
FBI Weighs Looser Pot Rules for New Hires – Funny

From today's WSJ – a quote from FBI Director James Comey:
 
Congress has authorized the FBI to add 2,000 personnel to its rolls this year, and many of those new recruits will be assigned to tackle cybercrimes, a growing priority for the agency. That is a problem, said Mr. Comey, as a lot of the nation's top computer programmers and hacking gurus are also fond of marijuana.
 
"I have to hire a great work force to compete with those cybercriminals, and some of those kids want to smoke weed on the way to the interview," Mr. Comey said. He added that the agency was now "grappling" with how to amend its marijuana policies.
 


Fixing the “ACL found but not expected on …” error during OSX Volume Repair

Symptom – Running the OS X Disk Utility program and clicking Verify Disk Permissions produces many lines of the form “ACL found but not expected on [filename]”. These errors can be safely ignored (an ACL is an Access Control List, a finer-grained set of permissions layered on top of the usual Unix owner/group/other bits), but they bury the results you actually care about.

Fix – Fletcher Tomalty has written a Python script that can be run from the command line to remove these unexpected ACLs. The script uses the OS X Disk Utility to find the files and then runs sudo chmod -h -N on each of them (-N removes the ACL, -h acts on a symbolic link itself rather than on what it points to). I have used it successfully on Mountain Lion 10.9.9.
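For readers who would rather see what the fix does before running someone else's script on their system volume, here is a small Python equivalent added to this post (it is not Fletcher Tomalty's script). It parses the verification report, turns each warning into an absolute path, and by default only prints the chmod commands it would run; pass --fix to execute them. The exact wording and quoting of the Disk Utility / diskutil output is an assumption, so the regular expression matches loosely, and the sample report is constructed for the example.

```python
import re
import subprocess

# Disk Utility prints the warning with curly quotes; `diskutil verifyPermissions`
# prints straight ones. The path is relative to the root of the volume checked.
# (Assumed output format; matched loosely on purpose.)
ACL_WARNING = re.compile(r'ACL found but not expected on [\u201c"](.+?)[\u201d"]\.?\s*$')

# Constructed sample of a verification report, not captured from a real machine.
SAMPLE_REPORT = """Verifying permissions for \u201cMacintosh HD\u201d
ACL found but not expected on \u201cApplications/Utilities\u201d.
ACL found but not expected on "Library/Printers".
Permissions verification complete
"""

def acl_warning_paths(report: str, volume: str = "/") -> list:
    """Return the absolute path named in every 'ACL found but not expected' line."""
    root = volume.rstrip("/")
    paths = []
    for line in report.splitlines():
        m = ACL_WARNING.search(line)
        if m:
            paths.append(f"{root}/{m.group(1)}")
    return paths

def strip_acls(paths, dry_run: bool = True) -> list:
    """Build (and, unless dry_run, execute) `sudo chmod -h -N PATH` for each path.
    -N deletes the ACL; -h changes a symlink itself instead of its target."""
    commands = [["sudo", "chmod", "-h", "-N", p] for p in paths]
    if not dry_run:
        for cmd in commands:
            subprocess.run(["ls", "-led", cmd[-1]])   # ls -le shows the ACL we are about to drop
            subprocess.run(cmd, check=True)
    return commands

def verify_permissions(volume: str = "/") -> str:
    """Run the command-line equivalent of Verify Disk Permissions (macOS only)."""
    out = subprocess.run(["diskutil", "verifyPermissions", volume],
                         capture_output=True, text=True)
    return out.stdout

if __name__ == "__main__":
    import sys
    report = verify_permissions("/") if sys.platform == "darwin" else SAMPLE_REPORT
    for cmd in strip_acls(acl_warning_paths(report), dry_run="--fix" not in sys.argv):
        print(" ".join(cmd))
```

The ls -led line before each chmod leaves a record of the ACL that was removed, which is worth keeping if a later verify run complains about something you did not expect.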


FCC’s New Rules Could Threaten Net Neutrality

Federal Communications Commission Chairman Tom Wheeler is circulating a proposal for new FCC rules on the issue of network neutrality, the idea that Internet service providers (ISPs) should treat all data that travels over their networks equally. Unfortunately, early reports suggest those rules may do more harm than good.


Why You Shouldn’t Put Your Money Where Your Mouth Is

 

By ROBERT LEE HOTZ
Wall Street Journal
April 18, 2014

Talk about dirty money: Scientists are discovering a surprising number of microbes living on cash.
 
In the first comprehensive study of the DNA on dollar bills, researchers at New York University’s Dirty Money Project found that currency is a medium of exchange for hundreds of different kinds of bacteria as bank notes pass from hand to hand.
 
By analyzing genetic material on $1 bills, the NYU researchers identified 3,000 types of bacteria in all—many times more than in previous studies that examined samples under a microscope. Even so, they could identify only about 20% of the non-human DNA they found because so many microorganisms haven’t yet been cataloged in genetic data banks.
 

Viewing a winmail.dat Attachment

Problem – you receive an email that has an attachment named winmail.dat that your Mac Mail program can't view.

Reason – The winmail.dat file is a TNEF (Transport Neutral Encapsulation Format) container that Outlook attaches when it sends a message in Rich Text format. The formatted body and any real attachments are packed inside it. OS X Mail, like most non-Microsoft clients, does not unpack TNEF, so all you see is the opaque winmail.dat.

Solutions

Ask the sender of the email to change their default email settings. Microsoft suggests 4 methods here. Then have the sender re-send the attachment. This is often impractical as it places the burden on the sender, who may be someone you don't want to burden. It also only solves your problem with this one sender, not with the hundreds of millions of other Outlook users.

There are well established technical standards for email and so it may seem unfair that you are stuck with this problem because Microsoft  chose to use a proprietary format.  Life isn't fair.

   It is faster and more practical to install an add-on to view winmail.dat files on a Mac. I use TNEF's Enough written by Josh Jacob.

Download the latest version, open the dmg file and drag the program into your Applications folder. If you receive the occasional winmail.dat attachment, save it to your desktop, open TNEF's Enough and select FILE -> OPEN, double click on the attachment listed in the TNEF's Enough program window and select a save location. If you receive winmail.dat files often, drag the TNEF's Enough app into your dock, then drag the winmail.dat file from your email and drop it onto the TNEF's Enough icon in your dock.
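If you want to see what a winmail.dat holds before handing it to any viewer, here is a minimal TNEF reader added for this post (it is not the TNEF's Enough code). It walks the attribute stream, verifies the checksum on every attribute, collects each attachment's title and bytes, and sanitises the title before it is used as a filename, since that name is whatever the sender put in the container. The attribute ids are the standard TNEF values (attAttachRendData, attAttachTitle, attAttachData, and attSubject for the message level); the sample winmail.dat is built by the block itself rather than taken from a real message.

```python
import os
import struct

TNEF_SIGNATURE = 0x223E9F78          # little-endian magic at offset 0
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2
# attribute ids are (type << 16) | id; these are the standard TNEF values
ATT_SUBJECT          = 0x00018004    # attSubject (message level, string)
ATT_ATTACH_REND_DATA = 0x00069002    # attAttachRendData: starts each attachment
ATT_ATTACH_TITLE     = 0x00018010    # attAttachTitle:    the attachment's file name
ATT_ATTACH_DATA      = 0x0006800F    # attAttachData:     the attachment's bytes

def _checksum(data: bytes) -> int:
    return sum(data) & 0xFFFF        # 16-bit sum of the payload bytes

def tnef_attachments(blob: bytes) -> list:
    """Parse a TNEF stream and return [(title, data), ...] for its attachments.
    Raises ValueError on a bad signature, truncation or a checksum mismatch."""
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream (bad signature)")
    pos = 6                          # 4-byte signature + 2-byte attachment key
    attachments, current = [], None
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if pos + length + 2 > len(blob):
            raise ValueError("attribute at offset %d runs past end of stream" % (pos - 9))
        payload = blob[pos:pos + length]
        (stored,) = struct.unpack_from("<H", blob, pos + length)
        if stored != _checksum(payload):
            raise ValueError("checksum mismatch at offset %d" % (pos - 9))
        pos += length + 2
        if level != LVL_ATTACHMENT:
            continue                 # subject, sender, body etc. are not needed here
        if attr_id == ATT_ATTACH_REND_DATA:
            if current is not None:
                attachments.append(tuple(current))
            current = ["", b""]
        elif current is None:
            continue                 # attachment attribute before any attAttachRendData: ignore
        elif attr_id == ATT_ATTACH_TITLE:
            current[0] = payload.rstrip(b"\x00").decode("latin-1")
        elif attr_id == ATT_ATTACH_DATA:
            current[1] = bytes(payload)
    if current is not None:
        attachments.append(tuple(current))
    return attachments

def safe_filename(title: str) -> str:
    """The title comes from the sender; drop any directory components (either separator)."""
    name = os.path.basename(title.replace("\\", "/"))
    return name or "attachment"

# --- constructed sample: a tiny winmail.dat with one text attachment, built here ---
def _attr(level: int, attr_id: int, payload: bytes) -> bytes:
    return (struct.pack("<BII", level, attr_id, len(payload)) + payload
            + struct.pack("<H", _checksum(payload)))

def build_sample_winmail() -> bytes:
    body  = _attr(LVL_MESSAGE, ATT_SUBJECT, b"Quarterly report\x00")
    body += _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, bytes(14))   # rendering info, ignored
    body += _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"report.txt\x00")
    body += _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, b"hello from outlook\n")
    return struct.pack("<IH", TNEF_SIGNATURE, 0x1234) + body

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_winmail()
    for title, data in tnef_attachments(blob):
        print(f"{safe_filename(title)!r}: {len(data)} bytes")
```

Run it with the path to a saved winmail.dat to list what is inside; without an argument it parses its own sample. A title like ..\..\evil.exe is reduced to evil.exe, which is the one check any extractor should make before writing to disk.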

 

The Heartbleed Bug – What to Do Now

Websites that exchange sensitive information with users have, for many years now, secured the connection between a user's browser and the web site by encrypting the traffic. The protocol is called SSL (Secure Sockets Layer) or, in its current form, TLS (Transport Layer Security), and the most widely used implementation is the open-source OpenSSL library. Until the beginning of 2012 OpenSSL did what it was supposed to do: it made the information flowing over the Internet unreadable to anyone other than the intended recipient. Then a programming mistake (a missing bounds check) was introduced into the code implementing a TLS extension called heartbeat, a keep-alive in which one side sends a few bytes and the other side echoes them back.

 

That flaw allows a malformed heartbeat request to make the server return up to 64 KB (about 32 pages of text) of whatever happens to be in its memory next to the request: session cookies, passwords, even the server's private key, all in the clear, and nothing stops the attacker from asking again and again. In effect, the programming error exposes the very information that SSL/TLS was intended to protect. Named after the heartbeat extension, the bug has become known as Heartbleed (CVE-2014-0160).
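The mechanism is easier to see in code than in prose. The block below is a model written for this post, not OpenSSL's source: it lays out an RFC 6520 heartbeat message, then handles it first the way OpenSSL 1.0.1 through 1.0.1f did (trusting the length field inside the request) and then the way 1.0.1g does (checking that length against the record actually received). The "heap" is a constructed bytearray holding the request followed by made-up data of the kind a web server keeps in memory.

```python
import os
import struct
from typing import Optional

# RFC 6520 HeartbeatMessage: type (1 byte), payload_length (2 bytes), payload,
# then at least 16 bytes of padding.
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16

def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """An honest client claims len(payload). Heartbleed is what happens when
    claimed_length says more than the record actually carries."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + os.urandom(PADDING)

def handle_heartbeat(memory: bytearray, record_off: int, record_len: int,
                     bounds_check: bool) -> Optional[bytes]:
    """Server side. `memory` stands in for the process heap: the received record occupies
    memory[record_off:record_off + record_len] and unrelated data lives right after it.
    bounds_check=False behaves like OpenSSL 1.0.1 through 1.0.1f; True like the 1.0.1g fix."""
    hb_type, payload_length = struct.unpack_from("!BH", memory, record_off)
    if hb_type != HB_REQUEST:
        return None
    if bounds_check and 1 + 2 + payload_length + PADDING > record_len:
        return None  # the fix: a claimed length that does not fit the record is silently dropped
    src = record_off + 3
    # the bug: the copy length comes from the attacker, not from the record, so the
    # read runs off the end of the request into whatever the process stored next to it
    echoed = bytes(memory[src:src + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + os.urandom(PADDING)

def simulated_heap(request: bytes):
    """Constructed sample heap: the request followed by data a busy web server might hold."""
    neighbour = b"POST /login user=alice&password=hunter2 Cookie: session=9f3c2a71 "
    return bytearray(request + neighbour + bytes(256)), 0, len(request)

def echoed_payload(bounds_check: bool, claimed_length: Optional[int]) -> Optional[bytes]:
    """Send a 4-byte 'ping' (optionally claiming a much larger length) and return
    what the server echoes back, minus header and padding."""
    req = build_heartbeat_request(b"ping", claimed_length)
    heap, off, n = simulated_heap(req)
    resp = handle_heartbeat(heap, off, n, bounds_check)
    return None if resp is None else resp[3:-PADDING]

if __name__ == "__main__":
    print("honest request, patched server  :", echoed_payload(True, None))
    print("64 KB claimed, patched server   :", echoed_payload(True, 0xFFFF))
    print("64 KB claimed, vulnerable server:", echoed_payload(False, 0xFFFF)[:80])
```

The vulnerable path answers the oversized request with "ping" followed by everything that sat after it in memory, login form and session cookie included; the patched path answers it with nothing at all. On a real server the neighbouring bytes are whatever malloc happened to place there, which is why the leak looked random from one request to the next and why repeated requests eventually turned up keys.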

The bug was found independently by Neel Mehta of Google Security and by Matti Kamunen, Antti Karjalainen and Riku Hietamäki of Codenomicon Oy, and was disclosed publicly by the OpenSSL project on April 7, 2014. The advisory itself may well be one of the most understated alerts in the history of computer security, with no mention of the catastrophic impact on the Internet and online commerce. A conservative estimate is that two-thirds of the Internet's web servers use OpenSSL to cryptographically prove their identity and to protect passwords and other sensitive data from eavesdropping, although only servers running the 1.0.1 branch (1.0.1 through 1.0.1f, plus the 1.0.2 beta) actually carried the bug; the older 0.9.8 and 1.0.0 branches never had the heartbeat code. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages and other sensitive data.

What to Do Now

If you operate a website you have a great deal of work to do: update the vulnerable OpenSSL library (1.0.1g or later, or your distribution's patched build), restart or rebuild every service and library that links against it, fix whatever those changes broke, generate new private keys, reissue your certificates on the new keys and revoke the old ones, and invalidate existing sessions and ask users to change their passwords. Reissuing a certificate on the old key accomplishes nothing, since the key itself is what may have leaked. If you're like most people you just want to know if some cyber-criminal has stolen the password to your online banking. The most conservative approach is to change all of your passwords once the websites you use have been protected from Heartbleed. Joseph Bonneau, a security researcher, makes a good argument in Heartbleed and passwords: don’t panic that Heartbleed is not as catastrophic as the media reports would suggest.

If you want to be certain, change all of your passwords:

Step 1 – Test whether the site has fixed the Heartbleed bug by going to the SSL Labs server test at https://www.ssllabs.com/ssltest/, entering the site's hostname and verifying that the report shows the site is not vulnerable to Heartbleed. Do not change a password on a site that is still vulnerable; you would simply be handing the new one to whoever is reading the server's memory.

Step 2 – Change your password. As long as you are going to all the trouble of changing your password on every single site where you have one, consider using good passwords and using them properly. You can read my take on good password hygiene here.

Repeat steps 1 and 2 for every site you have used. If you no longer use the site, log in to it and delete your account.

If in the past you used the same password on multiple sites then you definitely need to change them anyway.  Check back for my Password Pyramid approach.
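One thing the SSL Labs test does not tell you is whether the site also replaced its certificate after patching. A server that is no longer vulnerable but still presents a certificate issued before the April 7, 2014 advisory may be running on a key that was already copied out while it was exposed. The following Python, added here as an illustration and not part of any tool the post mentions, pulls the certificate's notBefore date from a live server and applies that rule. The status strings and the April 7 cutoff are this example's own choices; the one limit to note is that a site that reissued on the same old key would pass the date check, and nothing a client can observe distinguishes that case.

```python
import socket
import ssl

# The OpenSSL advisory went out on this day; a certificate issued earlier may sit on
# a private key that was exposed while the server was vulnerable.
HEARTBLEED_DISCLOSURE = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

def fetch_not_before(host: str, port: int = 443) -> str:
    """Return the notBefore field of the certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]   # e.g. 'Apr  8 12:00:00 2014 GMT'

def key_rotated_after_disclosure(not_before: str) -> bool:
    """True when the certificate was issued after the advisory. A reissue on the same
    key would also pass; that is the limit of what a client can observe."""
    return ssl.cert_time_to_seconds(not_before) > HEARTBLEED_DISCLOSURE

def site_status(not_before: str, heartbleed_vulnerable: bool) -> str:
    """Combine the SSL Labs answer (is the server still vulnerable?) with the date check."""
    if heartbleed_vulnerable:
        return "still vulnerable: do not log in or change the password yet"
    if not key_rotated_after_disclosure(not_before):
        return "patched, but the certificate predates disclosure: the key may have leaked"
    return "patched and reissued: safe to change the password"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    nb = fetch_not_before(host)
    # the vulnerability verdict itself still comes from the SSL Labs report
    print(host, nb, "->", site_status(nb, heartbleed_vulnerable=False))
```

Run it with a hostname once SSL Labs reports the site clean; if the date check fails, the site has patched but not finished the job described above, and the safest course is to wait (or ask them) before trusting a new password to it.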