Get Firefox!

9/25/2006

Phishing is WAY up

Filed under: — COJones @ 5:03 pm

According to a recent survey, incidents of phishing in the first half of the year were up 81% over the end of last year. Phishing is becoming a bigger problem by the day. The worst part is that it doesn’t take an idiot to fall for one. I’ve spoken to very intelligent people who sheepishly admitted that they had fallen into the trap.

Some of the more insidious versions of the phisher scam include false complaints from fake eBay members (e.g. “Joe Bogus says you swindled him in an online auction: click here to fix the problem”), fake purchase notices (e.g. “Thank you for purchasing the ultra-expensive software we sell, your credit card or PayPal account has been charged $5000 USD, click here to complain”), and the fake overdue bill (e.g. “You are 1 year behind on your mortgage, click here to stop us from foreclosing”).

There are lots of variations, but all of the ones I’ve seen have been meant to put me into a state of panic, hoping that I would act without thinking. I guess I was just lucky that the first phisher scam I saw was an attempt to make me panic about my PayPal account… which I didn’t have.

There are a few rules that can keep you much safer online. Since the old-fashioned rule about never doing business over the internet doesn’t apply to most people, I won’t even propose that one. Here are my anti-phisher rules:

  1. Never click on a link in panic. Even if the bill/complaint/foreclosure is real, an extra 30 seconds spent investigating isn’t going to make things worse.
  2. Always check the link before you follow it. Most browsers and mailers will show you where the link goes if you hover over it. If you get an email that claims to be from Google in Mountain View CA, but the link goes to a domain like phisherking.ru, you can bet that clicking it will hurt.
  3. Remember that big companies never send links in email. It’s much safer (though much more irritating) to go through the bureaucracy of a billing department than to click on a link that says “Billing Department”.
  4. Don’t let down your guard just because the link came from a friend. Phisher links sent by email viruses are not uncommon, and your friend may have been a victim of one.

7/12/2006

Hacking as a military strategy

Filed under: — COJones @ 1:17 pm

It looks like the US State Dept. believes it was hacked by the Chinese military last month. This would make warfare a whole new ball game. As people get more and more dependent on computers and the Internet, hacking will become more and more effective as a strategy for taking out competitors. It may even be possible soon to cripple your enemy so badly that he surrenders without anyone firing a single shot.

I really hope we have a way to respond to this.

6/28/2006

WGA uninstall instructions now available

Filed under: — COJones @ 10:42 am

Microsoft has finally made instructions for uninstalling and disabling WGA notifications. It’s about time.

WGA is probably the single most annoying thing that the beast of Redmond has done. It would be very nice to see it devastate their bottom line and teach them a lesson. Unfortunately, it probably won’t.

On the bright side, it has pushed a few more people into switching to alternatives like Mac OS and Linux. As people switch to the alternatives, they tend to get better… as they get better, more people switch to them. Need an example of what can happen? AMD vs. Intel.

6/23/2006

Stop WGA from phoning home

Filed under: — COJones @ 11:30 am

You’ve probably heard all about the Windows Genuine Advantage spyware controversy. If you want to get around it, here is a way to stop WGA from phoning home. Thanks to Specialst for the pointer.

It would have been so much better for Microsoft if they had simply released an uninstaller. I can’t think of anything more annoying than a company’s refusal to allow you to remove a piece of software. When you find out that it is spying on you, it just multiplies the annoyance a hundredfold.

One caveat: I haven’t tried uninstalling WGA myself. I can’t say whether it works or not. Use it at your own risk.

6/13/2006

Microsoft still not sorry about illicit test program

Filed under: — COJones @ 5:53 pm

Microsoft still is not apologizing for pushing people into unwittingly joining a test program for their beta version of WGA. They have no intention of backing out the anti-piracy tool that was stealthily installed on millions of machines in the guise of a high priority update. The unfinished tool still sends home to Microsoft on a regular basis, and still cannot be removed once installed.

At the same time… Microsoft is saying that they won’t put their Vista beta2 on BitTorrent due to “legal and privacy issues”

So… someone check my logic here. We have a company that installs a piece of software that:

  1. Is called an “update”, but is actually a beta version of an unrequested tool. Basically, it is installed under false pretenses
  2. Once installed, compiles information about the system it runs on
  3. Regularly sends its findings to a central server
  4. Cannot be uninstalled

Isn’t this software called Spyware by definition? Since when does spyware have fewer “legal and privacy issues” than BitTorrent?

I think someone at Microsoft needs serious professional help if they believe that WGA and the ludicrous press releases associated with it are even remotely credible. Most users would be much happier if you were honest about what WGA is… a dishonestly veiled attempt to squeeze more money out of a market that you monopolize.

Update:
I ran across this recent Microsoft justification of WGA. I have to say that it made me even angrier. It claims that no info is sent to Microsoft after the initial validation, and claims that their failure to mention the periodic download of a settings file is an “oversight”. If it really was an “oversight”, then they would make a settings file available that would shut the whole thing off. Better yet, make a removal tool available. Until those are available, I’m afraid that all evidence says that they are liars.

I’ve never used the word “liars” in print before, and it will probably call forth a legion of Redmond lawyers. However, I think that it is justified in this case. Microsoft has broken a major trust. They have installed a piece of software under false pretenses, it is entirely for their own benefit, and they refuse to allow it to be removed. I fail to see any “genuine advantage” at all.

It looks like I’m not the only one expressing an opinion. Check out this post on Groklaw.

5/30/2006

Schoolyard rules at the ISO

Filed under: — COJones @ 5:42 pm

China has accused the U.S. of conspiring to reject China’s WAPI encryption standard in favor of IEEE’s 802.11i. Accusations include things like “unethical activities, such as allegedly conspiring against WAPI, insulting China, and using intimidation and threats”.

So… China actually wants someone to be able to hide data from them? Hehehehe.

Damn. I guess ShamelessGeeks is banned in China again.

5/9/2006

Bad Botmaster! Bad!

Filed under: — COJones @ 2:04 pm

20-year-old botmaster Jeanson James Ancheta was sentenced to 5 years in prison for taking over a bunch of computers. Seems to me that punishment is fair enough, but we need to prosecute a whole lot more of these annoying script kiddies before spam volumes will drop significantly.

Speaking of spam… has anyone else noticed that it is mostly sent in Engrish lately? I’m not talking about those that disguise words so that they don’t trigger filters, I’m talking about those that are filled with strange Engrish words and structure. Some of them are actually entertaining, though I don’t think that a lot of people are going to trust an email from someone who doesn’t bother to have his sentence structure proofread by a native English speaker. Oh well. Nobody ever accused spammers of excess intelligence.

5/4/2006

Spammers fight back… sorta

Filed under: — COJones @ 10:20 am

Spammers of the world have finally figured out how to deduce the contents of a do-not-spam list. I can answer the question about why it took so long. Simply put, spammers are as dumb as DRM people, who are only slightly dopier than those who create do-not-spam lists. All three groups are basically the least intelligent of the lawyer-salesman personality type.

There… have I offended all of them yet?

5/3/2006

Nasty X bug

Filed under: — COJones @ 2:39 pm

A very nasty bug has been found in the X-Windows code that runs on most Linux and Unix systems. This one is a buffer overflow that can enable Denial Of Service or root logins by machines authorized to use the display.

Though there are fixes available, it looks like there is a much simpler and more general purpose fix for this: don’t authorize other machines to use your display unless you know who they are! Since just about every version of Linux that I have run up against in the past few years has made it pretty difficult to actually enable this kind of authorization, I don’t feel sorry for those who get caught by it. Seems like this is a case where the bug can only be exploited on machines configured by crazy administrators.

4/10/2006

Those poor little innocent adware companies

Filed under: — COJones @ 4:04 pm

If you were one of the 3 people in the world who believed that adware companies were just innocent little guys trying to make a living, here is a TechWorld article about some of the hardball tactics used in the adware world. Some of the stuff they have been accused of is pretty awful.

I disagree with some of the conclusions of the author. I believe he is right when he says that adware will probably end up going underground once their tactics are brought into the light. However, unlike the author, I believe that these companies really do know how evil they are. Otherwise, why would they hide their actions?

3/13/2006

McAfee’s Freudian Slip

Filed under: — COJones @ 4:35 pm

For a few hours on Friday, McAfee’s anti-virus software was identifying legitimate applications, including MS Excel, as malware. As you can guess, this caused files from these applications to be quarantined or deleted, breaking the applications in the process.

I know lots of geeks out there who will tell you that Excel is some of the worst malware out there, but that they wouldn’t want it deleted from their disk. I’m wondering how many people had the file deleted, but didn’t notice any change in Excel’s behavior ;-)

1/31/2006

File Eating Worm Set To Activate on Feb 3rd.

Filed under: — COJones @ 3:46 pm

It isn’t often that you see a locally destructive worm anymore, but it looks like we’ll be seeing one soon. Mywife.E is set to begin corrupting files on the 3rd of every month starting now. It’s a good time to make sure that your AV software is up-to-date. Since this one is said to attack the popular types of document files, it might be a good idea to back them up on Thursday.

Experts say that Mywife.E’s impact should be low due to its limited circulation. However, if it strikes you, its impact could be devastating.

UPDATE:

It seems that this may be more prevalent than I originally thought. This Reuters article about the Kama Sutra worm appears to be a much better article about the same worm. You’ll want to make sure that you are protected.

Trading Pirates for Gremlins

Filed under: — COJones @ 2:17 pm

Yup. Here we go again. Another anti-piracy nightmare is upon us. This time, games protected by the Starforce anti-piracy stuff are causing headaches for legitimate users. It seems that the software installs 4 drivers without asking, that these drivers are required to play the game, they slow down computer operation, and that they will not automatically uninstall when the offending game is removed. The Starforce software is also blamed for opening vulnerabilities in Windows systems. Sony rootkit redux.

As usual, anyone who speaks out against the fallacy of copy protection is labeled a “pirate” and ridiculed in public by the company that sold the so-called “piracy protection”. I guess you can’t really blame them… the world has figured out that their product is useless, and that they should all be looking for jobs. What is the point of copy-protecting a product if someone is going to crack it and put it online anyway? About the only thing you are going to do is irritate legitimate customers. Pirates will just end up using the cracked version anyway. Does all of this sound like part of an old pattern to you?

There is a lot of talk about the Starforce thing out there. Apparently, it has been causing trouble for quite a while now. http://www.glop.org/starforce/#games appears to be a good place to research the problem.

12/31/2005

Sony BMG settlement pending court approval

Filed under: — COJones @ 12:58 pm

It looks like Sony BMG has settled quickly in its disastrous DRM attempts. I can’t say that I’m terribly impressed by the settlement. Many of us who buy CDs do so in order to avoid all of the digital artifacts in compressed music. IMHO, the cash deal is the better of the two.

I really hope that SonyBMG learned a hard lesson from this. As I’ve stated before, DRM just isn’t worth the risk of alienating consumers. Somehow, I doubt that a simple lesson like this will convince a corporate yes-man when put up against someone promising incredible returns on their DRM investment. It will probably take a few more hits to their bottom line.

Unfortunately, there is an entire industry growing up around the fallacy that you can increase profits just by adding draconian restrictions to your product. Eventually, this will be exposed for the scam that it is, but I fear that consumers will have to endure a few years of idiotic assertions from DRM scammers before the corporate world gets a clue.

12/22/2005

Sony/BMG in trouble with Texas again

Filed under: — COJones @ 11:07 am

Texas has filed another suit against Sony/BMG. This time, it is for installing SunnComm’s MediaMax copy protection. The suit alleges that the software installs spyware even if the user does not agree to the terms. Sony’s response was “it does not collect the personal information that spyware typically does”. Note that they did not deny the collection of information, just stated that it is different from other spyware.

Yet another big company that is so far out of touch with their customer base that they make stupid decisions. As consumers, the only way we have to let them know how we feel is to hit them in the only place they will notice: the bottom line.

12/21/2005

Hackers use BitTorrent in botnet

Filed under: — COJones @ 7:18 pm

It looks like hackers are using BitTorrent to share movies from unsuspecting PC’s. That’s right… you can share Disney movies without ever having to watch them, or even knowing that you are sharing.

Nice. Now the MPAA can theoretically hack your system, share files from it, then sue you for sharing their IP. Of course, MPAA would probably have to take computer literacy classes first, but that’s another story.

12/12/2005

Sony caves on DRM issue?

Filed under: — COJones @ 6:44 pm

It looks like Sony has decided to re-examine the DRM issue. It’s about time, too. I’ve been an outspoken opponent of DRM on simple realism grounds for quite a while now. I can’t see how any entertainment company could believe that they would be able to get away with something like this for long. Maybe The Beast from the East is finally starting to come to its senses.

(BTW… I think I used the hole digging analogy better here and here.)

12/7/2005

The big DRM lie

Filed under: — COJones @ 3:36 pm

After reading the latest news about Sony/BMG’s latest DRM debacle with MediaMax 5, I’m left wondering whether anyone at Sony/BMG has an IQ above 50. I don’t say that lightly… I believe it is a valid question. But before I go any deeper into the question of executive intelligence, let’s present a few facts, some of which the whole world seems to be missing.

Fact 1: DRM isn’t designed to stop pirates

Most people define a pirate as someone who steals the music and makes copies of it for public consumption. If you are that determined to steal the music, there is a low cost way to do so… it is called a patch cord. That’s right, just buy a $5 cable that plugs into the line out of one sound card, then attach it to the line in of another sound card. Voila… a near-perfect copy, no matter what your DRM software tries to do. If you are a sophisticated, high volume pirate, you might even spend a few $k to provide a copy that is an improvement over the original. For those of you with a single computer… don’t fret. Many sound cards will allow you to patch the line-in and line-out jacks and use them at the same time.

Fact 2: DRM isn’t designed to help “starving artists” as the music industry states

The only artists who ever make any money at all from record sales are the ones who are already mega-rich. Those who are still trying to ‘make it’ seem more likely to get a statement telling them how much they owe the record company. Don’t believe it? Check out www.janisian.com.

Fact 3: DRM companies already know that their software is ineffective

A few years ago, I was involved in some Internet radio work. Part of my job involved adding tags to music that would be used to trigger events. While asking a not-to-be-mentioned DRM company about some of their watermarking techniques, I threw in a question about how they protect their music from the simple patch cord copy. After several non-answers that were essentially just restatements of their sales brochure, one of their execs told me that their software was meant to keep honest people honest. A few years later, when a company named SunnComm actually tried to sue the guy who told everyone to disable the autorun feature by holding the shift key, their knowledge of how bad their software was became obvious.

Fact 4: DRM software providers have a TERRIBLE track record

In the past, DRM has been easily defeated by holding down the shift key, changing Windows settings, drawing on the CD with a fine-line marker, and by running Linux. This doesn’t even include the patch cord method. Meanwhile, DRM has been responsible for security holes and seriously irritating customers. It seems that the only competent part of the DRM community is the marketing staff.

So… if DRM software does nothing except raise the barrier to illegal copies by the cost of a patch cable, just exactly who is it stopping? Would it be those nasty pirates who can’t afford the $5 entry fee? Sounds like the real target is the law abiding citizen who wants to archive his collection, not the pirate.

Now back to the original question. Assuming that all of the above is true (not much of an assumption, you can prove the first two very easily… the last two should be fairly obvious), what entertainment executive in his/her right mind would choose DRM? It won’t stop pirates, and it will only irritate the average customer. About the only explanation I can think of is that someone fell for the DRM company’s hype.

Just to be clear… I don’t condone the theft of music. I don’t frequent P2P sites, I don’t download music, and I loathe the real “pirates”. However, I do like to make additional copies of legally purchased CDs for my car and for work. I have several computers that I use for playback while I am working, and I resent any big company’s assertion that it is OK for them to create security holes in my system to install software that has no chance of actually accomplishing its goal. Shame on you music industry… you are biting the hand that feeds you.

11/21/2005

OUCH! Zero-day remote execution bug in IE

Filed under: — COJones @ 6:05 pm

It looks like there is a rather nasty exploit for a recently uncovered IE bug. This one could remotely run code on your machine if you are lured to a malicious web site. I would suggest that you use the Firefox link at the top of this web page to download the latest version… just until IE is safe to use again (if ever).

Sony’s legal troubles begin.

Filed under: — COJones @ 2:00 pm

It looks like Sony’s legal troubles over their rootkit have begun in earnest. The State of Texas is suing Sony under its anti-spyware laws. This is the first credible lawsuit I’ve seen over this incident. There have, of course, been class-action suits filed, but those tend to be nuisance suits that are easily settled by giving a few lawyers some money.

Let the public flogging begin!

UPDATE:

If you need a little more info, check out Groklaw’s recent post on the same subject.

11/17/2005

Lie detectors to be installed in airports… Sony/BMG executives ordered to travel by train ;-)

Filed under: — COJones @ 1:17 pm

Well, not really. But it got your attention, didn’t it?

It looks like there is a new weapon in the war on terror. An Israeli company recently tested an airport lie detector that is intended to catch anyone planning something illicit. Though I’m always glad to see a device that can make air travel safer, I’m a little worried about the potential for abuse of this device. One thing is almost certain: the day they start actually installing these devices, there will be a pretty nasty public debate.

11/16/2005

Sony: … Still Digging!!!

Filed under: — COJones @ 1:47 pm

Once again, we find ourselves looking at another ridiculous Sony DRM scheme. It looks like Sony and SunnComm have gotten together for more DRM fun. The SunnComm version seems to be a little less troublesome than the prior rootkit, but it still looks like spyware. It installs itself on your computer and transmits info about you without ever telling you what it is going to do. It also leaves 12MB of garbage around, even if you decide not to install it. It also seems that refusing to install it doesn’t stop it from running, it just stops it from re-running on the next boot cycle.

Could it be that Sony is getting informed that you refused to install their monitoring software for future legal action? Your guess is as good as mine. I would ask Sony, but I no longer trust their answers. I think that recent events justify that position.

More questions… Just how many copies am I allowed to make of a CD I legally bought? Am I allowed one at home, one at work, and one for each of my cars? What happens if I break or lose one? Can I replace it? What happened to the concept of fair use?

I think that the most annoying of all of the big music assertions is that this is all done for the poor artist. If you want a view from one of the aforementioned artists, check out Janis Ian’s article “The Internet Debacle: an Alternative View” (you’ll need to scroll down in the left frame to find it). The most telling quote from it is this: “in 37 years as a recording artist, I’ve created 25+ albums for major labels, and I’ve never once received a royalty check that didn’t show I owed them money”. Just exactly how much of this can be for the “poor artists”?

11/15/2005

Sony’s rootkit liability: food for thought

Filed under: — COJones @ 2:41 pm

A legal eagle at Groklaw has written something that should be read by anyone interested in the wacky state of intellectual property laws. Basically, it says that Microsoft’s reaction to Sony’s rootkit raises some questions and proceeds to explain them. The main question here is: If these rootkits have been installed from Sony CD’s for 8 months, why didn’t the large AV firms detect them and assess the potential damage? That’s a very pointed question, but I’d love to know the answer.

The article questions whether the AV firms were involved in the process, or just too inept to discover the rootkit. The first could be a reason to sue, and the second could be a reason to question whether they are worth using. I almost agree with the conclusion that switching to GNU/Linux is the answer. Though it is certainly more secure, it is waaaaaay too difficult to teach Grandma how to run. It’s a correct answer, but a useless one.

The Department of Homeland Security has it right… It may be your Intellectual Property, but it isn’t your computer. DON’T undermine its security in the name of a few bucks.

11/3/2005

Shame on Sony

Filed under: — COJones @ 1:21 pm

In another stunning display of customer antagonism, Sony/BMG has begun auto-installing CD copy protection on hard disks. The major problem is that the software is automatically installed, and never indicates what it does, or that it cannot be uninstalled. Honestly… it doesn’t take a lawyer to realize that this is an enormously risky endeavor. The security risk alone could easily put a huge bite into Sony’s revenue for the next quarter. Sounds like a good stock selling opportunity.

Why don’t we make a deal with Sony and the other music industry leeches… You replace my broken CD’s at cost (cost of the media that is, not some inflated number that you dream up), and I won’t have to make archive copies of them. Yeah… like they would really go for something that reasonable.

BTW… if you suspect you have this software installed, follow the link above to a pointer to a utility that will identify it. As of now, there is no removal tool.

9/30/2005

5 month old Windows flaw now used by virus writers

Filed under: — COJones @ 3:46 pm

Microsoft’s unwillingness or inability to fix a flaw in their lightweight jet database engine has resulted in a virus that can completely take control of your system. The worst part of this is that Microsoft was given plenty of warning, but chose to ignore the danger. The fact that this one seems to spread slowly will be little comfort to those who lose control of their systems to botnets.

9/19/2005

News Flash: Zombies Infest London!

Filed under: — COJones @ 3:07 pm

Want to know who to blame for your deluge of spam? According to TechWorld, London is the zombie capital of the world, and the UK is the most infected country. So the next time that you feel like complaining about all of the garbage in your inbox, just console yourself with the fact that much of it is imported from Britain.

I’m guessing the BOFH had a lot to do with this ;)

Genuine Imitation Google Worm

Filed under: — COJones @ 2:51 pm

Hang on to your hats, folks. Someone has released a worm that presents fake search results if you mis-type www.google.com. The worm itself doesn’t seem to harm the machine or OS. Its only purpose is to put a few bogus entries on the first page of results.

Even though this one seems kinda clever and innocuous, the guy who came up with it should still be stomped into oblivion. I don’t know of anyone who wants an outside party messing with their hosts file and intercepting web searches. Also… as anyone who has been hit by a worm knows, these things usually commandeer a large percentage of available bandwidth for spreading the disease. The innocuous ones always seem to mutate into something nastier, too.

9/7/2005

New Trojan Tries to Teach Koran to Porn Users

Filed under: — COJones @ 1:57 pm

In a slight twist of morals, the Yusufali-A trojan monitors a user’s web traffic and replaces porn with Koran messages. If the user continues to view objectionable material, he gets logged out.

Y’know… there is a really good joke hiding in that last paragraph. I’m just too dimwitted to see it right now.

8/19/2005

Dangerous zero-day IE exploit

Filed under: — COJones @ 2:40 pm

If you are still using the stone age Microsoft browser, you may want to check out this report about a new Internet Explorer vulnerability that attacks msdds.dll. Although Microsoft points out that it doesn’t ship with Windows, they neglect to mention that it does ship with Office XP and Office 2003.

You probably want to fix this one ASAP. There is already an exploit available, and it could potentially take over your system.

If you want the unofficial, ShamelessGeeks recommended patch, just click on the Get Firefox button at the top of this page ;-)

8/17/2005

More worms sighted

Filed under: — COJones @ 2:21 pm

It looks like there are a growing number of worms designed to exploit the recently announced Windows 2000 vulnerabilities. I’m not surprised at the ‘gloom and doom’ predictions coming out of all of the computer security firms. After all, there hasn’t been a good AV justification outbreak for around a year.

The fact that all of the scumbags out there are writing the same worm to exploit the same vulnerability means that they have been hungry for something to do for a long time. This alone speaks volumes about Microsoft’s recent security push. I don’t often compliment the beast of Redmond, but you have to give them credit for doing exactly what they said they would. Now if only they would come up with a reasonable licensing model for their software…

No honor among thieves

Filed under: — COJones @ 2:07 pm

I guess my Dad was right. There is no honor among thieves. According to Reuters, some of the worms in the recent rash of malware have the ability to remove competitors. This is leading to a ‘bot war’ with several rival gangs of virus writers competing to create the largest zombie army. It really doesn’t matter who wins the competition… Everybody will lose the fight, even the virus writers.

8/15/2005

Nasty new virus appears

Filed under: — COJones @ 2:26 pm

Reuters is reporting the existence of a nasty new virus called ZOTOB, which can cause serious problems in a system with Windows 2000. According to F-Secure, those with Windows XP or Windows 2003 Server aren’t affected yet, only those with NT, 2000, ME, or 9x versions. However, they are still subject to future worms based on the same vulnerability, which Microsoft labels MS05-039. It would be a good idea to follow that Microsoft link and download the patch it indicates.

A couple of things to note about this one:

  1. It is a net worm, meaning that it isn’t spread by email or website visits
  2. It allows a scumbag to gain remote control over your system via an Internet relay chat
  3. If you get it, it is likely that every unpatched computer on your network will get it. That is unlikely to help your job security ;)

UPDATE:
It looks like there is a little confusion online as to which OSes this bug afflicts. The best I can get out of the available sources is that the flaw exploited is in all Windows versions, but the fixed offsets used are only present in Windows 2000. If that is true, then even a somewhat inept hacker could modify the original code to use new offsets to attack different MS operating systems. If there isn’t an exploit for XP yet, there will probably be one available within days. It is best if you just apply the patch, whatever version of Windows you run.

8/9/2005

Microsoft settles for $7M in ‘Spam King’ suit

Filed under: — COJones @ 2:08 pm

How do you cause a geek to have mixed feelings? Show him a story about Microsoft winning a lawsuit against a spammer, even if it is technically just a settlement.

Geeks are almost universally anti-spammer. But then, who isn’t? A vast majority of geeks also believe that Microsoft has too big of a stranglehold on the software industry, and that handing them windfall profits from litigation is a bad thing. Hence the mixed feelings.

So… It’s lucky that Microsoft got this settlement. I was afraid that they wouldn’t make any profits this year, and that Redmond WA would become a ghost town. Yeah, right.

7/21/2005

Vigilante Spam Service

Filed under: — COJones @ 12:18 pm

It looks like the fight against spam is heating up. The Blue Frog initiative attempts to give spammer websites a dose of their own medicine.

I can understand the logic behind this, and I sympathize with the sentiment that brought it on. Unfortunately, this type of thing will only be effective for the few weeks it takes for the spammers to find a way around it. The really big downside to this is that there doesn’t seem to be an effective way of distinguishing real spammers from innocent victims of hackers. In the end, it will only be used as a tool by unscrupulous people to perform mischief.

We really need an effective way to fight spam. This just isn’t it.

7/11/2005

Have you checked out Microsoft’s Competitor Removal Tool?

Filed under: — COJones @ 6:10 pm

Well, maybe that’s what they should call it instead of a Spyware Removal Tool. It looks like anti-spyware groups are annoyed at Microsoft again. This time, it looks like they are playing favorites with a spyware (that’s right… I used the S word) company that they have designs on. The current default action for Claria software has been changed from ‘remove’ to ‘ignore’. So if Microsoft really buys Claria, what will that say about their business practices? Didn’t they already end up in court for this type of thing?

Oh well… it looks like the early nineties all over again. Anybody want to start a company that makes IPO’s?

7/7/2005

Stealing WiFi is a bad idea

Filed under: — leakenova @ 3:55 pm

If you are going to sneak around your neighborhood trying to find a WiFi hotspot you may want to rethink that idea. Stealing WiFi has been classified as a class 3 felony. A man in Florida was recently convicted when he connected to a neighbor’s WiFi network from his SUV. The laws are new on stealing WiFi, but this is most likely the first in a long wave of arrests. Also, if you have a WiFi network in your house, please take the ten seconds to set it up fully with passwords, so people cannot access it.

7/5/2005

Sasser writer confesses in German court

Filed under: — COJones @ 5:35 pm

Even though he did so soon after his apprehension, the man who wrote Sasser has officially confessed in a German court. Now would be a good time to start making examples out of these snot-nosed jerks who write computer viruses. Maybe a stretch of jail time will make him think twice before doing it again. Oh… by the way… Nobody is impressed at his programming abilities. Viruses just aren’t that difficult to create.

6/29/2005

DVD Jon strikes again

Filed under: — COJones @ 2:49 pm

It looks like DVD Jon has cracked the Google player this time. A quick trip in my wayback machine reminds me that DVD Jon was the Norwegian guy who cracked DVD scrambling and posted it on the web.

Based on the fact that it took less than a day to break, it doesn’t seem like Google took a lot of time securing it. Well… that’s better than the thought that they did spend a lot of time on it… or that they allowed Sunncomm to handle their DRM ;-).

UPDATE:
I wasn’t going to say anything about the ease of hacking players, but I bumped into this pointer to the source code right on Google’s website. Not only was it an easy hack, but he was also given a monumental head start. Even my kids could have done this hack with this kind of assistance. I suspect that someone at USA Today was desperate for a story on a slow, slow news day and found a willing publicity seeker to help. There is no reason to lionize some guy who modified a few lines of source code to keep it from checking the source of a file.

6/24/2005

Spyware isn’t just for the little guys anymore

Filed under: — COJones @ 4:46 pm

More and more large companies are using the Internet equivalent of vermin to spread their message. It’s an alarming trend that is a bad omen for those of us who spend a great deal of time online. The cost of this type of behavior just keeps on going up, as the spyware vendors make their annoying wares more difficult to remove from a PC.

Personally, I think that the most appropriate way to handle this kind of thing is to fine those who create AND those who use this type of advertising. Make the fine approximately the same dollar figure as the projected cost for a consulting company to clean up the mess. Unfortunately, there are too many lawyers in the world for such a practical remedy to be legal.

Until the lawyers and politicians come to their senses, the best course of action is to boycott anyone you see mentioned in a spyware ad. Period. Minimum: 1 year. Google into spyware? Go with Yahoo. Yahoo into spyware? Go with MSN. Since we know all of these guys have been implicated, how about Alta Vista? Just remember that there are always alternatives.

The real solution is to shortchange those who will sell their integrity for a few bucks, and the best way to do that is to make a major dent in the wallets of the cowards who pay them. Boycotting is only the first step in an effective anti-spyware campaign. Step two, which is something that is caused by the boycott, is to sell off stock in companies who advertise via spyware. Make the spyware campaign a net loss to the suits and they will pull their money out within nanoseconds. If the money goes away, the spyware goes away.

…And for pete’s sake NEVER click-through on a spyware ad.

One last thing… Don’t take “plausible deniability” as an excuse. If a major company tries to tell you that they are unaware of their involvement in spyware because they don’t track every dollar they spend on advertising… call them liars, or extremely bad businessmen. An advertising campaign that doesn’t track Return On Investment is something that just shouldn’t happen. I would make sure that I sold off any stock I had in a company with a management that stupid.

In the end, the government isn’t going to help. Politicians and lawyers will make speeches and arguments, they’ll pat each other on the back and tell you to vote for them, but the spyware won’t go away. This situation calls for a real people’s revolt, and I’m hoping one starts soon. Only by speaking with our wallets will we be able to kill this scourge off.

6/14/2005

MS announces 3 critical security holes

Filed under: — COJones @ 10:19 pm

According to Reuters, Microsoft has announced 3 critical flaws that could allow an attacker to take control of an unprotected machine and “steal data or launch other attacks”. If you have automatic updates turned on, then you should get them in this month’s security patch release. If not, then try www.microsoft.com/security.

5/31/2005

FCC urges ISPs to cut off spam zombies

Filed under: — COJones @ 6:18 pm

In a move that has been delayed for way too long, the FCC has recommended internet cutoff as a viable response to spam zombies. Though it will inconvenience a few of the clueless who have let their systems get hijacked by spambot programs, it may help to cut back on the huge volumes of junk mail being sent. Now we can only hope that these measures are enacted in short order.

I understand the reluctance to cut off grandma’s net access because she has become a victim of something that she doesn’t understand. However, it seems as if there are a lot of grandmas out there who are completely unaware that they have been infected. I think that ISPs should get strict about net cutoff, but balance the strict measures with assistance to those who cannot rid themselves of the bots.

5/26/2005

Shall We Play A Game?

Filed under: — COJones @ 11:49 am

The CIA’s Internet war exercise that we’ve been hearing so much about for the past few days is winding down. No word yet about whether Joshua found all of the launch codes. It’s nice to see the white-hat hackers practicing their craft, but any technical knowledge gained from a simulation has a shelf life of a few weeks, and is only as good as the team that wrote the sim.

5/25/2005

Is it legal to remove spyware?

Filed under: — COJones @ 4:43 pm

It looks like someone over at TheRegister.com has come up with a justification for suing spyware removal vendors. As we all know, once someone finds a justification for it, the lawyers will start swarming. Luckily, there is no argument that would allow the “stealth” downloading that happens on some sites, only the spyware installed as part of a downloaded program with an honest-to-goodness EULA.

Thanks guys… Big help. Not happy about their lack of foresight in releasing this article, and not happy that they are advocates for the spyware houses. However, it shows how any lawyer can make anything beneficial look illegal, while making anything shady look pristine.

Here’s a novel idea: stop downloading spyware! It’s usually pretty obvious which application will load spyware on your machine. If not, then it is information that you will find all over the web. Here’s the first clue: If what the software is doing is something that is illegal, immoral, or shady, there is a good chance that it will have spyware in its payload. People who have no problem justifying one slightly illegal or immoral thing are unlikely to have a problem justifying another. Examples: P2P apps, DVD rippers, and anything downloaded from a porn site are likely to have big spyware.

5/24/2005

Yet another revenue stream for dark-side geeks

Filed under: — COJones @ 2:10 pm

It looks like those geeks who have gone to the dark side of programming (and I’m not talking about management this time) have a new way to steal your money. It’s a form of extortion that has been dubbed “ransomware”. It involves a malware infection that encrypts your files and demands that you pay to have them unlocked.

Actually… this sounds like it could be a hoax to me. It seems unlikely that a criminal genius would actually have you mail him a ransom payment. Of course, I have seen dumber schemes that have hit people up for millions of dollars… but I’m accustomed to seeing them come out of Washington DC.

Congress Declares Spyware Illegal!

Filed under: — COJones @ 1:24 pm

With a wonderful flourish and an intensely passionate statement of the obvious, the US Senate passed a bill that declares spyware illegal. I’m not one to argue with Congress when they declare that crime is a criminal act, but I would really prefer if they would spend more time enforcing the fraud and privacy laws that covered this in the first place. To make a second law against the same thing seems like a waste of government money.

I guess that my only response would be a soft sigh and an unspoken DUH!

5/13/2005

Microsoft Unveils Subscription AV service

Filed under: — COJones @ 2:03 pm

As previously mentioned on ShamelessGeeks.com, Microsoft unveiled the Anti Virus subscription service that we have all been expecting. Unfortunately there is no news about the fee yet. Since the initial rumors started late last year, other players in the AV market have seen their stock prices decline considerably.

5/12/2005

Firefox 1.04 released

Filed under: — COJones @ 2:24 pm

Mozilla punched out a quick Firefox update (1.0.4) to patch the recently discovered “extremely critical” flaws. It is strongly recommended that everyone upgrade ASAP.

Still pretty ticked off that FrSIRT released an exploit without helping with or waiting for the patch first. Maybe the web community should start shunning those with such poor, poor judgement.

5/10/2005

Security Holes for IT Geniuses found.

Filed under: — COJones @ 3:34 pm

RSA, Ethereal, and smail-3 have all been flagged with exploitable security holes that allow execution of arbitrary code. The RSA flaw is in the authentication agent for IIS, so you only need to worry if you have a Windows web server. Ethereal is a network analyzer that is used by ubergeeks to decode network traffic, so hackers better upgrade before they get hacked. Smail-3 is a somewhat obscure mail transfer agent. If you don’t know whether you are running it… you aren’t. Check out the techworld link above for patches to each of these apps.

5/9/2005

Mozilla/Firefox Day Zero Alert!

Filed under: — COJones @ 3:16 pm

Firefox and Mozilla users are being advised of a pair of extremely critical flaws that can allow an attacker to run code on your machine without user intervention. Mozilla.org is scrambling to release a patch. Until then, the workaround is to disable Javascript, and disallow other web sites from installing software.

Thanks to FrSIRT (French Security Ignorant… er, I mean… Incident Response Team) for leaking the exploit code before the patch was available. Maybe we should charge those geniuses for all of the cleanup. Geez… some people don’t care who they hurt, as long as they get to claim their pointless victory.

5/7/2005

Did Google get hacked????

Filed under: — leakenova @ 9:51 pm

According to an article on Engadget, visitors to Google for part of the day were redirected to SoGoSearch instead of Google’s homepage. Google is claiming that they were not hacked, just having unexplained DNS issues. So Google, what were those DNS issues?

4/22/2005

Critical Win2k flaw

Filed under: — COJones @ 11:29 am

Microsoft has confirmed a potentially serious flaw in Win2k that could allow execution of arbitrary code on your machine. No word when, or even if, they intend to fix it. Meanwhile, you can turn off the web view feature of Win2k to limit your exposure. Since this feature is enabled by default, you will need to shut it off manually, if you haven’t done so already.

Microsoft’s reaction makes me laugh a bit. They downplayed the flaw as something requiring “significant user interaction”, yet they won’t let the OSS guys do the same. When Linux has a security hole that can only be exploited by a trusted, logged in user, they are quick to point to it as critical. I guess we should all remember not to take the advice of a party who has a stake in the outcome.

4/19/2005

Nasty PHP Vulnerabilities Pop Up

Filed under: — COJones @ 4:53 pm

Various security orgs are reporting the existence of some nasty PHP bugs. It is recommended that anyone with a PHP based webserver (like this one) should upgrade ASAP.

A good look at the vulnerabilities shows that they allow a specially-built image file to consume 100% of the server’s resources, thereby creating a DoS attack. Luckily for me, this server doesn’t have an image upload feature, so I’m good for now. It gives me the luxury of waiting for my disty to provide the upgrade via its regular upgrade cycle.

4/18/2005

Microsoft Finally Fixes WMP Security Chasm

Filed under: — COJones @ 4:58 pm

Microsoft finally got around to releasing a patch to a well-known, well-exploited bug in the Windows Media Digital Rights Management feature that allowed a specially crafted media file to infect a Windows system. This one really should have been fixed quickly. I can’t think of a reasonable excuse why this wasn’t a high priority item, considering the potential for damage.

Microsoft is supplying download links for your convenience. Just scroll to the bottom of the page and choose the appropriate download for your system.

4/16/2005

New Mozilla, Firefox Versions Plug Serious Holes.

Filed under: — COJones @ 4:41 pm

According to eWEEK, the Mozilla Foundation has released new versions of Mozilla and Firefox that plug a known JavaScript engine flaw as well as a few others. The article makes no mention of an OS-specific vulnerability, so I would advise everyone to upgrade. You can find all of the latest versions of Mozilla products here. Strangely enough, the browser itself usually warns me about updates before I see them online. I have no idea why this time was different.

3/31/2005

Windows Patch Dud

Filed under: — COJones @ 12:27 pm

Microsoft admits that they issued a dud patch for Windows 98/ME. I’m not sure who is worse: a company that doesn’t test its patches, or someone who is still using ME.

3/29/2005

People do crazy things…

Filed under: — site admin @ 3:57 pm

…like create contests that encourage virus writers. If you don’t believe the Techworld account, check out the DVForge explanation. It seems to me a lot like the recent Linuxense contest that ended without a winner. The big difference is that one only challenged you to hurt their machine, while the other was essentially challenging you to risk an epidemic. I guess there’s no accounting for responsibility.

3/26/2005

The FUD Flies Again

Filed under: — COJones @ 12:37 am

Is it just me, or have the FUD wars heated up? Most recently, we have the release of a controversial report that was mentioned here last month. I was hard on the methodology as stated, but maybe not hard enough. Now that they have published a paper describing their methods, they did an even worse job than I thought. I read through the entire methodology paper, and found it very superficial. The methods were extremely simple, and looked to be reasonable. Unfortunately, they made a few omissions.

First of all, they FINALLY admitted that they were funded by Microsoft. Now that doesn’t necessarily mean that they skewed things in favor of their meal ticket, but it puts things under suspicion. Their failure to disclose this fact in their “preview” release only multiplies the suspicion.

IMHO, the profs probably did their best to do an honest study. They came up with a methodology that they thought would lead them to a valid conclusion. They also believed that Microsoft would fund a study that could possibly prove that Linux was superior to Windows. That last part is the enlightening one. Someone who truly believes that Microsoft would fund a study about something this important without knowing the answer ahead of time probably owns a lot of swampland. Enough about the funding part. It’s irrelevant anyway.

The first hole is not actually their fault. It concerns the classification of the flaws. There doesn’t seem to be any distinction between a “severe” flaw that is the result of a remote break-in and one that is initiated by a logged-in user. This is a serious, serious flaw in my estimation. Although logged in users can do as much damage as remote break-ins, the required login is enough to significantly decrease the odds of an attack. There is also no consideration of whether an exploit actually existed. Some vulnerabilities exist in an ethereal world where an unlikely series of events could conceivably lead to a break-in, but nobody ever actually figures out how to force those events. This would be the difference between an oops and an Uh-Oh!

Another HUGE gaping hole in the comparison is the fact that the professors compared a full-up LAMP server to a Windows 2003 Server system, then classified it as a “Linux” system. Sorry guys… the AMP part (Apache, MySQL, and PHP) aren’t part of Linux. Just the inclusion of an immature app like MySQL is a mistake, and PHP isn’t much better. Blaming Linux for whatever flaws are found in these apps is about as bad as blaming Windows for flaws found in Doom3. I also didn’t see anything in the methodology about whether MSSQL and PHP (or whatever) were included in the Windows system calculations.

The study actually does raise a few questions that the OSS community should address. Though there appears to be some lopsidedness in which apps were chosen, securing the full LAMP server is not an unreasonable request. Although the Linux and Apache part are probably OK, maybe some more time should be invested in the other major components of a server.

Ultimately, the major flaw in the study is its simplicity. Because Microsoft and the OSS community have such widely differing approaches to software, a direct comparison between the two is nearly impossible. The two systems vary greatly in functionality and architecture, making a proper comparison about as difficult as trying to fill a sieve with water.

3/25/2005

Major Firefox Vulnerability Fixed

Filed under: — site admin @ 5:42 pm

A major Firefox fix was released on Wednesday. The problem was an old leftover Netscape vulnerability that was caused by the improper handling of buffer overflows in .gif files. Translation: something that should have been fixed years ago. At least the fix was released before an exploit was released in the wild. That would have been a huge embarrassment for a browser that sells itself as the “safe” alternative to IE. Apologies for the delay in this story. Sometimes, life gets in the way of schedules.

3/22/2005

IE Unsafe 98% of the Time

Filed under: — COJones @ 4:48 pm

This TechWorld article postulates that Internet Explorer, even when fully patched, is rarely safe. In fact, it was only possible to have a safe version of IE for 1 week over the course of 2004. Compare that to Firefox, which was safe for about 310 days. Certainly not good news for Microsoft, which has been pounding the drum about how much safer their software is than alternatives.

The FUD war over browser security has been going hot and heavy for years now. Even with all of the loudly exclaimed loyalties on either side, nobody has ever presented any real evidence. Microsoft’s “Get the Facts” campaign ran into problems when some of their sources began to demand that Microsoft remove quotes from them. The OSS community has gotten a few black eyes from “independent” studies. We have all heard (endlessly) how one browser or the other is inferior due to some test algorithm that requires creative math, insane logic, or a huge leap of faith.

This study just says that if you used IE, you were vulnerable to a known flaw for 358/366 (97.8%) of the year, but if you used Firefox, you were only vulnerable 56/366 (15.3%) of the year. Seems pretty cut and dried to me, as long as we can trust the data.

3/9/2005

DoS Deja Vu?

Filed under: — COJones @ 11:33 am

The web is buzzing (albeit mildly) about another LAND attack that can affect Windows XP and 2k3 server. The Cnet story is a good place to start. In a nutshell, this type of attack sends an incorrectly formed packet to a machine and relies on it to handle the packet incorrectly, setting up a routing loop that consumes most/all of available resources for a short time. LAND attacks first surfaced in 1997. Remember that point.

Microsoft admits the vulnerability, but claims that it can only slow down a machine, and that the firewall (included since XP SP2) blocks it. I think they missed the point. They have just been informed of a bug-based vulnerability that first surfaced in 1997. It’s a relatively simple matter for a company the size of Microsoft to test for the presence of this bug when they test their releases. Why wasn’t it found? Was the release tested?

Bugs happen… but when bugs have been known for 8 years, and they re-appear in the system, they should be considered an enormous embarrassment.
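The malformed packet behind a LAND attack is a TCP SYN whose source address and port have been spoofed to equal the destination's. As an added example (not part of the original post), here is the check a sensor or packet filter could apply to raw IPv4 packets; the function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

TCP_PROTO = 6
SYN_FLAG = 0x02
ACK_FLAG = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, ip_options=b""):
    """Construct a minimal IPv4+TCP test packet (checksums left at zero).

    ip_options must be a multiple of 4 bytes long.
    """
    ihl_words = 5 + len(ip_options) // 4
    total_len = ihl_words * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                     0, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0)
    return ip + ip_options + tcp


def classify(packet):
    """Return 'land', 'ok' or 'unparsed' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "unparsed"
    ihl = (packet[0] & 0x0F) * 4          # header length varies with options
    if ihl < 20 or len(packet) < ihl:
        return "unparsed"
    if packet[9] != TCP_PROTO:
        return "ok"
    frag_field = struct.unpack("!H", packet[6:8])[0]
    if frag_field & 0x1FFF:               # later fragment: no TCP header here
        return "ok"
    if len(packet) < ihl + 14:            # need ports and the flags byte
        return "unparsed"
    src, dst = packet[12:16], packet[16:20]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    # Classic LAND shape: SYN with identical endpoints on both sides.
    if src == dst and sport == dport and flags & SYN_FLAG:
        return "land"
    return "ok"


def scan(packets):
    """Classify a sequence of raw packets, preserving order."""
    return [classify(p) for p in packets]


# Constructed sample traffic (documentation addresses from 192.0.2.0/24).
NORMAL_SYN = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, SYN_FLAG)
LAND_SYN = build_ipv4_tcp("192.0.2.20", "192.0.2.20", 139, 139, SYN_FLAG)
LAND_WITH_OPTIONS = build_ipv4_tcp("192.0.2.20", "192.0.2.20", 139, 139,
                                   SYN_FLAG, ip_options=b"\x01\x01\x01\x01")
SELF_ACK = build_ipv4_tcp("192.0.2.20", "192.0.2.20", 139, 139, ACK_FLAG)
TRUNCATED = LAND_SYN[:30]

SAMPLES = [NORMAL_SYN, LAND_SYN, LAND_WITH_OPTIONS, SELF_ACK, TRUNCATED]

if __name__ == "__main__":
    for verdict, pkt in zip(scan(SAMPLES), SAMPLES):
        print(f"{verdict:9s} {len(pkt)} bytes")
```

Because the check needs nothing but the packet's own headers, it can run statelessly at a border filter, which is also why a regression test for it is cheap to keep in a release suite.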

3/8/2005

Calling All Hackers!

Filed under: — COJones @ 1:06 pm

Found on Slashdot today: a break-in challenge from Linuxense. It’s just a bragging rights challenge… no cash prize. They will be putting a “generic” Linux box online without a firewall, and they are challenging the Linux / Security community to try breaking in.

Obviously, it is part of some type of publicity stunt. If the system stays up, we’ll be hearing all about how “robust” (dontcha hate that buzzword) someone’s Distro/app is. Details are sketchy at best, with no mention of which distro, apps, or security software are on it. If the machine is successfully broken into, we will probably never know any of the details of the system. It is also unlikely that the owners will publicize the name of anyone who might break in. Still interested? Follow the link at the beginning of this article. (Hint: if you don’t know how to do that, don’t bother entering the contest)

2/25/2005

OSS Web Apps Flagged With Flaws

Filed under: — site admin @ 11:00 am

phpMyAdmin and phpBB have been flagged with security vulnerabilities. If you aren’t running a web server, you probably won’t need to worry about any of this. If you are, then the latest patch levels contain fixes for the vulnerabilities.

2/24/2005

Current Spyware Legislation

Filed under: — site admin @ 6:34 pm

eWeek has a small article about 2 House anti-spyware bills. Apparently, the software industry favors the one that doesn’t require consent before installing monitor software, citing that “helpful” programs will get caught in the trap.

I beg to differ for 2 reasons:

1) If you don’t ask the user to install your monitoring software, he will have no way of knowing what is “helpful” monitoring software and what is spyware.

And more importantly:

2) As soon as you allow “helpful” monitoring programs, some lawyer will find an easy way to define his clients’ spyware as “helpful”.

Anything that doesn’t require consent is just another piece of “feel good” legislation.

2/23/2005

A RootKit Defense Tool That Actually Exists

Filed under: — site admin @ 12:07 pm

Recently, Microsoft announced that it was working on a rootkit identification tool. Well, Slashdot has a link to a rootkit tool called RootkitRevealer, and it is available for download now. Though the practice of booting from a known media to ensure absolute control of what runs isn’t a new idea, I believe this is the first time I’ve ever seen it applied to the security market. I’m sure a few security experts are out there slapping their foreheads saying “D’oh! I should have thought of that!”.

Unfortunately, RootkitRevealer doesn’t say anything about how to remove the rootkit, just how to find it. Hopefully, Microsoft’s will.

2/22/2005

Update Your AV Def Files

Filed under: — COJones @ 7:46 pm

There is another rash of mailer worms out there. Latest to make the scene are a new Sober worm and yet another MyDoom variant. More juvenile twiddling by those too stupid to write real software.

2/17/2005

More Flamebait About Windows Safety

Filed under: — site admin @ 4:45 pm

Once again, we have someone postulating that Windows is safer than Linux despite all evidence to the contrary. The latest is an article I first ran into on Slashdot about a theoretical Windows system vs. a theoretical Linux system. Once again, a purely theoretical analysis of MS’s security based on trusting MS to accurately report flaws has proven that all of the data collected must be wrong. Of course, the theoretical model can’t be wrong, so the data must be.

We should pity the students at the Florida Institute of Technology. Their professor just failed his lab test. Miserably.

2/16/2005

SHA-1 Not as Secure as Previously Thought

Filed under: — COJones @ 7:18 pm

SHA-1 has taken a few hits against its ability to secure data. The latest one ups the odds of attack from a message digest collision from one in 2 to the 80th, to one in 2 to the 69th. I don’t know about you, but I’m still not worried about someone breaking my hotmail password that way. If they give me the cost of the compute power necessary to break it, I would just sell them the password ;-)

2/11/2005

Microsoft Continues to Insist That Windows is Safer Than Linux

Filed under: — COJones @ 7:03 pm

You can set your calendar by Microsoft’s assertions about security. Ho Hum. Windows gets slammed by a bunch of vulnerabilities, they release the patches, they say “at least we aren’t as bad as Linux”. It all seems to happen every month at Microsoft’s pre-appointed patch time.

You have to understand… vulnerabilities appear once every month. Since MS is the only company with a monthly patchfest, they must be the most secure. Wanna buy a bridge?

2/9/2005

Symantec Security Vulnerabilities

Filed under: — COJones @ 6:02 pm

In a really ironic twist, Symantec’s competitor has announced a vulnerability that affects all Symantec products. Physician, heal thyself.

Windows Security Downloads

Filed under: — COJones @ 5:49 pm

This month’s crop of Windows updates appears to contain no less than seven critical patches. It is nice to see that Microsoft is finally marking some of its flaws as critical. If you aren’t set up to automatically update your system, it’s probably a good idea to download these patches from Windows Update.

2/8/2005

Here’s A Switch: Security Flaw In Every Browser except IE

Filed under: — COJones @ 2:20 pm

As was widely reported yesterday, there is a major spoofing flaw in every gecko-based browser on the market. This includes Firefox, Mozilla, Opera, etc. Everyone except IE. Check out the article at TechWorld.com.

Well, looks like the Mozilla guys better get to it, or risk looking like hypocrites. You know you don’t have much time before Mr. Gates starts the FUD.

2/7/2005

Is MCI Knowingly Enabling Spammers?

Filed under: — COJones @ 5:55 pm

According to this TheRegister.com article, Spamhaus is accusing MCI of knowingly enabling illegal spam gangs and making a profit from it. If the contents of this article are true, MCI’s assertion that they can’t do anything about it won’t stop the impending doom. Every business has the right to institute a code of conduct for its customers. You need to do something about this before the community at large does it for you. Sounds like the first thing to do is fire your legal department and get a new one.

2/2/2005

SunnComm (*giggle*) fixes its “shift key” bug (*BWAHAHAHA!!*)

Filed under: — COJones @ 4:57 pm

Remember SunnComm? That company who made the most HILARIOUS booboo in software history? The DRM app that could be circumvented by holding the shift key down? THEY’RE BACK! Check out this article at TheRegister.com for the story.

If a company is reckless enough to release a product like that in the first place, then compound the error by filing a lawsuit that calls attention to their blunder, would you take them seriously?

A DRM scheme that blocks copying but still plays in old CD players is never going to be secure. A simple LINE-OUT to LINE-IN patch cable gets around that. If you’re looking to hack it while it’s still digital, look at sound card filter drivers. Any way you slice it, this kind of DRM is meant to keep the general public from making backup copies, but does ABSOLUTELY NOTHING to stop the pirates they claim to be chasing. The only thing this technology does is to keep honest people honest… and that doesn’t require DRM.

Now that I’ve stated the common sense of the subject, is there a lawsuit in my future?

Jabber Assault Worse than Expected

Filed under: — COJones @ 4:30 pm

According to TheRegister.com, a recent attack on www.jabber.org was far worse than expected. An audit found that initial compromise was done by a root kit more than a year ago. If you have had any dealings with www.jabber.org or JabberStudio, you may need to validate your code.

2/1/2005

Belgium Gets Assimilated

Filed under: — site admin @ 4:41 pm

MS and Belgium have teamed up (?) to integrate electronic ID cards with MSN Messenger. Slashdot has some reactions. Just lovely. Now Belgians get the chance to have their EID exposed to IM hackers.

This sounds like the premise for a really bad SCI-FI movie where a mega-company run by a megalomaniac gets complete control of everybody’s identity, and erases all memory of those who get in the way. Sound familiar?

1/31/2005

The Next Big Threat: Pharming

Filed under: — COJones @ 2:51 pm

It looks like there is yet another Internet hazard to avoid out there. TheRegister.com offers this brief article on pharming, a new way to lure unsuspecting victims into giving away their identities.

1/28/2005

Finally… A Security Discussion Without FUD!

Filed under: — COJones @ 11:07 am

In this NewsForge article, Dan Razzell answers some direct questions about security without attacking any specific OS. Lots of these principles have been known and repeated over and over in the FUD from all sides of the security dispute. Usually someone is using them to tell you how wonderful/terrible Linux/Windows is. This time, they are presented as basic principles, rather than OS features. It’s nice to see that someone is finally trying to apply the KISS principle to security.

1/27/2005

Are You More Secure Online than Offline?

Filed under: — COJones @ 12:21 pm

It seems that your identity is safer online than with your friends, family, and neighbors. Lots of people use a firewall and an AV app when they are online, but wouldn’t think of shredding documents before throwing them away. Just remember one thing: CC numbers are easier to extract from paper than they are from a PC.

1/17/2005

MyDoom Comes Back for Another Round

Filed under: — COJones @ 4:30 pm

Our old friend the zombie-recruiter MyDoom has returned with another variant labeled MyDoom-AI. This one spreads via email, so use the customary paranoia when opening something that you can’t readily identify.

Spammers may not be the brightest bulbs in the scoreboard, or even capable of an original thought, but you have to admit they are persistent. How many MyDooms have there been?

1/14/2005

Linux Patch Batch

Filed under: — COJones @ 8:47 am

Red Hat, Suse, and Mandrake released a bunch of Linux patches, some of which were labeled “extremely critical”. They mostly concern DoS and local DoS vulnerabilities in .pdf and pixmap libraries.

Sidebar: For those running Fedora Core 3, kernel 2.6.10-1.741_FC3 is available.

1/11/2005

“Extremely Critical” IE Flaw

Filed under: — COJones @ 12:56 pm

Yahoo is reporting that another extremely critical IE bug has been reported. The bug has been known for a while, but security folks think it is much easier to exploit than they originally expected. This one takes advantage of drag-and-drop, and is pretty insidious. Check out the article for countermeasures.

Update: Though originally thought to fix this bug, the recent pile of patches only lessens the effect of this hole. Not sure how, but that’s what MS is saying. A patch is now in the works. I wish my previous mention of a fix were really true. Oh well, I only know what I read in the papers ;-)

Spyware Disguised As DRM: A Classic Hack

Filed under: — COJones @ 12:34 pm

It looks like the Spyware people have figured a way to use the Digital Rights Management features of Windows Media Player to load spyware on your PC. According to this article, the spyware comes disguised as a DRM-encumbered file. When WMP tries to acquire the rights to the file, it actually ends up going to a site that loads spyware on the machine.

The attack itself is a classic. It’s the kind of “in your face” method that is attractive to the hacker community. The surprising part of it is the fact that the entire thing seems to be funded by otherwise reputable online companies. Check out the article to see who they are. You’ll probably be surprised.

1/10/2005

Microsoft AntiVirus Due Tomorrow

Filed under: — COJones @ 7:04 pm

Microsoft’s new antivirus software is due to be released tomorrow as a critical patch. The first version is geared toward squashing the top 10 worms out there. Updates are expected to be done on a regular basis, with emergency patches pushed out for major viral outbreaks. If your Microsoft update is set to automatic, expect to get the patch tomorrow. If not, you can download it from MS.

1/7/2005

Linux Local Root Flaw Found

Filed under: — COJones @ 4:57 pm

A flaw in the way that certain executables are loaded in Linux can allow a local user to gain root privileges. This is one of those flaws that you can ignore if you don’t have any login users on your machine, or if you trust all of your users. For all other cases, it can be a pretty big security nightmare. This flaw is found in all 2.4 and 2.6 kernels, and there isn’t yet a workaround or patch.

Microsoft to Add Anti-Virus Next Week

Filed under: — COJones @ 11:03 am

On the heels of their AntiSpyware release, Microsoft is releasing an anti-virus application on Tuesday. According to MSN (another Microsoft venture), the program will be free, and will provide regular updates. It looks like McAfee and Symantec have been Netscaped after all.

MS’s release of AntiSpyware made the PC security market a little “icky” (for lack of a better word). This one continues that trend by destroying the companies that tried to keep MS honest. Oh well. As I said before, building a business based on someone continuing to make mistakes is a really bad idea.

Mozilla, Firefox, and Thunderbird Security Flaws

Filed under: — COJones @ 10:26 am

Security Focus is reporting that there are buffer overflow, spoofing, and temp file disclosure vulnerabilities in older versions of Mozilla, Firefox, and Thunderbird. These flaws can allow problems ranging from a hijacked browser to exposed mail attachments. Luckily, all of the latest versions of the software are free of these flaws. Check your version against the versions listed in the table and upgrade as necessary.

1/6/2005

Microsoft releases Anti-Spyware beta

Filed under: — COJones @ 2:33 pm

Microsoft has released a beta version of their AntiSpyware application. You can also check it out here. The program is based on the Giant AntiSpyware application that they obtained from last month’s acquisition of Giant. You can check out a decidedly MS-friendly review of the product. Yahoo has a much more neutral announcement that doesn’t have a review of the software. I found a few mentions of the software online, most of them saying that the software seems to perform its job fairly well, but the GUI is buggy, and it crashes too often. Bugs like these are forgivable behavior for a beta version. I have no doubt that these obvious bugs will be fixed in time for the final version.

This release presents a strange situation. If Microsoft ends up charging for the software this summer (the beta ends in July), then they will be selling a patch for bugs that they created, and should therefore be expected to fix for free, or at least in the next version. In addition, it seems a little shady to have an entire product that depends on you not fixing your own bugs. It all grates on my sense of right and wrong.

Whether they decide to charge for the product or not, it looks like a lot of Web security companies are about to get shut out a lot like Netscape did in the browser wars. You really can’t fault MS this time. The web security guys made a living from cleaning up after Microsoft. Any business model that depends on the continued screwups of another company is a bad one.

12/24/2004

New Security Category Added to Weblog

Filed under: — site admin @ 4:42 pm

I’ve added a Security category to the weblog. If you hear of any vulnerabilities in any of the major OS’es or application packages, please post it here. You might also want to check this category every now and then to see what recent vulnerabilities have been reported.

I moved some earlier posts from the Tech News and General categories into Security because they fit the new category better.

New Windows exploit could have far reaching consequences

Filed under: — COJones @ 4:20 pm

C-Net is reporting that a new Windows exploit can compromise a machine by displaying a specially written image file. Since this is a flaw in one of the libraries that Windows uses to load images, it is likely to appear in all browsers, email packages, and anything else that displays an image. It is unlikely that switching browsers or email software will help at all. You can help reduce your vulnerability by setting your emailer to NOT display images in email. Other than that, you would probably need to change OS’es to avoid this one. Hope for a timely patch, good luck, and Merry Christmas are about the only other bits of advice I can give.

12/23/2004

Linux lasts longer than Windows (but nothing lasts forever)

Filed under: — COJones @ 4:15 am

Linux lasts longer, at least according to this CNet article. Unpatched systems on the internet last for two months in the case of Linux, 4 minutes in the case of Windows. I know which one I’d be able to patch before getting compromised.

All FUD aside, Linux is much better for an “always-on” connection, but it still isn’t good enough. My advice: put both systems behind a firewalled router and close all ports except the ones you absolutely need. In the case of your average home user, there will be no servers inside of the firewall, so all ports can remain closed up tight. If you decide to run a server, just forward that port to the server machine. In my house, I run an email server, a web server and DNS. I have only the necessary ports open, and they connect to a Linux machine running all of the servers.

Firewalled routers are cheap these days; I got a 4 port router with 802.11 b/g wireless support for about $70, and that was 6 months ago. The firewall is worth every penny, although the wireless was my real reason for the purchase.

Once you get the firewall set up, install Firefox on all systems. Mozilla would also be OK, and it is a fine browser, but it is a bit too unwieldy for grandma, or even a teenage girl to handle. Whether you believe MSIE gets hacked because it is more buggy or because it is more popular is irrelevant… Switch to Firefox anyway. Then set Firefox to block all popups. That will end all of your problems with spyware right then and there.

Email is a different problem. Outlook, Thunderbird, whatever email program you use, will still have lots of problems catching any virus that comes in. Email vulnerabilities can be manageable if you follow a few simple rules. Never turn on previews. Never open anything that you aren’t sure of. If you can’t trust yourself (and you probably can’t), buy something to scan your email. Norton, McAfee, whatever.

I’m going on 5 years of having an “always on” connection, and I haven’t lost any data or gained any viruses yet, despite having 2 teenage daughters online a majority of the time, and my network server online 24/7. Spyware and spam are a different story… I’ve gotten my share of those ;-)

– end of fatherly advice
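
The default-deny-plus-port-forward setup described in the post above, sketched as an nftables ruleset for a Linux box acting as the router (an added example, not part of the original post; the interface names and the internal server address are assumptions):

```nftables
#!/usr/sbin/nft -f
# Assumed names: eth0 faces the internet, eth1 faces the home network,
# 192.168.1.10 is the one internal machine running mail, web and DNS.
flush ruleset

define wan = "eth0"
define lan = "eth1"
define server = 192.168.1.10

table inet filter {
    chain input {
        # Traffic addressed to the router itself: drop unless allowed.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname $lan accept
    }

    chain forward {
        # Traffic passing through the router: drop unless allowed.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Home machines may open connections outward.
        iifname $lan oifname $wan accept
        # Inbound: only the forwarded services, only to the server.
        iifname $wan ip daddr $server tcp dport { 25, 53, 80 } accept
        iifname $wan ip daddr $server udp dport 53 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Forward SMTP, DNS and HTTP arriving on the WAN side.
        iifname $wan tcp dport { 25, 53, 80 } dnat to $server
        iifname $wan udp dport 53 dnat to $server
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Share the single public address with the home network.
        oifname $wan masquerade
    }
}
```

Every port not named in the forward chain stays closed from the outside, which matches the home-user case in the post when the two server rules and the prerouting chain are left out.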

12/17/2004

Just in time for the Christmas shopping season…

Filed under: — COJones @ 5:47 pm

Another major IE bug has been identified. This one allows any web page to be spoofed, and there is currently no workaround. I suggest you look this one over before using IE again. Better yet: get Firefox and avoid the problem altogether.

12/15/2004

Christmas Email Worm

Filed under: — COJones @ 7:32 pm

Be careful about opening those Christmas e-cards. eWEEK is reporting that the new Zafi-D worm is using a yuletide social engineering trick to spread itself in several different languages. I guess nothing is sacred to worms or to the worms who write them.

What those Windows patches were…

Filed under: — COJones @ 9:20 am

There is a new batch of windows patches out for December. In my case, the auto updater installed them with only a generic description that said something like “a security vulnerability has been identified… blah blah blah”. If you wanted to know a little more about what you downloaded, check out this list provided by Neowin.

12/8/2004

Pop-Up exploit for all browsers

Filed under: — COJones @ 3:32 pm

eWeek is reporting a browser exploit that affects all (or at least most) of the browsers that run on Windows and Mac OS X. No word on Linux in the article, but the fact that they mention Konqueror isn’t very promising. Shall I say it? Get Firefox, Disable Pop-Ups, Done!

12/1/2004

Windows can last 4 minutes!

Filed under: — Spork @ 1:08 am

It looks like the amount of time an unpatched windows system will last on the internet is down to 4 minutes.

Can you install the patches in 4 minutes? I’d like to see ya try!

11/30/2004

Keyboard Logging Legal?

Filed under: — COJones @ 2:30 pm

USA Today reports that a US District Court Judge has ruled that keyboard logging does not violate federal wiretap laws. My question is: Does this allow a hacker to insert a keylogger without fear of arrest? I can already see that this means that my co-workers can install a keylogger on my work desktop and obtain my passwords, account numbers, or anything else they want. Yet another Stupid Judge Trick.

11/29/2004

MS admits that WINS is a flaw

Filed under: — COJones @ 6:32 pm

eWEEK is reporting that MS has acknowledged that WINS is a flaw. OK, so maybe they really said that WINS has a flaw. Honestly, if you are dumb enough to run a Windows server and WINS, or even if you leave the ports open on a home network, you are inviting trouble. Please Please Please put a decent firewall between you and world+dog.
