Month: August 2006

Macs pwned

Anyone who has half a head in the sand right now has heard about  Jon “Johnny Cache” Ellch and David Maynor hacking a Mac in 60 seconds at Blackhat.

It’s important to realize that this is not a Mac vulnerability.  It’s in a 3rd party wireless card.

Classic is what Maynor said, also quoted today by John Paczkowski

“We’re not picking specifically on Macs here, but if you watch those ‘Get a Mac’ commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,” Maynor said. “The main problem here is that device drivers are a funny mix of stuff put together by hardware and software developers, and these guys are often under the gun to produce the code that will power products that the manufacturer is often in a hurry to get to market.”

Of course, those who actually read this blog know that you don’t have to watch the “Get a Mac” commercials.  You can always watch the Lost Mac Ads instead. 

And yes, for the three Macheads who read this blog, I know, I know: Windows is still less secure, Macs are more secure, they are bitchin machines, etc.  But it’s just the holier-than-though thing that kind of tires the UnRest of Us.

Alex Eckelberry

More playing with Meebo

Ok, this service is getting very cool.  Meebo, the universal IM client that works through the web, just released a widget.  I’m testing it on the blog for a brief time — feel free to try it — it’s on the right side of the page (don’t be insulted if I don’t respond, I’m a wee bit busy, but you can always email me). 

Those concerned about security on Meebo should be, as with any use of IM.  I admit that for me, IM is a throway type of activity.   I’m not an active IMer and I don’t use it for anything sensitive — I use it primarily to find out if people are in, or to ping someone quickly.   So I’m not as sensitive about this as others may be.

But if you’re curious, Meebo encrypts all passwords with 1024-bit RSA keys (except on IE 7, which they still don’t support…). 

IMs on the main Meebo servers are sent in the clear.  For those wanting end-to-end encryption, however, they do have several SSL-enabled servers (accessed at https://www.meebo.com) which offer increased security.   They have more details here.  (IT managers can really groan—there’s a Meebo repeater which bypasses blocking).

(Thanks for this tip to security guy Xavier Ashe, who put one up as well.)

Alex

Microsoft reorganizes, Culter to become a web 2.0 kinda guy?

Big reorg at Microsoft. 

And this is interesting: Dave Cutler, the father of NT (and arguably one of the greatest operating systems geniuses of all time) is now going off to work with Ray Ozzie on Live.  From Paul Thurrott:

David Cutler…will be reassigned outside of Windows to work directly with Microsoft Chief Software Architect Ray Ozzie on “initiatives focused on Live products and services.” 

(This is the same Cutler who said to Gates “I won’t pollute it [NT] with crap!”.)

Crusty Dave Cutler, working with Ozzie, the hyperkinetic web services visionary?  Is this a marriage made in hell or is it something that will really get Cutler excited?  

Link here.

 

Alex Eckelberry

Feb.gov hacked by Islamic hacker

Well, this is embarrassing — feb.gov has been hacked.  By an Islamic hacker who even adds the nice touch of playing the call of a muezzin.

Islamhack0131

What is the Federal Executive Board?  From SecuriTeam:

The Federal Executive Boards (FEB’s) were established in 1961 by a Presidential Directive to improve coordination among Federal activities and programs outside Washington. The need for effective coordination among the field activities of Federal departments and agencies was then, and is still, very clear.

Link here via SecuriTeam.

 

Alex Eckelberry

Journalism 101

Incredibly, the State Department has just released a comprehensive primer on journalism.  You can read it here.   This is a concise but very useful overview of the field.

Today, the line between traditional journalism and blogging has become blurred.  Blog sites provide news.  And traditional journalism sites are adopting blogging styles.

It’s a trend that requires readers to be wary:  Blogs are not journalistic sites.  They are journals.  Getting your news as fact from a blog is not the best idea, unless you take it as one opinion out of many.  And, of course, outright belief in much of the news you read is also dangerous.  You need to make up your own mind about what you read and see — not through the filter of someone else.

Alex Eckelberry
(Hat tip)

Sunbelt TechTips for the week of July 31

Windowsxp-2

How to get to the web if your browser is blocked or broken
Web browser software is blocked by administrative policy, or not working? You may still be able to get to web sites. This is a case where Help can actually be helpful!

  1. Open a program such as Microsoft Calculator.
  2. Press the F1 key to open the Help window.
  3. In the top left corner, click the “document with a question mark” icon.
  4. Select “Jump to URL.”
  5. Type in the URL of the website you want to visit, and it comes up in the right pane of the Help window.

Important tip: you must type the full URL, with http://, not the shortened version that starts with www.

You may be updating to IE 7 soon — whether you want to or not
I’ve been using IE 7 for so long, I forget it’s still a beta. But we’re getting close to a final release of the software, and now Microsoft has announced that they’ll be distributing it via Automatic Updates as a high priority update. Read about it here.  

Because of all the improved security features, upgrading to IE 7 is considered a “must.” And I agree that, for most people, the upgrade is just good sense. But some folks may not want to have it forced on them. Enterprise customers can download a blocker tool that will prevent IE 7 from installing automatically. The easiest way for home users to accomplish this is to set your Auto Update settings to download updates automatically but NOT install them until you approve of them. For info on how to change your Windows Updates settings, click here.

“Day After” Attacks
On the second Tuesday of each month, Microsoft releases a set of security patches to fix vulnerabilities that have been discovered. The once-a-month system has a lot of advantages; users and system administrators know when to expect the fixes and can apply several at once, rather than doing it as they trickle in one by one. By hackers are taking advantage of the routine to release their exploits a day or two after Patch Tuesday so it’ll be a whole month before the patch comes out.

Read more about this sneaky practice and its most recent implementation here.

