If you had the .NET Framework Assistant plugin for Firefox and wanted to get rid of it, you would have had to get the update from Here or Here, install it, and then uninstall version 1.1, but apparently, Microsoft and Mozilla agreed to blacklist the plugin, then they agreed to unblacklist it, so the above is relavent again.

Why is this in my Journal, you ask? Because it seems like once a month someone from Slashdot posts yet another version of this story complaining how evil the plugin is, So I figured I might was well make this post permament so it saves me from typing and posting this again next month.

BTW, the story count is 6 for the people playing at home. Good luck finding these with Slashdot's search engine, but Google finds all.

Mozilla-Unblocks-Microsofts-NET-Addon
Firefox Disables Microsoft NET Addon
Sneaky Microsoft Add-on Put Firefox Users At Risk
MS Issued a Fix For Its Unwanted FireFox Extension
Microsoft Update Quietly Installs Firefox Extension
Microsoft Update Slips In a Firefox Extension

There is a set of laws that I like to keep track of for computer support purposes. Here is some of them.

Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will.
4) You can patch software, but you can't (legally) patch stupid.

Just about every security exploit you've ever seen exploits at least one of these rules. The exception to this is a self propagating worm, such as blaster, since it takes the human element out of the equation.

#1 deals with the populous as a whole. for example, in the US there are roughly 300 million people. that means roughly 3 million computer users know what they are doing. so basically, the population of Iowa has to do tech support for the entire US population. This also applies to smaller populations. such as Businesses, Universities and even developers, although it can vary much wider in smaller populations.

Anyway, considering that rule, you must assume that trying to explain security issues or even computer usage is going to go in one ear and out the other when it comes to most of the populous. This makes it very difficult to stop most of today's malware threats because most virus scanners can't keep up with the sheer number of malicious apps per day. So the best way to handle #1 in the security context is to minimize the infection vector as much as possible and to limit the choices that they can make regarding crucial decisions and make automatic choices when the choice is clear. This is why most AV software today does not include an ignore option and most automatically clean. Which leads me to #2

#2 deals with all users, Even the 1% users. and is caused by habit. People tend to not read anything. You could have a box pop up saying clicking OK in this box will format your hard drives, with an OK or Cancel button, and I would safely bet that you'll be recovering drives for a sizable amount of people.

To handle #2, the best method is to have the user do a captcha of some sort. Many OS'es do this with the administrator password prompt when you try to do an elevated privilage. It's not foolproof but it's better then nothing.

#3 is similar to #2 If presented with a button, a person will click on it. that simple. it doesn't matter what that button does, they will click it. even if they read on the button and it says to format hard drive click here. even if they know that is bad, people will click the button simply because they think the button is lying, that is until their hard drive is gone.

handling #3 can be difficult. like #1, you don't give the user something to click on. you hide or restrict it so that only experienced users that need to use it can. If it's not needed at all, don't even make the button. Although this isn't going to help if the button is designed to be malicious. (Like a malware site) This makes #3 the most exploitable of the rules.

#4 is a new rule added. basically its there for the training crowd that believe that training is all you need to fix the above. That almost never works. people will forget, people will ignore and people will just not care. Handling #4 is to apply yet another rule taught to me by one of my college professors in my user interface design class. the "premise of monkey" rule.

The Premise of Monkey
If you can't train a monkey to use it, you can't train a human to use it.

It basically comes down to simplicity. limit choices to the basic necessity of the programs functionality. The simpler it is, the easier it is to train and the less long term problems you'll have with user error. If you can't fix stupid, make the interface for the stupid to use. I know it's got that idocracy vibe to it, but it works.

Now you're probably wondering how this leads to a system getting infected. For the example, lets say someone gets a pop up that says roughly "0MG! j00 907 7EH V1RuZ!!" Rule #1 applies, so 99% of computer users are going to believe what the popup says when the 1% know it's a malicious site. Rule #2 means they'll not read the message from their real virus scanner saying they're infected because the blinking red "D4n93R!!!" banner and Big Red Pulsating Shield with a Big White X from the malware site is easier to understand than the text message from the virus scanner they've had for the past 5 years. Rule #3 means they'll press the "Cl1Ck h3r3 70 Cl34N. H0n357!" button and then press Run, and then bypass the "This is a malicious File!" Prompt, then Press Allow, and Then Put in their Password, ETC. and Rule #4 means It'll get infected 20 more times after you've formatted the drive 19 times to remove the last 19 rootkits because they keep infecting it the same way over and over and over again.

