Showing posts with label Security/Bugs. Show all posts

Tuesday, December 11, 2007

Three Dollars Too Much

To try and thwart Nicholas Negroponte's One Laptop Per Child effort, Microsoft is making copies of Windows available to a competing Intel box for $3, as I understand it. They are also working to make a version of Windows that will run on the OLPC, presumably for a similar price.

I know a lot of people that use computers. Before I left the big city to head for the beach I might have had conversations about home computer use (leaving out work related use for the moment) with dozens of people. But having been in the boondocks for a while my circle of friends has grown smaller. Get this though, here is the percentage of my Windows using friends who are reporting significant problems with their home installations: 100.

It just struck me the other day that I don't know any Windows users, not one, who isn't having problems, and I don't mean minor problems, I mean major "lost everything" problems. To help convince you that I'm not making this up, here are their stories, names omitted to save them the embarrassment...

Case A is a retired technologist, programmer for the Apollo moon missions, inventor, and aspiring author. He doesn't want to tinker with computers any more, he just wants to write his books. For months he has been doing so on a laptop, without major incident, but having "normal" Windows user issues with pop-up ads, spy-ware, spam, and drivers mysteriously failing to do what they used to do. His reaction to these problems has been to remove almost everything except Microsoft Office from his machine. Having sent him either links, or actual files that require Adobe Acrobat or Real Player I find that he has uninstalled those things out of fear. Nevertheless he managed to get Internet Explorer outfitted with so many "helpful" tool-bar additions that there was little screen real-estate left over for anything else. His sound card stopped making sounds, pop-ups continued to pop up and he complained that the machine was getting slower and slower. He didn't want to try Firefox though as Microsoft has succeeded in convincing him that his problems have nothing to do with Windows itself, but just that big-bad world that it has to live in on the Internet.

He recently called in a panic to tell me that his machine, a laptop, suddenly wouldn't boot at all. Long story short, he had installed yet another "security" package from his ISP that had caused the condition. A trip to the shop for an overnight stay and $65 later the machine was working again. Fortunately, the fact that he hadn't done a recent back-up didn't cost him anything as they were able to retain his existing file system. Fortunately or otherwise, he was so shaken by the experience he purchased another PC as a "back-up machine" on the rather safe assumption that a similar thing will soon happen again. If the medicine makes you sick, try taking more of it.

Case B is a dear little lady that I agreed to help with her e-mail problems. Now I've steadfastly refused to get involved with anyone's Windows issues other than offering generic advice such as "why are you still using that crapware?" but in this case the problems seemed to be mostly "older person trying to cope with new-fangled technology", so I stop by once in a while to get her unstuck with sending a reply, forwarding a message, or attaching a photo. Unfortunately this has turned into three machines so far. The last one I purchased myself, used, from a shop I trusted, with a clean install of Windows XP and little else. I put on anti-virus programs and such, and so far so good. I can't be sure that her earlier machines were hardware or software failures. At some point it gets hard to tell from a post-mortem point of view. Power supplies burn out, fans die and machines overheat, often after running at 100 percent CPU for days at a time doing no-telling what in the background. If she manages to kill this machine, her next one will run Linux. Enough is enough.

Case C is a minister, on a dial-up connection, who really doesn't do much more than e-mail and print out church related materials from time to time. When I first saw his machine it had an obscure virus that was not removable by any of the major packages that are supposed to do such things. Fortunately I learned this through research, which was much quicker than trial and error. He too took it to a "competent" shop who managed to get rid of the virus and most of his applications software at the same time. I'll be installing Open Office for him and he is already using Firefox, thanks to some other kind soul he ran into. Should the need arise, he will already be over the hurdles that tie most people to Windows.

Case D is a couple of guys that run a small home business involving shared files with several other people working at home. Their Windows machines, although of relatively recent vintage, are always bogged down doing something in the background that nobody can quite define. Opening a web page is a go-to-the-fridge-for-another-coke sort of operation at times, and while some of this problem is a slow ADSL connection and a care-less Verizon support system, my Apple laptop works pretty well on their network, even wirelessly, while their hardwired desktop systems continue to crawl.

Finally, the co-workers in this small business are always having trouble with their PCs too, except for the one Apple user of course. So those machines have to be regularly hauled over to "headquarters" for diagnosis and I dread even hearing about the long tortuous road to recovery, which is often followed by an almost immediate relapse.

So those are my sample points. All of them. Other people I know that are using Apple computers or Linux haven't been complaining much about slow systems or slow Internet or random crashes. Oh I know, there are Apple machines that are junk (I had one of those once too) and Windows machines that perform flawlessly, those just don't happen to be in my universe of users at the moment.

Worth three dollars? Hardly.

Thursday, June 28, 2007

Theo de Raadt on 'Intel Core 2'

"- Basically the MMU simply does not operate as specified/implemented in previous generations of x86 hardware. It is not just buggy, but Intel has gone further and defined 'new ways to handle page tables' (see page 58).
- Some of these bugs are along the lines of 'buffer overflow'; where a write-protect or non-execute bit for a page table entry is ignored. Others are floating point instruction non-coherencies, or memory corruptions -- outside of the range of permitted writing for the process -- running common instruction sequences.
- All of this is just unbelievable to many of us."

also...
(While here, I would like to say that AMD is becoming less helpful day by day towards open source operating systems too, perhaps because their serious errata lists are growing rapidly too).


I guess I'll stick with my old "previously owned" P4 computer for a bit longer after all.

Monday, March 05, 2007

Wired: AP Technology and Business News from the Outside World on Wired.com

As the professor on Futurama says: "Good News Everyone!"...

"Diebold Inc. saw great potential in the modernization of elections equipment. Now, analysts say, executives may be angling for ways to dump its e-voting subsidiary that's widely seen as tarnishing the company's reputation."


Good news, because Windows based flaky touch screen systems will get a much deserved black-eye.

Good news, because maybe a few taxpayers (regardless of political affiliation) will be outraged by yet another wholesale replacement of voting systems by what is (almost**) certainly going to be more of the same. You think the laptop, touchscreen, and software (particularly Microsoft) sales reps are going to just sit idly by as Diebold leaves the playing field? With luck a few well placed (and in as many cases as not Democratic leaning) election officials will be publicly driven from office. Do I care whether they are corrupt or just stupid? Um, no. In fact, corrupt governments might tend to watch how they spend our money more carefully. I want the spending on things that obviously don't work to stop, no matter what the cause.

Good news, because it might serve to remind people how close some of the 2006 results were (just as close in many cases as Florida 2000) and yet very few of these results were contested by Republican losing candidates, who could have wasted more taxpayer money with a nod. The one case of contested results in the states surrounding me was in fact one in which a Republican won by a comfortable margin. The Democrats called for a recount anyway. There is no doubt who the "ends justify the means" crybabies are (except in the mainstream media that is).

Good news, finally, because there is (**at least) some chance that the few stories of poor to non-existent systems analysis that went into these new touchscreen voting systems will yield some viable open source alternatives (in fact open source applications running on Linux are ready to go.)

I'll continue to spank posters on Slashdot, local forums, and newspaper editors, who imply that an election has only been mishandled when Republicans win. That shallow thinking HAS led to tyranny (even if a tyranny of "the masses") in other countries and it will do so here if not stopped.

Thursday, March 01, 2007

Black Hat Demonstrations Shatter Hardware Hacking Myths

Unless you were at Black Hat on Feb. 28, you probably woke up safe in the assumption that if a rootkit hit your system, reimaging would remove it. You probably also thought that the best way to search a PC's volatile memory, or RAM, was by grabbing it with a PCI card or a FireWire bus.

You were wrong.

Thursday, January 25, 2007

Apple Fixes First Flaw From 'Month Of Apple Bugs' - News by InformationWeek

"A day after LMH unveiled the QuickTime flaw, a Mac developer posted his own patch as part of a response to the bug-a-day project. Landon Fuller, who works on the DarwinPorts project, said he stepped in as 'part brain exercise, part public service.' So far, he and other researchers have published fixes for 20 of the 23 bugs listed on the Month of Apple Bugs site. Earlier this month, Apple declined to confirm any of the Month of Apple Bugs vulnerabilities and only issued a standard statement saying, 'Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac.'"
Closed, secretive, non-responsive, Apple-Microsoft II?

Monday, January 22, 2007

Transcripts from House of Lords Microsoft Hearing Published

Laurie: As an example of the security of an open source product, there is a web server many people will not have heard of called Apache. Quite often when I am speaking at a high level conference I actually ask the question of the room, "Who here has heard of Apache?" and maybe ten per cent of the people in the room will know. I will then ask, "Who has heard of Microsoft?" - big laugh, of course everyone knows Microsoft, and then it surprises them to learn that Apache SSL, which is the secure web server version of it, has 70 per cent of the world market in secure servers. In its ten-year history there have only been three security alerts and two of those were because of external libraries that were being used, so there has only ever in its ten year history been one issue specific to Apache SSL itself.

Thursday, November 30, 2006

Vista Will Foil Office File-Format Attacks

Vista's Address Space Layout Randomization approach will stop some kinds of exploits, notably those that rely on memory manipulation, by arranging key data areas randomly in the available address space.


It should make "reboot and retry" diagnostic techniques a lot more interesting too! I can hardly wait to hear the war stories.

Monday, October 30, 2006

Commonsense Systems: Not!

But, hey, it's 2006. And surely I'm not the only person to have gotten married in, let us say, advanced middle age. I still use my maiden name for business and go by my husband's name for everything else. Especially when traveling with the kids--using different surnames on airplane tickets tends to make the Homeland Security guys very unhappy. And it's been a bit unhinging to have those little intimate talks in the side room with armed, unhappy people each time we travel together. (Happy vacation, kids! Pay no attention to that large man with the pistol!)


One day I noticed that the last few places I worked for in my very long DP career had one thing in common even though they were totally different "industries". That thing was that as a central function of the system they had to keep very careful track of people as individuals. Now any business is likely to have lists of customers and potential customers and sending one person two copies of the same bill, or two ads is undesirable. No, I'm talking life or death here, medical records, tourist visas, things like that. What surprised me was that there was no correlation between the importance of accurate identification and the care which went into solving the problem correctly.

People in some countries have very long names, and that has nothing to do with marriage, hyphenations, etc. Why is that last-name field 16 characters instead of 61 characters? I guarantee there is so much overhead in these databases these days that the extra space (especially if a variable length field) would make no difference from a storage point of view, and most databases actually perform BETTER with large numbers of distinct values than with many dupes. While the programmers and DBAs who don't have a clue are partly to blame, I think that MOST of the blame should go to the management of these organizations who don't even know how to ensure that fundamental business-rule objectives are being met.

Of course the fact that in some organizations the concept of firing someone for incompetence is unknown doesn't help matters.

Yes it CAN be a problem when individuals are not consistent about how they identify themselves, but a lot of that problem goes back to restrictive rules about what a person's ID CAN actually be. We need to allow for long names, middle names (vs initials) and even multiple part names of more than 3. If you can design a system with check-boxes for "Mr", "Mrs", "Jr" and so on that's fine and dandy, but you have to allow for variations that you might not have thought of too and you have to have software that can cope with some of these inconsistencies, unless you want to hire rooms full of people to apply "artificial intelligence" to the problem. Based on the type of people they usually hire to do this, I suspect any computer solution will be better on average. That is *IF* they put enough space in the fields to capture all of the information.

Thursday, October 26, 2006

Rutkowska: Anti-virus Software Is Ineffective

Of course, I'm still aware that it's not enough, as somebody can embed a very reliable and "silent" zero-day exploit for my .TXT editor in some README file. Or that they can find a bug in my Wi-Fi driver. Or an attacker can inject an exploit for my browser after setting up a man-in-the-middle attack in a hotspot at the airport.

So, from time to time, I might run some custom tools of mine to check the integrity of my system or start Wireshark to see what my traffic looks like. In other words, I'm not very satisfied with the existing commercial solutions, because I know how easy it is to create malware to bypass them all.

Tuesday, October 17, 2006

Nvidia rooted by Linux graphics bug

Nvidia supplied two graphic drivers for Linux - a closed source "binary blob" driver, which is subject to the vulnerability, and an open source driver, which is not subject to the bug. However, the open source driver lacks the acceleration features found in the closed source driver.


HEY! I gotta idea. Let's take out all those wasteful range and error checks and make this baby fly!

Wednesday, October 04, 2006

Firefox Flaw Demo Is Itself Flawed

"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities," he added.

"The main purpose of our talk was to be humorous. I apologize to everyone involved," Spiegelmock said.

Earlier Monday, Window Snyder, the new security chief of Mozilla, said her team had been unable to produce more than a browser crash with the exploit code. "Even though Mischa hasn't been able to achieve code execution, we still take this issue seriously," Snyder said in an accompanying message on the developer center site. "We will continue to investigate."


There are some things that ought not be joked about.

Tuesday, August 30, 2005

Secunia - Advisories - ELM "Expires" Header Parsing Buffer Overflow Vulnerability


Thursday, August 25, 2005

Viruses: The New Weapon of Choice for Workplace Violence Offenders

"A recent study sponsored by Risk Control Strategies, a threat management and risk assessment firm, found that an overwhelming majority of 223 security and human resources executives who manage between 500 and 900 employees said workplace violence is a bigger problem now than it was two years ago. As a result, 23% said employees have intentionally and maliciously downloaded viruses over the past 12 months. The study found that hitting employees in the pocketbook is prompting the burgeoning retaliation."

So, I wonder what pissed off all those CNN and ABC News employees recently?

Wednesday, August 24, 2005

Nasty Games of Hide and Seek in the Registry

"What started like a nice and quiet day ended with the potential for lots of nasty surprises. A reader alerted us to a vulnerability note published by Secunia that on first sight did not appear to be overly scary. Once we started to play with it, though, the nastiness became apparent: An overly long registry entry can be added, but won't be shown by regedit and regedt32. Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well.

[Pause, to give your wheels some time to spin]

Yes. This allows to add hidden entries under the famous HKLM\Software\MS\Windows\CV\Run. Entries that you can't see with regedit, but that will just as faithfully get run at startup."

Oh I love the Registry.

Introduced, I think, as early as Windows 95, it had very limited uses, as many programs continued to use the well known, easy to use and understand, and most importantly localized ".ini" files. This old system allowed you to uninstall Windows software by simply deleting the folder it was in! While not perfect, the ".ini" system solves many problems that the far more complicated Registry creates. All the hype over how wonderful the Registry was is what first made me suspicious that there was a screw loose in the Microsoft architecture department (not that they actually have such a thing).
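
A defender's check for the hidden Run entries described in the quoted note, added here as an example and not taken from the original post or from Secunia: it reads the key through the registry API instead of trusting regedit, then flags what a length-limited viewer would not show. Assumptions: the limit applies to the value name, `NAME_LIMIT` is a placeholder threshold (the note only says "overly long"), and enumeration order stands in for the order in which entries were added.

```python
"""Flag Run-key values that a length-limited registry viewer would not display."""
import sys

NAME_LIMIT = 255  # assumed placeholder; the quoted note gives no number
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def enumerate_run_values():
    """Read (name, data) pairs straight from the registry API (Windows only)."""
    import winreg  # imported here so the analysis below also runs off-Windows
    pairs = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        for index in range(value_count):
            name, data, _type = winreg.EnumValue(key, index)
            pairs.append((name, str(data)))
    return pairs


def audit(pairs, limit=NAME_LIMIT):
    """Split entries into (visible, hidden) following the quoted behaviour:
    the first over-long entry and every entry after it count as hidden.
    Assumption: the order of `pairs` approximates creation order."""
    visible, hidden = [], []
    tripped = False
    for name, data in pairs:
        tripped = tripped or len(name) > limit
        (hidden if tripped else visible).append((name, data))
    return visible, hidden


def report(pairs, limit=NAME_LIMIT):
    """Return one line per hidden entry; long names are truncated for display."""
    _, hidden = audit(pairs, limit)
    lines = []
    for name, data in hidden:
        shown = name if len(name) <= 40 else name[:37] + "..."
        lines.append(f"HIDDEN name_len={len(name)} name={shown!r} data={data!r}")
    return lines


# Constructed sample data, used when not running on Windows.
SAMPLE = [
    ("Updater", r"C:\Program Files\Vendor\update.exe"),
    ("A" * 300, r"C:\Temp\first.exe"),
    ("Helper", r"C:\Temp\second.exe"),
]

if __name__ == "__main__":
    entries = enumerate_run_values() if sys.platform == "win32" else SAMPLE
    for line in report(entries):
        print(line)
```

Any line it prints is an autostart entry worth reviewing by hand, since the GUI editor would not have shown it.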