Technology by Ben
Tuesday, March 23, 2004
  A new home for SchorrTech.

Effective immediately the SchorrTech blog is moving to TheSpoke. The new address is: TheSpoke offers a lot of great new features like RSS syndication and the ability for all of you to leave me comments!

Thanks for reading and I hope to see you over there. I'll be posting a few of my "Best Of" posts from here, over there, to get it warmed up.

Monday, March 22, 2004
  Spam-Free at Last ||

This is an interesting read, but it's a very elaborate system and one that is probably impractical for anybody who doesn't run their own mailserver with a very small number of users on it. I can't imagine the resources that would be required to manage a system like this for the 60 users on our mailserver - trying to keep track of that many addresses, changing existing addresses, notifying clients of the change, educating our users, etc., etc.,

I doubt it could work for us.

  Dogpile Toolbar, Browser Companion -

Yet another cool toolbar for your browser. This one even adds the ability to grab RSS feeds as tickers. I'm already overloaded with IE toolbars and pretty satisified with IntraVnews so I think I'll pass on this one.

If you're interested in RSS, however, and don't want to integrated it with Outlook you might want to take a look at this tool.

Sunday, March 21, 2004
  10 Hot eBay Tips

David Karp (author of eBay Hacks) offers 10 tips for eBay sellers that are pretty good.

I'll add one for eBay buyers: Don't count your auctions until they're closed. A popular tactic among experienced eBay buyers is to wait until the final seconds of the auction, then swoop in, made a bid and take the item. There are even software tools that will do this for you now.

If you have the winning bid 5 minutes before closing you are still a long 5 minutes away from winning that auction.

Saturday, March 20, 2004
  Yahoo! News - 'Witty' Worm Wrecks Computers

Here's some more information the "Witty" worm. It looks awfully serious - if I were a BlackIce or Real Secure Internet user I'd be taking action immediately.

  Did you know that Microsoft Exchange 2003 includes an Always Up to Date feature that can effectively turn your mobile device (running Windows Mobile 2003) into a live e-mail client? Here's a PowerPoint presentation with more details.

  Yahoo! News - Indian railways to give staff high-tech mobiles to limit accidents

How advanced are we technologically? Wouldn't we all be surprised to discover that any American train didn't already have the ability to communicate emergencies promptly from wherever it was? It's that digital divide thing.

  Talk about a productive commute! Apparently BWM is developing a 7 Series car with mobile computing built in. Now if you can just find somebody to drive, who will dodge the speedbumps, while you work in the back.

  If you run BlackIce as your personal firewall you should check with your anti-virus vendor. There is a new worm out called "Witty" that apparently attacks BlackIce installations.

There's some discussion of it going on over at BugTraq.

Friday, March 19, 2004
  OneNoteAnswers Home Page

Kathy Jacobs has started a new web site about OneNote. It's just getting off the ground, but it's worth bookmarking.

Thursday, March 18, 2004
  Phoenix to Give Notebook Users Fast Access to Outlook Data: "BIOS vendor Phoenix Technologies Inc. on Thursday said it had developed a utility technology that will let users check their Outlook data on a notebook computer without needing to boot the machine."

Now this is a neat idea. It's read-only at first, but if you're just checking your calendar real quick or want to look up a phone number that may be just fine. They say there is a read-write version in the future.

  Here's an item from my Random Musings blog that I think is important enough to cross-post.

Tuesday night I attended a neighborhood watch meeting where an HPD Detective who specializes in white collar crime talked to us about Internet crime and identity theft. He said that most identity theft is NOT perpetrated on the Internet. Rather it's still very common for the crooks to get your information by "dumpster diving" -- going into your trash for discarded bills, credit card statements and so forth.

These days it's important to shred any of that stuff before you toss it out. Don't have a shredder? Use scissors.

Or buy one of these: Fellows Shredder, $25.99.

  Neat Tool Department...

O.K., let's talk about LookOut. When I first heard about it I had a very distinct "oh" response. I am a frequent user of Outlook's built-in search feature and wasn't sure I wanted to load yet another add-in for uncertain return. Finally, after having some old tea, I decided to give LookOut a try.

O.K., I'm convinced. It's super fast, yes, but the real selling point is that it does something that Outlook/Exchange users have been asking for since Outlook 97: It lets you search across private and public folders in a single search. Wow!

I have it set to index my private folders (including sent items and all of my RSS feeds), my archive folders, a couple of key public folders. It is fairly unobtrusive but when I type in a search term it almost instantly returns every instance of it from across all of those folders.

Very powerful and something you can't do with Outlook's native searching tools. If you make heavy use of folders and especially if you use public folders, you should give LookOut a try.

  (Old Joke)

Q: What's the difference between a computer salesman and a used-car salesman?

A: The used-car salesman knows he's lying.

Wednesday, March 17, 2004
  There's a new blog on the block. Check out (Microsoft's) Larry Osterman's blog. Already his post on the bad advice one security company offered has caught my eye.

