Home » Daynotes Home » Week of 6 October 2003

Photograph of Robert Bruce Thompson Daynotes Journal

Week of 6 October 2003

Latest Update : Sunday, 12 October 2003 08:41 -0400

Click Here to Subscribe Buy PC Hardware in a Nutshell, 3rd Edition: [Amazon] [Barnes & Noble] [Bookpool] Visit Barbara's Journal Page

Monday, 6 October 2003

[Last Week] [Monday] [Tuesday] [Wednesday] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Forums] [HardwareGuys.com Forums] [TechnoMayhem.com Forums]

9:34 - The last few days have been the weekend from Hell. Our oldest dog, Kerry, is nearly 16 years old, which is about 100 in people years. Unfortunately, he's either becoming incontinent or getting confused about where to go. Yesterday, Barbara and I had him out in the front yard, and he was desperately trying to hold it until he could get back indoors. Friday afternoon was the worst, though. We often keep Kerry penned in the foyer because otherwise he thrashes around constantly, which for some reason terrifies Duncan.

About 4:00 p.m. Friday, I took all three dogs out for a bathroom break. After walking around with them for ten minutes or so, I brought them back in. About 4:15, I got up to get a Coke and smelled something in the foyer. It was a disaster area. I hosed down the foyer rugs and took then downstairs and put them in the washer, for the third time in three days. Then I started to clean up the remaining mess with toilet paper, as I usually do, but that was hopeless. So I escalated to paper towels and ammonia, which didn't do much better. Eventually, I got out the bucket and mop and ended up mopping the foyer twice to get it clean.

Unfortunately, during all this I also managed to hurt my back. When I first noticed the problem in the foyer, I tried to lift Kerry to his feet without stepping in anything. I was twisted in a very awkward position, and when I lifted him up I think I sprained one of the muscles in my back. Fortunately, aspirin seems to work, and I'm not hurting much.

Then Saturday I went over to Barbara's sister's house to set up the new PC that Frances and her husband had just received and connect it to Roadrunner. It's their first PC, so they wanted to get it set up properly to start with. It's an HP Pavilion with an Athlon 2000+ processor, 512 MB of memory, and a nice 17" flat-panel display.

I'd originally suggested they get a baby router, but they'd already busted their budget on the PC itself, so I suggested we install ZoneAlarm instead. I picked ZoneAlarm rather than one of the more configurable software firewalls because I wanted something that would just work without requiring them to do much. I got the PC unboxed and connected with no problem, installed ZoneAlarm, and connected the PC to their cable modem.

The first thing I saw was a ZoneAlarm alert saying that BackWeb-137903 was attempting to connect to the Internet. That didn't sound good, and for a moment I thought that their system had been infected almost instantly when I connected it to the cable modem. The truth was much stranger. Their new system had malware installed on it before I even set it up. HP did that intentionally, believe it or not. I installed SpyBot Search & Destroy, updated it, and told it to scan the hard drive. In addition to the BackWeb Trojan, it also found Comet Cursors and other Malware, put there by HP. After I got all that junk cleaned up, I installed Grisoft's AVG, updated it to current, and ran a virus scan. No viruses were detected.

Then came the fun of using Microsoft's automatic update service to bring the system up to current on patches and service packs. When I connected to Windows Update, it told me there were dozens of critical updates needed, along with a dozen Windows XP updates and three driver updates. Just downloading all of those and getting them installed took several hours. I had to sit there the whole time, because periodically ZoneAlarm would pop up a warning dialog to ask if it was okay for some application to access the Internet. The applications were part of the updated Microsoft stuff. I wasn't about to turn off ZoneAlarm and let their system sit for an hour or more connected naked to the Internet, so I had to sit there waiting for ZoneAlarm alerts.

Finally, all of that completed and I was able to start installing applications. I installed Mozilla 1.4, WebWasher, OpenOffice.org (the system came with only WordPerfect), Irfanview, and other apps. With Mozilla installed, it was time to get their mail configured. The moron Roadrunner installer hadn't left their account name or password anywhere, so I had to spend 15 minutes or so on the phone with Time-Warner Cable and Roadrunner to get a username and password. That really annoyed me, because I'd spoken by phone to the installer while he was there and specifically asked him to make sure to leave that information for them. Once I got that information, it took only a few minutes to get their email setup and tested.

Then came the part I dreaded. Frances and Al had bought an HP OfficeJet hydra--printer/scanner/copier/fax device. I hate those things on general principle, and I particularly hate HP models. As far as I know, HP LaserJets are still okay, but I swore off ever buying another HP printer or scanner after my horrendous experiences with the $400 HP 6200C scanner I bought several years ago and never was able to get working.

This OfficeJet 6110 fulfilled my expectations in spades. I disabled the AV software and started the installation, following their directions exactly. Everything proceeded normally right up to the point where I was supposed to connect the printer so it could be recognized. It wasn't recognized. Instead, I got a cute little image of the OfficeJet on one side, the PC on the other, with a cable with a big red X in the middle of it. I shut everything down, checked all the connections, restarted the system, uninstalled the driver software, rebooted, and tried the installation again. Same problem. I tried plugging the USB cable into a different port, re-did the uninstall and re-install from scratch. Same problem. After four abortive attempts, it was 8:00 p.m. and I was exhausted.

Yesterday, Barbara went over to her sister's house after she finished playing golf. She and her sister called HP tech support and spent literally hours on the phone with them. They couldn't make it work either. Near the end of that session, Barbara called me and told me the HP technician was telling them that there was a problem with the chipset in the computer. Huh? I told her to ask the guy to call me.

