Updated 5/21/2008

Deb-Tech

Deb Shinder's Technology & Security Blog
July 02

Patching Problems Make it Hard to Keep Systems Updated

We're always being told that an important element in keeping our systems secure is to diligently apply all security patches as they're released - but what if you can't? Some organizations have recently been running into problems when they try to deploy Microsoft's monthly security fixes. First it was a problem for users of System Center Configuration Manager (SCCM). Now something similar is happening with WSUS 3.0 (with or without SP1) in environments running Office 2003.

These are apparently two separate issues, but they have the same effect: you're unable to install the security updates. Microsoft is investigating the problem and expects to issue a fix, and in the meantime there are workarounds. See this article in Redmond Channel Partner magazine for more details.

Meanwhile, we're hearing about a new wave of an old scam: spam messages claiming to direct you to a critical Microsoft security update that really redirect you to a web site that downloads malware to install a back door for hackers to infiltrate the system. Read more about that one here.

deb@shinder.net

June 30

Say What? PI license required to repair computers?

What the frak is the Texas legislature up to? According to this article, a law passed last year requires that anyone who analyzes computer data in Texas has to have a private investigator's license:

"Computer repairman and AustinPCTech owner Mike Rife had no idea - until a month ago - that he frequently breaks the law when he repairs his customers' computers.

"The Institute for Justice, a legal advocacy group for entrepreneurs, informed Rife last month of a Texas state law requiring computer repair shops to have a private investigator's license to fix computers."

I've been expecting for a while that the high tech industry would eventually fall prey to the government's desire to regulate everything to death. I anticipated that eventually network admins, network security consultants and even computer techs would have to be licensed (after all, even hair stylists are required to pass a test and pay a fee to the state in order to practice their trade).

But a private investigator license required before you can collect information off a computer's hard drive? A license that you can't get unless you have a bachelor's degree in criminal justice or spend three years as an apprentice to a licensed PI? In other words, you could have an advanced degree in computer forensics but that doesn't qualify you for this license.

And although it's the computer repair techs who are bringing this to our attention, the way it's written the statute would prohibit any employer from conducting a background investigation on a potential employee without hiring a PI (of course, that's exactly what the Board of Private Security and Private Investigators, who instigated this thing, want). In fact, it would prohibit a parent from using "investigative practices" to find out what web sites the kids are visiting.

In other words, it's a ridiculous law. To the state's credit, I find no record of it ever having been enforced this way. My guess is that this is one of those cases where lawmakers intended one thing and ended up saying something completely different. I hope they fix it in the next session - if the Court doesn't throw it out before that happens.

Just one more example of government gone wild (and/or legislators who were asleep when they were casting their votes).

deb@shinder.net

May 22

Update: Roaming the Range

Yesterday, after posting here about the amazing cell phone bill we got from Verizon Wireless, I called their billing department in hopes that it was some kind of mistake. The lady I talked to didn't seem to be very interested in my problem - although she definitely was interested in selling me more services that would cost me even more.

First I asked her where it said on the web site that data usage when roaming in Israel would be $20 per KB. She insisted that it was $20 per MB and that Tom had used 28 MB - even though the bill very clearly said "kilobytes - 28." I kept pointing this out, but her mind was made up.

I have no idea how much bandwidth he actually used. He checked his mail twice a day, and he only downloads headers to the phone, not the full messages. So it's hard for me to believe that he used 28 MB, even if there was a good bit of spam.

But she kept assuring me that they could credit "part of" the charges if we signed up for the Global Access plan. How much is that, you might ask. Only $128 per month. Well, maybe only. She implied that was the only charge but when I looked that plan up on the web site, it looks like it's $128 per month plus 2 cents per KB.

Either way, that's over $1500 per year and since it's doubtful he'll travel internationally more than once a year, that's not cost effective. I explained this, but she kept trying to push this plan and saying "we need to get him signed up for Global Access" to the extent that I began to get nervous that she was going to do it without my permission so I told her very specifically "DON'T change anything on my plan." I guess we'll see when I get the next bill.

I'm not happy with Verizon about this. I know ignorance is no excuse and if they had told me they really were charging $20 per KB, I'd just chalk it up to our mistake for not checking more closely beforehand. But I don't believe 28 MB was used downloading email headers. I believe he used 28 KB as it said on the bill. I believe we were overcharged to the tune of $574 plus tax. Is it enough to make me switch cell phone companies next time around? I don't know. That depends on what happens between now and the end of the contract.

Stay tuned ...

deb@shinder.net

May 21

When in Roam

... expect a cell phone bill like nothing you've ever seen before.

Tom spent ten days in Israel last month, at Microsoft headquarters in Haifa, Eilat and Tel Aviv. He took his Verizon cell phone with him, although he couldn't get voice service to work. It's probably just as well.

He did check his email a couple of times per day, resulting in 28KB of data usage. Doesn't sound like much, does it? Well, when I got the bill today, my jaw dropped. That 28KB cost us $574 - not including the considerable taxes and surcharges. By way of contrast, during the same month he had 121MB (121,000KB) of data usage here at home, which cost $44.99 (as part of the unlimited data plan).

[Image: My jaw-dropping Verizon Wireless bill]

Now, he knew there would be roaming charges - but he logically assumed they would be the same or similar to the roaming charges in Israel for voice service, which is listed on the Verizon web site as $1.29 per minute. Apparently not.

Nowhere on the Verizon site can I find anything warning me that they charge $20 for one kilobyte of data usage when roaming in Israel. We're a bit pissed off, but we're also thankful that it wasn't a lot worse. If he'd left the phone set to automatically check mail every fifteen minutes like it does here at home, we might have had to sell the house to pay the cell phone bill.

Tom noticed that a colleague who was in Israel with him, who has Sprint service, got a text message from Sprint warning him that he was in roam mode and telling him what the charges would be. Overall I like Verizon a lot, and based on what I've heard from others about other aspects of their service, I'd never switch to Sprint, but I certainly wish Verizon would take a tip from them on this issue. Suddenly having to switch to AT&T to get the iPhone doesn't seem quite as bad an idea as it did yesterday.

deb@shinder.net

May 07

Zero Day Threat: eye-opening new book

I've been saying for years that the credit card companies, banks and the government - all of which keep telling us how important it is for us to protect our personal information to prevent identity theft - are themselves engaging in practices that put us all at risk for that very thing, and there's not much we can do about it.

Readers of my newsletters know that I've complained frequently about the "convenience checks" that the credit card companies send, which offer a blank check to anyone into whose hands they fall. I have also mentioned, over and over, how the IRS insists that you give them a street address and then sends correspondence there, where documents containing your social security number and other sensitive information could be stolen out of your mailbox.

Finally it seems I'm not the only lone voice crying in the wilderness about this. For the last week and a half, in my spare time I've been reading "Zero Day Threat" by Byron Acohido and Jon Swartz, published by Union Square Press. Its more revealing subtitle is "The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal your Money and Identity."

It's not easy reading from an ergonomic point of view; the layout and lack of white space or illustrations makes the text seem dense. But the information makes it worth overlooking that obstacle. The authors divide those involved in these cyberscams into three categories: Exploiters, Enablers and Expeditors. The exploiters are the cybercrooks themselves, whereas the Enablers are the banks, credit bureaus, credit card companies and data brokers that make the crooks' "job" so much easier, and the Expeditors are those who create the technology that makes it all possible.

Scenarios are presented in a story-telling fashion, but the Introduction assures us that the events and characters (though not necessarily their names) are real. All of these scary stories eventually lead us to Chapter 18, titled "What Must be Done," where the authors postulate that the strategies that have been shown to reduce fraud aren't being used on any widespread basis, and the Appendices that offer practical advice for helping to avoid becoming one of the increasing number of victims of ID theft and summarize the opinions of tech security experts gleaned from a survey of such professionals.

The main takeaway is that we are more vulnerable than most of us realize, and although we may not have control over the large companies we've entrusted with our personal data (the Enablers), or over the technology developed by the Expeditors, there are things we can do to make ourselves less of a target to the Exploiters.

deb@shinder.net

April 29

Please Read All the Way Through Before Blasting

Wow, my recent editorial over at www.wxpnews.com stirred up a lot of controversy. It's about a thesis project called the Neighborhood Network Watch (NNW) that, in my opinion, goes way over the top by instructing people to illegally access and capture packets from their neighbors' wireless networks and falsely claims to be affiliated with the Department of Homeland Security.

Seems a few people only read the first few paragraphs, though, and concluded that I was criticizing the government rather than the student. I got some pretty strongly worded responses, such as this one from "Name Withheld":

I think you've blown a gasket in the name of paranoia so that you can stir some interest in an otherwise dull e rag. It would seem to you that the Gov't is to blame for everything until it's time to rely on them again.

I bet you spend most of your time on your fat butts thinking of ways that the government is dying to keep you from doing whatever you want to do. You guys have gotten rich on selling software that caters to the public's sense of paranoia and in order to keep your millions of dollars coming in for your yuppie condos, your yachts, your kids' private schools and your string of exes you see the government as bloated as you are. Perhaps it's true. But in a country that pays $57 million dollars to someone to play football while people like myself risked their lives for this country for 29 years for next to nothing, there comes a time when I feel like saying "Shut up!"

We're involved in a global war in which the enemy would love nothing better than to end your way of life as well as your life and because we have been successful at keeping 9/11 from happening again, you whine and complain like the little children that you really are. Get a grip. Put the coke back in the bag and get ready to reap the harvest of what you've sown. We as a Country have turned in on ourselves because facing the fact that the world is a hostile planet to live on and not realizing that "Freedom is not free" is going to cause our collective lifestyles of the rich and famous to come to a serious end if we keep on devouring ourselves.

I spent 29 years in the military wing of this government while you lived your Roman lifestyles. If we keep on this course of self destruction then the next time a plane collides with a building, or a city disappears from a nuclear back pack, well then leave us your phone numbers so we can call you to rescue us from the disaster to come. Maybe you can blame the terrorist to death.

Another reader, who did sign his name (but which I won't divulge here), said more succinctly:

That’s IT!! You have had umpteen issues in a row now screaming drivel about Big Brother is watching, government is evil, and other chicken little crying. I have had it, and cannot consider anything that you say with seriousness.

I’m always happy to hear from readers and always appreciate their input, even when they disagree with me. And as the mother of a career military daughter, I especially appreciate anyone who serves our country, but I do wish people would read the entire article before blasting me. I know in today’s fast-paced world, we don’t always read to the end of a lengthy piece, but sometimes that causes us to miss its point.

This particular piece wasn't about the government. As I said in the editorial itself: “I was amazed at the idea that the government would openly endorse such an idea.” I also said, "The threat of terrorist activity is ever-present and our government's diligence can, at least in part, be credited with preventing more attacks on American soil subsequent to 9-11.” As for the person who put up this site, with the goal of making the government look bad, I said, “I'm not amused. Claiming to be affiliated with the government when you aren't is lying in my book. That Martin hides under the cloak of an academic project doesn't make it any less dishonest.”

Now, I’m not claiming that I’ve not criticized the government in the past. Has our federal government at times gone too far in the name of combating terrorism? Yes, it has – that’s the nature of big government. And ours has grown too big and too powerful. If you read some of the material written by the founding fathers and compare what they had in mind to what we have today, you can't deny that.

If and when the government abuses its power, I will condemn that. And I can, because despite the problems, we still live in the best country in the world, where our Constitution guarantees us freedom of speech and the right to petition for redress of grievances. My daughter, who just returned from a military tour in Afghanistan, and others like her risk their lives to ensure that we continue to have those rights.

I am very much aware of what our enemies want to do. That’s why I have continued to support our war efforts in the face of massive opposition from those around me. The military is one of the few duties that the federal government is constitutionally justified in spending our money on, and I am happy when my taxes go toward that proper cause instead of the many so-called “general welfare” purposes for which the central government was never intended to be responsible. However, military methods were never intended to be turned against our own citizens and unreasonable search and seizure was seen by the founders as a serious breach of governmental power. I once took an oath to protect and defend the Constitution of my state and the United States, and I still take it seriously.

As to the fantasy life conjured up for me by the first reader, I’ve never sold a piece of software, although I’ve used a lot of it. I’m an independent contractor who provides editorial content to Sunbelt and other companies, not a software vendor. My husband and I have built a fairly successful business doing that, by working those butts that we sit on off for up to 14 or 16 hours a day, 6 or 7 days a week for years, but we haven’t made it to millionaire status yet.

Before all that, however, I was a police officer so I know a little bit about how hostile the planet can be and I have some scars to prove it. No, I don’t presume to imply that I risked my life to the extent that those in the military do, but I have been the target of bad guys who wanted to hurt me. I haven’t spent my whole life ensconced in “yuppie condos” or floating on yachts (about the closest we came was when we thought about buying a pontoon boat once, but decided the expense and maintenance cost made it not a smart idea).

“Put the coke back in the bag?” I swore off soft drinks over ten years ago. If he was referring to a different kind of “coke,” the only drugs I use are aspirin or Advil and only when the pain is really bad. And although it's a little disconcerting to be so completely misrepresented, I’m actually really heartened to see someone besides me defending our country.

Because I love my country. That’s why I will always speak up when I believe it's going off track. And that’s why I will also speak up against those who try to make it look bad when it hasn’t gone off track, as the perpetrator of the NNW web site did by pretending the DHS approved his recommendations for illegal spying on your neighbors.

Based on reader feedback, I’m not the only one who’s concerned about some of the recent government trends toward turning against our own people instead of just fighting the enemy, the new presumptions of guilt until proven innocent and, relevant to the newsletter, the way technology is being used/misused to further that. But - contrary to what some readers seem to believe - that is by no means the only subject of recent editorials (see “Politics of Change in the Tech World,” which is not about politics but about technology, “Who Owns that File Format?”, “You Can Take it With You (Windows Settings, That Is)”, “Wireless on a Plane,” “Will Robots Replace Your Pet?” and others).

The editorial is called that because it offers opinions. I certainly don't expect everyone to agree with mine. But I do wish they would find out what the opinion actually is before disagreeing with it. Many, many readers did read it all and did get it, and I appreciate your responses and will be printing some of them (along with a link to this blog post) in the follow-up in next week's "dull e-rag."

And for anyone who wishes I'd write about something else, please send me your topic suggestions.

 
deb@shinder.net

April 23

I've been pucked - at SeaTac

The Canadian group had their own little game going at the MVP Summit this year. They each had a number of hockey pucks, emblazoned with different Microsoft product logos. There were three different product pucks, and somewhere out there were ten pucks with the MVP logo. The objective was for us non-Canadians to collect all four different pucks, and if we did, we would win a genuine Canadian jersey so we could go around impersonating a Canadian and saying "eh" for the rest of the Summit.

Well, I managed to get all three product pucks on the first day - but I never did snag one of the rare MVP pucks. It was my own fault; I came soooo close. Dana Epps, a noted leader in the Canadian Contingent, actually had one when I asked - but I had left my other three pucks back at the hotel and he required that he be shown the others before he would give up the MVP puck. Well, Dana, here they are:

[Image: My three pucks - minus the all-important MVP puck]

Oh, well. I figured they would make good souvenirs. And if they decided to do the same thing next year, I'd be ahead of the game. :) I put them in my computer bag and forgot about them.

Then we got to SeaTac airport. When my bag went through the x-ray machine, suddenly the TSA folks got real interested. The fellow monitoring the machine called someone else over, then another person. They whispered amongst themselves, and then asked me to step over to the side so they could search my bag.

Well, this bag happens to have a built-in holster where I sometimes carry my gun on rare occasions when my clothing makes it difficult to carry on my person. It was empty, of course, but I figured that was what was causing the consternation (even though no one had said a thing about it when we flew out of DFW ... Seattle is, after all, on the left coast and I figured they might get a little more excited about things like that).

However, the agent who searched my bag passed right over the holster without a question. "What do you have in here?" She asked. Well, gosh, lots of things: my cell phone, chargers for my laptop, phone, and toothbrush, keys, my watch, my wallet, some of the little gifts they had given us at the Summit ... finally she gingerly lifted out a small round rubber object labeled "Windows Server 2008" and asked "What is this?"

"A hockey puck," I replied. "There should be two more in there." She dug some more and came up with the rest. "This is very unusual," she said, turning them over and over in her hand as if trying to find the magic button to activate them. "I'll have to x-ray these," she said finally, and took off with them. She didn't come back for a while, but when she did, I guess she had ascertained that 1) they really were hockey pucks and 2) there's no rule against taking hockey pucks on the plane. She put them back into my box, apologized about four times for the inconvenience and sent me on my way, with my dangerous-looking hockey pucks tucked back into my computer bag.

The moral of the story is: if you want to take hockey pucks onto a plane in your carryon luggage when you're flying out of Seattle, be prepared for some extra scrutiny. I guess all those Canadians must have brought their pucks in packed in their checked baggage.

More on the MVP Summit

Well, it took a little longer than anticipated to catch up on everything that had piled up in my Inbox during our Seattle trip, but I finally have time to breathe (and blog) again.

The best technical presentation I attended at the MVP Summit this year was (once again) Mark Russinovich's. He talked about security boundaries in Windows, what a security boundary is, what's not a security boundary (e.g., UAC and PMIE) and why the difference matters.

I did a high level overview of the subject for this week's VistaNews (to be published tomorrow, April 24 at www.vistanews.com) and I'll be doing a more technical discussion later. Meanwhile, I think some folks will be surprised to learn that so many of the new Vista features touted as "security features" may not provide quite as much security as they thought.

Steve Ballmer's keynote speech was fun and inspiring, as usual. It was nice seeing Bill there last year, but he just doesn't stir the old Microsoft spirit the way Steve does.

[Image: At the keynote on Thursday]

The press latched onto his comment that Vista is a "work in progress" but that was really only a passing comment. Steve was very responsive during the Q&A session and even immediately put on the Maple Leaf jersey given to him by the Canadian Contingent.

Speaking of which, it seemed as if the theme of this year's Summit was "Canadians, Canadians, Canadians." The last few years, their numbers seem to have been growing steadily and they always display their patriotic pride, but this year it seemed as if about a quarter of the auditorium was filled with people wearing those red and white jerseys.

[Image: All those red and white jerseys represent Canadians]

Next year, I plan to try to organize my fellow Texas MVPs in a similar way (maybe we'll give Steve-O a ten gallon cowboy hat). Then we can form a Texas-Canadian alliance and really take over the conference. :)

One of the fun things about the Summit is catching up with old friends (as well as meeting new ones). On the last day, we ran into Thomas Lee, whom we've known online since the 90s.

[Image: Me with Thomas Lee (and Canadians in the background)]

There were lots of brand new MVPs at this year's conference, too. Here's Tom with Joli Ballew, one of our fellow Texans (and one my own nominees to the program):

[Image: Tom and Joli]

April 18

Sleepless Again in Seattle - MVP Summit 2008

It's been a hectic week but another MVP Summit has now come and gone. Every year is the same in some ways, different in others. It's good to connect with old friends and to meet new ones. We look forward to the sessions and invariably, some are disappointing and others are well worth the price of admission by themselves.

This year's Summit started out on a so-so note. Some changes were made and not all of them seemed good. The keynote speeches from Ray Ozzie and Steve Ballmer were moved to the last day of the Summit instead of the beginning. I think that got things off to a slow start - the keynote traditionally is what invigorates the participants and gets us enthused about the rest of the week.

This time, instead, there were "open sessions" on a variety of topics at the Seattle Convention Center on Monday. The problem was that Microsoft was paying for accommodations for MVPs Monday through Thursday nights. That means unless we wanted to pay for Sunday on our own (or take advantage of a "double up" program whereby you could get Sunday paid for if you shared a room with another MVP), you probably didn't get into town until sometime Monday. And with air travel the way it is, lots of folks didn't make it to the Convention Center until most or all of those sessions were over.

At the Welcome Reception, it was immediately evident that quite a few MVPs who had been there in the past weren't in attendance, and that there were quite a few newbies. The Canadian Contingent has grown to startling proportions; seems half the room was filled with folks in red and white jackets emblazoned with the Canadian flag. I admire their patriotism and hope to organize the Texas MVPs in a similar fashion next year. Maybe then we can form a Texas-Canadian alliance and take over for real. :)

On the Microsoft campus, things were a tad different this year for us Security MVPs. Last year we were treated like royalty. This year, not so much. Not that it was bad, it just wasn't special. The fantastic team of people we had taking care of us at the 2007 Summit - Melissa Travers as our lead and Cami Schwann organizing our dinners and parties - left us a little spoiled, I guess.

For me, the highlights of the week were Mark Russinovich's presentation on Wednesday and Steve Ballmer's keynote and (especially) Q&A session on Thursday.

This weekend, after we get back home and I get a chance to sort through my notes, I'll write about some of the (non-NDA) topics that were discussed and post some photos. Meanwhile, I'm crossing my fingers in hopes that today's flight back to DFW goes as smoothly as the trip up here. I had a great time, but I missed my cats - and the Texas sunshine. I'm really tired of having fuzzy hair every day from the rain. :)


DEBRA LITTLEJOHN SHINDER
deb@shinder.net  www.debshinder.com

March 04

Microsoft Small Business Security Quiz

The Microsoft Small Business Center provides tech support and security guidance for small businesses, many of which don't have the resources to hire full time IT security personnel - or in many cases, even a full time network administrator.

A security breach can be costly to an enterprise, but it can be completely devastating to a small business that's operating on a tight budget.

If you're responsible for securing the network of your small business, take this security quiz to test your knowledge. It may make you stop and think about some ways in which your own network is vulnerable:

http://www.microsoft.com/smallbusiness/support/quiz/quizquestions.mspx 


deb@shinder.net

February 27

What's Silverlight and do you need it?

I got an email message today asking this question, and it occurs to me that there are probably a number of people out there wondering the same thing. Silverlight is a Microsoft technology for developing web applications to support multi-media content such as animation, video playback, and interactive features. To view this content, users need to download the Silverlight plug-in for their browsers. From the user point of view, it's similar to Flash or Shockwave.

With Silverlight, browsers can play MP3, WMV and WMA files without Windows Media Player or the WMP ActiveX control. It uses XAML (the Extensible Application Markup Language) and version 2.0 includes the .NET framework, which enables it to run .NET code.

Do you need it? Right now, maybe. You need it to access some content on some pages. Will you need it in the future? Probably. If/when it becomes widely implemented, you'll need it to access more and more of the content on more and more pages.

As a user, you probably don't really care much whether content is delivered via Silverlight, Flash or some other platform. For developers, Silverlight provides a new, flexible platform for creating applications for the web. Developers can use Visual Studio 2008 to develop Silverlight applications, and Expression Blend 2.0 to design the user interfaces for them.

To find out more about Silverlight, download Silverlight 1.0 and view a demo of Silverlight 2.0, see http://silverlight.net/ 

deb@shinder.net

February 20

It's scam season

It happens every year around this time, but may be exacerbated this year by political events: people are getting email messages purporting to be from the IRS and asking you to visit a website and submit your "refund request form" for quick processing. I had three in my mailbox this morning.

My reaction is "yeah, right." As a small business person, I don't get tax refunds - I get to write big checks every quarter. But with all the news about Congress passing a law giving a rebate to almost all taxpayers (the "almost," of course, referring to those of us who pay the most taxes of all who get nothing), some folks out there may be fooled by this one, or at least tempted.

Just in case you aren't tipped off by the brevity of the message (when did you ever get a letter from the IRS that was less than five pages long?), here's a clue that it's bogus: Hover your mouse pointer over that link that it instructs you to click. Here's what you'll see:


Instead of going to some .gov address, the link points to a website in the .ro top level domain - in Romania. Isn't that taking government outsourcing a bit too far?

Hit the Delete key as fast as you can on these. Do not click the link, do not pass Go and - unfortunately - do not collect $268.
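The hover-and-compare check described above, written out as a small script you could run over a suspicious message's HTML instead of hovering link by link. This is an added example, not part of the original post; the sample message, its hostnames and its IP address are constructed placeholders, not real scam indicators.

```python
"""Flag <a> tags in an HTML e-mail whose visible text suggests one destination
while the href points somewhere else: the IRS 'refund request form' pattern,
where the text looks like irs.gov but the link goes to a .ro host.

Added example, not from the original post. SAMPLE_EMAIL_HTML is constructed;
the hostnames and the 198.51.100.7 address (TEST-NET-2) are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: two deceptive links, one honest link.
SAMPLE_EMAIL_HTML = """
<p>Dear taxpayer, submit your refund request form for quick processing:</p>
<a href="http://refund-form.example.ro/irs/index.php">https://www.irs.gov/refund</a>
<a href="http://198.51.100.7/irs.gov/">Click here to claim $268</a>
<a href="https://www.irs.gov/individuals">IRS individuals page</a>
"""

# TLDs a genuine U.S. government mailing would resolve to.
GOV_TLDS = ("gov", "mil")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or None when the URL has none."""
    return (urlparse(url).hostname or "").lower() or None


def registered_tld(host):
    """Last label of a hostname ('gov' for www.irs.gov); '' for IPs/no dot."""
    return host.rsplit(".", 1)[-1] if host and "." in host else ""


def classify_link(href, text):
    """Return the reasons a link is suspicious (empty list when it is not).

    Three checks: the visible text is itself a URL or hostname that differs
    from the real destination (the hover test), the destination is a bare
    IP address, or the text claims the IRS / a .gov name but the href's TLD
    is not a government one."""
    reasons = []
    href_host = host_of(href)
    if href_host is None:
        return ["href has no hostname"]
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    shown_host = shown.group(1) if shown else None
    if shown_host and shown_host != href_host:
        reasons.append(f"text shows {shown_host} but link goes to {href_host}")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
        reasons.append("link target is a bare IP address")
    claims_gov = bool(re.search(r"\birs\b", text.lower())) or \
        (shown_host or "").endswith(".gov")
    if claims_gov and registered_tld(href_host) not in GOV_TLDS:
        reasons.append("claims a government source but destination TLD is "
                       f".{registered_tld(href_host)}")
    return reasons


def suspicious_links(html):
    """Return [(href, text, reasons)] for each link with at least one reason."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```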


deb@shinder.net

February 18

Presidential election gets scarier with new Trojans

As if the U.S. presidential elections weren't scary enough, now malware attackers are getting into the act. The latest threat is a spam message containing what purports to be a link to a video of a Hillary Clinton campaign speech, but in reality clicking it will download a Trojan onto your computer. Ouch.

Of course, computer users should know by now not to click links in unsolicited email. Maybe the prospect of a video of Hillary will prove less tempting than previous similar scams that used the names of Paris Hilton and Pamela Anderson, but in today's politics-crazed world, who knows?

You can read more about this threat here:
http://www.symantec.com/enterprise/security_response/weblog/2008/02/you_know_its_election_year_whe.html


deb@shinder.net

February 12

How to protect yourself from Vista speech rec exploits

Over on ZDNet, George Ou has done some more testing on Vista with SP1 RTM installed, and discovered that the speech recognition feature can still be exploited by malicious sound files. The gist of it: If you have speech recognition turned on and are using a desktop microphone and speakers, the input from any file played through the speakers will be picked up by the mic as if you said it yourself, and processed as a voice command. That means an attacker could put a sound file on a web site that plays automatically when you visit the site, which uses the speech rec commands to delete files on your computer or do other nasty stuff.

George rightly points out that although there may not be a lot of people using this feature this way, it's a legit security concern. And speech rec is likely to get more popular in the future. My HP TouchSmart kitchen computer has built-in mic and speakers and its location and function as a family machine for leaving notes, etc. makes it a logical candidate for speech rec - except that I don't really like talking to the computer. That's a personal quirk, though, and lots of people long for Star Trek-like systems with which they can hold a conversation.

Just how big of a problem is it? That depends on your security needs and your normal computing habits. I have to disagree slightly with George that the only thing you can do to prevent exploits is disable speech rec altogether or use a headset. Knowing there's a mugger or rapist on the prowl in your town doesn't mean you have to stop ever going anywhere, but it does mean you'll want to take some extra precautions and stay alert when you're out there. Likewise with this threat.

Just as I can reduce my chances of being a rape victim by staying away from areas that are more dangerous (dark alleys, deserted parking garages, lonely and unlit areas of parking lots, etc.), I can reduce my chances of being victimized by a speech rec exploit by staying away from known risky web sites (warez, MP3, and porn sites), not following links unless I have a good idea where they'll take me, watching out for embedded sound in email messages, and avoiding playing any sound files whose origins I'm not sure of.

The next step is to practice due diligence wherever I do go. That means paying attention to what's going on around me and reacting when something out of the ordinary happens. It also means having a plan and the means to protect myself if I am attacked. On the street, I'm usually armed with both a licensed concealed handgun and a cell phone. A loud whistle is also a good idea, and some people are more comfortable with pepper spray than a firearm. The point is to have a plan.

If a sound file does say "start listening" (or some other voice command) loudly enough for my mic to hear it, I'll hear it too if I'm sitting at the computer, and should be able to take action to stop it from doing more (i.e., hit the Mute button to prevent it from issuing any further commands).

And just as I don't, in today's world, leave my house or car unlocked when I leave lest a bad guy sneak in while I'm gone, I don't go off and leave my computer sitting there unlocked with speech rec turned on, either. It only takes one click to lock the desktop and voice rec can't type in your password and start playing voice files while you're away.

I agree with George that a more secure solution would be to require a password (or maybe a keyboard sequence) to start voice rec listening in the first place and/or to prevent sounds played by the computer from being processed by voice rec. But in the meantime, if you do want to use the feature, it's possible to do so responsibly and relatively safely. Awareness and a few extra precautions are the key.

We should be thanking George for raising that awareness.

deb@shinder.net

February 11

The End of an Era

http://www.dallasnews.com/sharedcontent/dws/bus/ptech/stories/020908dnbuspolaroid.2074eca.html

All my life, one of my very earliest memories has been a family gathering at which my uncle showed off his new camera - a Polaroid that took instant photos. Well, almost instant. You had to wait a minute (exactly a minute, so you needed a timer or watch with a second hand) and peel off the picture, then you had to coat it with a liquid from a tiny vial in order to keep it from fading away. According to relatives, I was about three years old at the time.

The reason this little scene stuck so hard in my mind, I think, was the utter amazement of everyone at this magical device. If I was three, this was the late 50s, and although instant photography was invented by Edwin Land and the first such cameras introduced in 1948, the Polaroid Land Camera was still a bit of a rarity amongst the "common folk" a decade later.

This was one of those big old models with a folding bellows (not sure of the model number, but I remember it looking something like the model 80A pictured here). I would become familiar with many other models over the years. I got deeply into photography in the 70s and had a collection of Nikons and a few medium format cameras. I also had a top of the line Beseler color enlarger and did my own darkroom work. I spent thousands on good equipment, but I always had at least one cheap Polaroid camera around, too. You just couldn't beat the ability to see the picture right there in the field, and make lighting and exposure corrections in response.

The digital camera was bound to make instant film photography obsolete (and, indeed, has almost done the same to film photography in general). Although the price of the cameras themselves was always reasonable, taking Polaroid pictures was always a fairly expensive proposition because of the cost of the film, generally at least a dollar per picture. Digitals give the same instant gratification (and it's even more instantaneous) and you can pick and choose which pictures to print (if any). The cost per usable photo goes way down, and of course you have the option of printing your pictures in whatever size you want, instead of being stuck with the size dictated by the film.

I haven't used a Polaroid in years (although I think I still have at least a couple stored away in a box somewhere), but I was sad to hear that the company was finally ceasing to make instant film for those legacy cameras. I love my digitals, from the inexpensive but amazingly sophisticated pocket cams to the DSLRs, but I don't think anything I've produced with them can ever replicate the anticipation and excitement of waiting for a Polaroid print to develop.

Of course, there were eventually other companies that made instant cameras - but just as "Xerox" will always represent the copy machine to many people, "Polaroid" will always be synonymous with instant photography.  I'm sort of glad Mr. Land isn't around to see the demise.

Meanwhile, the company (which filed for bankruptcy in 2001 and was reformed by a subsidiary of Bank One) is now reinventing itself. It will now make digital cameras and other electronics, including a fantastically small inkless portable printer. It's a very Polaroid-like product.

deb@shinder.net

February 02

The Friendly Neighborhood Cable Company (Not So Much)

So after getting my kitchen Media Center PC running great, and getting TV running on my primary desktop computer with the great OnAir Creator, yesterday we wake up to find - no cable signal. Knowing that cable isn't the most reliable of technologies, we wait a while to see if it comes back up. Nope.

Next step is to check the GFCI outlet on the outside of the house that the cable amplifier plugs into. We only know to do that because this happened once before and that was the culprit. But the reset button on it isn't popped out, and the pool lights, which are on the same circuit, still work, so that doesn't appear to be the problem this time.

So I guess there's no other choice. I have to call the cable company. I wade through the menus, pressing 1 until I get to the part where the automated voice tells me she's going to check my account. Then she comes back and says "We have no indications of an outage in your area" and gives me the choice to hang up or press 0 for a customer service rep. Well, yeah, I think I'll take 0. Duh.

Then I descend into Hell On Hold. My estimated waiting time is said to be 5 to 10 minutes. It's "only" 9, but it seems much, much longer. I understand having to hold - but why must I listen to commercials for the entire time? How about just elevator music, or better yet, blessed silence until someone is free to talk to me? And if I must listen to commercials, must it be the same four commercials over and over and over? Five minutes into it, I'm ready to pull my hair out. I put it on speaker and go back to work. Because the silly thing is blathering away all the time, at first I don't hear when a real person finally does come on the line.

"Hello? Is anybody there?" Oops - I grab the phone. "Sorry, I've been waiting on hold for about a week," I say. "How long???" She asks in a horrified voice. Calm down, girl. Just a figure of speech. "Never mind. I'm having trouble with my cable service."

Well, of course before she can help me, she needs to know my phone number (a big, fancy, rich company like Time Warner apparently doesn't have caller ID), then my name and address, then the last four digits of my social security number (which I gave them against my better judgment because they insisted on it when I set up the account). Then she asks if I want to set up a PIN to use instead of the social security number. Well, that would've been nice to do in the beginning, but they already have the number now so I'm not sure what great good it will do. Nonetheless, I opt for the PIN.

Finally we can get down to business. I describe my problem (static on all channels) and she schedules someone to come out on Monday between 11 and 2 (actually a fairly decent window; last time I needed service from the phone company it was "sometime between 8 a.m. and 6 p.m."). She still seems a little wary of me - I guess the "on hold for a week comment" won't be forgiven. By the time we hang up, I think she's as relieved as I am that the call is ending.

So now I wait. And once again consider switching to FiOS, if only because their customer service people are always so nice. Then once again reject the idea because I don't want to have to deal with set top boxes that don't work nearly as well with the Media Center (and I certainly don't want to have to have a set top box in the kitchen, too).

And meanwhile, no more TV on my desktop, and we missed recording Stargate: Atlantis last night. Now I remember why we quit watching TV at all for five years.

deb@shinder.net

January 31

Make UAC less annoying without turning it off

One of Vista's best security features is User Account Control (UAC). It solves the problem of people logging on with administrative accounts for everyday computing tasks, a practice that could put your system at risk in Windows XP and prior operating systems. With UAC, even administrative accounts run with standard user privileges unless and until elevated privileges are actually needed to perform a task. Then a dialog box pops up so you can explicitly authorize the elevation.

But many Vista users don't like UAC. They find it too "in your face" and don't like being nagged for permission every time they want to, for example, install a program - especially if they're setting up a new OS and installing many programs at a time. It is possible to disable UAC - so they do. But then they lose its protections, including IE running in protected mode, applications starting by default in standard user mode, and so forth.

You can use Vista's local security policy to modify UAC's behavior, but now there is another, easier alternative. A freeware program called TweakUAC can be used to turn UAC on and off, but it also gives you the option of operating UAC in quiet mode. This doesn't turn UAC off, but it does suppress those elevation prompts when you're logged on as an administrator, which so many folks find so annoying. All the other features of UAC are still enabled, and non-administrative user accounts will still get the elevation prompts.

You can find out more about TweakUAC and download it from this website:

http://www.tweak-uac.com/

deb@shinder.net

January 29

Will someone please teach Word 2007 to count?

Am I the only one who has this problem? I've never seen anything about it on any of the forums, and it's a small thing but a highly annoying one for someone who makes a living writing articles - often to a specified word count.

I really like Office 2007. I like the new ribbon interface. I like the new XML based file formats. What I don't like is Word's tendency to forget how to count.

When I first switched to 2007, I was delighted with the fact that the word count is shown in the status bar at the bottom of the screen on a continuous basis, rather than my having to enable a word count toolbar and click its button every time I wanted to know how many words I had. But soon I noticed that the word count often gets "stuck" for no apparent reason. I'll type along for a while, and notice that the word count is still displaying the same number it was several paragraphs ago. What's up with that?

[Image: In this doc, the word count is shown as 551. The problem is that this doc actually has 820 words.]

Sometimes, if you keep on typing, it comes "unstuck" and catches up, and once again starts increasing the word count as you type. Sometimes it doesn't. My rather inelegant solution in the latter case is to do a Copy All and paste the document into Open Office's word processing program, and click the word count tool there to find out how many words I really have.

I don't like that solution much. Does anyone out there know what causes this and how to fix it?

deb@shinder.net

January 26

Use S/MIME to encrypt messages in Outlook 2007

I'm often asked about email encryption, and readers want to know what programs they can get to protect their email messages. Many don't know that they can use S/MIME in Outlook to exchange encrypted email with other users whose email clients support S/MIME v3, without having to buy a third party program.

S/MIME (Secure Multipurpose Internet Mail Extensions) is a standard that was originally developed by RSA and conforms to IETF specifications. It's based on digital certificates and so depends on a Public Key Infrastructure, either a public or in-house PKI. It can be used for both authentication (digital signing of messages, which does not encrypt the content of the message but assures the identity of the sender) and confidentiality (encryption of the contents).

You can see a demo on how to encrypt one or all messages in Outlook 2007 here:
http://office.microsoft.com/en-us/outlook/HP012305361033.aspx

What's the downside of encrypting email messages? The main concern from a security viewpoint is that gateway virus and malware scanners can't detect malware in encrypted mail. This means the mail needs to either be decrypted at the gateway (thus defeating the purpose of end-to-end encryption) or it needs to be scanned for malware at the endpoint after it's decrypted.
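The signing-versus-encryption distinction above is exactly what a gateway scanner has to act on. As an added example (not from the original post or from any Outlook or gateway product), the constructed messages below carry placeholder base64 blobs in place of real CMS data; the triage logic only looks at the MIME structure.

```python
"""Gateway triage of S/MIME mail: which messages can still be scanned for
malware at the gateway, and which must be scanned at the endpoint?"""
from email import message_from_string

# Constructed messages (no real CMS data; the base64 blobs are placeholders).
SIGNED_MSG = """\
From: alice@example.com
To: bob@example.com
Subject: clear-signed
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Quarterly figures attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

ENCRYPTED_MSG = """\
From: alice@example.com
To: bob@example.com
Subject: encrypted
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""


def classify_smime(raw):
    """Return 'clear-signed', 'opaque-signed', 'encrypted' or 'plain'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return "clear-signed"      # body travels in the clear, signature alongside
    if ctype == "application/pkcs7-mime":
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "encrypted"     # content recoverable only with the recipient's key
        if smime_type == "signed-data":
            return "opaque-signed" # content wrapped in CMS but not encrypted
    return "plain"


def gateway_decision(raw):
    """Return (action, text_parts). Encrypted mail yields no scannable text,
    so the only sound choice is to scan after decryption at the endpoint."""
    kind = classify_smime(raw)
    if kind == "encrypted":
        return "defer-to-endpoint", []
    if kind == "opaque-signed":
        return "unwrap-cms-then-scan", []
    msg = message_from_string(raw)
    texts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "scan-here", texts
```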

deb@shinder.net

All federal computer networks to be monitored by NSA

The U.S. federal government has undertaken a new initiative with the objective of protecting government computer networks from hackers and attackers. President Bush signed an order to that effect, which reportedly gives the NSA authorization to monitor the networks of all federal agencies and creates a task force that's headed by the Office of the Director of National Intelligence and incorporates the efforts of the Department of Homeland Security and the Pentagon. You can read more here:
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261.html?hpid=moreheadlines

Having the government monitor its own networks seems like a good idea. However, some folks wanted private sector networks - such as those of banks, power plants and other important components of the national infrastructure - to be included. I see two problems with that: First, there's a privacy issue. Having the government monitor networks in the private sector, even monitoring for attacks, makes me uneasy. The government can already intercept and read everything that goes over the Internet. Should they be able to also intrude into the private networks of major companies? How long before that extends to all companies, and then to our home networks as well?

And even if privacy weren't a concern, should the government (i.e., the taxpayers, i.e. you and I) have to pay for it? Aren't we already paying for enough? Some of these companies make huge profits. Shouldn't protecting their networks from attack be their responsibility, not the government's?

deb@shinder.net

January 23

Followup and Full Review: AutumnWave USB Tuner with Vista Media Center

Last week (January 16 post) I gave my first impressions of the AutumnWave OnAir Creator USB TV tuner. Since that time, I've put it through its paces and tried hard to reproduce the problems that I was having with the WinTV device. No matter how long I leave it running, though, there's no system instability, there are no conflicts with other applications, no memory hogging - no problems whatsoever. It just works.

Running live TV on Vista Media Center consistently uses about 4-6% of memory and almost no processor time, as encoding is taking place on the device itself. The picture quality is much clearer and sharper than it was with the WinTV device, using the same cable source. With the AutumnWave, I can watch in full screen mode, which didn't look good at all on the other device. With the OnAir Creator, the output from an analog cable signal looks almost as good as digital.

Unlike the WinTV and other low-cost "stick" type tuners, the OnAir Creator has inputs for S-video and composite audio/video signals in addition to the coax connector for cable or antenna and it will support Dolby 5.1 sound from HD channels that broadcast it so you can play it through your computer's 5.1 speaker system.

Although there is little need for it with Windows Media Center, the included software is also much more sophisticated and user friendly than that which came with the WinTV tuner. The Channel Manager is designed much like Windows Media Center, with the same familiar controls for playing, stopping, recording, volume, etc. The Scheduler is much more user friendly than the web-based scheduling system used by WinTV.

[Image: The interface for the program is sophisticated and user friendly]

I also like that the User Manual is in .chm (Windows help file) format instead of PDF as many online manuals are these days.

[Image: The OnAir Creator's Help files are in a nice format]

The manual, however, is only for the included software and doesn't address using the device with Vista Media Center. Luckily, that's a no-brainer. Again, it just works.

I'm very pleased with the OnAir Creator and won't hesitate to recommend it to anyone who wants the best possible experience from a USB TV tuner. It's true that you might be able to get an internal tuner for less, but if you have a compact computer with no extra expansion slots, or you already have all the slots filled, or you want to watch TV on a laptop, or you just don't want to open up the box, this little device is the answer.

deb@shinder.net

January 20

Followup: HP TouchSmart

Seems the TouchSmart is smarter than we are. I reported that the included wireless keyboard didn't work. Well, now it does, and the solution is a little embarrassing.

The keyboard came with batteries installed; you're supposed to pull a little tab to allow them to connect. Did that, and it didn't work. Our first thought was that maybe the batteries are no good; you often find that with cheap included batteries.

Tom changed them, and he took out the included ones and put the new ones in facing the same way as those. And it didn't work with the new batteries either. Well, a couple of days later I decided to try the keyboard again, and thought "what if, by some wild coincidence, both sets of batteries were bad?" So I opene