Monday, June 28, 2010

Dell Publicly Uncovered – Finally

Please read this NY Times article about a lawsuit against Dell.

Finally I have at least some independent third party support when the next customer wants to buy a Dell computer and has a hard time concealing his doubts about my competence when I advise against it.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

Click here for a categorized Table Of Contents.

Saturday, June 26, 2010

Thunderbird 3.1.* Finally Usable!

It has happened – finally! Yesterday Thunderbird (TB) version 3.1 was released and my two major gripes with the 3.0.* versions have been alleviated.

Upon the first start of TB after installing version 3.1 it asked if I wanted to install the CompactHeader add-on and the ExtraColumns add-on. I said yes to both and now TB version 3 has important functionality that I did not want to miss – and many customers had confirmed that choice.

Don’t despair if you miss above windows and questions or if you already have TB 3.* running without these add-ons. You can find and install the add-ons from this web page. Search for “Compact Header” and “Extra Folder Columns”, go to their description and download them. Don’t forget to install them after the download!

Happy emailing.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

Click here for a categorized Table Of Contents.

Friday, June 25, 2010

10 Myths of Safe Web Browsing

I found an interesting article written by a Sophos product manager. The man is generally correct but I was amazed at the amount of what I perceive as spin. To save you the trouble of downloading the PDF file I quote the 10 myths here verbatim and will give you my opinion right after each paragraph – if applicable nad indented for readability.

Sophos is one of the better anti-virus and computer security companies geared squarely at the business market; just their ant-virus solution for a single computer is priced at $186.25 and thus of little interest to the vast majority of my customers.

Myth #1: The web is safe because I’ve never been infected by malware
You may not even know you’re infected. Many web malware attacks are designed to steal personal information and passwords or use your machine for distributing spam, malware or inappropriate content without your knowledge. For example, one Sophos customer recently installed a Web Appliance at its network gateway and immediately flagged more than 50 machines on its network for suspicious behaviour—calling home to a malware network for further instructions.

Myth #2: My users aren’t wasting time surfing inappropriate content
Without any kind of web filtering, you really have no idea what users are doing with their internet connection. The fact is that more than 40% of corporate internet use is inappropriate and going unchecked—an average of 1 to 2 hours per day per user. To make matters worse, the potential for employees being exposed to inappropriate content can have serious legal ramifications to any organization. The internet is full of studies related to internet use in the work place, from gambling and pornography to less nefarious activity such as social networking and travel planning. Furthermore, incidents of internet addiction disorder are increasing, with current estimates suggesting up to 5% to 10% of internet surfers have some form of web dependency.
The author speaks of “users” meaning employees in a company. But do you really know what family members and friends do when they use your computer?