  Recently a blogger talked about syncing your RSS feeds to your PDA so you could read them offline. It might have been Scoble but it doesn't matter. Let me tell you how I do it - it's very simple

I use IntraVnews for my RSS feeds. It integrates with Outlook and it's free. I have IntraVnews configured to put each RSS feed in its own folder - so far, so good. ActiveSync 3.7 is the key piece here; it allows you to sync not only your Inbox but also lets you select subfolders to sync.

I think you see where I'm going with this. My IntraVnews folders are accessible to ActiveSync so I need only have them sync'd along with my Inbox.

Voila. I sync Scoble's blog, Chris Pratley's blog and a couple of others to my PDA so I can read them while I'm standing in line, waiting in an elevator, waiting on something at another user's desk, in a boring name it. Helps me stay on top of the dozens of feeds I monitor (nowhere near the 1300+ Scoble boasts).

The key piece is ActiveSync 3.7 (or later). If you don't already have it, go get it.

Tuesday, March 16, 2004
  SOA - Computerworld

Interesting primer on Service-Oriented Architecture (SOA) from ComputerWorld magazine. Essentially SOA means compartmentalizing things -- reusing genetic routines without having to create them in each application or service.

A good example that is offered is operating systems and applications. Microsoft Word doesn't worry about containing its' own print drivers, because the OS provides print functions for it. Any other application developer who wants a printing function doesn't have to create their own -- they just write their app to interface with the common Windows one.

SOA is basically the same idea -- developers consider how they might reuse common functions across multiple apps and also how they might be able to provide those functions to other developers apps as well.

Read the article - it explains it better than I can.

  GAO offers security guide: "In a report released today that essentially serves as a catalog and explanatory guide, GAO officials outlined the major types of commercial security technologies that agencies can use and how effective they are for various risks and vulnerabilities. "

The report is 89 pages long, PDF format, and available (free) from a link on the right side of this article. I haven't had time to read it yet, but it looks like good information for IT folks to peruse.

Besides, it's our tax dollars at work.

-B- - New Outrageous Dell Desktop P4-2.66Ghz $349

Technology prices continue to fall. Here Dell is offering a respectable desktop PC for $349.

Monday, March 15, 2004
  A classic of Internet humor: Three Dead Trolls in a Baggie have their music video Every OS Sucks online. It still cracks me up. (note: You'll need to have QuickTime installed).

Click "Video" in the left margin, then scroll down to find "Every OS Sucks".

  GoBinder :: Mobile Content Organizer for Students

Another note-taking/research tool. This one seems more geared towards note-taking especially for students. I don't see any mention of web-research here. Maybe you could use this one and the aforementioned Onfolio in conjunction. Of course, the price of the two combined may start to approach the price of OneNote.

Note: I haven't actually used either product yet, just reviewed their materials. They both look interesting, though.

  Onfolio Homepage

This is an interesting product that competes, a little, with Microsoft's OneNote. This looks like a very interesting way to collect and catalog web research, though it appears to lack the annotation capabilities of OneNote.

-B- Docs:: Part I - Schemas: "Creating Smart Document Solutions"

Very interesting article by Mary McRae on using XML to create smart documents. I'm planning to read it twice.

-B- (Maxim V. Karpov): "What is SharePoint 2003 (v2)? "

This is one of the better explanations of what SharePoint is (and what the difference between SharePoint Portal Services and Windows SharePoint Services is) that I've seen. Thanks to James Edelen for pointing it out.

  Dell Networking

If the hub business wasn't already dead, this kills it. 24-port 10/100 switches for $69.

  Meet the new worm, same as the old worm...

Symantec Security Response - W32.Keco@mm

Keco is on the loose. Same old thing - zip files with spoofed addresses. Make sure your antivirus software is up-to-date and don't open attachments you aren't expecting.

Sunday, March 14, 2004
  Yahoo! News - Virtual Supercomputers Join Hunt for New Drugs

Grid computing is a fascinating topic which I will try to talk about more in the coming days/weeks. In the meantime, if you aren't already participating in a grid project, I encourage you to do so. Google's toolbar has a Compute feature which uses spare CPU cycles on your machine to work on the Folding @ Home project. I've been using it on several machines for several months and have not noticed any ill-effects.

Also uses spare CPU cycles for a variety of human services projects, such as looking for a cure for cancer or cures for Anthrax.

Most modern computers spend the vast majority of their time idle. Let yours spend its idle time finding solutions to some of our biggest scientific problems.

Saturday, March 13, 2004
  Tip of the Day Department

Don't remove a server from your domain if you don't remember what the local administrator password is.

Don't ask.

Friday, March 12, 2004
  Want to build the ultimate pedestal server? Here's the case for you:

Might be a little scary when you turn the lights out in the server room, though.

  Microsoft Shows Us What New Content to Expect For MSN Direct: "We know the sport channel will be next. But earlier today, Fossil published a co-branded link that showed many other new channels are in the works including: Traffic, Dining, Movies and Games. This marks the first official hit list of what's to come."

These are neat; especially the local traffic. Unfortunately it's not very likely that they'll include Honolulu. MSN Messenger offers many of these same channels already -- including local traffic. No Honolulu coverage on that either.

