Friday, December 31, 2004

I guess I'm supposed to do an end-of-year wrapup? 

All right. Grumble.

Organized crime seemed to be moving into computer crime increasingly in 2004. I haven't seen solid proof of this yet but there's not much room for doubt. Some of the phishing scams sent money to Russia. Maybe, just maybe, somebody started those without paying protection to the Russian mafia. You can bet they are now.

The other big trend is Microsoft's continuing transformation. They created their products in a vanished world that needed flexibility above all. Today their products face the rough-and-tumble of the Internet. Microsoft is like a professional gymnast trying out for pro football. Microsoft succeeded with their web server product, Internet Information Server 6, which security experts describe using a security geek's term of ultimate respect, "boring". XP Service Pack 2 was good work -- install it if you haven't already. But use Firefox to surf the web.


Wednesday, December 29, 2004

Another blog is collecting simple security tips 

The Financial Cryptography blog is usually technical but writer Ian Griggs has started a collection of security tips for non-technical people. So far he's got sound advice ranging from free and easy (install Firefox) to expensive (buy a Mac).

Financial Cryptography laments "I feel the lack of any good tip for phishing; there just isn't a good way to deal with that yet". I'll repeat my advice: do what you already know to do for phone calls. Keep secrets to yourself unless you're the one who placed the call or started the transaction. If someone called out of the blue and asked for your online banking password you'd hang up on them. Do the same for email.


Monday, December 27, 2004

"But don't I have to click on attachments?" 

When a chemical plant blows up or a worker is mangled by machinery, an honest investigator usually finds the same kind of problem. People were doing dangerous things before the accident because they had to. They were rewarded for getting their job done by cutting corners on safety, punished for not getting their jobs done when they tried to go by the book, and kept getting away with the dangerous procedure. Without meaning to, management was training the workers to be unsafe.

What's that got to do with email attachments?

It's the same problem. Your boss sends you documents and spreadsheets attached to email. You have to open them to do your job. Most of the time nothing bad happens. You read security people saying you shouldn't open attachments, shrug, and figure they must live in a different world. Then one day a virus comes in, you launch it by clicking an attachment, and boom. You've been accidentally trained to do something dangerous.

I'd been thinking along these lines ever since I started reading about industrial safety engineering. Today there was an article about user education in a more technical security blog which reminded me I should write about the lessons the chemical industry can teach you about computer security.

If you're the boss you can train your people to be safe. Put documents in a shared folder and send email telling where to find it. Then your people won't have to get in the habit of opening attachments automatically. But the real solutions have to come from software makers.

For one thing they should make it a lot easier to tell where email really comes from. For another they need to limit how much damage a simple attachment can cause.


How does the government protect classified information? 

Leave out the expensive technology that protects against people like James Bond, and you find two techniques to learn from the government that anyone can use.

Disconnect from the Internet

You can't do that with your entire company, but keep that idea in mind as you buy systems. Do your cash registers really need an Internet connection?

Eliminate desktop data storage

You need a reliable network to make this work, but security administration gets a lot easier if everybody's documents live on central file servers instead of on their local hard disks. You can back servers up more easily than desktops to protect against fires and hurricanes, and you can even set them to refuse to talk to any PC that doesn't have up-to-date antivirus software.


Sunday, December 26, 2004

Very detailed anti-spyware news and reviews 

The hard-working and highly respected Eric Howes has a comprehensive anti-spyware program feature comparison and results from his anti-spyware product testing. Cutting to the bottom line, he recommends Spybot Search&Destroy, Ad-aware, Pest Patrol, Webroot Spy Sweeper, and Microsoft's new acquisition, Giant Anti-spyware. Giant should be available again under a Microsoft label in about a month.


Saturday, December 25, 2004

Yet another holiday Windows vulnerability. SP2 is affected. 

UPDATE 12/28/2004:
The bad news is that bad guys are already exploiting the browser vulnerability. The good news is that the attack is not spreading fast, and there are already antivirus updates to protect you.