Myth #3: We control web usage and our users can’t get around our policy
Anonymizing proxies make it easy for employees to circumvent your web filtering policy and visit any site they like. Anonymizing proxies are readily available and regularly exploited by school kids and employees alike. Hundreds of new anonymizing proxies are published daily to keep ahead of web security companies and resourceful users have even been known to setup their own private proxy at home to enable them to surf the web freely and unchecked. If you don’t think this is an issue, you can simply Google “bypass web filter” to see there are over 1.8 million ways to do this.
And even middle school kids often already know how to do this!
Myth #4: Only porn, gambling, and other “dodgy” sites are dangerous
Hijacked trusted sites represent more than 83% of malware hosting sites. That’s correct. The majority of infected sites are websites that you trust and visit daily—they’ve just been hacked to distribute malware. Why? Because these sites are popular, high-traffic venues that silently distribute malware to unsuspecting visitors. Download the infected sites list to see just a small sampling of these kinds of sites.
Yes, 83% are trusted sites; it's gotten that bad. But don't go and try to find “the infected sites list”; I believe it does not exist. Should you find it please let me know!
Myth #5: Only naive users get infected with malware and viruses
Malware from drive-by downloads happens automatically without any user action, other than visiting the site. Therefore, it doesn’t matter what level of computer expertise you have. The fact is, if you are visiting sites on the internet, you are at risk. The infected sites list provides just a small sampling of recently infected sites that distribute malware. If you visit sites like these, you are at risk.
FUD! (Fear, Uncertainty and Doubt). I can forgive him, he is a marketing manager.
Myth #6: You can only get infected if you download files.
Most malware infections now occur through a “drive-by” download. Hackers inject the malicious code into the actual web page content, then it downloads and executes automatically within the browser as a by-product of simply viewing the web page. The malware is typically part of a professional exploit kit marketed and sold to hackers that leverages known exploits in the browser, operating system or plug-ins to infect the computer and download more malware. Again, it does all of this without a user having to do anything other than visit a hijacked web site. This graph shows the most popular exploit kits used in drive-by download attacks. Source:
Yes, he is basically correct.
But the graphics he links to are full of what I call spin; I strongly object to this.
If you are my customer or ever have listened to me on WTKM Radio you'll know how strongly I advocate to update, update and then update. To even test Internet Explorer 6 and 7 is in my opinion outright dishonest. Microsoft's main reasoning for creating new versions is improved security! Stay with an old version at your own risk.
And on top of it all we are not told what versions of Firefox 3 were used!
Myth #7: Firefox is more secure than Internet Explorer
All browsers are equally at risk because all browsers are essentially an execution environment for JavaScript, which is the programming language of the web and therefore used by all malware authors to initiate an attack. In addition, many exploits leverage plug-ins such as Adobe Acrobat reader software, which runs across all browsers. Although the more popular browsers may get more publicity about un-patched exploits, it’s the unpublicized exploits you should be most concerned about. The fact is, there is no safe browser; when security research firm Secunia tabulated the number of browser exploits reported in 2008, Firefox was actually the least secure by a large margin:Source:
The gentleman IMHO is a true master of marketing spin. All this based on data from 2008; in the super fast world of computers that is age old! Please see the end of this article for more background on Firefox vs. IE relating to the source quoted here.
Myth #8: When the lock icon appears in the browser, it’s secure.

The lock icon indicates there is an SSL encrypted connection between the browser and the server to protect the interception of personal sensitive information. It does not provide any security from malware. In fact, it’s the opposite because most web security products are completely blind to encrypted connections: it’s the perfect vehicle for malware to infiltrate a machine. Furthermore, some malware can exploit vulnerabilities to spoof SSL certificates to make users feel more secure or enable devious connections to fake banking sites. There are numerous recent examples of hackers creating elaborate phishing schemes that emulate bank, credit card, or PayPal sites complete with spoofed SSL certificates that are extremely difficult for the average user to identify as fraudulent. This is becoming an increasingly important security risk.
True; the lock icon only says that data transferred via the Internet is encrypted; this means your password and other data can not be understood by some crook passively listening to the Internet traffic with help of a sniffer or packet analyzer.
Myth #9: Web security requires a trade-off between security and freedom
While the internet has become a mission critical tool for many job functions, whether it’s Facebook for HR or Twitter for PR, it’s completely unnecessary to create a trade-off between access and security. A suitable web security solution provides the freedom to grant access to sites that your users need while keeping your organization secure. Policy settings for groups or individuals don’t need to be complex—a few quick steps through a wizard are all a user needs to secure and enable your organization.
When evaluating a web security solution, be sure to focus on the administration tasks you will use most often, such as establishing special policies for users or groups. How easy are these tasks? How much time do they take? How many steps are involved? Is documentation required to navigate through the process? Ask these questions and more.
Good marketing, isn't it?
Myth #10: Endpoint security solutions can’t protect against web threats
Typically, this has been the case because the web browser is essentially its own execution environment: It downloads content, renders it, and executes scripts all without any visibility outside the browser to endpoint security products. However, this is changing. As a result, it’s opening up a whole new approach to web security, particularly for mobile workers who are operating beyond the traditional boundaries of the corporate network. Be sure to check out the new Sophos Live Protection Web Filtering, which is part of our new Endpoint 9.5 security solution. Live Protection enables real-time malicious site filtering at the endpoint to protect mobile or remote workers who may be operating off the corporate network.
Now that we’ve busted several common myth’s and exposed the truth about web security risks, you’re probably thinking “Ok, how do I protect my organization and users?”. Good question. Fortunately, there’s a simple answer: Visit for more tips, tricks and more expert advice.

Now my comments.
So much for the scary world of myths. If you are still with me THANK YOU and congratulations for your determination.