Add Honolulu local traffic and I might have to get one of these watches. Especially if somebody does a pocketwatch.

  Internet radio finds its groove - Mar. 10, 2004: "The medium has found a niche among office workers, where a pair of headphones plugged into a computer may be less intrusive than a desktop radio.
Top services now attract more than 1 million listeners per week, according to research firm Arbitron Inc. . "

Indeed, before I got my MP3 player I used to do this exact thing - listen to Internet radio over a headset. Now, however, I have dozens of my favorite CDs downloaded to my MP3 player which I have connected to a small computer speaker tucked back into a corner of my desk. I just select some music (usually Jazz) that I want to listen to and the player serves up my favorite artists with no add'l strain on my PC or my bandwidth. (and no fees or commercials).

  A quick tale of success using the Knoppix Security Distribution I mentioned earlier. I'm running it on a laptop on my side table and decided to fire up Ethereal and have a look at my network traffic. I was surprised to see that a substantial portion of the packets moving across my network were IPX. We don't have any NetWare boxes and shouldn't have any IPX so I set about to track down the culprit.

Ethereal provided me with the MAC address and Ettercap (another tool on the Knoppix disc) provided me with the IP address and machine name (which I didn't recognize). It was a bit disconcerting seeing this vaguely familiar machine name which I knew wasn't one of our workstations.

So I set about trying to figure out what it was. Home machine logged in remotely? Nope, a check of our VPN showed that the IP address in question was not assigned to either of the currently connected remote users. NBTSTAT -A is often useful in this kind of quest...nope, no host found.

Finally, a bit exasperated by my inability to pinpoint exactly what this device was I suddenly was struck by a thought: Put the machine name in an IE address window and see if it has a webserver running! BINGO! The device in question was actually our color laser printer. Sending out IPX broadcasts looking for an NDS we don't have it appears. The webserver on that device lets us configure it so I popped into the network protocols configuration and turned off IPX.

Our IPX traffic diminished considerably. Imagine what I might accomplish if I ever actually figure out how to use this thing.

  Exchange Supports Broader Range of Storage Solutions

Good news for Exchange admins who are looking for more options in storage. This article indicates that Microsoft is supporting iSCSI and NAS solutions for Exchange 2003.

Thanks to Martin Tuip for calling this to my attention.

  Knoppix Security Tools Distribution

This is a nifty suite of tools. It's a Linux build that is a bootable CD. You download the ISO, use that to create the CD, put it in any machine that can boot from CD and it will boot to the special Linux OS with a big suite of tools (forensics, authentication, sniffers, firewalls, etc.) without ever really touching the host machine. Pop the CD out and reboot and the machine's regular OS comes back up just as you left it.

Everything is run from the CD and from a RAMdisk that the OS creates on boot.

Great for impromptu work. And, of course, it's free. I'm still playing with the various tools and trying to learn their intricacies, but already I can see that it's going to be valuable. For the ethereal sniffer if nothing else.

Check it out.

Thursday, March 11, 2004
  Incremental Blogger: Most popular RSS feed: "No sooner had Lora put up TabletPCPost, that I realized I wanted an RSS feed. To help out I gave her the code at the link below that returns the top 20 most-downloaded apps at TabletPCPost. It's not finished, but if you're like me, it's probably useful enough in its current form. So here's the link:"

I can only wish I had a TabletPC, but if you do this RSS feed will give you the top 20 most downloaded TabletPC apps at TabletPCPost.

  Exchange 2003 Transport and Routing Guide

Microsoft has made available for free download the Exchange 2003 Transport and Routing Guide. Good info for anybody who has to configure or support Exchange 2003.

  Study: Spam Filters Often Lose E-Mails NEW YORK (AP)—As spam-fighting tools become increasingly aggressive, e-mail recipients risk losing newsletters and promotions they've requested.

A new study attempts to quantify missed bulk mailings. Return Path, a company that monitors e-mail performance for online marketers, found that nearly 19 percent of e-mail sent by its customers never reached the inboxes of intended recipients.

This is one good reason why I've been unsubscribing from e-mail newsletters and instead subscribing to the RSS feeds for those sources.

  Microsoft Business Contact Manager - Frequently Asked Questions

SlipStick Systems has a FAQ on Microsoft's Business Contact Manager. One important, and disappointing, thing to know about it is that it won't work if you have an Exchange Server. That's a pretty big problem and one I hope Microsoft is working to correct in a future version.

Wednesday, March 10, 2004
  Christian Lindholm has a very interesting blog entry about Multitasking...something most of us do from time to time.

I found his wonderment if people who logged onto web-based activity during seminars actually "logged out of listening" and I can say that in my opinion they probably do, to large extent. I know that during the last Microsoft MVP Summit I had my laptop open during a number of the presentations and the only thing that kept me half-listening to the presenter was the fact that I was composing an e-mail message of questions and comments to them as they spoke.