UPDATE 12/28/2004:
Another workaround is to go to Internet Explorer's Tools/Internet Options menu, click the Security tab, click the Internet Zone icon, and change the security setting to High. Unforutnately, doing this may stop some web sites from working the way you expect.

UPDATE 12/27/2004:
Nobody's sure yet but it seems that running from a non-Administrator account may protect you, as might some popup blockers.

This is different from the set of vulnerabilites I reported earlier. Some people have found an attack which would allow them to take over your computer if you use Microsoft Internet Explorer (the blue "E" icon) to visit a web page that uses the attack. Even XP Service Pack 2 is vulnerable.

You can't just stay away from bad web pages any more, because bad guys have figured out that they can put hostile code into banner ads. Any web site that has flashy ads might be dangerous these days.

Someday the antivirus vendors will start checking for this attack. Once they do your antivirus software will protect you.

Meantime any of the following will protect you:

Paul from Greyhats
Michael Evanchik
Http equiv


Medal of Cluefulness for US Bancorp 

Passwords are a terrible way to log in.

Imagine if your front door had a password instead of a key. You couldn't just ask the housesitter to hand the key back; you'd have to change the password instead. Anyone could plant a tape recorder in the bushes, steal your password and clean out your house.

Phishing scams only work because passwords are so lame.

Better technology has been around for years but only a few places are using it. AOL recently offered subscribers a keychain-sized gadget that makes a new six-digit password every minute. A bad guy who steals that number can't do anything with it. Other gadgets prove they're authorized by decoding a coded message from the system you're logging into.

US Bancorp is offering its customers small devices that plug into their computers's USB ports and grant access to online banking. They still use a regular password, but it's only a backstop to protect you in case the USB device ("token") gets stolen.

US Bancorp is doing the right thing! They're giving their customers state-of-the-art security against very real threats. Everyone should be doing the same: it's as basic and necessary as security paper in checkbooks.

I can think of a way for bad guys to get around that kind of security but it would be complicated and increae the risk of getting caught.

US Bancorp is the first recipient of the Security Mentor Medal of Cluefulness.


Friday, December 24, 2004

Three new Windows vulnerabilities while everyone's on vacation 

The bad news is that they're serious, Microsoft hasn't patched them yet, and the people who discovered them published "demonstration" programs to show exactly how to take over a Windows machine. Bad guys will start exploiting these problems quickly.

The good news is that two of the three have no effect on a Windows XP Service Pack 2 system. XP SP2 is only vulnerable to the fourth attack, which involves a booby-trapped help file. Don't open .HLP files from strangers until Microsoft releases a fix. The other good news is that all the news reports about "four" vulnerabilities are wrong. The discoverer listed the same thing twice on their web page.

If you're on an older Windows installation, you'll have a harder time avoiding the problems. One of them crashes your computer if you look at an animated cursor the attacker created. A more serious one can take over your computer if you look at a web page or email containing an icon, cursor, or bitmap image created by the attacker.

The only defense I can think of is to check your email and surf the web from an account that isn't an Administrator and which doesn't contain any important data. My recommended solution is to turn off your computer and enjoy the holidays.


Thursday, December 23, 2004

Do people go to you for computer advice? 

Are you a Micro CTO?

Do you pick out computers for your church/synagogue/Republicrat precinct? Are you the one who has to plan or troubleshoot computer and network infrastructure for a small business?

Then you're doing the job of a Chief Technology Officer without the staff or the budget.

There's a new weblog just for you, called Micro CTO. It offers field-proven practical advice and points out resources you'd have trouble finding anywhere else.

Disclosure section

You should always check whether your security consultant has conflicts of interest.

I don't get any money from the operation of the Micro CTO blog. The author is a friend who occasionally buys me coffee. I may get a three-figure consulting contract from him next year.


Wednesday, December 22, 2004

Can you replace Windows with Linux? 

A company called Xandros sells a Linux package designed to appeal to Windows users. You can get it pre-installed on a $200 Wal-Mart PC.

