Saturday, July 31, 2004

Stay alert even after you switch Web browsers 

Microsoft's Internet Explorer is like the fat kid in the schoolyard. Everyone likes to make fun of it.

Just like in the schoolyard, the criticism isn't completely fair. No matter what browser you use, you still need to stay alert and keep your software up to date.

The latest example is in Mozilla, the browser I'm using right now. The most concise description I've seen is at security firm Secunia's website. The problem allows a nasty web site to change your browser's appearance. That matters because, for example, a nasty web site could put a fake padlock at the bottom right to make you think you could type in your credit card number.

You can protect yourself by simply being street smart. Stay out of bad neighborhoods on the web, or stay alert when you visit them. Don't trust a link from someone you don't trust.


Friday, July 30, 2004

Street-smart artist foils virus 

Check out this column by Wayne Rash of Infoworld magazine. Someone in the magazine's art department questioned a suspicious email attachment and prevented what would have been a lot of damage.

All the self-defense instructors teach that your first and most important defense, more decisive than pepper spray, firearms or karate, is alertness. It's just the same with computers. That art department employee had paid attention to the news and followed his hunch that something wasn't right. It's the same kind of feeling that makes us cross the street to avoid some people.


Run Windows Update now 

Microsoft just released a patch for the hideous Internet Explorer problems that allow bad guys to take over your computer.

You need this even after you switch to a different browser for web surfing. The reason is that lots of other programs use machinery from Internet Explorer and some of them are therefore vulnerable to the same attacks.

Hit the Start button, and Windows Update is one of the choices. If you've taken my advice and are not logged in as an administrator, hold down the shift key and click Windows Update with the right mouse button, then choose Run As and supply your administrator password.

Then just follow the instructions from Windows Update.

You need this. Even if you only visit reputable web sites, bad guys have been known to take over reputable web sites and change them to take advantage of Internet Explorer's problems.


Thursday, July 29, 2004

Electronic voting machines not even reliable yet 

An article about e-voting machines appeared in industry publication Computerworld. It turns out that we're not getting the promised advantages yet because there are still too many bugs.

Let me be a paranoid security type for a moment. Suppose the voting machines are certified "secure", but are (for example) a little bit fragile and need repair after a power surge. There are neighborhoods where the voters predictably choose one party. Imagine someone walking into the building where the polls are, and plugging in a machine that puts surges on the power line (lots of normal ones do). Poof! No votes come in from that precinct and it looks like an accident. Do that in a few well-chosen neighborhoods and you could swing a close election.

You're a citizen, not a "consumer". Pound on your state officials and demand backup paper voting in case the computers don't work. It's more than your right, it's your duty.


Wednesday, July 28, 2004

Could you spot a fake email asking for your Visa #? 

It turns out that a lot of people can't. The fraudulent "phishing" email have been getting slicker and more convincing.

There's a nifty online quiz now that you can take to see how street-smart you are. It has real-life emails, some for real and some which are scams, and you get to guess which is which.

The bottom line is to treat email like a phone call. Don't give out anything confidential unless you placed the call or started the transaction. If your browser is Internet Explorer, don't follow unexpected links either.


Monday, July 26, 2004

Did you know your ISP can legally read your email? 

They can even do automated snooping to gain a business advantage, according to a recent court decision.

Four Congressmen have introduced legislation to fix this. Two Democrats and two Republicans want to make it explicit that monitoring email is just like tapping a phone.

Should you rush to the phone and call your Congressperson? The new law would make it possible to provide justice for some outrages but of course it won't make email secure. It's easy to snoop, hard to get caught, and if you need privacy you need to encrypt your email anyway.


Do you ever read those "privacy policies" online? 

Didn't think so.

If the appeals courts agree with a recent court case, those "policies" may be meaningless.

SecurityFocus columnist Mark Rasch analyzes what the judge said while ruling in favor of Northwest Airlines in a suit about Northwest giving passenger information to the government.

The judge said that the privacy policies aren't a binding contract and that it was just fine for Northwest to inform on all its passengers.

Before you start yawning, ask yourself a couple of questions. Is there enough credit-card information in the airline records to allow identity theft? How sure are you that every single person the government hires is honest and will stay honest?


Watch out for "failed mail" notices 

The latest piece of nastiness is yet another password-protected attachment. It may show up in any of several forms. That link unfortunately starts with technical material and postpones the information for end users. Skip to the bottom: it tells you what to look for.

This one is spreading fast and hard, and caused a Google outage because it looks there for email addresses to victimize, and created so much traffic that even Google couldn't keep up.

Tiptoe around your company's IT people for the next few days. They're probably hitting the ceiling in frustration at all the people who are spreading this infection, in spite of zillions of warnings. You can avoid this one with just regular common sense. The old saying "Fool me twice, shame on me" tells you what to do when something comes in that looks exactly like a virus from last January. By now the IT staff probably believe that all "users" are morons sent to torment them for sins in a past life. Now is not a good time to ask for a favor.

