Saturday, January 14, 2006

Speaking of Trustworthy computing....

The link in the title goes to the latest Security Now podcast with Leo Laporte and Steve Gibson. Steve releases his current information about the WMF Vulnerability. He says that the WMF exploit was a deliberate backdoor, by somebody at Microsoft, and there's no way that it was unknown. One does have to go to a website that could take advantage of the exploit though.

He came to this conclusion while trying to determine if 95, 98 and WinME were vulnerable or not to the wmf exploit, and had to come up with a file that would test the exploit in the earlier Operating Systems. Steve gets into a bit of an arcane discussion re: bits of data in wmf files, when all of a sudden he says it had to be deliberate. That woke me up! It'll be very interesting to see what happens on this issue, in the next week or so.

--MissM
P.S. At first, I assumed that the MS patch had been forced on his machine, since this was so public (referring to Jack's post below).
P.P.S. I assume the fix, fixed the exploit, er backdoor?

UPDATE: 'Windows backdoor' theory causes kerfuffle |CNET News.com

Further UPDATE: Microsoft Security Response Center Blog! : Looking at the WMF issue, how did it get there?

PCWorld.com - Symantec, Kaspersky Criticized for Cloaking Software

More companies are using Root-Kits now!Mark Russinovich, chief software architect with systems software company Winternals Software, says that the techniques used by Symantec's Norton SystemWorks and Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques that malicious software uses to avoid detection on an infected PC.

Friday, January 13, 2006

Anti-Spyware Coalition Risk Model Description

The link above is not to the Anti Spyware Coalition's home page, but to their definition of "risk modelling" in relation to these programs.

I have no idea whether the ASC can actually make a difference and to be perfectly honest, I have my doubts. No matter that; they're trying to do well by users and that must be applauded.

Check it out. Send them feedback if you think you can be of help. Anything is worth a shot to make this plague upon users better.

JacK

A Time to Patch

The link is to an article on The Washington Post's web site. In it, Brian Krebs examines the timeliness of Microsoft' patching of security vulnerabilities. According to Krebs, it is not a pretty picture.

It seems MS assigns priority to patches based on how much the public knows of them. Those that have gotten publicity get higher priority in Redmond than those that don't. And regardless of publicity, Kreb's analysis shows MS is actually slowing down in it's responses to vulnerabilities.

Isn't Trustworthy Computing grand?

Jack

Microsoft patches without permission

I had no idea this was the case and have heard no reports of it until this blurb made it to my attention.

Apparently; even as MS played down the severity of the WMF vulnerability to us, they were taking it so seriously that they chose to over-ride the patch installation settings on machine to install this patch the instant it was received, rather than waiting for the administrator to do the deal. The subsequent reboot must have thrown a wrench into at least some operations.

So; we see Microsoft saying one thing about a security problem and acting in such a way as to convince me they knew differently all the while. So much for Trustworthy Computing".

Jack

A Reasonable Discussion of Digital Rights Management

Victor Yodaiken has written an article posted at Groklaw about problems associated with widespread DRM. I recommend this highly, though the author does have a viewpoint of his own, he tries really hard to express only technical problems and not get into philosophy or law.

Yodaiken accepts that pervasive DRM is coming and concentrates on which problems have to be solved before DRM becomes a danger to users or their data.

The same author has written "DRM Out of Control" at Linuxdevices.com.

Jack

Microsoft Support Lifecycle

Updated today, according to ISC. Online support for XP Pro [my flavor of XP] until 2011, a full list of links by product, handy resource.

--MissM

F-Secure : News from the Lab

To add to Jack's post about Symantec's RootKitAccording to F-Secure Norton's Rootkit was part of a well documented feature, its related to recovering deleted files. Evil program writers could have hidden there, but apparently none had done it yet, as I read it, and now it can't be exploited, according to Mikko at F-Secure.