Small Business Computing took a look at Xandros in their buyer's guide to Linux for small business, and PC magazine praised an older version in their Xandros review. For your technical friends/advisers, here's a propellerhead's review of Xandros Linux as a Windows replacement. Xandros meets one of your most important needs by including a program called Crossover Office that lets you run Word, Excel and so on as if they were still on Windows (but that's only in the Deluxe edition which costs around $100).

Crossover Office is important because OpenOffice, the free Office replacement, isn't completely ready to take over from Microsoft. It didn't even have a databae to compete with Access until recently, and compatibility with Microsoft Office documents is a gamble.

Linux might interest you because very few viruses target it and the engineering behind it is solid. A recent Stanford study of Linux bugs from Wired magazine discovered that Linux has many fewer bugs per thousand lines of programming instructions than most commmercial software does. And most of the bugs the Stanford researchers found are already fixed.

There's an IBM guide to converting to Linux, which they wrote for big-company planners. It has some ideas that a micro-CTO could use; try skimming it and picking out just the good parts.


Tuesday, December 21, 2004

Another headline that's not as bad as it sounds 

"Are Security Vendors Tricking XP SP2?", says the headline in PC World's story about XP Service Pack 2 reporting antivirus update status.

Well, not exactly, and it's only an issue when you first install the antivirus software.

Here's the deal. Windows XP SP2, commendably, tries to tell you if your antivirus software needs an update. Virus writers are busy people and release new viruses every day. Antivirus software needs a constantly updated list of known viruses so it can recognize them. A package of antivirus software on a store shelf isn't getting updated, so of course you need to fetch an update first thing after you install it.

That's where the problem comes in. A couple of antivirus vendors decided to make installing their products hassle-free by telling Windows they are up to date even before fetching the first round of updates. It's kind of like writing a check the day before your paycheck arrives.

Can this hurt you? It's hard to see how. The antivirus software still knows that it should update itself. It'll still call home for updates first chance it gets. OK, maybe if your network connection is down so you can't get the updates, and someone hands you a virus on a floppy...

Is fooling Windows a bad idea? I think so. It's good to understand that antivirus software needs updates starting the moment you install it. When antivirus makers suppress the Windows security warning they're hiding information and interfering with understanding. Besides, it just feels wrong. How many industrial accidents have started with someone turning off an alarm because they just knew it was unnecessary?

What does this mean for you? It means don't panic if you install antivirus software and Windows pops up a security warning. That just means everything is working and your antivirus supplier is doing everything right.


Monday, December 20, 2004

Are you running Google's Desktop Search? 

If so, click on their icon now and choose About. If the version number is 121004 or higher then there's nothing you need to do.

If it's lower thyan 121004, you need to protect yourself against a recently discovered security flaw in Google Desktop Search. It's easy. Just change the preferences for Google Desktop Search to turn off "Show Desktop Search results on Google Web Search result pages". You can turn it back on again when you get the automatic update from Google that brings you up to (or past) version 121004.

This one was a real problem, not like the previous silly reports of "Oh no! Google Desktop Search found one of my files!". It would have allowed bad guys to find out names of files on your machine and little bits of their contents. It looks like the good guys found out about this first, but now that the problem's been publicized someone will probably try exploiting it before all the fixes are in place.


"I haven't experienced a virus in about a year " 

That's what one small businessman said after switching from Microsoft Windows to the free Linux operating system. His story is in an Ottawa Business Journal article about Linux conversions. The article has some balanced quotes ("Is not! Is too!") from experts about whether switching is a good idea.

Personnel costs will decide the issue in real life. Which can you get more cheaply: the man-hours to harden a Windows system, keep up with the frequent updates, and clear out the spyware, or the man-hours (fewer but more expensive) to fix surprises from Linux?

Nobody really knows which is cheaper. There are studies that "prove" that the cheapest solution comes from whoever paid for the study.


Sunday, December 19, 2004

If you don't believe me about Firefox, check the NY Times 

There's an article which compares Firefox to Internet Explorer, pointing out the security benefits in particular.


I take it back 

Remember when I said that you could protect yourself from a lot of spyware and other vicious stuff by staying out of the "bad neighborhoods" on the Web?

Even that doesn't work any more.

