In Defense of Perimeters and Security through Obscurity

This week’s editorial is sure to cause a firestorm with some in the security community. I’m sure my credibility will be attacked from all sides and I’ll be shunned by at least half the “experts” forevermore – because I’m about to question two sacred cows:

1) that there is no longer such a thing as a perimeter in network security, and

2) that “security through obscurity” is practiced only by idiots.

After spending the last week surrounded by other security professionals and hearing those two mantras repeated over and over, I decided it’s time for someone to offer a challenge. Unfortunately, security people seem to have latched onto these two ideas with absolute certainty.

First, let’s take a look at the new idea that somehow security perimeters have ceased to exist. This grew out of the very entertaining “Death of the DMZ” presentation introduced by Steve Riley of Microsoft a couple of years back. The point seemed to be that network boundaries are becoming less defined because of remote access, VPN, wireless access points, etc. And that was a good point – but it’s also a complex issue that has been reduced by many of Steve’s disciples to the simplistic chant that “there are no perimeters.”

That’s like saying that because more people now live in apartments and condos than on 100 acre walled estates, there are no physical perimeters anymore. Of course there are perimeters – in fact, there are now multiple perimeters. In some cases the boundaries have moved inward; just as you may now have control only over the space within your walls instead of all that acreage surrounding you, you now need to put more focus on protecting the host (individual computer) than you might have back when the internal network was more clearly separated from the Internet outside.

But the new model doesn’t mean that outer boundaries are gone completely. As the threat level has increased (both for networks and neighborhoods), we should be looking at more perimeter protection, not less. The fact that apartment and condo buildings must let many people into the common areas doesn’t mean they have to let everybody in. Gated communities use access controlled fences to keep out the casual wanderer. Are those controls perfect? Of course not – a determined intruder can sneak in on the coattails of an authorized resident or find out the key code through social engineering or even blow up the gate. But that doesn’t mean the perimeter controls are useless.

And neither are firewalls, DMZ networks and other protective mechanisms at the network edge useless just because they don’t, by themselves, completely protect the host computers inside. The “no perimeters” proponents seem to believe that any security mechanism that doesn’t provide 100% protection is worthless. The fact is that no security is ever 100% effective. If it were, legitimate users wouldn’t be able to get access to the resources they need.

This doesn’t mean we should just throw up our hands and give up on perimeter protection altogether. Instead, we need to recognize the importance of multi-layered, multi-level security strategies. We can’t expect the firewall at the network edge to create a LAN that’s totally safe any more than we should expect that living in a gated community means we don’t need to lock the doors of our individual homes. The edge firewall (and the gate) will keep out certain types of threats. Others, not so much. You still need to use mechanisms such as IP security, file level permissions, disk encryption, file encryption, Group Policy, wireless encryption and so forth to address all the perimeters present on today’s network.

Should you rely on perimeter protection for all your security? Of course not, just as you don’t rely on a locked fence to protect your valuables, but also put them inside a locked safe that’s inside a locked house that has a big, mean dog in the yard. But it’s silly to throw away one of the layers of your security plan just because it won’t do it all.

That brings us to our second topic: security through obscurity. This much maligned practice is mentioned in tones of contempt. It’s popularly considered to be not just worthless, but downright evil.

Of course, most of those who proclaim that only an idiot would practice security through obscurity are the same folks who’ll argue that it makes sense to use Linux or Mac, or to use “any browser but Microsoft’s” since it makes you a smaller target for the hackers. Isn’t that a form of STO? And if you truly believe obscurity plays no part at all in security, why don’t you flash your roll of cash when you’re out on the town? Why do you hide your expensive jewelry away in the bedroom instead of leaving it on the coffee table when you have a party? Why do you put valuables under the car seat or in the glove compartment if you have to leave them in the car, instead of leaving them out in plain sight to passersby?

In fact, such a fundamental security practice as keeping your password secret is a form of obscurity. The only thing that keeps an intruder from using it to log onto the network with your account is the fact that you’ve obscured it by making it long and hard to guess and not telling it to everybody.

If you say obscurity is a relatively weak form of security, I won’t argue with you. But to say it shouldn’t be used in conjunction with other, stronger technological security mechanisms to increase the overall level of security makes no sense at all. As any police crime prevention officer will tell you, the real purpose of security measures is to make it more difficult for an intruder to get in. Everything that slows him down makes it more likely that he will give up and move on to a house (or network, or computer) that’s less protected, that he can get into more quickly and easily. By putting obstacle after obstacle in his way, you build security for the items you want to protect most – whether that’s your diamond necklaces or your sensitive files – one piece at a time.

What do you think?

Is protecting the perimeter hopeless so you might as well not even try?

Is obscurity useless so you might as well advertise your sensitive information in flashing lights?

Or do security specialists who advocate such theories do a disservice to those they’re supposed to be helping protect?

Let me know your thoughts.

Deb Shinder

More on the Windows Live pwnage in Italy

As we reported earlier this month, Microsoft Live in Italy is serving massive amounts of infected pages through rogue search engine optimization by the Gromozon crew.

The Register has picked up the story and run with it.

To see for yourself, type “veicolo commerciale noleggio” into Live.com and watch what gets returned. The first result (at the time of writing, anyway) is for a site at b9n3q3.info/yb6u46p76.html, which uses a Javascript to redirect users to another site. This second site actively tries to install several varieties of malware, in some cases the nasty Trojan known as Rustock. This return is just one of many malicious referrals Live.com makes when entering the above search term, which is Italian for “commercial vehicle rental.”

Link here.

Some researchers might get confused by this exercise — because the results aren’t showing malware.

However, they will if you’re using an Italian IP address. Also, according to Francesco Benedini, a Sunbelt researcher and one of the foremost experts on Gromozon, “the Gromozon group pulls off every trick to make sure that when you’re surfing one of those sites you’re doing it with a real browser instead of an http crawler like wget; that includes headers that wget doesn’t normally put in place, like “Accept-language”, “Accept”, a proper user-agent, and apparently even that the actual referrer is one of their sites.

So if you don’t live-test it with a real browser you’re not being redirected to their malicious pages. Also, there’s a server-side detection of the user-agent as well; an XP machine with SP1 and IE6 gets infected right away, an XP machine with SP2 and Firefox doesn’t.”

Alex Eckelberry
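The cloaking Benedini describes above (different content depending on whether the request carries browser-style headers) is exactly why a plain crawler fetch misses these pages. The following is an added example, not code from the original post or from Sunbelt: a small probe that fetches one URL under several header profiles and flags the site as cloaking when the bodies differ. The header profiles, the `.example`/`.invalid` hostnames and `simulated_cloaking_server` (an offline stand-in for the behaviour the post describes) are constructed for this example; `urllib_fetch` is the real fetcher an analyst would swap in inside an isolated VM.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, Mapping

# Header profiles, constructed for this example. "bare-crawler" is what a plain
# wget fetch looks like; "browser-like" carries the headers the post says the
# Gromozon servers look for (Accept, Accept-Language, a browser User-Agent, a Referer).
HEADER_PROFILES: Dict[str, Dict[str, str]] = {
    "bare-crawler": {"User-Agent": "Wget/1.10.2"},
    "browser-like": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Accept": "text/html,image/gif,image/jpeg,*/*",
        "Accept-Language": "it-IT,it;q=0.8",
        "Referer": "http://referring-site.example/",
    },
}

# A fetcher takes (url, headers) and returns the response body as text.
Fetcher = Callable[[str, Mapping[str, str]], str]

# Matches the usual JavaScript and meta-refresh redirect idioms in a page body.
_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace)?\s*[=(]"
    r"|<meta[^>]+http-equiv\s*=\s*[\"']?refresh",
    re.IGNORECASE,
)


def contains_js_redirect(body: str) -> bool:
    """True if the body contains a script or meta-refresh redirect."""
    return _REDIRECT_RE.search(body) is not None


def urllib_fetch(url: str, headers: Mapping[str, str], timeout: float = 10.0) -> str:
    """Real fetcher for use inside an isolated analysis VM: one GET with the given headers."""
    req = urllib.request.Request(url, headers=dict(headers))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def simulated_cloaking_server(url: str, headers: Mapping[str, str]) -> str:
    """Hypothetical stand-in for the cloaking behaviour the post describes, so the
    example runs offline: the redirecting page is returned only when the request
    carries browser-style headers; a bare crawler gets harmless filler text."""
    looks_like_browser = (
        "Accept" in headers
        and "Accept-Language" in headers
        and "Referer" in headers
        and headers.get("User-Agent", "").startswith("Mozilla")
    )
    if looks_like_browser:
        return '<html><script>window.location="http://second-site.example/"</script></html>'
    return "<html><body>Veicolo commerciale noleggio</body></html>"


def probe_for_cloaking(url: str, fetch: Fetcher,
                       profiles: Mapping[str, Mapping[str, str]] = HEADER_PROFILES) -> dict:
    """Fetch url once per header profile and compare the bodies. A site that returns
    different content depending on how browser-like the request looks is cloaking."""
    bodies = {name: fetch(url, hdrs) for name, hdrs in profiles.items()}
    digests = {name: hashlib.sha256(body.encode()).hexdigest() for name, body in bodies.items()}
    return {
        "cloaked": len(set(digests.values())) > 1,
        "digests": digests,
        "bodies": bodies,
        "redirecting_profiles": sorted(n for n, b in bodies.items() if contains_js_redirect(b)),
    }


if __name__ == "__main__":
    result = probe_for_cloaking("http://example.invalid/", simulated_cloaking_server)
    print("cloaked:", result["cloaked"], "redirect seen for:", result["redirecting_profiles"])
```

Comparing hashes is deliberately crude: a page with a per-request nonce or timestamp will also differ between profiles, so a positive result is a prompt to look at the two bodies (the `bodies` entry), not a verdict by itself. The post also notes a server-side check on the user-agent, so a realistic probe adds one profile per browser/OS combination of interest rather than the two shown here.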

BMW dealership requiring thumbprints?

Wow, this reeks to high heaven. There’s lots of BMW dealerships out there in Southern California. Go to one which does not have an absurd policy of demanding a thumbprint in order to buy a car (like this South Bay BMW and Mini outfit). The dealership is apparently owned by Hitchcock Automotive Resources — ironically, the subject of a Cisco White Paper.

Imagine you’ve gone through a multiple week process to purchase an automobile.

You know the drill. Research every feature, pick your color, then, it’s negotiations for purchase price and for trade-in. Everything is done and agreed-upon, and excited, you are ready to hand over the check and collect your new car.

But wait!

You are handed a slip of paper and told to mark your right thumbprint in a box. The paper says clearly that it’s a request, for your protection, and to prevent your identity theft.

When you politely decline, the dealership refuses to sell you the car.

This is precisely what happened to me today when I tried to purchase a new X3 at the South Bay BMW dealer in Torrance, California.

Link here.

Truly, what extraordinary audacity on the part of this dealer.

Here’s my advice: Don’t give anyone your thumbprint unless it’s statutorily required.

Alex Eckelberry
(Hat tip)

Seen in the wild: Trojan spawned on MySpace

My colleague John LaCour over at MarkMonitor shared this one with me. It just goes to show how social networks can be used to spawn malware (as Dan Hubbard at WebSense describes it, “Web 2 dot uh oh”). When you give anyone in the world the ability to rapidly and anonymously create web pages, and then invite “friends”, you’re asking for trouble.

John got an invite saying “Jocelyn wants to be my friend”. The invite showed a picture of a young lady in a bikini.

[screenshot: the “Jocelyn” friend invite]

(Perhaps a more accurate portrayal might be here).

Once you check Jocelyn’s profile, you get a link to download the Zlob trojan, from http://privatemsprofiles(dot)net/download(dot)php.

[screenshot: the MySpace profile with the download link]

(Obviously, don’t download this trojan, and don’t go to Jocelyn’s profile unless you’re in a virtual machine.)

Incidentally, do you want to guess what the number one piece of spyware out there is? Zlob. You can see this right on the front page of our research center, which pulls live threat stats from our ThreatNet network. (Zlob is a trojan that downloads as a fake “Codec”, purporting to be required in order for you to view a video clip.)

[screenshot: ThreatNet top threats list]

What’s really sad is all those people that you can see on Jocelyn’s profile who have been pwned.

Alex Eckelberry

Higher education and infected wikis and tikis. It’s icky.

We’re finding buckets of infected forums, blogs, wikis and tikis. A lot of “compromised” educational (.edu) sites, most likely from unpatched vulnerabilities.

Take a look at some of these examples (offensive screens are thumbnailed for the easily offended):

[screenshot: search results for usc.edu]

As you can see, there are a vast number of hits for sites that have been taken over by porn on the University of Southern California system (usc.edu).

But it’s not only USC.

We have Virginia Tech:

[screenshot: Virginia Tech search results]

On this one Virginia Tech page, we get some really nasty porn (which we’ve covered up), with an offer to view more porn after installation of a fake codec:

[screenshot: Virginia Tech page with fake codec offer]

Here’s the University of Maryland:

[screenshot: University of Maryland page]

Searching Google for this one term brings up some rather disturbing stuff:

[screenshot: Google results]

Similarly, searching for “amatuer porn movies free” on Google brings up more nasty stuff, including this:

[screenshot: Callutheran wiki page]

Now, in the case of the Callutheran site, it’s a wiki – there is a PHP script that loads HTML from a porn site (http://www(dot)bigvideosonline.com/lesbians/index(dot)php?id=1403&style=orange). How did the script get there? We don’t really know, but suspect it could be a MediaWiki vulnerability.

A search for “Cheating Wives movies frees inurl:edu” brings us this:

[screenshot: Google results for the inurl:edu search]

And here’s more, Indian River Community College and USC:

[screenshot: Indian River Community College and USC pages]

Sniffing around one place, we find wide open access:

[screenshot: open directory listing]

So there’s an open directory listing with a keyword list and two PHP scripts that load the security scam hijacker porn pages or re-direct to rogue applications like Privacy Protector:

[screenshot: Privacy Protector rogue application]

It literally goes on and on and on and on and on.

Alex Eckelberry
(With copious credit to Sunbelt researcher Adam Thomas)

Security theater: Massive prank at the Superbowl

Many of you may know of this one, but it’s not widely known. zug.com did a massive prank at the SuperBowl. Whether it actually happened or not (I think it probably did), it’s worth checking out.

And this note by the author, John Margrave, which is dear to my heart and something I’ve written about before:

We live in a zero-risk society, convinced that more security, more police, more searches, and more technology will make us more safe. This is false. As we’ve proven, even four comics and a cameraman can outwit the most tightly-controlled event in history. Everyone did their job. No one did anything wrong. But no system is completely safe.

Life involves risk.

I want to leave you with this final thought. Life is some risky business. When we cling to the illusion of security, we give up our freedom and our privacy. When we willingly remove more clothing at airport security, when we allow our government to pass wiretapping legislation, when we give them power to spy on us, we are giving away our precious civil liberties that our founding fathers earned with blood.

Link here (via BoingBoing)

Alex Eckelberry

Another explosion in Connecticut

As you may know, I’ve been deeply involved in the case of Julie Amero, the hapless substitute teacher convicted of four felony counts for impairing the morals of a child, while the defense contends that Julie was a victim of popups and spyware. The rest is history, as the tech community exploded into her defense.

Yet the local Norwich, CT newspaper has continually taken the side of the prosecution, with virtually every story laced with implications that Julie deserved her sentence. However, the stories were always veiled as “unbiased journalism”, looking at “both sides of the story”.

Well, their true colors were finally shown today. They dropped a bombshell editorial, going on the record that Julie deserves these four felony counts:

Amero could receive up to 40 years, if she gets the maximum sentence allowable for each of her four convictions of risk of injury to a minor, and the judge orders them to be served consecutively. It’s an unlikely sentence, even though children were exposed to six hours of Internet pornography under Amero’s watch. We think Amero is likely to receive some sort of community service, and it would be a fair sentence.

Amero has many supporters, which should not sway the court, as most of them have formed opinions based on limited knowledge of the facts of the case, or simple hearsay. At the heart of this international debate is whether Amero was responsible for causing the pornography to be on the computer screen for an entire school day, when seventh-grade students were able to view it. Many in the technology field have suggested she was the victim of a “porn storm,” which were frequent problems in 2004, when the incident occurred. Some suggested the computer was overtaken by malware or spyware, technical parasites that will plant unwanted images, pop-ups, etc., onto a computer. Some have suggested Amero was the victim of a conspiracy by students.

My answer that I posted:

You say that Amero’s supporters have limited knowledge of the case — yet many supporters are basing their arguments on the very same trial testimony that you are using. I’m not sure I understand this logic.

In this country, one understands that there is the concept of proportional justice, where “the punishment will fit the crime”. In this case, the crime was ignorance, and for this you demand a felony conviction, which will ruin Amero’s life. Do you have any idea what an effect a felony conviction has on someone’s ability to work and live?

You had a pregnant substitute teacher nearing 40 who had popups on the computer. The trial testimony shows that she went for help and attempted to keep the children from seeing the images — even going so far as to push a child away. And despite what anyone says, it’s not clear that these popups were occurring “all day” – in fact, it’s apparent they occurred for less than 2 hours.

Comparing these popups to “a fire in a trashcan” or a “racy magazine on the desk” is misleading. A fire, a magazine, a fight in the classroom — these are all things that people in general have experience in. With computers, you’re entering a different realm — how many relatives or friends do you have that are computer illiterate and really do think that turning off the monitor will end up turning off the computer itself?

Allow me to point out that intent to harm a minor played a role in this case. And yet, we see no proof from the testimony that there was any intent to harm by Amero.

Let’s leave “armchair” jurisprudence to the legal experts. They know the law, let them decide if ignorance is the basis for a devastating felony conviction.

Prominent USA Today journalist Andrew Kantor also comes to her defense, here.

And you can read the transcripts for yourself here and come to your own conclusions.

Alex Eckelberry

Guerrilla PR: Buying up negative names

Earlier this month, an environmentally-oriented blog posted some interesting research. Johnson & Johnson, the makers of Splenda, has gone out and bought buckets of potentially negative names.

Some examples:

splendasucks.net, .org, .biz, .info
splendakills.net, .org, .biz, .info
splendatruth.com, .net, .org, .biz, .info
splendapoison.com, .net, .org, .biz, .info
thedangersofsplenda.com, .net, .org, .biz, .info
thefactsaboutsplenda.com, .net, .org, .biz, .info
thesplendadangers.com, .net, .org, .biz, .info
thesplendafacts.com, .net, .org, .biz, .info
victimsofsplenda.com, .net, .org, .biz, .info
thetruthaboutsplenda.net, .org, .biz, .info
thesplendatruth.com, .net, .org, .biz, .info
splendatoxicity.com, .net, .org, .biz, .info
splendatoxicitycenter.com, .net, .org, .biz, .info
splendavictims.com, .net, .org, .biz, .info
splendahealth.com

Many, many more here (via Domain Name Wire).

Interestingly, they didn’t manage to get splendasucks.com, which is a blog by a fellow who really doesn’t like Splenda (he says it gives him rashes and is made with chlorine).

Now, buying up negative names to control your PR image isn’t new. EarthWeb owns the domain earthwebsucks.com, and I’m sure there are many other examples.

If you know of any other similar types of activity by corporations, post a comment with more info or contact me directly.

Alex Eckelberry

RSA plans to charge what PIRT does for free

A while back, Paul Laudanski and I started PIRT, a volunteer group dedicated to taking down phishing sites. Paul later evolved PIRT to become MIRT — the Malware Incident Response and Termination group. MIRT broadens the activities of PIRT to the takedown of actual malware sites, along with sharing of malware samples with vetted security companies and researchers. (They also submit results to VirusTotal, and what they now have is a kind of running tally as to the effectiveness of antivirus engines against new threats.)

Well now RSA is putting together a service to charge for takedowns.

RSA people: Just give Paul a few more servers and volunteer some of your staff’s time… few do takedowns better than PIRT and MIRT.

Alex Eckelberry
(Hat tip to Donna)

A PR nightmare for Yahoo

This is why you don’t give in to foreign governments with abysmal human rights records.  You just don’t. 

Moments later, government agents swarm through the front door — 10 of them, some in uniform, some not. They take Wang away. They take his computers and disks. They shove an official notice into Yu’s hands, tell her to keep quiet, and leave. This is how it’s done in China. This is how the internet police grab you

Five years later, Yu, 55, sits in the dining room of a small house in Fairfax and weeps softly. She is a slight woman — 100 pounds and barely 5 feet tall in slippers. Her eyes betray her exhaustion; but she is determined, too. She carries a thick stack of notes with her, and she has scrawled more on her left hand.

“Yahoo betrayed my husband and deprived him of freedom,” Yu says through a translator, her voice trembling. “Yahoo must learn its lesson.”

Link here, much more at BoingBoing.

Yahoo was in an awkward position, where the law of the land required them to turn over the data. But what if you know that turning over this data may result in someone losing their life, or facing years in prison?

I know for a fact that Yahoo people aren’t evil.  In fact, it is a group largely made of really good, well-meaning people who are actually sickened by this whole situation. So don’t blame the whole company. 

But sometimes, decisions are made by individuals in organizations that result in this type of action.  It’s a lesson in organizational ethics:  Set the standard, and then lose the damn business, fire the MBA moron who is harping about the opportunity, walk away.  Just don’t bother with it.

Alex Eckelberry

A conversation between development and product management

If you’re in the software development space, you’ll get this little humorous exchange that someone here at Sunbelt wrote:

Development: “You want answers?”
Product Management: “I think we are entitled to them!”

Development: “You want answers?!”
Product Management: “I want the truth!”

Development: “You can’t handle the truth!!!

Son, we live in a world that requires software. And that software must be built by people with elite skills. Who’s going to build it? You, Mr. Marketing? You, Mr. Sales? You, Mr. Finance? You, Mr. Human Resources? I don’t think so.

We have a greater responsibility than you can possibly fathom. You scoff at our open work areas and you curse our big screen monitors. You have that luxury. You have the luxury of not knowing what we know — that while the cost of delivering software may be excessive, it drives revenue and saves money. And my very existence, while grotesque and incomprehensible to you, drives BUSINESS!

You don’t want to know the truth because deep down in places you don’t talk about at staff meetings… you want me managing the project. You NEED me managing the project!
We use words like refactoring, test-driven development, continuous integration, sprint, velocity, and release planning. We use these words as the backbone of a life spent delivering something. You use them as a punch line!

I have neither the time nor inclination to explain myself to people who rise and sleep under the very blanket of software I provide and then question the manner in which I provide it. I would rather you just said “thank you” and went on your way. Otherwise I suggest you log in to a computer and write some code. Either way, I don’t give a damn what you think you’re entitled to!”

Product Management: “Did you cut the monthly scheduler feature?”
Development: “I did the job I was hired to do.”

Product Management: “Did you cut the monthly scheduler feature?”
Development: “I delivered the release on time.”

Product Management: “Did you cut the monthly scheduler feature?”
Development: “You’re g%$#@*& right I did!”

Alex Eckelberry

Update: My mistake, this was actually from the Agile chronicles site.

Ninja upgrade shipped

We just did a nice upgrade to our Ninja email security product — it now includes disclaimer functionality built-in. This makes Ninja a ridiculous bargain in email security — dual-engine antispam, dual-engine AV, attachment filtering and disclaimers — all integrated.

New features in Ninja 2.1 include disclaimer functionality, an improved antispam engine for better spam detection, and console management enhancements.

[screenshots: Ninja disclaimer configuration]

You can view the webcast I did yesterday on it here, and our company propaganda here.

Alex Eckelberry

Sunbelt Weekly TechTips #35

OEM Vista upgrade frustration
If you bought a new Dell prior to the release of Vista, you had the option of selecting a Vista upgrade when the OS became available. I installed Vista from scratch on my Dell and avoided all that, but I’m hearing that some of the folks who opted for the upgrade have had long waits to get their software and that some of them are finding that Dell doesn’t have Vista drivers available for all of their hardware components. A quick web search finds that some people have recorded their experiences. We wonder if the same thing is happening with those who ordered upgrades with other brands. Let us know if you’ve experienced any problems with a hardware manufacturer’s Vista upgrade option.

Vista deactivation blues
Joe Wilcox blogged last week about a friend’s scramble to get his Vista computer working because he had failed to activate it when he installed Vista and the 30 day period ran out right at the time he suddenly decided he needed the laptop for a business trip. Sounds to me like all the drama was self-inflicted, but you can read and decide for yourself.

Vista: Improved Remote Desktop Connection
Like Windows XP Pro, the Vista Business, Ultimate and Enterprise editions include the Remote Desktop Connection service that allows you to connect to your computer and control its desktop, run its applications, etc. from another system on the network. RDC is based on Windows Terminal Services. The RDC client is included in all versions of Vista and can be used to connect to a Vista Business, Ultimate or Enterprise machine’s desktop or to a Windows Terminal Server. The new RDC client built into Vista makes RDC more secure, by using a new technology called Network Layer Authentication. You don’t have to upgrade to Vista to use the new RDC client, though. You can download a version of RDC 6.0 for XP here.

How to change the time stamp on a group of files
Here’s a by-product of Daylight Saving Time you might not have thought about: a colleague mentioned to me that whenever the time changes, his synchronization software thinks all the files have been updated on the USB flash drive he carries to transfer data between home and office, and wants to sync them all. He asked if there’s a way to change the time stamps on those files.

I use PowerDesk to do that: just open the PowerDesk Explorer, navigate to the location of the files you want to change, highlight them all, click File and select Set File or Folder Date/Time. Then type in the date or time you want to change it to and it’s done. You can use the free version of PowerDesk, or a little freeware utility called Time Stamp 1.1 that does the same thing. (On the subject of PowerDesk, the original developer, Mike Kronenberg, is rumored to be coming out with his own version of the product in several weeks. So if you’re thinking of buying a copy, I would hold off for a bit and contact his company, Novatix, to see what the plans are).

Additional Tip: If you just want to change the date stamp on a group of graphics files, but not the time, you can do it by right clicking the group of highlighted files in Vista Explorer, selecting Properties, clicking the Details tab and clicking the Date Taken field. This will drop down a calendar that lets you pick a new date.
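The DST problem above is a one-hour shift applied to every file, which is easy to do without a separate utility. This is an added example and not code from the newsletter or from PowerDesk: it shifts the modification time of a set of files by a fixed number of seconds (the colleague’s case), or stamps them all with one fixed time (what PowerDesk’s Set File or Folder Date/Time does), leaving access times alone. `make_sample_dir` builds a constructed temporary directory so the script can be tried safely; the directory argument to the script and the `dry_run` flag are conventions of this example.

```python
import os
from datetime import datetime
from pathlib import Path
from typing import Iterable, List, Union

ONE_HOUR = 3600  # the size of a Daylight Saving Time shift, in seconds


def files_under(root: Path, suffixes: tuple = ()) -> List[Path]:
    """All regular files below root, optionally limited to the given extensions."""
    wanted = tuple(s.lower() for s in suffixes)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and (not wanted or p.suffix.lower() in wanted))


def shift_mtimes(paths: Iterable[Path], delta_seconds: float, dry_run: bool = False) -> List[Path]:
    """Move each file's modification time by delta_seconds, keeping its access time.
    Returns the files that were changed (or would be, in dry-run mode)."""
    changed: List[Path] = []
    for path in paths:
        if not path.is_file():
            continue
        st = path.stat()
        if not dry_run:
            os.utime(path, (st.st_atime, st.st_mtime + delta_seconds))
        changed.append(path)
    return changed


def set_mtimes(paths: Iterable[Path], when: Union[datetime, float]) -> List[Path]:
    """Stamp every file with one fixed modification time, given as a datetime
    or as epoch seconds, keeping its access time."""
    stamp = when.timestamp() if isinstance(when, datetime) else float(when)
    changed: List[Path] = []
    for path in paths:
        if path.is_file():
            os.utime(path, (path.stat().st_atime, stamp))
            changed.append(path)
    return changed


def mtime_of(path: Path) -> int:
    """Modification time of a file as whole epoch seconds."""
    return int(path.stat().st_mtime)


def make_sample_dir(n_files: int = 3, mtime: int = 1_000_000) -> Path:
    """Constructed sample input: a temporary directory of small files all stamped
    with the same modification time, so the functions above can be tried safely."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="stamps-"))
    for i in range(n_files):
        f = root / f"file{i}.txt"
        f.write_text("sample")
        os.utime(f, (mtime, mtime))
    return root


if __name__ == "__main__":
    import sys
    # Usage: python stamps.py <directory>  (dry run: lists the files it would shift by -1h)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_dir()
    for p in shift_mtimes(files_under(root), -ONE_HOUR, dry_run=True):
        print("would shift:", p, "from", mtime_of(p))
```

Run it with `dry_run=True` first and look at the list, since a sync tool that keys on modification time will treat the shifted files as changed exactly once more after you run this; the point is to bring both copies back into agreement, so apply the same shift to the same files on both sides or to neither.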

How to change the name of the registered owner in XP
To change the name of the registered owner in XP, do the following:

  1. Click Start, then Run, and type regedit to open the registry editor.
  2. Browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  3. In the right details pane, double click the value RegisteredOwner.
  4. In the value data field, type in the name you want to use and click OK.

You can change the company name, if any, in the same way by editing the value RegisteredOrganization.

If you’d prefer not to edit the registry directly, there is an automated script you can download from the Kelly’s Korner web site that will do it for you.

Can’t download files to XP computer with IE 7
If you’ve installed Internet Explorer 7 on your Windows XP computer and find that you are unable to save files to your computer from the File Download dialog box, it may be because you have the Japanese Input Method Editor set as the default keyboard layout. What’s up with that? You can get a hotfix for the problem. To find out how, see KB article 932823.

How to change column settings in Windows Explorer
You can configure Explorer to display the columns that you want to see, or change the order in which the columns are displayed, by following the instructions in KB article 310297.

XP computer restarts unexpectedly or you get a stop error
If your computer suddenly decides to reboot itself without your permission and you get an error message saying the system has recovered from a serious error, or you receive a Stop error message that references “Driver_IRQL_Not_Less_Or_Equal,” this may be caused by a problem with the TCP/IP stack on a network running the IP Security (IPsec) protocols. There is a hotfix available. For more info, see KB article 925922.

Deb Shinder, MVP

Seen in the wild: Advertising in a trojan

As a brief follow-up to my previous blog today about advertising in spyware: The Zlob trojan comes through fake codecs. It’s nasty and not something you want on your system, and one thing you may get is ads. In this case we found today, ads are spawned through entertainclicks(dot)com/cu/index.html, where you can see for yourself (in a VMware virtual machine, please) the ads that the site shows on infected machines. The ads feed top10–offers(dot)com.

[screenshots: ads shown on an infected machine]

Alex Eckelberry
(Thanks Patrick)

Supporting spyware

The practice of advertising in spyware directly supports spyware itself. It’s something that’s garnered some attention, with the New York AG’s office coming to a settlement in January with three major online advertisers over the matter.

However, Ben Edelman shows how this practice is continuing.

“…despite their duties to the NYAG, both Cingular and Travelocity have failed to sever their ties with spyware vendors. As shown in the six examples below, Cingular and Travelocity continue to receive spyware-originating traffic, including traffic from some of the web’s most notorious and most widespread spyware, in direct violation of their respective Assurances of Discontinuance. That said, Priceline seems to have succeeded in substantially reducing these relationships — suggesting that Cingular and Travelocity could do better if they put forth appropriate effort.”

It’s worth noting that advertisements are typically placed through third party advertising networks (to see how this works, read my earlier blog entry here). Because they are using an intermediary, some advertisers may claim that they can’t control where their ads are placed, which is a crock. Just because you buy ads through a third-party ad network does not mean you can’t control it. For example, when one major security software company found its products being advertised inadvertently in spyware, they found the source and clamped down — and this is a company that advertises a lot online. The same goes for a number of other companies.

To avoid getting ads placed in spyware, an advertiser can, at the least, a) choose third party ad networks that have a demonstrated track record of not placing ads in spyware and b) make the third party ad network attest in writing that they will not place your ads in spyware.

Things have gotten better in the third party ad network side. When AOL bought Advertising.com, they immediately dumped $100 million in business that was being done through spyware. And a number of other third party ad networks are clamping down, refusing to advertise through spyware programs.

But as Ben writes, it’s still happening. And that money spent by advertisers directly supports the makers of spyware.

Alex Eckelberry

Heads-up: Congress to debate spyware bills this Thursday

Evidently the House Commerce Committee will be holding a hearing on the various spyware bills this Thursday at 11 am EDT. Scheduled to testify are: the CDT, NAI, Zango, and one other group, among others. The FTC will not be testifying.

The House may offer a live feed of the hearing somewhere on the house.gov web site. As soon as I find out more, I’ll post it to the blog.

Alex Eckelberry
(Thanks Eric H.)

Ready for Redmond and Windows Home Server

I’m getting ready to spend next week in Seattle and in Redmond at the Microsoft main campus. It’s that time of the year again, when Microsoft hosts the annual MVP Summit, and it’s a time when I not only get to meet in person some of my fellow MVPs from around the world, but also get some great “inside information” on upcoming Microsoft products, some of which I’ll be able to share with readers.

It’s always interesting being inside the belly of the beast, and this year – for the first time in several years due to scheduling conflicts – Bill Gates will once again be with us for the festivities (not that I didn’t enjoy Steve Ballmer’s dynamic speeches). We leave early Monday morning and come back Thursday night, and we have a very full schedule – from 8:00 a.m. to 11:00 p.m. every day (that includes the official dinners and parties, which provide great opportunities for networking and finding out what’s going on “under the hood”).

There are different tracks for different specialties, and mine is security so I’m hoping to learn more about how Microsoft plans to make future products even more secure, but I’m also hoping to find out a little bit about some of the features that will be included in those products. Everything that doesn’t fall under the non-disclosure agreement, I’ll be writing about in the next few weeks, here and on my blog. While on the road, I’m planning to take advantage of T-Mobile’s offer of free HotSpot wireless for Vista users, and I’ll be reporting back to you on that.

Meanwhile, last week I was invited to partake of the Windows Home Server private beta. WHS is an interesting concept and we got a first look at it at the Consumer Electronics Show (CES) in January. This is an operating system that’s based on Windows Server 2003 R2, Microsoft’s enterprise-level server OS – but it’s designed for home use and is supposed to be so simple your grandmother can administer it.

Why would anyone need a server at home? Remember that only a few decades ago, the idea of home computers was dismissed by many as a flight of fancy. Now, according to recent statistics there are at least 40 million households all over the world that have high speed Internet access and at least two computers in their homes. Where there are two or more computers, sooner or later there’s likely to be a home network. And once there’s a network, a server can’t be far behind.

The main purpose of a server is to provide a centralized place for storing files so multiple users can access them easily. This also makes it much easier to back them up, since they’re all in one place, and that makes it less likely that you’ll lose important data.

Of course, you can share files on a home network without having a server. All you need to do is set up a peer to peer network and make your computers members of the same workgroup. The problem with this scenario is that the shared files stay on individual workstations. That means they may not always be available when you need them. If mom turns off her PC at night, or dad disconnects his laptop and takes it to the office with him, or Junior’s system crashes, others on the home network lose access to any shared files on those computers.

That’s the reason many families are already using de facto servers. They designate one computer, often an old desktop PC that’s left over after someone gets a new one, put it in a central location, leave it on all the time and have everyone save the files they want to share to a shared folder on that system. This works, in a crude fashion. What Microsoft aims to do with WHS is take the idea a step or two further.

WHS uses a brand new technology to aggregate all the files that are stored on the server into a single “storage pool” so you don’t have to worry about drive letters and which drive you saved something to. It also mirrors the data to two different disks, so that you have fault tolerance similar to what businesses and techies get with RAID, but it’s set up automatically and much easier to work with – no advanced technical knowledge is required. And when you outgrow the disks in the system, you can swap out your 200 GB drive for a 500 GB drive using a wizard that preserves your files and keeps them accessible.

The Windows Home Server also automatically backs up not just everything on the server, but files on all the other PCs on the home network, too. There’s a full PC image of each computer so that if any computer has to be restored, it’s easy to do. And WHS monitors security related settings on all the PCs so that you can know whether all the computers have their anti-virus software turned on, for example.

One great use for a home server is to share media files such as music and recorded TV programs. And it’s not just other computers that can access these files on WHS. Media Center PCs and Xbox 360s can also play songs and shows from the server. And if you’re at the office or out there on the road, you can access the information on WHS remotely over the Internet.

Note that the server doesn’t function as a regular computer in that you can’t sit down at it and work at it. It doesn’t have a monitor or keyboard or even a place to plug them in. The hardware connections are as simple as it gets: other than the power cord there’s only one jack, an RJ45 Ethernet port. You plug the server into your network’s hub or router and set it up through another PC on the network.

I’ll be reporting more on WHS in the future. Meanwhile, tell us what you think about the idea. Is it another solution in search of a problem, or a great idea? Do you run a server on your home network now? Would you if it were easier to do? Or are servers just for businesses? What’s your “wish list” for a home server (what do you want it to do for you)?

Deb Shinder, MVP