Lowes: Helping Build Better Homes and Even Better Botnets
March 11, 2013
I do a good bit of tech support and once every few months, I get a call from a contractor or vendor that works with Lowe’s Home Improvement and needs help getting LowesLink to work on their computer.
Each time I do, I am utterly amazed at how reckless the LowesLink service is and the state it leaves a user’s computer in. In regards to computer security, anyone who uses LowesLink, and even more so anyone who actually follows their published instructions, has opened a gaping hole in their computer’s security.
For those who are not familiar with it, LowesLink is a web portal that makes invoicing and receiving payments from Lowe’s easier. In my experience it has mostly been used by independent contractors, but I would imagine it is also heavily used on the corporate side of things too.
The Main Issues Are as Follows:
1) LowesLink discourages people from using a modern browser, stating a requirement of Internet Explorer 7 or 8. They tell IE9 users to downgrade.
2) LowesLink requires people to use the generally insecure Java web browser plugin.
3) The LowesLink website tells users to download an old version of Java from 2010–2011 (jre-6u20 from 2010 through jre-6u27 from 2011).
4) LowesLink, through their published documentation and support staff, tells users NOT to update Java and instructs them to disable Java updates.
5) The LowesLink website, while using HTTPS, loads content insecurely. This results in a warning when visiting their page.
Why this is bad:
All of the above is a great way to ensure that their users are running an insecure and vulnerable system. It effectively creates the perfect storm of bad advice and insecure software.
The Java Browser plugin is ridiculously insecure by itself, not even taking into account that their website instructs people to install a 2+ year old version.
It would probably be quicker to point out the days over the last 3 years when there hasn’t been an unpatched Java browser plugin vulnerability being actively exploited in the wild. Consistently, Java is at the top of the list of insecure software that results in computer infections, along with Flash and Adobe Reader.
As a result, telling your users to install a version from 2010–2011 and then disable updates is amazingly reckless and irresponsible.
What makes it even worse is that, at least in part, the instructions published on their website are incorrect. Not only is it possible to run it with the latest version of Java 6, but also with IE9!
Also, telling users not to update Java is insane: Java 6 has already been updated 3 times in 2013, with fixes for around 60 security issues. If you follow their instructions, you would never get these updates unless they were performed manually, which most users are not going to do.
Even the US Government has come out stating that Java should be disabled in the browser, as it represents such a serious threat to security. And that is the most recent version! Not the version Lowe’s wants you to install!
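The practical problem for anyone supporting these users is spotting the machines that are still on a 2010-era JRE with updates turned off. The following is an added example (not code from the post or from Lowe’s) that parses legacy-style Java version strings such as 1.6.0_20 and audits a constructed inventory against a minimum update level; the hostnames, versions and the “1.6.0_43” minimum are assumptions, and the minimum should be replaced with whatever the current release is.

```python
import re

# Matches legacy Java version strings such as "1.6.0_20" (major 6, update 20).
_JAVA_VERSION = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")


def parse_java_version(version):
    """Return (major, update) for a legacy-style Java version string."""
    m = _JAVA_VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version)
    return int(m.group(1)), int(m.group(2))


def is_outdated(version, minimum):
    """True if `version` is older than `minimum`; tuples compare major first, then update."""
    return parse_java_version(version) < parse_java_version(minimum)


# Constructed inventory: hostname -> (installed JRE, automatic updates enabled?).
# The first two entries mirror the vendor's advice: an old 6u2x build with updates off.
SAMPLE_INVENTORY = {
    "contractor-pc-01": ("1.6.0_20", False),
    "contractor-pc-02": ("1.6.0_27", False),
    "office-laptop-07": ("1.6.0_43", True),
    "office-laptop-09": ("1.7.0_17", True),
}


def audit(inventory, minimum="1.6.0_43"):
    """Return sorted hostnames that run a JRE older than `minimum` or have auto-update off.

    `minimum` is an assumed placeholder; substitute the current Java 6 release.
    """
    flagged = []
    for host, (version, auto_update) in inventory.items():
        if is_outdated(version, minimum) or not auto_update:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print("needs attention:", host, SAMPLE_INVENTORY[host])
```

Both conditions are checked separately on purpose: a machine on the current build with updates disabled will be out of date by the next release, so it is flagged now rather than later.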
Loading Mixed Content from a Secure URL
As any web-dev with even a bit of experience can tell you, if you are going to use HTTPS, then you should load ALL resources over HTTPS.
However, Lowe’s not only fails to do this, but because the user is required to use Internet Explorer, they will see an unintuitive warning each time they visit.
Browsers handle insecure content differently, and what IE does by default is display a warning about the insecure content on each visit to the page. The prompt is phrased a little awkwardly: if you care about security you really should hit Yes rather than No. Hitting Yes, which is what most people instinctively do when they encounter a popup, tells IE to load only the secure content.
However, in this case, if you want LowesLink to work and display properly, you would probably need to hit No, which tells IE to load both insecure and secure content.
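The fix on the site owner’s side is simply to find every sub-resource an HTTPS page pulls in over plain http:// and switch it. The following is an added example, not code from the post or from Lowe’s, that scans a page’s HTML for such references (scripts, stylesheets, images, frames, objects) and resolves relative and protocol-relative URLs against the page URL so that only genuine mixed content is reported; the page URL and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource. A plain <a href> is
# navigation, not a sub-resource, so it is deliberately not listed here.
_RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute URL) loaded over plain http

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link rel="canonical"> and similar are metadata; only stylesheets are fetched.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr in _RESOURCE_ATTRS.get(tag, ()):
            raw = attrs.get(attr)
            if not raw:
                continue
            # Relative ("/x.png") and protocol-relative ("//cdn/x.js") URLs
            # inherit the page's https scheme and are therefore not mixed content.
            resolved = urljoin(self.page_url, raw.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, resolved))


def find_mixed_content(page_url, html):
    """Return [(tag, url)] for every sub-resource an https page would load over http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the hostnames are placeholders, not the real portal.
SAMPLE_PAGE_URL = "https://portal.example.com/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.com/portal.css">
<link rel="canonical" href="http://portal.example.com/login">
<script src="//cdn.example.com/jquery.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.com/banner.gif">
<a href="http://www.example.com/help">Help</a>
<object data="http://static.example.com/applet.jar"></object>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("mixed content: <%s> %s" % (tag, url))
```

Run against a saved copy of the page, the output is exactly the list of URLs that would need to become https:// (or protocol-relative) for the IE prompt to go away. Resources injected by scripts at runtime are not visible to a static scan like this, so a final check in the browser is still needed.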
Fix Your Documentation
Aside from just being horrible advice, the published documentation is actually incorrect.
I have been able to get LowesLink to work using a current version of Java 6 and Internet Explorer 9. So I know it works, even if that is still less than optimal.
If Lowe’s isn’t prepared to invest in fixing this mess, at least spend some resources making sure it works on a modern browser stack!
Why I am Writing This
This is one of those posts that I almost write each time I encounter LowesLink, as it is just such overwhelmingly bad advice. Whenever possible, I end up urging the user to use Firefox or Chrome and then ONLY use Internet Explorer for LowesLink, in an effort to reduce the risk of infection.
I am writing in the hope that Lowe’s will, as their support assures me each time I call, work to update this system. However, they have been saying that for years, and their system has been reducing the security of their users for just as long.
Lowes: Clean Up Your Act!
LowesLink is a disservice to all Lowe’s Users and those who support them. The LowesLink System, especially if you follow their published instructions, by design results in a computer that is vulnerable to infection.
This choice makes Lowe’s Contractors, Vendors, and Employees a very easy group to target and the low hanging fruit of the corporate world.
For years, support has been apologizing and saying they are working on something better, but here it is 2013 and they are still telling users to install a version of Java from 2011 and disable automatic updates.
Further, this isn’t just some Java applet color picker we are talking about. This is a system used for invoicing, bidding, and a ton of other really important and likely sensitive tasks. I understand it costs money to update, but I can’t even wrap my head around the multitude of bad choices that have brought us to this point.
Even my aunts and uncles are tech savvy enough to pick up on all the Java-related news, but apparently Lowe’s can’t or won’t invest the money to protect their users. Instead, they simply leave their users’ computers open to infection!
You Can’t Set Up Everyone’s Computer Like Your Own
March 5, 2013
Over the years, I have learned a lot about computers, not just in regards to fixing them, but also troubleshooting, the right types of questions to ask, how to walk people through simple repairs over the phone, and how different people use computers. One lesson that took me some time to learn is that you can’t always set up other people’s computers like your own.
I would classify myself as a power user and have been for some time. I became the computer guy for my friends and family pretty early on and was often called to set up a computer for the first time or figure out why something wasn’t working. Back then, I would lock down their internet browser, tweak security settings, and generally set up the computer just like mine. However, most folks aren’t power users, and this often had the effect of making their life more difficult, or meant that they would see a warning due to a security setting and just click through it. It took me a while to figure out that while this type of computer use was preferable for me, most people don’t want or need that type of experience.
Eventually, though, it clicked, and while I still take great care setting up people’s computers, I now try to do it from the perspective of a normal non-technical user rather than a power user.
The Case of the Locked Down Router
I ran into a great example of this today, while dropping off a laptop.
The client had been having problems getting their work computer to connect to the network. Their laptop and iPad worked fine, just not their work computer. So, they asked me to take a look at it while I was over there.
The network was saved with the wrong security settings, WEP instead of WPA, so I deleted the saved network profile and re-added it. It worked right away.
However, I have found that it is always a good idea to restart the computer after making these types of changes (or any changes, really) to make sure it still works on reboot. And sure enough, as soon as I rebooted I could no longer connect to the network. So, I logged into the router to see what was going on.
After a few minutes of playing, I discovered that it was set up to only allow 2 DHCP leases at a time. As a result, unless they manually set an IP address in their network adapter, it would only ever be possible to connect two devices to their router.
In retrospect, my being able to connect right away made sense. I had their personal laptop long enough for its lease to expire, so when I came back to their house and started the work computer, it filled the second slot that their personal laptop would normally have taken.
I set it to a higher limit and the problem was solved; they were able to connect with multiple devices.
During the work, we talked for a bit and I discovered that the person who set up their router was a friend who works in networking.
In addition to limiting the number of DHCP leases, he also made a few other changes, like setting the SSID to not be broadcast, which were geared at locking down the router. While this is similar to how I would set up a personal network, with a limited number of DHCP leases, a MAC filter, a reduced subnet, etc., setting up a non-power user’s network like this isn’t generally a good idea, as they would never have thought to check the DHCP limit and didn’t know how to reset their router.
So, I think this ends up being a great example of why you should try to put yourself in the shoes of the user when setting up a computer (or network), rather than approaching it how you would a personal system.
Getting Steam Beta Running in Fedora 17
December 22, 2012
Update 01/13/2013: Since writing this, the openSUSE packages have been removed from their site, at least in part due to “the unclear permissibility regarding the distribution.” However, instructions for converting the deb Steam package using the “ar” command are available via GitHub. I used this to do the update (although I had to install the old version first), as Steam notified me a new version was available.
While I used to play computer games a good deal in the past, I haven’t really played in a while, largely due to time constraints. At the risk of dating myself, I think the last time I gamed Unreal Tournament 4 was still pretty popular, so it has been awhile.
However, now that steam is running a Linux Beta and has opened it to the public, I decided to give it a shot and see how it works.
Steam Native Client Support
Valve is currently only officially supporting Ubuntu, but if you go to their support page, they have links to openSUSE, Gentoo, Fedora, and Arch packages. UPDATE: These have largely been removed, see the update above!
The Fedora repo page was initially 404ed, which is sadly par for the course when using Fedora, but the openSUSE page has Fedora packages which I was able to get running, and they have since updated their wiki to link to the openSUSE page.
I am currently running Fedora 17 64-bit, with XFCE, Nvidia Drivers, with dual monitors.
The Steam client runs, and I have downloaded and played a Team Fortress multiplayer match without any issues.
Steam Native Client in Fedora 17 64-Bit w/XFCE
The basic process to get the Steam client running in 64-bit Fedora Linux is:
- Check out the README on GitHub, github.com/xvitaly/steamrpm/blob/master/README.md, for instructions.
- The process involves downloading the deb, available directly from Steam here.
- Use the ar command to convert the deb to an RPM, then install as normal.
The earlier steps, using the openSUSE packages (see the update above), were:
- Go to openSUSE and download the RPM for your package: software.opensuse.org/package/steam
- Locate and install the correct RPM for your package; it will install some additional dependencies.
- Install libtxc_dxtn.i686, because it is apparently needed for Team Fortress 2.
The Steam client would not start right away, largely due to missing 32-bit packages on my 64-bit system, and I ran into the issues below.
Additional Dependencies when running XFCE – 64 Bit (see below for Steam Client Error Message and Resolution): xorg-x11-drv-nvidia-libs.i686, openal-soft.i686
Troubleshooting Client Startup Issues:
VGUI_Setup failed
Fixed by installing xorg-x11-drv-nvidia-libs.i686
Fatal Error: Could not load module ‘bin/FileSystem_Steam.dll’
Fixed by installing: openal-soft.i686
Finding Missing Dependencies
Thanks to a forum thread on Steam, I was able to find what was missing regarding the dll error by issuing the following commands:
cd ~/.local/share/Steam/ubuntu12_32
LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ldd * | grep "not found"
The result of the above command was: libopenal.so.1 => not found
Which pointed me to downloading the 32-bit version of openal.
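Over a directory with dozens of binaries, the raw output of that ldd pipeline is one long stream of “not found” lines with no indication of which binary needed what. The following is an added example, not part of the post, that parses the output of a plain `ldd *` run (file headers end in a colon; unresolved libraries read “=> not found”) and groups each missing library with the binaries that require it; the sample output below is constructed, with placeholder addresses.

```python
import re

# Constructed sample of what `ldd *` prints in a directory of 32-bit binaries.
# Header lines name the file; indented lines list its dependencies.
SAMPLE_LDD_OUTPUT = (
    "steam:\n"
    "\tlinux-gate.so.1 =>  (0xf7700000)\n"
    "\tlibopenal.so.1 => not found\n"
    "\tlibGL.so.1 => not found\n"
    "\tlibc.so.6 => /lib/libc.so.6 (0xf7500000)\n"
    "steamui.so:\n"
    "\tlibopenal.so.1 => not found\n"
    "\tlibm.so.6 => /lib/libm.so.6 (0xf7400000)\n"
    "libtier0_s.so:\n"
    "\tlibc.so.6 => /lib/libc.so.6 (0xf7500000)\n"
    "README.txt:\n"
    "\tnot a dynamic executable\n"
)

# "steam:" style header (starts at column 0, ends with a colon).
_HEADER = re.compile(r"^(\S.*):$")
# Indented dependency line whose loader lookup failed.
_MISSING = re.compile(r"^\s+(\S+) => not found")


def missing_libraries(ldd_output):
    """Map each unresolved library to the sorted list of binaries that need it."""
    missing = {}
    current = None
    for line in ldd_output.splitlines():
        header = _HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        hit = _MISSING.match(line)
        if hit and current is not None:
            missing.setdefault(hit.group(1), set()).add(current)
    return {lib: sorted(binaries) for lib, binaries in missing.items()}


if __name__ == "__main__":
    import sys
    # Feed real output with: LD_LIBRARY_PATH=. ldd * | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDD_OUTPUT
    for lib, binaries in sorted(missing_libraries(text).items()):
        print("%-20s needed by: %s" % (lib, ", ".join(binaries)))
```

The grouped view makes it obvious which single package (here the 32-bit openal) unblocks the most binaries, and it also catches libraries that only one auxiliary module needs and that a quick scan of the raw output would miss.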
SELinux Issues
I also temporarily disabled SELinux, because switching to “Big Picture” in the Steam client caused a “steam.sh: line 287” crash, due to it trying to use execheap.
What Works So Far
Currently the client, including registration, works correctly, and I am installing Team Fortress. I will post an update when it finishes downloading.
Update: Team Fortress is installed and I did not run into any issues playing the tutorial. The graphics look pretty nice too, although I haven’t done any configuring!
Update 12/29/2012: I have had a few issues with Team Fortress thinking I am not logged into the steam client, even though it is running. Starting Steam from the command line, as opposed to the XFCE Desktop icon, seems to fix this.
Copy Paste Sharing in Virtual Box!
November 15, 2012
If you go back through some of my posts, it is no secret that there are a lot of things about Oracle I don’t like, including what happened to many of Sun’s products after Oracle bought them out. While ultimately it worked out for the better in some cases, like with the fork of OpenOffice into LibreOffice, I don’t think that is always the case.
Having said that, I do use VirtualBox a good bit, primarily for checking websites in various versions of Internet Explorer. It is really convenient to be able to fire up a VM for IE7, IE8, IE9, Windows XP, Windows 7, etc., all from the same machine. Overall, it works fairly well too. However, I have been really slow to upgrade it since Oracle took over.
Recently though, after upgrading Fedora, my older 4.1.0 version of VirtualBox wouldn’t rebuild with the new kernel. Rather than debugging it, I decided to give the new version a shot and was pleasantly surprised with some of the updates between my rather old version and the current build.
One of the biggest ones for me is the ability to share the copy/paste clipboard between my host machine and my virtual machine. That is so insanely useful and one of the features I have been really wanting for some time. It looks like you can drag and drop items between virtual machines too.
The only downside is that it looks like you have to install the VirtualBox Guest Additions, which I have held off on in the past due to performance issues. I suppose there may also be a security risk to it as well, with the guest machine potentially being able to write to the host’s clipboard. However, that looks like it is disabled by default and can be set to only go one way, i.e. only copy from the host machine to the VM.
In any case, just being able to copy-paste between my Linux desktop and the VM is really cool, such a timesaver, especially when trying to type out a URL or something!
Amazing What a Simple WordPress Comment Blacklist Can Do
November 10, 2012
While Akismet is very effective, I worry that my sites don’t fall in line with its TOS, so I don’t use it on any of my personal sites, nor on those I do for clients, as I know they don’t fall under the non-commercial clause. I have never really been bothered by comment spam on my WordPress sites, though, as it is easy enough to ignore or disable comments, not to mention that sometimes a ton of comment spam can provide a one-off metric of how well ranked a page or site is.
Having said that, one of my personal WordPress sites did start to get hit pretty badly, and it became a pain to sort through the spam comments to find the one or two actual legitimate responses. Further, I noticed that some of my clients were bouncing emails due to spam content, which I think would likely cause issues maintaining a good reputation for their domain and server.
So, I began to look for a solution. Initially, I was going to roll my own simple WordPress comment spam plugin and got as far as playing with the comment hooks. However, I didn’t make it much further than that after deciding to take advantage of the Discussion -> Comment Blacklist setting.
After spending a few minutes going through my old spam to generate a keyword list, then updating it over the next few weeks when stuff squeaked through, I have been able to cut out the overwhelming majority of comment spam on that site. I think the Comment Blacklist alone has been responsible for catching over 1.5K spam comments over the past few months, with only around 80 words cutting out probably ~90% of the spam on that site.
How efficient this is, especially on a large scale, is debatable, and it doesn’t do much to block the off-topic praise and copy/paste spam*. However, it really has been effective on that particular site. I still want to try to come up with my own solution to get the other bit, to reduce overhead and for fun, but using the keywords has been a really easy and quick fix.
*I am sure there is a better term, but this includes the “You are such a great writer” spam that plays upon people’s ego, as well as the comments that have been copied from other, sometimes legitimate, comments and then mass submitted to multiple sites.
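To make concrete both what the keyword blacklist catches and what it lets through, the following is an added example, not code from the post or from WordPress, that reproduces the essential behaviour of a one-key-per-line blacklist: each key is matched case-insensitively as a substring of the comment’s author, email, URL, IP, content and user agent, and any hit holds the comment as spam. The keyword list, the comments and the 198.51.100.0/24 addresses are constructed for the example. The last comment is the ego-stroking copy/paste kind the post mentions, and it passes because nothing in it is on the list.

```python
# Constructed keyword list, one entry per line; blank lines and '#' comments are ignored.
SAMPLE_BLACKLIST = """
# product and link spam seen in the moderation queue
cheap-pills.example
payday loan
seo-services.example
# a whole /24 that keeps posting (trailing dot so it matches only that prefix)
198.51.100.
"""

# Fields a blacklist key is matched against, in the order they are checked.
FIELDS = ("author", "email", "url", "ip", "content", "user_agent")


def load_blacklist(text):
    """Parse the blacklist text into lowercase keys, skipping blanks and comments."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.append(line.lower())
    return keys


def blacklist_hit(comment, keys):
    """Return the first blacklisted key found in any field of the comment, or None."""
    for field in FIELDS:
        value = str(comment.get(field, "")).lower()
        for key in keys:
            if key in value:
                return key
    return None


def triage(comments, keys):
    """Split comments into (held_as_spam, allowed) lists of their ids."""
    held, allowed = [], []
    for comment in comments:
        (held if blacklist_hit(comment, keys) else allowed).append(comment["id"])
    return held, allowed


# Constructed comments: three that the list catches, one legitimate, one praise-spam that slips through.
SAMPLE_COMMENTS = [
    {"id": 1, "author": "Dave", "email": "dave@example.net", "url": "",
     "ip": "203.0.113.5", "content": "Buy now at CHEAP-PILLS.example, best prices!"},
    {"id": 2, "author": "Mike", "email": "mike@example.net", "url": "http://seo-services.example/",
     "ip": "203.0.113.9", "content": "Nice post."},
    {"id": 3, "author": "Anna", "email": "anna@example.org", "url": "",
     "ip": "198.51.100.23", "content": "Check this out"},
    {"id": 4, "author": "Pat", "email": "pat@example.org", "url": "",
     "ip": "203.0.113.77", "content": "Thanks, this fixed my DHCP lease problem."},
    {"id": 5, "author": "Lee", "email": "lee@example.net", "url": "",
     "ip": "203.0.113.80", "content": "You are such a great writer, I bookmarked your site."},
]

if __name__ == "__main__":
    keys = load_blacklist(SAMPLE_BLACKLIST)
    held, allowed = triage(SAMPLE_COMMENTS, keys)
    print("held as spam:", held)
    print("allowed:", allowed)
```

Because keys are plain substrings, short or common words (a bare “loan”, or a two-octet IP prefix) will also hold legitimate comments, which is why a list built from actual spam and then pruned as things squeak through works better than a long generic one.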
Taking the Bing Challenge (BingItOn)
October 10, 2012
I was doing a little research on webmail and unsolicited emails from email providers when a Hotmail email campaign drew me in (bad, I know).
They are running a Bing vs Google promotion, bingiton.com, where you can view search results side-by-side and choose one or the other as being the best. After viewing and rating 5, they show you who you selected, with some nice marketing speak that indicates that Bing is typically the winner.
Out of curiosity, mostly regarding how they would present the results, I decided to take the ‘challenge’.
Unsurprisingly, I feel it is probably weighted in favor of Bing, largely because they filter out Google’s sidebar and other components.
For example, if you search for ‘Raleigh’:
[Screenshot: what bingiton shows you]
[Screenshot: what the real results look like]
By filtering out the sidebar, Microsoft is able to significantly decrease the usefulness of the Google query and present a rather biased display, where the obvious choice if you want to know weather and such would be Bing.
I think the real Google presentation is not only more useful, but positioned better, as it is not within the search results and reduces clutter.
I did end up picking Google’s results 4/5 times when taking it too, but really they are both very, very similar results. Most of the reasoning behind my choice was due to the presentation of the results, like how the result title and description are chosen. Well, that and how Bing seems to still be much more polluted with eHow and other low-quality spam like wikianswers.
Of course, having said that, I think the actual results of Google vs Bing are probably more similar than they are different for most queries. The difference of presentation, however, like the above or how if you do a search for a math result on Google, you get a spiffy calculator you can use, sets them apart more for me.
IE 6: No longer Good Enough to Download a Better Browser
September 15, 2012
While doing a fresh XP install this morning and waiting on a few updates to finish, I fired up IE6 to get a few of the downloads out of the way.
However, MSN.com, the default landing page for a clean XP install, is unusable in Internet Explorer 6. To be sure, I did a reboot too, with the same effect, as I had been installing drivers [1][2].
It is unusable to the point that it simply freezes and errors out each time I open it. This isn’t the first time I have run into this, but the furthest I can generally get before IE6 crashes is typing a word or two in the search box.
The work-around is to go into the control panel and change the default home page to Google, as even just opening IE 6 on MSN.com crashes it, when it tries to load.
As a web developer, IE is often a source of pain. I don’t generally run into layout issues, aside from occasional bugs, certainly not as often as when I first started developing anyway, and much less after the rise of IE7/8. However, it is still quite problematic and ties one’s hands, not to mention obscure JavaScript issues and/or limitations, especially when you start working with forms or want to get even a little fancy.
I dropped free IE6 support some time ago too, now providing only IE7/8 legacy (occasionally very minimal) support with new designs, so I am more than ready to let the time-sink that is Internet Explorer 6 fade into obscurity.
So, I do see the humor in writing a post bemoaning the lack of IE6 support for anything.
However, it was Microsoft that saddled us with the abomination that is Internet Explorer 6 and then essentially dropped it on us for 5+ years, halting innovation basically as soon as Netscape (the competition) went belly up. There is no telling the developer hours that move alone cost, not to mention the huge security problems Internet Explorer is responsible for. IE7/8 were fairly bad too; just the horror that was IE6 made them look so much better.
As such, I don’t think it is unreasonable to expect Microsoft to, at minimum, assure that their flagship pages will load in IE6. Even better, providing a simple landing page to facilitate upgrades could make life so much easier.
A Windows XP install still has at least 2 more years of official support (long-term support being a selling point of Windows), and being able to do a search and/or open the browser from a fresh install doesn’t really seem like asking a lot. Especially when there is so much opportunity there to get people to upgrade to IE8.
[1] Because I was curious, I checked again after installing Service Pack 3. It just redirects to a blank page that appears to be related to a Facebook error; MSN.com is still unusable unless you click on something before the redirect, but it isn’t crashing anymore.
[2] Don’t get me started on having to install a LAN driver in 2012, so fundamental and a basic need to do anything else. I understand XP, but even sometimes with Windows 7 I find that I need to dig up a network driver.

