Is the Browser Battle Heating Up on a New Front?

For a long time, the battle over which is the best operating system has been a three-way one. The vast majority of computer users still depend on some version of Windows, but the market share for Linux in all its varieties has grown over the years. And there is an even larger (although still small) following for the Macintosh.

Here’s the way it’s broken down as of May 2007, according to the Market Shares web site run by Net Applications: Windows XP currently enjoys a little over 82 percent of the market, with other Windows operating systems making up another 11 percent or so.

Macs come in second with almost 9 and a half percent (includes both MacOS and MacIntel), and Linux – despite open source advocates’ best efforts – is reported with less than 1 percent of the market. The numbers don’t add up to 100 percent because a few other specialty operating systems, such as Hiptop (for mobile phones) and PSP (for gaming consoles) are also included in the statistics, but the top three dominate desktop computing.

The web browser is arguably the most used piece of software on most computers and similarly, the browser wars have been primarily a battle between three contenders: Internet Explorer (with almost 79 percent), Firefox (with just over fourteen and a half percent) and Safari (with almost 5 percent). There are many other browsers available, including the one-time favorite Netscape, Opera, Konqueror and versions of Mozilla, but the rest all show under 1 percent of market share.

Safari has, up until now, suffered a disadvantage in this contest. Since it ran only on Macs, and Macs are on less than 10 percent of computers, most users weren’t able to run or even try the browser.

Thus, most folks, when you say “alternative web browser,” think only of Firefox. But if you happen to like the Safari web browser that comes with Mac OS X, but prefer to use Windows (or have to at work), now you can take a Safari without switching your OS. Apple has just released a version of Safari for Windows.

Some pundits warn that it’s just a ploy to lure Windows users over to the Mac. Others applaud the ability to use Mac programs they like without having to switch platforms. Some speculate the Safari for Windows release will hurt Firefox more than IE. Whatever your opinion may be, it was downloaded more than a million times in its first two days of availability. Somebody must be interested.

This release is a beta, and it was announced by Steve Jobs at the Worldwide Developers’ Conference 2007 last week. The Windows version has the same features as the one that runs on OS X. Apple claims that Safari runs twice as fast as IE and significantly faster than Firefox. Since the need for speed seems to be a common trait of computer users, this makes Safari look like an attractive alternative.

It also boasts some interesting features such as SnapBack, a button that lets you instantly go back to the top level of a web site after browsing deeply into it or create an anchor point to snap back to after browsing through many links and sites. And it has a security feature called “private browsing” that lets you turn off storage of search results, cookies, site history, download history and other normally cached information, instead of having to erase those caches after the fact.

I wanted to find out for myself. I always install multiple browsers, for several reasons. Some web sites won’t render properly (or at all) in one browser but look fine in another. And I create web pages, so I like to take a look at my own pages in different browsers so I’ll know how others are experiencing them. I currently have IE 7, Firefox and Opera installed on my primary desktop computer and I was eager to add Safari to the collection.

Download and installation of the beta took only a few minutes, but I made sure to create a restore point first, just in case. It was pretty non-intrusive; it did install an icon on the desktop, but interestingly it didn’t open the browser after installation. I clicked the icon – and immediately got a message that the program had stopped working. Subsequent attempts rendered the same result. Although it was advertised as being for XP or Vista, my installation of Vista apparently didn’t like it.

I tried changing the compatibility settings on the Safari.exe program to run in XP compatibility mode. That’s worked for a number of programs that didn’t work on Vista right off the bat, but it had no effect here. Next I tried running as an administrator. That didn’t work, either. Okay, maybe – even though it didn’t say so in the installation instructions – it required a reboot. I closed everything and restarted the computer. Still no Safari for me.

Not one to give up that easily, I next tried to install Safari on a couple of XP machines – first one that belonged to my Windows domain and then, when I was unsuccessful again, on one that wasn’t a domain member. This time I got a little further – Safari detected my proxy server and asked for my credentials. I had high hopes. However, after I entered them, I got the XP dialog box telling me that Safari had encountered a problem and needs to close.

If I canceled the proxy dialog box, I couldn’t access any web sites, but I could examine the Safari menus and Help files. Unfortunately, the Help files provided no help for my problem. The good news was that the installation attempt didn’t cause any problems for the OS or other programs, but darn it, I had used Safari on OS X and wanted to get a chance to actually use it to view web pages on XP or Vista.

Tom started mulling over the problem with me, and we came up with one last idea, based on the request for proxy credentials on the XP computer. Maybe the proxy authentication wasn’t working correctly. He headed upstairs to the server room and turned off proxy authentication on the ISA Server that’s installed on our network edge. Sure enough, Safari then worked fine.

It’s not a very practical solution. For security purposes, we’re not going to leave authentication turned off just so we can use the Safari browser. But at least we did track down what was causing the problem, and I got a chance to take a brief look at the browser.

The interface is the familiar OS X look (which I rather like). Its window frames are not transparent in Vista, though. And yes, it is fast. In side-by-side tests, it opened most pages more quickly than IE and Firefox, but not by a lot. In fact, the other two browsers sped up a lot when proxy authentication was off, too.

I had one immediate complaint: when you click in the address bar, it doesn’t highlight the whole address as IE and Firefox both do, so you can type in a new one without dragging to highlight and delete the old one. Minor, but annoying. Also, as with all OS X programs, you can’t resize the window by just grabbing the edge anywhere; you have to grab it at the bottom left corner. That can take some getting used to.

As promised, it imported my IE bookmarks without asking (not sure if that’s good or bad). The way it handles bookmarks is interesting; there is a bookmarks tab that you can choose to show or hide. SnapBack also works as described, and I think I could get to like that feature.

Note that the initial release had some security problems, but Apple released an update on Thursday (June 14) to fix the vulnerabilities. Be sure you have version 3.0.1. If you have the Apple Update software installed, it’ll be pushed to you through that. And you may want to read this article from Larry Seltzer that discusses the “halo effect” before installing Safari.

If you still want to give it a try, you can download the Safari beta here.

Let me know how you like it and whether you encounter any problems running it on Windows. Also tell us: what’s your favorite web browser, and why? Do you use more than one browser? What features would you like to see on the ideal web browser?

Deb Shinder

Update on worm spam wave

Update on the previously reported spam wave spreading malware.

Our analysis of the web page in the spam shows that it uses a number of exploits to infect a system: Cursor ANI, Create Control Range, MDAC (and this), and SetSlice.

So, fully patched systems should be fine. However, the page that one gets directed to does offer the user the ability to download the malware, so social engineering is still at play here.

Also, sources at the CastleCops SIRT (Spam Incidence Reporting and Takedown) team indicate the following URLs are infection vectors:

Update: More added in the comments section.

[Many of these are live exploit sites. Do not visit unless in a virtual machine, etc.]

More information here and here.

Alex Eckelberry

Weekend run of fake greetings loads malware

A run of spam this weekend looks something like this:

From: Martha [fake email address]

Sent: Monday, June 16, 2008 2:56 PM

To:

Subject: Martha sent you a endeny(d0t)hk! Greeting

Surprise! You’ve just received a endeny(d0t)hk! Greeting from from “Martha” [fake email address]

To view this greeting card, click on the following Web address at anytime within the next 30 days.

[malware link]

Enjoy!

The endeny(d0t)hk! Greetings Team

[endeny(d0t)hk is a live exploit site. Do not visit it unless in a virtual machine, etc.]

If you click on the link, you get to a website which attempts to exploit your system (the one we analyzed used the now-patched ANI cursor exploit). A link is also provided on the web page to download the malware yourself.

It’s a new technique that one group is using to deploy the “Storm Worm” P2P bot net.

Alex Eckelberry
(thanks to Adam Thomas for his research help on this)

TSA Warning: Dangerous sippy cups on the loose!

A mother (who is also a former cop) gets in trouble over a sippy cup.

“I demanded to speak to a TSA [Transportation Security Administration] supervisor who asked me if the water in the sippy cup was ‘nursery water or other bottled water.’ I explained that the sippy cup water was filtered tap water. The sippy cup was seized as my son was pointing and crying for his cup. I asked if I could drink the water to get the cup back, and was advised that I would have to leave security and come back through with an empty cup in order to retain the cup. As I was escorted out of security by TSA and a police officer, I unscrewed the cup to drink the water, which accidentally spilled because I was so upset with the situation.

“At this point, I was detained against my will by the police officer and threatened to be arrested for endangering other passengers with the spilled 3 to 4 ounces of water. I was ordered to clean the water, so I got on my hands and knees while my son sat in his stroller with no shoes on since they were also screened and I had no time to put them back on his feet. I asked to call back my fiancé, who I could still see from afar, waiting for us to clear security, to watch my son while I was being detained, and the officer threatened to arrest me if I moved. So I yelled past security to get the attention of my fiancé.

I’ve always been suspicious of those cups. So cute… but we all know looks are deceiving. After all, you can never be too careful.

Alex Eckelberry
(Image courtesy of BuyCostumes.com. And thanks, Stu.)

British town installs cameras — to make sure people take out the trash correctly

It’s a curious observation that the more governments try to control people, the more difficult it becomes. Contrast that with the observation that the more you treat people like intelligent human beings, the more they start acting like it (it’s my belief that if you treat people like children, you’ll not get your desired effect).

At any rate, in Britain’s inexorable march to apparently follow in the path described by one of its most brilliant writers (Orwell), they have put cameras virtually everywhere.

And now they’re using cameras to spy on people’s trash-binning habits.

Householders in a seaside town have been told to put their bins out at the front of their homes and not in an alleyway to the rear.

They must also leave their rubbish out between set times to ensure it does not attract pests or miss the dust cart.

To enforce the new rules, a camera will be placed in a rubbish bag and left in an alleyway to blend in with the surroundings to catch offenders. Those filmed breaking the rules will be given a ticking off.

Repeat offenders could be handed a fixed penalty notice or even be taken to court and fined up to £1,000.

The tiny covert camera, which has cost Weymouth and Portland Council, Dorset, up to £10,000, will also help catch householders who put their rubbish out too early or too late…They will only be allowed to put out their rubbish between 8pm and 6am the night before collection and it will have to be at the front of their homes.

Do you think the citizens of this town might find this a bit insulting?

Link here.

Alex Eckelberry

A dangerous, live IRS phish — and the abuse desks are closed

I think everyone involved in malware takedown is getting very tired of ISPs who don’t have 7 day abuse desks.

Take, for example, one very dangerous IRS phish making the rounds right now. It’s another in a number of targeted attacks we’ve been observing lately.

[BEGIN EMAIL SAMPLE]

Subject: Tax Information – (individual’s name) – (Code individual’s email address-plus a sequence of codes)
From: “IRS.gov” <service@IRS.gov>
Date: Sat, 16 Jun 2007 10:35:49 -0400
To: (individual’s email address)

Account : (individual’s name)
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $163.80. Please submit the tax refund request and allow us 3-5 days in orders to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records of applying after the deadline.

To access the form for your tax refund, please click here.

Regards,

Internal Revenue Service

[END EMAIL SAMPLE]

This phish is unique in that it displays the recipient’s correct name and email address on the To: and Subject lines. But the real kicker is this — embedded in the URL is the recipient’s email address, and when the recipient connects to the website, the website pulls up the recipient’s actual name, email and street address and displays that in the form!

So not only is the email targeted, but there’s a complete back end database containing information on the intended victim. The site is obviously prompting for credit card information.
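
A mail-filter heuristic for the pattern described above, as an added example that is not part of the original post: it flags a message whose link carries the recipient's own address while pointing off the domain the sender claims. It goes slightly beyond the literal case by also checking percent-encoded, base64 and hex forms; the addresses, host names and sample messages are constructed placeholders.

```python
import base64
import binascii
import html
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _decodings(token):
    """Yield plaintext candidates for one URL token: base64/base64url, then hex."""
    if len(token) < 8:
        return
    try:
        padded = token + "=" * (-len(token) % 4)  # senders often strip padding
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        pass
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", token):
        yield bytes.fromhex(token).decode("utf-8", "ignore")


def recipient_in_url(url, recipient):
    """Return 'plain', 'encoded' or None for how the address appears in url."""
    recipient = recipient.lower()
    decoded_url = unquote(url)
    if recipient in decoded_url.lower():
        return "plain"  # literal or percent-encoded (%40) address
    # Path segments and query keys/values are the places a tracking token sits.
    for token in re.split(r"[/?&=#;]", decoded_url):
        for text in _decodings(token):
            if recipient in text.lower():
                return "encoded"
    return None


def _body_text(msg):
    """Concatenate all text parts and undo HTML entities (&amp; inside href)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        except LookupError:  # unknown charset label
            chunks.append(payload.decode("utf-8", "replace"))
    return html.unescape("\n".join(chunks))


def analyze(raw_message):
    """Report per-link signals and an overall verdict for one raw message."""
    msg = message_from_string(raw_message)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {
        "recipient_in_subject": bool(recipient)
        and recipient in msg.get("Subject", "").lower(),
        "links": [],
    }
    for url in URL_RE.findall(_body_text(msg)):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL; skip rather than crash the filter
            continue
        on_sender_domain = bool(from_domain) and (
            host == from_domain or host.endswith("." + from_domain))
        report["links"].append({
            "host": host,
            "recipient_in_url": recipient_in_url(url, recipient) if recipient else None,
            "off_sender_domain": not on_sender_domain,
        })
    # Verdict: a link that identifies the recipient AND leaves the claimed domain.
    report["targeted_phish_suspected"] = any(
        link["recipient_in_url"] and link["off_sender_domain"]
        for link in report["links"])
    return report


# --- Constructed sample input (placeholder addresses and hosts) ---
RECIPIENT = "taxpayer@example.com"
TOKEN = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
HEADERS = ('From: "IRS.gov" <service@IRS.gov>\n'
           f"To: {RECIPIENT}\n"
           "MIME-Version: 1.0\n"
           "Content-Type: text/html; charset=utf-8\n")
SAMPLE = (HEADERS
          + f"Subject: Tax Information - J. Doe - {RECIPIENT}-77A1\n\n"
          + "<p>To access the form for your tax refund, please "
          + f'<a href="http://refund-form.example.net/irs/?id={TOKEN}&amp;c=77A1">'
          + "click here</a>.</p>\n")
BENIGN = (HEADERS
          + "Subject: Tax season reminder\n\n"
          + '<p>See <a href="https://www.irs.gov/refunds">our refunds page</a>.</p>\n')

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, analyze(raw))
```
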

Here’s what’s frustrating: The site is hosted by Earthlink. Already, attempts have been made to get this site shut down, to no avail. As the person doing the takedown says “I was told that the only people permitted to shut the site down is the abuse team, and they don’t work nights/weekends/holidays.”

So Earthlink will let hundreds, possibly thousands of people get phished over the weekend, because they can’t have even one person manning their abuse desk on the weekend.

What’s ironic is that often the smaller ISPs are the ones that are the fastest to react. The big ones, especially ones like Yahoo and AT&T, make it monumentally difficult just to get an actual phone number for them.

And in cases like this, it’s critical to be able to react rapidly.

My feeling? ISPs must have a basic level of security credentials and 7–day abuse service.

This has to stop. Really.

Alex Eckelberry

Are our security policies driving away tourists?

Oxford Economics, in conjunction with Tom Ridge (the first DHS secretary), has analyzed travel patterns to the United States and found travel to the US to be on a decline. Survey data indicates that a major reason may be overly restrictive security and immigration policies. The economic impact is not trivial — it’s to the tune of over $100 billion over the last seven years.

Overseas travel to the United States has fallen 17 percent since its peak in 2000, with a cumulative cost of more than $100 billion in lost visitor spending, almost 200,000 jobs and $16 billion in lost tax receipts. World economic growth has been stronger during the past three years than at any other three-year period in the past thirty years. Almost all destinations – outside of the United States – have benefited from increased inbound travel amidst this rising economic tide. Worldwide, international travel has been expanding at a rate of six percent per year.

Making the decline all the more perplexing, the United States is a price-attractive destination for international visitors with the dollar weakening 30 percent against the euro and 22 percent against the pound since 2001. Historically, a weakening dollar should drive robust gains in visitation to the United States.

A survey of 2,000 foreign travelers starts to indicate why travel is down:

– By a greater than two-to-one margin, respondents say the United States has the “world’s worst” entry process;

– Sixty-six percent of respondents say they are worried they may be detained for hours because of a simple mistake or misstatement at a U.S. airport;

– More respondents were concerned about U.S. immigration officials (70 percent) than the threat of crime or terrorism (54 percent) when considering a trip to the United States; and

– Sixty-one percent of respondents believe that the United States makes little effort to attract international visitors compared to other countries.

In other words, we’re scaring the crap out of these people with our security and entry policies. And incredible as it may sound to some, not everyone who enters the United States is actually a terrorist.

I’m, obviously, all for good security. But when “security theater” significantly affects us economically, one has to rethink how we’re protecting this country and what we can do to optimize the process toward pragmatic solutions.

Alex Eckelberry
(Hat tip)

An unusual event

So I came back from lunch yesterday and found Robert LaFollette (our creative director and a favorite of this blog) walking around the office barefoot. Surprised, I asked him what had happened to his shoes. Well, it turns out he got a bit wet on his lunch break.

He had gone out to drop by the Clearwater Marine aquarium to handle some paperwork from a photo shoot he’d done (this is a small aquarium that does a tremendous amount of local environmental work — all on a volunteer basis). 

Unexpectedly, he found himself in the middle of a turtle release — and this was a big deal, with news cameras, etc.  Since the aquarium people knew him, he was invited to come along and photograph the event.  He found himself in the back of a pickup truck, sitting next to a very, very large female loggerhead turtle.

The turtle was driven down to the beach and released, and it was all quite dramatic. 

You can read his blog post about it here and see his photos of the event here.

Never a dull moment.

Alex Eckelberry

Sunbelt Software product named in a proposed act of Congress

Yesterday, Senator Mark Pryor introduced the Counter Spy Act of 2007 to make it illegal for companies or fraudsters to implant spyware on a person’s computer without consent. I just love to see my product name in an act of Congress. 

Ok, putting the sophomoric humor aside, I’ve outlined my feelings on these laws, and Declan McCullagh has weighed in as well.

Alex Eckelberry

The JFK terrorist plot: Capitalizing on fear and hysteria

One of my favorite comedy shows, Family Guy, had a recent segment where one of the characters runs for mayor, and realizes the power of using terrorism to get elected. Very, very funny — and a bit sad.

In that vein, there is a very good post this morning over at Schneier about the recent “plot” to blow up JFK fuel tanks:

The alleged plan, to blow up JFK’s fuel tanks and a small segment of the 40-mile petroleum pipeline that supplies the airport, was ridiculous. The fuel tanks are thick-walled, making them hard to damage. The airport tanks are separated from the pipelines by cutoff valves, so even if a fire broke out at the tanks, it would not back up into the pipelines. And the pipeline couldn’t blow up in any case, since there’s no oxygen to aid combustion. Not that the terrorists ever got to the stage — or demonstrated that they could get there — where they actually obtained explosives. Or even a current map of the airport’s infrastructure.

But read what Russell Defreitas, the lead terrorist, had to say: “Anytime you hit Kennedy, it is the most hurtful thing to the United States. To hit John F. Kennedy, wow…. They love JFK — he’s like the man. If you hit that, the whole country will be in mourning. It’s like you can kill the man twice.”

If these are the terrorists we’re fighting, we’ve got a pretty incompetent enemy.

You couldn’t tell that from the press reports, though. “The devastation that would be caused had this plot succeeded is just unthinkable,” U.S. Attorney Roslynn R. Mauskopf said at a news conference, calling it “one of the most chilling plots imaginable.” Sen. Arlen Specter (R-Pennsylvania) added, “It had the potential to be another 9/11.”

These people are just as deluded as Defreitas.

The only voice of reason out there seemed to be New York’s Mayor Michael Bloomberg, who said: “There are lots of threats to you in the world. There’s the threat of a heart attack for genetic reasons. You can’t sit there and worry about everything. Get a life…. You have a much greater danger of being hit by lightning than being struck by a terrorist.”

And he was widely excoriated for it.

Link here.

Now, to all those commenters who invariably accuse me of some ridiculous thing like not understanding the “real problem”, that’s nonsense. I don’t want to see terrorists any more than the next person.

But what really concerns me is the silly security theater, political grandstanding and other nonsense that we’re doing in this country at the expense of our civil liberties and practical considerations. It seems the voice of reason is being lost amidst a sea of hysteria, and anyone who talks out about it gets accused of being some commie pinko leftie (which I’m decidedly not).

Alex Eckelberry

Sunbelt Weekly TechTips #48

Most dangerous types of web sites
We all know that some web sites have embedded controls or code that can result in “drive-by downloads” – programs installed on your computer that you don’t want and that may be malicious. But are certain types of sites more likely to put you at risk than others? Absolutely. And if you search for certain terms, they have a higher probability of returning URLs that lead you to dangerous sites. According to an AP story last week, you’re in the most danger of stumbling across a malicious site when you search for terms related to music or technology. The good news is that the number of high risk sites in search engine results is lower than it was a year ago.

Send live video from your cell phone to the web
Want to share your son’s big moment in the high school football game with dad, who’s out of town on business, almost as it happens? Want grandma to be able to “be there” for your daughter’s graduation virtually as well as just in spirit, even though she lives a thousand miles away? A new service called PocketCaster lets you do all this and more. If you have the right model of G3 mobile phone, you can take video and broadcast it to a web page as a live stream with only a small delay (less than half a minute). Others can view it on their computers with Windows Media Player or QuickTime. Is that cool or what?

At the moment, it’s free, although you do have to sign up. You can install the software on your phone or, if your phone doesn’t support SMS, you can access the software from a web site via your phone’s web browser.

Why would an anti-spyware law be bad?
We all hate spyware, those insidious software programs that install themselves on our computers without our knowledge and then “phone home” with information about us. We hate it so much that many people said “there ought to be a law” – and that propelled legislators to do what some might argue legislators do best: pass hastily contrived and potentially harmful legislation.

The U.S. House recently passed the Spy Act by an overwhelming majority (368 to 48). After all, no one wants to appear to be soft on privacy violators. But many in the computer industry, who really understand the problem, believe it’s a bad law that will have unintended consequences. Read what our own Alex Eckelberry had to say about it in his blog a short while back for a better understanding of why this law is not the answer.

Customize IE 7 with free add-on
IE7 Pro is an add-on for the latest version of Internet Explorer that lets you extend its functionality by adding a Firefox type spell checker, tabbed browsing management, inline search and more. One cool feature is Super Drag and Drop, with which you can open new links by dragging and dropping them on the page. The crash recovery feature can be a godsend if you’re deep in a maze of research when IE gives up the ghost. It automatically restores open pages after the crash. You can check out all the features and download the software to give it a try.

Vista: Tag – you’re it!
One of the neatest new features in Windows Vista is the ability to tag your photo files without third party software. Tags are metadata (file properties) that can be searched, so adding tags makes it easier to organize and find your pictures. You can open the new info pane to add tags or view tag information about an existing file.

You can also add titles, subjects, ratings, comments, author name, copyright info and more to a photo’s properties. Just right click the photo file, select Properties and click the Details tab. When you hover over the Value column, a text box will appear where you can type in the information.

How to make the status bar display all the time in XP and Vista
I’ll never know why Microsoft doesn’t turn on the status bar at the bottom of the Windows Explorer window by default. Being able to see how many items are in a folder and the amount of disk space that’s free on the drive are convenient, but you have to go through a few steps to get it to display – even after you turn the feature on, it may go away when you move to a new folder unless you set it to stay permanently. Here’s how:

  1. Click Start Explore to open Windows Explorer.
  2. Click a folder in the left pane.
  3. Click the View menu and select Status Bar. This turns the status bar on, but only for that folder.
  4. Click the Tools menu and select Folder Options.
  5. Click the View tab.
  6. Under Folder Views, click the Apply To Folders button. This makes the view you just selected apply to all folders of the same type.

Four Fixes for June Patch Tuesday
This week brings us Patch Tuesday, and it’s a fairly light one. Microsoft is releasing only six security bulletins, but four are for critical problems (the highest possible severity rating) so it’s important that these get installed on your system ASAP if you use the products that are affected. That includes Internet Explorer, Outlook Express, Windows Mail and Visio.

Does Vista include DRM to keep me from playing or copying movies?
QUESTION: I’ve heard a lot of stuff about Vista’s digital rights management (DRM) that’s built in to keep us from being able to copy music and movie files. Is it true that Microsoft is trying to keep us from copying what we want to? I haven’t bought Vista yet, largely because of this issue. – Kim J.

ANSWER: It’s true that Vista contains copy protection technology. That technology is necessary for you to be able to play some of the new DVDs, especially HDTV and Blu-Ray movies. If Vista didn’t support the technology, those discs wouldn’t play at all, because the content owners build the protections into the discs themselves and those apply not just to Vista PCs but to DVD players and non-Windows computers. For a detailed discussion of this by Nick White, a Microsoft product manager, click here.

Network icon doesn’t update in XP
If you disconnect and then reconnect an Ethernet cable on Windows XP with Service Pack 2 (or Windows Server 2003), the network icon in the notification area (system tray) may not update to show the new status. Instead the red X indicating an unplugged cable remains. This only happens with particular network card drivers and it doesn’t affect the actual operation of the network, but if it bothers you, there’s a workaround. See KB article 899759.

Can’t remotely shut down an XP computer with screensaver active
If you find that you can’t do a remote shutdown on your Windows XP computer when the screensaver is active, it may be because a certain registry setting is disabled. There’s a hotfix; you can find out more in KB article 329142.

Can’t install some programs after restoring Vista

If you use the Windows Complete PC Backup and Restore Image option to restore a Vista computer, you might get an error message that says “the directory name is invalid” when you try to install certain programs. This happens because the Temp folder didn’t get restored. For instructions on how to fix the problem, see KB article 932142.

Until next week,

Deb Shinder

Who’s Afraid of the Big Bad Eula?

Last week’s Windows Secrets newsletter featured a story by Scott Dunn about Ed Foster’s crusade against bad End User License Agreements (EULAs). EULAs have been the bane of the existence of computer users for decades – at least, those who even bother to read them or acknowledge their existence.

The EULA has been held up as a binding legal contract between the software vendor and the end user (the person who purchases, installs and/or uses the software). However, EULAs differ from traditional contracts in several ways. Perhaps most importantly, there is (currently, at least) no formal signature proving that a specific person entered into this agreement. Although verbal contracts have long been considered valid by the courts in some circumstances, a key element of enforcing a contract is proving that the parties actually made the agreement in the first place – and without undue duress or trickery.

In almost all cases of consumer software, EULAs are “signed” by clicking a button that says “I agree.” There’s no way to prove later, however, who clicked that button, which could (or at least should) make it problematic to enforce the terms of the EULA against a specific user. At some time in the future, all computer users may be required to obtain digital signatures, which use certificates issued by certification authorities verifying a person’s identity. Digital signatures may one day be required to send email and other electronic communications, as well as to sign electronic contracts. But at the moment, software companies have no way to determine who accepted the contract.

Another difference between EULAs and contracts for, say, buying a new car, is that with traditional contracts you get to read and sign the contract before you part with your money for the product or service. Software EULAs are typically displayed for “signing” after you’ve plopped down the cash (or charged your credit card). In the case of boxed software, you do get a printed copy of the EULA but it’s inside the box; you don’t see it until after you’ve spent the dough and taken it home. In the Internet age, this problem has been ameliorated somewhat by the ability of vendors to post their EULAs on the web so you can check it out before you buy – if you have Internet access. For example, you can go to this website to find the license terms for most Microsoft products. Still, few folks read the contract before (or even after) purchasing the software.

All this wouldn’t really be an issue, if EULAs were simple agreements laying out reasonable terms of use. And some are. But most are lengthy jumbles of legal jargon that leave those few who do read them confused and frustrated. And some insert terms to which the average user would object, if he knew what he was agreeing to. For instance, many EULAs give the software company the right to collect information about your computer and have it automatically sent to the software company. Some, especially EULAs for freeware and shareware, contain clauses whereby you agree to the installation of additional software you don’t want, some of it blatant spyware or adware.

The EULA usually defines what you can do with the software; for instance, that you can only install and use it on one machine at a time. That may be reasonable to protect the software vendor from piracy, but the trouble is, EULAs are getting more and more restrictive all the time. Some EULAs now contain language that could prohibit you from installing the software on a second machine even if the original computer on which you installed it died and is no longer usable. And that’s not reasonable. That’s like saying that if I buy a very cool and expensive stereo system for my car and then I get a new car, I can’t take the stereo out and put it in the new car.

Another big gripe of computer users is that EULAs routinely disclaim all express and implied warranties. In other words, the contract you “sign” agrees that the software doesn’t have to work as advertised, or even work at all. And even if an acknowledged programming error causes you to lose important data or the use of your computer for days, the software vendor has no responsibility. In the case of buying software, the rule really is “buyer beware” and “proceed at your own risk.” In fact, with such leeway, it’s amazing that vendors make their software work as well as it does. Imagine signing a contract with an appliance vendor that says, in essence, the refrigerator you bought might or might not cool your food and if it doesn’t, not only are you not entitled to any compensation for your spoiled food but you also don’t get back the several hundred or several thousand dollars you paid for the refrigerator.

How did EULAs come about in the first place? Well, according to the 3rd Circuit federal court in a case styled Step-Saver Data Systems Inc. vs. Wyse Technology way back in 1991, software licenses (EULAs) were first developed in large part to avoid the federal copyright law first sale doctrine. The first sale doctrine is part of the U.S. copyright law that says a purchaser can transfer a legally made copy of a protected work without permission. The EULA is basically an attempt to get you to contractually waive that right.

Court cases regarding the enforceability of EULAs have been mixed since then. Some courts have found so-called shrinkwrap license agreements (those enclosed in a software package and inaccessible until after you buy the software) to be invalid. The clickable agreements have been given more weight by most courts.

When I wrote about EULAs here a few years ago, I was much less bothered by them than I am now. I find the trend to include more and more restrictions on what users can do with the software they pay for to be disturbing. Some license agreements now prohibit users from releasing or publishing information about the performance of the software. That effectively prevents reviewers such as myself from reporting to readers our experiences with a particular piece of software. I think that’s going too far.

Much as I like Vista, I don’t like the fact that its EULA gives Microsoft the right to validate your software at any time (that is, check to verify that the software has been activated and is licensed) and disable some of its features if it can’t be validated. And as a technology writer who uses virtual machines for testing and screenshots, I’m not happy about the clause that prohibits installing Vista Home Basic and Premium in VMs.

I recognize the need for EULAs, but it seems software vendors are taking advantage of the privilege. It’s the old “give ’em an inch and they’ll take a mile” problem. What do you think? Should you have to “sign” an agreement to use software? If so, what terms are reasonable and which ones aren’t? Should you be able to get a refund if you get home, read the EULA and don’t like it? (Microsoft provides for that, but some vendors don’t). Are there certain clauses that vendors should not be allowed to include in EULAs? Or am I just complaining about nothing?

Deb Shinder

Making sure what happened to Julie…doesn’t happen again

For me, the Julie Amero case was always about two things:

1. Seeing Julie go free.

2. Helping to make sure it didn’t happen to others.

(1) above is in progress. The judge has accepted the defense’s motion for a new trial and now it’s largely a waiting game.

But there are others who are in the same boat as Julie. The problem is there. And it’s not just schools. It’s in business as well.

How many people are never charged but quietly fired?

Now, a lot can be solved with education: How many of you working for corporations have been to mandatory sexual harassment training every year? But how many of you have been to a company security training? (Answer: almost nobody gets security training).

Consider it — a simple one or two hour training, with a nice video that explains the basics of security. IT departments layer on defense after defense, but because so much of the problem is social engineering, you have to teach the users. How many systems are infected because of people going to a website in a fake email? Or a bored salesman on the road, downloading some “harmless” porn on his laptop, only to have his system turn into a spam zombie, or worse — turning it into a warez server, serving child porn and pirated software? Or the administrative assistant who just wants to download some “cute screensavers”… Or the CEO who opens up an email attachment that turns out to be loaded with a targeted zero-day exploit, stealing highly sensitive confidential information?

It doesn’t even have to be something horribly nefarious. A system can be infected with a simple piece of adware which produces its own search results. Some of those search results can be bad.

You get the picture.

And since our schools have made the decision that porn is a dangerous problem (which I have no argument with), then educators all over the world are operating “dangerous” machinery — without sufficient operator education.

In law, there is a real problem: Many people involved in this field understand little about computers. Fear and ignorance combined with great power is a very dangerous thing.

So with this in mind, the small group of people who have been crusading to free Julie have started a new effort: The Julie Group. This is a group dedicated to the following objectives:

a) Help to educate people on computer security and computer forensics.

b) Do what we can to help others in a similar predicament to Julie’s.

c) Work to remove bad laws, such as the one that Julie was charged with (risk of injury to a minor, or impairing the morals of a child – Conn. Gen. Stat. § 53-21, which if you read it, is so broad that almost anyone could be charged with it).

So please join us — give us ideas, give us your comments. The Julie Group blog is at http://thejuliegroup.blogspot.com/. It’s basic for now but we’ll be fleshing it out over the next several weeks.

Alex Eckelberry

Judge requires website to spy on people

I find this pretty appalling:

On May 29, TorrentSpy – one of the web’s most famous .torrent dump sites – was told by federal judge Jacqueline Chooljian in the Central District of California that despite the site’s privacy policy, which states they will never monitor their visitors without consent, they must start creating logs detailing their users’ activities.

TorrentSpy isn’t backing down and has filed an appeal. Their attorney says that if they don’t prevail in their appeal (and let’s hope they do), they’ll likely shut off their US services rather than spy on their own users.

More here.

Alex Eckelberry
(thanks Richard)

Another massive university porn hacking spree

We’ve seen this before — tikis, wikis, etc. that have been hacked to serve porn.

For example, look at these Google results here (warning: highly offensive content).

One of the CastleCops volunteers is working on a hacked .edu site right now that’s running a c99 shell and generating porn links like crazy.

Some of the links are trying to push Contravirus, a rogue antispyware program.

Some of these links are neglected forums and guestbooks collecting spam, but I’ll wager a good percentage of the sites in the Google results are hacked.

Many links are being taken down, but here are some sample links that are live right now:

depts(dot)washington(dot)edu/archdept/cms/photogallery/1/zoo9(dot)html

www(dot)uvm(dot)edu/~astauffe/1/zoo3(dot)html

www(dot)wtc-ep(dot)edu/newsletter/template/images/7493579/96776/

Do NOT click on the links. They could be serving malware or child porn — who knows.

Alex Eckelberry
(Thanks Suzi, and credit to the good volunteers at CastleCops who are trying to put out this fire.)

For your weekend fun: Cool new technology for imaging

I don’t know if you saw the presentation on Microsoft Photosynth at the TED conference, but it’s pretty cool.

You can play with Microsoft’s Photosynth here (it really helps to see the presentation at TED before using it).

Microsoft also just announced a collaboration with the BBC on using their images as well.

Alex Eckelberry

Absolutely appalling

Amidst a sea of positive articles, KTVO TV characterizes Julie Amero as a “porn-loving” teacher. It’s outrageous. (Note — this is THEIR headline, not the Associated Press’.)

Feel free to make your feelings known to the station management:

ckellum@ktvo.com Station Manager 660-627-3333
danmagruder@ktvo.com Web Manager 660-627-3333
mspeas@ktvo.com News Director 660-627-3333
cthomas@ktvo.com Assignment Editor 660-627-3333

Alex Eckelberry

Update: A check of the site shows that the headline has been changed.

Sunbelt Weekly TechTips #47

Vista: Multiple languages can now peacefully coexist
In today’s world, you might find yourself sharing a computer with someone whose primary language is different from your own. In previous versions of Windows, changing the language was a global setting, but in Vista, you can install and select different languages on a per-user basis. When a user logs on, his or her interface will display in the selected language.

How to disable the automatic Desktop Cleanup Feature in XP
In XP, Microsoft introduced the Automatic Desktop Cleanup feature, which can remove icons that you don’t use frequently. Some of us, however, don’t want our desktops cleaned up. By default, the Desktop Cleanup wizard runs every 60 days. You can disable it by doing the following:

  1. Right click a blank space on the desktop and select Properties, or select Display from Control Panel. Either of these opens the Display Properties dialog box.
  2. Click the Desktop tab.
  3. Click the Customize Desktop button.
  4. Clear the check box labeled Run Desktop Cleanup Wizard Every 60 Days.
  5. Click OK and then OK again to close the dialog boxes.

You can still run the wizard manually by clicking the Clean Desktop Now button after steps 1 and 2.

How to use DRM-protected files after upgrading
Getting a new computer or upgrading your operating system can be a fun adventure – or a nightmare. Some folks resist upgrading because they don’t know whether they’ll have all the functionality they had before. For instance, how do you play those songs you bought from an online music store if you transfer them to a new computer or upgrade the OS?

With most digital rights management (DRM) schemes, you need to download the media usage rights (license). These are stored on your computer separately from the song file itself. Windows Media Player 11 will try to download the rights automatically. Sometimes you’ll have to sign onto the online store to get the rights. And some online stores will only let you restore your rights a limited number of times.

For more info about DRM and Windows Media Player, see the FAQ here.

Use new Office formats for better security – even with the old Office
Even if you’ve upgraded to Office 2007, you may still be using the old file formats for compatibility. But you should know that not only do the new XML-based formats (.docx, .xlsx, .pptx, etc.) have the advantage of smaller file sizes, they are also more secure. Malware authors can use the old formats to attack Office users.

With the Microsoft Office Isolated Conversion Environment (MOICE), which converts the old binary files to the new format, and the Compatibility Pack add-in that lets you open, edit and save XML-based formats in Office XP and 2003, you can benefit from the increased security of the new file formats without even installing Office 2007.

Download the Compatibility Pack here. You can find out more about MOICE and download it here.

How do I get the normal icons on the desktop in Vista?
QUESTION:
I know the intent with Vista is to have a clean desktop look, but I don’t want my desktop quite that clean. Is there a way to put the normal icons (My Computer, Recycle Bin, Documents, etc.) on the desktop without having to individually create shortcuts? – Tom W.

ANSWER: It seems that this is one of those options that’s “hidden in plain sight” in Vista. Lots of people overlook it, but all you have to do is open the Personalization dialog box (right click an empty space on the desktop and select Personalize). Right over there on the left side, in the Tasks pane, you’ll see a link labeled “Change desktop icons.” Here you can check boxes to display the Computer, Network, User’s Files, Recycle Bin and/or Control Panel on the desktop.

Unfortunately, this dialog box doesn’t give you the option to display the Internet Explorer icon, but you can easily make a shortcut to that program in the usual way, by right dragging and dropping and selecting Make Shortcut Here.

How can I turn off Clear Type in Vista?
QUESTION: Okay, I know Clear Type looks good on my laptop and on LCD monitors, but I have an old fashioned CRT and having Clear Type enabled by default makes fonts look blurry. I haven’t figured out how to turn it off – can you help? – Wayne S.

ANSWER: Turning off Clear Type is as easy as a few clicks of the mouse – if you know where to click. As in the question above, you first open the Personalize dialog box, but then it gets trickier. Click the Windows Color and Appearance option, and then at the bottom, click Open Classic Appearance Properties for More Color Options (I know that doesn’t sound like the right selection, but it is). Then in the Appearance Settings dialog box, click the Effects button. Here, under “Use the following method to smooth edges of screen fonts,” in the drop-down box select “Standard” instead of “Clear Type.” That should clear things up for you on your old CRT.

New version of Live Writer makes blogging easier
My blogging client of choice has been Windows Live Writer ever since I discovered an early beta. I’m happy to announce that it just got better, with the release of a new beta version that added several of the features I’d been wishing for – including the ability to “set and forget” publication dates for posts. You can also insert videos, emoticons and tables with one-click ease. I do a full review of the new version and tell you how to get it, on my blog post of June 3, titled “Testing New Live Writer”.

Clean up your Spreadsheets
Want your Excel spreadsheets to look more professional? Get rid of those sloppy duplicate rows, remove spaces and non-printing characters from text, fix numbers and number signs, rearrange columns and rows and more. This article, “Top Ten Ways to Clean Your Data,” shows you how to do it all.

Hardware Secrets – Revealed
What’s the best way to get more bang for your buck with the hardware you have? This article contains lots of tips for upgrades and add-ons for your computer, phone, camera, printer and other hardware devices. See “53 Hardware Secrets” from MSN Tech & Gadgets.

Create custom Out of Office replies for Outlook 2007
While many hate them, many still use them. Want to create your own customized responses for incoming email when you go on vacation (vacation? What’s that?) or a business trip or otherwise have to be away from your Internet connection for a few days? If you use Outlook 2007 on Windows XP or Vista, you can download the Outlook 2007 OoO Assistant.

Computing on your Tabletop
The big news in the computer world this past week has been the unveiling of Microsoft’s new “surface computing” device, which literally puts an interactive computer screen on your tabletop. Code named Milan and sometimes called Playtable, the new touch screen device looks pretty amazing in the demonstration video. I can see how it would be very handy for certain applications, but for my own day-to-day work, I want a keyboard. Still, this is probably the wave of the future, and when combined with speech recognition technology, will make Star Trek style computing a reality.

Apple embeds personal info in song files
If you use Apple’s iTunes, you’re probably pleased by the new iTunes Plus service that doesn’t use copy protection software. However, you should be aware that your name and email address are embedded in the song files you download, according to the Electronic Frontier Foundation (EFF). That means if you share those files on a peer-to-peer network, they can be tracked back to you. No worries if you don’t plan to share, right? Well … maybe not. If you lost your portable computer or MP3 player or it was stolen, your email address would be “out there” – something you may not want to happen. You can read more here.

You get an error message if you try to open an .exe file in XP or Windows 2000
If you attempt to start a program from an executable file with the .exe extension on a Windows XP or Windows 2000 computer and get an error message that says “Windows cannot find .exe” or something similar, this may be because your computer has become infected with the W32/Swen.A@MM worm. You can fix the problem by editing the registry. For instructions on how to do so, see KB article 8377334.

Floppy disk formats supported in XP
Does anyone still use floppy disks? Apparently quite a few people still do, even though most computers don’t even come with a floppy drive. Heck, I still have a box of floppies in the closet that contain the original files for a lot of old lesson plans and syllabi I used back when I was teaching criminal justice courses full time, even though copies were long ago transferred to CD. But if you do have a floppy drive and you try to use some of those old disks, you may have noticed that some types of floppies can’t be formatted on your XP computer. KB article 309623 provides more info on the floppy formats that are supported by XP.

Vista computer goes to sleep during Bluetooth file transfer
If you’re running Windows Vista and you try to copy a large file to or from another Vista computer, you may find that one of the systems goes to sleep during the transfer, preventing the task from completing properly. You might need to change your power management settings to prevent this from happening. For more information, see KB article 937827.

Until next week,

Deb Shinder, MVP