By the way...that's one of my favorite tricks these days. During sessions I often find that I have questions and comments about the presentation that are not especially urgent and can easily be taken "off-line" freeing up more Q&A time for people with more pressing issues. I could hang out and hover by the podium, talking with the presenter then, but I figure again I'd rather leave that to others. So I often have a laptop or PDA running during the presentation, taking notes and, in one window, composing an e-mail message to the presenter with my questions and comments. Next time they check their mail they'll see it, can offer a considered response at their convenience. I find I get better answers and am MORE likely to strike up a professional correspondance with them under those circumstances.

  Robert Scoble did a little blog entry about search engines which was good but missed one of my favorites. Vivisimo.

  As a follow-up to the previous item, Microsoft did a webcast about the monthly patch release. You can view the webcast, for free, on-demand, here: but I'll hit the highlights for you right now. (note: this is not intended to be comprehensive)

  1. Jeff Jones opened up by saying that they've received some criticism that the webcasts really only cover the same ground as the bulletins do and he said that was actually by design. He said they try to include as much detail as possible in the bulletin so there is actually very little additional information they could offer in the webcast. In fact, it seems to me that the primary advantage of the webcast is the Q&A session at the end that gives you the opportunity to ask questions and hear other questions asked/answered that may go beyond the bulletin or clarify issues in the bulletin.

  2. Two MS Websites of note:

  3. Later in March there will be some new scripting capabilities for MBSA (Microsoft Baseline Security Analyzer) that will add the capabilities to scan an unlimited number of computers or IP addresses from an input file and also that will allow you to roll up the myriad of reports into a summary report.

  4. On Tuesday March 16th, Mike Nash (VP of Microsoft Security Business Unit) will host a monthly security Webcast. 0830-0930PST.

  5. Overview of MS04-009
    • Was originally released as a moderate severity but has been upgraded to critical. Note that the change in bulletin is merely a severity update. The referenced patch has NOT changed - so if you applied the patch already you don't need to do anything further.
    • The crux of this vulnerability has to do with remote code execution. An attacker can create a specially malformed mailto: URL and pass that to the user either in a web page or in an HTML e-mail. Chris specifically indicated that the message would be viewed in Outlook Today for the exploit to occur, but it seemed unclear as to whether or not that was necessary. It seems awfully rare that users would actually view a message in Outlook Today; rather than the Inbox. Outlook is capable of opening an HTML message, of course, it's not clear to me if an HTML message opened from the Inbox could also cause the problem.
    • The problem affects Outlook 2002/Office XP. (not Outlook 2003). They didn't indicate that it affects Outlook Express, but did specifically give a KB article for mitigating steps for OE users to take, which seemed an odd thing to do if OE is not affected. Earlier versions of Outlook are apparently not affected.
    • The exploit will execute at the permission level of the user who triggers it. Assuming you don't grant admin rights to your users the exploit will be limited just as the user is. This is an excellent example of why you don't want to give user accounts admin permissions!
    • The update that fixes this is available as a seperate file and is also contained within Office SP3 which can be downloaded from OfficeUpdate at:
    • The update can be deployed via SMS, but not via SUS. The absence of the update is only detected by MBSA if MBSA is run locally.
    • One workaround is to configure your clients to read HTML mail as plain text. There is a registry edit you can do to accomplish that detailed in KB307594. Naturally that has the effect of disabling all HTML mail (rendering it as plain text instead) so that represents a loss of functionality.

  6. MS04-008 is a vulnerability in Windows Media Services that affects Windows 2000 SPs 2, 3 & 4. It could allow an attacker to launch a denial of service attack against the vulnerable machine. The patch can be deployed with SUS and MBSA will detect if it's needed.

  7. MS04-010
    • This is a little more serious than MS04-08 I think. It's a vulnerability in MSN Messenger that could allow an attacker to view files on the hard drive of the user. You'll notice I mentioned this one here yesterday. You can download the updated version of MSN Messenger at Click the "Download Messenger 6.1" link. Yes, even if you already have Messenger 6.1.
    • Windows Messenger is NOT affected by this vulnerability, just MSN Messenger. Not sure which version you have? Go to Help | About in Messenger.
    • This fix cannot be deployed using SUS and will not be detected by MBSA.

  8. There will be a Technet webcast on March 17th: Implementing Network and Perimeter Security. Go to the Technet webcasts section at Microsoft's website for more details. I'll try to post a link to it in the next day or two.


  Microsoft Releases New Patches; Fixes IE Hole: "Microsoft Corp. on Tuesday released its monthly batch of patches, including a fix for a flaw in Outlook that allows attackers to run their own code. "

If you haven't already got some kind of patch management in place, you should fire up Windows Update and go get these patches.

-B- : AOL, Microsoft, Others File Anti-Spam Lawsuits March 10 — NEW YORK (Reuters) - Four of the biggest U.S. e-mail and Internet service providers said on Wednesday they filed six lawsuits against hundreds of defendants in the industry's first major legal action under a new anti-spam law.

Best of luck to them. I'm skeptical that it will really help much, but I certainly hope they can prevail and maybe make some dent in the problem.

  Election Technology

I don't really understand what all the difficulty is with election technology. Four years ago I write the article linked above and I still believe it would produce a practical and effective election system.