--MissM

Thursday, January 12, 2006

Linux is Not Windows

A VERY good opinion article on why Windows users find using most Linux distros does not mimic the Windows experience. If you've ever had any interest in trying Linux, or of converting your operations to it, this will clarify both the issues and what you are getting yourself into.

Jack

Mark's Sysinternals Blog

Mark Russinovich is the person who discovered Sony's XCP rootkit. His current blog entry is an almost sickening account of misleading spyware/adware popups that sell dodgy anti-spyware apps. Ben Edelman has other documentation of the same sort of thing.

If you need a refresher course in what we are up against in terms of spyware/adware, this is it.

Jack

More RootKit Madness

This time it's Symantic. One would think a vendor of security products would know not to do stuff like this, but evidently they included a rootkit function in Norton SystemWorks.

This is downright disgusting.

Jack

Wednesday, January 11, 2006

New Wi-Fi standard back on track

The link is to a story on CNet's News.com.

Peter and I alluded to the fact that some hardware for 802.11n is already on the market, such as AirLink's "MIMO" parts. These are built to the company's best guess as to what the "n" standard will be, not to the standard itself. This has the potential of causing interoperability problems to kit made to the actual standard.

This new spirit of cooperation is essential to speeding codification and adoption of the standard. When that is done, all products will (in theory) interoperate smoothly as we can spend our money on kit with confidence it will work in all or most situations.

Jack

Should Apple Open Up?

The link above will take you to a current article in Business Week's web site. I got the link from my friend, Waleed al-Shobakky, who is attending university in Qatar.

Though Apple is almost completely without a commercail presence anywhere except the US and western Europe, the company garners a lot of attention in the rest of the world. Almost an amazing amount of attention.

I don't think Apple should open up any part of their digital entertainment operations. However; I do think they are missing a lot of income by not selling OS X for x86 as a standalone product. Actually, I would see that as a grand move to drive their digital entertainment market forward, besides generating a boatload of profits.

Doing so could conceiveably drive Apple's market share of operating systems above 10% and 20% is not beyond possiblity. Rather than the iPod generating operating system and hardware sales, I could see operating system sales generating a much more widespread presence in digital entertainment, which is where the real money is.

Apple does not have to attempt supporting the vast majority of hardware, as Windows does. They only have to support a small subset of x86 stuff. They can line up strategic partners for this and support no other products. That's doable without great development costs to drain their profits.

If they don't do this, and relatively soon, I think they'll be missing a chance to really grab the maket and lead it, despite their minority share.

Jack

Skype - the bandwidth hog

From Om Malik's blog... some interesting observations, comments and links about Skype. Several of us here use Skype and have had pretty good results. Apparently though, there are some bandwidth and security issues. For some of us, these aren't serious enough issues to stop using Skype, for some others they are. Interesting food for thought, though.

NOD32 now detects rootkits

NOD32 scores again! "Today, Eset’s ThreatSense technology represents the only integrated solution able to protect from even unknown rootkits proactively. According to Eset’s chief software architect Richard Marko, the technology is very effective with detection rate in company’s internal tests on the level up to 90%..." This seems a significant development because of the incredible stealth of rootkits. Check out the article. Folks, I'm not just praising NOD32 because of OnComputers (although I'm always glad to support O.C. when possible) but I've been using NOD32 for several months on every computer system that I own or support and the results have been as near perfect as you could get; it hasn't missed a single threat or potential threat. Joe's not kidding when he says it's the best A/V available today. And recently, Jack brought to my attention that NOD32 is one of, if not the the least resource-intensive A/V available. There are certainly other good ones (and some not so good) but IMO, it's the best, and definitely worth the money. Here's to "safe computing"...

Tuesday, January 10, 2006

Feds Give MySQL Thumbs Up

In granting a GSA contract to sell MySQL relational database software into the federal government for the next four years, the Feds have blessed another component of open source software. Bad news for Microsoft, Oracle and IBM. The maturity of MySQL was a factor in the decision.