A couple minutes later the phone rang, and I was talking to some guy in India. He told me that "the Intel USB controller is missing from the chipset." I explained to him that this system was an AMD Athlon processor running on a VIA-based motherboard, so it wasn't surprising that there was no "Intel USB controller". From his lofty position of great technical expertise, he told me that I shouldn't question his technical assertions. His suggestion was that we return the OfficeJet to the retailer and get a replacement, so I thanked him and hung up.

I called Barbara back and told her to tell Frances to return the OfficeJet for a refund rather than replacement, and that I'd talk to them about what they should get instead. Frances didn't want to do that, because she wanted the PC and printer to be matched in appearance. I told Barbara to tell Frances that I expected a replacement OfficeJet to have the same problem, and that if she insisted on getting one I couldn't guarantee to make it work. I have no idea what they'll decide to do.

And today I have a dentist appointment.

11:22 - After working hard to protect Barbara's sister's new PC against viruses and worms, I read this article in The Register this morning. The guy makes some excellent points. The plague of Windows viruses and worms is often blamed on the ubiquity of Windows. I've made similar comments myself. There's some validity to that statement, but, as this author makes clear, not a lot. Windows is inherently insecure and Linux is inherently much more secure. The article is worth the time to read it.

15:21 - Back from the dentist. I survived. 

With regard to my problems with the HP hydra, Ron Morse posted the following installation procedure over on the messageboard:

I get the same result when I try to install my Photosmart 1215 printer and Scanjet 4550 in XP using HP's directions.

This is what I do to get them working. Note the following procedure differs from HP's instructions.

Make sure the latest VIA USB drivers for your chipset are installed.

Download the latest drivers from HP's support site.

Expand/unzip/copy (depending on their form) the HP drivers to a scratch directory. Not necessary to extract .CAB files but they need to be in the scratch directory (for the printer this results in about 265 files).

power off

connect the device on both ends, power it up.

Power the PC on. If XP detects new devices during IPL click cancel. You may have to do this multiple times. You want XP to be fully loaded before installing the devices.

From the XP desktop, disable AVG and tell Zone Alarm to block all internet traffic. If Zone Alarm is not installed, disconnect the internet cable. YOU DO NOT WANT THE HP INSTALL ROUTINE TO TRY AND ACCESS THE NET.

Expand the device tree in Device manager, you should see a number of entries for the hydra, indicating errors. Find the printer, right click, select update driver, select let me choose which files. Browse to the AUTORUN.INF file in the scratch directory. Click OK

All hell will break loose. Select OK anytime it asks you a question. This should install the drivers for all the devices enumerated in the AUTORUN.INF file. If it asks to reboot when done, do so. If it doesn't ask you to reboot when done, do it anyway.

check device manager for errors (should be clean).

enable AVG and reset Zone Alarm

This method works for me without fail...even over a network.





Tuesday, 7 October 2003

[Last Week] [Monday] [Tuesday] [Wednesday] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Forums] [HardwareGuys.com Forums] [TechnoMayhem.com Forums]

10:39 - The polls have just opened in California, where it appears that Arnold Schwarzenegger is almost certain to become the next governor. In general, the media has done everything possible to hurt Mr. Schwarzenegger's candidacy. They have given major play to unsubstantiated claims of sexual harassment, and to the ridiculous claims that Mr. Schwarzenegger is a closet Nazi who admires Adolph Hitler. At the same time, they have largely ignored Mr. Bustamante's unapologetic support for a racist Hispanic radical group and credible allegations of Mr. Davis's foul-mouthed private ravings and physical abuse of his office staff. Despite all of that, it appears that Mr. Schwarzenegger is likely to be elected by a large margin.

I don't envy him the job. I think he's going to find that entrenched special interests and populist laws will make governing impossible. California may be too badly broken to be fixed, at least in any fashion that is acceptable to the voters. Mr. Schwarzenegger is, after all, only one man. He's saddled with the mistakes made by and the obligations assumed by the Davis administration, and he's not likely to have a cooperative legislature. I am reminded of that old joke: First Prize - one week in Cleveland. Second Prize - Two weeks in Cleveland. (No flames, please. I used to live in Cleveland, where, speaking of flames, the Cuyahoga river once caught fire.) Mr. Schwarzenegger may yet regret winning this election.

My impression of Mr. Schwarzenegger is that he is an honest and honorable man. I don't agree with him on many of the issues, but I don't doubt that he will attempt to do what he's promised. I'm just not sure that his honesty and honor will suffice.

Ron Morse points out over on the messageboard that he didn't realize I was going to post his comments about bringing up the HP hydra. I apologize to him for posting it without asking permission. Ordinarily, if I have any doubt, I ask before posting. In this case, he'd already posted his comments publicly on the messageboard, so I neglected to ask. Ron points out that his comments were specific to my situation, and not to be taken as general advice. You can read more of what he has to say on the messageboard in this week's topic.

I hate it when this happens. Some time ago, I'd posted a favorable comment about LaserMonks. But Richard Micko sends the following, with an attached copy of the spam he received from LaserMonks.:

-------- Original Message --------
Subject: FYI. regarding lasermonks.com
Date: Fri, 3 Oct 2003 16:18:37 -0400
From: Richard Micko
To: 'Robert Bruce Thompson'

You have recommended them on your webpage. I thought you'd be interested in this spam or uce, which I received today. I have not purchased from them before, so a 'prior relationship' does not exist. A cursory search of 'opm network' and 'flaview.com' results in spam problems.

Have a great weekend,


Arrrghhh. I hate it when that happens. I'd be willing to bet that the monks don't even realize they're doing anything wrong. Or least they didn't until they started this spam campaign and started getting nastygrams from people they'd spammed. I've noticed a certain selective blindness among many businessmen. They all know spam is bad. They all get lots of spam in their inboxes, and they hate it just like the rest of us do. But they don't consider their spam to be spam. It's important to them and therefore must be important to everyone.