The keys, I believe, are in making the system easy to use, producing a paper receipt for the voter to keep that verifies clearly who/what they voted for.

  Security Pipeline | News | Netsky Hacker Threatens New Attack: "'The 11th of march is the skynet day,' said the text in part, giving Panda researchers reason to believe that the Netsky author plans another wave of attacks. The creator of Netsky has repeatedly referred to himself as 'Skynet' or 'Skynet AntiVirus.' "

So maybe his claim that the previous attack was the last wasn't true? A virus writer who can't be trusted? It's a world gone mad.

  The Register: "Google is in many ways most dangerous website on the Internet for thousands of individuals and organisations,"

Interesting article. If you host or publish a website I think you should be required to read this.

Tuesday, March 09, 2004
  Microsoft Security Bulletin MS04-009 : Vulnerability in Microsoft Outlook Could Allow Code Execution (828040): "Microsoft Security Bulletin MS04-009"

If you haven't already upgraded Outlook 2002 to Service Pack 3, this is your cue to do so.

  InfoWorld: Train the whining away: March 05, 2004: By Oliver Rist: Platforms: "You can?Dt fight this except by biting the training bullet. But to really make a dent, you can?Dt just bite a single bullet. Any new feature, like VSS, needs multiple avenues of training. "

Oliver Rist makes some good points in his column today. My one quibble is that in my experience the users who whine about having to do things themselves will also whine about having to attend training, or look things up in the book and will probably never take the time to run an online training session. They're lazy and would rather just speed-dial ISD and push the problem off on somebody else so they can lean back in their chair, suck down another venti Starbucks and pass the time checking their stock portfolio or sports scores online while they wait for you to fix their problem.

Am I a cynic?

  Microsoft Security Bulletin MS04-010: Vulnerability in MSN Messenger Could Allow Information Disclosure (838512): "Microsoft Security Bulletin MS04-010"

This one is medium-serious but I'd get on top of patching this quickly. Also this raises another important point -- you should have MS Messenger configured NOT to allow anonymous users to just send you messages.

Go to Tools | Options | Privacy and configure it to only let people on your Allow list send you messages. (That will also block IM spam).

  ZDNet UK - News - Netsky author signs out with final variant: "The latest variant of the Netsky worm, which is the eleventh in less than a month, will be the last, according to a coded message from the worm's author."

Well, I certainly hope that's true - it would reduce our message volume a bit. Still amazing to me how many users fell for these viruses - the only reason they spread is because people opened the attachments.

  World of Windows Networking

A new tech website that appears to be from the same folks who give us the excellent website. This one focuses, as the name implies, on issues of Windows networking.

Monday, March 08, 2004
  Worms Are For Suckers: "BE VERY SKEPTICAL OF ANY ATTACHMENT IN E-MAIL. This doesn't mean that you shouldn't trust any attachment at all, but unless you know the sender and were expecting the file, you should scrutinize it and not open it unless you can determine that it's legitimate.
Keep your antivirus software and firewall up to date. They aren't perfect, but they help a lot.
If your mail client can block all executables, let it. Most worms, including NetSky, will be blocked just by this. If not, find some other way to do it. It's just not worth being able to mail executables around. Incidentally, both Outlook and Outlook Express have done this for years, and therefore their users have been immune to these worms. "

Excellent advice. I continue to be amazed at the sheer volume of people who still fall for these worms. I guess it parallels the people who claim they didn't know smoking was dangerous too.

  The law office IT folks here in Honolulu are going to get together for lunch this Friday at the HSBA conference room. Strictly a brown bag (i.e. bring your own) affair with no particular agenda. It's just been gnawing at me for oh...about 7 years...that the law office IT community here in Honolulu doesn't know each other as well as we should. Heck many times we work in the same building or just a block or so away but we've never met.

So...we're going to meet. If you're a law office IT person in Honolulu and want to come too we'd be glad to have you. Just drop me a message at No cover charge. :)

  Phil Windley | I'll Trade You a T226 for a T68i: "Have you ever been listening to music on your iPod while you're snowboarding and had an important call come in? You don't really want to stop to pull out your earbuds, stick in your bluetooth headset, just to see who's calling. Now with this new snowboarding jacket, called The Hub, you don't have to. Just touch the fabric keyboard on the sleeve and your phone call will be routed to your headset via Bluetooth. "

This is a pretty neat tool for those of us with more devices than we know what to do with. A long-sleeved, hooded, jacket isn't very practical for Hawaii though. Maybe they can figure out some way to do this with a belt or watch interface instead?

  University of Hawai'i ranks low in tech strength - The Honolulu Advertiser - Hawaii's Newspaper: "The University of Hawai'i placed 81st out of 84 universities in terms of technological strength, defined by the number of patents obtained and references to an institution's scientific papers, according to a 2002 scorecard of university research by the Massachusetts Institute of Technology's Technology Review magazine. That same year, UH ranked 99th among 141 universities in terms of technology transfer, according to the magazine. "

There is no greater evangelist for technology in Hawaii than Jay Fidell and I'm betting he's going to address this on his Wednesday radio program. If you want to listen (as I will) it's at 5PM (HST, GMT-10) and you don't have to be in Hawaii to listen to it on can hear it streaming on the web at

On the subject of university research and licensing fees I'm mildly surprised to glean from the article that none of the universities, not even University of California which is listed as #1 in research revenue, turn a profit from the research. Their expenditures (6.75% of which on average is funded by private industry) still exceed their returns.