ActiveX control is downloaded twice
Sometimes you may find that when you visit a web site containing an Active X control with IE SP2, the control gets downloaded two times because of the way the Active X auto-blocking feature works. Find out how to prevent this from happening by reading KB article 922659.

Troubleshoot error messages in Outlook and Outlook Express
Email is, for many people, the most used Internet application – but there’s plenty that can go wrong. If you use Microsoft Outlook or Outlook Express as your mail client, you may sometimes receive error messages that are difficult to figure out. KB article 813514 covers some of the most common error messages and provides tips on how to resolve or work around the problems.

Pictures or other objects don’t appear in your Word document
If you’ve inserted a picture, autoshape, diagram or other object into a Word document and it’s not showing up, it may be because of the way the object is formatted and the view option that you’re using to display the document. Luckily, it’s easy to modify the view or change the formatting to solve this problem. For instructions on how to use both methods, see KB article 285957.

WinVista_h_Thumb

Doing flips over Vista’s new window switcher
One of the “cool factor” features in Vista is the new way of switching through windows, called Flip 3D. We’re all familiar with the program switcher tool in XP; when you press ALT+TAB you get a bar containing icons for your open windows that you can tab through quickly to get to the program you want. Vista has the same thing, but it actually displays a thumbnail of each window instead of an icon. However, if you want to get really fancy, instead pressing the Windows key with the TAB key. Here’s a video of what it looks like.  

Want to get the same functionality on XP without upgrading to Vista? TopDesk 1.4.2 does that. Check it out here.

Deb Shinder

Vista: the saga continues

Well, I’d been running Vista Beta 2 on one of my two primary desktop computers ever since it was released, almost two months ago. I’ve been generally thrilled with its features, performance and reliability. But the life of a beta tester is one always fraught with new dangers. Just about the time you get everything exactly the way you want it, it’s time to install a new version and risk messing it all up.

Vista Build 5472 isn’t available to the general public, and it’s probably a good thing. As Microsoft warns, although it’s designed to fix some of the bugs in Beta 2 and speed up performance, it hasn’t undergone nearly as extensive testing as did the public beta. I put off installing it for a while after it was made available to me, simply because I was so pleased with the Beta 2 installation I had and hated to mess with success. But last week, I decided to bite the bullet and go ahead with it. Who knew? Maybe I’d be pleasantly surprised.

The build number probably should have been my first clue. As a long-time Star Trek fan, I should have noticed that except for the first digit, it was identical to the designation for Species 8472 – an evil alien race so powerful that they were able to leave Borg cubes in shreds.

A build with a number so similar was destined to do damage to my perfect little Vista world. Ah, hindsight.

I thought seriously about installing the new build to a new partition, but I was already dual booting Vista and XP on the machine, so I ended up throwing caution to the wind and going for the upgrade. The upgrade process itself went relatively smoothly, although it took a long time. The first time it booted into Vista, though, the desktop was empty. And I mean completely empty – my custom wallpaper was still there but that’s it. No taskbar, no sidebar, no icons. The cursor moved freely, but right clicking the desktop failed to bring up a context menu. That was one of those “Oh, no, what have I done?” moments.

Luckily, another reboot restored my missing desktop items and functionality. However, one thing that I noticed right off was that not all of my settings had been retained – despite the fact that the upgrade instructions implied that they would be saved. Probably the most annoying was the multi-monitor setting, which had reverted back to mirroring (where both monitors show the same thing, instead of extending the desktop across the monitors). In fact, I soon discovered that the option to extend the desktop wasn’t even present in the display properties – because the upgrade had rolled back my video card drivers to a generic driver. After reinstalling the proper ATI Radeon drivers, I had extended desktop functionality back.

Temporary inconveniences like that are to be expected, and if that had been the extent of the problem, I wouldn’t complain. Unfortunately, after using the new build for almost a week, I’m very disappointed in overall system stability. I never had a program crash in Beta 2 (although there were a couple of small third party utilities that wouldn’t install). With Species 5472, crashes occur several times per day. Most disheartening, the main victim of this new-found OS instability is Office 2007, which ran without a flaw on Beta 2. And most maddening of all, it’s Outlook – my most-used and relied-up program – that was hit the hardest. I found myself getting a message that “Outlook has stopped working” every few hours. The program would close and then try to restart, going through the long process of checking the profile folder for corruption because it had been closed improperly. Canceling the checking process just closed the program again.

I decided maybe the profile itself had been corrupted, and made a new one. Of course, this resulted in Outlook losing my autocomplete entries, and within minutes it was crashing again with the new profile. At that point, I tried turning off Exchange caching. That seemed to do the trick; I’m no longer getting Outlook shutdowns all the time. But I’m also not able to reap the benefits of cached Exchange mode. Exchange caching caused no problems when Outlook 2007 was running on the old Beta 2.

After several days and a lot of tweaking, I have a useable Vista system again. There are still some remaining stability issues, and I’m not noticing any performance improvements (although, to be fair, there’s no performance degradation either). I feel as if I wasted several days, but hey, at least I got a column out of it. And I can tell any of you MSDN members, official beta testers or others who have access to 5472 and haven’t tried it yet to think twice before upgrading Beta 2. If I had it to do over, I’d install it in a different partition and leave my previous Vista installation intact.

Meanwhile, I’ve heard from a number of public beta testers who are unhappy that the interim builds aren’t available to them.

Tell us what you think. Once Microsoft has released a beta OS to the public, should they make all the interim upgrades available too? Or does it make more sense to only release the most thoroughly tested versions to the general public?

If you’ve upgraded to 5472, was your experience similar to mine? Better? Worse? Next time a new build comes out, will you do an upgrade or protect your current installation and do a separate new install?

Let us know your experiences and opinions.

Deb Shinder