the rest of the car industry – by finding more alternatives, and demonstrating them in action.

For every good design there will probably need to be a lot of bad ones. Let’s stop limiting ourselves to the bad (are you listening, Ford?) and start working on a dashboard that’s less likely to kill people.

I hope you’re not reading this with Internet Explorer

If you ever built a website that is only useable with a specific browser you should be ashamed of yourself. Get a job where quality doesn’t matter, OK? Be a banker or something.

The Internets are awash with reports that the US and UK governments are recommending nobody use Microsoft’s Internet Explorer web browser until CVE-2014-1776 is fixed.

And that’s great advice! Use Firefox or Chrome. They are free and work at least as well as Microsoft’s products do.

But various idiots have built systems that only work with IE… unsurprisingly, many of these idiots work for the government, and many of the systems that require IE were built with your tax dollars. A little more surprisingly, many of the hospitals I work with have purchased systems that require IE, although given the increasing reliance of modern medicine on high technology you’d hope that hospitals would know better than to buy any system that isn’t OS- and browser-agnostic. You’d hope in vain, unfortunately.

Oldest PC virus?

The first time I had to wipe out a nest of pesky MBR virii it was the Stoned virus; the next one I encountered was Pakistani Brain, which Mikko Hypponen is claiming is actually the oldest virus, and then Jerusalem B (which was nightmarish compared to the first two).

Since we don’t know when Stoned was written, it seems a bit presumptive to assume that Brain came first. They were both encountered in the wild in the same year.

Sophos says knoppix.net is hacked?

I’m used to getting my knoppices from knopper.de, so it’s not a big deal to me, but…

“High Risk Website Blocked
Location: knoppix.net
Access has been blocked as the threat Mal/HTMLGen-A has been found on this website.”

and

Mal/HTMLGen-A
Category: Viruses and Spyware
Protection available since: 16 Sep 2009 07:27:38 (GMT)
Type: Trojan
Prevalence: Small Number of Reports
Characteristics: Downloads code from the internet
How it spreads: Browsing
Affected Operating Systems: Windows Mac OS Linux

Sophos has been known to have a few false positives (cough, cough)…

flame off!

All the usual sources are reporting that flame has erased itself. Symantec’s blog has a writeup.

I’m assuming either somebody figured out how to sign a module (remember how Iran said they had the problem under control?) or the original authors are ready to deploy something new.