
Robert Bruce Thompson: Daynotes Journal

Week of 28 June 2004

Latest Update: Sat, 21 May 2011 8:09 -0700



Monday, 28 June 2004



9:29 - I have to admit that when I read those articles claiming that 2004 was "The Year of the Linux Desktop", I didn't believe them. Oh, I don't doubt that desktop Linux is making great strides this year, both technically and in terms of adoption rates. But it wasn't quite the time for me, I thought.

Well, I was wrong. After working with Xandros Desktop 2.0 on my den system for a couple of weeks, I've decided it's time to make the change. From now on, Linux is my primary desktop operating system. Not my only desktop operating system. Windows still has a place in my computing environment. I need it to do screenshots for my books, for one thing.

I also need Windows to run some applications that I simply can't do without. Microsoft Word 2000 and Excel 2000 seem to run flawlessly under Codeweavers' Crossover Office under Xandros, so that's no longer a concern. But there are things I need to run that simply aren't available under Linux.

Astronomy programs for one. I've looked at the Linux planetarium apps, and none of them come even close to what I use now. Cartes du Ciel, which runs only under Windows, is extremely powerful, elegant, and easy to use. The alternatives under Linux aren't good. I tried Kstars. It's pretty enough, but it has about 5% of the functionality of CdC and about 10% of what I need. Then I looked at xephem. It's extremely powerful, although still nothing near CdC, but it's also crude and awkward to use. I could live with xephem if I absolutely had to, but there's no reason to. It's easier just to keep a Windows desktop system handy. And the notebook system we use while observing in the field will continue to run Windows and CdC for the foreseeable future.

There are other minor missing pieces with Xandros, most notably the lack of support for burning DVDs. I'm not surprised that Xandros decided not to attempt to include DVD burning support, because the current tools for burning DVDs under Linux are crude and feature-poor. Perhaps by the time Xandros 3.0 ships, whenever that might be, Linux DVD burning tools will be sufficiently well developed to include in that release.

All of the issues I have with Xandros are niggles. There's nothing really stopping me from migrating to Linux as my desktop OS, and that's exactly what I plan to do. It won't happen immediately. I need a new main system for my office, and I don't have one available at the moment. That may sound odd, given the number of new systems sitting around here unused.

Let's see. There's a departmental server, which'll eventually run Linux, probably SuSE. There's the "Kick-Ass Gaming System", which is fast and pretty, but much too loud for my office. There's the mainstream system I built for the book, but it's currently sitting in pieces on the library floor, awaiting a professional photographer to shoot cover images for the new book. There's the Home Theater PC system I built for the book, but that's scheduled to go from testing into production use soon. I have the pieces to build quite a few more systems, but I think I'll just wait until the mainstream system is available and use it for my new main office system. It'll be running Xandros Desktop 2.0 Business Edition, of course.

 



Tuesday, 29 June 2004



9:48 - By popular request, I've changed the "Latest update" link at the top of the page back to the way it was.

The date/timestamp is produced by a FrontPage "bot". Each time I edit this page, FrontPage automatically inserts the date/timestamp. When I save the page, the bot inserts the date and time as text. That's very convenient, but the problem is that that function is specific to FrontPage. I have FrontPage installed on my Xandros Linux box in the den, but it doesn't work properly under Crossover Office. For that reason, I'm using Mozilla Composer on the Linux box, and Mozilla Composer doesn't automatically update the date/timestamp.

I actually like Mozilla Composer pretty well, but it's purely an HTML editor. FrontPage has a lot of site-management functions that Mozilla Composer lacks. For example, each January 1st I update the copyright tag at the bottom of the page. In FrontPage, that tag is another bot. When I update the copyright notice on one page, FrontPage automatically updates it on every page in the web and writes the HTML for the new pages to disk. Similarly, if I move a page to another directory, Mozilla Composer leaves all the links in that moved page untouched. FrontPage checks all the links and automatically corrects them. As an editor, FrontPage also has some desirable features Mozilla Composer lacks, such as automatic in-line spell checking.

There are also some differences that take getting used to. For example, I'm writing this entry with FrontPage. As I reach the end of a paragraph, I press Enter once. FrontPage starts a new paragraph and skips a line. If you look at the HTML, you'll see that paragraphs in FrontPage begin with a <p> tag and end with a </p> tag, something like this:

<p>Here is the first paragraph text</p>
<p>Here is the second paragraph text</p>

Mozilla Composer works differently. I did yesterday's entry in Composer, and if you look at the HTML you'll see a slight difference. In Composer, when I reach the end of a paragraph and press Enter, it takes me to the start of a new line, but doesn't insert a blank line. So, in Composer, I press Enter twice to start a new paragraph, just as I would on a typewriter. Composer produces HTML that looks something like this:

<p>Here is the first paragraph text<br></p>
<p>Here is the second paragraph text<br></p>

Both versions render the same in a browser, though, so I suppose it doesn't make much difference.

Overall, FrontPage is a considerably more capable product, but I can live with Mozilla Composer on the Xandros box.

 



Wednesday, 30 June 2004



11:24 - I sent the following email to subscribers yesterday. I meant to post it here at the same time, but I forgot.

-------- Original Message --------
Subject: [RBT] Another critical IE exploit
Date: Tue, 29 Jun 2004 16:41:18 -0400
From: Robert Bruce Thompson
To: Subscribers

The SANS Internet Storm Center has announced yet another critical exploit against Internet Explorer, this one related to the Browser Helper Objects (BHO) commonly used by banks to extend the functionality of IE. This exploit subverts SSL and HTTPS security to give the malefactor access to passwords and other account information. For details, see (here):

This exploit is still more confirmation that the focus of these attacks has changed. Until recently, most viruses/worms/Trojans were mere vandalism perpetrated largely by teenage script kiddies looking for a cheap thrill. Most malware/spyware was, if sometimes skating gray areas of the law, at least intended for semi-legitimate purposes.

That has changed and is continuing to change. Several recent exploits have apparently originated with organized crime and the Russian Mafia. These folks are not playing games. Their intentions are clear. They want access to critical data such as username/password combinations that they can exploit to drain people's bank accounts and that will provide the raw material for identity theft. These folks are out to pillage your identity and your bank accounts, pure and simple.

The common thread through all of this is Outlook, Windows, and Internet Explorer (OWIE). If you continue to use these products, particularly IE, for personal work, you are risking having your bank accounts compromised and your identity stolen. As anyone who has been the victim of identity theft will tell you, recovering is a long, expensive process.

The risk is even worse in corporate environments. Imagine the result if a bank, law firm, or other business allows client/customer information to be compromised as a result of continuing to use software products with known severe security flaws. I expect the first lawsuit based on such a claim to occur in the near future, and I would expect it to be difficult to defend when competing software products without significant security flaws are so readily available. Even the Department of Homeland Security has suggested abandoning IE and using another browser.

At any rate, Internet Explorer, Outlook, and, to a lesser extent, Windows itself are security disasters just waiting to happen. I strongly encourage everyone to cease using IE as their default browser and replace it with an alternative. My own preference is Mozilla 1.7, but Mozilla Firefox or Opera is also an excellent choice. As to a mail client, I think Mozilla Mail 1.7 (included with the browser) is the best client available, much superior to Outlook. If you prefer a lighter-weight mail client, look at Mozilla Thunderbird.

Please take this seriously. Ignoring this problem won't make it go away. Download Mozilla, Firefox, or Opera, and start using it as your default browser. It's human nature to hate new things, but I promise you that if you use any of these browsers for a week, you'll come to prefer it to IE. Not only is IE riddled with unfixed and unfixable security holes, it hasn't been updated significantly for years. Any of these modern alternatives provides functions like tabbed browsing that you'll soon find yourself unable to do without. And you'll be a lot safer.

Here's one response from a local friend, which is pretty representative of several others:

-------- Original Message --------
Subject: RE: [RBT] Another critical IE exploit
Date: Wed, 30 Jun 2004 08:22:02 -0400
From: <name removed>
To: Robert Bruce Thompson

Hi Bob --

Thanks for the warning. Unfortunately, I have to use Internet Explorer, Windows, and Outlook and I cannot replace them with alternate products. What do you suggest?

On your work machine, yes. When we get you a personal machine installed, you don't have to use any of those, except perhaps Windows.

As far as your work machine, I'd take the following steps:

1. Ask your IT department contact what measures they recommend, and follow their recommendations. Ask them if it's okay for you to install Mozilla and use it as your default browser. Unless there's some web-based software your company uses that requires IE, you may be allowed to do that. I was under the impression that you were using Outlook Express (versus Outlook) for mail. If that's the case, you may be able to use Mozilla Mail as well.

2. Visit the Windows Update site frequently, and apply all Critical Updates. Be careful about applying Service Packs. You want them, but they sometimes break things that formerly worked. Again, ask your IT folks what to do. They'll probably tell you just to use Windows Update and install all updates and patches.

3. Keep your antivirus software updated. I think we set it to retrieve updated virus sig data every day. If not, we can do that. Also, set the AV software to scan every night at 2:00 a.m. or something (assuming you leave your system running).

4. Assuming your IT department approves, download and install a spyware checker such as Spybot Search & Destroy and/or AdAware. Scan for spyware frequently.

5. Set Outlook (if you're using it rather than Outlook Express) and IE to use their most secure settings by default. I can help you with that.

6. Don't put anything personal on your work system. Absolutely do not use it for anything involving your credit card numbers, SSN, and so on.

We can talk about all of this in detail at some point.

Which brings up the question of what to do on work computers. This person's situation is more difficult than most. She telecommutes, so she doesn't have her corporate IT department down the hall. My first inclination is to tell people that as far as their work machines go, it's not their problem. That's literally true, of course. It is or should be up to their IT departments to take the necessary steps to protect business machines.

But when someone's work machine is compromised, it becomes their problem in the sense that they have to deal with the fallout from the problem. When a telecommuter has problems, there's no one nearby to fix them. So it seems prudent to take steps to prevent problems from happening. The problem with doing that, of course, is that it's often a damned-if-you-do situation. Some corporations go so far as to make it a firing offense to install unauthorized software on a company machine.

Although I'm obviously competent to secure a computer against viruses/Trojans/worms and other attacks, I won't touch her notebook because I'm afraid I'll break something she needs. She uses a VPN to connect to her corporate network, and there's no way I'll mess with anything that might break that.

So what's the best advice for someone in this situation? I'm inclined to suggest that she ask her IT department for detailed guidelines, do what they suggest, and hope for the best. Of course, that may mean her work notebook will end up compromised, and the last thing she'll want to do is connect a possibly compromised machine to her home network, where it may infect her personal systems. What advice should I give her?

 



Thursday, 1 July 2004



10:30 - More bad news for Microsoft. US-CERT at Carnegie-Mellon University, which is now a part of the Department of Homeland Security, has updated their Vulnerability Note to recommend ditching IE.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

This is about the strongest phrasing one could expect in a government warning. People like me can be blunter, so I can say things like, "Dump IE. You're nuts if you continue to use it." The folks who wrote this warning were actually thinking, "Dump IE. You're nuts if you continue to use it.", but, since they were writing an official government document, they had to cover their asses and appear to be a bit more even-handed.

The final sentence is worse still from Microsoft's point of view, because what it says after being translated from bureaucratese is "Dump Windows. IE is tied so tightly to Windows that there's no way to make Windows acceptably secure."

There is not and never has been a technical reason for tying IE so closely to the OS. Microsoft did it back in the days when they were facing monopoly charges because they wanted IE to continue to be the dominant browser. The unexpected result is that they've made Windows itself a security disaster just waiting to happen. If it were possible to remove IE completely from Windows and substitute a modern, secure browser I'd have a lot less concern about continuing to use Windows. But it's not possible to do that. Microsoft has seen to that.

Back when the attacks were coming mostly from PFY script-kiddies, the problem was bad enough. Now that we have concerted efforts by organized crime and the Russian Mafia to rape and pillage our systems, the security flaws in Outlook, Windows, and Internet Explorer (OWIE!) are simply unacceptable. Microsoft says that Windows XP SP2 fixes all these problems--This Time For Sure. Uh-huh. How many times have we heard that, and the situation has gotten worse, not better. I have concluded that Windows is unfixable, short of literally re-writing it from the ground up.

I wish that weren't true. I like Windows. But it is true, and I see no solution but to change to another operating system. That's why I'm going hot and heavy with Xandros right now. Mac OS/X is another possible candidate, but I refuse to buy into Apple's proprietary hardware. If Apple had shipped OS/X for Intel systems, as they should have, I'd have bought a copy long ago and had done with it. But they haven't, so that leaves Linux as the clear choice.

Xandros gives me most of what I need for a desktop operating system. I have a copy of SuSE on the way, and that's what I'll run on my servers. I'll keep Windows systems around simply because I need them for doing screenshots for books, running astronomy software, and so on. But they'll be isolated from our network. This won't be an overnight thing. Barbara will be the last to convert to Xandros. But it's going to happen.

Security, or lack thereof, is only one reason. As I've said elsewhere, I don't trust Microsoft. Every update or service pack I apply makes me wonder what I'm doing to my systems. They're all more hag-ridden by DRM crap now than they were a year ago, and I don't see that process slowing down. Fundamentally, I don't trust Microsoft, and that's enough reason in itself to run something else.

 



Friday, 2 July 2004



11:50 - We had our quarterly Winston-Salem Astronomical League meeting last night. Barbara, Steve Childers, and Sean Childers all got their certificates and pins for completing the Messier Club requirements. We also discussed plans for our next field trip. Of course, it's been cloudy pretty much every new moon night for the last several months, so all we can do is talk about observing. Things may be looking up, though. July is usually better than the spring months, and the autumn is often wonderfully clear. Now if only we can remember how to set up our scopes.

Another female teacher is charged with having sex with an under-age student. She's 23, he's 14, and now she faces a 75-year prison sentence. That seems very harsh to me. Fire her, certainly. Make sure she is never allowed to teach again, sure. Give her a good caning, even.

But a 75-year prison sentence for engaging in consensual sex? That's absurd. I know many people will argue that the boy was under the age of consent and therefore the sex was not consensual. I think that's crap. In fact, this boy lucked out in the way that every heterosexual 14-year-old boy on the planet through all of history has dreamed of lucking out.

I maintain that there is no need for a legislated age of consent for boys or girls. Nature sees to that. It's called puberty. In the past, states that set an age of consent usually made it reasonable, often something in the 12 to 14 range for both boys and girls. There were several states that set the age of consent as low as 11. If I recall correctly Delaware at one time set the age of consent for girls at 7, which does seem low. But the point is that the age of consent was set at a reasonable level. It was intended to prevent sexual abuse of children, while recognizing that young people who had reached puberty were in fact no longer children but young adults. Nowadays, states have changed the laws to set the age of consent unreasonably high, and cases like this are the result.

Did Debra Beasley Lafave harm this boy in any way? Not that I can see. Ask any heterosexual guy what he would have done at age 14 if he'd been offered the opportunity, and whether getting laid at age 14 would have harmed him. If he's honest, he'll tell you he'd have jumped at the chance and remembered her fondly for the rest of his life.

Ms. Lafave did violate the trust placed in her as a custodian of children, and she should never again be trusted in such a role. But a 75-year prison sentence? That's outrageous.

With regard to Internet Explorer security, several readers emailed me to mention a product I'd forgotten existed. Here are a couple of representative messages:

-------- Original Message --------
Subject: OWIE! remediation
Date: Thu, 1 Jul 2004 14:11:48 -0700 (GMT-07:00)
From: Mike Garvey
To: Robert Bruce Thompson

You may want to look into XPlite,

http://www.litepc.com/xplite.html

as a way to mitigate some of the issues with Outlook, Windows, and Internet Explorer. Also SANS,

http://www.sans.org/rr/papers/index.php?id=1298

has a pretty good guide for new Windows users that has some value for experienced folk as well.

-------- Original Message --------
Subject: Re: [RBT] Another critical IE exploit
Date: Fri, 2 Jul 2004 06:25:01 -0700 (PDT)
From: SV
To: Robert Bruce Thompson

--- from yesterday's post:

> If it were possible to remove IE completely from
> Windows and substitute a modern, secure browser
> I'd have a lot less concern about continuing to
> use Windows. But it's not possible to do that.
> Microsoft has seen to that.

I'm not sure I've ever seen you discuss the LitePC products (www.litepc.com), but, with 98 & Me at least, I've installed many a copy w/ all the IE, ActiveX, etc., stripped out. I've yet to use it on 2000 (a LitePC 2K version wasn't out when I built my newest box) and I don't use XP at all. Just FYI...

JEFF

Thanks to everyone who mentioned XPlite. I did try using an early version several years ago, but I've never fully trusted the idea of stripping out stuff from Windows. Perhaps I should give it another try.

 



Saturday, 3 July 2004



 

 



Sunday, 4 July 2004



Independence Day


8:46 - Barbara is playing golf with her dad, and I'm waiting for the air conditioning guy to show up. When Barbara went downstairs, she found the unfinished part of the basement flooded with water from the air conditioner. We called the 24-hour service number, and the guy called back to say he'd fit us in sometime this morning. So, instead of taking a shower and doing laundry, I'm waiting for him to show up.


Friday night, Brian Bilbrey gave me administrative access to the mailserver, so I spent some time yesterday getting things reconfigured to minimize spam.

The first thing I did, at Brian's request, was get rid of general-delivery on my domains. That is, until yesterday any message addressed to any account name, whether it existed or not, on one of my domains was delivered to my main mailbox. Having things set up that way does have a couple advantages.

First, if someone mistypes my account name, I still get the mail. Barbara, for example, frequently gets messages misaddressed to barbra@ one of her domains rather than barbara@. With general delivery enabled, those messages still make it through. Second, it allows me to create usernames on-the-fly. For example, when I registered for Skype the other day, I just typed in skype@(this domain). That makes it very easy to filter inbound mail into folders, and also can be used to determine who's selling my address to spammers.

The downside of general delivery is that any message addressed to the domain ends up in my inbox. Some days I get literally thousands of those, from spammers that use brute-force address-guessing. When I talked to Brian Friday evening, he mentioned that I'd gotten 5,000+ messages like that the preceding day, and something like 4,000 the day before that. I never see more than a tiny fraction of those, of course. The RBLs and SpamAssassin kill nearly all of them, and Mozilla kills the rest.

Still, that meant that every morning I'd open Mozilla Mail and download hundreds of messages, nearly all of them spam. All but a tiny fraction of the spam was deleted automatically, but even so it was there. This morning, I opened Mozilla Mail and downloaded my overnight mail. There were 29 messages, none of them spam.
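
The general-delivery trade-off described above, modelled as an added example (it is not from the original entry and does not reflect the actual mail server's configuration). The domain `example.org`, the `robert` mailbox, and the alias and tag tables are assumptions; the example also assumes the known misspelling and the per-service address are kept as explicit entries once general delivery is off, which the entry does not say was done.

```python
"""Added illustration: catch-all ("general delivery") vs. explicit recipients."""
from collections import Counter

DOMAIN = "example.org"  # placeholder domain, not from the original page

# Constructed policy data (assumptions for this example).
MAILBOXES = {"barbara", "robert"}   # real accounts
ALIASES = {"barbra": "barbara"}     # known misspelling -> real account
SERVICE_TAGS = {"skype": "robert"}  # per-service address -> owner


def split_address(rcpt):
    """Return (local_part, domain) in lower case; local_part is '' if there is no '@'."""
    local, _, domain = rcpt.lower().rpartition("@")
    return local, domain


def resolve(rcpt, catch_all=False, catch_all_box="robert"):
    """Return the mailbox that receives `rcpt`, or None to reject the recipient."""
    local, domain = split_address(rcpt)
    if domain != DOMAIN or not local:
        return None                 # not our domain: never accept
    if local in MAILBOXES:
        return local
    if local in ALIASES:
        return ALIASES[local]
    if local in SERVICE_TAGS:
        return SERVICE_TAGS[local]
    # Unknown local part: general delivery accepts it, explicit policy rejects it.
    return catch_all_box if catch_all else None


def deliver(recipients, catch_all):
    """Count accepted messages per mailbox, plus the number rejected."""
    tally = Counter()
    for rcpt in recipients:
        box = resolve(rcpt, catch_all=catch_all)
        tally[box if box else "REJECTED"] += 1
    return tally


def leaked_tags(spam_recipients):
    """Per-service addresses seen as spam targets point at who passed the address on."""
    hits = set()
    for rcpt in spam_recipients:
        local, domain = split_address(rcpt)
        if domain == DOMAIN and local in SERVICE_TAGS:
            hits.add(local)
    return sorted(hits)


# Constructed inbound recipients: three legitimate, five guessed by a spammer.
LEGIT = [f"barbara@{DOMAIN}", f"barbra@{DOMAIN}", f"skype@{DOMAIN}"]
GUESSED = [f"{n}@{DOMAIN}" for n in ("admin", "sales", "info", "john", "webmaster")]

if __name__ == "__main__":
    print("catch-all on :", dict(deliver(LEGIT + GUESSED, catch_all=True)))
    print("catch-all off:", dict(deliver(LEGIT + GUESSED, catch_all=False)))
    print("leaked tags  :", leaked_tags(GUESSED + [f"skype@{DOMAIN}"]))
```

With general delivery on, every guessed address lands in the main mailbox; with it off, only the listed mailboxes, aliases and per-service addresses are accepted and the guesses are refused before any filter has to look at them.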

 
