PC Pro

JON HONEYBALL

Jon isn’t in the best of moods as he goes to war with vulnerable firmware and takes aim at Facebook’s new look – before explaining how to get rid of it

I know I’m becoming a grumpy old man (grumpier – Ed). My tolerance for manufacturers that deliver poor products is getting smaller by the year. I haven’t yet got to the point of going nuclear with a company over the shoddy products that they ship, but I came close recently.

Much of this upset comes down to the way that companies are handling security issues, especially fixes in firmware. The inescapable reality is that new security exploits are found all the time – one of this summer’s treats has been the Ripple20 set of exploits, which was found by JSOF (jsof-tech.com/ripple20).

In essence, JSOF found 19 vulnerabilities, including multiple remote code executions. What was special about Ripple20 was the way in which it got out into the wild. The back story here is that these exploits were present in a low-level TCP/IP software library developed by a company called Treck Inc. This library was incorporated into a huge range of products by developers, who essentially bought it as an off-the-shelf component and put it into their products. I’m sure there are vendors who aren’t even aware that the Treck stack was used in their products, especially if they outsourced their software and firmware development to a third party.

Now for the scary part: the best estimates put the number of exposed devices into the billions. Not millions, billions. Treck has released an updated library (version 6.0.1.67 or later) without the issues, which can be compiled up into a new software and firmware stack by a vendor and then released as an update. However, this presumes that the vendor is aware of the issue and can be bothered to do an update.

Examples found of the issue in the wild include just about every major manufacturer. APC, maker of fine power supplies, has said that Ripple20 is in its network management cards (pcpro.link/314apc). APC’s website currently says that update firmware is “coming soon”. Ricoh has Ripple20 in some of its products but has already issued firmware for a selection of its devices (pcpro.link/314ricoh). Dell has released new firmware for Intel chipsets, and also for the Teradici firmware and remote workstation cards used in Dell Precision devices (pcpro.link/314dell).

The list goes on and on, and the above doesn’t even scratch the surface. My recommended starting point if you’re worried is to head to Carnegie Mellon University’s security note at pcpro.link/314cm and follow the provided links.

The question is what to do about not just Ripple20 but security problems in firmware generally. It’s now clear that it’s critically important to keep firmware and software up to date; that there are devices you wouldn’t normally think of as being updatable that need attention; and that the old-fashioned view that you can go to a web configuration page to manually upload something you have downloaded from a vendor’s support page is wholly unsustainable as a model. Devices need to auto-update by themselves and to check regularly – I’d suggest at least once a week. Yes, I accept there’s a risk that you might brick a device by downloading bad firmware onto it, but this has to be compared to the risk of not updating a device, either through oversight or simply not knowing it was there.

So there are a number of things that need to happen moving forward. First, you should take a long, hard look at the support page of a product before you decide to buy. When was the last firmware issued and is that a reasonable timescale? Vendors have traditionally preferred to issue a few firmware updates reasonably early in a product lifecycle, and then allow them to be ignored and gain dust, despite the product still being sold. If the latest firmware is 18 months old, alarm bells should be ringing.

This is especially true for products that are effectively end of life. For example, I just looked at a very basic low-end router from TP-Link, the TL-WR841N. By “low end”, I mean 2.4GHz wireless N mode only. But it’s £15 on a well-known site. The latest firmware for it is dated “2018-04-03”. Please be clear that I’m not highlighting TP-Link as a major offender here – this is typical across the industry.

Second, take a good look at the description of a recent update. I just looked at the D-Link DIR-3060 Wi-Fi router support page, and there’s a firmware release on 30 June 2020 for version FW 1.11 Rev A1. You can download the ZIP file, and this contains the firmware image. However, there’s no explanation of what’s changed.

Other vendor firmware updates use such phrases as “Various security fixes”, which, whilst better than silence, still isn’t good enough.
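As an added illustration (not code from the column or from any vendor’s tooling), here are the two checks above expressed in Python: a numeric comparison of a device’s reported Treck stack version against the 6.0.1.67 fix threshold, and an age check on the latest published firmware date against the 18-month threshold. The inventory list, the audit date and the “lab-nmc” device with its stack version are constructed sample data; the TP-Link and D-Link dates are the ones quoted in the column, and the function and constant names are mine.

```python
"""Firmware hygiene checks: an added illustration, not code from the column
or from any vendor's tooling.  It turns two of the column's rules into code:
  1. A device's embedded TCP/IP stack must be at or beyond the version the
     vendor states is fixed (Treck 6.0.1.67 or later).
  2. The latest published firmware must not be 18 months old or older.
"""
import re
from datetime import date, datetime

FIXED_TRECK_VERSION = "6.0.1.67"   # threshold quoted in the column
STALE_AFTER_MONTHS = 18            # threshold quoted in the column
DATE_FORMATS = ("%Y-%m-%d", "%d %B %Y", "%d/%m/%Y")   # layouts seen on support pages


def parse_version(text: str) -> tuple:
    """Split a dotted version into integers so that comparison is numeric.
    A plain string comparison would rank "6.0.1.7" above "6.0.1.67" and
    wrongly pass a vulnerable stack."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_patched(version: str, fixed: str = FIXED_TRECK_VERSION) -> bool:
    """True when `version` is `fixed` or later; shorter tuples are zero-padded."""
    have, need = parse_version(version), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def parse_release_date(text: str) -> date:
    """Accept the handful of date layouts vendors use on support pages."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised release date: {text!r}")


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`, rounding down."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def firmware_is_stale(released: str, today: date, limit: int = STALE_AFTER_MONTHS) -> bool:
    """Alarm-bell check: is the newest firmware `limit` months old or older?"""
    return months_between(parse_release_date(released), today) >= limit


def audit(inventory: list, today: date) -> list:
    """One finding string per problem; an empty list means every device passed."""
    findings = []
    for dev in inventory:
        stack = dev.get("stack_version")
        if stack and not is_patched(stack):
            findings.append(f"{dev['name']}: TCP/IP stack {stack} is below {FIXED_TRECK_VERSION}")
        age = months_between(parse_release_date(dev["latest_firmware_date"]), today)
        if age >= STALE_AFTER_MONTHS:
            findings.append(f"{dev['name']}: latest firmware is {age} months old")
    return findings


# Constructed sample inventory.  The two router dates are the ones the column
# quotes; the "lab-nmc" entry and its stack version are made up for the demo.
SAMPLE_INVENTORY = [
    {"name": "TP-Link TL-WR841N", "latest_firmware_date": "2018-04-03", "stack_version": None},
    {"name": "D-Link DIR-3060 FW 1.11 Rev A1", "latest_firmware_date": "30 June 2020", "stack_version": None},
    {"name": "lab-nmc (constructed)", "latest_firmware_date": "2019-11-15", "stack_version": "6.0.1.66"},
]
AUDIT_DATE = date(2020, 9, 1)   # constructed reference date for the demo run

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(line)
```

Run against the constructed inventory, the audit flags the TP-Link router (firmware 28 months old on the reference date) and the made-up network card (stack below the fixed version), and passes the D-Link router. Feeding the script a real inventory means filling in the dates from each vendor’s support page and, where a vendor publishes it, the embedded stack version.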

There’s a huge database of known vulnerabilities out there and it’s called the Common Vulnerabilities and Exposures (CVE) list. Indeed, it’s so large that you need tools to help utilise it. We use Nessus from Tenable (pcpro.link/314ten), which is a robustly priced licence (thousands of pounds per year) but it’s proven invaluable. Fire up Nessus, point it at the IP address of a device and let it run riot. After 30 minutes, you have the report covering tens of thousands of known exploits.

Obviously, that price is beyond the reach of the smaller businesses, but I’d now put it as a requirement for the IT department of any serious organisation. Either buy Nessus, or an equivalent, as an in-house resource or retain a consultant who is conversant with the technology. If Ripple20 teaches us anything, it’s that the old rules about updates and exploits will not wash any more, and that we need to take pre-emptive action to monitor, mitigate and manage these emerging risks. And it’s about time that we held vendors’ feet to the fire over their update schedules for products.

Active Backup for Office/ Microsoft 365

The move to cloud services has been a godsend, especially for the SME marketplace. No longer do we have to worry about servers and backups. And all is well in the IT garden.

Well, not quite. I confess that I’m glad to see the end of Windows Server in the SME workplace, with Office 365 providing an extremely compelling solution. (Yes, I know it’s called Microsoft 365 now but, as I believe I may have mentioned, I’m now an old man and must resist all change.) As I’ve discussed in previous columns, I prefer to keep all data storage in-house, so I have several Synology NAS devices distributed around the buildings, both on and off-site.

I’ve never had occasion to doubt the integrity of the mission-critical online Exchange Server storage that we use as part of our Office 365 E3 subscriptions, but there’s always the nagging doubt that something could go wrong. After all, a cloud service is simply time and space on someone else’s computer. They’re not magical data boxes that can never fail.

That’s why I’ve been looking for solutions that would enable me to keep a local archive of everything we hold in Office 365 cloud services, just in case a real disaster was to happen. The solution was staring me in the face – as part of the Synology server platform, there’s a tool called Active Backup for Office 365. Install it through the Package Center, be delighted that the software and licensing is free, and fire it up. Give it all the relevant login details for Office 365 cloud services, then sit back, relax and watch it do its work. It makes local archive copies of Drive, Mail, Archive Mail, Contacts and Calendars – along with all of the group items such as SharePoint site services. A separate tool called Active Backup for Office 365 Portal lets you dive in and view all the data, down to individual emails – and do appropriate recovery procedures as necessary.

I’m happy that I have this running, keeping a watchful eye on my online cloud presence. It’s free and seems reliable so far. What’s not to like?

New-style Facebook

Remember how I said I was becoming a grumpy old man? Well, I utterly hate the new-look Facebook design, which is why I released a small harrumph of delight (before going back to being grumpy again) when I discovered that FB Purity, the excellent add-in tool for keeping control of your Facebook browser experience, has implemented a setting that forces Facebook back into the old design.

It seems that Facebook is waging a war against plugin authors, doing whatever it can to stop them working. So far, I’ve been impressed with the way FB Purity has kept ahead of the curve. For now, I’m back with the old look, rather than the horribly inefficient new design. How long this will last, I have no idea. Time to send the team at FB Purity a little support donation to help with its work.

The colour accuracy question

When it comes to colour editing of images, whether it’s video or stills, there are some astonishingly good tools available for little cost, and often no cost at all. One of my favourites is Blackmagic Design’s DaVinci Resolve Studio 16, which is available as a free and as a paid-for version. The differences between the two really only affect those working in big teams or on super-high-resolution, Hollywood-quality productions. And at a few hundred dollars for the licence, it isn’t a big cost to upgrade from one to the other.

One of the big features of Resolve is its ability to do colour grading of video. This is when you take different sets of video and need to apply a common colour scheme. The sun might have moved, there might now be clouds or there may be differences between cameras in their colour response. All of these things need adjustment to get a consistent “look”.

However, there’s really no point in doing this, either for video or still image editing, unless you know what you’re looking at. Whilst I’d be the first to admit that the best displays come with very good colour accuracy “out of the box”, there’s always a significant and important difference between “accurate” and “nearly accurate”. This is especially true if you work on both a desktop and laptop. Both might be nearly right, but in different directions of wrong.

If you want to really know what’s happening – and to be able to make informed, accurate decisions – it’s imperative to have a colour-accurate display. And the only way to do this is to calibrate it.

My go-to company for affordable, high-performance screen-measurement tools is X-Rite, which really owns this space. It offers a range of products, and it’s possible to avoid breaking the bank (PC Pro uses an X-Rite colorimeter to test monitors and laptop screens).

X-Rite has recently released the i1Display Pro Plus at around £250, which is an updated version of the i1Display Pro (still a fine piece of kit that remains on sale at around £180). The differences are minor, but useful – essentially the Plus version can handle even brighter screens if you’re exploring the leading edge of HDR TV.

The i1Display Pro Plus is a small puck-sized device that easily fits in your hand. It has a reasonably long USB cable and you plug it into the computer you want to calibrate. For software, you get a free licence for the X-Rite i1Profiler application. This has a good step-by-step wizard-based approach to doing calibration. In essence, you put the i1Display Pro Plus in the centre of the screen and run the software. It then displays a large number of colours, one at a time, on the screen and uses the i1Display Pro Plus to measure the screen brightness and colour accuracy. Once this is done, the software can basically calculate the inverse of the error to create a correction file. This is called an ICC profile (as defined by the International Color Consortium).

Using the ICC profile is simple enough, because the i1Profiler software will automatically insert it into your OS system settings (System Preferences | Display | Colour on macOS, for example) and then enable it for you. The whole process takes under ten minutes from start to finish.
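The “inverse of the error” step, as an added illustration that is not X-Rite’s i1Profiler code and is deliberately simplified: a single grey channel, a constructed panel response (a gamma-2.4 curve standing in for the colorimeter readings) and a gamma-2.2 target, both of which are assumed values for the demo. A real ICC profile also records the panel’s colour primaries and white point; this Python shows only the tone-curve correction, and the function names are mine.

```python
"""Simplified display correction: build a one-dimensional lookup table (LUT)
that maps the level an application wants to show onto the level the panel
must actually be driven with, so that what is measured matches the target
curve.  Added illustration, not X-Rite's i1Profiler code.  A real ICC
profile also records primaries and white point; this greyscale example
only covers the tone curve."""
import bisect

TARGET_GAMMA = 2.2   # assumed target response (what the viewer should see)
LUT_SIZE = 256       # one entry per 8-bit drive level


def target_luminance(level: float) -> float:
    """Desired relative luminance for a normalised input level (0..1)."""
    return level ** TARGET_GAMMA


def constructed_panel(level: float) -> float:
    """Stand-in for the colorimeter: a constructed panel that is slightly too
    contrasty (gamma 2.4).  On a real run these values come from the probe."""
    return level ** 2.4


def measure_curve(panel, samples: int = LUT_SIZE):
    """Drive the panel with a ramp of test levels and record the readings:
    the 'many colours, one at a time' step of the calibration wizard."""
    levels = [i / (samples - 1) for i in range(samples)]
    return levels, [panel(v) for v in levels]


def invert(levels, measured, wanted: float) -> float:
    """Drive level whose measured luminance equals `wanted`, found by linear
    interpolation over the measured curve (assumed monotonic, as a working
    panel's is).  Clamps at the ends of the measured range."""
    i = bisect.bisect_left(measured, wanted)
    if i == 0:
        return levels[0]
    if i >= len(measured):
        return levels[-1]
    lo_m, hi_m = measured[i - 1], measured[i]
    t = (wanted - lo_m) / (hi_m - lo_m) if hi_m != lo_m else 0.0
    return levels[i - 1] + t * (levels[i] - levels[i - 1])


def build_correction_lut(panel=constructed_panel, size: int = LUT_SIZE) -> list:
    """For every input level, the drive level that makes the panel emit the
    target luminance: the profile's correction, i.e. the inverse of the error."""
    levels, measured = measure_curve(panel, size)
    return [invert(levels, measured, target_luminance(v)) for v in levels]


def max_error_after_correction(panel=constructed_panel, size: int = LUT_SIZE) -> float:
    """Worst-case gap between the target and what the corrected panel shows;
    the verification pass you would run before trusting a new profile."""
    lut = build_correction_lut(panel, size)
    levels = [i / (size - 1) for i in range(size)]
    return max(abs(panel(lut[i]) - target_luminance(v)) for i, v in enumerate(levels))


if __name__ == "__main__":
    table = build_correction_lut()
    print(f"mid-grey 128 is driven at {table[128] * 255:.1f}")
    print(f"worst residual error after correction: {max_error_after_correction():.2e}")
```

`build_correction_lut` is the profile’s one-dimensional lookup: once installed, the OS feeds the panel `lut[i]` whenever an application asks for level `i`. Because the constructed panel is darker than the target in the mid-tones, the table pushes mid-grey up (level 128 is driven at roughly 135), and a panel that already matches the target gets an identity table. Replacing `constructed_panel` with real probe readings is the only change needed to use it on measured data.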

You can rerun the software every month or two if you want to see how the panel is ageing. Given that I need traceable colour accuracy here in the lab, this is something we do on a scheduled basis. But you don’t need to be quite so finicky.

Is it worth doing? Sure, if (and only if) onscreen colour accuracy matters to you. Whilst it would be fun, there’s no need to calibrate your display if you simply need to edit a selfie you’re going to throw onto Facebook or Instagram. There’s no need to do serious colour optimisation for a video shot on a phone that you might drop onto YouTube.

On the other hand, if you want to do some semi-serious work, accuracy really starts to matter. For under 200 notes, the i1Display Pro is great value if you need to know that what you are looking at is actually correct.

The only downside is that, once you’ve finished the colour analysis, the tool is done until you want to perform a rerun to check for ongoing consistency. Maybe it’s a good excuse for something like a camera club or group of friends to buy and then spread the cost between them.

Of course, you can go stratospheric with these tools should you wish. X-Rite has the i1Publish Pro 3 product, which contains the newly updated third version of its professional-grade measuring tool. This is different to the much cheaper i1Display Pro Plus as it has its own built-in light source. Not only can you use it to measure the light of a screen, but also the colour accuracy of printouts, because the tool can illuminate the measurement spot. At over two grand, however, it’s a much more serious tool.

At the really high end, there’s little that can beat the Klein Instruments K-80 for doing screen measurements (kleininstruments.com/k-80). A price of over £5,000 moves it into the lab reference instruments bracket, which is exactly how we use ours. The Klein is the “above all others” reference-grade product, with the i1Publish Pro 3 as the daily workhorse.

For software, there’s a range of tools out there, my favourite being the well-known Calman software from Portrait Displays (portrait.com). It also makes special versions of the software that you can use to calibrate an HDR colour TV – quite a few vendors have put Calman calibration capabilities into the TV itself, so this is useful for those larger screens.

Finally, if you really want to get into understanding colour, I can strongly recommend CT&A from BabelColor (babelcolor.com). Now in its new v6 release for macOS and Windows, it’s an indispensable tool for looking at and measuring colours. While not particularly nice to use, it’s incredibly powerful. I use it to look at colour shift on printouts when exposed to accelerated wear and tear, and for that it’s the best tool I’ve found so far.

Before you spend hundreds of pounds on any of these devices, you need to decide whether colour accuracy matters to you. If it does, and the context is appropriate, there are tools available to really sort this out without breaking the bank. It’s very frustrating working on a beautiful photograph and printing it out on expensive paper, only to find everything looks slightly wonky.

jon@jonhoneyball.com

@jonhoneyball Jon is the MD of an IT consultancy that specialises in testing and deploying kit

BELOW Before buying any new device, check when its firmware was last updated

ABOVE With a harrumph of triumph, I banished the ghastly new Facebook design

BELOW The solution to my local archiving needs was staring me right in the face

BELOW The i1Display Pro Plus and i1Profiler are a match made in screen-testing heaven

ABOVE Become an editing Leonardo with the excellent DaVinci Resolve Studio 16
