On one of my computers, I have Windows Vista. I mostly use that computer for linux, but I do occasionally use Windows. For anti-virus, I have MSE (Microsoft Security Essentials).
At present, the computer is telling me that the virus tables are 6 days old.
Although I would prefer to use that computer with linux, on Wednesday, I left it running Windows for around 12 hours. It failed to update the AV definitions. On Thursday, I left it running Windows for 14 hours. Again, it failed to update the AV definitions. On Friday, I left it running Windows for 16 hours. And, again, it failed to update the AV definitions. Today (it is still Saturday local time), it has been running Windows for over 10 hours, and has failed to update the AV definitions.
On Wednesday, I also booted my laptop to Windows. I had not used the laptop for several days, so the AV definitions were three days old. It updated after around 3 hours. But the Vista system still has not updated.
This is the third consecutive month when I have had problems with updating MSE, at around the time of patch Tuesday. The previous two months, I attempted to manually update. On the manual update, it did a search for virus updates, then seemed to hang there forever not actually downloading. It did eventually update, after repeating this for two days. This month, I decided to allow it to update without manual intervention, with the results described above.
It seems pretty obvious that, recently, Microsoft has worsened the priority for updates to Windows 7 and to Vista. The priority worsening is greater for Vista than for Windows 7. It affects monthly patches as well as MSE virus table updates.
The message to malware producers is loud and clear. Malware producers should distribute their malware on patch Tuesday, and Microsoft will give them a free run for several days.
My goal here is to attempt to describe the technical details of the situation. I’ll discuss my personal position (I favor Apple) on my other blog, and add a link here.
Let me be clear at the outset. I do not have any inside information on this. What I know comes from public news reports. I have been attempting to understand the issues based on that. It is entirely possible that I have some of the details wrong.
This is about an iPhone, used by the San Bernardino Terrorists. The FBI wants access to that iPhone to help in their investigation. It is entirely reasonable for the FBI to want access.
It is now a little over two years since I first acquired a computer with UEFI support. That was a Dell Inspiron 660. It came with Windows 8 (since upgraded to Windows 8.1). I have left secure-boot enabled for most of that time, “to keep Windows happy”. In fact Windows does not complain at all if I disable secure-boot.
My second UEFI box is almost one year old. I do not have Windows installed there. It is a Lenovo ThinkServer TS140. When I first purchased it, secure-boot did not work all that well so I left it off most of the time. I did turn it on for some testing, but it required modifying the opensuse “shim” to get it to work. The problem that I had with secure-boot is described here under the heading “Booting the Machine that supports only one signature with vendor provided Keys”. After a BIOS update a few months ago, secure-boot now works quite well on the TS140, so recently I have been leaving it enabled most of the time.
When support for legacy grub (or grub1) was dropped for opensuse 13.2, one of the reasons was to make it easier to support encryption without a separate unencrypted “/boot” partition. Recent releases of grub2 have some support for accessing encrypted file systems, so it was mostly a matter of adding support to the installer.
I decided to test how that works. So I did a test install of opensuse 13.2 into an encrypted LVM, without a separate “/boot”. The Yast installer was happy with that. It did not complain that there was no “/boot”. So I continued through the full install.
There were no install errors reported. But it didn’t work. Instead, while booting, I got a grub shell. And the grub shell did not offer any commands related to crypto.
After updating my Tumbleweed system last week, I noticed that something had changed with “gpg”. Or, more explicitly, “gpg” was not working at all. This was immediately noticeable, because I had configured “kdewallet” to use “gpg” for encryption.
Okay, that’s a bug. It will presumably be fixed before opensuse 13.3 is released. For now, I had to find out what was up and how to work around the problem.
The specific Tumbleweed change was an update of gpg from version 2.1.0 to 2.1.1. The major change was already there in 2.1.0, but I had not noticed it because everything that I was doing still worked. The 2.1.1 update broke that.
The specific change was to remove support for old pgp2 keys. These are the type of key introduced with pgp2 in the early 1990s. They use RSA (for the public key encryption) and the md5 digest algorithm for hashing. These days, the md5 hash is considered too weak.
[Update: 9/25/2014 – A quick check shows that opensuse has a patch for this for 13.1, and presumably for 12.3. You should update your system as soon as possible. An email message in the factory mailing list explains why this is not yet fixed for factor and contains a pointer to where you can update bash if your system is running public services (such as a web server.]
This will be brief. Information is coming out about CVE-2014-6271, a bash bug which is potentially remotely exploitable.
I suggest you do a web search for “CVE-2014-6271” if you are looking for information. Information on this bug was embargoed until a few hours ago, so better information will soon start turning up.
The bug itself is with the use (and mishandling) of environmental variables, particularly when they define shell functions. The concern is that this might be a vector of attack via shell scripts that can be invoked remotely, such as cgi-scripts on web servers.
I’m not personally concerned. I am not running a web server, and I doubt that I have any easy attack points for this bug.
There’s no information on when opensuse will fix this, though they are working on it. The bug is mentioned in the opensuse mailing list, which is where I heard about it.
The TrueCrypt home page now says:
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.
The page now offers advice that Windows users should switch to BitLocker, and gives advice on how to do that.
If you are a linux user, the best choice would be to use LUKS encryption.
There are rumors floating around as to what is behind this. But maybe the developers are just deciding that the original need for TrueCrypt has passed, now that most recent systems have their own way of handling encrypted disks.
Personally, I chose LUKS for encryption on linux. So the apparent end of TrueCrypt does not affect me.
If you have an account at Ebay, then you should change the password. Apparently, Ebay data was compromised recently.
On my first attempt to change password, I got a “page unavailable”. I was able to change it an hour later. Other people are also reporting problems. Possibly, there is more traffic than the site can handle (for password changing), so you might not succeed on the first try.
If you use the same password for paypal as for Ebay, then you should also change the paypal password. If they are not the same, then your paypal credentials should be safe. The reports indicate that paypal data was not compromised.
Ebay does send an email message to your registered email address, when the password is changed. This is protection against the hackers trying to change your password. If you receive such email,, but did not change your password, then you should report that problem.
In my recent review of “chromium”, I mentioned that it offers to save passwords, and stores them in kwallet. This suggests that they should be stored in encrypted form, due to the way that kwallet works.
Unfortunately, things may be worse. I recently tested out “chromium” while logged into Gnome. And when I visited a site where chromium had a saved password, it filled in the password field. But I was never prompted for the key to unlock kwallet.
It now looks as if “chromium” is saving the passwords in kwallet, where they are encrypted. But it is apparently also saving them in an unencrypted (but obscured) file in the user chromium profile directory.
This is not good.
According to an announcement that I saw today, it is now possible to use “cryptsetup” with “truecrypt” volumes.
The announcement was on the lizards mailing list, and also showed up in opensuse forums.
I have not tested this. The “man” pages for “cryptsetup” do explain how to use it to access a truecrypt volume. There is currently no support for creating a “truecrypt” volume with “cryptsetup”.
The other way of using “TrueCrypt” is to install “realcrypt” from the packman repos (also not tested).