Mozilla Releases Firefox 3.5.5

The Mozilla organization has released a new version, 3.5.5,  of the Firefox Web browser.  This release fixes a handful of stability-related (or, more accurately, instability-causing)  bugs.   It is available via the built-in update mechanism (main menu: Help / Check for Updates); alternatively, versions for all platforms — Mac OS-X, Windows, and Linux — are available in 70+ languages from the download page.  There’s more information in the Release Notes.

Since these updates are not security-related, I don’t expect to see a new version in the 3.0.x series, which is only scheduled to be supported till January of next year.

Fear and Risk

Bruce Schneier has an excellent essay up on his “Schneier on Security” blog, about the instinctive responses to threats of different species (including ours).  He points out that these responses have typically evolved to balance the trade-off between the cost of reacting and the risk of not reacting when reaction is necessary.  Birds (to use his example) will fly away from a bird feeder (free food) at the slightest possible threat.  This may seem to be over-reaction, but the cost of flying away is probably quite small compared to the risk of being eaten, at least in the kind of environment in which the birds evolved.

Evolution generally does quite a good job of optimizing these trade-offs, but it doesn’t do a quick job.  So, when the environment changes, old behavior patterns persist even though they are no longer really adaptive.  Birds at a suburban backyard feeder or in a zoo aviary exhibit the same kind of reactions.

People are, or at least can be, different, since we have the capacity to use our reasoning abilities to override our “wired-in” evolutionary response.  As he has argued many times (notably in his excellent book, Beyond Fear), Schneier thinks we need to practice this much more than we do.

Our reflexive defenses might be optimized for the risks endemic to living in small family groups in the East African highlands in 100,000 BC, not 2009 New York City.

When we rely mainly or solely on our instincts, we tend to do systematically dumb things.  We conflate a feeling of control with a reduction in risk: driving a car is statistically much more dangerous than traveling on a commercial airline, but most peoples’ instincts have it the other way around.  We tend to over-react to rare but spectacular risks.  But it is possible to be sensible:

One night last month, I was awoken from my hotel-room sleep by a loud, piercing alarm. There was no way I could ignore it, but I weighed the risks and did what any reasonable person would do under the circumstances: I stayed in bed and waited for the alarm to be turned off.

False alarms are much more common than serious hotel fires.

Adopting this approach is not easy — it is by definition counter-intuitive — but it can help keep us safer in two ways: it will allow us to make more sensible decisions in everyday situations, like the hotel alarm; and it will help immunize us against people who attempt to push our “fear buttons” in order to advance their own agendas.

Laptop Carelessness

Back in October, I posted a note about the Evil Housekeeper attack (sometimes called Evil Maid)  that was developed by Joanna Rutkowska of Invisible Things Lab . The attack, which enables a person (the Evil Housekeeper) with physical access to a laptop computer to plant a software Trojan on it, is effective even if the laptop’s hard disk is protected by encryption.

In case you are not yet convinced that it is important to look after the physical security of your laptop, you might want to compare notes with an unnamed “senior Syrian government official”, who, according to an article published this week by the German magazine Der Spiegel, had his laptop “bugged” by Mossad, the Israeli intelligence agency, while he was staying at a hotel in London in 2006:

… a senior Syrian government official checked into a hotel in the exclusive London neighborhood of Kensington. He was under Mossad surveillance and turned out to be incredibly careless, leaving his computer in his hotel room when he went out. Israeli agents took the opportunity to install a so-called “Trojan horse” program, which can be used to secretly steal data, onto the Syrian’s laptop.

The Mossad was interested because the laptop contained construction plans, correspondence, and photographs of the Al Kibar complex being constructed in the Syrian desert.  Their suspicions had been aroused by, among other things, a high level of communications traffic between the site and North Korea.  The site was bombed and destroyed in September 2007, presumably by the Israelis, although the event has never been officially acknowledged, even by the Syrians.

Now it is doubtless true that most of us don’t have to worry about having our hotel rooms “cleaned” by a foreign intelligence agency.  But this is one more example of how important it is to get the basics right:  don’t leave your laptop lying around.

Microsoft Black Tuesday Preview, November 2009

Next Tuesday, November 10, Microsoft will release security patches for Windows and related software on its usual monthly cycle. According to the Security Bulletin Advance Notification, Microsoft will issue six security bulletins next Tuesday to address a variety of different vulnerabilities. All supported versions of Windows, except for the recently released Windows 7, are affected by at least one Critical vulnerability; Microsoft Office software, specifically Excel and Word, is also affected in all supported versions. The table below gives the breakdown:

Windows Version	Critical	Important
Windows 2000	2	1
Windows XP	1	1
Windows Vista	1	1
Windows Server 2003	1	1
Windows Server 2008	1	2
Microsoft Office	—	2

Most of these, unfortunately, will probably require a reboot. As usual, the severity ratings and other details may change when the final advisory is issued on Tuesday, I will post an update here on Tuesday once the actual bulletins are released.