Following myth #7 I promised to come back to the Firefox (FF) vs. Internet Explorer (IE) issue. For this purpose I have to insert a screen shot of the relevant part of the Secunia article the author quotes as his source.
 Yes, in 2008 there were more reported vulnerabilities in Firefox than in IE. What they don't say is that the FF vulnerabilities were fixed very timely compared to Microsoft all too often taking weeks and months to fix IE – if at all. It seems worth noting here that my Secunia PSI still claims that IE8 has a non-fixable vulnerability!

And look at the number of ActiveX vulnerabilities; almost 4 times as many as all the others TOGETHER! And as my customers know, ActiveX needs IE to be able to run! 
This makes it pretty clear to me that I seem to be on to something when I always say “Firefox is less insecure than IE”; even these old numbers show it!

To conclude this already way too long article here are three short quotes from this article:
  • The probability of a user getting infected from a malvertisement [malicious advertisement] is twice as likely on a weekend and the average lifetime of a malvertisement is 7.3 days.
  • 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as JavaScript widget providers, ad networks, and/or packaged software providers).
  • Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications
Especially the very last sentence makes me cringe. These Fortune 500 companies run outdated software, thus putting the safety of our computers, our data and in the end effect our money at risk. 
And the publishers of this, here ZDNet as an example for all the others, are not giving us the names of the companies in question; IMHO a clear (but maybe unconscious) case of collusion.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

Click here for a categorized Table Of Contents.

Friday, June 18, 2010

Letter To The Greeks (not Computer Related)


The following “Open Letter To The Greeks” was published in the German magazine “Der Stern”, best described as Life, Time Magazine, venerable (Saturday Evening?) Post and US News and World Report rolled into one. I received this text via email on a long and twisted path.

What strikes me most about it is the thought that one day some Chinese might write an astonishingly similar letter to the Americans.

This is an unauthorized free translation; please don't bust me.

Dear Greeks!
Do you know in your country the kind of money-aunt that for all childhood and youth has been feeding your piggy bank? The first bike, the first radio, your first vacation, she always added a few bills. And she expected nothing more than a friendly “Thank you” every once in a while.

Dear friends, this is a letter from your money-aunt. Don't worry, you're not even expected to say thank you.

The thing we are hoping for: Put yourself in our situation. Since 1981, over 29 years, we belong to the same family, the EU. In this time no other member of the family has paid as much money into the common budget as we did, a net of 200 billion Euro. And per capita nobody has received vaguely as much as you, altogether almost 100 billion net. About half of what we have poured into the EU pot, you have skimmed off with a big ladle.

In other words: Statistically over the years we Germans have given all you Greeks, from infant to the elderly, a gift of more than 9,000 Euro. Wasn't that nice, right? Probably there has never been a people voluntarily and generously supporting another people over such a long period of time. You truly are our dearest friends.

You have never asked how we fared in all those years . I suspect that even today you don't really want to hear anything about our worries But I'll tell you anyway:

Our roads are full of holes like old buildings because we lack the money for maintenance. Libraries and swimming pools have to be closed.  At night some cities have to turn off every other street light because otherwise they can't pay the electricity bill.

Since the introduction of the Euro unlike your wage increases our wages have had virtually no increase at all. And now we are expected to save you Greeks. That concern is just what we have been missing.

You did fairly earn our distrust: Every summer you set ablaze this beautiful land that God has given you and then you call for our fire department because you can't extinguish it yourself.

All of  you want to work in public service, but no one wants to pay taxes. If only a part of the reports that we read in the last few weeks are true, then you are only willing to work after you receive a bribe. Especially your doctors and hospital staff seem to ask for big bribes.  You are cheating yourselves whenever you can get away with it.

That does not matter to us. But you also deceive us. For many years. About that we do care. You collected EU subsidies for more olive trees than fit in all your country.

Obviously, you know something about accounting; to meet the stability criteria for the Euro you have systematically cooked and falsified your books; for years you've done that so well that [the EU government in] Brussels has not noticed anything.

In truth you have never deserved the Euro. Despite your fake data, since the introduction of the Euro Greece has never been able to meet the stability criteria. In 2006 you came up with  a neat sleight of hand to enlarge your GDP: You  just added the proceeds from money laundering, drug trafficking and smuggling in the annual economic output of your proud nation.

