If you have a home theatre or run a small business, you likely have a Network Attached Storage (NAS) device around. The same goes if you just have a huge collection of photos and share the storage with other computers at home.
Over time these devices evolved from simple storage that you could access through your network to full computers, running web services, streaming, databases, even virtual machines (just check the TS-451 I had here for a while).
Obviously, since these are full computers, we have to treat them as potential weak links – and the recently disclosed GNU Bash vulnerability is affecting at least one NAS vendor, according to an email just received. I would believe other vendors are also impacted but I have not seen any documentation yet.
If you have a NAS at home (or run any UNIX-like operating system, including Linux, BSD, and Mac OS X) then you should really look for a patch/update for your system and get this fixed.
Here’s the email QNAP sent to their customers:
QNAP Systems, Inc. has been looking into the recent concerns over potential Bash code injection (CVE-2014-6271) that can lead to security vulnerabilities on the Turbo NAS and other Unix/Linux-based systems. A partial solution for CVE-2014-6271 exists but may result in another security vulnerability (CVE-2014-7169). QNAP is actively working on a solution for this issue, but in the meantime encourages all Turbo NAS users to take the following immediate actions to avoid any possible exploitation of their system.
As a temporary measure until a solution is released for this issue, please ensure that the following services of the Turbo NAS are disconnected from the Internet:
- Web administration
- Web server
- Photo Station, Music Station, File Station, and any other NAS app that uses a web-based interface
Normally the local network is not accessible from the Internet easily, users can still use their Turbo NAS safely. If users still worry about the security of their local network, they can follow the steps to disable the QTS web UI completely, and only turn it on when necessary:
- Login to QTS and disable the Web Server in Applications
- Login to QTS and disable the secure connection (SSL) in General Settings
- Disable NAS web administration using a SSH utility (such as putty):
  - Connect to the Turbo NAS with admin username and password
  - Type the following command and hit the "Enter" key: /etc/init.d/thttpd.sh stop
Note: The NAS web administration will become unavailable after taking the above steps. To restore it:
- Restart the Turbo NAS, or
- Manually start the web administration via SSH by typing the following command: /etc/init.d/thttpd.sh start
QNAP will keep users updated with the latest information as addressing this issue. If users would like further assistance, please contact QNAP Technical Support at http://helpdesk.qnap.com.
UPDATE: Here’s Synology’s page on affected NAS models.
I got the confirmation I will be attending the TechEd as a Microsoft guest (same as in previous years) with other media presence.
In the meantime, I have just finished working on something with Intergen for their stand - you folks probably remember in previous years there were racing cars and the stand was quite popular.
This year, working with Microsoft Xbox and Activision, there will be a Guitar Hero competition - prizes include a daily JB Hi-Fi voucher and an Xbox One with Kinect at the end of the competition. More information here: Intergen Guitar Hero Geek competition at TechEd.
It is time for the annual report on browser usage around Geekzone. At the bottom of this post you will find links to previous years so you can compare all the numbers.
These charts are based on Google Analytics data collected during the 30 day period ending 12th March 2014. I realise part of our audience is more technically inclined, so our numbers are different from those presented by other more mainstream websites (such as Trade Me and news sites) but we have a huge number of non-tech visitors landing in our pages from search results seeking solutions for their problems.
Overall since last year we’ve seen a small increase in Chrome usage (45% up from 40%), a very small decline for Firefox (22% down from 24%) and a drop in Internet Explorer usage (18% down from 23%).
New Zealand numbers show a good jump up for Chrome, with both Firefox and Internet Explorer sharing the same space (and loss of audience):
It seems businesses are slowly moving away from Internet Explorer, with Chrome now showing 46% adoption, up from 39% last year. Firefox remains pretty much unchanged with most of the loss in the Internet Explorer side:
After hours we see a dip for Firefox with 19% of people using it this year down from 21%. Internet Explorer shows a dip from 19% to 16%, with Chrome again being the winner in share and increase (47% up from 41%). Safari remains with same numbers as last year.
How is Internet Explorer doing? Despite being a “newcomer” Internet Explorer 11 is coming strong at 44% usage from non-existent last year. Internet Explorer 8 comes second (24% down from 30%), Internet Explorer 9 is down to 17% from 50%, Internet Explorer 10 remains pretty much unchanged and Internet Explorer 7 just shows up (2% down from 7%). All other versions practically disappeared with below 1% usage.
And here is an OS distribution in New Zealand. It pretty much remains unchanged except that Android got up to 5% from 3%, while Linux dropped from 4% to almost nil (now in the “Other” category):
And below the Windows distribution:
Previous posts for comparison:
Many times we at Geekzone (myself or moderators) have to take swift action and ban someone from our forums (here is a visual collection of some banhammers used in the process). We have a strict Forum Usage Guideline (FUG) that serves as a guide to everyone in the community. Obviously banned users try to come back in, so we have mechanisms to deal with that.
Quite a few times I get emails with “you are infringing my free speech rights” or “you are being paid to censor me” and so on. As a policy I never reply to these emails and we all know those “free speech” rights are public ones. These rights protect people from being persecuted by the state for their thoughts and words.
Today’s XKCD “Free speech” explains it pretty well (although it uses the 1st Amendment, it applies to other jurisdictions too):
I ran some speed tests with NirSoft USB Flash Drive Speed Test and here is the result:
For comparison, here is a C300 SSD in a USB3 external case:
Now, this is a Sony memory key, purportedly USB3 as well. Can you see the difference?
And below are a couple of USB2 devices (HP-branded and generic one). See how the write speed on the Sony USB3 is no better than USB2?
There’s no end in sight for Telecom email users. While the company’s move to require the use of SSL for email access (Really, all those email passwords were transmitted in the clear over those WiFi access points around the world up until now?) is a Good Move™, the fact they got the SSL certificate with the wrong server name is troubling.
Apparently this certificate was issued to pop3r.xtra.co.nz instead of pop3.xtra.co.nz. People are accepting this certificate just so they can get to their emails. This is bad because I’ve seen comments such as “just accept it I need to get to my emails”.
@freitasm That would explain a lot. Had to add an exception for the cert when my Mum started shouting at Thunderbird.— Indy (@Indy_Griffiths) March 17, 2014
Not everyone is seeing this error, which points to multiple servers having a good certificate and at least one of them having a bad certificate.
What happens next time these users see a certificate error? They will repeat the “just accept it” routine, thinking it’s just another small problem? Do these people actually know the implication of accepting SSL certs left, right and centre? Probably not. And here is the problem.
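What the mail client is checking when it raises that warning, as an added example that is not part of the original post: the certificate name check in Python, run over a constructed pool of three servers behind one name, one of which presents the pop3r name. Only the two hostnames come from the post; the addresses and certificate dictionaries are made up for illustration.

```python
# Added example (not from the original post). Hostnames are the two named in
# the post; the backend addresses and certificate contents are constructed.

def name_matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard allowed only as the whole left-most label, with at least
        # two labels after it (a simplification, not a public-suffix check).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output.
    subjectAltName takes precedence; commonName is only a fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def audit(hostname, backends):
    """Map each backend address to True if its certificate covers hostname."""
    return {addr: any(name_matches(n, hostname) for n in cert_names(cert))
            for addr, cert in backends.items()}

def mismatched(hostname, backends):
    """Backends whose certificate a strict client would reject."""
    return sorted(a for a, ok in audit(hostname, backends).items() if not ok)

# Constructed pool: three servers behind one name, one with the wrong certificate.
BACKENDS = {
    "192.0.2.10": {"subjectAltName": (("DNS", "pop3.xtra.co.nz"),)},
    "192.0.2.11": {"subject": ((("commonName", "pop3r.xtra.co.nz"),),)},
    "192.0.2.12": {"subjectAltName": (("DNS", "*.xtra.co.nz"),)},
}

if __name__ == "__main__":
    for addr, ok in audit("pop3.xtra.co.nz", BACKENDS).items():
        print(addr, "OK" if ok else "NAME MISMATCH")
```

Only the server presenting the pop3r name fails, which is the "some users see it, some don't" pattern: a client that has stored an exception no longer gets this signal at all.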
Windows XP was released mid-2001. It was a different world then. Things changed a lot in terms of security, safety and privacy online over these 13 years and the OS needs updating to confront the new, more evolved risks as well as the avalanche of data we now receive.
I was surprised someone on Twitter posted “This Windows XP update exists solely to tell you that it is Windows XP and Microsoft wants you to pay more money to upgrade.”
Interesting way of putting it. Apple launched OS X 10.0 around the same time as Windows XP and they have been launching new versions of OS X over the years, and every few versions software needs to be updated or it won’t run properly. But I never read anyone saying “they’re doing it to get people to pay more”.
A big difference here is that software that runs on Windows XP will most likely continue to run on Windows 7 and Windows 8, with few exceptions including drivers (if you have devices that old they are probably reaching the end of their lives anyway).
For users of Microsoft’s platform this is good and bad. It’s good because it reduces the cost of going to newer OS versions. It’s bad because (some argue) newer OS versions need to keep supporting this older software and these older APIs, keeping the OS rather large and the maintenance costs (in both time and number of developers) adding up over time.
It’s also bad because adding security safeguards to old OS versions is not always possible, due to limits in the original implementation.
For consumers who still haven’t received the message about security, safety and privacy, Windows XP still seems a pretty good OS. Most of the current software still runs on this old OS, it doesn’t need big hardware and it’s pretty easy to use. The end result? From January 2014 – March 2014 around 29% of Internet-connected computers were still running Windows XP (down from 39% the year before). This shift is not moving fast enough.
The next Windows Update for Windows XP will add a message that will be presented to users to let them know this OS is no longer supported.
Still, many people using pirated copies of Windows don’t get updates anyway (security or otherwise) and most likely don’t care. And I guess most will just click the box “Don’t show this message again” and be done with it.
Microsoft has extended support for its anti-malware software until July 2015. For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.
Also note this end of support doesn’t apply only to Windows XP but Windows Server 2003 as well.
Someone commented that the malware developers need only reverse engineer the first few security updates released for Windows 7/8 but not for Windows XP to create new tools to attack and control those unprotected machines. Let’s see what happens in June 2014.
Yahoo! has acquired Vizify… And it proceeded to do what it’s done with 30 startups it previously bought: close the service down. According to people following the tech industry this means the company has closed 31 out of 38 startups it acquired since Marissa Mayer took the helm. But this doesn’t happen at Yahoo! only. All other large tech companies acquire technology to incorporate into their own products and differentiate themselves in the market. Whether this works out well for consumers or not is another story.
But that’s not what I am thinking about here. I am thinking about your online security. Every now and then I take ten minutes to go through the Twitter authorised apps list and remove some of them:
I also do this on Facebook and LinkedIn. My reasoning? Who knows what is going to happen with those tokens granting account access that are stored in these databases? How do I know the new owners can be trusted?
Sure, you’d say “It’s Yahoo!, they won’t go around spamming your followers from your account”.
My original “contract” was not with the new owners and I have no idea of their plans. The best thing, the safe thing, to do when a service is acquired is to revoke those tokens. Go through your Twitter Apps list (Twitter | Settings | Apps) and look through it. See the number of apps you gave permission to access your information, impersonate you to post in your stream, read your friends/followers lists, etc?
Some of those you only used once. Some of those you don’t even remember what they are.
Go on, clean up the mess and you will be safer.
Getting to Auckland was easier said than done, with the Wellington airport being closed due to a fog that came down and lasted for more than 12 hours, resulting in almost all morning flights being cancelled. Even so I managed to take off only two hours later than originally planned.
Netguide’s Sean Mitchell said there was a record number of votes this year (290,000 for all categories in the whole competition if I’m correct), so it is great to be able to receive this award. It is really our great community that makes it happen and keeps it pumping, with help from our team of volunteer moderators. So it’s really for all of us, not just me. Well done folks.
The event was fully packed at the Hilton Hotel where people in attendance had the opportunity to mingle before the doors opened to the conference room. After the event I had dinner with the ESET NZ team, including Steve Smith who had earlier taken this photo:
Telecom's decision to stick with Yahoo! as a mail provider after a review in 2013 was wrong, and email account hacks have happened three times since that decision.
It's time they started a serious project to protect their customers. At this rate we may soon see more than just spam being sent out, but successful phishing attempts leading to losses on both sides.
It will be a long project. No one likes moving a million email mailboxes, but it must be done. Now.