This is why I AdBlock+ and You Should Too

Saturday, December 11, 2010
I occasionally get into arguments about the questionable ethics of blocking advertisements on web sites. Usually it's compared to piracy, and that's where the argument falls apart. The end result in both cases is getting something for free while the publisher gets nothing, but the similarity ends there.

One of the key differences is that (short of a few nasty DRM techniques some publishers insist on using), it's usually the pirates who have to worry about malware. Failing to block ads works the other way around.

By failing to block advertisements, you're allowing a trusted third party (who is usually subcontracting to a fourth party) to serve you ... software. Software that you hope doesn't result in your computer becoming a zombie. That's trust that should only be given to the most savvy of third-party advertising networks, and the most savvy of publishers.

For a long time, if you didn't visit pr0n or warez sites, avoided P2P piracy and Usenet alt.binaries, and kept your AV up to date, you were unlikely to run into trouble.

That hasn't been the case for the last few years. Today's story of trusted third parties delivering malware comes from Google.

Fix: MS10-049 and SSL problems connecting to https:// sites or Google Talk

Friday, August 20, 2010
It's been a long time since I've run into a Microsoft patch that broke something badly enough to warrant a quick write-up, and the impact of this one seems to be quite limited (Google searches as of today yielded only one useful link).

Problem

When connecting to Google Talk, or to some other SSL-based sites, using Internet Explorer or any other client that uses the operating system's SChannel library, the connection fails.

Other things you might see

TLS 1.0 is turned off in the browser.
Wireshark shows a TCP reset (RST) arriving very shortly after the TLS Client Hello.

The Fix

Use SCSV for TLS (the Signaling Cipher Suite Value from RFC 5746, which SChannel then sends in place of the renegotiation_info extension):
For non-Windows 7 hosts, apply this fix (Reference):
Fire up RegEdit and navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create a new DWORD value called "UseScsvForTls" and set it to 1.

I'm not sure whether this was unique to our environment, but we discovered that TLS 1.0 had also been disabled, and the registry change above doesn't cover that. To re-enable TLS 1.0 in IE, select Tools | Internet Options | Advanced tab, scroll to the bottom and check the "Use TLS 1.0" box.

But why?

In at least some cases, a proxy server inspecting HTTPS traffic was interfering with the connection. If the proxy was bypassed, all was well with the world on Windows 7 and older hosts. If the proxy was not bypassed, older hosts failed without the registry key above, and Windows 7 hosts failed regardless, since the Windows 7 version of the patch pays no attention to that registry key.
It's obviously something between the patch and the proxy server in my case, but I'm not sure what. I'll update this when I find out.
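To see what the registry key actually changes on the wire, here is an added example (my code, not from the original post or from Microsoft) that builds a minimal TLS 1.0 ClientHello both ways and parses one back, reporting which RFC 5746 secure-renegotiation signal it carries: the renegotiation_info extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00ff). The client random, session id and cipher suite list are constructed placeholders, and the parser handles TLS-format hellos only, not SSLv2-compatible ones.

```python
"""Build and inspect TLS ClientHello records to see the two ways a client
can advertise RFC 5746 secure renegotiation: the renegotiation_info
extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher
suite value (0x00ff).  Added example; not code from the original post."""
import struct

TLS10 = (3, 1)                       # protocol version bytes for TLS 1.0
SCSV = 0x00FF                        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
EXT_RENEGOTIATION_INFO = 0xFF01      # renegotiation_info extension type
# Two ordinary suites for the constructed hellos (TLS_RSA_WITH_AES_{128,256}_CBC_SHA).
SUITES = [0x002F, 0x0035]


def build_client_hello(cipher_suites, extensions=(), version=TLS10):
    """Return a TLS record (bytes) carrying a minimal ClientHello.
    client_random is all zeros and session_id is empty: constructed data,
    fine for inspection but obviously not for a real handshake."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"              # compression_methods: null only
    if extensions:
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk a handshake record and return the ClientHello fields we care about.
    Handles TLS-format hellos only, not SSLv2-compatible ones."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                     # skip client_version and client_random
    pos += 1 + body[pos]             # skip session_id
    cs_len, = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    suites = [s for s, in struct.iter_unpack(">H", body[pos:pos + cs_len])]
    pos += cs_len
    pos += 1 + body[pos]             # skip compression_methods
    extensions = {}
    if pos < len(body):              # extensions block is optional (RFC 5246 7.4.1.2)
        ext_len, = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, length = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            extensions[ext_type] = body[pos:pos + length]; pos += length
    return {"version": version, "cipher_suites": suites, "extensions": extensions}


def renegotiation_signal(record):
    """Classify how (or whether) a ClientHello advertises secure renegotiation."""
    hello = parse_client_hello(record)
    has_ext = EXT_RENEGOTIATION_INFO in hello["extensions"]
    has_scsv = SCSV in hello["cipher_suites"]
    return {(True, True): "both", (True, False): "extension",
            (False, True): "scsv", (False, False): "none"}[(has_ext, has_scsv)]


if __name__ == "__main__":
    # Hello advertising renegotiation_info via the extension (empty data, initial handshake).
    with_ext = build_client_hello(SUITES, [(EXT_RENEGOTIATION_INFO, b"\x00")])
    # Hello advertising it via SCSV instead: no extension block, 0x00ff in the suite list
    # (the form the UseScsvForTls key selects).
    with_scsv = build_client_hello(SUITES + [SCSV])
    for label, rec in (("extension", with_ext), ("scsv", with_scsv)):
        print(label, len(rec), "bytes ->", renegotiation_signal(rec))
```

To check a real capture, select the Client Hello record in Wireshark, copy the bytes as a hex stream and feed `bytes.fromhex(...)` to `parse_client_hello`; if the hello that gets reset carries the 0xff01 extension and the one that succeeds does not, you have your answer. That is the point of the SCSV form: to an intermediary that parses cipher suites but does not understand extensions, it looks like an ordinary pre-RFC 5746 hello.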

Other Posts on the Subject

Google Talk Support Forum Entry (No, I wasn't the original poster, but I replied)
Specific Incompatibility with Cisco VPN 3000 concentrators

The importance of taking intent into account

Tuesday, April 20, 2010
This story regarding the usage of GPS, speed cameras and license plate identification brought back a memory of an argument I had with a law professor several years ago.

The issue was (surprise) one of intent. I was surprised to learn that in Michigan (at the time ... this may have changed), shoplifting had to be intentional (or at least there was an out for the absentminded). This protected the guy who forgot about the case of soda at the bottom of the cart while loading items onto the belt at checkout.

I argued that intent was important based on a pre-WWW experience I had as a teenager. I had walked into a CVS, my girlfriend had purchased a few items, and I had started reading the ingredient list on a pack of Certs (just what is Retsyn?). Distracted, I walked out without paying for the breath mints and we went to see a movie. I realized after the movie that I had not paid for the roll of Certs that I had half-eaten. Since I was now a common thief and wanted to rid myself of that personal blight, I went back to the drugstore and paid up. All was well with the world. I got to keep up my streak of never shoplifting or stealing (to my knowledge), and the store got paid for the item I had absentmindedly forgotten to pay for.

This led into traffic law. Practically everyone thinks they're a good driver, and yet everyone has had cause to be yelled at by another driver for something done entirely by accident. It's the single biggest reason it's a bad idea to have something representing your church or political beliefs on your car: why inflict your mistakes on others?

I have no statistics to back it up, but I'm guessing that most of us have received a warning or citation for exceeding a speed limit, turning on red where there's a "no turn on red" sign, being the third car through a yellow light turning left, or some other traffic violation. Intent is not taken into account, because you're *supposed to be paying attention* so as not to endanger the lives of other people.

Traffic and road laws where I'm from are strict and extensive. Enforcement, however, is limited by the ratio of traffic patrol officers to ... well ... traffic. This is balanced by the fact that traffic enforcement officers take intent into account, if for no other reason than to be efficient with their own time.

On the right roads, there's no time to waste on the folks going 1-5 MPH over the limit, or the folks who cut a yellow light a little too close.

Take the human judgment out of the picture, though, and those restrictive laws turn us all into "criminals by accident". Automation without human oversight and "zero tolerance" laws eliminate good judgment (see fark.com or drudgereport.com for examples).

The child who brings a butter knife to school to better manage his turkey sandwich is treated like the kid who brought a gun. The responsible driver who checks his rear-view mirror and assesses the road conditions before deciding whether to slam on the brakes at a yellow light is trained to choose between his life, at the mercy of the cement truck behind him, and a ticket plus higher insurance rates. A red light camera doesn't take that into account, even if a judge might. Time and court costs are money.

As someone with a 60 mile round-trip commute, speed cameras are the worst. While trying to drive safely you may focus less on the dashboard and more on the vehicles around you, especially if you're surrounded by people who appear to be in more of a hurry than they should be. The idea of being hit with a ticket without the circumstances or "intent" being taken into account is scary to me.

But maybe I'm wrong?

Buy.com and Amazon.com, are they family now?

Friday, March 12, 2010

Why do I save $53.10 buying from buy.com via amazon.com, rather than just buying directly from buy.com?


In my ever "deadline missed" project of getting my basement and home theater setup finished, as well as freeing up a rec room upstairs, I was looking for a wall-mountable server/network equipment rack.
Through my favorite resource, I was able to find a 12U model that fit my needs precisely.

I have a pretty large gift card balance at buy.com (I am an affiliate as well, so take that how you want), so I checked to see whether they offered the rack. They did.

Racks of the type I'm looking for are heavy, so the shipping was $53.10. I expected that.

Coincidentally, I also have a gift card balance at Amazon.com so I decided to check them out, knowing that they usually offer free shipping over a certain price.

Here's the result:

Buy.com sells via Amazon and I get free shipping! (The part number in the title omits the "WALL", but it's there if you scroll down)


Buy.com's own web site costs me $53.10 more, and I can even use Amazon Checkout!

Here's the e-mail I sent to Buy.com via their customer service interface (I didn't bother calling, this basement project is not getting completed any time soon):

Please refer to these two links:
http://www.buy.com/prod/startech-com-12u-19-wall-mounted-server-rack-cabinet-19-12u/q/loc/101/203033503.html

and

http://www.amazon.com/Looking-Protect-Networking-Equipment-RK1219/dp/B000IE7ZE2

Identical product, and ironically, YOU are the ones selling it through Amazon. However, if I purchase it indirectly from you via Amazon, I don't have to pay $53 shipping. As I have a larger gift card balance with you, I'd prefer to buy it directly from you instead of indirectly from you via Amazon. Can you credit me the shipping or match your offer on their site?


I've gotten the auto-reply, and another one a day later indicating that they had to look into the issue and that it will take another 1-2 business days.

Based on my gift card balances, it would be less expensive to buy it from buy.com, but it would make far less sense financially. Buy.com sells everything and a lot of what they sell is reasonably priced -- I know I'll use that balance in the future.

I can only guess that this is an algorithmic failure. The listings on Amazon are likely posted automatically by buy.com (it's possible they're farmed out and done manually with so little oversight that something like this could slip through, or maybe something in between, but my bet is on automated listing). Decisions made by algorithms sometimes have funny outcomes.

/wonders how many people have to see this post before I no longer have an affiliate account with buy.com
//which I haven't made a penny on.

Update 3/16/2010 6:30 AM:
Response from Buy.com via Facebook (...and a fix)
Looks like they are both in sync now. I see free shipping on both Buy.com and Amazon.

Our site is real-time; our Amazon updates have a little delay. If we run out of a product from a distributor, we source it to another when available. Sometimes pricing and shipping changes. In this case, our primary distributor received more stock faster than the system could update.

MD: Sort of as I suspected. A supply chain automation failure, and a pretty common problem, I suspect.