Technosophy

Practical computer tips, with a smattering of digital philosophy

Protect yourself against the Android “stagefright” vulnerability

A severe security vulnerability has just been discovered in one of the core media-rendering components of the Android operating system. This component was introduced in Android 2.2, and the flaw affects all subsequent versions of Android, up to and including the current 5.0 (Lollipop). The flaw allows for remote arbitrary code execution through the delivery of maliciously-crafted media files to any app that relies on the “stagefright” library to process and display media.

What makes this vulnerability so bad is that the stagefright library is the primary media processing engine for all new versions of Android: apps that rely on this library include core staples such as the Android Messaging app, the Google Hangouts App, and most mobile web browsers. What’s more, many of these apps (especially Messaging and Hangouts) generally come with default configurations enabling the automatic display of incoming media files in the form of new message alerts — functionality which gives an incoming malicious media file access to the library’s security flaw without the phone’s user having to do anything at all.

Although there are many, many ways malicious media files might make their way onto an Android phone, you can significantly reduce* the attack space available to exploits targeting this vulnerability by simply disabling automatic media-loading features. In particular, I just took the following steps on my partner’s Android phone:

* In Messaging -> Settings (the button with 3 vertical dots at the upper-right hand corner of the app), I turned MMS Auto-Retrieval off
* In Settings -> Apps -> Hangouts, I disabled the Hangout app altogether, because I could find no indication that it was possible to prevent the auto-loading of incoming media content
* I checked for and installed all available updates to all of the web browsers installed on the phone

*DISCLAIMER: you should take this advice as only one suggestion that will *generally* improve the security of your mobile device against threats like the stagefright bug. These suggestions do not in any way constitute a “fix” for the stagefright bug — the only way the bug can be fixed is via an official patch for your version of Android, distributed by your phone’s manufacturer.

Ubuntu / Debian Linux drivers for the Canon MX 922 and other MX series multifunctions

It seems that the Canon MX series of multifunction devices is sufficiently new that no one (including the U.S. arm of Canon itself) has bothered to release updated support documentation for the product line. To save you the trouble of digging through mounds and mounds of outdated help pages, then, here’s a direct link to the official Canon Linux driver package for the MX 920 series (which should work for most other MX devices as well):

http://support-asia.canon-asia.com/contents/ASIA/EN/0100517002.html

Wireless networking slow, flaky, or crashing your router? Have an Intel 5300, 5100, 6205, 6300 wireless chipset? Disable 802.11n!

Has your Intel-based laptop’s wireless connection been bizarrely slow, buggy, or unstable since you can remember? Have you found that connecting to certain wireless routers can cause the routers themselves to crash?  If any of the above applies, you might want to try disabling your wireless card’s 802.11n functionality – even if you don’t ever connect to n-capable access points.

A large number of people in the Linux community have been reporting significant instability with many bgn-capable Intel wireless chips, and have found that disabling 802.11n usually outright fixes the problems. (See here, here, and here for Ubuntu bug discussions on this subject.)

Nor, apparently, are the Linux folks alone: Windows users have been reporting similar instability with the 6300 chipset, most of which can also apparently be resolved by disabling 802.11n.

To do this on Linux, simply create a new .conf file in /etc/modprobe.d, with whatever name you like (as long as it ends with .conf, of course. Mine’s iwlagn.conf, since iwlagn is the kernel module being modified), and add the line “options iwlagn 11n_disable=1” to the file. Save, remove and reinsert the kernel module (or just reboot) and voila!

sudo -s
# 'echo', not 'cat': cat would try to read a file named "options iwlagn 11n_disable=1"
echo "options iwlagn 11n_disable=1" > /etc/modprobe.d/iwlagn.conf
# unload the module (fails if the interface is still up; a reboot works too)
modprobe -rf iwlagn
# reload it so the new option takes effect; -v shows what is being loaded
modprobe -v iwlagn
exit

For what it’s worth, I can personally confirm the existence of huge out-of-the-box stability problems on both Windows 7 and Ubuntu, with both 802.11g routers (without N capabilities), and routers with support for 802.11n.  I can also attest that disabling 802.11n does indeed immediately resolve all of the stability issues I’ve encountered (even if I’m connecting to a 802.11g-only router), at least on the Linux side of things.  Unfortunately, I haven’t had a chance to try implementing this fix on Windows, but I can confirm that updating driver stacks doesn’t help at all.

I should also note that both of my test cases involve Lenovo laptops (R400 and T420), and that many of the posts in the threads linked above reference Lenovo machines. Granted, machines from other manufacturers are clearly being affected by this issue as well, but Lenovos seem to be disproportionately affected, for whatever reason.

How disconnecting plugs us back into the world

Random thought: is the open-source philosophy inherently libertarian, and capitalistic?

After having read a fascinating essay on Julian Assange, my train of thought somehow brought me to a rather startling conclusion that I wanted to write down before it slipped my mind.  Namely, that the open source philosophy is not particularly conducive to helping people actually get along with each other. Instead, it is an outgrowth of a kind of utopian libertarianism, predicated on the idea that a system that encourages each individual to do whatever he/she wants will maximize the value of the system for the entire collective.  Indeed, when resources are infinite, and conflict easy to ignore or escape (as is the case, to some extent, in digital spaces), this may be the case.

But even in the world of information, this approach has costs. For example, there is a hefty bias in the open source community in favor of a very narrow kind of power: technical wizardry, association with powerful techno-business interests, etc. In some senses, this bias stems directly from the mandate for each individual in the “Linux community” to extract maximum individual value from the community – either in substantive terms, or in terms of garnering increased authority and respect (social capital). That is, the “open source community” is something of a hyper-competitive meritocracy, with different individuals (or teams) each working to amass the greatest possible shares of technological achievement – the only kind of authority universally recognized by the “community” at large. Thus, the core value of the open source “community” is distinctly anti-social (i.e., vehemently, obsessively technical) in nature, and that fact sets the tone for much of what goes on within it.

And so voices with less technically-oriented priorities (e.g., user education; accessibility; social responsibility, etc.) are often ignored and discarded, left to either break off to form their own splinter groups (Fedora, Ubuntu, and LibreOffice being the most notable examples) or be quietly suffocated by disinterest. As a result, unfathomable resources are wasted on parallel but independent efforts, undertaken by various splinter groups who couldn’t quite reconcile their differences, to accomplish almost exactly the same ends. The guiding principle on which the entire Linux “community” is based is that if something isn’t quite right, it is the responsibility of the individual(s) who find it so to make the necessary corrective adjustments. And so the entire “community” is maintained primarily by means of powerful individual-centered enticements: people give back, when they do, either as an accidental by-product of pursuing their own agendas, or to increase their own fame, reputation, and authority within the community. So if the Linux community at large doesn’t seem to be entirely comfortable embracing any kind of a broader social vision, that’s because it isn’t, at least not intrinsically.

After all, what happens when there is more than one metric of influence and worth in a community?  When people who have vastly different priorities must live and work side-by-side, and do not have the space to fork away from each other because of minor differences in philosophies?  When the resources needed to support such forks are physical rather than informational, and must come from a finite pool, shared by all?

The open-source movement has some intrinsically libertarian characteristics, it would seem, and while some of these – an emphasis on personal responsibility, democracy, egalitarianism, etc. – may be positive, they cannot be separated from their accompanying shadows: deprioritization of social responsibility, the rise of single-factor meritocracy, and the failure to recognize, much less address, pre-existing inequalities (in education, access to resources, and social status within the community) that place potential entrants into a given community on distinctly unequal footing.

Consider the following observation taken from an excellent Ars article on the “app-store” model of software governance, which presents the converse of the argument being made here:

Indeed, from the perspective of the ordinary user, the PC software market may not seem especially free. Lacking the sophistication to distinguish good software from bad, many users don’t feel free to install software at all. In a sense, a curated app store actually increases the freedom of the typical user by enabling him to buy software without the help of his IT-expert sister-in-law.

In other words, because the so-called curated computing philosophy of software governance takes into account and adjusts for differing levels of user competence, it actually gives users on the lower end of the technical spectrum much greater choice and autonomy than does the laissez-faire model of governance, by providing some basic level of user education and support, and safeguards to prevent users from doing something to harm themselves.  Admittedly, all this comes at something of a cost to the most advanced users, who would rather have unfettered control over every aspect of their own “user experience.” But if the goal of the open source community is actually to create a completely egalitarian information society (see Barlow), why shouldn’t this sacrifice be seen as necessary and proper?  The fact is, of course, that it isn’t, because the open source philosophy as a whole is not based on any unifying social ideal – save the dubious deification of individual autonomy.

The overall point, I suppose, is simply that governance is complex and nuanced.  Despotism is not universally evil, and democracy is not universally good.  Hopefully we’ll eventually be able to figure out better ways to incorporate the best elements of both, while discarding the worst.

Cron jobs not running properly? Check your paths (and other troubleshooting ideas)

It took me several hours of poking around to figure out why certain cron jobs were quietly failing to run, while others (which were seemingly far more complex) were running just fine.  The answer, it turns out, was sitting squarely in the middle of the manpage on crontabs (man 5 crontab):

Several  environment  variables  are  set  up automatically by the cron(8) daemon.  SHELL is set to /bin/sh, and LOGNAME and HOME are set from the /etc/passwd line of the crontab’s owner. PATH is set to “/usr/bin:/bin”

What this means is that even if a certain executable runs just fine from your own command prompt, cron may not know where to find it, because most user shells have PATHs far more extensive than the bare-bones default relied on by cron. And if cron cannot find an executable, it simply won’t run the task in question. There are two solutions to this problem. First, you can tell cron to check all of the paths that are active in your own shell session (issue echo $PATH at a terminal), then put the results of that command on their own line at the top of your crontab file, like so:

PATH = <what you just got from echo $PATH>

Alternatively, you can just make sure to always use absolute pathnames for every executable you invoke in your crontab. To find the exact location of an executable, issue whereis <simple name of executable>.


Should you run into other problems getting your cron jobs to run (which is likely, given that any flaw in syntax anywhere in a crontab line can result in the entire line silently failing to execute), you can use output and error redirection to force the line in question to dump more information about why it’s failing to a specified location (basically, you’re creating your own mini-logging system).  Set up such a log, and then try running the troublesome task every minute (* * * * *) until you get it to work.
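As an added example (mine, not from the original post), here is a small POSIX shell script that applies the manpage’s point mechanically: it pulls the command word out of each crontab line and reports which commands cron could not find on its default PATH of /usr/bin:/bin. The crontab text and the backup-db tool in it are constructed for illustration, and the sample lines use the >> log 2>&1 redirection described above.

```shell
# Added example (not from the original post): find crontab commands that cron
# could not locate under its bare default PATH of /usr/bin:/bin.
CRON_DEFAULT_PATH="/usr/bin:/bin"
# resolve_in_path NAME PATHSPEC: print the executable's full path, or return 1.
resolve_in_path() {
    case $1 in
        */*) [ -x "$1" ] && printf '%s\n' "$1"; return ;;   # explicit path given
    esac
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -x "$dir/$1" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$1"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# cron_command_of LINE: print the first word of a crontab line's command part;
# return 1 for blank lines, comments and VAR=value settings (such as PATH=...).
cron_command_of() {
    set -f                       # keep '*' time fields from glob-expanding
    set -- $1
    set +f
    case ${1-} in
        ''|\#*|*=*) return 1 ;;
        @*) [ $# -ge 2 ] || return 1; shift 1 ;;   # @reboot, @daily, ...
        *)  [ $# -ge 6 ] || return 1; shift 5 ;;   # five time fields
    esac
    printf '%s\n' "$1"
}

# count_unresolvable CRONTAB_TEXT PATHSPEC: print how many commands cannot be
# found on PATHSPEC, naming each offender on stderr (redirect that to a log).
count_unresolvable() {
    printf '%s\n' "$1" | {
        missing=0
        while IFS= read -r line; do
            cmd=$(cron_command_of "$line") || continue
            if ! resolve_in_path "$cmd" "$2" >/dev/null; then
                echo "not found on $2: $cmd" >&2
                missing=$((missing + 1))
            fi
        done
        echo "$missing"
    }
}

# Constructed sample: 'backup-db' stands for a tool that only the user's
# interactive PATH covers; the '>> log 2>&1' idiom is the post's debugging tip.
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=""
0 2 * * * backup-db --full >> /tmp/backup.log 2>&1
*/5 * * * * sh /home/me/check.sh >> /tmp/check.log 2>&1'
echo "missing under cron PATH: $(count_unresolvable "$SAMPLE_CRONTAB" "$CRON_DEFAULT_PATH")"
```

Run it against your real crontab with count_unresolvable "$(crontab -l)" "/usr/bin:/bin" to see which jobs need an absolute path or a PATH= line.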


Socially responsible alternatives to Amazon.com

There seems to be an unwritten natural law that corporations beyond a certain size must engage in highly unethical behavior of one form or another.  Sadly, Amazon.com is no exception, as demonstrated by recent revelations about the way it treats its workers and its ongoing campaign to interfere with the political process in various states.

In response to Amazon’s behavior, I have begun looking for alternative shopping hubs that are at once more socially responsible, but also do not ask me to sacrifice too much in the way of selection, convenience, or savings.  Believe it or not, I’ve had a fair amount of success, and have managed to stay almost completely Amazon-free throughout the holiday season.  Here are a few of the sites I’ve uncovered, to which I’ll be returning frequently until Amazon decides to clean up its act:

Better World Books (Books)

This site is simply extraordinary, matching or exceeding Amazon on nearly every practical metric (selection, pricing, speed, etc.) while also expressing a firm commitment to making the world a better place in multiple ways. As the website puts it:

Better World Books uses the power of business to change the world. We collect and sell books online to donate books and fund literacy initiatives worldwide. With more than 8 million new and used titles in stock, we’re a self-sustaining, triple-bottom-line company that creates social, economic and environmental value for all our stakeholders.

Wayfair (Home furnishings):

The socially-beneficial bona fides of this group aren’t quite as obvious, but they at least seem to genuinely care about their workers’ well-being – and their workers, in turn, seem to be a pretty socially-conscious lot.

I’ll post more as I find them!


Are the PROTECT IP and Stop Online Piracy (SOPA) acts irrelevant?

It seems that many of the provisions of the widely-vilified PROTECT IP (House) and Stop Online Piracy (Senate) bills may already be in operation, at least as far as the U.S. court system is concerned.  Ars Technica reports that a federal judge has decreed that “nearly 700” domain names associated with sites that are allegedly selling counterfeit Chanel goods must be immediately seized from their registrants.  What’s more, the court ordered that “all Internet search engines” and “all social media websites” must immediately remove all references to the confiscated domain names.

This saga clearly has countless interesting and troubling implications.


A letter to Pandora regarding its new look, and increasingly close relationship with Facebook

I am a Pandora One subscriber, though I’m starting to doubt that I will continue to be after my subscription expires next year. Since I use the Pandora One Desktop applet, I was unaware until very recently of your recent interface overhaul, which seems to be the next stage in a partnership between Pandora and Facebook that I was already exceedingly uncomfortable about. As far as I can tell, your new interface is either designed to replicate the Facebook experience, or directly interface with Facebook’s own code in an even more integral fashion than before, or both. Whatever the underlying rationale, I wanted to express my extreme dismay at your ongoing choice to incorporate into the Pandora site more and more elements (including tons of privacy-infringing javascript) of what I consider to be one of the most unappealing and hazardous sites on the Internet.


Mac OS X: How to toggle among multiple open windows of a single application

Since it took considerably more effort than I expected to find this information via scroogling, I figured I’d record it here for posterity.

As someone who is fairly new to the Mac OS GUI, I was flummoxed and peeved by the fact that <Alt><Tab> cycles only through each of the open applications on any given system – not the individual windows of each of those applications (the window you get when you toggle from application X to Y is always the one you were working on last within application Y). Apparently, to move among windows within application Y, one must instead use <Alt><~> (yes, that’s a tilde).

Many thanks to Apple for unnecessarily tweaking yet another nearly-universal standard for the purpose of “enhancing user experience”.