Before I go any further, let me make it clear that I'm for Bandwidth Management as long as it's Net Neutral. Which means if your going to throttle bandwidth, throttle all bandwidth protocols equally and never block any ports or services (This method is somewhat followed by the Netequalizer packetshaper, which agnosticly targets bandwidth hogging connections and only on peak demand by default). The only level of protocol filtering I would even think of supporting is if an ISP wants to Prioritize their own Network offerings over all other traffic, Such as VOIP. I'm for this just because if there's heavy traffic on my node, I would still like my phone to ring when someone calls. As soon as they start restricting or blocking other VOIP competitors such as Vonage and MagicJack to goad you towards their offerings, I'm done with them.

That being said, Comcast finally announced their new Protocol agnostic filtering service, and while it looks a lot better then their old "P2P MUST DIE!!" system that their currently using, People are still ranting about the 250GB cap. Every time a Download cap is announced, I see this post constantly online and it drives me nuts.

"[ISP X] Advertises Unlimited Internet. Since they now cap, I'm going to sue"

Guess what. Even with the Download cap, their still fully compliant with the "Unlimited Internet" moniker.

How you ask? Remember AOL? Remember all those disks you got that said "[X] Hours Free" where X is a number of hours? Back in the early 90's, most Dial up ISP's used to charge you Internet access by the hour. After a few years, they decided to change that to monthly. Some ISP's however, used to have an hour cap per month (primarily to free up a modem on their modem bank). The first ISP I ever used had this in their TOS, and you couldn't use more than 250 hours per month. If you did, they would turn you off until you paid for another month. Eventually, once they got enough modems to handle their user base, they dropped this from their TOS. I'll give you one guess how they advertised this TOS change.

Basically, When they say "Unlimited Internet", What they actually mean is "Always on Internet". Why don't they just say "Always on Internet"? it depends on the ISP. Some ISP's do use that in their advertising. Some felt however that it scared people into thinking that their always online connection meant that their computer had to be on all the time, or that their computer could get infected by some magical virus that can infect your PC even when your PC is off (This is no joke. An Uncle of mine was leery of his Always on DSL line, and insisted on not using the Auto Connect Feature on his PPPOE connection.) since "Unlimited Internet" sounded better to a marketeer than "Always on Internet" or "750 Hours a Month", they ran with "Unlimited Internet"

I'm no fan of caps, but as long as they don't cut you completely off during your monthly pay cycle (IE they drop you to modem speeds if you hit the cap) Their advertising of "Unlimited Internet" in their advertising would be truthful. It may not be completely honest, but either is those infomercials that say you'll use a food dehydrator every single day.

I recently had to swap out my aging IBM R51 with a brand new Lenovo R61 at work. It's been a great PC so far, but one of the features of this laptop worked so well that I had to post about it.

The R61's we go this year have Intel Turbo Memory installed. Otherwise known as Robson, this is the Intel Flash cache that supposedly speeds up your PC and saves battery life by turning an ordinary Hard drive into a Hybrid drive. Since I needed to learn Vista more since I work on a lot of alternate language laptops, I decided to take the Vista plunge and run Vista Ultimate on it.

I noticed immediately that the PC was more responsive with TM on than when it was turned off, Especially on Boot up. Boot up times were cut by 1/2 and in some case 1/3rd. Programs that were frequently used seem to load up faster. Turning the TM off, (which I had to do, since Symantec Ghosts' Boot wizard would not run with TM enabled.) noticeably dropped the performance.

Battery life wise, I didn't notice much of a difference, but it does seem to help out, since I could easily run the laptop for 3-4 hours with TM enabled. The laptop seems to last longer than the same laptops running XP (which doesn't use the TM Module) and considering the process hog that Vista is, The Laptop running Vista's battery should last a lot less than the XP systems.