There's a news site for geeks called "Slashdot" (the name is funny if you have a geek sense of humor) where I get a lot of my news. A user there who calls himself "Hamster Lover" and who probably knows how to protect himself online wrote (with real words in place of the dashes):

I am in much the same situation as yourself, fully patched, running Ad Aware and Spybot regularly with Javascript OFF.

I was researching information on the Roman Empire and was directed by Google to a great web site. About five minutes in I notice a small pop up window that when maximized displayed a blank window. The router, modem and network lights start to blink and the hard drive begins to churn. Ugh, I realize I am the victim of drive by spyware installation on of all things a web site on Ancient Rome. If I can't protect myself given all the above safeguards, how the hell is the average person going to?

It took an hour or two of work with Ad Aware, Spybot and Hijackthis to remove the five or six pieces of spyware s--- that installed from an innocuous web site. I am well and truly tired of this bulls---, Firefox here I come...

As of today, there is to the best of my knowledge no way to use Internet Explorer safely on the Web at large.


Saturday, December 18, 2004

Spyware news: spyware pushers offer deals to anti-spyware firms 

Karl Bode reports in a article about spyware that some companies whose products get removed by anti-spyware have been trying to improve their image and get off the anti-spyware software's removal list.

Have they done this by clearly informing users about what's getting installed? Have they made their software straightforward to uninstall? Have they stopped using security holes to break into people's computers? No, according to Bode they've been offering money or ad exposure to the anti-spyware companies.

What's next, virus writers offering "co-marketing deals" to anti-virus software vendors?


Friday, December 17, 2004

You need this separate update for XP Service Pack 2 

Microsoft has a critically important update which wasn't part of the monthly update package last Tuesday.

Microsoft released the update to fix a problem with XP's firewall settings. When the firewall starts up, it's set to reject all incoming traffic (safe) except for file and print sharing requests from your local network (functional).

The problem is that the firewall would sometimes make a mistake about the size of your local network. Sometimes it decides that the entire Internet is your local network and it lets your files get shared by the world.

See Microsoft's description of the firewall security issue and pointer to the patch.


Free firewall on a computer you get paid to haul away 

Firewalls aren't magic. Those little boxes contain small computers running software that looks at the network traffic and decides what to let through.

You could run software like that on a regular personal computer. For a small network a firewall doesn't need much computing power. A computer from the early 90's can do the job just fine. Charities won't even accept computers that old any more. Their price is literally less than zero.

A free software package called Smoothwall Express, and another called IPCop, let you turn that computer into a firewall capable of protecting hundreds of computers, with extra features like VPN access, web content filtering and so on. The result looks competitive with thousand-dollar products from companies like Checkpoint. Near as I can tell, the only thing they're missing is support for central administration. You can even get commercial support if you get a paid version of Smoothwall.

Here's a review of Smoothwall Express if you're interested.

Does either product make sense for you? I'd say, only if you're a mid-sized organization with normal security needs. If you have a small network, you'll spend more on the electricity to run a PC than you would on a firewall appliance from Circuit City.


Thursday, December 16, 2004

Followup on Microsoft's 12/14 patches 

Running Windows Update to get Microsoft's patches from Tuesday will protect you against some real-world problems. Bad guys are using some of those security holes today.

However, if you run Windows 2000 you'll still be open to a security hole discovered by eEye, a security firm. I can't tell you how to protect yourself because eEye is keeping the details secret while Microsoft works on a fix. It's been four and a half months so far.


Wednesday, December 15, 2004

A quick way to check your firewall 

If you get a free account on, you can go to and have them run a test where they do the electronic equivalent of twisting all the doorknobs to see if they're locked. Don't try this from your work computer without permission.

There's another site that does the same job, They seem eager to sell things. Their spyware removal section made me nervous: it's a list of advertised free products. Unless the owner of is very careful about who advertises there, there's a risk of one of the crooked phony "antispyware" companies showing up in the results. may show you your "internal IP address", which your firewall should normally hide. They suggest getting their "patch management software" to fix this. I simply changed my browser preferences to stop running Java applets and that took care of it.

