Triclosan, Still

May 21, 2013

I’ve written here a number of times over the past couple of years (most recently here) about triclosan, an anti-bacterial and anti-fungal agent that is used in a wide variety of consumer products, including anti-bacterial soaps, toothpaste, deodorant, mouthwash, other cosmetic products, and household cleaning supplies.   The US Food and Drug Administration [FDA] has been conducting a safety and effectiveness review of triclosan for some time now. The review was originally scheduled to be released in April, 2011; last summer, it was promised by the end of the year (2012).  We’re all still waiting.

The Singularity Hub site has an article on this ongoing saga.  It gives a bit more of the history: the FDA issued draft guidelines in 1978, which classified triclosan as “not generally recognized as safe and effective”.  Since the guidelines were never finalized, nothing changed.

The FDA has not given an updated timetable for the release of its review.

Is It Warm in Here?

May 18, 2013

The May 11 issue of The Economist has an interesting, though disturbing, short article on one measure of global climate change: the percentage of carbon dioxide [CO2] in the atmosphere.  This has recently reached a new high in recent history.

AT NOON on May 4th the carbon-dioxide concentration in the atmosphere around the Mauna Loa Observatory in Hawaii hit 400 parts per million (ppm).

Now, 400 ppm does not sound very high; after all, it is only 0.04%.  However, as the article goes on to point out, this concentration of CO2 has not been routinely present since the Pliocene epoch, about 4 million years ago.

The data series  is from the observatory at Mauna Loa in Hawaii, run by the Scripps Institution of Oceanography, part of the University of California at San Diego.  This series (sometimes called the Keeling Curve in honor of the scientists who initiated the project) is of particular interest for two reasons:

  • The observation site is remote from large centers of human population, minimizing fluctuations due to temporary pollution spikes.
  • The observations have been made consistently, at the same place, since 1958.

There is a regular seasonal fluctuation in CO2 levels, tied to plants’ growth cycles.  In the northern hemisphere, levels tend to peak in May, and then fall until about October, as plants’ growth removes carbon dioxide from the atmosphere.

Carbon Dixoide Levels at Mauna Loa

Source: Scripps Institution of Oceanography

The seasonal pattern is clearly visible in the graph.  The more striking thing, of course, is the steady rise in the carbon dioxide levels, an increase of more than 25% over the observation period.  And there is no evidence that the rate of increase is getting smaller.

Social Network Risks

May 17, 2013

Yesterday’s Washington Post has a report on the concerns raised by parents and child advocates about the use of social networks by pre-teenagers.  The story focuses on the photo sharing service, Instagrambut the general issues are relevant to other sites as well: is the site collecting the personal information of susceptible children, and does it do enough to protect them from miscellaneous predators.

The Instagram service is an offshoot of Facebook, the social networking giant, which has about 1 billion users.  The company’s policy requires users to be at least 13 in order to open an account, but the Instagram site does not even ask the user’s age when (s)he signs up.  (The main Facebook site does require a bit of verification, requiring the user’s real name and age; however, the effectiveness of this is questionable, since there is no way to check the user’s answers.)  The result is that many children under 13 have set up Instagram accounts.

There is some reason for concern about this; looking at the site (or at Facebook, for that matter, where I have an account) shows that many users post a great deal of what might be regarded as fairly personal information.  Most readers are probably familiar with news stories of people whose employment or other prospects have been damaged by indiscreet posting and photos on Facebook and other social sites.  Even if one grants that adults have a right to behave like complete idiots if they wish to, it seems reasonable that children, who lack both mature judgment (such as it is) and experience, deserve some protection.

However, people need to realize that, outside the realm of science fiction, this is not a problem that has a technological solution.  Even if it were possible to develop a peripheral device that would automagically detect a persons age, it really wouldn’t solve the problem; all the server on the other end of the transaction can do is to verify that the bit pattern it receives indicates the user is 13 (or 18, or 21).   Were such a device to be developed, I would not expect it to be long before some enterprising teenage hacker produced a “spoofing” device.

Facebook and other social-media sites have said that authenticating age is difficult, even with technology. A Consumer Reports survey in 2011 estimated that 7 million preteens are on Facebook.

It’s not difficult; it’s effectively impossible.

The other thing that all of us, kids and adults, need to remember is how businesses like Facebook work.  It may seem, as you sit perusing your friends’ postings, that you are a customer of the service.  But the customers are actually the advertisers who buy “space” on the service, which has every incentive to provide the customer with as much personal information as possible, in order to make ad targeting more effective, thereby supporting higher ad rates.  When you use Facebook, or other similar “free” services, you are not the customer — you are the product.

Mozilla Releases Firefox 21, Updates Thunderbird

May 14, 2013

Not wishing, apparently, to be left out of the Patch Tuesday festivities, Mozilla today released the next major version, 21.0,  of its Firefox browser for Mac OS X, Windows, and Linux.  This version fixes eight security vulnerabilities, three of which Mozilla rates as critical.  The new version also incorporates some new features, including:

  • Enhanced “Do Not Track” interface
  • Support for multiple providers in the Social API
  • Suggestions on how to improve application start-up time, if needed

Further information on the new version is available in the Release Notes.  You can download installation packages, in a variety of (human) languages.