I've read reviews that state TM works better when there is less RAM present. The Vista System I'm using has 4GB of ram (only 3GB is accessible since Lenovo only offers Vista Business in 64bit) on top of a Intel T9500 processor. I've also set the hard drive performance to Enhanced write performance, which caches everything it can to RAM for faster read/write speed. Even with this amount of RAM and performance specs it is very noticeable when TM is disabled VS Enabled.

Right now, TM is only supported by Vista. I would like to see it supported on another platform, such as OSX or Linux, to see if any similar performance gains could be achieved. I doubt it will ever be supported in XP, even though it looks like it was supported at one time. Maybe the netbook Trend will bring TM to XP in the future.

As for Vista itself. This is the first time I've actually used Vista for one of my personal PC's. So far it hasn't given me any major problems. (other than the Ghost boot wizard, which so far is the only program that crashed as was worked around.) It is definitely slower than XP. I would say that its responsiveness is similar to our last year R61's running XP (which have 2GB of ram and a slower 1.7GHz Core 2 processor.) It would definitely be slower if the TM Module were not installed in these PC's. It also eats three times the RAM at 1.4GB. So far however, It's been OK running on this Laptop since the specs are high. I'll know more a few months from now if it can redeem itself or prove all the naysayers right, but so far it's been a smooth ride.

With all the hype surrounding Firefox 3 these days, I decided to finally give it a try. The last time I used a Mozilla product was back during the Mozilla 1.7 days. Back then I liked the way Mozilla was laid out, but then Firefox took the spotlight and pushed Mozilla into obscurity. add a few annoying bugs here and there and I just stayed with IE.

The first thing I noticed is that it has a robust plugin system. I quickly added some plugins for some settings I use in IE7. Unfortunately, there is one feature You cannot add to Firefox as far as I can tell, and that's Security Zones.

For the longest time, I looked at security zones as a dangerous security problem in IE. They were exploited a lot in the beginning, and some of the settings were set too low, Especially when it came to the Intranet and Trusted Site Zones. But after playing with them for some time, I saw the potential that Zones give you security wise.

For example, there's a Program out there called Spywareblaster that really puts security zones to good use. Basically it's a blacklist that adds known badware sites to the restricted zone. Spybot Search and Destroy also uses this in their immunity function.

Now when I browse in IE, every once in awhile I'll notice that I'll be browsing not in the Internet Zone, but in an Unknown zone(Mixed) zone. That usually means that the site I'm browsing is most likely calling an ad provider that's not too friendly. This alone stops most drive by downloading and obnoxious flash ad's with sound right there. In Firefox however, there is nothing like security zones in it, From what I can tell, it has a default method of browsing that it applies to all sites. The only things I found in Firefox that had site by site restrictions was for images and cookies. Which I guess is a start, but it would be nice if there was an exception section to block scripting too.

Since I didn't see this functionality built into Firefox, I started looking for plugins that would add similar functionality to Firefox. The closest Thing I could find however was Noscript which is a free security enhancement for Firefox. It does work good and increases security dramatically but it's not quite the same. For one thing it's a Whitelist system. Noscript Assumes that all sites are bad, and you have to allow sites on a site by site basis. While this is the most secure way of handling scripts, it also requires a lot of work for the user, especially if the user browses a lot of sites. From my experience, it works the same as 2003 server's Enhanced Security configuration without all of the annoying prompts that IE likes to show. Basically if you go into IE, set the Internet Zone to high security, changed the security of trusted sites from low to medium, and added every site you frequently browse to your trusted sites zone, you would have the same functionality. Although In IE it's more of a pain to add sites to zones than it is in Noscript, which is a bar above the status bar.

I guess what I would like to see is something akin to security zones in Firefox. It doesn't have to be like security zones as much as a "exception" section similar to the one for the "load images automatically" and "accept cookies from sites" options except for "Enable JavaScript". That will allow users to add a domain to it and disable all scripting from that particular domain and will function as a blacklist. You could also add Whitelist functionality as well but Just Like IE's Trusted Sites zone, it could lead to sites adding themselves to the whitelist in order to attempt infection, Although I don't see how this would affect Firefox much since if a Site added itself to the whitelist it would still have to go through the Firefox security channels unlike the IE Trusted Site zone, which by default used to bypass IE security altogether until IE7 fixed that.

