Urgent issue with AI squared access technology

Hello folks,

Thanks to Shaun, he tipped me off to this. The following is text sent from a Word document sent to me after I enquired to AI’s Window-Eyes division. If you use any of these products, it’s important that you read this and upgrade your product to the latest version.

Beginning of text from AI squared

January 16, 2017: Urgent Notification

Forthcoming Startup Failures in ZoomText 10.1 and other Ai Squared Software Products

Problem

The digital certificate used to certify newer ZoomText and Window-Eyes software products has been compromised. As a result, our certificate will be revoked on or around January 26th, which will result in startup failures for the following Ai Squared products.

Affected Ai Squared Software Products

When attempting to start the following Ai Squared software products, the product will fail to launch and display a Windows error message: “A referral was returned from the server”

  • ZoomText Magnifier v10.1 Build numbers 10.10.8 through 10.11.6
  • ZoomText Magnifier/Reader v10.1 Build numbers 10.10.8 through 10.11.6
  • ZoomText Fusion v10.1 Build numbers 10.11.1 through 10.11.5
  • ZoomText Keyboard v4 Build numbers 4.0.0 and 4.1.0
  • Window-Eyes v9.5 Build numbers 9.5.1 and 9.5.3

When attempting to start the following Ai Squared software products, the product may launch even though the certificate has been revoked. Anti-virus utilities may detect the invalid certificate and block the software from running.

  • ZoomText ImageReader v1.2 Build numbers 1.2.16106
  • ZoomText Voices (language packs) v1.0 Build numbers 1.0.1.4693
  • Vocalizer Expressive v1.3 (for Windows Eyes) Build numbers 1.3.0.13329

Note: Inspection of the certificate will show that the certificate is invalid. Inspection and validation of certificates is a process performed by some organizations.

Solution (software updates)

For each of the affected products, software updates incorporating a new digital signature will be released and available for download prior to January 26th. We will send updated information as it becomes available. You can check https://www.aisquared.com/certificatefix for updated information.

Software Product: Update version

  • ZoomText Magnifier v10.1: 10.11.7
  • ZoomText Magnifier/Reader v10.1: 10.11.7
  • ZoomText Fusion v10.1: 10.11.7
  • ZoomText Keyboard v4.1: 4.1.1
  • Window-Eyes v9.5: 9.5.4
  • ZoomText ImageReader 1.2: 1.3.0
  • ZoomText Voices v1.0: 1.0.2
  • Vocalizer Expressive v1.3 (for Windows Eyes): 1.3

Warning When Disabling Security Options

Various websites provide steps for disabling Windows security options with the expectation that unsigned software executables will start and run. Disabling these security options will not fix these problems for the ZoomText and Windows Eyes products and may compromise security and protection from malware. Ai Squared strongly recommends against disabling these security options.

Conclusion

We apologize for the inconvenience this issue has caused you, but assure you we are doing everything possible to rectify this matter as soon as possible. To minimize downtime, we encourage you to update your software as soon as possible.
If you have questions or require assistance resolving this problem, contact the Ai Squared support team at (727) 803-8600 option 2 or support@aisquared.com.

As some of you may have already noticed, we just released English Window-Eyes 9.5.4 this morning (January 18th). Other languages will soon follow. It is very important if you are using Window-Eyes 9.5.1 or 9.5.2 or 9.5.3 that you upgrade to 9.5.4 before the digital certificate described above is revoked.

There are 3 changes from version 9.5.3 to 9.5.4:

  1. Support has been added for the HumanWare BrailleNote Touch braille display.
  2. An issue where multiple hooking errors would occur in the latest testing builds (insider build) of Windows 10 has been fixed.
  3. An updated digital certificate has been used to sign all executables. (as per the description above)

Again, it is critical you upgrade your copy of Window-Eyes 9.5.1 or 9.5.2 or 9.5.3 to 9.5.4 immediately. Once the certificate is revoked, these copies of Window-Eyes will no longer launch, leaving you without speech and/or braille.

Regards,
Doug

Doug Geoffray
VFO(tm) | Accessibility Software Manager, Enterprise Compliance
11800 31st Court North, St. Petersburg, FL 33716 mailto:dgeoffray@vfogroup.com http://www.vfogroup.com/

The information contained in this communication is confidential, may constitute inside information, and is intended only for the use of the addressee. It is the property of VFO(tm). Unauthorized use, disclosure or copying of this communication or any part thereof is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by return email, and destroy this communication and all copies thereof, including all attachments.
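
The notice above says that inspecting the certificate is part of some organizations' process. As an added example (not from Ai Squared or the original post), this PowerShell script lists the Authenticode status and signer of every executable in an install folder, so files still signed with the old certificate stand out after an update. `$InstallDir` and the thumbprint placeholder are assumptions; the notice does not give the certificate's thumbprint.

```powershell
# Added example, not vendor code. Needs Windows PowerShell 3.0 or later.
param(
    # Assumption: the folder the product was installed into, supplied by you.
    [Parameter(Mandatory = $true)]
    [string] $InstallDir,

    # Placeholder: thumbprint of the certificate being revoked. The notice
    # does not state it; read it from a file you know is an affected build.
    [string] $OldThumbprint = '<THUMBPRINT-OF-REVOKED-CERT>'
)

# Collect the binaries Windows checks signatures on.
$binaries = Get-ChildItem -Path $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' }

$report = foreach ($file in $binaries) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate      # $null when the file is unsigned
    [pscustomobject]@{
        File        = $file.FullName
        FileVersion = $file.VersionInfo.FileVersion
        Status      = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
        OldCert     = [bool]($cert -and $cert.Thumbprint -eq $OldThumbprint)
    }
}

# One line per signing certificate: a fully updated install should show the
# new certificate only, not a mix of old and new thumbprints.
$report | Group-Object Signer, Thumbprint |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Anything not reported as Valid, or still signed with the old certificate,
# needs the vendor's update before the revocation date.
$needsAttention = $report | Where-Object { $_.Status -ne 'Valid' -or $_.OldCert }
if ($needsAttention) {
    $needsAttention | Sort-Object File |
        Format-List File, FileVersion, Status, Signer, OldCert
} else {
    Write-Output 'All binaries have a valid signature from a certificate other than the old one.'
}
```

Run it once before updating to record the old thumbprint, and again after installing the update to confirm nothing was left behind.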


touch as I want to understand more about what took place here.

more updates out

Hi.
This must be the day of updating.
Java released its first build of 2017.
AMD, which had only just released a build for end of 2016 as well as something on January 10, has now just released the first major for 2017.
Realtek has released 2.81 HD codec minor package.
Oh and their website is back up, it went down.
On at least one system it caused the sound drivers to unsync and become unusable.
They were down for about a week or so, so they must have had something major go like a main board or something.
I did the yearly service of computers and now look at me all out of date again, let’s hope things improve.
To the rest, I apologise about the blog, I will update you at some point in the next 2 months.

comments on last post

Hi Jared.
I actually find being called sock puppet a bit offensive.
There are many reasons I can think of making an identity which is not your own.
1. You are some undercover agent going against terrorism or spam tracking or something.
2. You are in a chat, no one has needed to reveal their names.
3. You are in a blog like this one or in fact on a forum.
The net is dangerous.
While on a lot of places people know me because well they just do, if I chose, I could make a fake Gmail address, a fake ID, etc., I just don’t.
One thing would be that I’d have to check 2 addresses or forward addresses to addresses and I can’t be bothered.
I seriously don’t think it’s new, this definition.
We have been making IDs all the time and a lot are doing it for the heck of it.
While I don’t think it would come to anything, imagine if it came down to it that you would have to use your real name everywhere you go, that’s not really safe.
On that note, a small update was released to Skype and CCleaner today.
Also of note, Defraggler does not recognise all SSDs as SSDs, it tried to defrag my SSD drive as a hard drive, though who knows, it may have detected 2 hard drives and not an HDD and SSD.
I have also noticed that the percent actually fragmented is greater on Defraggler than a standard defrag and it almost never says the true percentage, Windows defrag says a much lower percentage on the drives when run.
I wish there was a standardised value set for actual accurate figures.
On a system I am maintaining, Defraggler says overblown values on all drives.
That’s standard with Defraggler.
On standard defrag the command line, I get another value meaning it needs some attention.
On regular where it detects both HDD and SSD, the HDD is 0 and the SSD is 0 phase for optimisation, which means that the optimisation and defrag for the HDD is working and the optimisation phase on the SSD, which of course is not the thing to defrag, has been working fine.
While Defraggler is accessible I am really wondering if it has our best interests at heart.
I killed it on the system I was working on but still have it round on others, I have run it and it’s more stable, but the values are inaccurate, you would have to run it at least 10 times to really make it 0 itself, whereas Windows defrag you only need to do once.
In theory, Windows is supposed to do this on an automatic footing.
That’s usually fine, but only if it runs in scheduled timeslots.
If you in theory left your system on all the day it would eventually do it.
I personally don’t advocate this though.
Several reasons.
1. Security, no need to be logged in, especially since we have dynamic IPs.
2. Stress on hardware, no need to stress when you are not using it for long periods.
3. Noise, I don’t know about you but noise can still be heard.
And last but not least notifications can be distracting.

Noun: Sockpuppet

Just saw this article or maybe a dictionary entry for Noun: Sockpuppet and it is an interesting read.

According to the article, it says in part: “An Internet sockpuppet, according to Google, is “a false online identity, typically created by a person or group in order to promote their own opinions or views.”” Sockpuppet is linked to Wikipedia in this article and I’ll link it too.

This may become a big deal later on, but let’s make this an educational post for now.

comments on today’s articles

Hi.
Jared, I couldn’t agree more on the ransomware issue.
I use MSSE which sucks.
I did try to go the big guys route first.
1. Avira didn’t have the featureset I would like, I also heard some sob stories on how a user in one of my forums got it that all their drivers and screen readers were viruses meaning a reformat.
I tried software that said it would secure my system.
It didn’t add that it wouldn’t allow anything it deemed needed to be run on any computer.
That was a problem when I started for programming class write scripts.
I then found that whilst I could uninstall it, it took Windows out along the way.
I then loaded more software for exactly the same thing, surprise surprise this time it took out OLE on all the 3 networked systems.
What a mess, the software didn’t even work.
A reformat fixed it, the companies in question had gone from the net, no trace of them.
Shortly after that the magazine that had all this stuff on net guid nz stopped cd distribution with their mags saying that the net had the answers.
More than likely people were suing them for the damage, I guess I would be quite furious myself.
Sadly, secure doesn’t actually mean anything.
For us blind folks it means inaccessibility and the possibility our own screen and or other software may be taken out by the security software in question.
Even with the systems I maintain I use Malwarebytes to scan the system but then once it’s done I immediately kill it.
I used to trust Spybot SD.
But that was ages ago.
I was thinking at one stage of getting Sophos Home for all my systems or spending the 50 bucks US buying VIPRE for lifetime membership.
Here’s the thing, as a user of security software not only do I need to make sure it’s accessible vs secure, I also need to make sure it will run with no hassle or babysitting.
I need it to work, I need it to work 1000000% of the time, I need it to never crash or fuck itself or my computer, I need it to have support emails or phone calls.
I need it to never change its interface.
I most importantly need it to be cheap, not cost a yearly subscription and never go down in the ratings.
Oh and I need it to not need me to use JAWS or special scripts, never have need of graphics, not have inaccessible manuals, need the companies to understand the blind and not brush us off because they think we are helpless fuckers etc, etc, etc.
If that is then settled then security is my main concern if it works.
It’s impossible ratings will be constant.
I started with McAfee, pirated of course, and it worked for a bit, then Norton.
This worked to some degree but needed me to babysit it, it even got me to buy a subscription.
It did from time to time make my system unstable especially on first install.
Ie if you uninstall one part because it crashed you need to reformat because if you install it again it won’t run.
It also used too much resources.
I turned as much of it off as I could and kept it round as on demand.
In 2003 Mr Norton changed to Symantec and suddenly they started changing things, making me being dictated what needed to run and or not.
The systems were under spec but I couldn’t justify the cash for Norton.
Later on users complained about it slowing down their systems and later on I had to remove Norton to speed up a client’s system that was running slow.
I still have friends that use Norton and love it and never complain.
Next AVG.
AVG 6, and 7, and to some extent 8 really are nice.
Finally no babysitting, no big issue, good interfaces, no hassle no fuss.
However if it got something that looked like a trojan it would do this.
Avg has found a trogen on your computer the file jaws.exe or readme.mp3 or talk.txt is win 32_no name unnamed 53sdfjtewrfujoeiwu5338 virus and has been removed.
Never mind that unnamed random id and complex number has no search results.
And does not exist.
Then I was working with batch source code, and linux stuff.
file name on linux filename.txt.
filename on pc for conversion filename.lnx or .unx.ltx to filename.txt.dos rename to filename.txt.
Filename.lnx.txt is trogen ansi malware win32_noname 5y7ds7y6rfhuisdhfyuiewr63434343unknown.
At the end I had no option but to uninstall that too.
In v9 the thing got inaccessible and even when they fixed that I found a folder on my system root and the root of every drive crunching away, the drive was going full out at system idle, the fans were going nuts.
Afraid about the hardware and drives being wrecked I killed it.
I have heard since then high cpu usage and added toolbars.
MSSE/Windows Defender does everything it says on the package except that it’s average and will randomly say something is a virus even if it’s worked with it for ages and ages.
NOD32 costs, and while it’s good I don’t know if I can subscribe yet again.
VIPRE has a 3 unit sub for 50 bucks, Sophos is cloud based but so is now Windows Defender.
I am no longer confident that my security software will work for me.
I’d be happy dealing with the ransomware itself than the software.
As for backups I have had at least 5 drives fail in 5 years 3 last year, one of them a new backup drive.
I almost lost everything, it’s not foolproof.
Whenever I have chucked this on forums and lists and blogs of companies there has been absolute silence.
On the access front look at Steam and Valve, they refuse to do something.
You almost feel like hacking them and burning them down, seriously that’s what I feel like.
Security seems to equal inaccessibility, data loss and corrupted files, no thanks!
Avast was good but had CAPTCHAs, now it’s failing too.
If we want to be truly secure either the companies have to come to the table or they will have to be made to.
Sadly with the state of the US right now that will never happen, especially since reports say we could lose disability rights, acts health insurance and the lot.
I am not sure about Europe.
None of the big corporations care so I just get on with my life.
Security for the disabled is a fucking ass joke, it really is.
I am not secure, but to be secure means I lose all rights and privileges I currently have, it’s too unequal.
HelioHost seems bad, I had the same issue with 000webhost.
I have given up, I have a WordPress site blog and that’s it.
Cloud backups may work but costs for those the isps, accessing things, etc.
This world is not disabled friendly.

3 Simple Steps To Disrupt Ransomware

This article entitled 3 Simple Steps To Disrupt Ransomware could not come at a better time.

  • Backup, backup, backup
  • Patch ASAP
  • Key security controls

    “#1 Backup, Backup, Backup
    Ransomware is often compared to physical crime. It’s easier to understand the underlying concept that way. But there is a fundamental difference that you have to remember: digital data can be copied easily for little to no expense.
    That can change the dynamics of the crime. In the physical real world, if criminals steal an object to hold for ransom, you no longer have that object. If you pay up they might return it or they might simply take the money and run.”

    This is good in the fact that we can preach this all day long, but we just need to do it today. There’s more for this, but I think this quote can be left for you guys to digest.

    “#2 Patch ASAP
    Software is inherently complex. Mistakes will be made and updates will be available. These updates usually contain important security updates that patch the very vulnerabilities that criminals take advantage of.”

    This is becoming easier, but still a chore. Turning on auto update can be a blessing or a curse, depending on how you view it. From an accessibility standpoint, we can say that fixed software is not always better. I can agree with that in some cases where developers have definitely broken things and they had to go back and fix it. For the most part, upgrading should not break the core functionality of what is known as the main program. What I hate are those developers who change the menu interface of what we’ve learned, thinking it is better. We have to learn it all over again. That can be a curse for someone who is disabled. There’s more to this one as well.

    “#3 Key Security Controls
    Even with a strong backup strategy and patching immediately, there is still a strong possibility that your systems remain partially exposed. This is where 3rd party security controls come into play.”

    There is more to this but this may be the hardest part of our job as disabled people. We may not be able to use these third party applications which are designed to help us because they don’t work with any type of access technology. I’d love to use a leading AntiVirus program, however, the leaders are not accessible. AntiVirus is only part of what we should use, and again, the newer programs aren’t always the ones we should use.

    Part of our problem is that we are small compared to the mass market. We somehow need to get our voices heard to where accessibility can be included so we can be part of the solution.

  • Stop incoming attacks using an intrusion prevention system
  • Try to stop infections from taking root by using anti-malware software
  • Block outbound connections to attackers infrastructure using outbound filtering

Is any of this stuff accessible to those with disabilities? I doubt it.

Also, as stated before, everyone is telling us not to pay the money as that is the motivation to their antics. In certain cases, it may be the only option, and that, I understand. Here is what Mark has to say.

“I agree with that position but also understand the difficult nature of the position you might be in after an attack of this nature.
That’s why it’s critical that you make a small investment now to ensure that you have backups in place, patch regularly, and have basic security controls to help stop any attack being they lock up your data.”

Mark recommends if anyone is interested in reading more, read the no more ransomware project. I’ve not looked at it yet, but I plan to take a look.