User Journal

Journal: The Fable of the Wolves and the Sheepherders (or Why DNT Is Stupid)

The Do-Not-Track standard is stupid; in fact, it's so stupid that it makes less sense when used in a fable. So...

Once upon a time, there was a group of 4 sheepherders that tended to their sheep in the far, far away land of Internetia. Farmers Bill, Steve, Larry and Gary tended their flocks and would try to draw more sheep with either better grass, shelter from the weather, or protection from predators. It got so competitive that sheep from other farms would jump the fences because some farms offered better comforts than others.

One day, a large pack of wolves (Genus: advertis infectus) started eating the sheep. The farmers responded accordingly. Farmer Bill first bought a "Tracking Protection" caliber shotgun, which sometimes killed some wolves but would take about 10-30 shots before it killed them. Farmer Gary built a doghouse in which the sheep hired a German Adblockplus and a Dutch NoScript to protect them, which worked very well. Farmer Larry also built a doghouse, but it was not as nice as Farmer Gary's doghouse. Eventually a German Adblockplus moved in, but it would get sick due to the cold getting into the doghouse, and some wolves would get to the sheep. Eventually, Farmer Bill saw how well the sheepdogs worked and finally built a kennel of his own design to attract sheepdogs directly, but it was so badly designed that very few sheepdogs took the opportunity to live in it, and the few that did couldn't do their job well because they were sick all of the time. Farmer Steve didn't seem to do anything worthwhile, and the sheep were so enamored by Steve's aura and immaculate-looking farm that they didn't seem to care.

The wolves, losing many a comrade to the sheepdogs, decided they needed to take action. First they asked the grass to stop growing if the sheepdogs protected the sheep that hired them, but the grass didn't stop growing. Finally the wolves went to the World Carnivore Collection Consortium (W3C) and proposed the following treaty.

The farmers would have a can of red paint handy that the sheep could use to put a red X on their back. Any sheep with the red X on its back would not be touched by the wolves. However, according to the rules, the farmer could not paint the sheep himself.

Farmers Gary and Steve adopted the practice quickly. Some astute sheep noticed that the sheep with the red X never got attacked by wolves and put the red X on themselves, while other sheep didn't trust the wolves and still hired the sheepdogs. Farmer Larry wasn't too fond of the paint, since he secretly had a wolf as a pet, but eventually he made the red paint available as well and built a better doghouse for the sheepdogs.

Farmer Bill, on the other hand, saw an opportunity to turn this into a feature that could protect his sheep and draw some sheep from other farms, since so many sheep had jumped his fence to go to the nicer pastures of Firefox Ranch and Chrome Acres. But he had to find a way to follow the rules and still get as many sheep to put on the red X as possible. Then he had the solution. His solution was to ask the sheep if they wanted the default pasture experience. If they wanted the experience, all they had to do was put a red X on their back. Eventually all of the sheep in the 10th pasture had a red X on their back.

The wolves noticed all of the red Xs at the IE Corral and started crying foul. When Farmer Bill said he was following the rules and wouldn't change the policy, they first changed the treaty to not allow farmers to tell the sheep about the red paint, but the damage was already done, so the wolves decided to take a different approach to combat the problem. First they went to the Apache Fertilizer Co. and convinced them to add something to their fertilizer that, when ingested by any sheep in the IE Corral, would dissolve the red X on its back. Other wolves, such as the one named 'Yahoo', decided to ignore the red X on the IE sheep altogether and started attacking the sheep regardless of whether they had paint on their back or not.

Some sheep, as well as the other three farmers, started to hate what Farmer Bill did. They started to shout things like "The IE Corral is ruining the treaty!" and "Sheep with a red X are now at risk!" The other sheep, the ones that hired the sheepdogs, didn't seem to care, because they know that a wolf is a wolf, and when it's hungry it will jump on any sheep, red X or not. They know that the sheepdogs work, and that treaties and words don't.

I guess you can say the moral of this story is: don't expect wolf protection from wolves.

Microsoft

Journal: .NET Firefox Plugin Story Counter

If you had the .NET Framework Assistant plugin for Firefox and wanted to get rid of it, you would have had to get the update from Here or Here, install it, and then uninstall version 1.1. But apparently Microsoft and Mozilla agreed to blacklist the plugin, then agreed to unblacklist it, so the above is relevant again.

Why is this in my journal, you ask? Because it seems like once a month someone from Slashdot posts yet another version of this story complaining how evil the plugin is, so I figured I might as well make this post permanent so it saves me from typing and posting this again next month.

BTW, the story count is 6 for the people playing at home. Good luck finding these with Slashdot's search engine, but Google finds all.

Mozilla-Unblocks-Microsofts-NET-Addon
Firefox Disables Microsoft NET Addon
Sneaky Microsoft Add-on Put Firefox Users At Risk
MS Issued a Fix For Its Unwanted FireFox Extension
Microsoft Update Quietly Installs Firefox Extension
Microsoft Update Slips In a Firefox Extension

Security

Journal: Computer User Laws (In Soviet Russia, Trojan Exploits YOU!)

There is a set of laws that I like to keep track of for computer support purposes. Here are some of them.

Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will.
4) You can patch software, but you can't (legally) patch stupid.

Just about every security exploit you've ever seen exploits at least one of these rules. The exception to this is a self-propagating worm, such as Blaster, since it takes the human element out of the equation.

#1 deals with the populace as a whole. For example, in the US there are roughly 300 million people. That means roughly 3 million computer users know what they are doing. So basically, the population of Iowa has to do tech support for the entire US population. This also applies to smaller populations, such as businesses, universities and even developers, although it can vary much more widely in smaller populations.

Anyway, considering that rule, you must assume that trying to explain security issues or even computer usage is going to go in one ear and out the other when it comes to most of the populace. This makes it very difficult to stop most of today's malware threats, because most virus scanners can't keep up with the sheer number of malicious apps per day. So the best way to handle #1 in the security context is to minimize the infection vector as much as possible, to limit the choices users can make regarding crucial decisions, and to make automatic choices when the choice is clear. This is why most AV software today does not include an ignore option and most automatically clean. Which leads me to #2.

#2 deals with all users, even the 1% users, and is caused by habit. People tend to not read anything. You could have a box pop up saying "clicking OK in this box will format your hard drives", with an OK or Cancel button, and I would safely bet that you'll be recovering drives for a sizable number of people.

To handle #2, the best method is to have the user do a captcha of some sort. Many OSes do this with the administrator password prompt when you try to perform an elevated-privilege action. It's not foolproof, but it's better than nothing.

#3 is similar to #2. If presented with a button, a person will click on it. That simple. It doesn't matter what that button does, they will click it, even if they read the button and it says "to format hard drive click here". Even if they know that is bad, people will click the button simply because they think the button is lying, that is, until their hard drive is gone.

Handling #3 can be difficult. Like #1, you don't give the user something to click on. You hide or restrict it so that only experienced users that need to use it can. If it's not needed at all, don't even make the button. Although this isn't going to help if the button is designed to be malicious (like a malware site). This makes #3 the most exploitable of the rules.

#4 is a newly added rule. Basically it's there for the training crowd that believes training is all you need to fix the above. That almost never works. People will forget, people will ignore and people will just not care. Handling #4 means applying yet another rule taught to me by one of my college professors in my user interface design class: the "premise of monkey" rule.

The Premise of Monkey
If you can't train a monkey to use it, you can't train a human to use it.

It basically comes down to simplicity. Limit choices to the basic necessity of the program's functionality. The simpler it is, the easier it is to train and the fewer long-term problems you'll have with user error. If you can't fix stupid, make the interface for the stupid to use. I know it's got that Idiocracy vibe to it, but it works.

Now you're probably wondering how this leads to a system getting infected. For the example, let's say someone gets a pop-up that says roughly "0MG! j00 907 7EH V1RuZ!!" Rule #1 applies, so 99% of computer users are going to believe what the pop-up says, while the 1% know it's a malicious site. Rule #2 means they'll not read the message from their real virus scanner saying they're infected, because the blinking red "D4n93R!!!" banner and big red pulsating shield with a big white X from the malware site is easier to understand than the text message from the virus scanner they've had for the past 5 years. Rule #3 means they'll press the "Cl1Ck h3r3 70 Cl34N. H0n357!" button, then press Run, then bypass the "This is a malicious File!" prompt, then press Allow, and then put in their password, etc. And Rule #4 means it'll get infected 20 more times after you've formatted the drive 19 times to remove the last 19 rootkits, because they keep infecting it the same way over and over and over again.

The Internet

Journal: How Your ISP Defines "Unlimited Internet"

Before I go any further, let me make it clear that I'm for bandwidth management as long as it's net neutral. Which means if you're going to throttle bandwidth, throttle all bandwidth protocols equally and never block any ports or services (this method is somewhat followed by the NetEqualizer packet shaper, which agnostically targets bandwidth-hogging connections and only on peak demand by default). The only level of protocol filtering I would even think of supporting is if an ISP wants to prioritize their own network offerings, such as VOIP, over all other traffic. I'm for this just because if there's heavy traffic on my node, I would still like my phone to ring when someone calls. As soon as they start restricting or blocking other VOIP competitors such as Vonage and MagicJack to goad you towards their offerings, I'm done with them.

That being said, Comcast finally announced their new protocol-agnostic filtering service, and while it looks a lot better than the old "P2P MUST DIE!!" system they're currently using, people are still ranting about the 250GB cap. Every time a download cap is announced, I see this post constantly online and it drives me nuts.

"[ISP X] Advertises Unlimited Internet. Since they now cap, I'm going to sue"

Guess what. Even with the download cap, they're still fully compliant with the "Unlimited Internet" moniker.

How, you ask? Remember AOL? Remember all those disks you got that said "[X] Hours Free", where X is a number of hours? Back in the early 90's, most dial-up ISPs used to charge you for Internet access by the hour. After a few years, they decided to change that to monthly. Some ISPs, however, used to have an hour cap per month (primarily to free up a modem on their modem bank). The first ISP I ever used had this in their TOS, and you couldn't use more than 250 hours per month. If you did, they would turn you off until you paid for another month. Eventually, once they got enough modems to handle their user base, they dropped this from their TOS. I'll give you one guess how they advertised this TOS change.

Basically, when they say "Unlimited Internet", what they actually mean is "Always-on Internet". Why don't they just say "Always-on Internet"? It depends on the ISP. Some ISPs do use that in their advertising. Some felt, however, that it scared people into thinking that their always-online connection meant that their computer had to be on all the time, or that their computer could get infected by some magical virus that can infect your PC even when your PC is off. (This is no joke. An uncle of mine was leery of his always-on DSL line, and insisted on not using the Auto Connect feature on his PPPoE connection.) Since "Unlimited Internet" sounded better to a marketeer than "Always-on Internet" or "750 Hours a Month", they ran with "Unlimited Internet".

I'm no fan of caps, but as long as they don't cut you completely off during your monthly pay cycle (i.e. they drop you to modem speeds if you hit the cap), their advertising of "Unlimited Internet" would be truthful. It may not be completely honest, but neither are those infomercials that say you'll use a food dehydrator every single day.

Intel

Journal: Intel Turbo Memory is awesome.

I recently had to swap out my aging IBM R51 with a brand new Lenovo R61 at work. It's been a great PC so far, but one of the features of this laptop worked so well that I had to post about it.

The R61s we got this year have Intel Turbo Memory installed. Otherwise known as Robson, this is the Intel flash cache that supposedly speeds up your PC and saves battery life by turning an ordinary hard drive into a hybrid drive. Since I needed to learn Vista better, as I work on a lot of alternate-language laptops, I decided to take the Vista plunge and run Vista Ultimate on it.

I noticed immediately that the PC was more responsive with TM on than when it was turned off, especially on boot-up. Boot-up times were cut by 1/2 and in some cases 1/3rd. Programs that were frequently used seemed to load up faster. Turning TM off (which I had to do, since Symantec Ghost's Boot Wizard would not run with TM enabled) noticeably dropped the performance.

Battery-life wise, I didn't notice much of a difference, but it does seem to help out, since I could easily run the laptop for 3-4 hours with TM enabled. The laptop seems to last longer than the same laptops running XP (which doesn't use the TM module), and considering the process hog that Vista is, the battery of the laptop running Vista should last a lot less than the XP systems.

I've read reviews that state TM works better when there is less RAM present. The Vista system I'm using has 4GB of RAM (only 3GB is accessible since Lenovo only offers Vista Business in 64bit) on top of an Intel T9500 processor. I've also set the hard drive performance to Enhanced write performance, which caches everything it can to RAM for faster read/write speed. Even with this amount of RAM and these performance specs, it is very noticeable when TM is disabled vs. enabled.

Right now, TM is only supported by Vista. I would like to see it supported on another platform, such as OS X or Linux, to see if any similar performance gains could be achieved. I doubt it will ever be supported in XP, even though it looks like it was supported at one time. Maybe the netbook trend will bring TM to XP in the future.

As for Vista itself, this is the first time I've actually used Vista for one of my personal PCs. So far it hasn't given me any major problems (other than the Ghost Boot Wizard, which so far is the only program that crashed, and that was worked around). It is definitely slower than XP. I would say that its responsiveness is similar to our last year's R61s running XP (which have 2GB of RAM and a slower 1.7GHz Core 2 processor). It would definitely be slower if the TM module were not installed in these PCs. It also eats three times the RAM, at 1.4GB. So far, however, it's been OK running on this laptop since the specs are high. I'll know more a few months from now whether it can redeem itself or prove all the naysayers right, but so far it's been a smooth ride.

Mozilla

Journal: I used to hate IE Security Zones, Then I got Firefox...

With all the hype surrounding Firefox 3 these days, I decided to finally give it a try. The last time I used a Mozilla product was back during the Mozilla 1.7 days. Back then I liked the way Mozilla was laid out, but then Firefox took the spotlight and pushed Mozilla into obscurity. Add a few annoying bugs here and there and I just stayed with IE.

The first thing I noticed is that it has a robust plugin system. I quickly added some plugins for some settings I use in IE7. Unfortunately, there is one feature you cannot add to Firefox as far as I can tell, and that's Security Zones.

For the longest time, I looked at security zones as a dangerous security problem in IE. They were exploited a lot in the beginning, and some of the settings were set too low, especially when it came to the Intranet and Trusted Sites zones. But after playing with them for some time, I saw the potential that zones give you security-wise.

For example, there's a program out there called SpywareBlaster that really puts security zones to good use. Basically it's a blacklist that adds known badware sites to the Restricted zone. Spybot Search and Destroy also uses this in its immunize function.

Now when I browse in IE, every once in a while I'll notice that I'm browsing not in the Internet zone but in an Unknown (Mixed) zone. That usually means that the site I'm browsing is most likely calling an ad provider that's not too friendly. This alone stops most drive-by downloading and obnoxious Flash ads with sound right there. In Firefox, however, there is nothing like security zones. From what I can tell, it has a default method of browsing that it applies to all sites. The only things I found in Firefox that had site-by-site restrictions were for images and cookies. Which I guess is a start, but it would be nice if there was an exception section to block scripting too.

Since I didn't see this functionality built into Firefox, I started looking for plugins that would add similar functionality to Firefox. The closest thing I could find, however, was NoScript, which is a free security enhancement for Firefox. It does work well and increases security dramatically, but it's not quite the same. For one thing, it's a whitelist system. NoScript assumes that all sites are bad, and you have to allow sites on a site-by-site basis. While this is the most secure way of handling scripts, it also requires a lot of work for the user, especially if the user browses a lot of sites. From my experience, it works the same as 2003 Server's Enhanced Security Configuration without all of the annoying prompts that IE likes to show. Basically, if you went into IE, set the Internet zone to high security, changed the security of Trusted Sites from low to medium, and added every site you frequently browse to your Trusted Sites zone, you would have the same functionality. Although in IE it's more of a pain to add sites to zones than it is in NoScript, which is a bar above the status bar.

I guess what I would like to see is something akin to security zones in Firefox. It doesn't have to be like security zones so much as an "exception" section similar to the ones for the "load images automatically" and "accept cookies from sites" options, except for "Enable JavaScript". That would allow users to add a domain to it and disable all scripting from that particular domain, and would function as a blacklist. You could also add whitelist functionality as well, but just like IE's Trusted Sites zone, it could lead to sites adding themselves to the whitelist in order to attempt infection. Although I don't see how this would affect Firefox much, since if a site added itself to the whitelist it would still have to go through the Firefox security channels, unlike the IE Trusted Sites zone, which by default used to bypass IE security altogether until IE7 fixed that.

Generally speaking however, I'm pretty happy with Firefox so far. It's definitely come a long way since the Mozilla days.

Edit: I noticed that someone made a Firefox extension called YesScript that adds a blacklist feature to Firefox. Although it's a relatively new plugin, it works well. The only problem is that I can't figure out a way to add a group of sites to the program easily. If it had an option to import restricted sites from IE it would be perfect, since SpywareBlaster fills in Restricted Sites for IE. It has a minimalistic user interface that's basically an icon that you click on to allow or deny a specific site, which changes color if the site is blacklisted or whitelisted, although I wish that it also had an option to select specific domains contained in a site (such as ad banner domains).

It's a step in the right direction and this plugin is looking promising.

Edit: I finally found an acceptable answer in AdBlock Plus. It's an add-on for Firefox that blocks malicious sites similar to SpywareBlaster. It also automatically updates and blocks by reference as well as by URL. It's definitely the protection I was looking for, without the nagging "Cancel or Allow" protection I was not.

User Journal

Journal: The Amish Method

I posted this a few weeks ago on a news story about the College Opportunity and Affordability Act. It's so good I'm keeping it here for archival purposes, since at some point it might happen and I can say "I told you so!".

Frankly, there are only two ways you can stop piracy from happening on college grounds.

1) Buy everyone in the school music accounts to download music, thus raising the tuition, which enrages students, punishes students who prefer to buy their music at music stores, and will ultimately result in retention levels dropping in an already competitive market.

Or

2) The Amish Method. Cut the Internet cable, since there's nothing on the market that can assure 100% piracy-free Internet; ban all computers, since they can make MP3s using a line-in jack and a CD player; and ultimately ban electric power from everywhere on campus, since they could possibly use electricity to copy a tape with a boombox or operate an electric guitar.

But if you just cut the LAN Internet cord and force the students to go elsewhere, such as DSL or cable modems, to get their Internet, the problem is solved, right? Wrong! It doesn't matter. Have a computer lab in the college? Well, that can be used to download music or burn CDs or even make an MP3 file using the sound card's line-in jack. You'd better have a policy in place to spy on / restrict that lab to only authorized personnel. Of course, I guess you can disable the Internet and sound card and CD-ROMs and USB ports so that it's basically a dumb terminal, or use DOS 6.22 (can't use Windows: Sound Recorder is there and it makes it easy to pirate; maybe Windows 386 would work), but if you go that far down the line, you might as well switch over to typewriters. They have far less maintenance, are cheaper, and are surely more pirate-proof when it comes to movies and music.

And remember, they can pirate with that stereo in their room or play their favorite music riff on their electric guitar using college-supplied electricity. So once they do pirate the music using their liability-free network connection, they can burn it to CD and play it on their stereos or instruments, and BAM! Everyone in that dorm that heard it is a pirate! You'd better have a policy to arrest that guy, since he used your power grid network to broadcast his pirate booty to the entire dorm. Maybe fine the entire dorm, since someone may hum or whistle it down the hall.

At least the English, math and history professors would be happy with #2, since calculators would be banned and people would be forced to write their theses on parchment. Of course, Victrolas would have to be banned too, but it's hard finding a wind-up one these days. Maybe they'll come back in vogue.

User Journal

Journal: Genuine (Dis)Advantage for Businesses

Recently, there have been a lot of articles talking about how business is generally staying away from Windows Vista, and they're giving all of these reasons such as compatibility, reliability, system requirements and the like, but the real reason you're not seeing the business side jump all over this OS isn't just these things. It's the Genuine Advantage.

For example, here where I work, we had Vista running everything most office workers need: Office, IE, SCT, even wIntegrate, which is an ancient terminal program from '96. There were three reasons we didn't go to Vista. One was the system requirements we were not quite ready to meet; another was that F-Secure (our virus scanning system) did not have an official Vista version at the time; but the real reason we decided to stay with XP, even if all the above problems were resolved, was simple. The Genuine Advantage is, for lack of a better word, a total pain in the ass.

In Vista there are two ways of handling corporate keys: one with a Key Management Server and the other with a Multiple Activation Key. Under KMS, you are required to have a KMS server on your network, tie it to DHCP and give it your VLK (which can be changed if your old key is pirated and propagated to networked PCs). Once you do that, it will activate any Business version of Vista automatically every 3-6 months without entering any keys, but if the computer is no longer on the network (say a laptop) after 3 months, the system locks you out in a reduced functionality mode which can only be described as useless.

The second method, MAK, isn't much better. Basically MS handles the KMS for you. This means that you don't have to worry about traveling users being disconnected from your network for too long, since it works over the Internet, but now MS is handling your activations, and you have to contact them every time you hit your quota in order to activate more Windows installs, which isn't as bad as it sounds. According to MS, activation isn't counted against your license count, and you can request indefinitely. However, if MS sees a huge activation spike (say your activation rate average goes from 100 a day to 10000000 a day), they disable your key (which brings us to reduced functionality mode for all MAK'ed PCs) and then you must go to each and every MAK-managed PC and change the key to a new one supplied by MS.

So basically, to use Vista you either have a server on your network and pray no one's laptop cripples itself while they're on a business trip, or you contact MS until the break of dawn and pray that no one pirates your key so you don't have to touch 1000 crippled PCs with the dreaded "YOU ARE A PIRATE!" message. Add to the mix that under both of these systems your company is sailing the high seas if one disgruntled employee decides to give out your corporate key to WAREZ R'US, or if the system is completely disconnected from the network (to be used as a secure storage platform or to run dedicated equipment, for example), and you've got a product that companies will avoid like the plague.

As for the other excuses, most businesses would have upgraded to Vista over time. The gleaming example of this is Windows 2000 to XP. There was no technical reason to go from 2000 to XP, but many businesses did it anyway over time and a service pack release. Now with Vista, you've got companies that are flat out saying they have no plans for Vista at all and are looking at Linux and Mac OS X as alternatives, and I can guarantee that their IT departments are most likely looking at what hell they would have to go through to appease Vista Genuine Advantage and are throwing it out the window. It would be a safe bet that if MS changed the licensing scheme for Vista from Key Management Server/Volume Activation 2.0 back to Volume Activation 1.0 (the old method), adoption would be much higher than it is right now. Office 2007 doesn't have the "YOU ARE A PIRATE!" system built into it and still has the old VLK licensing system like XP. I can guarantee that its adoption in business is much higher than Vista's. I know we're using it here, but Vista is sitting on the shelf.

Maybe, hopefully, MS will see this and realize that the Genuine Advantage is looked at as a Genuine Disadvantage for business, that it is making corporate IT departments around the world look at their OS competitors and at the earlier business-friendly versions of Windows, and that in the long run, the money it's saving by stopping piracy is not worth losing the corporate business that they've established over the past couple of decades.

Data Storage

Journal: Is There a Flat-File Web Based Download Library Manager?

I'm looking for a web application for my site that can handle a file archive for some programs that I've written. Particularly, something that allows me to upload files, post screenshots of the programs and leave feedback (ratings, reviews, etc.).

Unfortunately, I do not have that many MySQL databases for my web hosting account. I know I could switch hosts, but the price I'm paying for my current host is ideal and is basically overkill for what we use.

I've seen scripts like RW::Download, CFiles, and PAFileDB, but they all require MySQL databases. I've also looked in the CGI Resource Index with not much better luck.

So, has anyone in the vast Slashdot community used anything similar to the above apps that uses a flat-file database? Do they even exist? I really don't care if it uses PHP or Perl, but I don't have the SQL database to spare for any of the programs I've run into so far. File ratings would be nice and commenting would be ideal. File uploading by administrators of the system would also be nice but not exactly critical, since I can FTP into the site. I would like for it to also have its own page generation, so that I don't have to make a site full of links that I would need to update every time I add new files or functionality.

Security

Journal: Anti-Virus software that works with Windows Vista

The below is a list of anti-virus software that is either in development for Windows Vista, or a beta is available. I will update this as I find out about more working scanners. Post a comment if I'm missing one and I'll add it.

Trend Micro
Computer Associates
Avast
Sophos
AVG
McAfee
Symantec
Microsoft

Just posting this if you just happened to buy into the hype that Vista is somehow stifling competition in the AV market.

Security

Journal: Vista's UAC is Useless

One of the perks of my job is that I have to stay ahead of the game when it comes to the technical aspects of computer operation, which usually means beta testing new OSes. So over the last couple of days, I've been playing with the RC1 release of Vista. From what I've seen so far, however, I have come to a simple conclusion.

User Access Control in its current and default setting is absolutely useless.

I don't know what Microsoft is thinking here, maybe it's going to change down the line after release, but as it stands right now, it's useless, and here's why.

First off, when you first install Vista, it asks you to set a password for the administrator account, which is so far better than WinXP, but that's it. That account is your primary account. It doesn't force or even encourage you at install to create a user account and run that as your main account like most Unixes do. In other words, it creates accounts just like XP, with a slight difference in what the administrator account can do to the PC, so it's slightly better than XP. This of course is a bad thing. But it gets worse.

To expand on the above, that "Administrator" account isn't really an Administrator account. It's more like a "Super Power User" account (probably since it is your default account after all). This so-called admin account can do a lot of things a real admin can do, but there are a lot of things it can't, such as releasing an IP address using ipconfig. This restriction is a step in the right direction for how the default account should behave, but they shouldn't be doing this to the only account that can possibly recover from a bad situation. If a PC gets infected with something that is Deep Penetrating, you're going to have a really bad day trying to clean it out with this account's access level.

Second, they did adopt a deep penetration stopgap like the Unixes, and anything you run that can adversely affect your machine is protected similarly to the Unix root access prompt, but with one major flaw: no password prompt on the default administrator account! I can understand if the account didn't have a password, but it should damn well prompt you if you have one set. Now, it does prompt for the administrator password if you are running a user account, but let's face it, most users are going to use whatever Vista defaults to, and as of today, that's this neutered administrator account. I've said in the past (read my "Mythbusting Computer Security" journal entry) that I believe the password prompt is useless since an idiot user will just put it in and deep infect themselves anyway, and I still stand behind that, but there are three reasons why these dialogs work relatively well in UNIX:

1) The frequency of the prompt itself. When it comes up in Unix, you know it's something big because you don't see it that often unless you're installing something or messing around with system settings. In Vista, simply copying files from your profile to your spare drive can get you this dialog, although RC1 is light years ahead of Beta 2 in this regard.

2) A threatening presence. You're using your computer when out of the blue this box shows up wanting an admin password for this program to do its thing. This forces people to 1) read the dialog and 2) think, since they need to conjure up their password. This will never protect a computer from a stupid user, but that simple pause will make cautious people second-guess their judgement. When you have a simple yes/no prompt, a user will get so indoctrinated with the prompt that they will simply say yes no matter what they are running. Don't believe me? How fast can you click on "Yes to All" when you're copying files into an already existing folder? Do you even read the dialog anymore? Did you realize you could be overwriting newer documents with older revisions of the same document?

3) Protecting the system from other people messing with your computer if you happen to be away from your desk, since they would have to know your login password in order to screw things up.

So, basically, if you want to know how Vista feels and you don't have access to the beta, simply download Service Pack 2 and install it, download a program, and run it. That security dialog you see is basically UAC for the administrator, albeit with a little less graphic flair and frequency. Now imagine seeing that dialog dim the whole screen and pop up when you click on anything in the Control Panel, and you've got the Vista experience.

What can be done to fix it? For starters, make the Administrator account a real Administrator, not a "super power user" with Administrator as the user name, and force a password for the account. Second, the user's default account should be a "User" or "Power User" account, and anything you do that needs UAC approval would require the administrator password. This would work exactly like the Unixes work and would stop most of the problems I've mentioned here.

Actually, XP does something similar to this at initial install. When you initially install XP, there's the Administrator account and a "Your Name" account. The problem with XP is that the "Your Name" account is a full-blown administrator. All they needed to do was force you to set a password for the Administrator account and make that "Your Name" account a "User" or "Power User" instead of a full-blown "Administrator". That would have fixed most of the security problems in XP right there. This coupled with Vista's UAC permission elevation would have been ideal.

Update 10/8/06: RC2 has come out and there are some minor changes. For one, it looks like they have gone back to a model similar to XP. Instead of having the "Super Power User" account called "Administrator", they have decided to go back to the "Your Name" system that XP uses. My guess is that testers didn't like their own account being called Administrator and MS wanted to do more account salting for extra protection. (Not like a malicious program couldn't get the account location anyway from a variable.) However, that appears to be the only change. It also still has the same prompting characteristics as RC1 using "Administrator", so this article is still relevant. I didn't test to see if the true Administrator account is accessible in any form, but I do know that it doesn't ask for a password for "Administrator" anymore. Hopefully it's truly blocked from being used in normal mode.

Sony

Journal Journal: How the PS3 will kill off Bluray.

I thought of something when Sony was talking about how cheap the PS3 was given that Bluray was included, and it doesn't look good for Bluray. Basically, the PS3 is going to kill off Bluray, and I'll tell you why.

Let's say you're a manufacturer of equipment and are choosing which player to make. The HD-DVD player is easier to build and cheaper, while the Bluray player is more expensive but has more storage and possibly better quality video. Now, when you look at your bottom line, you can sell an HD-DVD player for $500-$700 but your Bluray player will sell around $800-$1000.

Now, here comes Sony with their Bluray-equipped $500-$600 PS3. You know that you'll be selling your Bluray player at a loss if you sell it for any less than $800, and you know anyone that wants a Bluray player will just get a PS3 since it's cheaper. You also know you can't compete against it with Bluray but can easily compete with an HD-DVD player, and even the Xbox 360 plus HD-DVD will be in that $500-$700 competitive range your player will be in.

As a manufacturer looking out for your shareholders, what are you going to build?

Basically, the PS3 will be the only Bluray player on the market, because it will drive the market away from Bluray and toward the cheaper HD-DVD. That is, until Bluray drops in price, and by then the format war will be over and HD-DVD will be the winner.

BTW, yes, there will be a ton of PS3s out there. But first off, on the day the PS3 launches, you're going to have an already established base of HD-DVD players out there at a cheaper price, and the 360 HD drive out there for $200 if you really want high-def movie viewing through your 360 for whatever reason. If you want Bluray, it's either a Sony PS3 at $500-600 or a Sony Bluray player at $1000, since no other company will dare make a Bluray player and try to compete against the PS3 at a price $200-$400 cheaper than they can physically build their own player for. Meanwhile, you'll have HD-DVD players out there from multiple manufacturers competing against each other, driving the price of HD-DVD players way below the PS3 price point. The same thing happened with a majority of Sony's other formats: Betamax, UMD, MiniDisc, Memory Stick and even 8mm video cassettes to a point (they took off in cameras but not in the VCR department).

A lot of people point out as a counter-argument to the above the huge support for Bluray in the movie industry. First off, none of the movie companies (except Sony Pictures. Duh.) said they were exclusively supporting Bluray. They're all supporting it because they think the PS3 is going to take off and build a user base. Kinda like what they thought the PSP was going to do for UMD, which so far has shown disastrous results in the movie sales department. As soon as these companies sense trouble (and Sony's not helping with delays, prices, and the like) they'll start supporting both formats, if not dump Bluray for HD-DVD. The same goes if HD-DVD flops: the HD-DVD supporters will drop it in a heartbeat and go both formats or all Bluray. So at this point, I would just assume that every movie company will support the format that wins, instead of them supporting either Bluray or HD-DVD.

The other argument I constantly hear is the storage difference between Bluray and HD-DVD. Sony did one hell of a job promoting space as the big reason for Bluray, but in reality it doesn't mean anything other than that you have the option to run longer movies at higher bitrates. Why is it a moot point? Because the new formats support much higher compression for movie files than DVD. Look at the UMD movie format (another Sony format). It had 1.8GB of space but can supposedly equal a 480i DVD (4-8GB) in video size, length and quality. How does it do this? It supports MPEG4, which has much higher compression than MPEG2 at the same quality level. Bitrate-wise, you can only go so high before you can't tell the difference, so the only real advantage Bluray brings to the table is less disk swapping when you watch Titanic or LOTR, and the jury is out on whether you would even need to swap disks on the HD-DVD medium for any of these movies considering the new compression schemes both these players use. Simply put, Bluray may be great for storing computer files, but the size difference isn't going to make a huge difference quality-wise to your movie viewing experience.

Google

Journal Journal: Hey Google! - OpenSearch Me!

With the amount of news Slashdot has been getting regarding Google and IE7, I decided to actually sit down and play with the IE7 beta to see what the fuss was about. What I found actually surprised me. IE7 is actually light years ahead of its predecessors when it comes to choice.

First off, to my surprise, when I installed IE7 on my main machine for the first time, Google was my default search engine. Why? Because I had the Google Toolbar installed and it adopted the setting that was set in IE6, which was Google as my default search. I'm actually amazed that MSN wasn't even on the list.

Second, IE7 supports an open standard for adding search providers called OpenSearch. They actually have a page here that uses OpenSearch to add and set search providers and even set them as the default. The selection is all over the board too, from Google (that's right) to even Wikipedia from the search bar.

Now, for the really surprising part. I got sidetracked from an MSN search to a live.com beta search when I tried to give the MSN search a shot. What happened was interesting to say the least. The blue search button in IE7 changed its drop-down button color to yellow (apparently it turns yellow when it detects OpenSearch data) and Windows Live Search was listed in the drop-down box as an entry with a yellow "This is New!" star next to the name. Under it was another menu choice that said "Add Search Providers" and allowed me to add it to the search bar and even set it as the default if I wanted to.

I delved into the source code on Live Search and found out how this works. IE7 supports a new MIME type called application/opensearchdescription+xml. This type refers to an XML file that enables this functionality to activate in IE7.

All Google would have to do is add this to the head of all of their search pages, make an XML file to tell IE7 what to add and how, and done. Right now, Google pops up a box in the upper right-hand corner when it doesn't detect Google Search in IE7, which allows you to download a program that does this for you. In reality they didn't even have to go that far. All they had to do is support OpenSearch on their website and make a link to add the provider, and it would do it all for them.

Now I'm not a web developer, and I'm sure that this would take a lot of time from Google, especially considering the size of Google, but it's seriously easy from the looks of it. The XML file and the OpenSearch tag seem to be easy. (Here's Live.com's search XML for an example, and in the head portion of the live.com search HTML is the tag (link title="Windows Live Search" type="application/opensearchdescription+xml" rel="search" href="http://www.live.com/search.xml") that activates the functionality.) I don't see why Google would be struggling with this.

Frankly, and this is my opinion, Google should ignore Microsoft altogether and just keep doing what they've been doing for years: make a better search and web experience. Competing with Microsoft will just kill you because you get so caught up in the competition that you forget why you exist and screw up your core with stupid business decisions. Ask Netscape, Real and recently Palm what competing with Microsoft does to a company. Simply put, it scares the company into blinking, which MS takes advantage of in the long run. Meanwhile, Apple, who generally ignores what Microsoft is doing, can't keep people away from iPods even if they wanted to. Why? Because when MS starts saying they're competing with Apple, Apple laughs at them and releases something mind-blowing, since they're focusing on their customer base rather than their so-called competition. Google is the iPod of the search engine business. They should start acting like it and keep leading the future instead of crying antitrust (like they're losing the search engine battle somehow; Microsoft is #3 behind Google AND Yahoo, and MSN Search has been listed in their browsers since IE3) and competing against a practically nonexistent rival.

Security

Journal Journal: Mythbusting Computer Security 4

I constantly see a ton of posts on Slashdot talking about security issues regarding their PCs. Most of these posts drive me up a wall because most of them seem to not understand how easy it is to infect a computer. Since I've gotten sick of posting the reasons every time a security issue comes up, I'm going to maintain them in this journal entry.

Myth #1: My machine is secure because it's running (Insert OS other than Windows here. Usually Linux or OSX)
First off, I'm not defending Windows. Windows XP with the default setup is bad. Really bad. But it's not the fault of the OS as much as it's the fault of the developers putting Convenience over Security. At least they are wising up with Vista.

First, understand that viruses are much different today than they were just 5 years ago, let alone 10. 10 years ago and through the DOS/Win9x period, there was one basic type of virus. This type of virus had the potential to do massive damage to the entire operating system and totally FUBAR the PC. For the interest of this article, we'll call it a Deep Penetrating virus or Deep Virus.

Now in today's world, you have multiple user accounts and user-permission operating systems becoming mainstream in the PC world, particularly the WinNT variants, Linux, OSX, etc. These operating systems can be affected by two different types of viruses: the Deep Penetrating Virus that DOS usually had to deal with, and the Shallow Penetrating Virus. The shallow virus is simply a virus that infects the user account of the person that is currently logged in and executing it.

Now generally speaking, most well set up OSes will give the user only user access (instead of XP's stupid give-everyone-Admin mode). This user sandboxing allows only a shallow virus to infect a PC. A shallow virus cannot do as much damage as a deep virus, because a shallow virus cannot natively get access to the critical operating system files, but that's where the fun begins. You see, all it takes is a local exploit that escalates user privileges and BAM, that harmless shallow virus is now a deep virus destroying everything on your drive. Also, if there is no local exploit that the shallow virus can use to escalate its privileges, it can still do network-wide damage using the access it does have, such as DoS pinging someone, or spamming, or spyware/adware banner popping, etc. The only difference is that it only does it when that particular user is on instead of all the time.

Now, let's introduce the law of Stupidity into this equation...
The Law of Stupidity: 99% of computer users don't know what they are really doing.

Which brings us to John Q. Ignoramus here. Now John is an idiot, so his computer admin at work locks his work machine down. John gets an e-mail that says that if he opens this file, it will show him the Pam and Tommy Lee video. Since John really wants to see this file for some reason, he opens it, but nothing happens, so he just goes on his way, but on the computer itself it actually executed and infected his user account so it will start every time he logs in. Now every time he logs in, it's going to spam everyone in his address book about Pam and Tommy Lee or just plain stock spam, or it'll just send his address book to someone to spam them for him, or better yet, wait until it gets orders from some black hat to ping somecompany.com all day because the black hat stubbed his toe on his staircase and is looking for revenge, or download another program to take advantage of a recent exploit and delete everything on the hard drive including the OS. I'm sure your imagination can take over from here. Hopefully the admin realizes what's going on when he looks at what's sucking 90% of the company's bandwidth, because John won't care until it starts affecting him personally.

Now I know what all of you OSX guys are saying, so I'll address that next.

Myth #2: My OS is secure because I run as a User account and any administrator privilege prompts for my Admin account, and I know better than to put that in

You might, but what about John above? Let's say he's now at home running the same setup as above, except he knows the admin password for his machine (after all, he owns it). Now, since his computer at work is a POS in his mind, surely his high-end PC will run the Pam and Tommy Lee video! So he runs it, and instead of nothing happening, it prompts him for his admin password. Well, I'll just type that in and my Pam and Tommy sex dreams will come true! Bam!! His box is now the black hat's box, and you can turn your imagination back on again. Also, just as before, he is going to do nothing about it until he can't use the computer anymore because it's spamming and DoSsing all day instead of showing him the pretty girls on the interwebs.

Now, let's introduce the happy fun world of Social Engineering. If there's one thing you should look into, read up on anything you can find on Kevin Mitnick. This guy practically invented the term Social Engineering. He also went to jail for a few years because of it. Now in a nutshell, Social Engineering is the art of fooling/annoying someone into doing something that benefits you. This is by far the most powerful tool in the virus writer's arsenal. I've actually been fooled by it once while studying a file I absolutely knew was a virus. How, you ask? They simply made the icon for the executable file a folder icon. Since I had to unzip the virus out of the zip file the virus was in, my subconscious brain immediately thought "folder" and clicked on it, thinking subconsciously it was a folder created by the zip software with the virus in it. As soon as I did it I almost immediately realized what I had done, and was shocked, and had infected the VM with a virus. Now if someone who knows what they are doing can get tricked by something as simple as an icon change, imagine poor John.

Basically, all the black hat would need to do is make a shallow/deep virus hybrid that infects his user account and prompts him for the admin account every 5 minutes or so. Eventually, John will get so annoyed at the prompt that he will either put the password in hoping that it will stop the endless prompting, or make a mistake and put it in when he really wanted to put the password in for something else. Bam! Black hat 0wnage!

And, just for the sake of argument, the above applies even if it takes a lot of steps to get a program to execute after you download it. You could have 20 complex steps involved and John will go through all 20 steps if he really wants to see Pam doing the naughty dance. (This also explains why Vista still gets infected.)

Myth #3: My machine will never get spyware, because I use (Insert Browser other than IE here. Usually Firefox)
This is my personal favorite. Yes, IE is bad (more on why below) and Firefox is seriously whipping its tail, but if you truly believe that a new browser will solve all your spyware problems, you're seriously mistaken.

First, why is IE so bad? One word: ActiveX. Microsoft in its infinite wisdom decided that it needed the answer to Java and it needed it YESTERDAY!!! OMG!!! If we don't compete with Java, the Java box Sun's pushing will catch on, and rivers will run red with blood, and the antichrist will rise from the ashes of hell, etc.!!! So MS decided that the best (i.e. fastest) way to compete with Java was to make a whiz-bang way to basically make it easier to install executable code on your machine with no sandboxing or execution security whatsoever. So you're probably asking "Then how does it protect users from malicious code?", whereupon someone at MS raises their hand (probably some embodiment of a PHB) and says "Why, we make them digitally sign the program of course, because nobody will want to make a virus for ActiveX if they need to buy a digital signature!" Well, that works fine and dandy until Virus Inc. walks in, buys a digital signature and proceeds to revolve their business around spamming you to death. So simply put, if MS had made ActiveX properly and forced it to be confined to a sandbox like Java did, it never would have been as big a problem as it is today, but MS didn't look at security when they designed ActiveX; they looked at what customers (i.e. PHBs) wanted that Java wasn't delivering, which was speed at the time. So someone at MS got the bright idea to run native code instead of run-time code, and BAM! ActiveX.

Now comes problem 2, which is single-user Windows. Windows 9x ran as administrator (root) at all times regardless of who's logged in, so when you ran an executable file under Windows, it could do anything from show a spreadsheet to format your hard drive. Java, since it was sandboxed, couldn't do this without prompting you like crazy that you were probably doing something stupid right now if a program was trying to do something malicious (not that John wouldn't just allow it anyway if it had anything to do with Pam). Even under 2000/XP, by default you're running as Administrator, because they decided that running all those legacy programs was more important than security, so the problem still exists today.

How could MS fix it? Well, they could emulate the core OS run-time for ActiveX programs (or any executable called by IE for that matter) so that it's completely separate from the primary OS, so anything that is run under it is effectively sandboxed, or they could enforce permissions on the next OS release (which will somewhat fix it; see Myth #1). It looks like for Vista they're choosing option 2, although IMHO they should remove all native legacy support from Vista and VM anything legacy in a kernel space designed specifically for the legacy application, but that's another story.

So why are other browsers so secure when it comes to spyware? Simple: they don't support ActiveX. By not supporting ActiveX they avoid one of the big spyware conduits, but that's not the only way you get spyware. Don't believe me? OK, using your third-party browser, download Kazaa (or just about any P2P app these days, it seems) from their web site and then tell me you can't get spyware from a third-party browser. I've seen spyware in so many installers it's practically an epidemic. Hell, even AOL's Instant Messenger is jumping on the bundle bandwagon and throwing WeatherBug adware around for fun. It's got to the point that most file sites are actively testing all of the installers they get for spyware intrusion and delisting them if they find spyware in them. So basically, that Rico Suave theme you downloaded has more than just Rico in it. It's probably got CoolWWWSearch, SaveNow and God only knows what else.

And it doesn't stop there. Some of these Virus Incs are trying Firefox extensions and Java on for size. At least the Mozilla group is keeping them at bay, but for how long?

Myth #4: IE is insecure because it's merged into the OS/runs in Ring 0
IE doesn't run, and never ran, in kernel space. It ran in and as the Windows shell. It's the same thing KDE does with Konqueror in Linux. Where this myth came from I'll never know. My guess is some evil manipulating clown out of one of those horror movies.

Now, that's not to say that there wasn't a problem with the way Microsoft did shell integration. They used to allow folders to have HTML files (namely folder.htt) to change the look of each folder. This was Really Stupid, and some viruses used to use it as a way in by exploiting IE. Fortunately, in the latest service packs of 2000/XP they disabled this "feature" (although they did not remove it; in theory a virus could turn it on for you, and another virus could infect using what the first virus turned on). Also keep in mind that you could turn web page view off on the older shells and this problem immediately goes away.

But even with the above problem, the shell integration didn't increase the risk. Case in point? Windows NT. It has its own file browser shell, and you can install IE on it so that it runs inside the Explorer shell without being integrated as the Explorer shell, and you'll get the exact same exploits that Windows NT would get if you installed IE as a fully integrated Explorer/IE shell. Even the folder.htt exploits would run on a non-integrated IE.

So what increased the risk then? Simple: the IE4 Security Zone implementation. Seriously, IE3 was the most secure browser MS has ever made. Why? Because there was only one single security zone and it was set to High, and also the ActiveX component in IE3 did not do auto-install. If MS had stayed with this simple security model none of this would have ever been a problem, but in IE4 they decided that HTML on your machine or on your local network is safe. This was another Really Stupid move, and it's been going on for so long that IE7 might be the browser that finally fixes this stupidity once and for all by setting all the zones except Restricted Sites to medium security by default. Don't get me wrong, the zone idea is a sound one, and programs such as SpywareBlaster use security zones effectively, but if MS had implemented it right in the first place there would be a lot less virii out there.

As for exploits, Myth #3 covers a lot of them, and code exploits can and will happen in every browser, including Netscape, Opera, Firefox and even Konqueror. The difference here is that these guys write simpler and more manageable code, which results in faster turnaround time for patches. That's the real advantage the other browsers have over IE, that and they didn't make stupid mistakes like Security Zones and ActiveX.

Myth #5: Windows XP can never be secured because of all the Security Holes
I'm calling BS on this one, and I'll tell you why. I work for a small private college. We have a laptop program for students as well as maintaining some computer labs with desktops. The labs have had the same operating system (XP) on them for over two years under heavy usage, and not one of them has ever had spyware/viruses or any of the other happy fun "screw your box" exploits that seem to plague every laptop 15 minutes after we hand it to a student. Why? Because we protect the lab PCs, that's why, and not with some exotic "erase the drive every time" solution like Clean Slate or the Shared Computer Toolkit. All we use is the built-in security protections and policies to protect the PCs from what would basically be described as PC hell. On the laptops, the students have admin access and can have a field day installing every porn and P2P program they find, and they get spyware-filled almost immediately. I seriously had a laptop come in and it scored 17079 on Adaware. I've yet to see Adaware score anything above 50 cookies on any of the lab boxes because they can't install anything on them.

How easy is it? Well, it's not if you've never done it, and there's a lot of steps you have to go through, but basically all you have to do is two things:
-Remove the idiotic CREATOR OWNER permissions on the C:\, C:\Program Files, and C:\Windows folders. Turn off Simple File Sharing to see the permissions properly.
-Make user accounts for everyone using the PC, or get a domain to handle the user part.
-Not really necessary, but gpedit.msc is your friend as well if you're really dedicated.
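Here is an added example of those steps as a command-line script, to make the procedure repeatable across a lab. It is not the journal author's own script. It assumes Windows XP Professional (XP Home cannot turn Simple File Sharing off), an NTFS system volume on C:, and a command prompt opened from an account in the local Administrators group; the account name labuser is a placeholder.

```batch
@echo off
rem Added example, not the journal author's own script.
rem Assumes XP Professional, NTFS on C:, and that this runs from a member
rem of the local Administrators group. "labuser" is a placeholder name.

rem 1. Turn off Simple File Sharing (the ForceGuest value) so the Security
rem    tab and cacls show the real ACLs instead of the simplified view.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v ForceGuest /t REG_DWORD /d 0 /f

rem 2. Revoke the inheritable CREATOR OWNER entry on the three roots.
rem    By default Users may create folders under them, and CREATOR OWNER
rem    then hands the creator Full Control of the new folder, which is
rem    enough to install a program there. /E edits the ACL in place
rem    instead of replacing it; /R revokes one trustee's entries.
cacls C:\ /E /R "CREATOR OWNER"
cacls "%ProgramFiles%" /E /R "CREATOR OWNER"
cacls "%SystemRoot%" /E /R "CREATOR OWNER"

rem 3. Make sure the built-in Administrator account has a password.
rem    The * makes net prompt for it rather than leaving it in the script.
net user Administrator *

rem 4. Create a standard account for the person using the PC. net user
rem    puts a new account in the Users group only; do not add it to
rem    Administrators or Power Users.
net user labuser * /add

rem 5. Checks: CREATOR OWNER should no longer be listed on the roots, and
rem    Administrators should contain only the accounts you expect.
cacls C:\
cacls "%ProgramFiles%"
net localgroup Administrators

rem 6. Optional: local policy (software restriction and the like).
rem    gpedit.msc
```

Two things to check afterwards. First, cacls without /T changes only the folder you name; if cacls on an existing subfolder still shows an inherited CREATOR OWNER entry, run the same command against that subfolder (cacls /T walks a whole subtree, which over all of C:\ is slow and can fail on files it cannot open). Second, this blocks installs under the program and system directories but does nothing about a user's own profile, which is exactly the "shallow virus" case the next paragraphs describe.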

For people that are starting out, the Shared Computer Toolkit (the configuration part, not the hard drive protection part) can help you with a lot of the basic security settings if you're a novice at securing your machine, but it is not necessary to secure XP if you're familiar with the above steps I mentioned. Oh, and another thing: stay away from the stupid Networking Wizard. Whoever thought that having the Shared Documents folder automatically open wide with read and write permissions when you run this should be shot dead, then hanged, then the corpse should be burned while the body is still swinging on the rope and the ashes secured in order to keep the stupid sealed away for all eternity. I swear they made this feature so the Nimda virus could live forever.

You do those simple things, and XP is hard to crack. Not impossible by any means (it can still take a shallow virus hit, but you can minimize the impact further by giving all users Guest permissions so their profile gets deleted, or by using a mandatory user profile), but it's pretty solid. It only sucks out of the box because Microsoft wanted it to.

Myth #6: Open source software is more secure than closed source software, so I don't need to protect myself
Open source code tends to be higher quality code and has faster patch turnaround times. I won't dispute that. But that doesn't mean that it's totally secure. People make mistakes. Mistakes can go on for years undetected until that mistake turns into a major exploit.

A perfect example of this is the Linux kernel itself. It's been in development for years, been looked at by hundreds if not thousands of people, and they're still finding security exploits in it. Is it Linus's fault, or the programmers', or the OSS model in general? No. Mistakes happen, patches come out, and all is well.

Now don't get me wrong, Linux vs. the NT kernel is like night and day. There could be hundreds of NT kernel exploits that we, or even Microsoft, don't know about. Would there be fewer if NT were open source? Most likely, but I can make a safe bet that it would never get to the point where we could say, "Well, we're finished, this kernel has absolutely no security holes in it whatsoever!" for either NT or Linux.

Although open source can be more secure than closed source, no software should be considered totally 100% secure. That's why you should always plan for the worst-case scenario when it comes to software and not rely on a single point of failure for security. Spending the time to layer security measures always pays off in the end no matter what OS you use.

Myth #7: There are no Linux/OSX Viruses
There are viruses for Linux and OSX. Not nearly the amount Windows has, but they definitely exist.

The reason there aren't more is because of three things:
-Smarter people running them
-Better security practices in the OS
-Small Market Share

First off, users of these systems, especially Linux, tend to be higher on the computer scale than the majority. I'd say they're somewhere in the top 10% of knowledgeable computer users. That's still somewhat dangerous, but nowhere near the 90-99% moron zone you'll find most in the Windows world hang in. This alone shrugs off some of the really simple social engineering scams right off the bat.

Second, the security models were built into these OSes from day one. This is really easy when you don't have a huge market share and don't care about compatibility, like Apple when they chucked OS 9 for OS X and got a better system out of it, or Linux, which comes from a UNIX background with 30+ years of security refinement. Microsoft doesn't want to go down the "chuck all the software out the window" road, even though it would benefit them greatly, so they're stuck with less secure legacy code, which attracts virus writers because it's easier to exploit.

Third is market share. Let's say you write software for Virus Inc. Are you going to attack the OS with A) 2%, B) 8% or C) 90% market share? I remember a time when my SAT coach said to answer C if you're not sure what the answer is, so I'm going with C. Notice that Firefox is starting to get a bullseye on it? That's because its browser market share is growing rapidly, and it's starting to attract some black hats. The same goes for OSes.

Keep in mind that although it's harder to infect these OSes and they have far fewer viruses, they still have a couple, and it's only going to get worse over time, so it makes more sense to be prepared than to be sorry when you get hit hard.

Myth #8: There are 180,000+ Windows viruses
This is another favorite of mine. OSX and Linux guys love waving this myth around. This semi-myth comes from your friendly neighborhood antivirus vendor.

You see, there are a lot of viruses for Windows, mostly because of the way MS makes it easy to exploit their OS, as well as its dominance over other operating systems, but a good portion of that 180,000 number is inflated. For example, a lot of those viruses are variants of the same virus; the Netsky and Beagle variants are examples. Beagle has something around 70+ variants and Netsky is around 50+. Most of these variants do the same thing as their predecessors but are updated slightly to infect more PCs. Even if a source virus has a single byte changed (for example, changing a string in the virus from "screw MS" to "screw M$"), it's classified as a variant of that source virus. Most AV firms count each variant as its own separate virus, and they count other programs such as jokes and spyware too. That's why McAfee detects 178,000+ viruses while Symantec, who only counts viruses and not variants, counts 72,000+. Why do AV vendors do this? To say that they detect more than their competitor. I mean, what would you buy, the virus scanner that detects 72,000 viruses or the virus scanner that detects 180,000?
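Here's a small Python example to make the counting point concrete. It's added for this write-up, not the author's code and not any AV vendor's; the "samples" are constructed byte strings (a made-up stub plus a string), not real malware, and the stub bytes and the family pattern are invented for illustration. A database of exact file hashes treats the one-byte "screw MS" to "screw M$" change as a brand-new entry, while one family pattern over the unchanged code matches all three variants.

```python
import hashlib
import re

# Constructed stand-in for a virus family: an unchanging "code" stub followed by a
# payload string the author tweaks from variant to variant. None of this is real
# malware; the byte values are made up for illustration.
CODE_STUB = b"\x55\x8b\xec\x83\xec\x10FAKE-STUB-NOT-REAL-CODE"


def build_variant(payload: bytes) -> bytes:
    """Assemble a fake sample: shared stub + NUL-terminated payload string."""
    return CODE_STUB + b"\x00" + payload + b"\x00"


# Three "variants": B differs from A by exactly one byte, C by a longer string.
FAMILY = {
    "Sample.A": build_variant(b"screw MS"),
    "Sample.B": build_variant(b"screw M$"),
    "Sample.C": build_variant(b"screw MS!!"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions where two samples differ (length mismatch counts too)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def build_hash_db(samples: dict) -> dict:
    """Exact-hash signatures: one entry per sample, so every variant is a new 'virus'."""
    return {sha256_hex(data): name for name, data in samples.items()}


def detect_by_hash(hash_db: dict, data: bytes):
    """Return the signature name if this exact file is in the database, else None."""
    return hash_db.get(sha256_hex(data))


# One family signature: the shared stub plus the stable prefix of the payload,
# with a wildcard where the author keeps changing the string.
FAMILY_PATTERNS = {
    "Sample (family)": re.compile(re.escape(CODE_STUB) + rb"\x00screw M."),
}


def detect_by_pattern(patterns: dict, data: bytes):
    """Return the family name whose byte pattern matches, else None."""
    for name, pattern in patterns.items():
        if pattern.search(data):
            return name
    return None


def count_signatures(samples: dict, patterns: dict) -> dict:
    """Count 'viruses' two ways: one per unique hash vs. one per matched family."""
    families = {detect_by_pattern(patterns, d) for d in samples.values()} - {None}
    return {"by_hash": len(build_hash_db(samples)), "by_family": len(families)}


if __name__ == "__main__":
    db_with_a_only = build_hash_db({"Sample.A": FAMILY["Sample.A"]})
    print("A vs B differ in", diff_bytes(FAMILY["Sample.A"], FAMILY["Sample.B"]), "byte(s)")
    print("Hash DB built from A detects B:", detect_by_hash(db_with_a_only, FAMILY["Sample.B"]))
    print("Family pattern detects B:", detect_by_pattern(FAMILY_PATTERNS, FAMILY["Sample.B"]))
    print(count_signatures(FAMILY, FAMILY_PATTERNS))
```

The flip side is worth remembering: the wildcard in the family pattern is exactly what a fresh variant tries to dodge, so real scanners keep both kinds of signature, and a vendor that publishes the per-hash count will always show the bigger number.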

Now, 72,000+ is a lot smaller, but even that number is somewhat inflated. Why? Because Symantec never removes legacy viruses from their database (and they shouldn't), but you must understand that a virus circa 1990 has a very slim (to no) chance of infecting a Windows XP PC today and doing any kind of damage. First off, with NTFS replacing FAT as the default file system used by Windows today, most boot sector viruses simply cannot attach themselves to an NTFS volume and do any damage to it, because they are obsolete and don't know how to damage NTFS (or even how to read the hard drive correctly, for that matter). Also, Windows XP and Office 2003 are a lot different from their previous incarnations of DOS, Windows and Office. Many viruses written for DOS, Windows 95/98 and Office 97 will not work in XP or Office 2003, since Microsoft has patched the holes the older viruses exploited, which drops the number considerably. Removing Office (or not having it in the first place) also removes any macro virus threat that exploits Office to spread. Basically, that count includes every virus Symantec has found over the entire history of the PC, from Brain in 1986 to the latest Beagle today.

Now, even if you could cut that 72,000+ in half and get as low as 36,000+ viruses capable of infecting Windows XP (I honestly don't know the real number; Symantec could possibly tell you), that number is still very high compared to other operating systems that chose security over convenience. But it sure isn't 180,000+.

Myth #9: Microsoft should focus on patching their OS instead of releasing a free antivirus product
This is a more recent myth that the OSX/Linux people have been waving around since MS announced that they would release a free antivirus suite, and it has a simple answer.

You can't patch stupid.

Sounds simple, right? Or it sounds like an insult Bill Clinton would have used during the '92 campaign. Anyway, the point is that the computer is only as secure as the person in front of it, and if the user (most likely) falls within that "Law of Stupidity" I mentioned in Myth #1, then it's a disaster waiting to happen.

Let's say, for the sake of argument, that you have a magic "Fix" button that would immediately remove every single bug from every line of code on your PC. So you push this Fix button and BAM! Your system is bug free. No bugs, no exploits, no problem, right? Well, let's give the magic button to John Q. Ignoramus here and see what happens. He presses the button, removes all the bugs from his system, sees a trojan horse masquerading as a Pam and Tommy Lee video program taunting him from his favorite web site, downloads and runs the program, and all of a sudden he's sending spam! Wait a second! That's not supposed to happen! The Linux guy told me so!

What?! The Linux guy said I should have secured the PC first? Well, here's the magic "Secure" button that locks your PC down to user level! So first press the Fix button to get rid of that nasty spam thing, then press the Secure button to lock it down! Now John is a simple user on his exploit-free magic PC. He then sees the Pam and Tommy Lee video program on the desktop and clicks on his dream of Pam's desire. Oops! He's sending spam again! How, you ask? Because it's one of those shallow viruses I was talking about in Myth #1. It runs within his user account and doesn't need any privilege escalation to send spam.

Hold it! the Linux guy screams. His system still isn't secure enough! Fine. It's time we turn that Secure button up to max security! At this point, the only thing John can do is run the legitimate programs that were originally installed by an IT professional, and every other executable is denied! So John sees the Pam and Tommy video, clicks on it, and... "Access denied!" The Linux guy was right! M$ is out to take our money and destroy every other OS on earth! But wait! This is John's computer! There is no IT Nazi keeping the man down by knocking John's door down and dragging him away from the keyboard every time he tries to fulfill his Pamela fantasy! He has a way to install programs on his own PC! So he simply follows the procedure to install the Pam and Tommy Lee video program, and his PC is spamtastic again. Linux guy foiled again!

I guess we could try the DRM button now, but I doubt the Linux guy would be for that, considering he thinks DRM is a tool of "The Ballmer" to force the Linux freedom fighters off of fertile PC ground. I hear the OSX guy is all for it, though. Either way, it's not like Virus Inc. couldn't get it digitally signed.

Now, I know that the max security example even invalidates AV software, since John would just click Ignore to watch bosoms fly, but the point of the above was to illustrate that you can't patch stupid. How do I know? Because Vista's UAC was an attempt by Microsoft to patch stupid. What did most people do with Vista's UAC? They either turned it off or immediately hit Allow without a second thought. Windows 7 makes it prompt less, but it still does nothing, because to UAC every program looks equally suspicious, and people get so used to the prompt that they never read it anymore. So much for patching stupid.

So how does AV software help if they just click Ignore anyway? Well, first off, you get rid of Ignore. Make it so you HAVE to deal with it, by either quarantine or disinfection with quarantine as a backup. That way, if it's a virus, problem solved, and if it's a false positive, you can restore it from quarantine.

Second, it's a prompt that you will not see every day, since it only appears when a virus is detected. People tend to read things they see less often. If you see a prompt once a month vs. a prompt 10 times a day, you'll probably pay more attention to the once-a-month one.

Third, and most important, AV software has the potential to retroactively fix mistakes. If you clicked on a 0-day virus that your AV software missed, chances are that within a week or less your AV scanner will say you have a virus, even though it allowed you to run it before. Nothing else, short of an IT guy looking at your process list once a month, can do this, although I'm assuming that your AV software can detect the file in the first place.

Basically, it all comes down to layering security to protect people from themselves. That's why I believe antivirus software should be included in all operating systems, free of charge.
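To make the quarantine-instead-of-Ignore point and the retroactive-rescan point above concrete, here is an added Python example. It is not part of the original post and not any vendor's code: a set of SHA-256 hashes stands in for the signature database, a harmless text file stands in for the "Pam and Tommy Lee" download, and every file name, path and content in it is constructed for the demo. On day 0 the file is unknown and scans clean; a week later the updated signature set flags it on the routine rescan, it gets quarantined with a manifest (no Ignore button), and then, as if it had turned out to be a false positive, it is restored from quarantine.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins: a harmless text file plays the "virus" and a set of
# SHA-256 hashes plays the signature database. No real malware, no real vendor format.
FAKE_SAMPLE_CONTENT = b"CONSTRUCTED-FAKE-MALWARE-SAMPLE-DO-NOT-PANIC\n"
BENIGN_CONTENT = b"just some notes about sheep and wolves\n"


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan(root: Path, sigdb: set) -> list:
    """Return every regular file under root whose hash is in the signature set."""
    return sorted(p for p in root.rglob("*") if p.is_file() and sha256_file(p) in sigdb)


def quarantine(path: Path, qdir: Path) -> Path:
    """Move a detected file into qdir and write a manifest so it can be restored.
    There is no 'ignore' option: the only choices are quarantine now or restore later."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(path)
    dest = qdir / f"{digest}.quarantined"
    manifest = qdir / f"{digest}.json"
    manifest.write_text(json.dumps({"original": str(path), "sha256": digest}))
    shutil.move(str(path), str(dest))
    return dest


def restore(qfile: Path) -> Path:
    """Undo a quarantine (the false-positive path): put the file back where it was."""
    manifest = qfile.with_suffix(".json")
    info = json.loads(manifest.read_text())
    original = Path(info["original"])
    original.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(qfile), str(original))
    manifest.unlink()
    return original


def run_scenario() -> dict:
    """Day 0: the sample is unknown and scans clean. Day 7: the signature update adds
    its hash, the routine rescan flags it, it is quarantined, then restored as if it
    had been a false positive. Everything happens inside a throwaway temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home" / "john"           # constructed user profile
        home.mkdir(parents=True)
        (home / "notes.txt").write_bytes(BENIGN_CONTENT)
        downloaded = home / "pam_and_tommy.exe"      # constructed "download"
        downloaded.write_bytes(FAKE_SAMPLE_CONTENT)

        # Day 0: the database only knows some unrelated old sample.
        sigdb_v1 = {hashlib.sha256(b"some-other-old-virus").hexdigest()}
        day0 = scan(home, sigdb_v1)

        # Day 7: the update adds the hash of the file John already ran.
        sigdb_v2 = sigdb_v1 | {sha256_file(downloaded)}
        day7 = scan(home, sigdb_v2)

        # Quarantine lives outside the scanned tree, so a rescan comes back clean.
        qdir = Path(tmp) / "quarantine"
        quarantined = [quarantine(p, qdir) for p in day7]
        after_quarantine = scan(home, sigdb_v2)
        restored = [restore(q) for q in quarantined]

        return {
            "day0_detections": len(day0),
            "day7_detections": len(day7),
            "day7_names": [p.name for p in day7],
            "after_quarantine": len(after_quarantine),
            "restored_exists": all(p.exists() for p in restored),
            "restored_names": [p.name for p in restored],
        }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The scheduled rescan is the whole trick: the file did not change between day 0 and day 7, only the database did, which is the "retroactive fix" the paragraph above describes. A real product would also kill the running process and check persistence locations, which this demo leaves out.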

More as I think of them...


Journal Journal: The Batman Villains of IT

Working in IT, you quickly realize that most of the people you deal with take on a certain persona when it comes to you working on their computer, or to how they use it.

After doing this for over 5 years, it's gotten to the point where I've classified all of these personas as villains from the 1966 Batman TV series.

1) The Joker - Loves to send e-mail jokes all over the network. Also has a tendency to forward every e-mail chain letter that enters his inbox to everyone on the network, regardless of how many times he's told that it's spam, not to do it, or both.

2) The Catwoman - Has an unhealthy fascination with cats. Usually has cats all over her office and/or desk. Most likely has a picture of a cat as her desktop wallpaper, screensaver or both. Most likely has, or has had at one time, the Felix deskmate or Bonzi Buddy. Will download and install anything that involves a cat, whether it's adware, spyware or a virus.

3) The Riddler - Will constantly quiz you with questions about computing in general as soon as he sees you. Anything is fair game, from "how much does this gadget cost?" to "how did I mess up my computer?" Tends to find your office to say hi and pick your brain for 30 minutes.

4) The Penguin - Uses Linux (or a UNIX variant like Mac OS or FreeBSD). Tries to convert everybody he sees to his holy crusade against Bill Gates and his Microserf army of conformity. Will constantly remind you how inferior M$ is and how Linux is the second coming. Constantly asks you to convert files to a Linux-friendly format or to make something work that isn't compatible with Linux.

5) King Tut - Thinks he's king S#!+ of F*%! Mountain. Will berate you the entire time you work on his PC. Will demand you do it his way, or else he'll go to your supervisor, or over your supervisor's head. Will call tech support constantly, demanding that you fix his computer in five minutes, right now, and ignore everyone else in line, even though he's had this issue for two weeks and only decided to call you about it now.

6) Egghead - Thinks he knows more about computers than you do. Tends to give you advice you've known for three years. Tends to read or own every "For Dummies" book, "Idiot's Guide to" book and PC magazine with "X tips for doing X" he sees. Will download computer utilities from said books and proceed to FUBAR his machine. Blames the OS or the PC a lot when problems occur from said utilities.

7) Mr. Freeze - Has an uncanny ability to make any PC crash. Will download every program he sees regardless of whether he uses it or not. Tends to have every piece of spyware/adware and every virus you've ever seen. Will lose critical data to the point that a forensic recovery is the only recourse. Will need at least 3 OS reinstalls per year regardless of what OS he uses.

There are more villains in the 1966 series, but these are the major ones that had more than a one-shot appearance. Some of the comic book ones would work well here too (like Poison Ivy, Two-Face, etc.), but that's out of the scope of this list.