I'd be willing to bet that this all started when LaserMonks themselves received a spam, something like "Promote your business inexpensively with bulk email". They probably thought, "Everyone would buy our stuff if they knew about it, and here's a cheap way to get the message out." Like many businessmen, they didn't stop to think that what they were about to start sending was spam. One man's useful marketing message is another man's spam. Or, one man's Mede is another man's Persian. Or, one man's fish is another man's poisson. (With apologies to George S. Kaufman, Oscar Wilde, and H. L. Mencken.)

And this from Dr. Mark Huth on the Linux vs. Windows viruses link I posted yesterday.

-------- Original Message --------
Subject: security linux and microsoft in the Register.
Date: Mon, 6 Oct 2003 13:58:23 -0700
From: Mark Huth
To: Robert Bruce Thompson


Like most things, this whole Linux/Windows thing is complex.

I'd agree with everything the article author has said (perhaps without the same undercurrent of religious fervor), however, the fact remains that the Windows world provides huge advantages that the Linux world doesn't provide and no amount of wishful thinking can make that go away. It is also true that Windows can be made to function in a secure fashion. Put windows boxes behind secure firewalls, virus scan, maintain patches and one has a pretty good, pretty secure, pretty stable platform. Look at my environment, your working environment, and that of millions of others running Windows. Would Linux or OS X be better than Windows if it had the same market penetration? Sure, but it doesn't. Is it as easy to setup Linux on an individuals machine, does it provide the same workgroup integration, etc. Answer, alas, is no. Can I run my business on it? Not now, and not for the foreseeable future. Is it as cost effective as Windows? I don't know, but if the pieces don't exist to run in my environment...the cost doesn't much matter.

My point...well the article writer is looking at a tiny piece of a much bigger picture and is looking much the easier part of the picture. I'd suggest that Gates et al. didn't see the future clearly and made some bad choices in one area, but saw the future far more clearly than anyone else in many other areas.

Microsoft, for all its warts, has clearly improved my workplace. We do run our business on Microsoft products, we employ a bunch of people, we make technology decisions based on what works...not what I'd personally like to see work. Religious discussions are fun, but for better or worse Microsoft is doing an ok job of putting bread on my table and that of my employees.

I'm hopeful that the next 5 years will bring improvement in both the Linux and in the Microsoft products. I would make my life easier and probably expand your target market for your books as well!

Warm regards.

You make several good points. That Windows is inherently insecure is not in doubt. Even Microsoft has admitted that publicly. That Linux is inherently more secure than Windows is also not in doubt, although Microsoft would bite their collective tongues off before admitting that.

All of that said, I don't regard viruses and worms as a big problem for me personally. Like you, I have firewalls, virus scanners, and so on out the wazoo. The likelihood of one of us falling victim to a virus or worm is pretty small. But we are not normal users. I continue to use Windows 2000 for now, because for me it has the best combination of features, software support, and so on. I'm willing to put up with the virus/worm threat because I can contain it, albeit at an unfortunately high price in terms of time, effort, and frustration.

I've watched Linux grow and mature over the last few years, and I don't doubt that it will eventually become a serious competitor to desktop Windows. As you say, for many that day has not yet arrived, but it is coming. I think a lot of people think of desktop Linux as being X years in the future, but it's not really quantifiable that way. For some, desktop Linux is here now. For others, it's on the very near horizon. For still others, it's a long way off. Application and data format compatibility remains the overwhelmingly important issue. Most of the usability concerns have been addressed and things continue to improve on that front. Linux will arrive for the desktop in fits and starts, as more and more large companies begin to adopt it. There is a critical mass issue. I'm not sure where the critical mass occurs, but I've seen credible estimates of 10% of desktops. Once Linux reaches that critical mass, it will be unstoppable, because everyone will rush to support it with their applications.

My guess is that for you desktop Linux may be three to five years away. For me, it's a lot closer.

12:01 - More from Dr. Huth:

-------- Original Message --------
Subject: RE: security linux and microsoft in the Register.
Date: Tue, 7 Oct 2003 08:12:45 -0700
From: Mark Huth
To: Robert Bruce Thompson


I'd like to believe that what you say is true. However, I've some doubts. Software development time being what it is for complex software, I don't see the medical applications we need being available in the 3-5 year time frame. That would mean that many of the larger firms should be starting now...and none of the firms we've discussed this with have told us of any plans to move their software over to Linux. Further, one needs to interweave the applications into an "environment". As a crude example, my electronic medical record needs to talk to my cath lab software, to my echo machines, it needs to talk to my scheduler, needs to talk to my billing system, needs to be web enabled, allow portable devices, etc. Those interconnections require structure, years of fine tuning and dare I say it...corporate relationships. While a collection of open source programmers may generate a fine product, do they do the legwork to connect their software to the software that I need? My market is huge, but smaller than the word processing market by multiple orders of magnitude. I suspect that similar industries require similar levels of interconnection. I don't think that it is simply a matter of putting up a word processor or spreadsheet and saying "World, here it is!" (Although, that it taking a horridly long time to happen in the Linux world...and yes I've got a copy of Open Office).

I, personally, think that it is more likely that Microsoft will begin to show improvement in security. As we both know it isn't very difficult to protect MS software from most threats. Granted one needs to hide it behind "other" software...firewalls, virus scanners, but one would need to do some of that no matter which OS one uses. I'd never put anything that had sensitive data on the net without protection. I suspect that Microsoft will begin to show improvement in the next couple of years

Then, is cost an issue? Well, from a business standpoint, is the cost of Microsoft products an issue? Well, we are running a mix of NT 4.0 server, windows 2000 server, Office 98 and 2000, with Windows 98, 2000, and XP on the desktop, (I believe you remember that we also run AIX and Linux). The cost of these Windows products just isn't an issue. Would free be better? Sure, but Linux isn't really free.