It just will not work out over decades to continually spend more money than you earn, to continually live out of other people's pockets, to continually deceive and trick – it never works out okay. Eventually the house of cards will collapse. Eventually is now. Strictly spoken you are bankrupt, bust.

Have no illusions. If [German chancellor] Angela Merkel promises "Greece will not be left alone" she is more concerned about us Germans than you Greeks. Our only concern is for our own future The trouble is: We are chained to you. If you drown, you draw us under water as well.

For example by the 300 billion debt, which you piled up over the years. About 30 billion of which belong to savers in German banks, given to you in the form of government bonds. Will you ever repay that?

Because of you the Euro is in free fall. We are facing inflation. This means that German savings accounts and life insurances for the future will always be worth less and less. And that is because of you. 

Of course you are strangers to such thoughts, for saving or investing is not your thing. You prefer to just spend  your funds. In the EU, Greeks are the people that squander by far most of their money for consumption.

The EU leaders have indeed decided that you should not receive any direct financial aid. For now. But you need help. And in the EU help in the end means more money; more precisely, our money.

Slowly it becomes clear to Germans: First, we had to rescue banks, now we need to save the Greeks and eventually all PIIG countries with rotten economies; the PIIGS are Portugal, Italy, Ireland, Greece, Spain.

A national bankruptcy of any one of these countries, experts exceptionally agree, would be a tragedy; the banking crisis would appear to be a comedy compared to this. Wise German constitutional lawyers have warned before the introduction of the Euro, warned that an Economic Union will not work without a political union.

They were right. Now we see the dramatic democratic deficit. We Germans depend on decisions of the Government of Greece. But we can not elect it. Only you Greeks can elect it, but you have completely different interests. We want your Prime Minister Georgios Papandreou to runs his austerity program. At least that. It would even be better if he accelerated the reforms.

But obviously you don't want that. You do what you always do: Your go on strike. Last week the public sector, next week all of you in a general strike.

Dear Greeks, if you go on strike next week, if you demonstrate, then you do not you protest against your government but against us. The Zorro, who has always saved you and whom you expect to do even more saving, that guy you kick right between his knees.

Dear Greek IRS officers, please do not go on strike next week, but finally get the taxes due from your millionaires by whom you have been royally paid for looking the other direction.

Dear Greek doctors, please do not go on strike next week but treat your patients; from now on without first asking for a money envelope. And then just pay the taxes on your income. Yes you have to order the next Porsche a year later. You will survive.

Dear retired Greeks, when in our country someone worked all his life he gets not even 40% of his average income as a pension. We are on the fourth place from last among the OECD countries.

And who is number one? Correct: You. Over 95% of your average income you allow yourselves as a pension. To get this done you again get deep into the bag of tricks:
You simply determine the amount of pension benefits not on the whole life, but only on the last three to five years of employment. Usually your employer pays you considerably more towards the end and again this increases your pensions. From the money that we have sponsored you with for almost 30 years, you have allowed yourselves a more comfortable retirement than we can afford. Does that seem fair to you?

So, dear pensioners in Greece: You are the generation that has caused this misery. Now is the time to keep the feet still, do not go to demonstrate and let the government pull through their savings plans.

And, dear citizens of Greece, do not excuse yourselves by saying that solely your politicians are to blame for the disaster. You did invent democracy and you should know that you, the people, govern and therefore are responsible. No one is forcing you to evade taxes, to accept bribes, to strike against any sound policy and to elect corrupt politicians.

Politicians are populists. They do exactly what you want. Surely some of you will now argue: You Germans, you are not better off at all. Right. A pension scheme in which nobody has any trust anymore. Pensions for civil servants that no one knows how to pay for in the future. A tax system that looks as invented  by experienced tax evaders. Above all a mountain of debt on a slippery slope that eventually will bury everything – we too have exactly these problems. And on this path of vice you're not as far ahead of us as many believe.

Long ago you Greeks have led the way, you have given democracy to the world, philosophy and first understanding of national economics.

Now you show us the way again.

Only this time it is the wrong path.

Where you are is a dead end road.

[signed] Walter W├╝llenweber [editor at Der Stern magazine]