menu

Month: May 2018

Updated Posted by Arnon Erba in News on .

It’s May 25th, and the European Union’s new General Data Protection Regulation (GDPR) is ready to enjoy its first day of enforcement. This new set of regulations, approved by the EU Parliament in April 2016, marks a massive change in the way companies across the world will be forced to operate with regards to privacy.

What Is the General Data Protection Regulation?

GDPR is a set of privacy regulations governing how companies must handle EU citizens’ personal information. The GDPR builds on existing EU policies but sets a much higher bar by requiring companies to gain explicit consent from users before gathering any personal data. It also requires that affected companies provide tools for users to view, modify, and request deletion of any of their stored information, and it provides a fairly broad definition of what personal information means.

The new rules also come with hefty fines for companies that aren’t compliant. Just a few hours into the GDPR enforcement period, Facebook and Google have already been hit with lawsuits, even though they’ve spent months preparing for GDPR compliance. The wide-reaching and, in some cases, vague language of GDPR means that the road to compliance is not straightforward and that regulators will have a fair amount of leeway in how they enforce the new rules.

GDPR also introduces new breach disclosure laws, requiring companies (aka data controllers) to notify the proper authorities within 72 hours:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority . . . unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Not Just for Europe

Even though GDPR only protects European Union citizens, it affects businesses and organizations around the world. Anyone who stores or processes the data and personal information of EU citizens is forced to comply with the new regulations or risk the steep fines. Even with two years to prepare, this caveat has left several US companies unprepared for the new regulations, and has resulted in some wholesale bans of all European Union IP addresses in an attempt to prevent accidental collection of EU citizens’ data.

A Last-Minute Scramble

Companies have been scrambling to reach compliance, resulting in a steady stream of privacy policy and terms of service updates from leading technology firms. Still, not even the regulators are ready. With such a wide-reaching and widely interpretable set of regulations, it remains to seen what will happen as companies finally settle into compliance. For now, we can site back and enjoy the GDPR Hall of Shame.

Updated Posted by Arnon Erba in News on .

Today, the Google Chrome security team announced the next step in their plan for handling plain HTTP pages in Chrome. Over the past couple years, the Chrome team has been slowly increasing the negative visual feedback users get when they interact with unencrypted HTTP sites, and back in February 2018 the team announced a plan to eventually mark all plain HTTP pages as “Not secure” in the address bar. That visual change is still scheduled to take effect in July 2018, but the team has already announced another big change, this time to the way Chrome visually handles already-secure HTTPS sites.

A Little Less Carrot, and a Little More Stick

Starting in September 2018, Google Chrome will no longer display the word “Secure” in the address bar for sites that support HTTPS. The rationale behind this change is that users should only be warned when a site is not loaded securely. Otherwise, users have to look for the absence of a padlock or the “Secure” text, and an obvious warning about insecure content is generally more noticeable than the lack of a positive visual indicator. As shown in the screenshot below, the padlock icon will still stick around for awhile longer, although it will no longer be colored green.

Later, in October 2018, the forthcoming “Not secure” warning on HTTP pages will turn red when users try to enter data into any form loaded over HTTP. Currently, the “Not secure” warning is only shown on HTTP pages with password forms, and when shown it is colored grey to match the site’s URL.

Still a Controversial Change

Google’s significant push towards universal adoption of HTTPS has not been without controversy. It’s generally accepted (for fairly obvious reasons) that sites handling the submission of sensitive data — like passwords and credit card numbers — should use HTTPS, but advocates of universal HTTPS suggest that even the most insignificant sites can still benefit from encryption.

For one, some sites still only use HTTPS for their login pages and serve the rest of their content over HTTP, which can open users up to very real attacks like session hijacking. Also, since all HTTP traffic is sent over the Internet completely unencrypted, it can be modified in transit, censored, scraped for tracking purposes, or have advertisements injected into it. While rare, ad injection by ISPs is very real, and the fact remains that HTTP traffic can be snooped on by anyone from local Wi-Fi hijackers to national governments.

On the other hand, opponents of universal HTTPS raise several complaints. Some claim that HTTPS is simply not needed for sites that do not handle sensitive data and do not care what happens to their content in transit. Others suggest that deprecating HTTP will kill off old, unmaintained websites from the 90’s and early 2000’s that contain valuable information and will likely never be migrated to HTTPS.