In any case, take the results with a grain of salt: there are several ways for this kind of online scanner to come up with wrong answers.


Tuesday, December 14, 2004

Get today's Microsoft updates 

They're important. If you're curious about what they fix, there's a good table of what's changed in what version at firewall vendor Watchguard, but get the updates.


Does Firefox risk your security? Geeks vs. suits. 

Normally I'd take the side of geeks. I'm one myself, a former Microsoft programmer and so on. But I ran into something that reminds me, your business's geeks can be wrong sometimes.

A leaked memo from an unnamed IT manager said the shop would standardize on Microsoft's Internet Explorer web browser instead of Firefox because "FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.".

So what?

First question is, "what does that mean?" What the guy's saying is that when Firefox keeps things around in case they're needed later (every browser does), it's not cleaning up afterward and it's saving things it should know are confidential. The real-world impact is that if a machine gets stolen, there's one more place the thief could look for confidential material.

Internet Explorer's continuing and severe security problems dwarf the issue of whether there are copies of Web pages on disk. "Look at the big picture" actually means something in this case. Security is a game of tradeoffs and deciding where you want to take risks. Geeks can get tunnel vision. If you have solid information, say from a security consultant like me, you may sometimes be safe in overruling your company geeks.

The bottom line

That IT manager is flat wrong besides lacking perspective. Firefox doesn't save encrypted pages (technically oriented link for your geek employees). Firefox has knobs you can turn to prevent anything from being saved on disk between sessions.

How can you tell if your IT manager is giving you good information? Check whether s/he is telling you the real tradeoffs to a Firefox migration:


Monday, December 13, 2004

Here's another, really good, "twelve commandments" list 

This one is from my favorite security writer, Bruce Schneier. What makes this good is that it's tailored to today's threats, recommends good practices that will prevent many kinds of attacks, and doesn't pull any punches about insecure products.

I compared what Schneier wrote to the questions I hear from normal computer users, and realized it couldn't hurt to put a glossary in front of his article.

Bruce Schneier's 2004 recommendations for safe personal computing

I've got one disagreement, and one quibble. The quibble is that when he says to use an anti-spyware program, he really ought to say "use two". No one anti-spyware program catches everything.

I disagree with Schneier when he recommends deleting the files "" and "cmd.exe". If you're paranoid, rename them so that unwanted programs can't find them, but keep them around for system administration.


Another IT professional, Gordon Luky, has an article in his blog disagreeing with more of Schneier's advice. Here's how I'd reconcile Luky's and Schneier's advice:

Only uninstall programs (Start/Settings/Control Panel/Add-Remove Programs) or delete data files if you put them there and you're sure you don't need them any more.
Check whether your shredder is designed to cut up CD-Rs before you try it (if you paid less than $100 it probably isn't).


Sunday, December 12, 2004

Tuesday is coming, bringing Microsoft security patches 

If you run any of the modern flavors of Windows, from Windows 2000 to XP Service Pack 2, this will affect you. There's no word yet on what's being fixed, but we can hope there's a fix to a Windows 2000 security problem that research firm eEye found about four months ago.

As usual, go to the Start menu on Tuesday and click Windows Update.


Saturday, December 11, 2004

Another "Ten Commandments" list 

This set of security tips for small business is reasonable. It may be going overboard in recommending quarterly audits. They also should have covered information disposal: shredders are a necessity these days and you should have a plan for getting hard disks really erased when you toss out obsolete computers.


Here's a "twelve commandments" list 

Visa has started ordering card processors to comply with their Cardholder Information Security Program. It's mostly common sense, and their summary gives you a good place to start whatever your business.

They require, on pain of fines that can reach six figures, that card handlers must:
# Install and maintain a working firewall to protect data.
# Keep security patches up-to-date.
# Protect stored data.
# Encrypt data sent across public networks.
# Use and regularly update anti-virus software.
# Restrict access according to “need to know” basis.
# Assign unique ID to each person with computer access.
# Don't use vendor-supplied defaults for passwords and security parameters.
# Track all access to data by unique ID.
# Regularly test security systems and processes.
# Implement and maintain an information security policy.
# Restrict physical access to data.