Generally speaking however, I'm pretty happy with Firefox so far. It's definitely come a long way since the Mozilla days.

Edit: I noticed that someone made a Firefox Extension called YesScript that adds a blacklist feature in Firefox. Although it's a relatively new plugin, it works well. The only problem is that I can't figure out a way to add a group of sites to the program easily. If it had an option to import restricted sites from IE it would be perfect, since SpywareBlaster fills in Restricted sites for IE. It has a minimalistic user interface that's basically an icon that you click on to allow or deny a specific site which changes color if it's black or white listed, although I wish that it also had an option to select specific domains contained in a site. (such as AD banner domains)

It's a step in the right direction and this plugin is looking promising.

Edit: I finally found an acceptable answer in AdBlock Plus. It's a add on for Firefox that blocks malicious sites similar to Spywareblaster. It also automatically updates and blocks by reference as well as by URL. It's definitely the protection I was looking for without the nagging "Cancel or Allow" protection I was not.

I posted this a few weeks ago on a news story about the College Opportunity and Affordability Act. It's so good I'm keeping it here for archival purposes, since at some point it might happen and I can say "I told you so!".

Frankly there's only two ways you can stop piracy from happening on college grounds.

1) Buy everyone in the school music accounts to download music thus raising the tuition, Which enrages students and punishes students who prefer going to buy their music at music stores, and will ultimately result in retention levels dropping in an already competitive market as it is.

Or

2) The Amish Method. Cut the Internet cable since there's nothing on the market that can assure 100% piracy free Internet, ban all computers since they can make MP3's using a line in jack and a CD player, and ultimately ban electric power from everywhere on campus, since they could possibly use electricity to copy a tape with a boombox or operate an electric guitar.

But if you just cut the LAN Internet cord and force the students to go elsewhere such as DSL or Cable modems to get their Internet the problem is solved right? Wrong! It doesn't matter. Have a computer lab in the college? well that can be used to download music or burn CD's or even make an MP3 file using the sound card's line in jack. you better have that policy in place to spy / restrict that lab to only authorized personnel. Of course I guess you can disable the Internet and sound card and CDROM's and USB ports so that it's basically a dumb terminal, or use DOS 6.22, (Can't use Windows. Sound recorder is there and it makes it easy to pirate. Maybe Windows 386 would work.) but if you go that far down the line, you might as well switch over to typewriters. They have far less maintenance, are cheaper, and are surely more pirate proof when it comes to movies and music.

And remember. They can pirate with that Stereo in their room or play their favorite music rift on their electric guitar using college supplied electricity. So once they do pirate the music using their liability free network connection, they can burn it to CD and play it in their stereos or instruments and BAM! Everyone in that Dorm that heard it is a pirate! You better have a policy to arrest that guy, since he used your power grid network to broadcast his pirate booty to the entire dorm. Maybe fine the entire dorm since someone may hum or whistle it down the hall.

At least the english, math and history professors would be happy with #2, since calculators would be banned and people would have to be forced to write their thesis's on parchment. Of course, Victrola's would have to be banned too, but it's hard finding a wind up one these days. Maybe they'll come back in vogue.

Recently, there are a lot of articles talking about how business is generally staying away from Windows Vista, and they're giving all of these reasons such as compatibility, reliability, system requirements and the like, but the real reason you're not seeing the business side jump all over this OS isn't because of just these things. It's the Genuine advantage.

For example. here where I work, we had Vista running everything most office workers need; Office, IE, SCT, Even wIntegrate, which is an ancient terminal program from 96. There was three reasons we didn't go to vista. One was the System requirements we were not quite ready to meet, another was that F-secure (our virus scanning system) did not have an official Vista version at the time, but the real reason we decided to stay with XP even if all the above problems were resolved was simple. The Genuine Advantage is for lack of a better word a total pain in the ass.

In Vista there are two ways of handling corporate keys. One with a Key Management server and the other with a Multiple Activation Key. Under KMS. You are required to have a KMS server on your network, tie it to DHCP and give it your VLK (which can be changed if your old key is pirated and propagated to networked PC's). once you do that it will activate any Business version of vista automatically every 3-6 months without entering any keys, but if the computer is no longer on the network (say a Laptop) after 3 months, the system locks you out in a reduced functionality mode which can only be described as useless.