The U.S. federal government also met in November to flesh out a process of building an open-source software stack that will be used across agencies to develop, deploy and maintain applications across their life cycle. That stack will include such open-source components as the JBoss application server and the Eclipse application development environment. I find such a federal software stack very interesting, primarily because it will likely create a parallel non-government use of the open source stack by enterprise and commercial software developers.

Microsoft to hunt 'new species' of bugs

Yet another take on Microsoft's WMF vulnerability and the patching thereof.

Remember what this article makes clear. What turned out to be a vulnerablity was intended originally as a feature. We can extend that to include other parts of Microsoft's various code bases and realize what security researchers have known for a very long time (this includes both the good guys and the bad guys); A large fraction of MS' code base in both operating systems and applications is quite old and from a kinder, gentler time when organized crime wasn't keen to exploit any vulnerability. Therein lies a large part of the problem. It's not that Microsoft can't write secure code. It's that they really didn't need to when a large part of their code was written.

Not all legacies are good.

Jack

Apple's Jobs Wows the Crowd at Macworld

Apple Computer introduced new Intel-powered desktop and notebook computers, said its wildly popular iPods helped drive a 63 percent jump in holiday quarter sales, and indicated it sold 1.25 million Macintosh computers during the holiday quarter when sales at its own retail stores were about $1 billion.

Apple sold 14 million iPods music and video players during the holiday quarter and 42 million to date. Jobs said that iPods were supply-limited. Speaking at the company's annual Macworld conference in San Francisco, CEO Steve Jobs claimed the iTunes store has so far sold 850 million songs.

The strong demand for iPods and Macs fueled a 63 percent jump in revenue to a record $5.7 billion compared with a year earlier, beating Wall Street concensus.

The company introduced new computers based on Intel Corp. chips. The company's new line of iMac computers would come in the same shape and sizes as the existing G5 line of iMacs, with starting prices at $1,299 and with twice the G5 performance. It also introduced a new high-end laptop called the MacBook Pro that will replace its PowerBook series, starting in February at prices beginning at $1,999. Some eyebrows were raised as Apple will be shipping the new Intel-based products six months before it said it would. The early shipments are likely to fuel a greater whole-year market share gain by Apple.

iLife photo and media software is updated in a new version of its suite of digital media editing tools for use in organizing and editing music, photos and movies and Web sites. ILife, which costs $79, also includes the ability to edit high-definition videos.

With its own stores generating over $22 million in annual sales each -- Best Buys stores do about $30M -- the company is clearly profiting by its own channel. Recall how Gateway tried the same strategy and failed.

Wall Street was ecstatic.

Paul Allen's Hobby Web Site

It seems like everyone my age (except me) started computing on Digital Equipment Corporation's PDP series of computers. Indeed, they are still mentioned fondly and a few are still in use. Certainly the successor to the PDP series, the VAX is still going strong in many businesses.

DEC is no more, but their influence is still strong in the history of computing. Microsoft co-founder Paul Allen has an old computer museum and a web site about them. It really is a work in progress, but there is enough there to satisfy a lot of your curiosity and whet your appetite for more.

Jack

Wow, Microsoft Sure Patched That One Quickly!

This is Larry Seltzer's look back at the WMF vulnerability in Windows and the surrounding flap. It's worth a look and pointing you toward that will keep me from having to write it up.

The article points out that it is hard for Microsoft to be believeable when they say that security is their highest priority when they have vulnerabilites of which they have been aware going unpatched for over half a year! The tired old excuse of having to test every patch and release it in multiple languages simultaneously doesn't hold water. Why can't they devote a very small part of their billions in yearly profits to expanding the security team to the point where they can make timely improvements when flaws are found?

Microsoft has indeed made great progress in security. I don't understand why they cannot go farther faster.

Jack

Strip Out The Fans, Add 8 Gallons of Cooking Oil

Save this url for when you need a bit of comic relief.

It's a real experiment and had a good result, but filling a sealed PC case with pure cooking oil as a coolant is a bit much and makes me think the folks at Tom's Hardware have a bit too much time on their hands and money for their own good.