I think you're confusing operating systems and applications. I have certainly never suggested that commercial software won't be used on Linux systems, or that open source developers would fill all software needs. IBM, Oracle, and other large companies, as well as thousands of ISVs, have ported their high-dollar applications to Linux, and I expect that trend to continue. Ask any vendor of server applications and they'll tell you that there is great demand for Linux versions of their apps. Certainly the horizontal applications like databases have been the first to be ported, both because the market for Linux versions is larger than it is for vertical applications and because many of those vertical applications require horizontal applications like Oracle to function.

Linux is a better application server OS than is Windows Server. That fact, as well as customer demand, has caused many software companies to make their software available for Linux. I don't know the medical software business, but I'd be surprised if Linux didn't start making some serious inroad there as well. Not just for the lower cost and superior functionality of Linux, but because security is not the problem on Linux servers that it is on Windows servers, and data security is certainly a major issue in the medical profession. I'd expect most medical software developers to soon begin producing Linux versions of their Windows Server applications, and eventually to phase out support for Windows in favor of Linux.

In purely technical and economic terms, Linux is unstoppable. The only prayer Microsoft has is to continue doing what they've been doing, which is to attempt to use the legal system to block Linux.



Wednesday, 8 October 2003

[Last Week] [Monday] [Tuesday] [Wednesday] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Forums] [HardwareGuys.com Forums] [TechnoMayhem.com Forums]

9:38 - Governor Schwarzenegger finds himself in the same situation that our oldest Border Collie, Kerry, was in the time he charged a UPS truck, bit it in the tire, and brought it to a halt. Now that he's caught it, what's he going to do with it?

A lot depends on whether he cares about being re-elected in three years. If he does, he'll have to work within the existing political framework. With the Democrats already talking about recalling Schwarzenegger, he's obviously not going to get much co-operation from the legislature, and he can count on ferocious opposition from entrenched special interests. That means California will spend the next three years in political deadlock. Conversely, if Mr. Schwarzenegger doesn't care about being re-elected--and why should he?--he can get a lot done by using executive orders to slash his way through political opposition. Many, perhaps most, of those executive orders will be the subject of court battles, but by the time the courts settle them they will have had their intended effect anyway.

So, the question is whether Mr. Schwarzenegger will behave as a typical politician or as the Terminator. I'm betting on the latter, and hoping that's what happens.

More on Linux from Dr. Huth:

-------- Original Message --------
Subject: RE: security linux and microsoft in the Register.
Date: Tue, 7 Oct 2003 22:46:54 -0700
From: Mark Huth
To: Robert Bruce Thompson


Again, thanks for the note and I don't want to get into a beard pulling contest with you, especially over something which will work out in some fashion in the future.

That said, let me natter. I'm not so naive that I don't understand the difference between operating systems and applications. As you know, I did device driver development in assembly language as a contract programmer for Hewlett Packard eons ago and have worked with 5 large medical software companies in database development over the years. I'm in the process of working with a number of web developers to try and get a freely available medical database running in a cross platform environment right now in conjunction with the ACC and with Johnson and Johnsons research arm. So, I do get it...a bit anyway.

But, OS's provide the environment for software development (as you understand far better than I). Indeed, much of the bitching about MS is that outside developers don't have the same access to the OS that MS developers have. That environment...the fact that the OS supports an excellent word processor, the fact that my programming environment can access my plotting and graphing program, that my groupware will allow me to detail tasks to others, that I can use something like Access to do a quick and dirty mock up of a project to be converted into a more advance database are all part of the environment provided by the OS and applications in concert. If I need to find a different program to do my scanning or faxing or PIM...I want a selection. (As a more specific example, we've done a working, tested database in Access in our project...with the idea that it will be converted into a more sophisticated database has met with enormous praise from almost all the high end developers with whom we are working). The fact that you still work in Windows 2000, given your enormous level of sophistication, suggests that the OS is doing something right for you at this point.

Will that change? You are very optimistic, I'm much less so. The fact that database developers support Linux is great and I hope to see great things as time passes. Time is passing and I'll remind that you wrote similar things a couple of years ago...things are better now in Linuxland, but we ain't there yet. Lots of things have to happen for Linux to be very successful and reach a critical mass. Many of the niches that are filled in the Windows environment remain to be filled in the Linux world. Meantime, MS isn't sitting idle...for better or worse.

Finally, I can't address non-medical developers. What I was addressing in my note below was that...In the last 6 months I've seen a fairly large subset of the development efforts of a number of the biggest medical software developers in existance...Siemens, GE, and Phillips for example and I didn't see any development for Linux based medical products. The lead time is long for this type of software development...in the 3-5 year range. I did see that all of them were developing in and for Windows. Will that change? I don't know.

I've voted for Linux with hard dollars. I've recently added to my personal collection of *nix "stuff" by adding a Powerbook G4. That added to a linux server, a linux workstation, and assorted other things running *nix...all bought an paid for...I own 2 registered copies of RedHat and one of Suse. I, personally, want to see Linux survive and thrive, but I want to do it in a market filled with excellent, easy to use software. I want more than what I have now in my software world, I want to do less work to get it all to work...I'm happy to pay for it. Will Linux deliver....sure hope so, but I'm not holding my breath.

Mark Huth

"In democracy its your vote that counts.; In feudalism its your count that votes." Mogens Jallberg

I didn't know you had a beard.

Of course I realize that you know the difference between operating systems and applications, but my point was that it's easy to confuse the issues. Most vertical-market ISVs are OS-neutral, in the sense that they're willing to put their applications on whatever operating system(s) their customers demand. Of course, that may or may not be easy. If the application uses something cross-platform like Oracle as a back-end, it's relatively easy to port the application to a different OS. If it depends on Microsoft hooks, it's much harder. Apparently, most medical software falls in the latter category, or it'd be available for Linux already.