Friday, December 10, 2004

Cheaper/better security for corporate WiFi? 

If your eyes start glazing over when you read about securing your small company's wireless network with "802.1x" and "RADIUS" versus "WSA PSK", you're not alone. But there's hope for making security manageable by normal people, according to an article in Glenn Fleishmann's WiFi newsletter.

The solution is called LucidLink, and it comes from a company called Interlink. What they do is start with the highest-security option for a WiFi network and then write software that does what you need (like authorizing temporary employees) instead of forcing you to become a security consultant just to set up your network.

Their product is for Windows-only networks, at least for now. Their starting price is $449 to allow 10 simultaneous connections.


Thursday, December 09, 2004

Skip this unless you accept credit cards 

You're a small to medium sized merchant. You throw the newspaper across the room when it says that consumers and banks are losing billions to credit card fraud, because you know perfectly well who gets stuck with the bill.

This Christmas is likely to be worse than last year because of the rise of "phishing" scams. What's going to happen is that crooks will know all the information that the real cardholder could give you. They'll have the card verification number from the back of the card, mother's maiden name, and anything else you could think of. And at Christmastime, it's not like you can insist on only shipping to the billing address.

You can use the old standard practices like calling back to confirm a huge order placed at 3 AM by a new "customer", and you can check out the card issuer's "address verification service", but nothing I've heard of will work 100%.


Wednesday, December 08, 2004

Windows 2000 isn't dead yet 

You've seen headlines warning you that Microsoft canceled plans to release security fixes for Windows 2000. The fine print, for once, has good news. Microsoft will still be releasing security updates but will be calling them an Update Rollup instead of a Service Pack. The fixes will show up on Windows Update. Here is Microsoft's explanation of the change to an "Update Rollup".

Make no mistake, Microsoft does want you to move to Windows XP. But it's not yet mandatory.


Monday, December 06, 2004

"Cybersecurity for the Homeland" report: how does it affect you? 

Today the House Subcommittee on Cyber Security, Science, and Research & Development released a 41-page report about protecting the US from threats involving our computer infrastructure. How does it affect you, the small businessperson or home user?

Well, for one thing they say it's everybody's problem:

... all users -- from the individual consumer to the large corporation -- should strive to understand vulnerabilities within hteir networked environemnt and safeguard against them. It is also necessary to prepare mitigation and contingency plans to respond if a vulnerability is exploited.

They've got a point there. If you let criminals take over your computer, they'll use it to attack others, so you should secure your computers even if you think they're not "important".

They admit (commendably) that nobody knows what computer attacks are actually costing us. I'd long suspected that the numbers being thrown around ("XXX virus cost the world $NN billion!", which someone will say the day after the virus hits) were rubbish. They go on to explain that insurance companies aren't writing many computer security policies because they don't know what the loss rates are.

Despite being a government committee, they're skeptical about legislation to require better computer security. They've actually realized that the industry moves too fast. They hint that private sector players may start writing security requirements into contracts. If your business accepts Visa cards, you probably already know all about this: Visa's been imposing computer security regulations on merchants.

They suggest more technology transfer from government to the private sector. The report quotes an NSA spokesman as saying "In almost all cases the cybersecurity requirements found in national security systems are identical to those found in e-commerce systems or critical infrastructures". Which I think is wrong six ways from Sunday. Commercial systems have to defend against pranksters and thieves where national security systems have to defend against armies and spies. The mindset is different and the tactics are scarcely comparable.

The DHS goal that means the most to small businesses is to have an education and outreach program. The report admits that this has "not received appropriate management attention". They did succeed in launching the National Cyber Alert System, which offers some decent educational material but which has missed some important recent security threats. Congress wants the DHS to do more and do it better.


Sunday, December 05, 2004

Followup: Giant Antispyware 

I posted a first look a couple of days ago about Giant Antispyware, which I'd been hearing good things about. I had a favorable first impression but noticed a couple of false alarms, one of which could have happened to a normal person (the other was because of some weird things I look at as a security consultant).