What they ended up with is a high-performance PC that operates totally silently. No fans to disturb the user at all!

If you do this with Intel Xeons, you can make french fries.

Jack

Mercury ships PS3 - kind of

I've been watching the emergence of the Cell microprocessor in areas other than the PlayStation 3 and thought to point this one out to you.

The article grudgingly makes the point that gaming is related to other fields where data visualization is used. We're not talking about simple graphs, here. But visualization of seismic or medical data. There are actually a large number of fields where this is very important. Intense calculation is required and the Cell does it all in this area.

Expect to see a lot of this sort of Cell implementations. It's a marvelously well suited device for this. IBM and their partners have what looks like a killer design win here.

I want one. Jane? You missed my birthday. Better late than never.

Jack

Engadget says " Samsung combo HD DVD/Blue-ray a no go"

It looks like licensing issues will keep a combo player from getting to market in the near, if foreseeable future. That stinks, and is NOT consumer friendly. I just hope that it gets straightened out soon, or we are gonna be caught in a Beta/VHS war (if I'm not dating myself). :)
Have you decided on a format or approach to this conflict?

--MissM

I read somewhere this morning that XP Pro isn't gonna be supported after 2006. Doesn't that mean Vista HAS to be out in 2006? ;)

Buy a Local PC, Get a Vacation for Two

From one of the ads served up on this blog, I find a fascinating deal: buy a PC from a local builder with genuine Windows XP, and get lots of prizes worth up to $615. But wait, the average PC costs about $615, so that means you get a vacation and a free PC.

Served up at Microsoft Windows Marketplace, this appears to be a real marketing campaign -- as opposed to "click here and win a free iPod" scams. But I'll be damned if I can make out the economics.

So, hey, support your local PC builder!

[Full Disclosure: several of the hosts of the On Computers Radio Show are PC builders]

Microsoft's Vista for Consumers at Home

With all the smoke, mirrors, and speculation about Vista, it has been hard to keep track of the goals for Vista. Here's what Microsoft says about Vista directly from the mouth of eHome division executive Joe Belfiori:

Executive Q&A: Joe Belfiore
Corporate VP, Microsoft Windows eHome Division

This year at the 2006 International Consumer Electronics Show (CES) in Las Vegas, Microsoft Corp. Chairman and Chief Software Architect Bill Gates revealed powerful new innovations for Windows® users that will be launched with the company’s next-generation operating system, Windows Vista™. The following brief Q&A with Joe Belfiore, corporate vice president of the Microsoft Windows eHome Division, will provide a sense for what the upcoming changes to Windows will mean.

How does Windows Vista improve consumers’ experiences?
Microsoft® Windows Vista offers four clear categories of benefits, the first being that it makes it safer and easier to accomplish everyday tasks. Windows Vista features safer browsing, greater control for parents over what their children view, and enhanced protection from threats such as viruses, worms, and other attacks. Second, the operating system features enhancements to help users instantly find what they want. These include integrated search capability throughout the operating system and a fresh, new interface that will help people find and organize information in a fast, personalized way. Third, Windows Vista enables people to be connected at home or on the go with fast off (previously called instant on/off) capabilities, a new mobility center that enables people to access and change mobile computer settings easily from one place, and new features that allow quicker and easier connecting and syncing while on the go. And fourth, Windows Vista will allow people to enjoy the latest in entertainment through new photo and video capabilities, an updated Windows Media® Player and Games Explorer, and an enhanced Windows Media Center experience.

How will Windows Vista change the way consumers use their PCs?
Perhaps the most dramatic change in how people will use their computers lies in the ability of Windows Vista to provide easier and wider access to an integrated yet seamless menu of entertainment functions. Beyond enhancing the users’ ability to work with their music and pictures, Windows Vista will allow them to watch live TV, record TV shows, and access the many Web services that provide “TV-like” content — and they’ll be able to do so using a remote control. The Media Center experience will feature a revamped user interface optimized for high-definition (HD) widescreen displays and large media libraries and will also deliver new HD content through a number of means, particularly by the inclusion of CableCARD support for U.S. cable companies, which will allow for the consumption of cable HD broadcasts. Through these scenarios, Windows Vista marries the worlds of computing and entertainment in a way that’s never been possible before, and we think this is something that consumers are really going to be excited about.