Do update your antivirus software and don't open anything it warns you about. For Pete's sake don't turn off the antivirus software so you can open a file.


Friday, July 23, 2004

What to tell your kids about using the Internet 

I approve of this list of rules from


Thursday, July 22, 2004

Is the Mac really more secure? 

Mac users like to say they don't get viruses. Sometimes they say it's because the Mac system software is designed better.

SecurityFocus columnist Daniel Hanson disagrees. Is he right? Is the Mac not inherently secure?

The answer is that it's the wrong question. You'd ignore anybody who said they had a perfectly safe car. Be just as skeptical when people talk about secure computer systems. Whether your car crashes depends on whether you stay alert, keep the tires and brakes working, and drive in low-risk areas. Your computer's security depends on your thinking twice before installing software, keeping your firewall working, and staying out of questionable neighborhoods on the web.

The Macintosh world dodged a bullet recently with a serious security hole. It was as bad as anything in Windows but didn't lead to a massive virus outbreak. Microsoft defenders gloat that the only reason Mac users live in peace is that virus writers don't target the Mac.

"I'll take that", says a friend (may I quote you, Steve?). You'll get a better experience even if the Mac critics are right. To you the end user it doesn't make a difference whether a Mac is "inherently secure". Either way you'll still need to be careful and you'll still be safer than on Windows. Using Windows on the Internet today is like driving a red Corvette past the police station -- it makes you a target.


Wednesday, July 21, 2004

Things that may break in XP Service Pack 2 

Microsoft is making some fundamental changes that delight security experts and dismay software companies used to the old Windows.

You may see some things suddenly stop working when (please, please, not "if". Just do it) you upgrade to Service Pack 2. Don't panic. There will almost certainly be a fix already available from the affected vendor's web site.

You'll need an update to your Norton Antivirus software. The maker, Symantec, is bracing for the onslaught of phone calls. You probably won't need to call if you can upgrade over the web.

Games and conferencing software are especially at risk.

Be ready to see more warnings pop up about what software is doing on your machine. If you can't figure out what to do, check the software vendor's web site first for advice.

And know that it's very worthwhile. Wired News quotes security expert Russ Cooper about Service Pack 2: " "I hope it breaks more things than it's already broken ". Microsoft is biting the bullet and fixing things even at the expense of temporary problems. This is good.


Tuesday, July 20, 2004

There's another side of the e-voting issue 

Everything is all right, according to the Information Technology Industry Association. They say that the security researchers and professors who want better quality in voting machines are engaging in a "religious war" and that 77% of the voters they surveyed like the idea of computerized voting machines.

What can a non-expert think, when computer people don't agree?

The first thing to notice is that the ITAA is getting distracted by a small part of the problem. One issue is whether we the people will be able to look at the computer programs that count our votes (and that we paid for). That issue is what the ITAA means when they talk about "open source" versus "closed source". Open source or closed, a system can be usefully secure if enough trained people review it and if it offers ways to check its results.

Auditing features are completely missing or inadequate on today's e-voting systems. That's right -- there's no way to check whether they made an error. How do you do a recount if there's no paper to count?

The second thing to notice is that critics of first-generation e-voting machines come from all over. Gadfly Bev Harris, for example, didn't come from the "open source movement".

There's an old saying in business, "you can expect what you inspect". Apply that wisdom to voting machines. Demand independent certification. Voting is too important to accept a vendor saying "trust me".


Saturday, July 17, 2004


I just got spam offering to check my computer for spyware
infections! I'm supposed to visit their web site and they'll scan
my computer for spyware.

I'd like to be a good investigative journalist and visit the web site
to see what they're actually doing, but I'm not willing to risk it.

The conventional wisdom is "If it's spam, it's a scam". Here a stranger is offering to run software on your computer. Are you going to take candy from this stranger?


Thursday, July 15, 2004

Can you trust computer programmers? 

Usually. Usually they're in a hurry and motivated to do as good a job as they can and meet an impossible schedule.

But sometimes they play games and sometimes that costs money. This article
describes allegations that some gambling machines had hidden features
in their programming that would allow people in the know to make them
pay out on command. Ick.

Stop and think about that. Those are machines that the casinos buy and
inspect, and those machines have a back door that costs the casinos
real money. The casinos couldn't stop that from happening.

Electronic voting machines are going to need a lot of scrutiny before
we can trust them. There's big money in stealing an election, more than
you could make by ripping off gambling machines.


Good news from Microsoft 

Their upcoming security upgrade for Windows XP, known as Service Pack 2
or "SP2", will be available on CD to customers who take the trouble to
ask. If you have dialup Internet access, be sure to ask for the CD when
it comes out (scheduled for August now). If you have a cable modem or
DSL then downloading it might make sense.

