Law: Who controls your cloud data?


This is an interesting situation, and one that I think does need to be addressed in an international forum.   When dealing with data "in the cloud", who controls it?  Does it depend on the country of citizenship of the content owner?  Does it depend on the home country of the service being used?  Or does it depend on the physical location of the server?

Naked Security:  Microsoft: US would be outraged if another nation ransacked its servers

Oracle Java: Just say no?

Java. I do not like it, and I never have. Originally, back when Sun Microsystems owned it, I disliked it because the user interface of applications written in it did not match the "look and feel" of native applications, making for a rather visual jarring experience. Then there was the performance issue of the Java based application having to run through an interpreter in order to run.

Now that Oracle owns it, my problems with Java are security related. I would have assumed that Oracle has some of the most talented and qualified software developers there are, but apparently not. Every single version of Java that they eventually release has major security flaws, and to make matters worse, Oracle intentionally lets them stay that way for months on end because they apparently cannot be bothered to

  • validate their product for such issues
  • interrupt their glacially slow development cycle to issue critical security updates
  • care

There was a serious flaw discovered last November - three months ago - (I no longer remember what it is) and Oracle did two things: They acknowledged the flaw and then stated that they had no plans to fix it until their next release, in February. By contrast, Microsoft issues security patches at least once a month (on Tuesdays) via Windows Update, but if the issue is severe enough they'll issue it immediately, out of sequence.

Today, I saw a notice of another one (or maybe it's really the same one, the articles I've seen on it do not specify). But apparently it's so bad that the US Department of Homeland Security has gotten into it, advising computer users everywhere to disable Java in their web browsers.

Mozilla, makers of the Firefox browser, has activated a remote security feature in Firefox to automatically disable the Java plugin (when Firefox checks for updates to itself or installed plugins, this will get activated). Apple reportedly is doing the same thing with their Safari web browser.

Me, I've gone beyond merely disabling it in my browser, I've already uninstalled it, and unless this breaks my ability to use things I have no plans on ever reinstalling it.

My source information for this opinion article consists of these articles:

Experts urge PC users to disable Java, cite security flaw

U.S. warns on Java software as security concerns escalate

Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B


Oracle has stated that they will fix this, but declined to say when.

So much SPAM!

I was curious as to how much spam I actually get in a day, so rather than delete it as it came in, I just let it accumulate for a day.  There were 90, most of which came in dribs and drabs steadily throughout the "business day", none at all overnight.  This tells me that they are being sourced through a zombie network of infected computers.

Most of these have headers useless for tracing, at least with the tools I have at my disposal since I am not an actual computer security or forensics expert, but they do follow a general pattern that confirms that they come from a zombie network.

The days of "Oh, I don't need antivirus software" are long gone.  While the virus/trojan/whatever that is installing the spambots on your computers are likely otherwise harmless, they are sucking up your computer's resources, your network bandwidth, your neighbor's bandwidth, and generally making the online life of everyone less enjoyable because we are receiving the crap that you do not know your computer is spewing out.

There are many reputable antivirus software packages out there, and many that are actaully malware themselves.  Personally, I wouldn't touch Symantec or McAfee's home products with a ten foot USB cable, but their business software is good.  And there are other alternatives, some you can buy off the shelf at Best Buy, some online, some both, and some that is freeware.  Personaly, I use the freeware version of Avast!, and I also periodically spot-check with the freeware version of MalwareBytes (do not have two antivrus packages in always-on realtime mode, or trouble will result, but you can have one always-on and one for on-demand scans).

Now that you've installed your antivirus software, something that is even more important:  DO NOT OPEN THOSE MYSTERY EMAIL ATTACHMENTS!  You did not just win the national lottery, the defense minister of that African nation is not asking you to help smuggle $50 million US dollars out of the country, and FedEx is not trying to deliver a package to you via email.

Other things you can do to prevent problems is to not use Internet Explorer.  While many applications use Internet Explorer as a back-end display engine (because many software engineers are lazy and Internet Explorer is preinstalled on every Windows machine on the planet), that does not mean that you have to use it for web browsing.  There are three common and better alternatives, and several less common ones including Apple Safari (I'm talking about Windows users, not Mac users).  The three are, in my order of preference: Mozilla Firefox, Google Chrome and Opera.   Why?  Because unlike Internet Explorer, these other browsers either have built-in or the ability to install add-ons that make your web use safer and more enjoyable by blocking the annoying ads.  And on "some" sites (like porn and pirate software sites), you don't even have to directly interact with the ads for their malware payloads to be installed on your computer, merely visiting these sites can do that.

Security vulnerability in Java to remain unfixed until February?

According to several sources, there is a critical security flaw in all versions of Oracle Java that was discovered in September, that Oracle is declining to fix until February. There are no known actual exploits using it, but still... many security sites are recommending that users disable Java in their web browsers because of this.

Some sites with technogeek info about the issue are: @RISK: The Consensus Security Vulnerability Alert, Kaspersky Lab's ThreatPost, and's Full Disclosure.

What I find depressing about this isn't that there is a found security flaw, but that Oracle is refusing to fix it. Reportedly, their stated reason is that the report came too late for them to include the fix in their most recent update and that it would take months of research, development and testing to prove a fix. Yet the guy who found and reported the issue to them included a fix in his report, a fix that he said took him about a half hour to code and prove.

How to disable Java (note, not JavaScript which is completely different) depends on your browser.

In Firefox, it's a Plugin accessed via the AddOns section. Just click on the Firefox button and select AddOns, then Plugins and locate Java(TM) Platform and disable it.

In Chrome, type chrome:plugins into the address bar, scroll down and click the Disable link for Java.

In Internet Explorer 9, click on Tools, Manage Add-Ons, select Java(TM) SSV Plugin and disable it. If there are more than one and the other(s) do not automatically also disable, disable those too.

Note that this may brake some web pages. There are many legitimate reasons to have Java in web pages. If disabling Java in your browser does break things you regularly use, you can re-enable it by going back to where you disabled it and enable it again.