How is Microsoft working to bring this digital entertainment vision to fruition with Windows Vista?
This is a process that actually began with Windows XP Media Center Edition. Because Media Center has become so popular — with sales now surpassing 6.5 million units in just three years — a host of media and entertainment partners have now seen the potential of bringing digital media to the PC in new ways and have begun to build hardware and software that unite the best of the digital entertainment world with the world of computing. As a result, you’re seeing us work with a range of partners and service providers that you wouldn’t have necessarily associated with Microsoft just a few years ago. Today we’re working with companies such as MTV Networks and Showtime Networks Inc. to bring new content to our customers in new and exciting ways.


How does Microsoft envision Windows Vista changing the industry?
Windows Vista has created a buzz among Microsoft’s software, hardware, and services partners because it enables them to build new devices and programs on the platform in a way that wasn’t as easy or wasn’t even possible before. Windows 95 changed the industry dramatically, and we think that Windows Vista will provide a similar, almost revolutionary, raising of the bar for our developer ecosystem and the industry at large. For consumers, Windows Vista will simply provide clarity so they can safely and easily enjoy everything on their PCs, at home or on the go.

Two new WMF bugs found

Strangely enough, these two flaws are not the ones I spoke of during Sunday's show. They are closely related, though. It turns out that the two I spoke of have been deprecated to the level of bugs and are not vulnerabilities.

Before you get too wound up over these, note that they are not rated as nearly as severe as last week's flaw. And as the article says; this is a consequence of the inherent complexity of image handling. While we as users tend to think of images as a simple display task, that is not true. There is a whole lot more to it and that complexity is the reason vulnerabilities are continually found.

Jack

Monday, January 09, 2006

OnComputers Radio show Podcast 01-08-06

This is the On Computers Radio show podcast for 01-08-06. If you prefer, you can download the same file here via ftp.

Sunday, January 08, 2006

Now Here's a Password!

This nifty site generates several unique, long and hard to crack passwords -- just for you! Each visitor gets a different password set from the server.

Intel's Tune: Take Viiv

Viiv (pronounced "five") is a new home-entertainment platform. After ignoring what I thought was fairly obvious for the past five years, the company is finally realizing that its star is attached to microprocessor-based media hubs in the living room.

By using the Napa platform, a new dual-core laptop chip and chipset that's part of the latest Centrino technology, PC form factors can shrink to attractive sizes and shapes that fit better in the living room or TV den. Napa generates much less heat than a Pentium 4, so the Viiv PCs can be quieter and smaller. But Pentium 4's can be used in Viiv's too. The past and next generation of chipsets -- 945, 955 and now 975 provide the I/O. That means high-definition audio is standard. More than 110 PC companies will introduce Viiv PCs in the first quarter of 2006.

Microsoft is a key technology partner because Windows XP Media Center Edition (MCE) 2005 is the preferred operating system. But Intel has also created digital rights management glue software that allows content providers and OEMs to avoid Microsoft's proprietary DRM.

If you have been one of the 6.5 million owners of a PC with MCE 2005, Viiv is a ho-hum product brand launch. But the impact on the industry will be great, nonetheless. The reason is that Intel and Microsoft have cajoled Hollywood into allowing much more content to move into and about our homes on networks. As a result, TV and movie video whizzing over the 'Net and around our homes will be routine in five years.

And lest you think I have missed the 800-pound content gorilla in the corner, fear not. The first Apple products based on Intel processors will be announced at Macworld this week. To Intel's bottom line, it doesn't matter whether they carry the Intel Viiv logo or not -- and I am betting they do not. Apple will be one of Intel's allies in opening up the digital living room.