Sunbelt Weekly IT recap

Speedtest: The new Speedtest beta seems to work like a charm, looks wicked cool, and you can share the results. Link here.

WiFi help: Setting up more Wireless Access Points and need to test signal strength on a “g” network with a Pocket PC or Laptop? Try NetStumbler, here.

VMware tool: Russian Veeam Software developed an app to monitor the performance and resource usage of all the virtual machines running on VMware SV or WS. Free version for personal use. Link here.

New Exchange list: Microsoft just put up their Exchange 2007 Beta Wiki. They called it… “ExchangeNinjas”. I guess we should be flattered.  Link here

Top Ten Active Directory Tips: The inner workings of Active Directory can get so complex, it can drive an admin crazy. Not to fear, though. No one is more adept at the technical side of AD than SearchWinIT.com expert, Gary Olsen. Here we have gathered Gary’s ten best tips from the past year, as rated by SearchWinIT readers. Link here. (free registration required). 

FAQ: Exchange Server Non-delivery Reports:  Exchange Server non-delivery reports (NDRs) indicate e-mail delivery issues due to non-existent, inactive or expired accounts, misspelled e-mail addresses, poor spam filter configuration, and other causes. Get tips on enabling and disabling NDRs, and learn how to decipher and troubleshoot NDR messages in this collection of expert advice. Link here. (free registration required)

VMware Users Worry About VM Sprawl: Server virtualization makes it easy as pie to deploy a new system — maybe a little bit too easy, say industry observers. Can you ever have too much of a good thing? Server virtualization fans are wildly enthusiastic, but even some true believers are worried about how quickly scads of virtual machines (VMs) are being added to corporate IT environments. “We love VMware,” said Tom Dugan, director of technical services at Recovery Networks, an outsourced business continuity provider in Philadelphia. Even so, he’s worried about managing an ever-increasing sprawl of VMs. More here.

SQL Server 2005 Upgrade Hurdles: Before upgrading to SQL Server 2005, consider this collection of potential migration hurdles and pitfalls, from parameters that may cause blocking to default settings that are no longer supported in the new DBMS. Link here

Gartner: Top 5 Steps to Dramatically Limit Data Loss
Public exposure of private data is becoming a regular occurrence, but the majority of these incidents can be prevented if companies implement the proper security best practices, according to Gartner, Inc. Gartner analysts have identified the following top 5 steps to prevent data loss and information leaks:

  1. Deploy Content Monitoring and Filtering (CMF). A CMF solution monitors all outbound network traffic and generates alerts regarding (or sometimes blocks) activity based on inspecting the data in network sessions. CMF tools monitor common channels, including e-mail, IM, FTP, HTTP and Web mail (interpreting the HTTP for specific Web mail services) and look for policy violations based on a variety of techniques. (Sunbelt Messaging Ninja will have a content filtering plug-in before the end of the year)
  2. Encrypt Backup Tapes and (Possibly) Mass Storage. Gartner analysts highly doubt that many of the reported lost backup tapes containing consumer records eventually result in fraud. However, because there is no way to know for sure, companies have to assume exposure anyway. Encryption can ensure that the data will still be safe.
  3. Secure Workstations, Restrict Home Computers and Lock Portable Storage. Workstations and laptops can be a major source of loss, especially when a poorly configured or out-of-date enterprise or home computer is compromised by a virus or worm, and by losing portable storage media, such as a Universal Serial Bus (USB) drive or CD-ROM. “There’s really no excuse for not keeping an enterprise system up-to-date with the latest patches, a personal firewall, antivirus and anti-spyware software,” Mr. Mogull said. “These precautions alone will prevent the vast majority of commonly encountered Internet attacks.”
  4. Encrypt Laptops. If organizations give employees portable computers, employees will store sensitive data on them. Policies don’t matter: Users will always use the tools they acquire, and sensitive data will always end up in unexpected places.
  5. Deploy Database Activity Monitoring. Most organizations struggle to secure existing databases that are rarely designed with effective security controls. While companies eventually need to encrypt some of the data in their databases, database activity monitoring is a powerful security control that’s easier to implement and more viable than encryption for many types of data.

Preventing Users from Disabling a Screen Saver
(This is a really useful tip I ran into from Randy Franklin Smith’s newsletter from the UltimateWindowsSecurity site).

Q: How can I prevent my users from disabling the password-protected screensaver that I configure when setting up new systems?

A: If your computers and user accounts are part of an Active Directory (AD) domain, you can use one Group Policy Object (GPO) to deploy a policy to all your users that prevents them from disabling the screen saver. If you don’t use AD, you’ll need to configure the setting in the local GPO of each computer.

Whether editing a GPO in AD or a computer’s local GPO, maneuver to the User Configuration\Administrative Templates\Control Panel\Display folder in the Microsoft Management Console (MMC) Group Policy Object Editor and enable the “Hide Screen Saver tab” policy. Now when users open the Display applet in Control Panel, the Screen Saver tab just won’t be there for them to access. Note that the Display folder also contains other policies that enable you to configure the screen saver itself as well as its timeout value and other parameters.

This Security Q&A originally appeared in the Windows IT Security newsletter’s Access Denied column.  You can subscribe here.  

Stu

Remember to report your phishes to PIRT

Remember to send in phishing scams to PIRT, the Phishing Incident and Takedown squad for takedown.

Two ways:

1. Email them to pirt @ castlecops.com as an attachment.

or

2. Go to the web interface at castlecops.com/pirt, and enter at least the phishing URL.

Also, we still need more volunteers to help take these sites down.  Nothing more satisfying than toasting a fresh phish.  Join the crew by clicking here.

Alex Eckelberry

More on ConsumerReportsGate and the state of testing

You’re going to see a lot more about this over the coming weeks, but a number of reputable publications are being criticized for their testing methodologies. Not all the criticisms may be fair, but we have a debate going and it’s healthy. As an industry, we need standards in testing methodologies for all types of security software (something we’re trying to do in the antispyware testing space).

It started back in June, when the New York Times quoted Microsoft as saying that PC Magazine’s antispyware test method was unfair, “pointing out that the particular spyware programs tested were extremely rare and obscure.” Veteran PC Magazine tester and author Neil Rubenking responded with an article headlined “Our Tests Are Fair” and further elucidated on testing strategy in the article “Spy vs. AntiSpy”.

Brian Livingston later added fuel to the fire with a full newsletter issue critical of the antivirus testing of PC World.    

PC Magazine and PC World are both highly experienced tech publications and know their stuff.  So there’s going to be a very active debate, but it will be a healthy one: These publications don’t have their blinders on and they do know technology.

Which brings me to ConsumerReportsGate, involving the publication Consumer Reports, better known for reviewing cars, lawn-mowers and appliances.  They have recently published a review of antispyware, antivirus and antispam applications.  We’re as baffled by the results as everyone else, especially with our desktop antispam program, which scored in such a way that I can only speculate that the magazine used some antediluvian version of the product with no updated definitions.  

Why the big hullabaloo? Consumer Reports made an incredible error: They “created” 5,500 viruses for their antivirus test. Graham Cluley of firm Sophos is reported as having said, “When I read about what Consumer Reports has done I want to bash my head against a brick wall”.

Veteran virus tester and expert Mary Landesman takes Consumer Reports to task as well:

Admittedly, I may know very little about vacuum cleaners, cars, coffee pots, and many of the other things Consumer Reports tests – but I do know security software. The methods used, and the results construed from those methods, cause me to severely question the validity of any of their more mainstream reviews. I’m actually in the market for a new vacuum cleaner and a new coffee pot, and I’m sure of one thing – I won’t be relying on Consumer Reports for buying advice.

More at TechWorld, CNET, SecurityProNews and Dwight Silverman’s blog as well.

Now, a number of people are curious as to why creating viruses, a practice considered taboo in the antivirus industry, is a bad thing in testing.

The primary scientific procedural problems with using simulators and creating new viruses were originally explained and substantiated in an open letter that Joe Wells (our chief scientist in charge of security research) wrote here. I will quote some relevant passages:

Today’s antivirus products use a variety of sophisticated methods to detect viruses. Such methods include execution analysis, code and data mapping, virtual machine emulation, cryptographic analysis of file sections, etc.

Such advanced antivirus systems make virus simulation for testing virtually impossible. This is because there is no way to know what sections of viral code and/or data are targeted by any given product. That being the case, all of the virus code and data must be in the file and in the correct order for the product to detect it as that virus. If a simulator did create a file with everything possibly needed in place, it would have to create the virus exactly. It would no longer be a simulator and the virus would be real, not simulated. Therefore a virus cannot be reliably simulated.

So simulated viruses cannot reliably take the place of real viruses. This in turn means they are not a measure of an antivirus product’s worth. Think about it. If a product does not report a simulated virus as being infected, it’s right. And if a program does report a simulated virus as being infected, it’s wrong. Thus, using simulated viruses in a product review inverts the test results. It grossly misrepresents the truth of the matter because: 

– It rewards the product that incorrectly reports a non-virus as infected.

– It penalizes a product that correctly recognizes the non-virus as not infected.

And then in a section entitled “An Ethical Quandary”:

Most antivirus companies are under some form of self-imposed restrictions that prevent them from knowingly creating new viruses or virus variants. In addition, competent testing and certification bodies such as ICSA, Virus Bulletin, Secure Computing, and AV-Test.org, do not create new viruses or virus variants for testing.

Indeed, the consensus throughout the antivirus development and testing community is that creating a new virus or variant for product testing would be very bad – and totally unnecessary. To do so would undoubtedly raise questions about their ethics.

Yet, as Wells says, another problem involves the verification of created viruses. How were Consumer Reports’ viruses modified and were they fully functional viruses? If the test is to be validated scientifically, then the samples would be given to another bona fide testing lab to be verified and tested. Thus the original testing body is not just a virus creation lab, but a virus distributor as well. If they refuse to provide the samples, then their claims cannot be independently validated; so their test is invalid.

So how do you test heuristics? It’s easy, and again, I quote Joe Wells:

A tester can easily do a meaningful scientifically valid test based on the real and present danger (actually the real and soon-to-be present danger).

To elaborate on the logic, a tester can install products and download signatures on a specific day, and then test the products against current viruses known to be in the wild (see http://www.wildlist.org).

Then the tester waits a month or two and, using those old detection signatures, test against new viruses that have appeared in the wild after the signatures were downloaded. In this way the unknown viruses being tested are real viruses that are an actual threat. Such testing is therefore a “reality check” in a literal sense.

Simple and effective.  And honest. Joe has done this type of testing successfully in the past.  He designed and performed such testing for PC World back in 2000.  If you look at the “How We Tested” section you will find the simple and real-world solution.
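The scoring logic behind the two quoted arguments (simulated files invert the results; frozen signatures against later in-the-wild viruses measure real proactive detection), as an added example that is not code from Joe Wells, PC World or any testing lab. The sample names, dates and product results are constructed, and the products "alpha" and "beta" are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

FREEZE = date(2006, 6, 1)  # constructed: the day signatures were downloaded and frozen


@dataclass(frozen=True)
class Sample:
    name: str
    in_the_wild: bool            # False = lab-made "simulated" file, not a real virus
    first_seen: Optional[date]   # in-the-wild date; None for lab-made files


# Constructed test set: 4 viruses known at freeze time, 4 that appeared later,
# and 4 lab-made files that are not real viruses.
SAMPLES = (
    [Sample(f"known-{i}", True, date(2006, 4, i)) for i in range(1, 5)]
    + [Sample(f"new-{i}", True, date(2006, 7, i)) for i in range(1, 5)]
    + [Sample(f"sim-{i}", False, None) for i in range(1, 5)]
)

# Constructed scan results: the set of sample names each product flagged.
KNOWN = {f"known-{i}" for i in range(1, 5)}
FLAGS = {
    "alpha": KNOWN | {"new-1", "new-2", "new-3"},
    "beta": KNOWN | {"new-1"} | {f"sim-{i}" for i in range(1, 5)},
}


def naive_rate(flagged):
    """Flawed scoring: every file counts as a virus, lab-made ones included."""
    return sum(s.name in flagged for s in SAMPLES) / len(SAMPLES)


def _rate(flagged, group):
    # None (not 0.0) when a group is empty, so a missing test is not read as a miss.
    return sum(s.name in flagged for s in group) / len(group) if group else None


def retrospective(flagged, freeze=FREEZE):
    """Score only real in-the-wild samples, split by the signature freeze date.
    A flagged lab-made file is counted as a false positive, not a detection."""
    wild = [s for s in SAMPLES if s.in_the_wild]
    return {
        "known": _rate(flagged, [s for s in wild if s.first_seen <= freeze]),
        "proactive": _rate(flagged, [s for s in wild if s.first_seen > freeze]),
        "false_positives": sum(
            s.name in flagged for s in SAMPLES if not s.in_the_wild
        ),
    }


if __name__ == "__main__":
    for product, flagged in FLAGS.items():
        print(product, round(naive_rate(flagged), 2), retrospective(flagged))
```

With these constructed results the naive score ranks "beta" first because it flags the lab-made files, while the retrospective score ranks "alpha" first and reports beta's four false positives.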

This is turning into a scandal, with only one outcome:  Consumer Reports must do a comprehensive re-test.  There’s simply no alternative.  Otherwise, their reputation for fair and unbiased testing of security software is in the toilet.  

Wait — there’s even a disagreement with their toilet reviews as well.

 

Alex Eckelberry

Interview with Rowan Trollope, part deux

Second in a two-part series with Rowan Trollope. Yesterday, thoughts on OneCare, Norton Confidential and Genesis.  Today, SiteAdvisor and emerging threats.

What do you think of McAfee’s recent acquisition of SiteAdvisor?

Chris Dixon, and the folks at SiteAdvisor built an interesting technology.  I don’t know what McAfee plan to do with it. 

The real shame is that SiteAdvisor doesn’t really work very well for phishing attacks — it wasn’t designed for that.  So users of SiteAdvisor need to be aware that while they are getting the “green light”, it doesn’t have best of breed anti-phishing technology…  Why?  SiteAdvisor was a startup, and they had to focus on doing something new that wasn’t already being done.  Whole Security, Microsoft and a few others were already quite far ahead on the phishing side, so they chose to focus on spam, popups and other “known” malicious code.  Unfortunately for users, while these are “interesting”, they aren’t as critical as protection against the real threats – namely phishing and pharming.

While this choice may have been right for SiteAdvisor the startup company, McAfee now has a big hole in their portfolio — no competitive anti-phishing technology — at least none that I’m aware of.

Our approach is to focus on the real threats, and to also provide users a “red-light/green-light” in their browser (with the Norton Toolbar).  We think this in-browser technology is so important, we’re not only including it in Norton Confidential, but also in Norton Internet Security and the upcoming Genesis.

You have been in the industry for 15 years, since the early days of viruses.  Most recently, you wrote about Vishing.  What other new types of attacks do you see on the horizon?

Yes, Wifi attacks — what I call wifi jacking (I think it has another “official” name, such as the recently reported “evil twin”).  Others are more crafty trojans, screenscrapers, password stealers, etc.  Blended threats using worms to propagate crimeware will continue and accelerate.

With Web2.0 sites becoming more and more useful and complex, we’ll see more attacks embedded in Javascript and against back-end systems which contain more and more valuable user data.

When I think of these, we try to start working on the protection concepts well before we even see the threats, so we’re already looking at this stuff now, even though many of these threats have yet to materialize.

On a personal note, what do you do in your spare time when you’re not working? 

I spend my “free” time snowboarding, racing motorcycles, painting, playing ice-hockey, and hanging out with my family and friends.

Eesh. Snowboarding, racing motorcycles, painting, playing ice-hockey?  Sounds like way too much work for me. 

Alex Eckelberry

AOL under fire for free AV product

Deja vu: AOL is under fire from privacy experts. 

After being contacted by IDG News, AOL said it now plans to alter the licensing agreement. “We are updating the EULA to address any concerns,” said Andrew Weinstein, a company spokesman. “We are reserving the right solely to send periodic marketing e-mails that users will have the choice to opt out of.”

Adding to AOL’s troubles is the fact Active Virus Shield’s security toolbar is based on a product with a questionable reputation. An earlier version of this software, known as the Softomate toolbar, is flagged as adware by Kaspersky’s own anti-virus products.

Link here.

Alex Eckelberry

Interview with Rowan Trollope of Symantec

Rowan Trollope is the vp of consumer engineering at Symantec. We’ve been informally exchanging some emails recently on the state of security and he was kind enough to answer some questions I posed to him. 

You have a new product coming out, Genesis.  How is it coming  along?

Genesis is coming along very well.  We are targeting a public beta before the end of summer.  We’ve been working on Genesis for almost 2 years now, and the features and functionality are looking very good.  There is a lot of anticipation in the market for the product, and the team is working many late nights and weekends to get it ready.

When you see Genesis, it will be immediately apparent how we rewrote the functionality under the covers.  Unlike other suites and offerings in this space, we did not just throw everything in the kitchen sink together and call it something “new”, we really went back to the basics and rebuilt stuff from the ground up.  The benefits to customers will be that the product is faster, more lightweight, and better integrated than any other product on the market.

We’re very interested to see the public reaction to Genesis, which is why we’re so focused on getting the Beta out.  Look for more comments on Genesis on the Norton Consumer blog here.

What’s your feeling about Microsoft  OneCare?

I think it is great that Microsoft are continuing to focus on the security of the operating system. It’s a big job, and the more folks we have working on it the better. That being said, there is nothing new or innovative in OneCare itself. OneCare offers yesterday’s technology to solve last year’s problems. For example, there is a Virus scanner, firewall and a local backup. These have all been available to customers for many years.

The real threats to be solved are phishing and crimeware (keyloggers, trojans, screen scrapers).  These threats require a new approach to security.  Our approach has been to increase our investment in behavior based security technologies, as evidenced by our acquisition of WholeSecurity last year.

Symantec has recently announced Norton Confidential.   What will this product do for consumers?

First, let me give you some background on changes in the threat landscape, which precipitated the introduction of a brand new security product, Norton Confidential.

Many users are aware that over the last 18 months, there has been a significant transition in the threat space, from hacking for fame, to hacking for fortune. Coincident with this shift we have seen the threats change dramatically — from Viruses and Worms, which spread internationally over days and weeks, to phishing and pharming, which are very targeted attacks, and which come and go within hours.

To combat these new threats, we realized that we had to invest in behavior based systems, and heuristic detection technologies, which is why we purchased Whole Security.  Whole Security was the market leader in anti-phishing technology, and this is being directly included into Norton Confidential when it is released.

Also unlike Viruses and Worms, there is no simple remedy or prescription, such as “don’t open attachments”, which will keep you safe. Phishing attacks can be so devious, they fool even the most savvy users. I almost got fooled last week by a phishing attack which was spreading through IM. It was very crafty. It’s kind of funny when someone in the engineering team gets fooled by these, as they can almost never live down the taunts that will follow from their peers.

So what does it do? Norton Confidential protects users’ confidential information, and keeps it safe. How does it do that? First, it integrates into the browser and provides an easy “Red/Green” signal light for every page that a user browses to. Second, it has special heuristic based scanning technology which can detect “unknown” threats, based on their behavior and characteristics, instead of a threat fingerprint, in the manner of traditional AV products. Finally, Norton Confidential scans ALL outbound channels, looking for telltale signs that your identity is being stolen, and will alert you instantly.

In my estimation, these features will make Norton Confidential the most important new security product to have on your system going forward.

Tomorrow, Rowan’s thoughts on some other technologies and new threats.

Alex Eckelberry

What is the effect of Bayesian poisoning?

There’s been a fairly quiet debate in the spam community for some time as to the effectiveness of “Bayesian poisoning”.

As you probably know, Bayesian filtering is a method proposed back in the late 90s to filter junk email, and developed by Paul Graham in his original work, “A plan for spam”.  (If you’re rusty on your higher math skills, the term Bayesian refers to a number of methods of determining probability, first realized by mathematician Thomas Bayes). 

Bayesian filtering relies on “training” an engine to recognize the probability of something being spam or not spam.  It’s implemented in a variety of antispam products, and is a supplemental antispam method used in our own iHateSpam desktop product (but not in our server product).  

The idea behind Bayesian poisoning is that by throwing in a bunch of good words, it confuses the Bayes probability engine.  That’s why you see emails with things like the works of Charles Dickens in them — they are trying to confuse both Bayesian filters and the signature based engines.

But does Bayesian poisoning work?  John Graham-Cumming at the POPFile project decided to actually find out (realize that POPFile uses Bayes filtering, so there is the potential of bias).  His conclusion?  Bayesian poisoning is real, but is not that big of a deal.

The evidence suggests that Bayesian poisoning is real, but either impractical or defeatable. At the same time the number of published attack methods indicates that Bayesian poisoning should not be dismissed and that further research is needed to ensure that successful attacks and countermeasures are discovered before spammers discover the same ways around statistical spam filtering.

Link here.

Off the cuff, I think Bayesian poisoning is real.  However, it’s a question of scale.

If a corporate email server is processing 100,000 spam messages a day (probably about average for a company with 1,500 employees) and there’s a slight change in the probability to let, say, a tenth of a percent of spam through, that’s 100 pieces of spam that got into an organization. Now, that’s a small number, but spammers deal with small numbers: a hundred million messages advertising herbal Viagra can result in 50 sales (or a small spike in a stock price). When you’re using the bandwidth of other people’s machines (through botnets/spambots), it’s dirt cheap.

And there may also be the time factor involved. A massive attack of the work of Charles Dickens slightly alters the probabilities for possibly a bit longer. When you’re dealing with probabilities on a large scale, you will start to see a difference. This is the problem that the drug pushers pharmaceutical business deals with all the time. They do a small clinical trial and they may not see a small effect (or ignore it). Then the drug gets used by millions of people and we start to see people dying, committing suicide or growing a third leg. The number may only be a few tenths of a percentage, but there’s a large population that’s affected.

We’ve also found that our own Bayes engine in iHateSpam gets “corrupted” after a while and has to be reset. We think it’s due to poisoning. I think that Bayesian filtering absolutely has a place in spam filtering, but it’s not the only solution.
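To make the effect measurable, here is an added example (not code from iHateSpam, POPFile or the original post): a simplified token filter in the style of “A plan for spam”, run over a constructed mailbox. It measures how far padding moves a spam score, and shows one assumed mechanism by which retraining on padded spam can degrade a filter until it needs a reset.

```python
import math
import re
from collections import Counter

UNKNOWN = 0.4   # score for a never-seen token (the value used in "A plan for spam")
TOP_N = 15      # combine only the N tokens furthest from the neutral 0.5

# Constructed training mail, standing in for one user's history.
HAM = [
    "meeting agenda for the quarterly budget review attached",
    "please review the server migration schedule before friday",
    "lunch on friday to discuss the project budget",
    "the backup server schedule changed see attached agenda",
]
SPAM = [
    "buy herbal viagra now cheap pills online",
    "cheap pills online no prescription buy now",
    "hot stock alert buy now before the price spikes",
    "herbal pills cheap cheap cheap order online now",
]
SPAM_MSG = "buy cheap herbal pills online now"
DICKENS = ("it was the best of times it was the worst of times "
           "it was the age of wisdom it was the age of foolishness")
# Words this particular user's real mail contains; a sender normally cannot know them.
USER_HAM_WORDS = ("meeting agenda quarterly budget review attached server "
                  "migration schedule friday lunch project backup")
LEGIT = "please review the project schedule before the meeting"


def tokens(text):
    # Sorted so that ties in "interestingness" are broken deterministically.
    return sorted(set(re.findall(r"[a-z]+", text.lower())))


class BayesFilter:
    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}  # keyed by is_spam
        self.msgs = {True: 0, False: 0}

    def train(self, text, is_spam):
        self.counts[is_spam].update(tokens(text))  # count messages, not occurrences
        self.msgs[is_spam] += 1

    def token_prob(self, tok):
        b, g = self.counts[True][tok], self.counts[False][tok]
        if b + g == 0:
            return UNKNOWN
        bf = b / max(1, self.msgs[True])
        gf = g / max(1, self.msgs[False])
        return min(0.99, max(0.01, bf / (bf + gf)))

    def score(self, text):
        """Probability that text is spam, from its TOP_N most telling tokens."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:TOP_N]
        log_odds = sum(math.log(p) - math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(-log_odds))


def trained_filter():
    f = BayesFilter()
    for m in HAM:
        f.train(m, False)
    for m in SPAM:
        f.train(m, True)
    return f


def retrain_on_padded_spam(rounds=4):
    """Score a legitimate message before and after the user marks spam that was
    padded with business-sounding text as spam (assumed corruption mechanism)."""
    f = trained_filter()
    before = f.score(LEGIT)
    for _ in range(rounds):
        f.train(SPAM_MSG + " " + LEGIT, True)
    return before, f.score(LEGIT)


if __name__ == "__main__":
    f = trained_filter()
    print("plain spam:            %.4f" % f.score(SPAM_MSG))
    print("padded with Dickens:   %.4f" % f.score(SPAM_MSG + " " + DICKENS))
    print("padded with user ham:  %.4f" % f.score(SPAM_MSG + " " + USER_HAM_WORDS))
    print("legit before/after retraining: %.4f / %.4f" % retrain_on_padded_spam())
```

On this constructed data, padding with text the filter has never seen leaves the verdict unchanged; only words from the recipient's own legitimate mail move it. The retraining run shows the cost on the other side: legitimate mail drifting toward a spam verdict.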

I’m curious to know your thoughts.

Alex Eckelberry

McAfee sheds doubt on Consumer Reports review

The latest issue of Consumer Reports has a review of antispyware, antivirus and antispam programs.  It has some people in the industry a bit confused. 

Igor Muttik at McAfee has the first antivirus company public response to the review.

There are several things here that do not seem right:

  1. It is claimed that created viruses were “the kind you’d most likely encounter in real life” which is, of course, something the testers cannot know.
  2. Creating new viruses for the purpose of testing and education is generally not considered a good idea – viruses can leak and cause real trouble (you can read an open letter on the AVIEN site about that).
  3. There is a more scientific way of measuring real proactive detection of AV products on future malware – it is called “proactive testing” or “retrospective testing”. The idea is to measure, say, 3-month old AV product against real field viruses that appeared within these last 3 months. The discussion of the methodology of such tests can be found here and some real test results with common AV products are on the AV-comparatives.org site.

(Minor side note: He expresses some confusion about Consumer Reports reporting the results as from September 2006, but this is normal procedure in the magazine business).

Creating viruses for the sake of testing is a bad idea.  Our very own Joe Wells and many other luminaries in the antivirus space wrote a letter to CNET on this very issue quite a while back. It’s pretty surprising that a magazine like Consumer Reports would make such an error.  There are some in the antivirus community that are appalled at what they believe to be shoddy work.

Publications need to use industry-standardized methods for testing.  Organizations like Virus Bulletin have been doing this for years.   Why can’t publications follow their lead?  

Remember, though, that antispyware testing is quite a bit different than antivirus testing, a subject Eric Howes is taking on.

Alex Eckelberry
(Hat tip to Andreas Marx)

UPDATE:  TechWorld article here.

Sunbelt TechTips for the week of August 14

In case of emergency: get notified
This public service web site will send you a notification when there is a local, regional or national emergency, to your pager, cell phone or email address. You can select which types of emergencies you want notifications for (severe weather, homeland security, cyber threats, missing children/Amber alerts, even organ donations). You can have the notices sent to your email address, cell phone, pager or fax number. You can also block non-emergency content during specific hours (such as when you’re sleeping or when you’re at work). Check it out here

How to change the location of the print spool folder
XP uses the spool folder on your hard disk to store queued print jobs. Without it, you’d have to wait until printing was finished to use other programs on your system. The spool folder is located on the partition where your Windows system files are installed, but if this partition gets low on free space, you can move it to a different location. This can also speed up performance. Here’s how:

  1. First, be sure you’re logged on with an administrative account.
  2. Click Start | My Computer.
  3. Select the drive where you want to store the spool folder.
  4. Click Make a New Folder under File and Folder Tasks in the left pane.
  5. Type a name for the folder.
  6. Click Start | Printers and Faxes.
  7. Click File | Server Properties, then click the Advanced tab.
  8. In the Spool Folder field, enter the path to the new folder you created in step 4.
  9. Click Apply.
  10. After any documents currently printing have finished, click Yes.
  11. Click OK.

How to make audio CDs from MP3s.
If you have lots of MP3 music files that you want to put on a CD and your player doesn’t support the MP3 format, one way to create a compatible CD is by using Windows XP with Windows Media Player 10 or Vista with Media Player 11 (and a CD burner, of course). Here’s how:

  1. Open Windows Explorer (right click Start and click Explore) and navigate to the folder on the local machine or on the network that contains your MP3 files.
  2. Select the files you want to put on CD, remembering that .cda files are larger than .mp3 files and you can only get about 74 minutes’ worth of music on an audio CD. Hold down CTRL to select multiple files.
  3. Right click the selected files and choose Burn.
  4. Windows Media Player will open to the Burn tab. Note that the files have been added to the Burn List.
  5. Ensure that a blank CD is inserted in your CD burner. Click the Burn Now button.

That’s it! Windows will create a CD with your songs saved in CD Audio format, which will play on older CD players that don’t support the MP3 format.

Remove the Turn Off Computer button from the Start menu
Want to make it more difficult for other users of your shared computer to shut it down? You can remove the Turn Off Computer button from the Start menu (along with many other restrictions that can be applied using the local Group Policy). KB article 307882 walks you through the steps of creating a Group Policy Editor MMC and editing your local Group Policy object to remove the button.  Link here.

Sync information on multiple mobile devices
Do you have several handheld devices (such as Pocket PC and Windows Mobile phones)? Want to synchronize your files, contacts, calendar and email across all your devices? You can configure XP to do so, by following the instructions in KB article 314644 here.

Event Viewer gets a whole new look
If you use the Windows Event Viewer to view event log information for troubleshooting problems in Windows, you’ll be pleasantly surprised at how much more robust this administrative tool is in Vista. Accessed via the Administrative Tools applet in Control Panel, by typing “eventvwr.exe” at the command line or by simply typing “event viewer” in the search box on the Start menu, it now features a three-pane MMC with clickable Actions for performing common tasks in the right pane. There are many new application logs, and filtering the logs to find specific events is much easier and more precise. To see some screenshots of the new Event Viewer, click here.

When can we expect Vista and Office 2007 to be released?
The final release dates for Windows Vista, the next generation of Microsoft’s desktop operating system, and the next version of Office (2007) have been a moving target. We expected to get both before the end of the year, then Microsoft pushed release dates for both to sometime in early 2007. Now rumor has it that the two will debut together in January – but don’t hold us to that. Read the latest speculation here.

Vista coupons let you upgrade your hardware early
Been waiting to buy a new PC until Vista comes out? Now that the release of Vista has been delayed until 2007, you might think that means you won’t be able to take advantage of the 2006 Christmas holiday sales, but Microsoft and major computer vendors have found a way around that. They’re planning to sell PCs capable of running Vista with upgrade coupons that will let you get and install the new operating system at no extra charge when it’s released (whenever that turns out to be). See the story here.

Deb Shinder
Microsoft MVP

Are You an Upgrade Renegade?

Upgrading is a good thing, right? Who among us wouldn’t, if we could afford it, always fly first class instead of cattle – er, economy – class? Who doesn’t prefer the deluxe suite to the standard hotel room? Who wouldn’t want to wear the latest fashions instead of last year’s? Oh. Hmm. So maybe upgrading isn’t always a good thing, after all.

When it comes to software, upgrades are a little like death and taxes; they’re inevitable. Sooner or later, no matter how fond you are of that old MS-DOS program, eventually you’re probably going to get tired of trying to make it work on evolving operating systems, or you’ll be seduced by the plethora of features offered by modern programs, and you’ll upgrade. Still holding on to Windows 98? A recent survey of our readers showed that a surprising number of you are. But sooner or later, that old computer will crump, and when you buy a new one, it’ll come loaded with XP or Vista or What Lies Beyond, and you’ll be … upgraded.

Personally, I embrace most new technology and consequently, I usually upgrade to new operating systems and applications before they even become commercially available. I’ve been running Vista as a secondary OS for well over a year and as my primary OS for many months. I run the Office 2007 beta on both main desktop systems and my laptop.

I guess when it comes to software, I’m like those folks who revel in new romances. I’m happiest when I’m “getting to know” a new version of Windows or a favorite productivity program. I delight in discovering cool new features (and writing about them). I even like finding the bugs, omitted features and other problems in new software, if for no other reason than to figure out workarounds that I can report to others.

But I know I’m not typical, and most folks just want their computers to work. You want to be able to read and send email, surf the web, create documents and spreadsheets and slideshows as quickly and easily as possible. And therein lies the trouble with upgrades: even when the new version is better, it usually involves some degree of learning curve, and that’s something that many of us don’t have time for or don’t want to bother with.

Lots of you subscribe to the “if it’s not broke, don’t fix it” philosophy, which in this context means if your current software works, there’s no reason to upgrade. And if you do upgrade – either because you have no choice because you’re using a company computer, or because you really need one particular feature in the new version – you want to be able to keep things as much like the old version as possible. The first thing that many users of a new operating system do is go through and switch everything to the Windows classic view, so their XP or Vista computer will look like Windows NT/2000. And the most frequent complaint I’ve heard about Office 2007 is that Microsoft “forces the new interface on you” – that there’s no way to turn off the ribbon feature and go back to the old, familiar menu format.

Human beings, in general, tend to react negatively to change. Never mind that the ribbon interface lets you do a lot of things faster; it’s different and, like the husband who hates it when his wife rearranges the furniture, some of you don’t want to spend even five minutes learning where things are now. Even those in the industry aren’t immune. Mary Jo Foley, editor of Microsoft Watch, proudly touts her “dinosaur” status in her June column for Redmond Magazine. You can read it here.

Of course, if you don’t like the ribbon, you can just keep on using Office 2003. If you upgrade to Office 2007 and don’t like it, you have only yourself (or perhaps your boss) to blame. But what about when upgrades become mandatory? We’ve talked before about Microsoft’s policy of discontinuing support for older versions of software, which has the effect of forcing you to upgrade to a newer version if you want to be able to get security fixes or help with technical problems. But you can still choose to keep the old versions and “go it alone” if you choose.

That may not always be the case. We reported a couple of weeks ago that Microsoft plans to distribute IE 7 as a high priority update via Automatic Updates, which means if you have auto update enabled, you’ll get it whether you want it or not.

The rationale behind this “update mandate” policy is, of course, security. The new version of IE contains numerous security improvements that will make the browsing experience safer. However, at least in the beta, IE 7 also has some problems (at least on the XP version) with rendering some pages correctly or even accessing them at all. Some people are likely to squawk loudly when they find that they’ve been involuntarily upgraded, even if it is “for their own good.”

What do you think?

Do you rush to be the first on your block to try out the latest and greatest new software versions or will they take away your MS-DOS and WordPerfect v. 4 only when they pry them from your cold, dead hands?

Or do you fall someplace in between? Should new versions of an application always allow you to “fall back” to the old look and way of doing things, or should choosing to upgrade mean you’re willing to accept boldly going where you’ve never gone before?

What about mandatory updates? Should Microsoft “push” new versions of their free apps, such as IE, on you through auto update, or should you have to explicitly download and install them (even if they add security)?

Tell us your opinions.

Deb Shinder

XSS Love Fest

Hackers at a website have posted a number of cross-site scripting (XSS) vulnerabilities in a number of sites, including security vendors eEye, F-Secure and Cisco.

As you probably know, cross-site scripting is a method whereby something from one source can be inserted into another. A common use is in phishing, such as making a phishing site magically appear to be the real financial site.

For example, clicking here will take you to the Sun site, with a wonderfully self-serving message.  (And if you want to get really irritated, click here to go to the Cisco site, but don’t tell me I didn’t warn you). 

Brian Krebs has more details, here.

Alex Eckelberry 

UPDATE:  The XSS links above have been fixed by at least Cisco.  I think the Sun one should still work.  
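
To make the "inserted from another source" point concrete, here is an added example (not from the original post or from any of the sites mentioned) of a page that reflects a query parameter into its HTML, first unencoded and then HTML-encoded. The function names, the `msg` parameter and the `example.test` host are all hypothetical.

```javascript
// Added illustration: a reflected query parameter, unencoded vs. HTML-encoded.
// Every name here (renderNotice*, "msg", example.test) is hypothetical.

// Encode the characters that let text break out of HTML text/attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read one query-string parameter from a full URL (empty string if absent).
function getParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// Vulnerable: whatever arrives in ?msg= becomes part of the page's own markup.
function renderNoticeVulnerable(url) {
  return `<div class="notice">${getParam(url, 'msg')}</div>`;
}

// Hardened: the same value is encoded, so the browser shows it as plain text.
function renderNoticeSafe(url) {
  return `<div class="notice">${escapeHtml(getParam(url, 'msg'))}</div>`;
}

// Defender's check: count opening tags in the output. The template itself
// contributes exactly one (<div>), so anything above 1 came from the request.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample links (not real URLs).
const base = 'https://www.example.test/notice?msg=';
const benign = base + encodeURIComponent('Statement ready');
const crafted = base + encodeURIComponent('<h1>Text from <em>another source</em></h1>');

for (const [label, url] of [['benign', benign], ['crafted', crafted]]) {
  console.log(label, 'vulnerable tags:', countTags(renderNoticeVulnerable(url)),
              '| safe tags:', countTags(renderNoticeSafe(url)));
}
```

With the unencoded version, the heading supplied in the link is served under the site's own address, which is why such links are useful to phishers; encoding on output leaves only the template's own markup.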

Free turbos and stuff

I missed blogging this last week as I was in a mad scramble to travel to California, but my old employer, Borland, has revitalized the Turbo brand with a killer deal — a free compiler dubbed TurboExplorer.

From their press release:

The Turbo product set includes Turbo Delphi® for Win32, Turbo Delphi for .NET®, Turbo C++® and Turbo C#®. Each version will be available in two editions: Turbo Explorer, a free downloadable version, and Turbo Professional, a version priced less than $500 which is designed to accept thousands of available third-party tools, components and plug-ins. All Turbo editions enable developers to rapidly build high performance GUI, Database, Web, and Web Services applications for Microsoft Windows. Turbo Delphi for .NET and Turbo C# support the Microsoft .NET and ASP.NET platforms. More information is available at www.turboexplorer.com.

I was in Borland back in the 80’s when the company was still fairly small and it was a great place — great culture, great products and many brilliant people. Over the years, the company lost its way at various times and then recently established itself as a testing tools company (through the acquisition of Segue). The languages were to be sold off, but apparently that won’t be the case.

So if you’re interested in learning programming, get this free product.

Warms my heart, this does. 

More at /. also.

Alex Eckelberry

Is Zango partnering with a bunch of sickos?

unitedtoserve2005(dot)com redirects to a hard core porn site, search(dot)porn-info(dot)info, which offers “totally free porn videos”. 

These are Zango porn videos — you watch them but get Zango spyware installed on your system.

More curious is that viewing unitedtoserve2005 with Javascript disabled brings up some very disturbing keywords, like the following (WARNING: very offensive language):

pre-teen pussy
young teen models
animal sex pic
hot teens asian
Free teen pics
cartoon house
Kids masterbating
children masterbating
Adult Vhs Rape
Sex adult
incest sites
incest free stories
only incest stories
Incest Free Stories
Only teens
and much more.

The full text file is here, but it is very offensive.

It is unknown whether unitedtoserve2005 is owned by the same company that makes porn-info(dot)info (and other sites). However, there is clearly a relationship, as unitedtoserve2005 redirects to the Zango-supported porn site.

Related sites are arcadeforum(dot)biz,  aiasinc(dot)info, angelsandinspirations(dot)com and others.

Thanks to blog reader Francesco for the tip, and to Sunbelt’s Adam Thomas for the follow-up.

Alex Eckelberry

Hey Guardian, stop schlepping adware

I’ve talked before about the problems of doing business with some third party ad networks. Unfortunately, the folks over at the Guardian signed up with one and the result is Zango!

It’s live right now, you can see it by going to any number of places on guardian.co.uk, including this site and refreshing your browser. After a while, you’ll get an ad that looks like this:

[Image: screenshot of the Zango ad]

It’s an ad placed by Fastclick.

Nice, eh? 

Alex Eckelberry
(Thanks Paperghost)

The music business sees (sues) dead people

So some poor guy sued by Warner, Sony BMG, UMG, BMG, Capitol Records and Atlantic dies.

The plaintiffs have graciously allowed the family 60 days to grieve.  And then they’re back in business.

1. Plaintiffs have recently learned that Defendant, Larry Scantlebury, passed away on June 20, 2006. Please see the attached Death Certificate.

2. Prior to Mr. Scantlebury’s passing, Plaintiffs believed that there was potential to resolve the case. While at the time of Mr. Scantlebury’s death, he had not responded to Plaintiffs’ discovery (he had asked for and received extensions), he had indicated that others, in addition to Mr. Scantlebury, were involved in the infringement of Plaintiffs’ copyrights.

3. Plaintiffs do not believe it appropriate to discuss a resolution of the case with the family so close to Mr. Scantlebury’s passing. Plaintiffs therefore request a stay of 60 days to allow the family additional time to grieve.

4. In the event the parties do not reach a resolution with Mr. Scantlebury’s estate or the other family members involved, Plaintiffs anticipate amending the complaint following depositions of members of Mr. Scantlebury’s family.

Link here (more legal docs here) via John Paczkowski

As I’ve said before, I respect artists.  I have no respect for bullies.

Alex Eckelberry

Update:  They’ve withdrawn the suit out of an “abundance of sensitivity”.  (Thanks Mercen4ry.)

It’s all about the money

So our buddy PaperGhost blogged about some guy who made a skin for WinAmp, which installs Zango.

In a forum post, the skin maker defends his actions, saying:

haha, if you don’t want Zango don’t install the update. You have the option, it’s not forcing anything on you. We added that in to potentially make some money doing this, but I didn’t want to make anyone upset over this.

Does this violate some winamp rule? There is nothing in the version downloaded from winamp.com that does anything to your computer, correct?

Please let me know what the ‘official’ winamp stance is on things of this nature.

Thanks! and sorry for any inconvenience

What an ass.

Alex Eckelberry