A "Health Certificate" for the Internet? Hmmm…..

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2010/10/05/the-need-for-global-collective-defense-on-the-internet.aspx

A few days ago, a Microsoft employee (in their Trustworthy Computing division) posted a blog entry discussing the need for a “health certificate” to allow computers on the Internet. To be considered “healthy,” your computer must have all available updates (I’m assuming Security here), an updated antivirus, and an updated firewall, and be virus free.

On the surface it sounds good (and in some other levels also). But, there are some considerations that need to be made.

First, what if your operating system doesn’t have (and isn’t easily susceptible to) viruses? I’m looking at Mac OS, Linux, and other unix variants here. Will there be a provision that states only Windows computers require antivirus software? And if, at some point, the other OS’es find the need for antivirus software, will the provision be put in for them?

Secondly, the idea is that they will be completely blocked from the Internet. So, pray tell, how will they block the computer? Will they do it by MAC Address (the “Physical Address” of the Network Card)? Or will they block it at the modem level? This presents two problems: If the computer has multiple NICs (wired and wireless, for example), it can still get on the Internet for a brief time. Also, how will the user get the needed updates to get their “health certificate”?

Thirdly, what exactly would the “health certificate” be? Will it be like a Digital Certificate? Will it be like the Windows Activation? How will they prevent people from forging their certificates or stealing others?

Fourth, how will this keep me from screwing up my facebook with those stupid lolzvideo viruses that are floating around? (I don’t click those, but I know a lot of people who do) After all, no antivirus protects you from that. And I would imagine that for the average person, that is the biggest hassle. They don’t realize the other dangers, because they don’t play in the big park. They go to their email and surf facebook and youtube.

The Health Certificate is a good theory. If someone actually decides to implement it, it needs to be an independent party with NO interests in any operating system or security software. Because if you have an interest in a product that the health certificate affects, you’re inherently going to shift the balance in favor of your interests. In other words, Microsoft has a good idea, but they shouldn’t have anything to do with implementing it.

One telling thing about this is that between 1 and 10 million Windows PC’s are involved with botnets. The number of Macs, Linux PC’s/Servers, and other devices that run non-Windows code is closer to zero. Now that may change if virus creators figure out a way to hack through OS X or Linux. But the point is that right now, it’s more than likely a Microsoft product that is causing the problems.

All of this being said, I think the health certificates are a decent idea. And after skimming through the actual white-paper on the subject, it raises some good points that aren’t being covered in the media.

Personally I think that the “Health Certificates” should contain the following information:

1. All MAC Addresses in the computer (this should be the ONLY identifiable information)
2. Operating System information (Windows/Linux/OS/etc and version including build where appropriate).
3. A check to see if all required security updates are installed properly.
4. If the Operating System requires a firewall and antivirus, whether these are present, turned on, and updated completely.

The “Health Certificate” should be generated on the fly. This will ensure that the most current information is presented. Tools like Belarc Advisor already generate the information that I suggest (and could easily be incorporated into the Health Certificate program).

Let me know what you think of the Health Certificate ideas. Read the white-papers on the Microsoft site, and do a little research into the idea. Let me know what you’d like to see in one (if they’re implemented).

Have a great day:)
Patrick.

Too Good to be True—Probably Is

This post came to me because I noticed something interesting in my Junk mail.  A spam mail for Walmart (supposedly, but most likely not) that had “We want YOU: Walmart Workers 75/h Now.”  I don’t think Walmart pays their salaried people (except maybe at the Corporate offices) $75/h.  So, I thought “Why would they send this out, with such an outrageous salary listed?”  Then it occurred to me that someone clicked on it.  The old adage of “If they keep doing it, then obviously someone is falling for it.”

In these hard economic times, it’s easy to fall victim to something like that.  The hope for a payday or windfall tempts everyone.  In fact, just the hope for steady income tempts everyone (myself included).  The problem is the actual companies are not hiring like this (by sending out unsolicited e-mails).  And they definitely are not offering tons of money per hour. 

The point to this post is this.  If it sounds too good to be true (or sounds like it’s way more than you’d expect someone to make at the company) then it probably is.  It’s more than likely a scam.  They definitely will want your personal information, and maybe will want money.  Either way, you’re taking a chance that they aren’t going to steal your identity or rob you/kidnap you/kill you.  So, be careful.

If you are looking for work, check out the Regional Help Wanted site (http://www.regionalhelpwanted.com), Monster (http://www.monster.com), CareerBuilder (http://www.careerbuilder.com), or Yahoo HotJobs (http://hotjobs.yahoo.com). You can also try looking on Twitter, but the same rule applies.  Some of the jobs there are too good to be true.

Have a great day:)
Patrick.

Grandma endures wrongful ISP piracy suspension

Luckily for Cathi Paradiso, she was able to prove that the illegal downloading was not her fault.  Unfortunately, she fell victim to something that a lot of broadband users are unaware of: the use of their internal networks for illegal means.

Cathi has a Qwest DSL modem.  Either she had wireless connectors at one time, or it was enabled for some other reason.  The wireless network WAS NOT SECURED, and people were using her modem as a gateway.  Some of them were downloading movies and television shows.  Her DSL was suspended due to this illegal downloading.

The article goes into the argument about whether ISPs should be the Copyright Cops or not.  I’m taking a different approach—although I do have an opinion on that issue.  I’m looking at what YOU need to do to make sure that you’re not a victim (or make sure that the “Copyright Cops” have no reason to look at you).

If you do not have any wireless computers connected to your network, shut off the wireless on all routers, switches, and modems.  In the settings screen (one of them should be labeled Wireless or something similar), you should have the option to “Enable” or “Disable” wireless access.  Disable it.

If you do have wireless computers, make sure you’re using WPA or WPA2 (preferred) for your wireless security.  When you enable this, you’ll create a passphrase (NOT A PASSWORD) like “My very elderly mother just said Uh No Problem.”  (This is a mnemonic for remembering the planets, back when Pluto was considered one.)  You want to make it something that people can’t guess easily.  So, don’t make it your favorite quote, or a phrase that you blog about.  Make it something only you, and maybe your immediate family, will remember.

I recommend OpenDNS for your DNS needs.  Your ISP will automatically supply you with their DNS, but OpenDNS will allow you to filter (read block) sites based on categories.  So, you can block movies and music and file sharing sites.  Of course this only works if the person jumping onto your network doesn’t have their own DNS specified (although if they have OpenDNS specified, it will use yours—not theirs).

Make sure that your router, modem, and OpenDNS passwords are strong.  It should be a minimum of 8 characters, contain Upper- and lower-case letters, numbers, and/or symbols.  And it should not be something that you blog or talk about (no pet names or anniversaries).  In fact, it needs to be fairly random—not really a word at all.

These tips won’t guarantee that you’ll never fall victim to copyright thieves (or the ISP or entertainment industry), but they will go a long way towards protecting you.  So, please take the time to learn how to secure and set up your equipment, and make sure you do it.

Have a great day:)
Patrick.

Google Joins the IE-6 Must Die Campaign

http://www.computerworld.com/s/article/9150138/Google_joins_the_kill_IE6_campaign

ComputerWorld is reporting that starting on March 1, 2010, Google Docs and Google Sites will no longer support Internet Explorer 6.  Considering that IE6 is 9 years old, it’s not surprising.  There have been two versions of Internet Explorer in the past 9 years, alongside offerings from Mozilla, Apple, and even Google themselves.  Corporations have NO excuses for not updating their applications and services to support the later versions of Internet Explorer (or the alternative browsers). 

If you are a web-developer, I strongly urge you to drop support for Internet Explorer 6 in your sites.  Redirect the visitor to a page that says something to the effect of "The browser that you are currently using is old, outdated, and insecure.  Here are some links to the latest browsers which are supported on this site."  In fact, I would suggest following Google’s lead and dropping support for Firefox 2.x, Apple 2.x, Google 3.x, or earlier browsers.

Here are some links for coding the version detection into your websites. 

http://www.mozilla.org/docs/web-developer/sniffer/browser_type_oo.html This page is geared mainly for older browsers to show the page in an optimized format.  You can easily modify the code to redirect the user to another page that recommends they upgrade.  (instead of (ie5up), you could use (! ie7up)).

http://www.quirksmode.org/js/detect.html The code on this site parses the browser’s information for the version number.  You can modify their example inside of the "You are using…." box to create your redirection (if browser < IE7, Firefox 3, Chrome 4, then redirect here).  This script does not detect Safari, due to how Apple formats their browser identification string, but you could probably add it in fairly easily.  You just need to know the internal version number of Safari 4, which is any number greater than 528.18.  It’s 530.17 on Mac, 530.17 on Windows (4.0.1) but 528.18 on their iPhone, so I would just use the lower value because there are no "versions" on the Mac or Windows that contain that number (source: http://en.wikipedia.org/wiki/Safari_version_history ).

Personally, I prefer the second route to the first one.  I may include it in my blog at some point (redirecting people to this post or another page).  However, the first page actually discusses the >= or, in your case, < comparison (use gte for >= and lt for < in your if statements).
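The version check described above, written out as an added example (it is not code from this post or from the linked scripts). The function names and the /upgrade.html URL are assumptions, the sample User-Agent string is constructed, and the minimum versions are the ones named in this post.

```javascript
// Added example. Minimum versions come from the post: IE 7, Firefox 3,
// Chrome 4, Safari WebKit build 528.18. All names here are hypothetical.
const MINIMUMS = [
  // Chrome goes first: its User-Agent also contains "AppleWebKit" and "Safari".
  { name: "Chrome", re: /Chrome\/(\d+(?:\.\d+)*)/, min: [4] },
  { name: "IE", re: /MSIE (\d+(?:\.\d+)*)/, min: [7] },
  { name: "Firefox", re: /Firefox\/(\d+(?:\.\d+)*)/, min: [3] },
  { name: "Safari", re: /AppleWebKit\/(\d+(?:\.\d+)*).*Safari\//, min: [528, 18] },
];

// Compare dotted versions numerically, one component at a time.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Returns { name, version, outdated }, or null for an unrecognised browser.
function classifyBrowser(ua) {
  // Old Opera builds could identify as MSIE; do not report them as IE 6.
  if (/Opera/.test(ua)) return null;
  for (const { name, re, min } of MINIMUMS) {
    const m = re.exec(ua);
    if (!m) continue;
    const parts = m[1].split(".").map(Number);
    return { name, version: m[1], outdated: compareVersions(parts, min) < 0 };
  }
  return null;
}

// Unrecognised browsers pass through. The User-Agent is client-supplied,
// so this is an upgrade prompt and not an access control.
function upgradeRedirect(ua, upgradeUrl) {
  const browser = classifyBrowser(ua);
  return browser && browser.outdated ? upgradeUrl : null;
}

// Constructed sample: IE 6 on Windows XP is sent to the upgrade page.
const IE6_SAMPLE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
console.log(upgradeRedirect(IE6_SAMPLE, "/upgrade.html"));

// In a page: redirect only when a browser environment is present.
if (typeof navigator !== "undefined" && typeof location !== "undefined") {
  const target = upgradeRedirect(navigator.userAgent, "/upgrade.html");
  if (target) location.replace(target);
}
```

A build of exactly 528.18 (the iPhone value mentioned above) is treated as current, since only lower builds are flagged.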

Have a great day and if you’re using one of these older browsers, then you may want to switch things up.  http://www.microsoft.com/windows/internet-explorer/default.aspx http://www.getfirefox.com or http://www.apple.com/safari

Patrick.

US-CERT Cyber Security Tip ST06-004 — Avoiding the Pitfalls of Online Trading

 

Are you considering trading stocks and bonds online?  Or maybe you’re already doing it.  Either way this tip is something you should look at carefully.  I will say that I’m investing through an online web site and I like it.  It’s fast, easy, and convenient.  I can have it automatically withdrawn from my bank account, or I can purchase shares directly.

The US-CERT tip is especially important to consider now, with the economy in its current state.  There are people out there who now, more than ever, want to get access to your money.  And they’ll use whatever means they can to do that.

It’s very important that you practice safe online habits.  And if you get e-mails with supposedly “hot” stock opportunities, don’t buy into them.  They’re most likely someone either creating fake stocks to get your money, or they’re trying to unload their worthless, junk, penny stocks on someone who’s gullible enough to buy into them.

You should also check into the sites where you’re getting your market tips and investment advice.  If it’s not your traditional broker (or established with one like Edward Jones, Merrill Lynch, or TD Waterhouse for example), then check into them closely.  They may be trying to sell you worthless opportunities also, or they may have conflicts of interest.

Some of the sites that I use are MarketWatch, StreetInsider, InvestorsObserver, and MotleyFool.  Beware that all of them, except MarketWatch, are offering some pieces for free and wanting you to pay for more advanced information and options.  You can check some of the International Indexes here.

So, combine the information sites with the tips from US-CERT, and you should be ok with your money.  At least as far as someone trying to scam it out of you through the computer. 

Have a great day:)
Patrick.