Sunday, October 18, 2009

I told you so. I told you so.

Loath as I am to do it, today's post is a solid "I told you so". Not once, but twice.

First... in my last post ("You're a pirate, and you don't wash your hands") I suggested that you should turn off automatic updates, and examine security patches before applying them. Friday, ZDNet posted a story exemplifying what will happen to you if you don't heed this advice ("Microsoft exposes Firefox users to drive-by malware downloads").

Some time ago, Microsoft critically abused their Windows Update facility to sneak in a Firefox extension that was not requested, validated, or approved by the Firefox user. This was their ".NET Framework Assistant" add-on, which frankly, is not necessary for the operation of Firefox and "fixes" no Firefox deficiency or bug. Quite simply, Microsoft decided on their own to change the way a competitor's product works, and they abused your trust to do it without your knowledge. This isn't opinion, by the way, it's a statement of fact.

This same software, installed without permission, was left in place even after the abuse of trust was made public. Microsoft Security Bulletin MS09-054 warned of a critical remote code execution flaw which affected "Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8". What they fail to state is that, due to their abuse of trust and ineptitude, it also affects any Firefox browser that received the .NET Framework Assistant add-on.

This isn't the first time Microsoft has abused the Windows Update system to stuff in some unasked-for piece of code that changes the way your computer works...
Just so we're clear... I am not describing some tin-foil-hat scenario, or paranoid fear of what might occur. I am describing more than a tangible risk. It is a solid certainty that if you didn't heed my advice before, Microsoft has compromised the security of your PC without your permission. If you'll examine the links above, you'll see that Microsoft promised two years ago that they wouldn't do that sort of thing ever again. You'll also notice that two years ago the same brand of ineptitude also compromised security on XP machines.

Although Microsoft quite demonstrably has not learned from their mistakes, you can.
TURN OFF automatic updates, apply bug fixes AFTER EXAMINING what they are, and then ONLY if it's clear what the fix is for.



Second... I'm pretty vocal in my dislike for "cloud" computing. Here are links to a couple of my most recent thoughts on the subject:
My contention is basically this: you should never, ever, ever entrust your critical data solely to a third party. As described by Robert Vamosi at WindowsSecrets.com ("Press delete: the risk of outsourcing your data"), the reason is clear. You stand a very good chance of losing said data, with no recourse, and no chance of recovery. It's a very, very stupid thing to do.

Recently, thousands of users of T-Mobile's Sidekick service discovered that they had lost all of their contact data. All of it. (I'm not intending to prod, but Microsoft was behind that one, too.) For their part, T-Mobile offered their users a month of free service and $100 credit on stuff you buy from them in the future. Not $100 cash, but $100 off the additional money you send to them in the future.

Yeahh.... about that future thing....

The big question here isn't really "what caused the outage?" or "who's to blame?"... it's "why is this stuff dependent on a cloud server anyway?" Maybe in the future I'd re-think the way I store and sync that data.

And it's not just T-Mobile... the same link describes a Bitbucket outage. Google Docs has had several outages in recent months. The advice here isn't to avoid online services... often they're a convenient way to share information. BUT, for the life of your company, DO NOT depend solely on these services for storing your data safely.

Certainly, your own computers and hard drives can experience failures. The difference is this: You own your machine and your data. You can make backups and be assured that they are available to you. Most "cloud" services are not beholden to you for the integrity of the data at all. AT ALL. Don't believe me? Then look at the Google Terms of Service, which apply to all Google services, including Google Docs and Gmail. Pay particular attention to "15. Limitation of Liability", esp. 15.1(B)(iii), in which you learn that Google is not liable to you for...
THE DELETION OF, CORRUPTION OF, OR FAILURE TO STORE, ANY CONTENT AND OTHER COMMUNICATIONS DATA MAINTAINED OR TRANSMITTED BY OR THROUGH YOUR USE OF THE SERVICES;
In other words, they don't guarantee squat. They don't really have to do anything at all. You are completely and totally on your own with regards to liability. This isn't just common... it's universal. No online service guarantees its service. Go ahead and look for yourself.
Or just look at the terms of service of your preferred provider. If it's not clear enough from real-world examples, common sense, and the tacit admission of the innumerable vendors who absolutely refuse to warrant their services: cloud computing is inherently risky. DO NOT depend on it. When you do use it, use it for convenience, but keep your data on your hardware. All cloud vendors place the risk of using their services entirely with you. But all the responsibility in the world means exactly nothing without the empowerment to act to mitigate risks. So with regard to online services, your one iron-clad, inescapable, inflexible rule should be to never use a service that does not provide a simple means of synchronizing your data to a local datastore.

Monday, October 12, 2009

You're a pirate. And you don't wash your hands.

OK, maybe you're not, and you do. But according to the Business Software Alliance, 41% of all software on personal computers is pirated. In the U.S. that figure is around 20%, and it is higher in the rest of the world.

The funny thing is that this doesn't have to be the case at all. With OpenOffice.org, Firefox, Thunderbird, the GIMP, and other great Open Source packages around, there's no need to pirate software. And commercial software publishers don't want you to use their software if you haven't paid for it.

So stop it.

The main thrust of the report, entitled "Software Piracy on the Internet: a Threat to Your Security", is that people who download pirated software are more likely to have malware on their computer.

Well, duh. There are several reasons for that, and you don't need a 28-page report from the BSA to tell you that. Here are a few:

1. They (people who have pirated their software) don't generally apply security updates. This is either because they're afraid of being caught, wary of updates in general because they've been used by vendors in the past as "stealth" installers for new or changed functionality, or because they're locked out thanks to Genuine Advantage.

2. They are more likely to download other things and not be too picky about it. As opposed to your typical Open Source advocate, who is likely to look for the GPL license and source code availability as assurances of the quality and cleanliness of the software, pirates don't care. They're just looking for "free as in beer" programs. As a result, they are uber-suckers.... P.T. Barnum saw them coming over a hundred years ago.

3. A corollary to 2. is that they are less likely to have up-to-date anti-malware software and firewalls in place.

Of course, the report doesn't look much at the reasons, but focuses on the risks. Understandable, since focusing on the reasons would enable you to pirate safely, when in fact you should be discouraged from pirating at all. (I had to smile at one of the "risks" mentioned on page 12 of the report... that of "receiving an incomplete, altered, or trial version of the software". Much like the risk you take when buying a new computer with Microsoft software pre-installed.)

Pages 14 through 17 of the report are case studies exemplifying the nasty things that can be done to you if you're convicted of software piracy. This is followed by what the BSA does or does not support in the ways of laws and enforcement.

Pages 23 and 24 offer common-sense rules entitled "What Consumers Can Do to Protect Themselves". I don't disagree with any of them, but I find that the commentary that accompanies each step is one-dimensional, looking at it from a commercial angle only. Here are the BSA's recommendations along with my own commentary:

Trust Your Instincts. The BSA advises that if a price looks "too good to be true", then it probably is. This rule of thumb applies exclusively to commercial software. The price for many Open Source projects is zero. That's not "too good to be true," it's a new truth that you should be aware of.

Use Software Security Updates. Turn on update notifications, but turn off automatic updates. The problem with automatic updates is that software is changed on your machine without your knowledge. Then, when it comes time to identify malware, your job is made much harder because you can't tell why a core program was recently changed. Definitely, apply patches, and do it in a timely fashion. BUT... examine them first.

Look for a "Trust Mark". Absolutely. But here the BSA is talking about brands, and that limits your choice. Instead, they should be looking at actual trust marks, such as an OSI-approved license. See that mark to the right? That's a trust mark. You won't find it on commercial packages.

Do Your Homework. Google the open-source vendor. Ensure that the source code is in fact available. Take a look at the version number and make sure you're downloading a stable release.

Make Sure It's Authentic. I prefer to download from the project website on SourceForge or another trustworthy "forge" (my own VIC CRM is published on OpenNTF.org). Where the project publishes checksums or a signature for its release files, check them before you install. For the ultimate in assurance of authenticity, you can actually compile open source software from source code.
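As an added example (not code from the original post or from any project named here), this is the kind of check a download should get before it is installed: compare the SHA-256 of the file you fetched against the digest the project publishes in `sha256sum` format. The file name, the archive bytes and the checksum list are all constructed for the example; a real project's checksum file would be fetched separately, ideally verified with the project's signing key obtained out of band.

```python
import hashlib

# Constructed sample data: a tiny stand-in for a release archive, a tampered
# copy of it, and the checksum list a project would publish beside it.
RELEASE_NAME = "example-project-1.0.tar.gz"        # hypothetical file name
RELEASE_BYTES = b"original release contents"         # stands in for the archive
TAMPERED_BYTES = b"original release contents + one extra byte sequence"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, as sha256sum prints it."""
    return hashlib.sha256(data).hexdigest()


# Published checksum file in sha256sum format: "<hex digest>  <file name>".
# Built here from RELEASE_BYTES so the example is self-contained.
CHECKSUM_FILE = (
    f"{sha256_hex(RELEASE_BYTES)}  {RELEASE_NAME}\n"
    f"{'0' * 64}  other-file.zip\n"
)


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-style lines into {file name: hex digest}.

    A leading '*' on the name (binary mode marker) is dropped. Anything that
    is not a 64-hex-character digest followed by a name is rejected, because a
    silently skipped line would make a missing checksum look like a pass.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"digest is not hex: {line!r}")
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_download(data: bytes, name: str, checksums: dict):
    """Return (ok, reason). A file with no published digest is NOT ok."""
    expected = checksums.get(name)
    if expected is None:
        return False, "no published checksum for this file"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"checksum mismatch: expected {expected}, got {actual}"
    return True, "ok"


if __name__ == "__main__":
    table = parse_checksums(CHECKSUM_FILE)
    for label, blob in (("pristine", RELEASE_BYTES), ("tampered", TAMPERED_BYTES)):
        ok, reason = verify_download(blob, RELEASE_NAME, table)
        print(f"{label:9} {RELEASE_NAME}: {'PASS' if ok else 'FAIL'} ({reason})")
```

A checksum hosted on the same server as the download only proves the file was not corrupted or swapped in transit; if the server itself is compromised, both can be replaced together. That is why the stronger check is a detached signature over the checksum file (`gpg --verify`) against a key you obtained from somewhere other than the download page.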

Beware of Back-ups. You never have to worry about this with open source software.

Get the Seller's Address, If Possible. After all, you might want to send him a nice "thank you" for the software.

Understand the Transaction Terms. Look up the license at OSI.org and understand its terms. The first thing to understand is that nobody from the BSA can do to you any of the nasty things they list on pages 14-17 of their report if you use open source software.

Ensure Secure Payment. The BSA have this one 100% right: don't give your payment information unless you are sure you're connected to a secure website. Make sure the internet address begins with "https://", not "http://". Use a modern browser (such as Firefox) that will make it obvious that you're connected securely. Beware "secure" websites that have untrusted security certificates (you'll get a pop-up warning if the certificate is invalid or untrusted). Keep in mind what that padlock actually proves: that your connection to the domain shown in the address bar is encrypted and the certificate matches that domain. It says nothing about whether the people behind the domain are honest, so check the domain name itself, not just the padlock.

Sunday, October 11, 2009

Rupert Murdoch puts his foot in it AGAIN.

We've got our second story in a row on Rupert Murdoch, Soooper-Genius.

Over at Newsweek, Weston Kosova reports that Murdoch thinks Google is "stealing" his content, and wants them to pay him. According to Murdoch, linking == stealing. Definitely read Kosova's commentary, as he has it 100% correct.

Google doesn't steal anything from Murdoch. If you do a news search in Google, you get a list of links, including links to articles on FoxNews and other Murdoch properties. Click on any FoxNews link and you are taken to FoxNews itself. Murdoch's site, Murdoch's content, complete with Murdoch's ads and Murdoch's revenue.

Google provides Murdoch -- and everyone else, for that matter -- absolutely free advertising, which just happens to be the undisputed #1 most effective advertising on the Web. Murdoch gets that for free, and doesn't lose one single penny to Google for it, ever.

So what does this sooooper-genius want to do? That's right... he wants Google to pay him for the privilege of improving his business. The funny thing is that Murdoch can turn off Google's trawling any time he wants by editing his robots.txt file. Of course he won't do it. Why not? Because the moment he did so he would lose million$ by the minute.
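To show how little it takes, here is an added example (not from the original post, and not any real site's robots.txt) using Python's standard-library `urllib.robotparser`. The robots.txt text and the site name are constructed for the example; it shows that two lines aimed at Googlebot are enough to shut Google's crawler out of a whole site while leaving every other crawler untouched.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical news site: block Google's crawlers
# completely, let everyone else crawl everything.
ROBOTS_TXT = """\
User-agent: Googlebot
Disallow: /

User-agent: *
Allow: /
"""

SITE = "http://news.example"      # hypothetical host
SAMPLE_URL = f"{SITE}/story/123"  # hypothetical article


def load_rules(text: str) -> RobotFileParser:
    """Parse robots.txt text (as a site would serve it) into a rule set."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawler_access(text: str, url: str, agents) -> dict:
    """Return {agent: allowed?} for a URL under the given robots.txt.

    The parser matches a User-agent token as a case-insensitive substring of
    the crawler's name, so 'Googlebot' also covers 'Googlebot-News'.
    """
    rp = load_rules(text)
    return {agent: rp.can_fetch(agent, url) for agent in agents}


def google_blocked(text: str, url: str) -> bool:
    """True when Googlebot is refused while an unrelated crawler is not."""
    access = crawler_access(text, url, ["Googlebot", "Bingbot"])
    return (not access["Googlebot"]) and access["Bingbot"]


if __name__ == "__main__":
    for agent, ok in crawler_access(
        ROBOTS_TXT, SAMPLE_URL, ["Googlebot", "Googlebot-News", "Bingbot"]
    ).items():
        print(f"{agent:15} {'may fetch' if ok else 'blocked from'} {SAMPLE_URL}")
```

Note that robots.txt is a request, not an access control: it works because Google honors it, which is exactly the point of the post. Anyone who genuinely wants content kept out of Google's index has had this switch all along.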

Why doesn't this relic just admit that search engines are a boon to his business? Stupidity? Senility? Your guess is as good as mine. What is certain is that he'd rather extort money from Google than stop the linking, as he could do any time, in under a minute... so it's absolutely certain that "protection" of his content isn't his real agenda.