The CD is good news because major updates take forever to download over a regular modem.


It's time to run Windows Update again 

The second Tuesday of the month has rolled around and Microsoft has
released another pile of critically important software updated. There
were half a dozen for my system.

Hit the Start menu, run Windows Update. Do it soon -- bad guys look at
the fixes to figure out what the problems were so they can write new
attacks (assuming they didn't know about the problems already).


Monday, July 12, 2004

New Windows machine? Do this first. 

You see, it's not exactly a new machine. It may have been months since the operating system got installed, depending on how long the computer has been on a shelf. That's long enough for new security problems to be discovered. Your brand new machine probably needs security updates.

Which you'd get from the Internet, but it's not safe to connect to the Internet without first doing the security updates.

Fortunately, there's a detailed, step by step guide to surviving the first day with a Windows XP computer. Check it out.


Would you like to see a review of competing web browsers? 

PC Magazine just ran a review of FireFox and another browser called Opera. Boiling it down to a sentence, Firefox is the simple one and Opera is the one loaded with useful features.

Either one will improve your life from a security and privacy point of view.


Friday, July 09, 2004

Another way to fool you into clicking attachments 

There's a worm making the rounds with a cute trick. When it infects a victim's computer, it looks through the victim's email and replies to all of it (including, of course, a copy of itself as an attachment).

Then, all the people who receive the email get a safe-looking reply to something they sent.

Your defense is to ask yourself whether you're expecting an attachment from whoever the mail came from.


Thursday, July 08, 2004

Security hole in Firefox or Mozilla on Windows XP 

I'd been meaning to write a column about how you need to be alert no matter what software you're running. Events beat me to it.

Remember "Firefox", the high-quality web browser I recommended? There's a security problem, if you're running on Windows. The problem allows a web site to start any program that's already on your computer. Could be worse, but you definitely need to install the fix, which is already out. If you copy and paste the address into your browser you get to the right place without having to trust me. Click on the words "Install Now" next to the picture of a folder. You'll see a dialog box asking for permission to install "shellblock.xpi". It's safe to say "install": the people are good guys, they're in control of their web site, and technical people have checked that the fix does the right thing. (You should almost always say "cancel" to dialogs like that unless it's something you need from someone you have a reason to trust).

Then close and restart Firefox.
You have to do that for the patch to "take".

So how did this happen, and why does it only happen on Windows? That's the amusing part. When the Firefox web browser sees something it doesn't understand in the first part of a Web address, it passes the buck to the computer's operating system. If you're running Windows, Windows goes off and Does Stuff that you wouldn't expect. Engineers have been arguing furiously about whose fault the problem is. Meantime everyone agrees users should just install the fix.


Electronic voting machines - what's the fuss about? 

It sounds like a great idea. You vote on a touch-screen terminal, there's no room for confusion or hanging chads, and the systems can be programed for use by disabled people.

So why are people protesting the idea? Are they just paranoid?

No. The more expertise someone has in computer security, the more alarmed they get about the current generation of electronic voting machines. The vendors have been making silly mistakes and refusing to let outside experts look at how their machines work. I do mean silly mistakes. Security experts have dropped their jaws and wondered "WHAT were they THINKING?". If you think problems are unlikely, remember that a virus got into cash machines at Bank of America.

What's the answer? Should we voters insist on getting paper receipts when we vote, like some of the activists suggest?

Paper receipts aren't enough. Building a secure system is like keeping yourself healthy -- no one single thing will do it, you have to get a bunch of things right. Get one security detail wrong, and it ruins the security like smoking ruins your health.

We'd get the best of both worlds if you voted on a computer and it printed out an old-style paper ballot. Then the computer could help you understand the ballot, but we'd have paper available for recounts.

What we need to do is put the heat on our government officials. Let them know we care about whether they do electronic voting right. Check the blue pages of your phone book for your state representatives and the "secretary of state", who supervises elections. Call them. Insist that independent security experts review and approve the electronic systems. Insist on a system that can be audited: banks accept nothing less and banks are only handling money, not our democracy.

"The condition upon which God hath given liberty to man is eternal vigilance;" John Philpot Curran, 1790


Tuesday, July 06, 2004

Appearing soon in spam near you! 

Denver Post writer Jack Cox dug up a story about the newest trend in spam. It's about a new way for spam to get around your spam-blocking filters.

Ever wondered how spam filters work? The best ones calculate how much a message sounds like your usual wanted email and how much it sounds like spam.

Spammers have tried all sorts of sleazy tricks to fool the filters. (Hey, spammers, get a clue -- why pitch your product to people who hate you so much that they're filtering out your email?!). The latest one is to send their scam along with a joke.