The Second method; MAK isn't much better. basically MS handles the KMS for you. this means that you don't have to worry about traveling users not being disconnected from your network for too long since it works over the Internet, but now MS is handling your activations, and you have to contact them every time you hit your quota in order to activate more windows, which isn't as bad as it sounds. According to MS activation isn't counted against your licence count, and you can request indefinitely. However, if MS sees a huge activation spike. (say your activation rate average goes from 100 a day to 10000000 a day) they disable your key (which brings us to reduced functionality mode for all MAK'ed PC's) and then you must go to each and every MAK managed PC and change the key to a new one supplied by MS.

So basically, to use Vista you either have a server on your network and pray no one's laptop cripples while their on a business trip, or you contact MS until the break of dawn and pray that no one pirates your key so you don't have to touch 1000 Crippled PC's with the Dreaded "YOU ARE A PIRATE!" message. Add to the mix that under both of these systems, your company is sailing the high seas if one disgruntled employee decides to give out your corporate key to WAREZ R'US, or if the system is completely disconnected from the network (to be used as a secure storage platform or to run dedicated equipment for example) and you got a product that companies will avoid like the plague.

As for the other excuses, Most businesses would have upgraded to vista over time. The gleaming example of this is windows 2000 to XP. There was no technical reason to go from 2000 to XP, but many businesses did it anyway over time and a service pack release. Now with vista, you got companies that are flat out saying they have no plans for vista at all and are looking at Linux and MacOSX as alternatives, and I can guarantee that Their IT dept's are most likely looking at what hell they would have to go through to appease Vista Genuine Advantage and are throwing it out the window. It would be a safe bet that if MS changed the licencing scheme for Vista from Key Management Server/Volume Activation 2.0 back to Volume Activation 1.0, (the old method) adoption would be much higher than it would be right now. Office 2007 doesn't have the "YOU ARE A PIRATE!" system built in it and still has the old VLK licencing system like XP. I can guarantee that it's adoption in business is much higher than Vista. I know we're using it here, but Vista is sitting on the shelf.

Maybe, hopefully, MS will see this and realize that the Genuine Advantage is looked at as a Genuine Disadvantage for business, is making corporate IT departments around the world look at their OS competitors and their earlier business friendly versions of windows, and in the long run, the money it's saving by stopping privacy is not worth losing the corporate business that they've established over the past couple of decades.

I'm looking for a web application for my site that can handle a file archive for some programs that I've wrote, Particularly, something that allows me to upload files, posts screenshots of the programs and leave feedback (ratings, reviews, ETC)

Unfortunately, I do not have that many MYSQL databases for my web hosting account. I know I could switch hosts, but the price I'm paying for my current host is ideal and is basically overkill for what we use.

I've seen scripts like RW::Download, CFiles, and PAFileDB but they all require mysql databases. I've also looked in the CGI Resource index with not much better luck.

So, has anyone in the vast Slashdot community used anything similar to these above apps that uses a flat file database? Do they even exist? I really don't care if it uses PHP or perl, but I don't have the SQL database to spare for any of the programs I've ran into so far. File ratings would be nice and commenting would be ideal. File uploading by administrators of the system would also be nice but not exactly critical since I can FTP into the site. I would like for it to also have it's own page generation, that way I don't have to make a site full of links that I would need to update every time to add new files or functionality.

The below is a list of anti-virus software that is either in development for Windows Vista, or a beta is available. I will update this as I find out about more working scanners. Post a comment if I'm missing one and I'll add it.

Trend Micro
Computer Associates
Avast
Sophos
AVG
Mcafee
Symantec
Microsoft

Just posting this if you just happened to buy into the hype that Vista is somehow stifling competition in the AV market.

One of the perks of my job is that I have to stay ahead of the game when it comes to the technical aspects of computer operation, which usually means beta testing new OSes. So over the last couple of days, I've been playing with the RC1 release of Vista. From what I've seen so far, however, I have come to a simple conclusion.

User Access Control in it's current and default setting is absolutely useless.

I don't know what Microsoft is thinking here, maybe it's going to change down the line after release, but as it stands right now, it's useless, and here's why.