I would expect that the University of Illinois probably does pretty well in the revenue department as well. After all, it was there that Netscape and a number of other important Internet technologies were born.

Saturday, March 06, 2004
  Bugtraq: IEEE Security & Privacy CFP: "Some security practitioners believe that the only way to know how to
protect a system against attack is to know how attacks really work. Such
people advocate teaching about attacks when building security expertise,
carrying out attacks as part of testing, and thinking and writing
creatively about attacks. Others feel that discussing, publishing, and
teaching attacks is irresponsible. Where do you stand? "

Put me in the camp that believes that we need to know as much as possible. Sticking our heads in the sand is useless - the bad guys know how these things work and we'd better too if we hope to defeat them.

Friday, March 05, 2004
  Macworld: Office 2004: First Look

The Project Center tool in this looks very cool. I wonder if/when we'll get that feature for Windows?

Also the Word "Notebook" layout pictured further down obviously has quite a lot of OneNote influence in it.

  This is a little heavy on the technical side, but if you're interested in a good document laying out the details of 100Base-T and 10Base-T here's one from Cisco.

  New Scientist: "One in twenty computers with an internet connection may be harbouring unwanted 'spyware' programs that can record a user's computer use, generate nuisance pop-up ads and may pose a security risk, suggests a US study."

I would suggest that their numbers are a little low. Fully 50% or more of the computers we've checked here at our office had some kind of spyware. Frequently due to cutesy little "Hotbar"-type programs downloaded willingly by the user.

  837388 - How to configure Outlook to block additional attachment file name extensions

Wanted to call your attention to this one. With the worms and viruses flying fast and furious it behooves all administrators who deal with Outlook to be familiar with this KB article.

-B- Users have a second option—self-support. Users find many choices if they go down this path. For example, the “...for Dummies” books offer excellent advice for people who appreciate the tactile experience of flipping pages. Another option is classroom training, which is available at local community colleges at very low cost, and from commercial training firms. Perhaps the cheapest training, in terms of out-of-pocket costs, is to encourage users to seek the support pages at vendor Web sites. Consider the idea of requiring users to Google their problem before contacting the help desk.

Mark Cappel has an interesting piece there at FTPOnline on the subject of informal vs. formal support costs. I do want to talk for just a second about this paragraph, which appears late in the article. I think the fundamental problem is in differentiating between what is and is not the formal resposibility of the IT department to support. In some cases that's pretty easy -- when a guy brings in his kid's iPod it shouldn't be expected that it's the IT department's job to get it working for him (unless you work at Apple, I guess). On the other hand, if the user receives a virus in his office e-mail I think that's a situation where it may well be the IT Department's job to help them.

I do want my users to exercise a little more initiative in things like figuring out how to print two copies instead of just one, or how to create a chart from a column of numbers in Excel. I'm a very strong proponent of training and gladly provide loaner copies of For Dummies and other such books for my users to read and refer to. If they've received some kind of system error message, however, I would prefer that they tell the IS department about it rather than solve it themselves. Even though they may be capable of Googling I find that there are three possible outcomes and none of them are an improvement over just calling us.

1. They fix it themselves and never mention it. Then Information serviceshas no record of the problem and later if it crops up again either on their machine or another machine we don't know about the history -- that the problem has appeared before and/or what solved it previously. A couple of times a year I get annoyed because some user complains to our executive committee about some problem with their computer. A problem they've never notified the IS department of. The executive committee immediately calls us demanding to know why the problem has never been fixed and we have to both convince them that we didn't know about the problem AND scramble to get it fixed at the expense of any other project we may have been working on.

2. They try to fix it themselves and break something else. It's a miracle computers work at all; millions of lines of code and hundreds or thousands of settings all in careful balance. I don't really want the average user poking around in their registry with a "sharp stick" they found on Google. Of course our security settings don't allow the average user to get that far anyhow; so we're still going to get the call.

3. They call us anyhow, but armed with a 2-minute Google search they are now experts and so spend the entire time hovering over us offering helpful suggestions and criticizing our attempts. The old joke about how repairs cost $2, $3 if you help, springs to mind.

So...I think the fundamental problem becomes defining fairly clearly what is and is not the responsibility of formal support and encouraging the users to act accordingly. If their personal digital camera is blurry I'd rather they Google and and try to figure that out for themselves before they call me for help. If they're getting an "NTOSKRNL.EXE Not Found" error message when their office workstation boots, I'd rather they pick up the phone and not touch anything.

  InfoWorld's Oliver Rist points out that Windows 2003 supports cross-forest trusts. Those of us with stable networks don't especially care, but there are some admins out there who are tasked with merging two or more seperate networks. If both are on Windows 2003 cross-forest trusts (not possible with Win2000) are a godsend.