As far as the progress of Linux, I think we'd both agree that it's come an awfully long way in the last couple of years. Typically, prognosticators are overly optimistic in the short run and overly pessimistic in the long run. I think that's what's going on here. I've been overly optimistic about the short-term prospects for penetration of Linux in various niches, but I think you're being overly pessimistic in the long term.

Here's one that ended up buried in my junk mail folder for a month before I discovered it yesterday. If you're using an Intel D865GBF motherboard, it's worth reading.

-------- Original Message --------
Subject: D865GBF Motherboard Errata
Date: Sun, 7 Sep 2003 06:22:59 -0700
From: James Cooley
To: 'Robert Bruce Thompson'


Ran across this regarding Intel's D865GBF boards and thought you might be interested.

<ftp://ftp.download.intel.com/design/motherbd/bf/C4159703.pdf> (Somehow, it works with my FTP client; but not IE or Netscape 2.02... go figure)

Dated 8/12/2003


1. Pinout on Front Panel Audio connector incorrect, Q.V.

2. NOTE The Enhanced mode IDE/Serial ATA BIOS option requires support for resources up to a maximum six devices, and has been tested with Windows 2000 and Windows XP. This BIOS option should be set to Legacy mode when used with operating systems that support a maximum of two IDE channels (four devices).



Thanks. I hadn't encountered that. Barbara uses a D865GBF motherboard in her primary system, and it's in an Antec Sonata case with front-panel audio connectors, but I hadn't bothered to hook them up. As to the other, I'd hope most of my readers are using Windows 2000/XP or Linux by now.

13:57 - I've been looking at the California election results on CNN. If I recall the original election numbers correctly, nearly a million more people voted to remove Gray Davis from office than voted to put him there in the first place, and Schwarzenegger actually received more votes to replace Davis than Davis received when he was elected to the office. That's an extraordinary result no matter how you look at it.

It looks to me as though California taxpayers voted to reclaim their state and their government from the special interests and tax consumers. The question now becomes whether or not Mr. Schwarzenegger will be able to follow through. I suspect he will, although it may be a bloody fight.

14:24 - And, in what is presumably the definitive word on Linux versus Windows, Mark Huth writes:

-------- Original Message --------
Subject: RE: security linux and microsoft in the Register.
Date: Wed, 8 Oct 2003 11:06:41 -0700
From: Mark Huth
To: Robert Bruce Thompson

Actually, I do have a beard...grin. Had it for greater than 20 years.

I've had mine for 32 years now, except for one day. I stopped shaving the day I left for college and haven't done it since, with one exception. In 1981, I was going in for an interview for a job I really wanted. My father convinced me to shave for the interview. I didn't want to, but I finally took his advice. When I sat down with the president of the company, I immediately noticed that his face had an odd fur-like growth. Could it be? Yes, he had a beard. He hired me, and that's the last time I shaved.

I went in to a job interview some years later with a big-name software company. As I sat down with the interviewer, his first words were, "The beard has to go." So it left.



Thursday, 9 October 2003

[Last Week] [Monday] [Tuesday] [Wednesday] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Forums] [HardwareGuys.com Forums] [TechnoMayhem.com Forums]

7:03 - It's a measure of the chilling effect of the DMCA that I hesitated to report that the music industry's latest CD copy protection mechanism is trivial to disable. I read about the copy protection method and the workaround several days ago on /., but hesitated to mention it so that I wouldn't be liable to prosecution under the DMCA. Now that the story has made CNN, I'm probably safe.

Unbelievably, SunnComm MediaMax CD3 copy protection puts the music in unencrypted tracks on the CD and protects it only by depending on the PC to autorun a program that is also included on the disc. If your CD-ROM drive is set not to autorun, if you hold down shift while loading the disc to disable autorun, or if you're running Linux or an earlier version of the Apple OS, the disc works just like an unprotected CD. This is the first copy protection method I've ever heard of that depends on the user passively accepting the copy protection. Even Aunt Minnie can get around this one.

Being a suspicious sort of person, I wonder just what the point of this is. Certainly not to prevent copying, because getting around the protection brings new meaning to the word trivial. Their explanations are not convincing. One sources says they claim that users will have to hold down the shift key each and every time they want to play the CD unprotected on their systems. So what? Even if that were true, it's not particularly onerous to hold down shift as you put a new CD in the cupholder. But it's not true, of course. It's easy enough to disable autorun by default, which obviates the need to hold down the shift key each time. For that matter, it's easy enough to start the CD in unprotected mode, rip the tracks, and burn them to a $0.15 CD-R disc. Or, for that matter, leave them as .WAV files on your 200 GB hard drive.

So what game are these people playing? My guess is that they're simply trying to get people used to buying copy-protected content. Once people accept copy protection as a given, the gloves will come off and they'll start using something that's harder to break.

What's going on with the price of writable DVD discs, or not going on as the case may be? Their prices are much too high, and don't appear to be falling much, if at all, over the last few months. I periodically do a price check to determine how much DVD+R, DVD+RW, DVD-R and DVD-RW discs sell for. I price them in reasonable bulk quantities, a spindle of 25 to 100 without jewel cases. I did such a price check yesterday.

Once again the write-once discs, -R or +R, were selling for pretty much the same price, as were the +RW and -RW rewritable discs. The 2.4X +R discs were selling for about $2 each in bulk, with 4X selling for $2.50 to $2.75. That's much too much for a write-once disc. Name-brand 4X DVD+R discs should be selling for well under a dollar each by now, and really should have reached the $0.50 each range. The +RW discs were selling for roughly $3 each, which is not completely unreasonable, but something in the $1.50 each range would be more reasonable.