This newest attack on our mailboxes works because so many people exchange jokes in email, so the spam sounds like a real message as far as the spam filter can tell.

So you're going to get more spam in your mailbox, until someone invents a way to stop it. Then the spammers will come up with something new and the arms race will continue.

What can you do? Nothing.


Can you trust Caller ID? 


Surprised? Enthusiasts, pranksters and worse types have known tricks for years to make false information appear on caller ID.

New technology, as usual, makes things worse. More and more work that used to happen in the phone company's computers is happening at customer sites now. Costs are going down, features are getting better, it's like the PC revolution all over again, but the side effect is that security goes down a little.

You may yawn at the idea that your caller ID display might have the wrong name on it someday. But there's a worse problem. If you've blocked your number from appearing on someone else's caller ID, that may not work any more.

If you're being stalked by a technically sophisticated person, I'd suggest screening calls with your answering machine instead of picking up the phone when you see a trusted name on caller ID. (If you get a harassing call, *57 should still work).

If you run a shelter for battered women, make sure that your address will stay secret even if the unpublished number leaks out.

And if you're the type who likes details, check out Kevin Poulsen's article on SecurityFocus.


Monday, July 05, 2004

What to expect from XP Service Pack 2 

Some journalists actually do the work of running a product and think about what they're seeing. Scot Finnie is one of them. He recently reviewed an almost-but-not-quite-done version of Microsoft's next big patch for Windows XP. He aimed the review at corporate users, though, so I'll talk about what you'll see as a home or small business user.

Things you will notice

Some web sites you use may work strangely or not at all. This is good. In plain English, Microsoft changed Internet Explorer to make it less trusting. Web sites you visit will have less control over your computer. Most web sites should keep working just fine. A few fancy ones may break. The operators of those web sites ought to fix them.

Your computer may surprise you with how long it takes to shut down. When that happens it's probably not a bug. Windows may seize the opportunity to download new security fixes.

Downloads may go faster for security updates.

Your computer will start nagging you if your firewall or antivirus software is outdated.

IT people at your company will complain about SP2 and call it names. They'll have reasons but none will be relevant to you. Go ahead and install SP2 at home.

Things you won't notice that are important

The firewall is better and it's on all the time. It's your friend so you may want to get acquainted with it. Once you install Service Pack 2, look around the Firewall Control Panel without changing anything to give yourself an idea of what it can do.

You may not notice that there's a new thing in the Internet Control Panel called "Add-On Manager". It lets you turn on and turn off extra programs that web sites add on to Internet Explorer. I recommend leaving the settings there unchanged unless someone you have reason to trust says otherwise.

The new version of Internet Explorer blocks popup ads, just like Firefox already does.

Spyware will still get through. It may need to trick you into installing software by hand, instead of taking over automatically. SP2 closes some holes through which bad people were installing spyware if you only visited their site. That got called "driveby downloading".


Saturday, July 03, 2004

Microsoft's latest patch may not be a complete answer 

Yesterday Microsoft put out a change to Windows to stop the latest round of bad guys taking over home computers.

The change simply turns off a feature most people don't use but which was very handy for bad guys installing malicious software on your machine.

Security experts are still arguing but they think they've already found a way for bad guys to do the same damage even if you've installed Microsoft's latest change.

The best answer for most people right now is to use a browser that's less promiscuous about running programs from strangers. I've recommended the free download of Firefox, but if you have a slow connection you might prefer the CD. The name on the CD is "Mozilla", which is the name of a project that also includes an email program and a chat program. The CD by itself is about $6, or you can get it with a manual (you really don't need one) for $26.


Friday, July 02, 2004

Microsoft has a fix that will help Internet Explorer 

Run Windows Update today. They've disabled an Internet Explorer feature that bad guys use to write bad things on your hard disk.

The feature has legitimate uses, but not many, and security nerds have been warning Microsoft about its dangers since last year.

The change you get today from Windows Update would have kept you safe against the recent notorious attacks.

I still recommend using another browser.


Thursday, July 01, 2004

Here's another take on the advice I keep giving 

Paul Boutin writes about how to improve your computer security in 20 minutes. I disagree about Internet Explorer settings (I recommend making them stricter than the default), but it's a good article.


What kind of people try to get into other people's computers? 

I've never seen a better short article about the motivations of computer trespassers than this one by Sean McKibbon.

He's describing the old school, though, people who are passionate about understanding computers. An old-school "hacker", if born 40 years ago, would have been a hot-rodder.

Today there's money in computer crime. I suspect that organized crime is getting involved, especially since so many attacks seem to be based in Russia. If I'm right, a nastier breed of intruders will be attacking us over the next few years.


Are you confused about electronic voting? 

Are you wondering what the controversy is about, and whether the activists are being alarmist?

A team of experts recommends much better review of the inner workings of voting machines.


This page is powered by Blogger. Isn't yours?