  Just a reminder...there is a free OneNote webcast coming up on March 8th. Details below or in the OneNote FAQ.

  I'm increasingly impressed with the utility of Feedster. You can really use it to create DYNAMIC RSS feeds! If you're interested in a particular subject, like OneNote, you can create a feedster search for that subject or other keyword, then subscribe to that search via RSS!

Pow. RSS feeds you've never heard of and might never have found are dynamically delivered to you if they contain that keyword. Really neat stuff. You can really keep your thumb on the pulse of the blogosphere with this. I think every business person should have their own company name and products searched this way - just as many already do with Google News Alerts.

Have you set up a Feedster RSS search for your own name yet? I have. It's actually a little depressing how rarely it turns up. :-)

  Gerod Serafin has an important post about the rash of viruses and worms that are using password-protected .ZIP files to sneak past anti-virus scanners.

Apparently you can still see the list of files in the zip file even without knowing the password, you just can't extract any of them. The password protection of the zip file adds a "+" sign to the extension so "virus.exe" becomes "virus.exe+" which your virus scanner probably doesn't recognize.

All you need to do is edit the blocked extensions list of your anti-virus software (assuming it has same) to add ".exe+", ".pif+" and so forth and the anti-virus software will be able to discard the file accordingly. Yes, even in a password-protected zip file.

Go read Gerod's article from the link above.

Thursday, March 04, 2004
  Probably not coming soon: the sperm-killing cellphone - -

Only the second day and already I'm finding neat stories on Engadget. I kinda like the idea of the phone with the entire encyclopedia Brittanica on it. But then, I'm the kind of guy who likes the ThinkThink stuff.

Wednesday, March 03, 2004
  New ruggedized tablet-style PC from JLT Mobile Computers - - "A new ruggedized tablet-style PC from JLT Mobile Computers that runs on Windows XP Professional rather than the Windows XP Tablet PC Edition operating system. The G-force 850, which is designed for use in the field, has an 8.4-inch display, up to 512MB of RAM, an 800MHz processor, and a 10GB hard drive. No built-in WiFi, though."

I have to wonder why they decided not to use the Tablet PC Edition OS. Without it they're sacrificing a LOT of the Digital Ink capabilities that make Tablet PCs so useful.

  If you love gadgets (especially smart phones) you can't miss the Engadget blog.

  A few thoughts on passwords... (note: this is aimed at regular folks, not geeks, so I've oversimplified in a few places)

There are three primary ways for bad people to get their hands on your password:

1. Guess it. The oldest method of getting your password is just to guess it. They try your name, your spouse's name, your dog's name, common words like "pizza" and "money", your birth date and other similar things. That works a surprising amount of the time.

As technology has progressed the bad guys have new tools at their disposal however and to enhance this technique they now have what is called a "dictionary crack." Basically that means that they use a program which is pre-programmed with a list of words from the dictionary, often more than 100,000 of them. A human being is limited in how many passwords he can try because he can only type them so fast. The computer, however, can try thousands of possible words a second so it's fairly trivial for it to run through the entire dictionary and try every English word in it. Accordingly passwords that are regular English words are really not very secure.

2. Brute Force. Naturally people don't always use English words as passphrases. Sometimes they use foreign language words, or numbers. Sometimes they use mangled words like "g00fy" where the o's are actually zeroes. In order to crack those passwords the bad guys use a technique that is really an evolution of the dictionary crack. They brute force the password. That means that they have the computer randomly try combinations of letters and numbers until they find the password. Against a brute force crack it doesn't really matter how obscure your password is, you could use "hsirkx" as your password and the brute force system will still crack it rather easily since it's just trying random combinations. Recently here at the firm we needed to get into some spreadsheets that had been password protected. We didn't know the password and the person who knew them wasn't available so we had to employ a brute force password cracking program. Given a bit of time and enough computing resources we were able to break each and every one of the passwords, even though most of them were complex combinations of letters and numbers.

The defense against brute force password crackers is to make the password longer. If you take a 5 character password made up only of lowercase letters then there are 11,881,376 possible combinations of letters that it could be. That may sound like a lot but it will take a modern computer less than 3 minutes to break that password. If you throw in upper and lower case letters you increase the possible combinations to 380,204,032 which extends the time it would take to break it to maybe an hour. If you add numbers it expands to 916,132,832 possible combinations - again that takes longer to crack. If you simply extend the length of your password to 10 characters, upper and lower case, you create 144,555,105,949,057,024 possible combinations. Now that's a challenge for any brute force cracker.

3. Ask you. Social engineering is a hacker strategy that has been very popular for the last decade or so. Basically it involves tricking you into telling them what your password is, usually by pretending to be somebody you can trust. Here at Damon Key that's not such a big deal, if a stranger calls you on the phone and pretends to be from ISD you're going to know right away that it's not me or RS and hang up on them. Out in the world, however, if somebody calls you and pretends to be from your bank you might not have any way to know. Be extremely suspicious of any unsolicited calls or e-mails that ask you to provide your passphrase or PIN number. Most organizations, banks and other institutions have a very strict policy that they will never contact you and ask for your passphrase or PIN number, precisely for this reason.