I think what's happening is that media makers are keeping their prices high to pay off development costs. But in doing so, they're hindering the widespread usage of writable DVD. They'd make much more money selling their discs by the hundreds of millions at a reasonable price than they are by selling them in small numbers at these ridiculously high prices.

The disc makers might argue that on a cents-per-megabyte basis writable DVD discs are already competitive with the price of blank CD-R discs, but that misses the point. People don't buy and use writable discs by the megabyte, they buy and use them by the disc. Right now, people think nothing of using a CD-R disc to write one file. Why should they, when a CD-R disc costs $0.15 or less? But before you pop a $2.50 DVD+R disc in the drive, let alone before you buy a spindle of 100, you have to think about it.

Disc manufacturers need to price their discs at a level that makes using a writable DVD disc a no-brainer, just as it is for CD-R right now. Why should they do that? Because they need to make sure that writable DVD becomes a ubiquitous technology right now, before follow-on technologies such as Blu-Ray start coming to market. Or perhaps the disc makers are intentionally following this course, skimming high profit margins from limited volume sales in the expectation that the current writable DVD standards will be obsoleted by the forthcoming standards. Rinse, wash, repeat.

Every few months, I check the quality of the on-line translation services, which are still pretty much a joke. Last night, for some reason, I decided to put the first section of Monday's journal entry through the Google English-to-German translator. My German is, to put it mildly, rusty. It's been more than 25 years since I spoke, listened to, or read a phrase in German. Still, the Google German version looked odd to me.

So I ran it back through the translator in reverse, converting their German version to their translated English version. The result was truly odd looking. For example, it converted the names of Barbara's sister and sister's husband, Frances and Al, to "Frances and aluminium". Hmmm.

So, as long as I was there and playing with it, I decided to enter a few more phrases. Back in college I learned essential phrases in many languages. Stuff like, "Where is the nearest American embassy?", "I need a doctor?", and "Would you like to sleep with me?" (Well, essential phrases for a 20-year-old male, anyway).

So I started running some of those phrases through the Google translator. It converted the English, "Would you like to sleep with me?" to "Wurden Sie mögen mit mir schlafen?" That seems a bit awkward, not least because I'd be using the formal "Sie" rather than the informal "du" to a woman I'm propositioning. I'd have said, "Möchtest du mit mir zu schlafen?" or simply "Möchtest du mit mir schlafen?", but perhaps my German is less fluent than Google's. (Actually, I probably would have said something shorter and ruder, but this is a family-friendly page, kind of.)

Most of the other phrases were equally awkward, although the sense of the statement generally made it through the translation, if only barely. Is this really the state-of-the-art in on-line translation? As best I can tell, they're still doing simple word substitutions. How hard would it be to parse the entire document being translated, if only to do something as simple as a keyword count to determine what the document is probably about? From that point, translations could be made from within the assumed context, which would surely result in more accurate translations.

For that matter, how hard would it be to extract the 1,000 (or 10,000) most common phrases and sentence fragments from each language to be translated and have a human translator fluent in both source and target languages construct a look-up table with vernacular replacements for the phrases to be translated? My desktop PC, I have no doubt, has more CPU power, more memory, and more storage than all of the computers used to manage the Apollo moon missions combined. Surely that is enough to do something more than simple word substitutions?

8:33 - This from Dr. Huth concerning another proposed technical solution for spam.

-------- Original Message --------
Subject: fellas, I think this has real merit. Take a look
Date: Wed, 8 Oct 2003 15:17:55 -0700
From: Mark Huth
To: Jerry Pournelle, Robert Bruce Thompson

I think this has real merit


Mark Huth

"In democracy its your vote that counts.; In feudalism its your count that votes." Mogens Jallberg

Although this proposal does make provision for running parallel with the existing SMTP/POP mail infrastructure, I still think any solution that requires a wholesale change to a million servers and a hundred million clients is a non-starter. I think what we have here is an exercise in behavior modification. The question becomes, is it easier to modify the behavior of 100,000,000 email users, or is it easier to modify the behavior of 100 spammers? I think the latter is the only real solution.

Speaking of spam, I've been training Mozilla Mail for quite some time now, and I decided to turn on its spam filtering the other day. In conjunction with SpamAssassin, it is quite effective. Overnight, I received 327 emails. Of those, 222 were spam. SpamAssassin caught 217 of those, and Mozilla Mail caught the remaining five that SpamAssassin had missed. I ended up with zero spams in my inbox.

Interesting, those that SpamAssassin flags are automatically deleted by my Mozilla Mail filters, and end up in my Trash folder marked as read. Those that Mozilla Mail's spam filters catch are also in my Trash folder, but remain flagged as unread. That makes it convenient to sort the Trash folder by Read status so that I can check the messages that were deleted by Mozilla Mail. So far, I've had zero false positives from Mozilla Mail's junk mail controls, so things are looking pretty good.



Friday, 10 October 2003

[Last Week] [Monday] [Tuesday] [Wednesday] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Forums] [HardwareGuys.com Forums] [TechnoMayhem.com Forums]

10:37 - There's good news and bad news on the DMCA front this morning.

The good news is that Senator Fritz "Hollywood" Hollings (D-Disney) is retiring, after spending 36 years violating his oath to protect and serve the Constitution and people of the United States. Hollings never met a campaign contribution he didn't like. He was one of the prime movers behind the unconstitutional Digital Millennium Copyright Act, but even that obscene piece of legislation wasn't enough for him. Last year, after receiving nearly $300,000 in campaign contributions from the movie industry, he tried, and fortunately failed, to push through Senate Bill 2048, the Consumer Broadband and Digital Television Promotion Act (CBDTPA). The movie industry no doubt considers Hollings bought and paid for, and for good reason.