First off, when you first install Vista, it asks you to set a password for the administrator account, Which is so far better than WinXP, but that's it. That account is your primary account. It doesn't force or even encourage you at install to create a user account and run that as your main account like most Unixes do. In other words, it creates accounts just like XP with a slight difference in what the administrator account can do to the PC so it's slightly better than XP. This of course is a bad thing. But it gets worse.

To expand the above, that "Administrator" account isn't really an Administrator account. It's more like a "Super Power User" account (probably since it is your default account after all). This so called admin account can do a lot of things a real admin can do, but there are a lot of things it cant, such as releasing an IP Address using ipconfig. This restriction is in the right direction when it comes to how the default account should respond but they shouldn't be doing this to the only account that can possibly recover from a bad situation. If a PC gets infected with something that is Deep Penetrating, your going to have a really bad day trying to clean it out with this account's access level.

Second, They did adopt a deep penetration stopgap like the Unixes, and anything you run that can adversely affect your machine is protected similar to Unixes root access prompt, but with one major flaw: No Password Prompt on the default administrator account! I can understand if the account didn't have a password but it should damn well prompt you if you have one set. Now, it does prompt the administrator password if you are running a user account, but let's face it, most users are going to use whatever Vista defaults to, and as of today, it's this neutered administrator account. I've said in the past (read my "Mythbusting Computer Security" journal entry) that I believe that the password prompt is useless since an Idiot user will just put it in and deep infect themselves anyway, and I still stand behind that, but there are three reasons why these dialogs work relatively well in UNIX:

1) The frequency of the prompt itself. When it comes up in Unix, you Know it's something big because you don't see it that often unless your installing something or messing around with system settings. In Vista Simply copying files from your profile to your Spare drive can get you this dialog, Although RC1 is light years ahead of Beta 2 in this regard.

2) A Threatening presence. Your using your computer when out of the blue this box shows up wanting an Admin password for this program to do it's thing. This forces people to 1) read the dialog and 2) think; since they need to conjure up their password. This will never protect a computer from a stupid user, but that simple pause will make cautious people second guess their judgement. When you have a simple yes/no prompt, a user will get so indoctrinated with the prompt that they will simply say yes no matter what they are running. Don't believe me? how fast can you click on "yes to all" when you're copying files into an already existing folder? Do you even read the dialog anymore? Did you realize you could be overwriting newer documents with older revisions of the same document?

3) Protect the system from other people messing with your computer if you happen to be away from your desk, since they would have to know your log in password in order to screw things up.

So, basically, if you want to know how Vista feels and you don't have access to the Beta, simply download service pack 2 and install it, download a program, and run it. That security dialog you see is basically UAC for the administrator, albeit with a little less graphic flair and frequency. Now imagine seeing that dialog dim the whole screen and pop up when you click on anything in the control panel and you got the Vista Experience.

What can be done to fix it? For starters, Make the Administrator account a Real Administrator, not a "super power user" with administrator as the user name, and force a password for the account. Second, the User's default account should be a "user" or "Power User" account and anything you do that needs UAC approval would require the administrator password. This would work exactly like the Unixes work and would stop most of the problem's I've mentioned here.

Actually XP does something similar to this at initial install. When you initially install XP, there's the administrator account and a "Your Name" account. the problem with XP is that the "Your Name" account is a full blown administrator. All they needed to do was force you to set a password for the administrator account and make that "Your Name" account a "user" or "power user" instead of a full blown "administrator". That would have fixed most of the security problems in XP right there. This coupled with Vista's UAC's permission elevation would have been Ideal.

Update 10/8/06: RC2 has come out and there are some minor changes. For one, it looks like they have gone back to a model similar to XP. Instead of having the "Super Power User" Account called "Administrator", they have decided to go back to the "Your Name" system that XP Uses. My guess is that testers didn't like their own account being called Administrator and MS wanted to do more account Salting for extra protection. (Not like a malicious program couldn't get the account location anyway from a variable) However, that appears to be the only change. It also still has the same prompting characteristics as RC1 using "Adminstrator", so this article is still relevalent. I didn't test to see if the true Administrator account is accessable in any form, but I do know that it doesn't ask for a password for "Administrator" anymore. Hopefully it's truly blocked from being used in normal mode.