A side note on this: if a bad guy can get physical access to your computer one of the first things they look for is a pass phrase written on a Post-It note on the monitor, under the keyboard or in the immediate vicinity. Try to use a passphrase you can remember and if you MUST write it down, try to encode it somehow. Just write some hint that reminds you of the passphrase but isn't actually the passphrase.

If you ever have to write a PIN number down so you can remember it, encode that PIN by writing it backwards, or add 1 number to each digit so that "1234" becomes "2345". Just remember how you encoded it so you can decode it when you need to!

So what should you do?
I recommend that you try to use a passphrase instead of a "password". The longer a passphrase is the harder it is to guess, the harder it is to brute force and since it's not a single English word most dictionary attacks will fail against it. Most systems these days, including ours, will accept passphrases that are well over a hundred characters long. Obviously nobody is going to create one that long; it would take too long to type. The ideal length for a passphrase (for other technical reasons we won't go into now) is 15 characters or longer.

That's too long!
Actually, it's pretty simple to do. For example: "My dog is very cute." (include the spaces and the period) is actually 19 characters long. That produces more than 324,518,553,658,426,726,783,156,020,576,260 possible combinations assuming they know that you didn't use any numbers. It could easily take about a century for any computer on the planet to brute force crack that pass phrase.

I'm not saying you have to change your passwords, but you may want to give some thought to how comfortable you are with your current passwords and the possible security risk if somebody should want to break into your account. If you decide you would like to change your passphrase, then I encourage you to think up a simple phrase, hopefully 15 or so characters in length. Don't be afraid to use numbers ("I have 4 children") and spaces and punctuation marks. (note: you can't use asterisks or question marks).

Tuesday, March 02, 2004
  This site ( has a good, if spartan, explanation of the weakness of LM Hashes for authentication and the security hole they present to all of us in trying to secure our Windows networks. This ties in with what Mark Minasi was talking about in the Security Roadshow that I'm currently blogging here and is worth the read.

Then you might check out KB299656: How to Prevent Windows from Storing a LAN Manager Hash of Your Password in Active Directory and Local SAM Databases

Monday, March 01, 2004
  O.K., I'm going to start posting my notes from the Windows Security Roadshow. It's only taken a few weeks for me to get these together...

They may be quite long so I'll be posting them in sections. Here's the first part:

Mark Minasi led off. Minasi is a dynamic speaker, very animated and entertaining. He wanders around quite a bit, even venturing down the aisles into the audience as he spoke once or twice. Like most of the speakers he was saddled with a very big topic and not enough time to really cover it, so he skimmed over some things and just hit highlights on others.

The key points of his presentation were:
1. Accidental security tech doing "spouse-mode installs". Too many networks don't have a dedicated and trained security professional. Too often the LAN Administrator gets pressed into the duty of handling security and it's a very big job for the untrained to handle. It occurs to me that probably most people charged with network security in the country don't really have any (or at least not much) training in the field.

2. Complex passwords are actually a bad thing. People have a tough time remembering them and that results in more help-desk calls. Also, because they're hard to remember, they're more likely to end up scribbled on a Post-It on their monitor!

Get rid of the term "Password" and use "Passphrase" instead. Password encourages people to use short, easily guessed, words that present little challenge to break. Passphrases can be much longer and yet just as easily remembered. Using "Hello" for a password is bad. Using "Hello, how are you doing today" as a passphrase is not bad at all. Long and hard to guess, plus the mixed case, punctuation and spaces make it much more difficult to break via brute force. Ideally you'd like to have at least a 15 character passphrase - that will make it nearly impossible to brute force with today's technology; especially if you have mixed case, spaces, numbers and symbols in it. "My anniversary is June 23rd." is a good passphrase. Not only very tough to crack, but will probably improve your marriage. (since you won't forget)

3. WindowsXP can still use blank passwords, however they will only work locally. That's good and bad. Bad if you need to secure the local machine. Good if you're concerned that your users might use a blank password for a network resource. At least you have some reassurance there.

4. XP and Windows 2003 recognize a difference between changing a password and resetting it. What you do through the administrator's console on the server is reset the password - you don't have to know the old password to do that. If you do that it will break encryption, IE saved passwords and e-mail public keys. Changing the password is what happens at the local console when you type the old password and then the new one. That retains all of the above. This is especially important to remember if you're using encrypted file system on a laptop or notebook. If the user forgets their password (see: complex passwords above!) and you have to reset it then you could lose access to all of the encrypted files on the hard drive. It's not recoverable.

I'll have more shortly....

A few thoughts on subjects related to technology.


06/01/2003 - 07/01/2003 / 07/01/2003 - 08/01/2003 / 12/01/2003 - 01/01/2004 / 01/01/2004 - 02/01/2004 / 02/01/2004 - 03/01/2004 / 03/01/2004 - 04/01/2004 /

Powered by Blogger
Technorati Profile

Hit Counter
Net Flix