There's an obvious solution to this problem, and it's long past time to implement it. Politicians are supposed to represent the people who elected them. Not companies, not industry trade groups, not special interests, but the voters. Instead, politicians nowadays represent the interests of the groups that fund them. The solution is easy enough, and Constitutionally acceptable. Allow politicians to accept campaign contributions of any amount, but only from individuals, and only from individuals who are registered voters in their districts.

The President and Vice President of the United States represent all Americans, and should be allowed to accept individual campaign contributions of any amount from any US citizen who is registered to vote. Senators and governors represent their states, and should be allowed to accept individual campaign contributions of any amount from any person who is registered to vote in their states. Congressman represent their districts, and should be allowed to accept individual campaign contributions from any person who is registered to vote in their districts. And so on. No campaign contributions should be permitted by businesses, political action committees, or any other entity that is not an individual person. Any such contribution would rightly be treated as a bribe, with severe penalties for the briber and bribee.

Doing that would eliminate the ability of businesses to buy legislators and legislation. You might object that Bill Gates could make $50,000,000 in campaign contributions and buy himself a congressman, a governor, a couple of Senators, and President and Vice President of the United States. So what? In the first place, it's Mr. Gates' Constitutional right to support his representatives with campaign contributions. In the second place, the system I propose limits the effect of Mr. Gates' wealth to local politics. There's not much point to buying two senators when there are 98 other senators to counterbalance them, nor to buying one congressman when there are 434 other congressmen to counterbalance him. As to the executive positions, well what good does it do Mr. Gates to buy the President and Vice President of the United States? Even if he buys them, there's not much he can do with them. Same thing for the governor. Gates may own a state representative and senator, but again they're counterbalanced by the rest of the state legislature.

Finally, to make this all work, we extend it to the judiciary. In theory, the judiciary is apolitical, but that of course is a myth. On the basis that they are supposedly non-partisan, many judges are appointed rather than elected, and many serve for life. Clearly, judges are no more apolitical than any other politician, and they need to be treated that way. With the exception of the Supreme Court, I suggest that all federal judges be elected by the voters in their districts on the same basis as representatives, and for the same terms. Oh, and no one who has graduated from law school or been admitted to the bar should be eligible to serve as a judge.

None of this will happen, of course, because our politicians serve their own interests rather than ours.

Finally, the bad news. My fear of posting the workaround for the latest CD copy-protection scheme was not unfounded. SunnComm has announced their intention use the DMCA to persecute the guy who publicized the workaround.

11:55 - Literally one minute after I posted the final paragraph above, The Inquirer posted an article saying that SunnComm had reconsidered and will not persecute John Halderman.



Saturday, 11 October 2003

[Last Week] [Monday] [Tuesday] [Wednesday] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Forums] [HardwareGuys.com Forums] [TechnoMayhem.com Forums]

14:37 - Barbara is off today at a Border Collie trial, running a table for Carolina Border Collie Rescue. I'm developing a preliminary outline for the next book I'm going to write for O'Reilly. They seem enthusiastic about doing the book, so we'll see. I can't say anything about it at this point.

16:00 - I don't often post security warning these days. There are just too many of them. But I just sent the following emails to subscribers, and you need to be aware of this problem. (Sorry for the ugly formatting. I don't have time to clean it up.)

-------- Original Message --------
Subject: Fwd: Bad news on RPC DCOM vulnerability
Date: Sat, 11 Oct 2003 15:33:48 -0400
From: Robert Bruce Thompson
To: Subscribers

I just received the following from Roland Dobbins on a critical Windows security vulnerability that the MS03-039 patch does not fix.

If you are running Windows 2000 or Windows XP, you need to be aware of this issue and take action to protect against this vulnerability. Note that earlier versions of Windows may also be vulnerable, although Microsoft does not comment on that.

-------- Original Message --------
Subject: Fwd: Bad news on RPC DCOM vulnerability
Date: Sat, 11 Oct 2003 11:56:15 -0700
From: Roland Dobbins
To: Jerry Pournelle, Robert Bruce Thompson

Begin forwarded message:

> From: "VigilantMinds Security Operations Center" > <soc.rpc@vigilantminds.com> > Date: Fri Oct 10, 2003 11:08:12 PM US/Pacific > To: <bugtraq@securityfocus.com> > Subject: RE: Bad news on RPC DCOM vulnerability > > Security Community, > > The following information references a serious security threat to you > or > your organization if the proper measures have not been taken to prevent > its destructive intent. > > Description of Issue > -------------------- > VigilantMinds has successfully validated the claims regarding the > latest > Microsoft Remote Procedure Call (RPC) vulnerability. Specifically, > VigilantMinds has validated that hosts running fully patched versions > of > the following Microsoft operating systems REMAIN subject to denial of > service attacks and possible remote exploitation: > > * Microsoft Windows XP Professional > * Microsoft Windows XP Home > * Microsoft Windows 2000 Workstation > > Although it has not been verified at this time, other versions of > Microsoft Windows are also suspected to be subject to this > vulnerability. > > As with the prior RPC vulnerability (MS03-039), these attacks can occur > on TCP ports 135, 139, 445 and 593; and UDP ports 135, 137, 138 and > 445. > > > Remediation Actions > ------------------- > VigilantMinds has notified CERT/CC and informed the vendor of this > issue. As of this posting, no vendor patch is yet available. > > As a temporary solution, VigilantMinds suggests that firewall rules be > placed on all affected ports for any exposed systems. All external > connectivity (including VPN) should be firewalled actively for > unnecessary incoming RPC activity. > > A Snort signature that will detect traffic patterns associated with > this > attack is below. Note that current Snort signatures may also identify > this attack. > > > Further References > ------------------ > > A Snort signature for this and other versions of the Microsoft RPC > vulnerability: > > alert TCP any any -> any 135 (msg:"RPC Vulnerability - bind > initiation";sid:1; rev:1; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 > 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 > 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 > 9F E8 08 00 2B10 48 60 02 00 00 00|"; > flow:to_server,established;classtype:attempted-admin;) > > > > ******************************************** > Security Operations Center > VigilantMinds Inc. > > email: soc.rpc@vigilantminds.com > Office 412-661-5700 > Fax 412-661-5684 > ******************************************** > > This e-mail and any files transmitted with it may contain confidential > and/or proprietary information. Any use, distribution, copying or > disclosure by another person is strictly prohibited. It is intended > solely for the use of the individual or entity who is the intended > recipient. Unauthorized use of this information is prohibited. > > ******************************************** > > > -----Original Message----- > From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU] > Posted At: Friday, October 10, 2003 10:49 AM > Posted To: Full Disclosure > Conversation: [Full-Disclosure] Bad news on RPC DCOM vulnerability > Subject: [Full-Disclosure] Bad news on RPC DCOM vulnerability > > > Dear bugtraq@securityfocus.com, > > There are few bad news on RPC DCOM vulnerability: > > 1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD > is > again actual. 2. It was reported by exploit author (and confirmed), > Windows XP SP1 with all security fixes installed still vulnerable > to > variant of the same bug. Windows 2000/2003 was not tested. For a while > only DoS exploit exists, but code execution is probably possible. > Technical details are sent to Microsoft, waiting for confirmation. > > Dear ISPs. Please instruct you customers to use personal fireWALL > in > Windows XP. > > -- > http://www.security.nnov.ru > /\_/\ > { , . } |\ > +--oQQo->{ ^ }<-----+ \ > | ZARAZA U 3APA3A } > +-------------o66o--+ / > |/ > You know my name - look up my number (The Beatles) > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >

