TrueCrypt – No longer safe?

Bad news.  A serious flaw in TrueCrypt has been found that potentially allows full system compromise.  The worse news?  There’s no truly trustworthy TC successor for Windows out there in the wilds so far.  Microsoft and Symantec both offer encryption solutions, but surely they’re rife with back doors.  VeraCrypt is a fork of TC, but so far there’s nothing to generate any confidence that it too isn’t compromised.

The good news, I suppose, is that so far it appears that TrueCrypt on Linux doesn’t have this newly found flaw.  Also, it seems this flaw requires the machine to be on and in Windows.  In other words, if your fully disk encrypted machine is powered down, or your drives are removed or are external and the machine isn’t with them, your data remains safe.  Cold comfort, really.

AVG selling your browser history?

According to this reddit thread, yes.  Time to move on if you’re using it.  See below from their current privacy policy.  Emphasis mine.

We collect non-personal data to make money from our free offerings so we can keep them free, including: Advertising ID associated with your devices; Browsing and search history, including meta data; Internet service provider or mobile network you use to connect to our products; and Information regarding other applications you may have on your device and how they are used. Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information. We may also aggregate and/or anonymize personal data we collect about you. For instance, although we would consider your precise location to be personal data if stored separately, if we combined the locations of our users into a data set that could only tell us how many users were located in a particular country, we would not consider this aggregated information to be personally identifiable.

That’s a huge italicized if.  Basically a get out of jail free card.  IF we become aware that we’re collecting identifying data.  If we don’t, well, sorry.  We weren’t aware.

Server has a weak ephemeral Diffie-Hellman public key


The other day my neighbor headed to a United Airlines affiliated site in Chrome to book a trip and was greeted with “Server has a weak ephemeral Diffie-Hellman public key.”  Full stop.  She could not continue on to the site.  This is occurring because there is an attack in the wild that takes advantage of a flaw in the Transport Layer Security protocol (a fancy way of saying the supposedly secure way in which a web server communicates to your browser) in order to watch your traffic.  This is called a Man in The Middle Attack.  Essentially it inserts itself between you and your destination and logs your conversation.  You can read more about this here.

The solution is, unfortunately, out of your hands.  Your browser isn’t broken –  The site you’re trying to get to is.  And, as evidenced by it affecting a United Airlines site, there are some heavy hitters who are vulnerable. Any site that’s running 1024 bit or less encryption needs to upgrade to 2048 to close the hole.
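What the browser objects to is the size of the prime the server sends in its TLS ServerKeyExchange message. The following is an added example, not code from the original post: it parses that message and flags a prime below the 2048 bits recommended above; the function names are hypothetical and the sample messages are constructed (right size, not real primes).

```python
MIN_DH_BITS = 2048          # size the post says affected sites should move to
SERVER_KEY_EXCHANGE = 12    # TLS handshake message type

def inspect_dhe_key_exchange(msg: bytes) -> dict:
    """Read ServerDHParams (dh_p, dh_g, dh_Ys) from a ServerKeyExchange message."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    declared = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + declared]
    if len(body) != declared:
        raise ValueError("truncated handshake message")
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        # Each field is an opaque vector with a 2-byte big-endian length prefix.
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name}")
        size = int.from_bytes(body[off:off + 2], "big")
        off += 2
        if size == 0 or off + size > len(body):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(body[off:off + size], "big"))
        off += size
    p, g, ys = values
    return {
        "p_bits": p.bit_length(),
        "weak": p.bit_length() < MIN_DH_BITS,
        # A sane public value lies strictly between 1 and p - 1.
        "ys_in_range": 1 < ys < p - 1,
    }

def _vec(n: int) -> bytes:
    """Encode an integer as a length-prefixed opaque vector."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw).to_bytes(2, "big") + raw

def constructed_message(p_bits: int) -> bytes:
    """Constructed sample: p has the requested size but is NOT a real prime."""
    p = (1 << (p_bits - 1)) | 1
    body = _vec(p) + _vec(2) + _vec(p // 3)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, inspect_dhe_key_exchange(constructed_message(bits)))
```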

But in the meantime, what if you really, really need to get to that site?  I’d tell you to try to contact the site owners and tell them to get it together, but realistically that’s not so easy (can you imagine calling United’s customer service and saying to the phone jockey who answered “Hey, y’all need to upgrade your public keys on your site because currently it’s vulnerable to the Logjam attack and any decent browser isn’t allowing your site to resolve.”  Yeah, you’ll get traction there).  So how do you get to the site?  So far there doesn’t appear to be a way to tell Chrome to continue.  You can try switching from HTTPS to HTTP, but most likely you’re hitting a login page and will be forced back to HTTPS (and the error).  You can, however, weaken Firefox to allow navigation on these sites.   Open a new tab and in the address field enter:


This opens the browser’s sekrit settings.  Get past the warning, and then locate these two settings:



By default these are set to True.  Change them to False and you’ll be able to hit the affected site.  I STRONGLY recommend only doing this on a site you absolutely trust, and only in situations where there’s absolutely no other recourse, and I recommend changing these back to True as soon as you’re done on that site.

More info on Microsoft’s push to track Windows 7 and 8 users

Surely you’ve already read that Windows 10 includes some pretty disappointing user tracking baked into it.  Microsoft is also pushing this tracking down to its Windows 7 and 8 operating systems.

Aside:  I get the Win 10 thing.  It’s free.  Do what you want with your free operating system.  But quietly inserting anti-privacy shit into operating systems that people have already paid for?  Ludicrous.  Offensive.  Ridiculous.  It’s prompted me to finally get off my ass and move all the machines I can off of Windows and onto Linux, for good.

Anyway, yeah, MS is pushing this stuff into your operating system without really giving you any indication.  The current list of updates that should trouble you is as follows:

You can remove these updates via command line thusly:

wusa /uninstall /KB:2952664 /norestart /quiet
wusa /uninstall /KB:2990214 /norestart /quiet
wusa /uninstall /KB:3021917 /norestart /quiet
wusa /uninstall /KB:3022345 /norestart /quiet
wusa /uninstall /KB:3035583 /norestart /quiet
wusa /uninstall /KB:3044374 /norestart /quiet
wusa /uninstall /KB:3068708 /norestart /quiet
wusa /uninstall /KB:3075249 /norestart /quiet
wusa /uninstall /KB:3080149 /norestart /quiet

In fact, you can save the above to a .bat file and run it.  This takes them off, but unfortunately doesn’t prevent them from presenting themselves for install in the future.  To fix that you’ll have to head to Windows Update, let it scan what you’re missing, and then go through that list hunting for each of these.  When you come across one, right click it and choose to hide it.

This is the list for now… I sincerely doubt this is where it will end, however.  Have you tried Linux lately?

Sickbeard and The Late Show With Stephen Colbert

My Sickbeard doesn’t like it, and doesn’t find it when it’s out there.  Turns out the problem is how it’s being named out there in usenet land, and Sickie can’t figure it out.  It also turns out Sickie has an exceptions database just for handling these sorts of situations.  Problem is, this database doesn’t get updated very often.  Good news is, you can update it yourself!

The database is cache.db, found in the program directory for Sickbeard.  To add to this file you need to use a SQLite shell interface.  You can see basic information on obtaining and using the shell interface on a previous post here.

Once you’re ready to go, fire up your interface from a command line:


Open the database (Pay attention to pathing.  In this example I’m already working from within the directory containing cache.db) :

.open cache.db

And use the following to insert “Stephen Colbert” as a general search term:

INSERT INTO scene_exceptions (exception_id,tvdb_id,show_name,provider) VALUES (9999,289574,'Stephen Colbert','custom_provider');

Breaking down this line a bit: 9999 is the exception ID you’re assigning to this exception.  We’re just looking to get past all the existing exceptions without conflict.  As of this writing my scene_exceptions table has 777 legit autofilled exceptions defined in it.  289574 is the ID for the Late Show, the next field is the search term to be used for the show name (Stephen Colbert), and the final field is the provider, which is the tvdb.

Restart Sickbeard.
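The same insert done through Python's sqlite3 module, as an added example that is not part of the original post: it starts custom IDs at 9999 as above, picks the next free one after that, and does nothing if the exception is already there. The table layout is an assumption inferred from the INSERT's column list, the function name is hypothetical, and the demo runs against a constructed in-memory table rather than a real cache.db.

```python
import sqlite3

CUSTOM_ID_FLOOR = 9999  # the post's starting ID, clear of the autofilled rows

def add_scene_exception(conn, tvdb_id, show_name, provider="custom_provider"):
    """Add a search-name exception once; return its exception_id."""
    row = conn.execute(
        "SELECT exception_id FROM scene_exceptions "
        "WHERE tvdb_id = ? AND show_name = ?", (tvdb_id, show_name)).fetchone()
    if row:                      # already present: re-running changes nothing
        return row[0]
    with conn:                   # commit on success, roll back on error
        top = conn.execute(
            "SELECT COALESCE(MAX(exception_id), 0) FROM scene_exceptions"
        ).fetchone()[0]
        new_id = max(CUSTOM_ID_FLOOR, top + 1)
        conn.execute(
            "INSERT INTO scene_exceptions "
            "(exception_id, tvdb_id, show_name, provider) VALUES (?, ?, ?, ?)",
            (new_id, tvdb_id, show_name, provider))
    return new_id

def demo():
    """Run against a constructed in-memory table, not a real cache.db."""
    conn = sqlite3.connect(":memory:")
    # Assumed layout, inferred from the column list in the post's INSERT.
    conn.execute("CREATE TABLE scene_exceptions (exception_id INTEGER PRIMARY KEY,"
                 " tvdb_id INTEGER, show_name TEXT, provider TEXT)")
    conn.execute("INSERT INTO scene_exceptions VALUES "
                 "(777, 111111, 'Constructed Show', 'constructed')")
    first = add_scene_exception(conn, 289574, "Stephen Colbert")
    again = add_scene_exception(conn, 289574, "Stephen Colbert")
    other = add_scene_exception(conn, 289574, "Late Show Colbert")  # constructed alias
    rows = conn.execute("SELECT COUNT(*) FROM scene_exceptions").fetchone()[0]
    return first, again, other, rows

if __name__ == "__main__":
    print(demo())
```

Copy cache.db somewhere safe and stop Sickbeard before pointing this at the real file.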

Ubuntu Linux The cache has no package named “wine1.7-i386”

That’s the error that seemingly randomly popped up on my screen.

The cache has no package named “wine1.7-i386”

I’m using Wine because there are some Windows specific things I need to be able to run.   It seems that the updater may just not like Wine too much, because when I manually ran updates with a simple sudo apt-get update it upgraded without a problem and the error disappeared.

Virtualbox and Ubuntu (MATE)

I might be bailing from Windows, but I still need it for work.  Luckily I’ve been using Virtualbox for my work machine (for a variety of reasons I won’t get into here).  However, I installed Vbox 5.02 on my Ubuntu MATE laptop, imported my virtual machine, and upon first run was greeted with:

Kernel driver not installed (rc=-1908)

The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing

‘/etc/init.d/vboxdrv setup’

as root. Users of Ubuntu, Fedora or Mandriva should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.

I tried what the error said, but no dice.  It could not recompile the vboxdrv kernel module.  After a bit of searching around I found the following solution:

sudo apt-get install dkms build-essential linux-headers-generic; sudo /etc/init.d/vboxdrv setup

Removing AVG from Ubuntu

I’m using Ubuntu Mate 1.8.2 and for some unknown reason installed, or tried to install, the AVG deb package (avg2013flx).  Well, the install failed. I did some research to attempt to rectify this and instead came to the conclusion that I didn’t need AVG in the first place.  So I tried uninstalling it… and that failed:

Turns out part of the install failure involved the installer’s inability to fire up the AVG service, avgd.service, and that’s where the uninstaller was choking – trying to turn off that service that wasn’t on in the first place.  What a stupid ass uninstallation script.  Thankfully the fix was pretty easy:

  1. Open an elevated (sudo) text editor of your choosing and navigate to /var/lib/dpkg/info and open the file avg2013flx.prerm
  2. Locate all instances of the following lines (my prerm had two sets) and comment them out by placing a pound sign (or a number sign or hashtag depending on your age, geographic location or level of nerdiness) at the beginning of each line.
  3. Save the file, and then attempt to uninstall the app again:
    sudo apt-get remove --purge avg2013flx

If you were having the same problem I was, that should do the trick.

Microsoft slips it to you on Windows 7 and 8

Microsoft is slipping into Windows 7 and 8 the same data mining and privacy violating tracking that has made news for being a part of Windows 10.  I’m in the midst of absorbing it all, but for now further info, including updates to block, can be found here.

Also, instructions on how to opt-out of their CEIP (Customer Experience Improvement Program) which if you’ve installed Office you’ve surely inadvertently joined, can be found here.

This is getting to be a bit much.

CMS dangers: Plugins. This episode – Sweet Captcha

First, an apology for anyone who recently visited this site and found themselves bombarded with pop up ads or alarmist claims that they’d contracted viruses.  I’m incredibly sorry.  A plugin that I use(d), SweetCAPTCHA, is now injecting pop ups in what appears to be an attempt to monetize their plugin.

Now, whether SweetCAPTCHA’s been compromised (I don’t think so) or has turned to nefarious means to try to fill their coffers (ding ding!), the ease with which this happened should set off alarm bells for CMS users everywhere (after all, SweetCAPTCHA’s not WordPress specific).  I’ve been absolutely guilty of thoughtlessly hitting the “upgrade” link on plugins, especially on sites of my own.  I’m a bit more cautious with client sites after having been bit more than once by an upgrade that rendered inoperable an important plugin, but I’d be lying if I didn’t admit that sometimes I don’t do sufficient research before and adequate QA after some upgrades.   And that leads to a night like tonight, logging into all my personal and client sites in a panic to see who had SweetCAPTCHA installed and activated (thankfully no clients – only this site and one other personal site).

Plugins are third party.  They’re dangerous.  We’re trusting them to do what they say they do and nothing more.  And we’re placing that trust in them again and again each time we agree to an upgrade.  We need to be careful.

So again, I sincerely apologize.  This site doesn’t get a whole lot of traffic, but the traffic it does get is mostly people looking for help.  Every time I receive an email or comment from someone telling me this little site of mine has helped them it makes me a bit warm inside.  That SweetCAPTCHA hijacked my little warmth generating site to take advantage of its visitors pisses me right the fuck off.

Read more about SweetCAPTCHA’s shitty new business model here and here.