Mozilla also released a new version, 17.0.6, of its Thunderbird E-mail client, for all platforms.  The new version provides an update to the Twitter API is uses, and also fixes six security vulnerabilities, three of which Mozilla rates as serious.  Further information is available in the Release Notes.  You can download installation packages for all languages and platforms.

Because of the security content of these releases, I suggest updating your systems as soon as it’s convenient.

Microsoft Patch Tuesday, May 2013

May 14, 2013

As expected, Microsoft today released its regular monthly batch of security bulletins and associated patches.  This month there are ten bulletins, addressing 32 identified vulnerabilities.    Two bulletins have a Critical severity rating, and the remaining eight are rated Important.   Five of the bulletins are for Windows and its components; every supported version of Windows is affected, and all desktop versions have one or more Critical vulnerabilities.

The remaining five bulletins, all of which are rated Important, apply to other Microsoft software products.   There are three bulletins for Microsoft Office and its components (including Word Viewer).  Microsoft Lync has one bulletin, and there is one for Windows Essentials.

Microsoft says that three of the Windows bulletins will definitely require a system reboot, and the others may require one, depending on the configuration of your system.

For more detailed information, and download links, please see the Microsoft Security Bulletin Summary for May 2013.

As usual, I recommend applying these patches to your systems as soon as you conveniently can.

The handlers at the SANS Internet Storm Center have posted their usual summary and evaluation of this month’s patches.

Update Tuesday, May 14, 14:40 EDT

According to the folks at the SANS Internet Storm Center, one of these bulletins, MS13-038, which applies to Internet Explorer 8, fixes a vulnerability that is being exploited currently.

Critical Updates for Adobe Reader, Acrobat — and Flash

May 14, 2013

As expected, Adobe has released new versions of its Acrobat and Reader software, incorporating critical security updates.  There is also a critical update for Flash Player, though this was not included in the preview announcement.

The updates for Reader and Acrobat address a total of 27 identified vulnerabilities. According to the Security Bulletin [APSB 13-15], the vulnerable versions of Acrobat and Reader are:

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh

The Security Bulletin lists the appropriate new versions for these. Users of Reader or Acrobat on Windows or Mac OS X can get the new version via the update mechanism built into the software, which is set to check for updates automatically by default; to initiate a check manually, choose Help / Check for Updates from the product menu. Alternatively, you can download appropriate Reader updates from these links:

Please see the Security Bulletin for Acrobat update downloads, and for further details.

As noted above, Adobe has also released Critical updates for Flash Player; according to the Security Bulletin [ASPB 13-14], these fixes address 13 identified vulnerabilities. Affected versions of the software are:

  • Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier versions for Linux
  • Adobe Flash Player and earlier versions for Android 4.x
  • Adobe Flash Player and earlier versions for Android 3.x and 2.x
  • Adobe AIR and earlier versions for Windows and Macintosh
  • Adobe AIR and earlier versions for Android
  • Adobe AIR SDK & Compiler and earlier versions

Users on Windows or Mac OS X systems should received the update automatically, if they have enabled the option “Allow Adobe to install updates”. Otherwise, they can obtain the new version from the Flash Player Download Center, as can Linux users. Please see the Security Bulletin for Android updates. Google Chrome ships with its own version of Flash Player, and I would expect a new version of Chrome, incorporating these updates, to appear “real soon now”. I’ll update this post when it’s available.

Because they are so widely installed across platforms, Reader and Flash Player have been tempting targets for the Bad Guys. I suggest that you update your systems as soon as you conveniently can.

Update Tuesday, 14 May, 13:05 EDT

According to a post on the Chrome Releases blog, Google is now pushing Flash Player updates for the Windows and Mac versions of Chrome.  (Mea culpa: I had forgotten that they had added to capability to update things like Flash without doing a whole new version.)

OUCH on Passwords

May 13, 2013

One of the “Useful Links” in the sidebar here is to the SANS Internet Storm Center [ISC].  The site, staffed by volunteer “handlers”, a group of highly skilled and experienced security professionals and systems/network administrators,  is a very valuable source of the latest security news.  It is, however, a site aimed at IT professionals, and tends, understandably, to be fairly technical, and to assume a fair amount of basic IT knowledge for starters.

However, to their credit, the folks at ISC have not neglected the ordinary user.  It has had, for a couple of years now, an initiative called Securing the Human, which attempts to address security policy issues considering the users’ perspective.  (In the interests of honesty, from personal experience, I am bound to say that this is probably not entirely from altruistic motives — better educated users are, on the whole, less likely to make terminally stupid mistakes.)    The Securing the Human initiative has also involved publishing a newsletter called OUCH!, which is oriented toward end users.

The latest issue of OUCH! has a short (three-page) article on good password practice [PDF].  It has some good, common sense advice that will help you use passwords securely.  If you are a systems admin person, you might want to consider giving copies to your users.

I’d just make one final suggestion: using a password manager, such as Bruce Schneier’s PasswordSafe, can be a big help in managing your passwords, and using them well.

%d bloggers like this: