Sunday, June 26, 2005

Digital Insecurity

I see a common thread in the news these days. The proliferation of digital technology and connectivity is creating an unprecedented threat to information security on many fronts. Here are just a few excerpts from recent news on this theme.

SenderID, SPF, Domain Keys
By this Fall, if your e-mail does not have a Sender ID, MSN & Hotmail will handle your message as if it were JUNK mail. Other e-mail giants such as America Online (SPF) and Yahoo (Domain Keys) have developed their own authentication systems. AOL and Yahoo plan to implement them in their e-mail systems by year's end.
Unsigned mail could be handled differently since it is more likely to be SPAM, but DoubleClick, a major SPAMMER, has already announced plans to use SenderID on its mail servers when appropriate. [You probably won't recognize the name of that domain owner or it could appear similar to a known business.]
http://news.zdnet.com/2100-1009_22-5758365.html?tag=nl.e539

Instant Message Collaboration
The latest desktop version of Microsoft Office Communicator 2005 together with the company's Live Communications Server software will allow workers to access a [corporate] IM system from any device on the Internet.

MS Issues Small Business Security White Paper (71 pgs)
http://www.microsoft.com/smallbusiness/support/security-toolkit-pdf.mspx

Microsoft Releases 10 Security Bulletins
Microsoft's monthly bundle of patches for June is one of the biggest since the company switched to a monthly patching cycle, and it brings fixes for 12 vulnerabilities, including three critical issues.

Popular Web browsers' javascript leaves users vulnerable
The flaw allows a phishing attack when a malicious JavaScript pop-up window appears in front of a trusted Web site, Secunia [Security firm] said. It could prompt a user to enter data such as a userid and password.
"The problem is that JavaScript dialog boxes do not display or include their origin in a popup dialog window which could appear to be from a trusted website. The latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox, Camino, and Opera prior to 8.01 are all vulnerable.

Security Software facing increased attacks
Symantec, CheckPoint Software, and F-Secure are among the vendors that have seen a rise in the number of security issues that affect their products in the past years, according to Yankee Group. If the trend continues, the number of vulnerabilities for security products will be 50 percent higher than 2004 levels, according to the analysts. While Microsoft flaws continue to be exploited, the rate has decreased notably. Analysts credit the shift in targets to the tighter security in Windows XP Service Pack 2.
http://news.zdnet.com/2100-1009_22-5754773.html?tag=nl.e539

Microsoft to Deliver Automated, All-in-One PC Health Service for Consumers
OneCare is a comprehensive, simple-to-use consumer subscription service that will provide automated protection, maintenance, and performance tuning in an all-in-one package for Windows-based PCs. [...there's big money in creating a problem then solving it.]

Microsoft plans to buy Claria (Gator)
Microsoft is expected to buy the advertising firm Claria, which earned the wrath of millions of users when it was called Gator for trashing Windows PCs with AdWare. Microsoft hopes to extend its MSN advertising and add user profile technology already possessed by rivals Yahoo and Google. All three offer free "toolbar" downloads which add functionality to browsers but could also work in the background to gather information about your browsing and even capture keystrokes or at least javascript field (login) input if so configured. I do NOT recommend adding optional toolbars in general, but do find the Yahoo and Google customized homepages helpful and informative. You might try these highly personalized portals for a homepage, but avoid the temptation to modify your browser with added features you don't really need and to install executables you don't understand.

To make matters worse, Microsoft's [Giant] Anti-SpyWare software (still in Beta) has just been changed so the default settings Ignore Claria/Gator SpyWare rather than remove it. Anti-M$ zealots are going wild over this clear abuse of power and lack of ethics. That pretty well shoots 'Trustworthy Computing' in the foot. Nice going Ballmer. Hopefully, Enterprise Admins will use this as a valid reason not to implement SpyWare Security with Microsoft products since they now ignore the worst AdWare/SpyWare offender out there.

Beyond PC's
Gartner analysts John Pescatore and John Girard wrote in a published paper that enterprises should prepare for the growing threat from malicious software for mobile phones and PDAs. "...a fast-spreading phone virus or worm is unlikely to appear before the end of 2007...after that, even antivirus software is unlikely to help."

Two main factors...that would encourage a virus to propagate.... First, smart phones capable of being infected by malicious software will have to make up about one-third of the market. Second, users of those phones will have to regularly exchange executable files. "Today, the penetration of [such] mobile devices (capable of being infected by a virus) is still relatively small." [That situation is changing quickly. Wireless providers are anxious to sell optional data services and routinely offer complex picture phones for under $100 with extended service plans these days.]


The Liberty Alliance is working on a standard to keep cell phone numbers from providers of wireless content such as ring tones, protecting people's privacy.

"The standard's purpose... is to enable third-party content providers to integrate (services) with mobile carriers without knowing the identity of the users." said a member. The interface specification for mobile messaging will work with both plain Short Message Service (SMS) and with Multimedia Messaging Service (MMS), which is used by newer cell phones to send images and music.

The privacy concern arises from content providers sharing users' information, such as e-mail addresses, with spammers for a fee. "This business represents a large source of income for mobile operators and content providers alike," says Timo Skytta, of the Liberty Alliance. In Europe, laws now prohibit service providers from transferring personal information to third parties without customers' consent.
http://news.zdnet.com/2100-1009_22-5754363.html?tag=nl.e539

Vehicle Computer Security
Malicious Code - Anti-virus firm F-Secure confirmed it was unable to infect an automobile, a Toyota Prius, with variants of the Cabir worm, despite rumors to the contrary.

Personal Security
"[Security firm] Cybertrust does not use the term 'identity theft' if we can avoid it. Identity theft is actually identity fraud, since the victim continues to have the use of his identity after being attacked."

National Digital ID
In May, President Bush signed into law a bill that will require all Americans to obtain federally approved, machine-readable ID cards approved by the U.S. Department of Homeland Security. The "Real ID Act of 2005" was attached to an Iraq/Afghanistan military spending bill. Enforcement starts in May 2008. This will effectively create a national ID card [and database]. Once created, it's likely that it will make an attractive replacement for Social Security numbers, passport numbers and other credentials, which would be more easily trackable in a national database. Read more on the Real ID Act:
http://snipurl.com/fln6
http://judiciary.house.gov/newscenter.aspx?A=430
http://www.schneier.com/blog/archives/2005/05/real_id.html


RealID (national digital ID cards & database) and RFID (embedded passive transponder chip) may be the most significant, life-altering developments in this Century! I'm working on a detailed discussion of their significance to all of us. I was astonished at what I discovered.

Digital Identity Control
While the potential for abuse is obvious, proper implementation of digital identification can be beneficial and finally end the senseless repetition of filling out your name, address, and phone number on different forms again and again. Urge legislators to require that all digital ID information be encrypted with the best available technology, including a hardware component, and to require physical contact with the item containing the embedded encryption chip plus your personal identifier number (PIN) code to authorize and enable decryption of personal identity information transmitted by RFID or read from your card. You should always have positive control of when and how this information becomes usable unless superseded by the filing of criminal charges against you.

Knowledge and Vigilance
Government has a legitimate interest in being able to gather this still encrypted information and some unencrypted non-personal information such as zip code, citizenship status or other valuable but less personal data to help identify criminal or terrorist movement and activity. In a post-9/11 world, there is room for some high-tech tracking and surveillance without wholesale invasion or elimination of personal privacy. We can learn to live with cameras everywhere in public places and infrared scanning through buildings by authorities looking for criminal activity. These minor technical invasions of privacy are offset by the increased threat of terrorism and need for security. All of this can be done without excessive snooping, building extensive profiles of regular citizen activity or other unjustified loss of personal liberty or privacy. The principles of personal liberty and privacy must be maximized while the proliferation and uses of digital technology increase. Strong penalties for anyone exploiting technology to compromise personal identity must keep pace with new technology and be vigorously enforced.

For now, I remain hopeful that digital technology can be used properly to improve our lives. But this will require our knowledge and vigilance to overcome those who would abuse its power.

FL PC Guy

Monday, June 20, 2005

Internet Threats & Defense

Considering my handle, it is about time I post some computer advice. In this globally connected, post 9/11 world, you must be observant and be able to defend yourself. It reminds me of when I was stationed in West Texas. My father-in-law gave me a handgun and told me to hide it in my car in case I ever broke down out in the middle of nowhere. Even in the 1970's there was an element of the Wild West still prevalent in remote West Texas. Banditos roamed freely. Considering our current border situation and the massive influx of all sorts of people from Central America, it probably still isn't safe at night in many parts of the South or other remote areas of the US. The rest of the world, especially the Third World, has always been this way but we Americans have been enjoying innocent "Happy Days" since the mid 20th Century. When I was a child we never locked our doors in a town of 10,000 and there were only two or three patrol cars for the entire town and they were often parked at the Office even at night.

Well, anyway, the internet is like the rest of the world, untamed, even a bit wild. All sorts of bad guys are still out there online, some are even organized and well funded. So anyone who connects to the rest of the world and especially those who connect via Broadband needs to take some basic safety precautions.

Microsoft has done a pretty good job on their Windows Update site with their three step plan. http://www.microsoft.com/athome/security/protect/default.mspx Use a firewall, download critical updates immediately or automatically, and use updated AntiVirus software. If you haven't done these three basic steps, please follow the directions at the address above.

Non-Windows users also have automatic security patch updates available from their OS vendor and cooperating mirror sites, usually Universities here in the US. Your anti-virus options are far more limited, but the threats are far fewer. Still, you need to follow the same procedures to be safe. I'll explain firewalls in a minute. Almost all Linux distributions include a configurable firewall, ipchains, and if you are fortunate, some GUI interface or dialog. Linux users should also install and frequently or automatically update anti-virus software, even if you have to pay for it. Perhaps someone will post some good free alternatives.

Firewalls are specialized access lists which filter IP traffic by TCP or UDP port and direction. As a former router administrator I can tell you there are thousands of ports loosely designated for a particular application. Most people only use a handful like TCP port 80, the browser or HTTP port. Incoming POP3 email uses port 110, while outbound SMTP typically uses 25 or these days 25000. The entire list is here: http://www.iana.org/assignments/port-numbers . Most people only need to know to open those two, close 135 outbound (Windows network sharing) and block (drop) every other kind of traffic from the internet. Of course, reply traffic is typically allowed. You want to block unsolicited traffic from outside. If you download a Trojan, macro executable, or other virus and initiate it from your local PC, any traffic it sends and any updates it downloads would still pass through a properly configured firewall. Windows XP SP2 firewall ignores all outbound traffic. That's why you need security updates, AntiVirus and the other stuff I'm about to list. Even XP users need to add an outbound firewall like ZoneAlarm or NetVeda Safety Net. Both are available for free.

The fourth defense you increasingly need is Anti-Spyware software. SpyWare, malware, and AdWare are variants that install some executable on your PC and secretly gather information which is eventually sent back to its creator. While it typically includes elements of viruses, trojans, and other malware, the primary objective is to compromise your privacy, security, or both. Amazingly, there are few laws in place to counter this relatively new threat and enforcement is often difficult since much AdWare obtains your tacit agreement when you install some legitimate software it sponsors. Until specific legislation addresses hidden applications, it isn't unlawful in most places to distribute AdWare or even to use it to gather private information about its users.

Even if the company (much SpyWare or AdWare is created by big companies) doesn't use this information for unlawful purposes, the way it is installed, updates, and operates without your control makes it very tempting to abuse and extremely hard to prosecute.
Once a piece of AdWare gets installed on your PC, it runs silently, repairs and updates itself, has no easy means of being removed, and communicates freely with any internet address in the world as often as it is connected to the internet, even if you have all the latest critical updates, current anti-virus software, and a good inbound firewall. That's why we all need to run several of the available Anti-Spyware applications.

This is a new industry and there are several approaches to finding and removing the many thousands of commonly known AdWare or SpyWare components in use. Worse, because malware updates itself frequently, once installed, it can change its behavior completely on a regular basis, even hourly. Imagine someone at Gator (a major AdWare distributor) downloading a special code update that watches for browser connections to the Bank of America or CitiBank website then captures your keystrokes and sends them to some IP address in China or the Ukraine. After an hour, the code is replaced with legitimate AdWare code and there is no trace left of the deed that captured a few hundred usernames and passwords to bank websites and passed them along to Terrorists. This threat must be addressed immediately by Homeland Security, Congress, and each State legislature. Until the FBI is funded with the staff and tools to defeat this threat, you must play catch-up and hope you don't fall prey to a new segment of code not yet identified by current Anti-Spyware. The bottom line is that even if you have all of the following installed and up to date, you must ASSUME your keystrokes are being captured and forwarded.

Download, install and run the following software at least weekly: AdAware SE Personal Edition by LavaSoft, SpyBot Search & Destroy, and until Summer 2005, the beta of Microsoft's (Giant) Anti-Spyware application. Each has some capabilities the other lacks and all are currently available for free. If you can afford it, especially if you use broadband, buy the full versions. Set your scheduler (in Control Panel) to open all this software at least weekly when you are likely to be online. Get the updates before you scan your system just as you do with your anti-virus software.

Still, there are two other things you MUST continually do to safeguard your private information. Both are somewhat of a pain, but they are simple things you can do to protect your ability to do online commerce and internet banking with some sense of security. First, configure your firewall to prompt you for approval of all outbound traffic except HTTP. That means each time you send an email or update software (other than your anti-virus or anti-spyware, which can be exempted), you must give your OK to send information to the internet. If you aren't intentionally sending something, then DENY that traffic. It could be your credit card info going to China! You'll notice things like Windows Update (WUABOOT) requesting contact to the internet. Be sure you know what internet access you are approving. Second, you should never type your credit card number or password into a web dialog without skipping characters and using the mouse to reposition and insert the correct characters. If the website won't let you edit the string, complain that they are compromising your local security measures and stop using that site.
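The firewall behaviour described earlier (drop unsolicited inbound traffic, allow replies, leave outbound alone) and the outbound approval rule from this paragraph, modelled side by side as an added Python example that is not part of the original post. The program names, addresses, ports above 1024 and the `user_prompt` callback are constructed for illustration.

```python
"""Toy model of a desktop firewall (constructed example, not a real product)."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" leaves the PC, "in" arrives from the internet
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int
    app: str = ""       # sending program, only known for outbound traffic


def deny_all(pkt):
    """Stand-in for a user who answers DENY to every prompt."""
    return False


def user_prompt(pkt):
    """Assumed user: approves only the mail client they started themselves."""
    return pkt.app == "mail.exe"


@dataclass
class Firewall:
    outbound_control: bool = False             # False = inbound-only firewall
    exempt_ports: frozenset = frozenset({80})  # HTTP is never prompted
    exempt_apps: frozenset = frozenset()       # e.g. the anti-virus updater
    open_inbound: frozenset = frozenset()      # no listening ports by default
    approve: Callable = deny_all               # models the approval prompt
    flows: set = field(default_factory=set)    # connections this PC opened

    def check(self, p):
        """Return (allowed, reason); remember outbound flows that were let out."""
        key = (p.proto, p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "in":
            if key in self.flows:
                return True, "reply to a connection this PC opened"
            if p.local_port in self.open_inbound:
                return True, "port explicitly opened"
            return False, "unsolicited inbound, dropped"
        if not self.outbound_control:
            ok, why = True, "outbound not filtered"
        elif p.remote_port in self.exempt_ports:
            # Port-based exemption: applies to whichever program uses port 80.
            ok, why = True, "exempt port"
        elif p.app in self.exempt_apps:
            ok, why = True, "exempt program"
        elif self.approve(p):
            ok, why = True, "approved at prompt"
        else:
            ok, why = False, "denied at prompt"
        if ok:
            self.flows.add(key)
        return ok, why


# Constructed sample traffic; addresses come from the documentation ranges.
TRAFFIC = [
    Packet("out", "tcp", 49152, "192.0.2.10", 80, "browser.exe"),     # browsing
    Packet("in", "tcp", 49152, "192.0.2.10", 80),                     # its reply
    Packet("in", "tcp", 135, "203.0.113.7", 40000),                   # unsolicited
    Packet("out", "tcp", 49153, "198.51.100.20", 110, "mail.exe"),    # POP3 fetch
    Packet("out", "tcp", 49154, "198.51.100.30", 8080, "avupdate.exe"),
    Packet("out", "tcp", 49155, "203.0.113.99", 8000, "unknown.exe"),  # not started by user
    Packet("in", "tcp", 49155, "203.0.113.99", 8000),                 # reply to the above
    Packet("out", "tcp", 49156, "203.0.113.99", 80, "unknown.exe"),   # same program, port 80
]


def inbound_only():
    """Firewall that filters inbound traffic and ignores outbound."""
    return Firewall(outbound_control=False)


def with_outbound_prompt():
    """Same inbound rules plus: prompt for all outbound except HTTP and exempt apps."""
    return Firewall(outbound_control=True,
                    exempt_apps=frozenset({"avupdate.exe"}),
                    approve=user_prompt)


def replay(fw, traffic):
    """Feed packets through the firewall in order; return the allow/deny list."""
    return [fw.check(p)[0] for p in traffic]


if __name__ == "__main__":
    for name, fw in (("inbound-only", inbound_only()),
                     ("outbound prompt", with_outbound_prompt())):
        print(name)
        for p in TRAFFIC:
            allowed, why = fw.check(p)
            print(f"  {'ALLOW' if allowed else 'DROP ':5} {p.direction:3} "
                  f"{p.remote_ip}:{p.remote_port} {p.app or '-':12} {why}")
```

In the second run the connection from the program the user did not start is denied and its reply is then dropped as unsolicited, while the last packet passes because the HTTP exemption is keyed on the port, not on the program.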

Keystroke capture is so easy to do with a tiny resident application that even an expert can't detect when service.exe is running something that does just that. All the IPSec and encryption techniques developed so far apply only to network traffic AFTER the keystrokes are entered. Microsoft is aware of this major flaw and has been working with Intel and others for years to develop a new generation of equipment that will encrypt all traffic between the motherboard, CPU, video card, keyboard, and other major components of your PC with special hardware chips. This feature won't be part of the next version of Windows and maybe not even the one after that. It will require your operating system to be custom installed for each hardware component and will break your system if any piece fails. No existing hardware is compatible and no new hardware with this capability is yet available. Until you own such a system, be very careful before you participate in online commerce or banking. Review your bank and credit card statements for fraudulent transactions; you may be able to review transactions online every other week.

Never use a debit card online (or anywhere else); you are not protected by law from its unlawful use, only by current bank policy which could change at any time or be arbitrarily applied. The most you can lose from using a US credit card online is $50 by law as long as you promptly advise your bank and BankCard Center in writing (snail mail) of loss or compromise of your card number, or known fraudulent activity and within 60 days of billing. Banks make this distinction increasingly blurry but stand to save $Billions if they can switch users from Credit Cards to debit cards. Repeated efforts to repeal the Credit Card law have failed in spite of massive political contributions, but I wouldn't count on our current government to continue to protect you from big business. Watch for news of changes in Credit Card law.

Finally, try to become more familiar and in touch with the operation of your PC. Know what runs at startup and why, don't install any software from a company unless you are sure it has more to lose in bad publicity than it has to gain from compromising your PC. Stick to big name vendors or highly recommended, long established developers. Read the fine print of licensing agreements when installing software and never agree to install additional software (AdWare). Update protection software and run full scans regularly. Do a full system state backup before installing anything, backup your personal files to removable media frequently, and have all the drivers, CD's and license keys readily available to wipe and reinstall your OS if it does become compromised beyond repair. Yes, it's a pain but life online just isn't simple anymore.

Or, if you are unwilling to work at securing your PC, then stay off the internet and just use your PC to play Solitaire. Don't shop, get news, play games, or otherwise interact with the world online. While you are at it, build an eight foot wall around your home, put in a well and gas generator, stock up on canned goods and ammunition. That's the alternative.

BTW PC Mag recently reviewed seven anti-Spyware apps and agreed with me that no single app is up to the challenge. http://www.pcmag.com/article2/0,1759,1829282,00.asp

Saturday, June 18, 2005


FL PC Guy

Useful- Trucker's Hitch, Slide Rule

For no apparent reason I was reminded of a useful trick I learned somewhere, perhaps Air Force survival school in 1975, that has been a handy thing to know from time to time. I refer to a practical knot for tying things down, known as the Trucker's Hitch. I have used it for years to tie large objects to my car or tie down my partially open trunk when hauling stuff too big to fit nicely inside.

I'm not much of a knot master despite four years in the Cub Scouts and several weeks of Boy Scout camp in my youth. I may have completed a merit badge on knots, but don't remember any that I found useful. But Scouting did familiarize me with half-hitches and later I built on that knowledge when I needed to know more. [In the Air Force we studied knots and also learned to make backpacks and belts with pouches out of parachute gear for survival use.] The Trucker's Hitch, as I apply it, is simply a complication of simpler knots that removes the tension from the part of the knot you will eventually need to untie.

I said "as I apply it" because there seems to be some discrepancy in what actually constitutes a Trucker's Hitch as indicated by these two different web-based explanations. http://www.grogono.com/knot/truckers/index.php# and http://www.bsatroop159.org/knots/ktrucker.shtm

My Trucker's Knot looks more like the Boy Scout description but I find mine even simpler and quicker to apply. I start with a single cross-over knot sort of like the first step in tying your shoes. You don't need two ends however, when tying big things down you usually fasten each end separately and have only one end of the "shoe lace" and loop it around something just before making the knot. You might use a three foot piece of rope or string and your leg to follow along. Tie one end off nearby and wrap the remaining end around your leg or a chair leg to practice.

Assuming you are tying something down you now have one end of the rope tightly over the item and the other end wrapped around your fastener (leg?) with a single hitch or cross-over knot in the rope and the remaining free rope in your primary hand. I usually tie left over right so I'll assume you did the same for this explanation. Doing the opposite throughout should produce a similar result.

Now do another left over right where the right is your hand with a grasp on the remaining rope, but not the end, and the left being the tight portion of the line over your load. This time, when pulling the line through, don't pull the free end through but pull that part of the line through leaving a four to six inch loop sticking up between two half hitches as you draw it tight.

You will notice that there is no tension on this loop but on the hitches below it. At this point, pulling the free end would make the loop smaller and eventually untie the second hitch releasing tension on the load. To stop the free end from moving you make a similar sized loop to the inside with the remaining rope and drop the new loop over the first one pulling it into a new half hitch over the first loop. Do another and you are finished. To untie your load, simply slip the last two half hitches off the loop and pull the free end to release tension on the single remaining knot holding the load.

With a little practice you can tie this knot in about three seconds without thinking about it and untie the tightest rope as quickly if secured with this knot. I hope you can follow these directions and take a few minutes to learn this valuable knot well. I guarantee it will come in handy some day if you can remember how to do it.

If you can't follow any of these directions, just Google (search on) "Trucker's Hitch" or "Lorry Hitch" in the U.K. There are many explanations, pictures and even animations out there on the web to help. But I have found the best way to learn this knot is to practice using it in a typical situation. All that matters is to end up with a knot that holds fast under stress but remains easy to untie. See for yourself what works and what doesn't.

It is very satisfying to have the knowledge and minor amount of skill or practice to get the job done with few tools. [Anybody can do a job with all the right tools.] With a length of rope and this practical knot you can turn your passenger car into a far more versatile piece of equipment than it normally would be (unless you drive a Hummer). But don't press your luck. If you really need a truck or trailer, this knot isn't an adequate substitute. I'm glad I took the time to learn to do this knot and wish it would be taught in schools instead of so much useless nonsense. In fact, I can't think of many useful things I ever learned in school except maybe basic Algebra.

Perhaps one day I'll explain how to make a simple circular slide rule for price comparison while shopping. It takes only two pieces of laminated paper printout and a fastener (sewing snaps, those replacements for buttons, work great), needs no batteries and quickly tells you which size saves you money. Don't always assume it is the larger one. It frequently isn't. And those shelf stickers with price per unit are often useless or even wrong.

Learning to use the C & D scale of a slide rule (straight or circular) is another useful skill everyone should master. Here are the templates you will need. You can adjust the size with a copier that expands or reduces. http://www.blogger.com/

Using your slide rule couldn't be simpler. Just turn the inside wheel to put Quantity (ounces) on the inner scale below Price on the outer scale. Look above the other quantity number for a comparable price. Look above the 1 for a unit price (price per oz.). Note: As with electronic calculators, it is important to first make a rough mental estimate so you will know approximately what answer to expect. Otherwise, you won't have any way of knowing when you make a mistake!


FL PC Guy

Saturday, June 11, 2005

First Thoughts

Well, thanks to Blogger.com for giving me a new way to share my thoughts and knowledge easily with others. I chose the dark background because white background web pages bother me. Perhaps I'll figure out a way to get a pastel background for the long run. Today, it's all about the words.

So, why read further? I think I can say without much fear of contradiction that I have a particular knack for getting personal computers to behave over the past 25 years I've worked with them and 13 years I've been paid for doing so. I don't know many people who wouldn't benefit from some regular advice on how to get more out of their PC experience. I've taught over 1,000 people to use PC's, or use them more effectively. More to the point, I come across all sorts of interesting tips and tidbits of information on the web that I find interesting or worthwhile. I'd like to share some of that knowledge with others because KNOWLEDGE IS POWER. A web log seems like a pretty painless way of doing so.

I'm not new to writing. For three years I maintained a website I updated daily that was read by about three hundred regular readers. I added lots of photos too, thanks to the advent of digital photography. For six years before that I maintained a personal website with a lot of great stuff for consumers, techies, and MCSE candidates (NT 4.0).

More recently I bought a domain and expressed my political opinion in 2004. As usual, my guy never had a chance. I'm pretty fed up with both major parties and Washington in general, so I'm going to avoid that topic for a while. It makes me so crazy and elevates my blood pressure. It is all I can do to watch Lou Dobbs on CNN at 6 without blowing a fuse over the nonsense going on all around us. One last word on this...how can we be safe with wide open borders?

There is a wealth of valuable consumer information out there and I'm confident we would all be better off if we followed some of the advice and knew how things work, including our own bodies. Nutrition and health are an increasing concern for me as I get older and medical care continues to get worse and more expensive. Just as waxing your car periodically for a few dollars can save hundreds on a new paint job, eating more fruits and veggies, taking the proper vitamins and simple exercises can save you a fortune or more in risky hospital procedures.

For example, most people know that everyone needs supplemental calcium, but most people don't take the magnesium needed to metabolize that calcium. I'm not sure why they don't put both together in calcium supplements, but it may have to do with shelf life or the extra cost.

There is actually a great website devoted to how things work. That's exactly what my mother needs. Like many women I know, she doesn't have a clue how anything works. That's not to say men are any better off. I can't do much under the hood of my car anymore either, though I will surely thrill some folks one day when I share what I've learned about auto air conditioning. Auto A/C repair is one of the biggest scams going. I'll give you some basic information you can use to defend yourself from con men in overalls (your nearest auto repair center) and maybe even resolve the problem yourself.

Of course, I'll also talk a lot about new developments in computers and digital technology. We have only begun to see the changes technology will bring. As the world becomes even more digital and connected, and computing power becomes even cheaper, our lives will be impacted even further. Hopefully, more to our benefit. WiMAX wide area wireless may bring some competition to the telco/cable fiber cable rollout monopoly that has been going on for decades. Imagine having three or four new wireless choices for broadband access or even phone and TV service! Right now, you are limited to your phone company and single cable provider.

HDTV is coming, slowly. By now, you may be annoyed by the format change that makes the DVD movies you rent and some TV shows smaller because they are designed for the 16 x 9 widescreen ratio instead of your nearly square old TV. It will be more than a year before DirecTV gets its new satellites in orbit to offer truly digital HDTV. Until then, remember, digital and HD are not the same.

I look forward to posting more information soon and hopefully I will develop some readership to make my effort worthwhile. Until then, I'll close with the words of Ronald Reagan. "We make a living by what we get. We make a life by what we give."