Technical Storyteller
This week’s Friday Photo is posted on the following Monday due to technical challenges (yep, even engineers sometimes fat finger the keyboard).
Several years ago we went to the Big island of Hawaii, and visited the Hilo Zoo. It’s a really cool facility, especially for a small town. Near the entrance there’s a lake, and the lilies were in full bloom. The day was so still that the water perfectly reflected the cascading flowers – all that’s missing is a big bullfrog on one of the pads.
In the past couple of weeks, there’s been a number of stories breathlessly proclaiming that one state endured 150,000 ‘hack attempts’ on election day, that another was hit five times per second, 24 hours per day prior to the election, and so forth. But notice how none of the articles talk about how many ‘hack attempts’ were made the day after the election? Or the month before? Or six months after?
Now I don’t have access to the actual data from those states, but I strongly suspect that these numbers, while legitimate, are being spun to grind a political axe. Any IP address is going to be hit with port scans on a regular basis. Government sites are absolutely hit with many thousands of both targeted and drive-by probes. Sure, there might have been an uptick in activity approaching the election, but what I really want to know is how many focused, targeted sophisticated attacks happened versus non-election season? Then we might actually know something. We need a baseline of both general and targeted attack traffic to be able to judge if there’s anything statistically significant in the data – and ideally, to have comparison data for the previous election too. Until then, well, folks should take partial data with a grain of salt.
One last note – I am surprised that only 39 states report hacking attempts. Either the bad guys were slacking, or we have 11 states that don’t have good monitoring in place.
Java and Flash are two of the most celebrated and reviled web technologies – they enabled active content on the early Internet, and both far outlived their useful, and insecure, lives. Now at last we have a sunset date for Flash. It’s longer than IT and security folks would like, and too soon for the web developers who are – still – deploying solutions that require it. Looking at you NHL.com.
I suspect that one of the key changes that’s enabling the sunset was the addition of DRM support into HTML. That change has not been without controversy, with the ‘information should be free’ crowd getting almost hyperbolic in their predictions of doom, and the content producers unhappy as they won’t have complete control over the entire lifecycle of their product. I find the former irrational (I’m a capitalist at heart), and the latter annoying (locked down clients are often sub-par).
I’m a content creator – some is free, like this blog, and some isn’t, like my books. And that’s the key point – it’s up to each content creator to decide their own business model. If we want the web to evolve to a more modern, secure, and capable platform, we need to incorporate support for both sides of the argument. DRM in HTML does that, and it’s far better to have it in the open standard, than to simply replace one locked-in proprietary technology like Flash with another.
Ok, enough of that tangent. Flash will still be around for another three years in one form or another. Businesses should immediately change procurement requirements to prohibit purchases or renewals of new solutions involving Flash (that should have been done a while ago). For consumers, you don’t need to wait – you can get rid of it right now, and you probably won’t miss it at all. Removal instructions for Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html and Mac: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html are at those links. If you do run across a site that requires it, use Google Chrome and its built-in support, but make sure you lock down all the privacy settings. Here’s a good overview: https://www.howtogeek.com/100361/how-to-optimize-google-chrome-for-maximum-privacy/
While I’d like to see Adobe’s last update to include a forced-uninstall as well – no sense leaving vulnerable, inactive code out there, the good news that Mozilla, Google and Microsoft are all planning to completely disable Flash once security patches are no longer available. Flash was an amazing technology that allowed the ‘net to grow and flourish. Let’s celebrate its successes, and wish it a fond – and long-overdue, fade into the sunset.