And a follow-up message:

-------- Original Message --------
Subject: Fwd: Bad news on RPC DCOM vulnerability - Part Two
Date: Sat, 11 Oct 2003 15:35:31 -0400
From: Robert Bruce Thompson
To: Subscribers

And here's a follow-on message.

Don't ignore this problem. It's critical.

-------- Original Message --------
Subject: Fwd: Bad news on RPC DCOM vulnerability
Date: Sat, 11 Oct 2003 12:02:48 -0700
From: Roland Dobbins
To: Jerry Pournelle, Robert Bruce Thompson

Begin forwarded message:

> From: K-OTiK Security <Special-Alerts@k-otik.com> > Date: Fri Oct 10, 2003 2:51:22 PM US/Pacific > To: bugtraq@securityfocus.com > Subject: Re: Bad news on RPC DCOM vulnerability > > as confirmed by 3APA3A and security labs, it seems that the public > exploit *works* even if the patch MS03-039 is *installed* > > This is a highly critical vulnerability - users MUST block vulnerable > ports ! > > Regards. > > K-OTik Staff /\\/ http://wwww.k-otik.com > > > >> From: 3APA3A <3APA3A@SECURITY.NNOV.RU> >> >> Dear bugtraq@securityfocus.com, >> >> There are few bad news on RPC DCOM vulnerability: >> >> 1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD >> is >> again actual. >> 2. It was reported by exploit author (and confirmed), Windows XP >> SP1 >> with all security fixes installed still vulnerable to variant of >> the >> same bug. Windows 2000/2003 was not tested. For a while only DoS >> exploit >> exists, but code execution is probably possible. Technical details >> are >> sent to Microsoft, waiting for confirmation. >> >> Dear ISPs. Please instruct you customers to use personal fireWALL >> in >> Windows XP. > >

When I sent these messages to subscribers, I ran into a problem. A couple of weeks ago, Roadrunner blocked messages from my primary mail server, so I changed Mozilla Mail to use the Roadrunner SMTP server. I forgot to change it back after they fixed the blackhole problem. When I attempted to mail my subscribers, the Roadrunner server refused to send the message, claiming "too many recipients". Arrrghhh. So I changed my SMTP server back to rocket and sent the messages successfully. I hate spammers. They're the cause of all this aggravation.

And I've already gotten a lot of bounces from subscribers. If you're a subscriber, you should have received two messages from me. If you didn't get them, and if your mailbox isn't full (or your account has some other temporary problem), please let me know. I did get a few hard bounces, which are listed below in obfuscated form:

----- The following addresses had permanent fatal errors -----
<mshelto at socal dot .rr dot com>
(reason: 550 5.1.1 unknown or illegal alias: mshelto at socal dot .rr dot com)

<paul.edgerton at attbi dot com>: host gateway.attbi.com[] said: 550
mailbox unavailable [INACTIVE]

<larry.see at mindspring dot com>: host mx10.mindspring.com[] said: 550
larry.see at mindspring dot com...User unknown

<ray.mears at physio-control dot com>: host ns-mx1.physio-control.com[]




Sunday, 12 October 2003

[Last Week] [Monday] [Tuesday] [Wednesday] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Forums] [HardwareGuys.com Forums] [TechnoMayhem.com Forums]

8:41 - Barbara is playing golf with her father this morning. I'm doing laundry and working out the outline/TOC/proposal for the new book.

We've traded office chairs. Barbara's back was bothering her, and she thought her office chair might be the reason. I swapped them out. She prefers the one I had been using, and the one she'd been using seems fine to me. We'll try them for a while and see how they work out.

Mozilla released 1.4.1 on Friday. I downloaded it and have been playing with it. Looking at the features list, it seems to me that it already has most of what is to appear in 1.5, which is currently in RC2 and due for release shortly. I installed it on my den system yesterday and played with it quite a bit. There are only minor differences between it and 1.4, but what I've seen is very nice. If you're using an earlier version, I suggest you download it and give it a try. Even the optional Calendar, which is still in alpha, appears to work fine now.



Copyright © 1998, 1999, 2000, 2001, 2002, 2003, 2004 by Robert Bruce Thompson. All Rights Reserved.