Mainly, opponents claim that Google is exercising an unreasonable amount of monopolistic authority over the future of the Web. Google has already been using HTTPS as a positive ranking signal in its search results since 2014, and as a company it does have a significant amount of influence over the Web.

An Ideological Dispute

At some level, the pro-vs-anti-HTTPS debate boils down to an ideological dispute over who should control the future of the web. Proponents claim that universal HTTPS is genuinely in everyone’s best interest, while opponents rankle at the thought of the Web being influenced by Internet companies rather than being the free-to-enter, open-to-everyone system that they feel it began as. Realistically, Google isn’t the only major company backing universal HTTPS, and with the amount of support behind the movement it’s unlikely to show any signs of slowing down.

Updated Posted by Arnon Erba in Meta on .

It’s been almost exactly two years since I left Blogger for WordPress, and I haven’t looked back since. This month, I’m excited to announce the first major update to Arnon on Technology since its 2016 reboot.

Ancient History

I’ve been writing about technology on and off since 2012, when I set up a simple blog on Blogger. After discovering that my chosen URL of technology.blogspot.com had been taken, I settled on the name “Technology by AE” and immediately published a rant about the new tab bar layout in Safari 6.

In the years that followed, my blog went through several major iterations. I posted extensively throughout 2013 and 2014 and refined my original electric green Blogger theme. In fact, the header image for this post is the original background image from 2012. However, by 2015, I had become tired of Blogger’s limitations, and was struggling to find time to write and post articles.

Finally, I manually migrated all my old posts to a fresh WordPress blog. Google had recently released its new design language, Material Design, and I built a Material Design-inspired WordPress theme to accompany the new site. “Technology by AE” became simply “Blog – Arnon Erba”, and it entered life as a sub-page under my own personal website.

Over the next few years, I worked on refining the content I posted. I launched the Server Logs Explained series and wrote some exhaustive posts about specific computer problems I had faced and how I fixed them. I rolled out HTTPS and worked on optimizing the layout and design for speed and accessibility. Still, the site felt like it was still hiding in the shadows, not quite used to its full potential.

What’s New

The first major change was to choose a real name for my blog, something I should have done from the start. In keeping with some of my favorite industry blogs — Joel on Software, Krebs on Security, and of course SwiftOnSecurity — I am excited to finally call this site Arnon on Technology. No more esoteric or ambiguous page titles.

I’ve made a lot of other changes, some obvious and some less so. I fixed some issues with the <h1>-<h6> header tags, making the site more accessible and more easily discoverable by search engines. I’ve continued to make some backend optimizations, and have made the site fully accessible via IPv6. But mainly, I’ve substantially changed the design once again.

Ever since rolling out my original Material Design theme (dark grey text on a white background), I’ve always wanted to try a light-on-dark variant. This theme is the realization of that dream, and is reminiscent of my original eye-searing Blogger theme. Personally, I like the new theme, and it comes with a wide variety of subtle improvements, especially for mobile devices. Hey, if Ars Technica can still offer a dark theme…

Looking Forward

My goal has always been to post useful or entertaining content — ideally both. I hope I’ve achieved that goal, at least occasionally, and I have a reasonably large stock of drafts stored up that I’m hoping to finish and post in the coming months. At any rate, it seems like two years is the average life of my site-wide redesigns, so we’ll see what the future holds.

Updated Posted by Arnon Erba in News on .

A little over a month after the release of Red Hat Enterprise Linux 7.5, CentOS Linux 7.5 (1804) is now generally available. Releases of CentOS, the free Red Hat Enterprise Linux (RHEL) clone, usually lag behind the releases of its enterprise counterpart, but are identical as far as package selection and day-to-day use and administration are concerned. CentOS, like RHEL, is highly regarded for its stability and its enterprise-readiness, and it fills in the gap between the stable but license-restricted releases of RHEL and the fast-paced releases of Fedora.

CentOS 7.5 is available as an easy in-place upgrade for existing systems and brings an updated kernel and dozens of updated packages. Since 7.5 is a minor release, upgrading an existing system is as easy as:

yum clean all && yum update

After updating, you’ll want to reboot to take advantage of the new kernel and to restart any services that have been modified. If you’re provisioning a new system, it’s a great time to go grab some updated installation media. If you’re upgrading an existing system, you can always check your CentOS or RHEL release version with cat /etc/system-release and your kernel version with uname -r.