User Journal

Journal Journal: Genuine (Dis)Advantage for Businesses 1

Recently, there have been a lot of articles talking about how business is generally staying away from Windows Vista, and they're giving all of these reasons such as compatibility, reliability, system requirements and the like, but the real reason you're not seeing the business side jump all over this OS isn't just these things. It's the Genuine Advantage.

For example, here where I work, we had Vista running everything most office workers need: Office, IE, SCT, even wIntegrate, which is an ancient terminal program from '96. There were three reasons we didn't go to Vista. One was the system requirements we were not quite ready to meet, another was that F-Secure (our virus scanning system) did not have an official Vista version at the time, but the real reason we decided to stay with XP even if all the above problems were resolved was simple. The Genuine Advantage is, for lack of a better word, a total pain in the ass.

In Vista there are two ways of handling corporate keys: one with a Key Management Server and the other with a Multiple Activation Key. Under KMS, you are required to have a KMS server on your network, tie it to DHCP and give it your VLK (which can be changed if your old key is pirated and propagated to networked PCs). Once you do that it will activate any Business version of Vista automatically every 3-6 months without entering any keys, but if the computer is no longer on the network (say a laptop) after 3 months, the system locks you out in a reduced functionality mode which can only be described as useless.

The second method, MAK, isn't much better. Basically, MS handles the KMS for you. This means that you don't have to worry about traveling users being disconnected from your network for too long since it works over the Internet, but now MS is handling your activations, and you have to contact them every time you hit your quota in order to activate more Windows, which isn't as bad as it sounds. According to MS, activation isn't counted against your licence count, and you can request indefinitely. However, if MS sees a huge activation spike (say your activation rate average goes from 100 a day to 10000000 a day) they disable your key (which brings us to reduced functionality mode for all MAK'ed PCs) and then you must go to each and every MAK managed PC and change the key to a new one supplied by MS.

So basically, to use Vista you either have a server on your network and pray no one's laptop cripples while they're on a business trip, or you contact MS until the break of dawn and pray that no one pirates your key so you don't have to touch 1000 crippled PCs with the dreaded "YOU ARE A PIRATE!" message. Add to the mix that under both of these systems, your company is sailing the high seas if one disgruntled employee decides to give out your corporate key to WAREZ R'US, or if the system is completely disconnected from the network (to be used as a secure storage platform or to run dedicated equipment, for example), and you've got a product that companies will avoid like the plague.

As for the other excuses, most businesses would have upgraded to Vista over time. The gleaming example of this is Windows 2000 to XP. There was no technical reason to go from 2000 to XP, but many businesses did it anyway over time and a service pack release. Now with Vista, you've got companies that are flat out saying they have no plans for Vista at all and are looking at Linux and MacOSX as alternatives, and I can guarantee that their IT depts are most likely looking at what hell they would have to go through to appease Vista Genuine Advantage and are throwing it out the window. It would be a safe bet that if MS changed the licencing scheme for Vista from Key Management Server/Volume Activation 2.0 back to Volume Activation 1.0 (the old method), adoption would be much higher than it is right now. Office 2007 doesn't have the "YOU ARE A PIRATE!" system built into it and still has the old VLK licencing system like XP. I can guarantee that its adoption in business is much higher than Vista's. I know we're using it here, but Vista is sitting on the shelf.

Maybe, hopefully, MS will see this and realize that the Genuine Advantage is looked at as a Genuine Disadvantage for business, that it is making corporate IT departments around the world look at their OS competitors and their earlier business-friendly versions of Windows, and that in the long run, the money it's saving by stopping piracy is not worth losing the corporate business that they've established over the past couple of decades.

Data Storage

Journal Journal: Is There a Flat-File Web Based Download Library Manager? 1

I'm looking for a web application for my site that can handle a file archive for some programs that I've written; particularly, something that allows me to upload files, post screenshots of the programs and leave feedback (ratings, reviews, etc.).

Unfortunately, I do not have that many MySQL databases for my web hosting account. I know I could switch hosts, but the price I'm paying for my current host is ideal and is basically overkill for what we use.

I've seen scripts like RW::Download, CFiles, and PAFileDB but they all require MySQL databases. I've also looked in the CGI Resource Index with not much better luck.

So, has anyone in the vast Slashdot community used anything similar to the above apps that uses a flat file database? Do they even exist? I really don't care if it uses PHP or Perl, but I don't have the SQL database to spare for any of the programs I've run into so far. File ratings would be nice and commenting would be ideal. File uploading by administrators of the system would also be nice but not exactly critical since I can FTP into the site. I would also like it to have its own page generation; that way I don't have to make a site full of links that I would need to update every time to add new files or functionality.

Security

Journal Journal: Anti-Virus software that works with Windows Vista

The below is a list of anti-virus software that is either in development for Windows Vista, or a beta is available. I will update this as I find out about more working scanners. Post a comment if I'm missing one and I'll add it.

Trend Micro
Computer Associates
Avast
Sophos
AVG
McAfee
Symantec
Microsoft

Just posting this if you just happened to buy into the hype that Vista is somehow stifling competition in the AV market.

Security

Journal Journal: Vista's UAC is Useless 2

One of the perks of my job is that I have to stay ahead of the game when it comes to the technical aspects of computer operation, which usually means beta testing new OSes. So over the last couple of days, I've been playing with the RC1 release of Vista. From what I've seen so far, however, I have come to a simple conclusion.

User Access Control in its current and default setting is absolutely useless.

I don't know what Microsoft is thinking here, maybe it's going to change down the line after release, but as it stands right now, it's useless, and here's why.

First off, when you first install Vista, it asks you to set a password for the administrator account, which is so far better than WinXP, but that's it. That account is your primary account. It doesn't force or even encourage you at install to create a user account and run that as your main account like most Unixes do. In other words, it creates accounts just like XP with a slight difference in what the administrator account can do to the PC, so it's slightly better than XP. This of course is a bad thing. But it gets worse.

To expand on the above, that "Administrator" account isn't really an Administrator account. It's more like a "Super Power User" account (probably since it is your default account after all). This so-called admin account can do a lot of things a real admin can do, but there are a lot of things it can't, such as releasing an IP address using ipconfig. This restriction is in the right direction when it comes to how the default account should respond, but they shouldn't be doing this to the only account that can possibly recover from a bad situation. If a PC gets infected with something that is Deep Penetrating, you're going to have a really bad day trying to clean it out with this account's access level.

Second, they did adopt a deep penetration stopgap like the Unixes, and anything you run that can adversely affect your machine is protected similar to the Unixes' root access prompt, but with one major flaw: no password prompt on the default administrator account! I can understand if the account didn't have a password, but it should damn well prompt you if you have one set. Now, it does prompt for the administrator password if you are running a user account, but let's face it, most users are going to use whatever Vista defaults to, and as of today, it's this neutered administrator account. I've said in the past (read my "Mythbusting Computer Security" journal entry) that I believe that the password prompt is useless since an idiot user will just put it in and deep infect themselves anyway, and I still stand behind that, but there are three reasons why these dialogs work relatively well in UNIX:

1) The frequency of the prompt itself. When it comes up in Unix, you know it's something big because you don't see it that often unless you're installing something or messing around with system settings. In Vista, simply copying files from your profile to your spare drive can get you this dialog, although RC1 is light years ahead of Beta 2 in this regard.

2) A threatening presence. You're using your computer when out of the blue this box shows up wanting an admin password for this program to do its thing. This forces people to 1) read the dialog and 2) think, since they need to conjure up their password. This will never protect a computer from a stupid user, but that simple pause will make cautious people second guess their judgement. When you have a simple yes/no prompt, a user will get so indoctrinated with the prompt that they will simply say yes no matter what they are running. Don't believe me? How fast can you click on "yes to all" when you're copying files into an already existing folder? Do you even read the dialog anymore? Did you realize you could be overwriting newer documents with older revisions of the same document?

3) It protects the system from other people messing with your computer if you happen to be away from your desk, since they would have to know your login password in order to screw things up.

So, basically, if you want to know how Vista feels and you don't have access to the Beta, simply download service pack 2 and install it, download a program, and run it. That security dialog you see is basically UAC for the administrator, albeit with a little less graphic flair and frequency. Now imagine seeing that dialog dim the whole screen and pop up when you click on anything in the control panel and you've got the Vista Experience.

What can be done to fix it? For starters, make the Administrator account a real Administrator, not a "super power user" with administrator as the user name, and force a password for the account. Second, the user's default account should be a "user" or "Power User" account and anything you do that needs UAC approval would require the administrator password. This would work exactly like the Unixes work and would stop most of the problems I've mentioned here.

Actually, XP does something similar to this at initial install. When you initially install XP, there's the administrator account and a "Your Name" account. The problem with XP is that the "Your Name" account is a full blown administrator. All they needed to do was force you to set a password for the administrator account and make that "Your Name" account a "user" or "power user" instead of a full blown "administrator". That would have fixed most of the security problems in XP right there. This coupled with Vista's UAC permission elevation would have been ideal.

Update 10/8/06: RC2 has come out and there are some minor changes. For one, it looks like they have gone back to a model similar to XP. Instead of having the "Super Power User" account called "Administrator", they have decided to go back to the "Your Name" system that XP uses. My guess is that testers didn't like their own account being called Administrator and MS wanted to do more account salting for extra protection. (Not like a malicious program couldn't get the account location anyway from a variable.) However, that appears to be the only change. It also still has the same prompting characteristics as RC1 using "Administrator", so this article is still relevant. I didn't test to see if the true Administrator account is accessible in any form, but I do know that it doesn't ask for a password for "Administrator" anymore. Hopefully it's truly blocked from being used in normal mode.

Sony

Journal Journal: How the PS3 will kill off Bluray.

I thought of something when Sony was talking about how cheap the PS3 was since Bluray was implemented, and it doesn't look good for Bluray. Basically, the PS3 is going to kill off Bluray, and I'll tell you why.

Let's say you're a manufacturer of equipment and are choosing which player to make. The HD-DVD player is easier to build and cheaper, while the Bluray player is more expensive but has more storage and possibly better quality video. Now, when you look at your bottom line you can sell an HD-DVD player for $500-$700 but your Bluray player will sell around $800-$1000.

Now, here comes Sony with their BluRay equipped $500-$600 PS3. You know that you'll be selling your Bluray player at a loss if you sell it any less than $800 and you know anyone that wants a Bluray player will just get a PS3 since it's cheaper. You also know you can't compete against it with Bluray but can easily compete with an HD-DVD player and even the XBOX 360 plus HD-DVD will be in that $500-$700 competitive range your player will be in.

As a manufacturer looking out for your shareholders, what are you going to build?

Basically, the PS3 will be the only Bluray player in the market because it will drive the market away from it and toward the cheaper HD-DVD. That is until Bluray drops in price, and by then, the format war will be over and HD-DVD will be the winner.

BTW, yes, there will be a ton of PS3s out there. But first off, on the day the PS3 launches, you're going to have an already established base of HD-DVD players out there at a cheaper price, and the 360 HD drive out there for $200 if you really want High Def movie viewing through your 360 for whatever reason. If you want Bluray, it's either a Sony PS3 at $500-600 or a Sony Bluray player at $1000 since no other company will dare make a Bluray player and try to compete against the PS3 at a price $200-$400 cheaper than they can physically build their own player at. Meanwhile, you'll have HD-DVD players out there from multiple manufacturers competing against each other, driving the price down on HD-DVD players way below the PS3 price point. The same thing happened with a majority of their other formats: Betamax, UMD, MiniDisc, Memory Stick and even 8MM video cassettes to a point (they took off in cameras but not in the VCR dept.).

A lot of people point out as a counter argument to the above the huge support for Bluray in the movie industry. First off, none of the movie companies (except Sony Pictures. Duh.) said they were exclusively supporting Bluray. They're all supporting it because they think the PS3 is going to take off and build a userbase. Kinda like what they thought the PSP was going to do for UMD, which so far has shown disastrous results in the movie sales department. As soon as these companies sense trouble (and Sony's not helping with delays, prices, and the like) they'll start supporting both formats, if not dump Bluray for HD-DVD. The same goes if HD-DVD flops: the HD-DVD supporters will drop it in a heartbeat and go both formats or all Bluray. So at this point, I would just assume that every movie company will support the format that wins, instead of them supporting either Bluray or HD-DVD.

The other argument I constantly hear is the storage difference between Bluray and HD-DVD. Sony did one hell of a job promoting space as the big reason for Bluray, but in reality, it doesn't mean anything other than you have the option to run longer length movies at higher bitrates. Why is it a moot point? Because the new formats support much higher compression movie files than DVD. Look at the UMD movie format (another Sony format). It had 1.8GB of space but can supposedly equal a 480i DVD (4-8GB) in video size, length and quality. How does it do this? It supports MPEG4, which has much higher compression than MPEG2 at the same quality level. Bitrate wise, you can only go so high before you can't tell the difference, so the only real advantage Bluray brings to the table is less disk swapping when you watch Titanic or LOTR, and the jury is out on whether you would even need to swap disks on the HD-DVD medium for any of these movies considering the new compression schemes both these players use. Simply put, Bluray may be great for storing computer files, but the size difference isn't going to make a huge difference quality wise to your movie viewing experience.

Google

Journal Journal: Hey Google! - OpenSearch Me!

With the amount of news Slashdot has been getting regarding Google and IE7, I decided to actually sit down and play with the IE7 beta to see what the fuss was about. What I found actually surprised me. IE7 is actually light years ahead of its predecessors when it comes to choice.

First off, to my surprise, when I installed IE7 on my main machine for the first time, Google was my default search engine. Why? Because I had the Google Toolbar installed and it adopted the setting that was set in IE6, which was Google as my default search. I'm actually amazed that MSN wasn't even on the list.

Second, IE7 is supporting an open standard when it comes to adding search providers called OpenSearch. They actually have a page Here that uses OpenSearch to add and set search providers and even set them as the default client. The selection is all over the board too, from Google (that's right) to even Wikipedia from the search bar.

Now, for the really surprising part. I got sidetracked from an MSN search to a live.com beta search when I tried to give the MSN search a shot. What happened was interesting to say the least. The blue search button in IE7 changed its drop-down button color to yellow (apparently it turns yellow when it detects OpenSearch data) and Windows Live Search was listed in the drop-down box as an entry with a yellow "This is New!" star next to the name. Under it was another menu choice that said "Add Search Providers" and allowed me to add it to the search bar and even set it as the default if I wanted to.

I delved into the source code on Live Search, and found out how this works. IE7 supports a new MIME type called application/opensearchdescription. This type refers to an XML file that enables this functionality to activate in IE7.

All Google would have to do is add this to the head of all of their search sites, make an XML file to tell IE7 what and how to add, and done. Right now, Google pops up a box in the upper right hand corner when it doesn't detect Google Search in IE7 which allows you to download a program that does this for you. In reality they didn't even have to go that far. All they had to do is support OpenSearch in their website, make a link to add the provider and it would do it all for them.

Now I'm not a Web Developer, and I'm sure that this would take a lot of time from Google, especially considering the size of Google, but it's seriously easy from the looks of it. The XML file and OpenSearch tag (Here's Live.com's search XML for an example, and in the head portion of the live.com search HTML is the tag (link title="Windows Live Search" type="application/opensearchdescription+xml" rel="search" href="http://www.live.com/search.xml") that activates the functionality) seem to be easy. I don't see why Google would be struggling with this.
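The autodiscovery described above, as an added example (not code from the journal entry, Live.com or Google): it finds the link tag in a page head, parses the description file it points to, and fills in the search URL template. The sample HTML, the description XML, the host search.example and the function names are constructed for illustration; the namespace and element names follow OpenSearch 1.1.

```python
from html.parser import HTMLParser
from urllib.parse import quote, urljoin
import xml.etree.ElementTree as ET

OSD_MIME = "application/opensearchdescription+xml"
OSD_NS = "{http://a9.com/-/spec/opensearch/1.1/}"

# Constructed sample page head, modelled on the link tag quoted in the entry.
SAMPLE_HTML = """<html><head>
<title>Example search</title>
<link rel="stylesheet" href="/site.css">
<link title="Example Search" type="application/opensearchdescription+xml"
      rel="search" href="/search.xml">
</head><body></body></html>"""

# Constructed OpenSearch 1.1 description (search.example is a placeholder host).
SAMPLE_OSD = """<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Example Search</ShortName>
  <Description>Constructed sample provider</Description>
  <Url type="application/rss+xml" template="http://search.example/rss?q={searchTerms}"/>
  <Url type="text/html" template="http://search.example/results?q={searchTerms}"/>
</OpenSearchDescription>"""


class SearchLinkFinder(HTMLParser):
    """Collect <link rel="search"> tags that advertise an OpenSearch description."""

    def __init__(self):
        super().__init__()
        self.providers = []  # list of (title, href) in document order

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rels = a.get("rel", "").lower().split()
        if "search" in rels and a.get("type", "").lower() == OSD_MIME and a.get("href"):
            self.providers.append((a.get("title", ""), a["href"]))


def discover_providers(html, page_url):
    """Return [(title, absolute description URL)] advertised by the page."""
    finder = SearchLinkFinder()
    finder.feed(html)
    return [(title, urljoin(page_url, href)) for title, href in finder.providers]


def parse_description(xml_text):
    """Return (ShortName, HTML search template) from a description document.

    The stdlib parser is used to keep the example dependency-free; for
    documents fetched from untrusted sites a hardened parser such as
    defusedxml is the safer choice.
    """
    root = ET.fromstring(xml_text)
    if root.tag != OSD_NS + "OpenSearchDescription":
        raise ValueError("not an OpenSearch 1.1 description document")
    name = (root.findtext(OSD_NS + "ShortName") or "").strip()
    for url in root.findall(OSD_NS + "Url"):
        template = url.get("template", "")
        if url.get("type") == "text/html" and "{searchTerms}" in template:
            return name, template
    raise ValueError("no text/html Url with a {searchTerms} placeholder")


def build_search_url(template, terms):
    """Substitute the percent-encoded query for {searchTerms}."""
    return template.replace("{searchTerms}", quote(terms, safe=""))


if __name__ == "__main__":
    for title, osd_url in discover_providers(SAMPLE_HTML, "http://search.example/"):
        print("advertised provider:", title, "->", osd_url)
    name, template = parse_description(SAMPLE_OSD)
    print(name, "->", build_search_url(template, "vista uac & ie7"))
```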

Frankly, and this is my opinion, Google should ignore Microsoft altogether and just keep doing what they've been doing for years: make a better search and web experience. Competing with Microsoft will just kill you because you get so caught up in the competition that you forget why you exist and screw up your core with stupid business decisions. Ask Netscape, Real and recently Palm what competing with Microsoft does to a company. Simply put, it scares the company into blinking, which MS takes advantage of in the long run. Meanwhile, Apple, who generally ignores what Microsoft is doing, can't keep people away from iPods even if they wanted to. Why? Because when MS starts saying they're competing with Apple, Apple laughs at them and releases something mind-blowing since they're focusing on their customer base rather than their so-called competition. Google is the iPod in the search engine business. They should start acting like it and keep leading the future instead of crying antitrust (like they're losing the search engine battle somehow. Microsoft is #3 behind Google AND Yahoo, and MSN Search has been listed in their browsers since IE3) and competing against a practically nonexistent rival.

Security

Journal Journal: Mythbusting Computer Security 4

I constantly see a ton of posts on Slashdot talk about security issues regarding their PCs. Most of these posts drive me up a wall because most of them seem to not understand how easy it is to infect a computer. Since I've gotten sick of posting the reasons every time a security issue comes up, I'm going to maintain them in this journal entry.

Myth #1: My machine is secure because it's running (Insert OS other than Windows here. Usually Linux or OSX)
First off, I'm not defending Windows. Windows XP with the default setup is bad. Really bad. But it's not the fault of the OS as much as it's the fault of the developers putting Convenience over Security. At least they are wising up with Vista.

First, understand that viruses are much different today than they were just 5 years ago, let alone 10. 10 years ago and through the DOS/Win9x period, there was one basic type of virus. This type of virus had the potential to do massive damage to the entire operating system, and totally FUBAR the PC. For the interest of this article, we'll call it a Deep Penetrating virus or Deep Virus.

Now in today's world, you have multiple user accounts and user permission operating systems becoming mainstream in the PC world, particularly the WinNT variants, Linux, OSX, etc. These operating systems can be affected by two different types of viruses: the Deep Penetrating Virus like DOS usually had to deal with, and the Shallow Penetrating Virus. The shallow virus is simply a virus that infects the user account of the person that is currently logged in and executing it.

Now generally speaking, most well set up OSes will give the user only user access. (Instead of XP's stupid give everyone Admin mode.) This user sandboxing allows only a shallow virus to infect a PC. A shallow virus cannot do as much damage as a deep virus, because a shallow virus cannot natively get access to the critical operating system's files, but that's where the fun begins. You see, all it takes is a local exploit that escalates user privileges and BAM, that harmless shallow virus is now a deep virus destroying everything on your drive. Also, if there is no local exploit that the shallow virus can use to escalate its privileges, it can still do network wide damage using the access it does have, such as DOS pinging someone, or spamming, or doing spyware/adware banner popping, etc. The only difference is that it only does it when that particular user is on instead of all the time.

Now, let's introduce the law of Stupidity into this equation...
The Law of Stupidity: 99% of computer users don't know what they are really doing.

Which brings us to John Q Ignoramus here. Now John is an idiot so his computer admin at work locks his work machine down. John gets an e-mail that says that if he opens this file, it will show him the Pam and Tommy Lee video. Since John really wants to see this file for some reason, he opens it, but nothing happens, so he just goes on his way, but in the computer itself it actually executed and infected his user account so it will start every time he logs in. Now every time he logs in, it's going to SPAM everyone in his address book mailing list about Pam and Tommy Lee or just plain stock SPAM, or it'll just send his address book mailing list to someone to SPAM them for him, or better yet, wait until it gets orders from some black hat to ping somecompany.com all day because the black hat stubbed his toe on his staircase and is looking for revenge, or download another program to take advantage of a recent exploit and delete everything on the hard drive including the OS. I'm sure your imagination could take over from here. Hopefully the admin realizes what's going on when he looks at what's sucking 90% of the company's bandwidth, because John won't care until it starts affecting him personally.

Now I know what all of you OSX guys are saying, so I'll address that next.

Myth #2: My OS is Secure because I run as a User account and any administrator privilege prompts for my Admin account, and I know better than to put that in

You might, but what about John above? Let's say he's now at home running the same setup as above except he knows his admin password for his machine. (After all, he owns it.) Now, since his computer at work is a POS in his mind, surely his high end PC will run the Pam and Tommy Lee video! So he runs it and instead of nothing happening, it prompts him for his admin password. "Well, I'll just type that in and my Pam and Tommy sex dreams will come true!" Bam!! His box is now the black hat's box, and you can turn your imagination back on again. Also, just as before, he is going to do nothing about it until he can't use the computer anymore because it's spamming and DOSsing all day instead of looking at the pretty girls on the interwebs.

Now, let's introduce the happy fun world of Social Engineering. If there's one thing you should look into, read up on anything you can find on Kevin Mitnick. This guy practically invented the term Social Engineering. He also went to jail for a few years because of it. Now in a nutshell, Social Engineering is the art of fooling/annoying someone into doing something that benefits you. This is by far the most powerful tool in the virus writer's arsenal. I've actually been fooled by it once while studying a file I absolutely knew was a virus. How, you ask? They simply made the icon for the executable file a folder icon. Since I had to unzip the virus out of the zip file the virus was in, my subconscious brain immediately thought folder and clicked on it, thinking subconsciously it was a folder created by the zip software with the virus in it. As soon as I did it I almost immediately realized what I did, was shocked, and had infected the VM with a virus. Now if someone who knows what they are doing can get tricked by something as simple as an icon change, imagine poor John.

Basically, all the black hat would need to do is make a shallow/deep virus hybrid that infects his user account and prompts you for the admin account every 5 minutes or so. Eventually, John will get so annoyed at the prompt that he will either put the password in hoping that it will stop the endless prompting, or make a mistake and put it in when he really wanted to put the password in for something else. Bam! Black hat 0wnage!

And, just for the sake of argument, the above applies if it takes a lot of steps to get a program to execute after you download it. You could have 20 complex steps involved and John will go through all 20 steps if he really wants to see Pam doing the naughty dance. (This also explains why Vista still gets infected.)

Myth #3: My machine will never get spyware, because I use (Insert Browser other than IE here. Usually Firefox)
This is my personal favorite. Yes, IE is bad (more on why below) and Firefox is seriously whipping its tail, but if you truly believe that a new browser will solve all your spyware problems, you're seriously mistaken.

First, why is IE so bad? One word: ActiveX. Microsoft in its infinite wisdom decided that it needed the answer to Java and it needed it YESTERDAY!!! OMG!!! If we don't compete with Java, the Java Box Sun's pushing will catch on, and rivers will run red with blood, and the antichrist will rise from the ashes of hell, ETC!!! So MS decided that the best (i.e. fastest) way to compete with Java was to make a whiz bang way to basically make it easier to install executable code on your machine with no sandboxing or execution security whatsoever. So you're probably asking "Then how does it protect users from malicious code?" where someone at MS raises their hand (probably some embodiment of a PHB) and says "Why, we make them digitally sign the program of course, because nobody will want to make a virus for ActiveX if they need to buy a digital signature!" Well, that works fine and dandy until Virus Inc. walks in, buys a digital signature and proceeds to revolve their business around spamming you to death. So simply put, if MS had made ActiveX properly and forced it to be confined to a sandbox like Java did, it never would have been as big a problem as it is today, but MS didn't look at security when they designed ActiveX, they looked at what customers (i.e. PHB) wanted that Java wasn't delivering, which was speed at the time. So someone at MS got the bright idea to run native code instead of run-time code, and BAM! ActiveX.

Now comes problem 2, which is single user Windows. Windows 9x ran as administrator (root) at all times regardless of who's logged in, so when you ran an executable file under Windows, it could do anything from show a spreadsheet to format your hard drive. Java, since it was sand-boxed, couldn't do this without prompting you like crazy that you were probably doing something stupid right now if a program was trying to do something malicious (not that John wouldn't just allow it anyway if it had anything to do with Pam). Even under 2000/XP, by default you're running as Administrator because they decided that running all those legacy programs was more important than security, so the problem still exists today.

How could MS fix it? Well, they could emulate the core OS run-time for ActiveX programs (or any executable called by IE for that matter) so that it's completely separate from the primary OS and anything that is run under it is effectively sand-boxed, or they could enforce permissions on the next OS release. (Which will somewhat fix it. See Myth #1.) It looks like for Vista they're choosing option 2, although IMHO they should remove all native legacy support from Vista and VM anything legacy in a kernel-space designed specifically for the legacy application, but that's another story.

So why are other browsers so secure when it comes to spyware? Simple: they don't support ActiveX. By not supporting ActiveX they avoid one of the big spyware conduits, but that's not the only way you get spyware. Don't believe me? OK, using your third party browser, download Kazaa (or just about any P2P app these days it seems) from their web site and then tell me you can't get spyware from a third party browser. I've seen spyware in so many installers it's practically an epidemic. Hell, even AOL's Instant Messenger is jumping on the bundle bandwagon and throwing WeatherBug adware around for fun. It's got to the point that most file sites are actively testing all of the installers they get for spyware intrusion and delisting them if they find spyware in them. So basically, that Rico Suave theme you downloaded has more than just Rico in it. It's probably got coolwwwsearch, SaveNow and god only knows what else.

And it doesn't stop there. Some of these Virus Inc's are trying Firefox extensions and Java on for size. At least the Mozilla Group is keeping them at bay, but for how long?

Myth #4: IE is insecure because it's merged into the OS/runs in Ring 0
IE doesn't run in kernel space and never did. It ran in and as the Windows shell. It's the same thing KDE does with Konqueror in Linux. Where this myth came from I'll never know. My guess is some evil manipulating clown out of one of those horror movies.

Now, that's not to say that there wasn't a problem with the way Microsoft did shell integration. They used to allow folders to have HTML files (namely folder.htt) to change the look of each folder. This was Really Stupid, and some viruses used it as a way in by exploiting IE. Fortunately, in the latest service packs of 2000/XP they disabled this "feature" (although they did not remove it; in theory a virus could turn it on for you, and another virus could infect using what the first virus turned on). Also keep in mind that you could turn web page view off on the older shells and this problem immediately goes away.

But even with the above problem, the shell integration didn't increase the risk. Case in point? Windows NT. It has its own file browser shell, and you can install IE on it and run it inside the Explorer shell without integrating it as the Explorer shell, and you'll get the exact same exploits that Windows NT would get if you installed IE as a fully integrated Explorer/IE shell. Even the folder.htt exploits would run on a non-integrated IE.

So what increased the risk then? Simple: the IE4 Security Zone implementation. Seriously, IE3 was the most secure browser MS has ever made. Why? Because there was only one single security zone and it was set to High; also, the ActiveX component in IE3 did not do auto install. If MS had stayed with this simple security model none of this would have ever been a problem, but in IE4 they decided that HTML on your machine or on your local network is safe. This was another Really Stupid move, and it's been going on for so long that IE7 might be the browser that finally fixes this stupidity once and for all by setting all the zones except restricted sites to medium security by default. Don't get me wrong, the zone idea is a sound one, and programs such as SpywareBlaster use security zones effectively, but if MS had implemented it right in the first place there would be a lot fewer viruses out there.

As for exploits, Myth #3 covers a lot of them, and code exploits can and will happen in Every Browser, Including Netscape, Opera, Firefox and even Konqueror. The difference here is that these guys write simpler and more manageable code, which results in faster turnaround time for patches. That's the Real advantage the other browsers have over IE, that and they didn't make stupid mistakes like Security Zones and ActiveX.

Myth #5: Windows XP can never be secured because of all the Security Holes
I'm calling BS on this one, and I'll tell you why. I work for a small private college. We have a laptop program for students as well as maintain some computer labs with desktops. The labs have had the same operating system (XP) on them for over two years under heavy usage, and not one of them ever had spyware/viruses or any of the other happy fun "screw your box" exploits that seem to plague every laptop 15 minutes after we hand it to a student. Why? Because we protect the lab PCs, that's why, and not with some exotic "erase the drive every time" solution like Clean Slate or the Shared Computer Toolkit. All we use is the built-in security protections and policies to protect the PCs from what would basically be described as PC hell. On the laptops, the students have admin access and can have a field day installing every porn and P2P program they find, and they get spyware filled almost immediately. I seriously had a laptop come in and it scored 17079 on Ad-Aware. I've yet to see Ad-Aware score anything above 50 cookies on any of the lab boxes because they can't install anything on them.

How easy is it? Well, it's not if you've never done it, and there's a lot of steps you have to go through, but basically all you have to do is 2 things:
-Remove the idiotic CREATOR OWNER permissions on the C:\, C:\Program Files, and C:\Windows folders. Turn off simple file sharing to see the permissions right.
-Make user accounts for everyone using the PC or get a domain to handle the user part.
-Not really necessary, but gpedit.msc is your friend as well if you're really dedicated.
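
An added example, not part of the original journal entry: a small Python audit for the first step above. It reads `cacls`-style listings for the three folders and reports every entry that lets a non-admin principal write, CREATOR OWNER included (an inherit-only entry that hands whoever creates a file or folder full control over it). The sample listing is constructed, and the function names and the trusted-principal list are assumptions made for the example.

```python
import re

# Folders the steps above single out, and the principals assumed to need write access.
PATHS = ["C:\\", "C:\\Program Files", "C:\\Windows"]
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
WRITE_PERMS = {"W", "C", "F"}  # cacls letters: Write, Change, Full control
WRITE_RIGHTS = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# One ACE: account, optional inheritance flags such as (OI)(CI)(IO), then the access.
ACE = re.compile(r"^(?P<acct>[^:]+):(?P<flags>(?:\([A-Z]+\))*)"
                 r"(?P<perm>[NRWCF]|\(special access:\))$")

# Constructed sample in the style of `cacls` output (not captured from a real machine):
# C:\ and Program Files still carry CREATOR OWNER, C:\Windows has been cleaned up.
SAMPLE = r"""
C:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    CREATOR OWNER:(OI)(CI)(IO)F
    BUILTIN\Users:(OI)(CI)R
    BUILTIN\Users:(CI)(special access:)
                       FILE_APPEND_DATA
    Everyone:R

C:\Program Files BUILTIN\Users:(OI)(CI)R
                 BUILTIN\Administrators:(OI)(CI)F
                 CREATOR OWNER:(OI)(CI)(IO)F

C:\Windows BUILTIN\Users:(OI)(CI)R
           BUILTIN\Administrators:(OI)(CI)F
           NT AUTHORITY\SYSTEM:(OI)(CI)F
"""

def parse_acls(text):
    """Return {path: [ace, ...]} where each ace is a dict of account/perm/rights."""
    acls, path, last = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        for p in PATHS:  # a new block starts with the folder path in column 0
            if line.startswith(p + " "):
                path, line, last = p, line[len(p):], None
                acls[path] = []
                break
        line = line.strip()
        m = ACE.match(line)
        if m and path is not None:
            last = {"account": m["acct"], "perm": m["perm"], "rights": []}
            acls[path].append(last)
        elif last is not None:  # indented line naming a special-access right
            last["rights"].append(line)
    return acls

def findings(acls):
    """List (path, account, access) for every untrusted principal that can write."""
    out = []
    for path, aces in acls.items():
        for ace in aces:
            special = WRITE_RIGHTS & set(ace["rights"])
            if ace["account"] not in TRUSTED and (ace["perm"] in WRITE_PERMS or special):
                out.append((path, ace["account"], "+".join(sorted(special)) or ace["perm"]))
    return out

if __name__ == "__main__":
    for path, account, access in findings(parse_acls(SAMPLE)):
        print(f"{path}: {account} has {access}")
```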

For people that are starting out, the Shared Computer Toolkit (the configuration part, not the hard drive protection part) can help you with a lot of the basic security settings if you're a novice to securing your machine, but it is not necessary to secure XP if you're familiar with the steps I mentioned above. Oh, and another thing. Stay away from the stupid Networking Wizard. Whoever thought that having the shared documents folder automatically open wide with read and write permissions when you run this was a good idea should be shot dead, then hanged, then the corpse should be burned while the body is still swinging on the rope and the ashes secured in order to keep the stupid sealed away for all eternity. I swear they made this feature so the Nimda virus could live forever.

You do those simple things, and XP is hard to crack. Not impossible by any means (it can still take a shallow virus hit but you can minimize the impact further by giving all users guest permissions so their profile gets deleted, or by using a mandatory user profile), but it's pretty solid. It only sucks out of the box because Microsoft wanted it to.

Myth #6: Open source software is more secure than closed source software, so I don't need to protect myself
Open source code tends to be higher quality code and has faster patch turnaround times. I won't dispute that. But that doesn't mean that it's totally secure. People make mistakes. Mistakes could go on for years undetected until that mistake turns into a major exploit.

A perfect example of this is the Linux kernel itself. It's been in development for years, been looked at by hundreds if not thousands of people, and they're Still finding security exploits in it. Is it Linus's fault, or the programmers', or the OSS model's in general? No. Mistakes happen, patches come out, and all is well.

Now don't get me wrong, Linux vs. the NT kernel is like night and day. There could be hundreds of NT kernel exploits that we or even Microsoft don't know about. Would there be fewer if NT was open source? Most likely, but I can make a safe bet that it would never be to the point where we could say, "Well we're finished, this kernel has absolutely no security holes in it whatsoever!" for either NT or Linux.

Although Open source can be more secure than closed source, no software should be considered totally 100% secure. That's why you should always plan for the worst case scenario when it comes to software and not rely on a single security point of failure. Spending the time to layer security measures Always Pays off in the end no matter what OS you use.

Myth #7: There are no Linux/OSX Viruses
There are viruses for Linux and OSX, nowhere near the amount Windows has, but they definitely exist.

The reason there aren't more comes down to three things:
-Smarter people running them
-Better security practices in the OS
-Small Market Share

First off, users of these systems, especially Linux, tend to be higher on the computer scale than the majority. I'd say they're somewhere in the top 10% of knowledgeable computer users. That's still somewhat dangerous, but nowhere near the 90-99% moron zone you'll find most in the Windows world hang in. This alone shrugs off some of the real simple social engineering scams right off the bat.

Second is that the security models were put into these OSes from day one. This is really easy when you don't have huge market share and don't care about compatibility, like Apple when they chucked OS9 for OSX but got a better system out of it, or Linux, which came from a background that has had 30+ years of security refinement. Microsoft doesn't want to go down the "chuck all the software out the window" road even though it would benefit them greatly, so they're stuck with less secure legacy code, which attracts virus writers because it's easier to exploit.

Third is their market share. Let's say you write software for Virus Inc. Are you going to attack the OS with A) 2%, B) 8% or C) 90% market share? I remember a time when my SAT coach said to answer C if you're not sure what the answer is, so I'm going with C. Notice that Firefox is starting to get a bullseye on it? That's because its browser market share is growing rapidly, and it's starting to attract some black hats. The same goes for OSes as well.

Keep in mind that although it's harder to infect these OSes and they have far fewer viruses, they still have a couple, and it's only going to get worse over time, so it makes more sense to be prepared than to be sorry when you get hit hard.

Myth #8: There are 180000+ Windows viruses
This is another favorite one of mine. OSX and Linux guys love waving this myth around. This semi-myth comes from your friendly neighborhood virus vendor.

You see, there are a lot of viruses for Windows, mostly because of the way MS makes it easy to exploit their OS as well as its dominance over other operating systems, but a good portion of that 180000 number is overinflated. For example, a lot of those viruses are variants of the same virus. Examples of these are the Netsky and Beagle variants. Beagle has got something around 70+ variants and Netsky is around 50+. Most of these variants do the same thing as their predecessors but are updated slightly to infect more PCs. Even if a source virus has a single byte change (for example, changing a string in a virus from "screw MS" to "screw M$"), it's classified as a variant of that source virus. Most AV firms count each variant as its own separate virus, as well as other programs such as jokes and spyware. That's why McAfee detects 178000+ viruses and Symantec, who only counts viruses and not variants, counts 72000+. Why do AV vendors do this? To say that they detect more than their competitor. I mean, what would you buy: the virus scanner that detects 72000 viruses or the virus scanner that detects 180000 viruses?
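
To make the counting difference concrete, here is an added example (not from the original entry or from any vendor): it takes one small set of constructed detection names and counts it both ways, every entry versus distinct virus families. The name layout, the Bagle/Beagle alias table and the category prefixes are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed detection names in two vendor-style layouts: platform, family, variant, suffix.
SIGNATURES = [
    "W32/Netsky.a@MM", "W32/Netsky.b@MM", "W32/Netsky.p@MM",
    "W32.Beagle.A@mm", "W32.Beagle.B@mm", "W32/Bagle.aa@MM",
    "Brain", "Joke-ScreenFlip", "Adware-SaveNow",
]
ALIASES = {"bagle": "beagle"}                  # same family under two vendor names
NON_VIRUS = ("joke-", "adware-", "spyware-")   # assumed category prefixes

NAME = re.compile(
    r"^(?:(?P<platform>[A-Z][A-Z0-9]*)[/.])?"   # optional platform, e.g. W32
    r"(?P<family>[A-Za-z][\w-]*?)"               # family name
    r"(?:\.(?P<variant>[A-Za-z]{1,3}))?"         # optional variant letter(s)
    r"(?:@\w+)?$"                                # optional suffix such as @MM
)


def classify(name):
    """Split one detection name into (family, variant); (None, None) for non-viruses."""
    m = NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised detection name: {name}")
    family = m["family"].lower()
    if family.startswith(NON_VIRUS):
        return None, None
    return ALIASES.get(family, family), (m["variant"] or "").lower()


def count(signatures):
    """Count the same database under each counting rule."""
    families, other = defaultdict(set), 0
    for name in signatures:
        family, variant = classify(name)
        if family is None:
            other += 1
        else:
            families[family].add(variant)
    return {
        "every_entry": len(signatures),   # variants, jokes and adware all counted
        "virus_variants": sum(len(v) for v in families.values()),
        "virus_families": len(families),  # one per source virus
        "non_virus": other,
        "per_family": {f: len(v) for f, v in sorted(families.items())},
    }


if __name__ == "__main__":
    for key, value in count(SIGNATURES).items():
        print(f"{key}: {value}")
```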

Now, 72000+ is a lot smaller, but even that number is somewhat inflated. Why? Because Symantec never removes legacy viruses from their databases (and they shouldn't), but you must understand that a virus circa 1990 has a very slim (to none) chance of infecting a Windows XP PC today and doing any kind of damage. First off, with NTFS replacing FAT as the default partition used by Windows today, most boot sector viruses simply cannot attach to NTFS and do any damage to it because they are obsolete and don't know how to cause damage to NTFS (or how to even read the hard drive correctly, for that matter). Also, Windows XP and Office 2003 are a lot different from the previous incarnations of DOS, Windows, and Office. Many viruses written for DOS, Windows 95/98 and Office 97 will not work in XP or Office 2003 since Microsoft has patched the holes the older viruses used to exploit, which also drops this number considerably. Removing Office (or not having it in the first place) from your PC also removes any macro virus threat that exploits Office to spread. Basically, that count is based on every virus that Symantec has found over the entire course of the PC, from Brain in 1986 to the latest Beagle today.

Now, even though you could possibly cut that 72000+ viruses in half and make it as low as 36000+ infection-capable viruses for Windows XP (I honestly don't know the real number; Symantec could possibly tell you), that number is still very high vs. other operating systems that did security over convenience, but it sure isn't 180000+.

Myth #9: Microsoft should focus on patching their OS instead of releasing a Free Antivirus product
This is a more recent myth that OSX/Linux people have been waving around since MS announced that they would release a free antivirus suite, and it has a simple answer.

You can't patch stupid.

Sounds simple, right? Or it sounds like an insult that Bill Clinton would say during the 92 campaign. Anyway, the point is that the computer is only as secure as the person in front of the PC, and if the user (most likely) falls within that "Law of Stupidity" I mentioned in Myth #1, then it's a disaster waiting to happen.

Let's say for the sake of argument that you have a magic "Fix" button that would immediately remove every single bug from every line of software code on your PC. So you push this Fix button and BAM! Your system is bug free. No bugs, no exploits, no problem, right? Well, let's give the magic button to John Q Ignoramus here and see what happens. He presses the button, removes all bugs from his system, sees a trojan horse masquerading as a Pam and Tommy Lee video program taunting him from his favorite web site, downloads and runs the program and all of a sudden he's sending spam! Wait a second! That's not supposed to happen! The Linux guy told me so!

What?! The Linux guy said I should have secured the PC first? Well, here's the magic "Secure" button that secures your PC to a user level! So first press the fix button to get rid of that nasty spam thing, then press the secure button to secure it down! Now John is a simple user on his exploit-free magic PC. He then sees the Pam and Tommy Lee video program on the desktop, and clicks on his dream of Pam's desire. Oops! He's sending spam again!! How, you ask? Because it's one of those shallow viruses I was talking about in Myth #1. It's running within his user account and doesn't need any privilege escalation to spam.

Hold it! The Linux guy screams! His system still isn't secure enough! Fine. It's time we turn that security button up to max security!! At this point, the only thing John can do is run legitimate programs that were originally installed by an IT professional in his user account, and every other executable is denied! So John sees the Pam and Tommy video, clicks on it and "access denied!" The Linux guy was right! M$ is out to take our money and destroy every other OS on earth! But wait!! This is John's computer! There is no IT Nazi trying to keep the man down by knocking John's door down and dragging him away from the keyboard every time he tries to fulfill his Pamela fantasy! He has a way to install programs on his own PC!! So he simply follows the procedure to install the Pam and Tommy Lee video program and his PC is spamtastic again. Linux guy foiled again!

I guess we could try the DRM button now, but I doubt the Linux guy would be for that, considering he thinks that DRM is a tool by "The Ballmer" to force Linux freedom fighters away from fertile PC ground, but I hear the OSX guy is all for it. Either way, it's not like Virus Inc. couldn't get it digitally signed.

Now I know that the Max Security example even invalidates AV software, since John would just click ignore to watch bosoms fly, but the point of the above was to illustrate that you can't patch stupid. How do I know? Because Vista's UAC was an attempt by Microsoft to patch Stupid. What did most people do with Vista's UAC? They either turn it off or immediately hit allow without a second thought. Windows 7 makes it prompt less but it still does nothing because to UAC, every program is bad, and people get indoctrinated with the prompt to the point that they never read it anymore. So much for patching stupid.

So how does AV software help if they just click ignore anyways? Well, first off, you get rid of ignore. Make it so you HAVE to deal with it by either quarantine or disinfection with quarantine for backup. That way, if it's a virus, problem solved, and if it's a false positive, you can restore it from quarantine.

Second, it's a prompt that you will not see every day, since it only appears when a virus is detected. People tend to read things that are less frequent than others. If you see a prompt once a month vs. a prompt 10 times a day, you'll probably pay more attention to the once a month one.

Third and most important, AV software has the potential to retroactively fix mistakes. If you did click on a 0 day virus that your AV software missed, chances are that within a week or less, your AV scanner will say you have a virus even though it allowed you to run it before. Nothing else short of an IT guy looking at your process list once a month can do this, although I'm assuming that your AV software can detect the file in the first place.

Basically, it all comes down to layering security to protect someone from themselves. That's why I believe that Antivirus software should be included in all operating systems free of charge.
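
The first and third points above, sketched as an added example (not code from any real AV product): a toy hash-based scanner whose only outcomes are allow or quarantine, which re-checks everything it previously allowed whenever its definitions update, and which can restore a false positive. File paths, contents and detection names are constructed.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class Scanner:
    """Toy hash-based scanner over an in-memory file store (dict of path -> bytes)."""

    def __init__(self, files):
        self.files = files       # stand-in for the disk
        self.signatures = {}     # sha256 -> detection name
        self.history = {}        # sha256 -> path of every file allowed to run
        self.quarantine = {}     # sha256 -> (path, bytes), kept so a mistake can be undone
        self.allowlist = set()   # hashes the user restored after review

    def _quarantine(self, digest, path):
        self.quarantine[digest] = (path, self.files.pop(path))
        return self.signatures[digest]

    def on_execute(self, path):
        """Called before a file runs. There is no 'ignore' outcome."""
        digest = sha256(self.files[path])
        if digest in self.signatures and digest not in self.allowlist:
            self._quarantine(digest, path)
            return "quarantined"
        self.history[digest] = path
        return "allowed"

    def update_signatures(self, new):
        """Merge a definitions update, then re-check everything that already ran."""
        self.signatures.update(new)
        caught = []
        for digest, path in list(self.history.items()):
            if digest in new and digest not in self.allowlist and path in self.files:
                caught.append((path, self._quarantine(digest, path)))
                del self.history[digest]
        return caught

    def restore(self, digest):
        """False positive: put the file back and stop flagging that exact hash."""
        path, data = self.quarantine.pop(digest)
        self.files[path] = data
        self.allowlist.add(digest)
        return path


def demo():
    # Constructed sample: bytes standing in for a trojan no definitions cover yet.
    files = {"C:\\Downloads\\video_player.exe": b"constructed zero-day sample",
             "C:\\Tools\\report.exe": b"constructed harmless tool"}
    av = Scanner(files)
    first = av.on_execute("C:\\Downloads\\video_player.exe")    # missed on day 0
    av.on_execute("C:\\Tools\\report.exe")
    update = {sha256(b"constructed zero-day sample"): "Trojan.Example",
              sha256(b"constructed harmless tool"): "Trojan.FalsePositive"}
    caught = av.update_signatures(update)                        # caught after the fact
    restored = av.restore(sha256(b"constructed harmless tool"))  # user reviews quarantine
    second = av.on_execute(restored)
    return first, sorted(p for p, _ in caught), restored, second, sorted(files)
```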

More as I think of them...

It's funny.  Laugh.

Journal Journal: The Batman Villains of IT 1

Working in IT you begin to realize quickly that most of the people you deal with have a tendency to have a certain persona to them when it comes to you working on their computer or how they use it.

After doing this for over 5 years it's got to the point where I've classified all of these personas into Villains from the 1966 Batman TV Series.

1) The Joker - Loves to send E-mail jokes all over the network. Also has a tendency to send every E-mail chain letter that enters his box to everyone on the network as well, regardless of how many times he's told that it's spam, not to do it, or both.

2) The Catwoman - Has an unhealthy fascination with cats. Usually has cats all over her office and/or desk. Most likely has a picture of a cat on her desktop, screensaver or both. Most likely has or has had at one time the felix deskmate or bonzi buddy. Will download and install anything that has a cat involved, whether it is adware, spyware or a virus.

3) The Riddler - Will constantly quiz you with questions about computing in general as soon as he sees you. Anything is fair game from "how much is it to buy this gadget?" to "How did I mess my computer up?" Tends to find your office to say hi and pick your brain for 30 minutes.

4) The Penguin - Uses Linux (or a UNIX variant, like MacOS or FreeBSD). Tries to convert everybody he sees to his holy crusade of stopping Bill Gates and his Microserf Army of conformity. Will constantly remind you how inferior M$ is and how Linux is the second coming. Constantly asks you to convert files to a Linux-friendly format or asks you to make something work that isn't compatible with Linux.

5) King Tut - Thinks he's king S#!+ of F*%! Mountain. Will constantly berate you the entire time you work on his PC. Will demand you do it his way or will go to your supervisor or above your Supervisor's head. Will call Tech Support constantly demanding that you fix his computer in five minutes right now and ignore everyone else in line even though he's had this issue for two weeks and decided to call you now about it.

6) Egghead - Thinks he knows more about computers than you do. Tends to give you advice that you've known for three years. Tends to read or own every "for Dummies", "Idiot's Guide to" and PC magazine with "X tips for doing X" he sees. Will download computer utilities from said books and proceed to FUBAR his machine. Blames the OS or the PC a lot when problems occur from said utilities.

7) Mr. Freeze - Has an uncanny ability to make any PC Crash. Will download every program he sees regardless if he uses it or not. Tends to have every spyware/adware/virus you've ever seen. Will lose critical data to the point that a forensic solution is the only recourse. Will have to have at least 3 OS reinstalls per year regardless of what OS he uses.

There are more villains in the 1966 series, but these are the more major ones that had more than a one-shot appearance. Some of the comic book ones would work well here too (like Poison Ivy, Two Face, etc.) but that's out of the scope of this list.