I reported the false alarm to Giant, with full technical detail, just to see what would happen. That was December 2. Giant sent me email the next day which said "Thank you for bringing this to our attention. This will be resolved in the next definition update which should be done tonight."

That's good service. Unfortunately their fix doesn't work yet, but I'd still suggest using their product as one of your antispyware programs (you need more than one in these troubled times).


Saturday, December 04, 2004

Mac users, you have a security update. No rush for most people 

Almost all the security fixes in the December 2 update for OS X fix problems that only affect people who run web servers or mail servers.

The most important change for everyday use is that Safari is now harder to fool about where a link will take you.

In other words, you do want to install the security update, but it's safe to wait for a convenient time.


Friday, December 03, 2004

Where does data go when you delete it? What Apple does right. 

Imagine that every time you bought a house, the sellers stayed there until you moved in and evicted them.

That would be a strange way to manage property, but it's the way your computer manages disk space. When you delete a file, your computer's operating system takes ownership of the space the file occupied but leaves the data there until you need the disk space for something else.

That's why you can "undelete" a file if you're lucky and act fast. That's good news if you delete something by accident, but bad news if you really needed to get rid of the data.

Apple lets you delete a file so that you've really disposed of the data. In the "Jaguar" release of OS X, version 10.3, the Finder menu has a new choice. Below "Empty Trash", it has "Secure Empty Trash" which immediately writes over the unwanted data.


Thursday, December 02, 2004

First look: Giant Antispyware 

Giant Antispyware from The Giant Company competes with the free programs Spybot Search & Destroy and AdAware in the spyware detection and removal market. Giant's software costs $29.95 with a year of updates and has a 15-day free trial that requires you to give them your email address.

This isn't a review. I haven't put in enough time for a review and haven't bounced my observations off Giant to get their comments.

It installed painlessly and scanned my machine quickly. It reported six problems that Spybot and AdAware had been silent about. I investigated the problem it described as "severe" and discovered it was a false alarm. I had run a test once to see an Internet Explorer security hole. Giant Antispyware saw that the security hole had gotten used and jumped to the conclusion that I must have a piece of spyware that's known to install itself through that security hole. I didn't have any of the files which belong to that piece of spyware.

Next I investigated the problem it called "moderate". That was another false alarm. A normal person might run into this one. It detected the ZoneAlarm firewall program as spyware! If you want the gory details, ZoneAlarm's email scanning feature tells Windows that it's going to use files that end with ".ZML", and there's a piece of adware that does the same thing.

The other four detections were all tracking cookies. It missed some other tracking cookies that AdAware and Spybot found.

Their online support forum doesn't seem to mention the false alarm with ZoneAlarm.

So what's my point already?

First, this is a reputable program from an honest company. Lots of "antispyware" is not.

It is impressively thorough when in scans the innards of Windows for problems but seems to jump to conclusions.

I believe the false alarms are harmless. Near as I can tell, I could have told it to remove the things it thought it had found and everything would have continued to work.


Visit Windows Update today 

You really need today's security fix unless you're running XP Service Pack 2, in which case you're already safe.

Microsoft has just fixed the Internet Explorer bug that bad guys were using to take over computers that visited the wrong web page or looked at the wrong banner ad. You need this fix even if you're using an alternative web browser. No matter how you surf the Web, Windows uses bits of Internet Explorer in many other places.


Wednesday, December 01, 2004

Firefox tries to protect you from "phishing" 

The scammers who try to trick you into giving them passwords or credit card numbers work by sending you to their own web site while making you think you're going to your bank's web site.

They have a lot of clever tricks for doing this.

I just looked at a web site with many examples of how to make one web address look like another one. I used FireFox to look at it. Every time I moved the mouse over one of the fake links, FireFox showed me the real destination in the status bar at the bottom.

FireFox also lets you know when you're on a "secure" connection by highlighting the address and showing you the real address at the bottom of the window.

Does this mean you can relax? No. The scammers will work out new tricks. But meantime, FireFox is giving you more chances to detect a scam before you fall into it.


This page is powered by Blogger. Isn't yours?