Get trained for emergencies

I’ve mentioned this before.

We seem to have had a number of disasters this year: earthquakes, tsunami, a few hurricanes (with one currently sweeping Japan, and another building right now off the east coast of the US), wildfires, you name it.  In the US, this is National Preparedness Month.

So this is a good time to get trained.  It gets you CPEs, usually for free.

And, in a disaster, it makes you part of the solution, not part of the problem.


REVIEW: “Above the Clouds”, Kevin T. McDonald

BKABVCLD.RVW   20110323

“Above the Clouds”, Kevin T. McDonald, 2010, 978-1-84928-031-0,
UK#39.95
%A   Kevin T. McDonald
%D   2010
%G   978-1-84928-031-0 1-84928-031-2
%I   IT Governance
%O   UK#39.95
%O  http://www.amazon.com/exec/obidos/ASIN/1849280312/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1849280312/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1849280312/robsladesin03-20
%O   Audience n+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   169 p.
%T   “Above the Clouds: Managing Risk in the World of Cloud Computing”

The preface does a complicated job of defining cloud computing.  The introduction does provide a simpler description: cloud computing is the sharing of services, at the time you need them, paying for the services you need or use.  Different terms are listed based on what services are provided, and to whom.  We could call cloud computing time-sharing, and the providers service bureaus.  (Of course, if we did that, a number of people would think they’d walked into a forty-five year time-warp.)

The text is oddly structured: indeed, it is hard to find any organization in the material at all.  Chapter one states that the cloud allows you to do rapid prototyping because you can use patched operating systems.  I would agree that properly up-to-date operating systems are a good thing, but it isn’t made clear what this has to do with either prototyping or the cloud.  There is a definite (and repeated) assertion that “bigger is better,” but this idea is presented as an article of faith, rather than demonstrated.   There is mention of the difficulty of maintaining core competencies, but no discussion of how you would determine that a large entity has such competencies.  Some of the content is contradictory: there are many statements to the effect that the cloud allows instant access to services, but at least one warning that you cannot expect cloud services to be instantly accessible.  Various commercial products and services are noted in one section, but there is almost no description or detail in regard to actual services or availability.

Chapter two does admit that there can be some problems with using cloud services.  Despite this admission some of the material is strange.  We are told that you can eliminate capacity planning by using the cloud, but are immediately warned that we need to determine service levels (which is just a different form of capacity planning).  In terms of preparation and planning, chapter three does mention a number of issues to be addressed.  Even so, it tends to underplay the full range of factors that can determine the success or failure of a cloud project.  (Much content that has been provided previously is duplicated here.)  There is a very brief section on risk  management.  The process outline is fine, but the example given is rather flawed.  (The gap analysis fails to note that the vendor does not actually answer the question asked.)  SAS70 and similar reports are heavily emphasized, although the material fails to mention that many of the reasons that small businesses will be interested in the cloud will be for functions that are beyond the scope of these standards.  Chapter four appears to be about risk assessment, but then wanders into discussion of continuity planning, project management, testing, and a bewildering variety of only marginally related topics.  There is a very terse review of security fundamentals, in chapter five, but it is so brief as to be almost useless, and does not really address issues specifically related to the cloud.  The (very limited) examination of security in chapter six seems to imply that a good cloud provider will automatically provide additional security functions.  In certain areas, such as availability and backup, this may be true.  However, in areas such as access control and identity management, this will most probably involve additional charges/costs, and it is not likely that the service provider will be able to do a better job than you can, yourself.  
A final chapter suggests that you analyze your own company to find functions that can be placed into the cloud.

Despite the random nature of the book, the breadth of topics means it can be used as an introduction to the factors which should be considered when attempting to use cloud computing.  The lack of detail would place a heavy burden of research and work on those charged with planning or implementing such activities.  In addition, the heavily promotional tone of the work may lead some readers to underestimate the magnitude of the task.

copyright, Robert M. Slade   2011     BKABVCLD.RVW   20110323


New computers – Windows 7 – security and password aging

Today when I signed on I got a bit of a shock.  The computer warned me that my password was going to expire in 5 days, and I should probably consider changing it.

It was a shock because this is my computer, and I go along with current password aging thinking, which is that a) we can’t figure out who first figured that password aging was all that hot an idea, and b) if it ever was a good idea, in the modern computing environment, password aging is a non-starter.  Given that passwords should probably exceed 20 characters, and likely should be somewhat complex, trying to get people to choose a good one more than once every few years (when rainbow tables have been extended) is likely more security compromising than enhancing.

So, I went looking.  Having dealt with security for a number of years, it wasn’t too hard for me to figure out that I didn’t want the control panel (since I hadn’t seen anything along that line while I was modifying other settings), and that I likely wanted “Administrative Tools,” and under that “Local Security Policy.”  I had to read through all the options to determine that I probably wanted “Account Policies,” but, under that, it was obvious I wanted “Password Policy,” and, once there, “Maximum password age” stood out.  With no particular options or actions I went back to the menu bar until I found that “Action” had a “Properties” function, bringing up a dialogue box with an entry box with a number in it.  I figured that setting it to zero might turn off password aging, but I didn’t want to do anything that might require me to set a new password every time I signed on, so, when I saw that one of the tabs was “Explain,” I chose that.

(Allow me to digress for just a second here, and note that I suspect that the average home or small office user would not have found it easy to find this setting, and thus would have been stuck with the default.  And all that that implies.)

The explanation did confirm that setting the number of days to zero does mean the passwords never expire.  But it also told me that “It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user’s password and have access to your network resources.”

Microsoft, you’ve got to be kidding.  If an attacker has enough access to your system in order to start cracking your passwords, then they’ll almost certainly succeed within a few days.  Unless you’ve chosen a really, really good password, in which case it might be some years.  So 30 to 90 days makes very little sense.  (And, if you’re really serious about the maximum of 90 days, how come the entry box allows up to 999?)

But then, right down at the bottom, it tells me that “Default: 42.”

Oh, sorry, Microsoft.  Obviously you are kidding.  Nobody could take that seriously as a default.

(But then, why is that the default, and why is it enabled by default? …)

The issue prompted a little more thinking on my part.  Was it really 37 days (42 minus 5) since I’d installed the machine?  Ah, but then, it couldn’t be.  As previously noted, I had to take it back to the store to clear up some OS registration issue.  They, of course, didn’t ask what password I’d set, they just blew off the passwords.  So, the 37 days would start from that point, wouldn’t it?

Well, apparently not.  When I checked my journal, it was obvious that the 37 days started when I first started setting up the computer, not when the store eliminated the passwords.

Interesting version of “history” there, Microsoft …
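
The policy value and the "when did the clock start" question from the post above can both be read from a prompt. The following PowerShell is an added example, not part of the original post; it assumes a local (non-domain) account on an English-language Windows install, and treating a non-positive `MaxPasswordAge` as "no maximum" is an assumption.

```powershell
# Added example (not from the original post): inspect local password aging.
# Read-only; nothing here changes a setting.

# Machine-wide policy: the same values shown under
# Local Security Policy > Account Policies > Password Policy.
net accounts

# Per-account view through the ADSI WinNT provider.
# Assumes the signed-on user is a local account on this computer.
$account = [ADSI]"WinNT://$env:COMPUTERNAME/$env:USERNAME,user"

$ageSec = [int64]$account.PasswordAge.Value     # seconds since the password was last set
$maxSec = [int64]$account.MaxPasswordAge.Value  # policy maximum, in seconds
$flags  = [int]$account.UserFlags.Value
$dontExpire = 0x10000                           # ADS_UF_DONT_EXPIRE_PASSWD

# Working backwards from the age shows which event Windows counts as
# "password last set", which is the question raised at the end of the post.
$lastSet = (Get-Date).AddSeconds(-$ageSec)
"Password last set : {0:yyyy-MM-dd} ({1:N0} days ago)" -f $lastSet, ($ageSec / 86400)

if (($flags -band $dontExpire) -ne 0) {
    "Expiry            : never (account is flagged 'password never expires')"
}
elseif ($maxSec -le 0) {
    # Assumption: the provider reports a non-positive value when the policy
    # has no maximum password age.
    "Expiry            : never (policy has no maximum password age)"
}
else {
    $expires = $lastSet.AddSeconds($maxSec)
    "Expiry            : {0:yyyy-MM-dd} ({1:N0} days left)" -f $expires, (($maxSec - $ageSec) / 86400)
}

# Changing the policy needs an elevated prompt. This is the command-line
# counterpart of entering 0 in the "Maximum password age" dialogue:
#   net accounts /maxpwage:unlimited
```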


The “Immutable Laws” revisited

Once upon a time, somebody at Microsoft wrote an article on the “10 Immutable Laws of Security.”  (I can’t recall how long ago: it’s now listed as “Archived content.”  And I like the disclaimer that “No warranty is made as to technical accuracy.”)  Now these “laws” are all true, and they are helpful reminders.  But I’m not sure they deserve the iconic status they have achieved.

In terms of significance to security, you have to remember that security depends on situation.  As it is frequently put, one (security) size does not fit all.  Therefore, these laws (which lean heavily towards malware) may not be the most important for all users (or companies).

In terms of coverage, there is little or nothing about management, risk management, classification, continuity, secure development, architecture, telecom and networking, personnel, incidents, or a whole host of other topics.

As a quick recap, the laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

(Avoid malware.)

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

(Avoid malware, same as #1.)

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

(Quite true, and often ignored.  As I tell my students, I don’t care what technical protections you put on your systems, if I have physical access, I’ve got you.)

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

(Sort of a mix of access control and avoiding malware, same as #1.)

Law #5: Weak passwords trump strong security

(You’d think this relates to access control, like #4, but the more important point is that you need to view security holistically.  Security is like a bridge, not a road.  A road halfway is still partly useful.  A bridge half-built is a joke.  In security, any shortcoming can void the whole system.)

Law #6: A computer is only as secure as the administrator is trustworthy

(OK, there’s a little bit about people.  But it’s not just administrators.  Security is a people problem: never forget that.)

Law #7: Encrypted data is only as secure as the decryption key

(This is known as “Kerckhoffs’ Law.”  It’s been known for 130 years.  More significantly, it is a special case of the fact that security-by-obscurity [SBO] does not work.)

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

(I’m not sure that I’d even go along with “marginally.”  As a malware expert, I frequently run without a virus scanner: a lot of scanners [including MSE] impede my work.  But, if I were worried, I’d never rely on an out-of-date scanner, or one that I considered questionable in terms of accuracy [and there are lots of those around].)

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

(True.  But risk management is a little more complex than that.)

Law #10: Technology is not a panacea

(Or, as (ISC)2 says, security transcends technology.  And, as #5 implies, management is the basic foundation of security, not any specific technology.)


Application complexity

Complexity is the enemy of security.

I always emphasize that point in the app sec domain when we have those two adjacent slides showing the old system/application environment, and the new.  I also point out that the “new” is now rather old.  When trying to update that slide I came up with eleven different levels without half trying.  Then, of course, you have to add bi-directional arrows between all adjacent components, and between all components on a given level, and between most components on adjacent levels.  Gets convoluted real fast.

Went to a real-time/component trade show recently, and was talking to some people who did embedded systems.  One of their promotional handouts shows a model that has six layers.  (And, of course, you have to add bi-directional arrows between all adjacent components, etc.)  And that’s just for “simple” embedded devices.

We seem to have lost the KISS battle a long time ago.  I guess now we have to try for KIASAPS (Keep It As Simple As Possible, Stupid).


New computers – Windows 7 – security and permissions (2)

Had an interesting experience.

There is a file I keep with some reference material.  For a number of years I’ve had this in the root directory of the drive on most of my machines.  I tried to update it the other day.

I couldn’t.

Windows 7 apparently would not let me modify anything in the top-level directory, even though properties showed that I had full control.  I tried a variety of different ways to make these permissions effective.  No dice.

Eventually I found myself somewhere that offered to let me blow off permissions for the root directory.  Permanently.

I thought it over, and eventually decided not to.  Generally, I’d agree that having the ability to write to the root directory might possibly be dangerous, in a somewhat bizarre set of circumstances.  But I decided that moving the file wasn’t that much of an issue.  So I let the permissions lie.

But I’m left with some questions.  My first reaction, once I got to the screen that would let me change the permissions, was to blow them away.  I was so frustrated by the roadblocks and lack of information provided by Windows 7 that I probably wasn’t thinking completely clearly.  And I’d suspect I’m not alone in this.

The other question is: why on earth did Windows 7 allow me to put the files there in the first place, but not allow me to modify them?  Isn’t the ability to put a file there in the first place even more of a security risk?


Blow your own horn

At a local conference, one presenter had a topic of “Blow Your Own Horn.”  The point was to be ready with some kind of success story (any kind of success story) ready for presentation.  Elevator pitch level stuff, except you aren’t selling anything specific, just success.

For example: “Last year you (the Board) approved purchase of a $50,000 licence fee for AV software on the email server.  This past month, records show it stopped 1 million viruses, which would otherwise have gotten through.  Had they been run, they would have cost $500 each (estimated industry average) to clean up.  Therefore, your prescient decision to spend $50,000 has returned $500,000,000 to the company.”

(OK, yes, any infosec professional knows the holes in that logic.  And you are turning it so that you are crediting the Board with what should be *your* success.  But you get the idea.)

I suggest everybody have a file in some readily accessible drawer, for scribbling down any idea you come up with along these lines, using company specific data.  One idea per page.  Any time you get called to the Boardroom (or, depending upon how many ideas you can come up with, any meeting) grab a sheet and read it in the elevator.  Whatever they asked you to talk about, walk in and start off with, “Thank you for your interest in X.  Before I begin, I’d like to let you know that, because of our investment in a $2,000 course in Ethereal, for one of the net sec admins, last April’s intrusion was detected within 5 hours, and we were able to ensure that all servers were hardened against that particular attack within only a further 12 hours, all within house.  Normally such an attack would be undetected for three days, and would have required outside help at a usual cost of $7,000.”

(Yes, this gets down into the weeds in regard to architecture, but security is a lot more about politics than technology.  And people love stories.)


New computers – Windows 7 – XP Mode fixes

I think I may finally be getting the hang of this XP Mode thing.  (I may also be fooling myself …)

As previously noted, XP Mode doesn’t access the “real” drive, but a virtual drive which is contained in one large file.  (Actually, seemingly a minimum of three, but only one appears to contain the drive “contents.”)  XP Mode does provide you with links to the real drives on the computer, but, while accessible from most Windows programs, since they are not mapped to drive letters, you cannot do anything with DOS programs, even though such programs run under XP Mode.

I figured I would have to create the directories, with files I wanted to work on, within the “virtual” drive, and, each time I made any modifications, remember to copy the new versions back to the “real” disk so they could be used under Win7.  Not only is this a nuisance, but it wastes disk space.  XP Mode takes up enough space as it is: starting at about 1.5 gig, by the time you get it up to speed with Windows updates, it has ballooned to 6 or 7 gig.  Any programs or file space you want come on top of that.  (And, since I no longer trust XP Mode to stay stable, I have been making backup copies as I have been doing the updating and adjusting of the virtual machine, wasting even more disk space.)  An annoyance, to say the least.

I can’t remember where I found it, but somehow I noted a reference to the actual description, within XP Mode, of the links to the real drives.  It looks just like a network reference to a shared resource.  So I tried mapping that format and creating a DOS “lettered” drive mapping (from within XP Mode).  So far it seems to work fine.

For those who’d like to try, the “network” name of the real computer seems to be TSCLIENT.  So, in order to create a link to the C: drive on the real computer, map to \\TSCLIENT\C .  (It does not seem to matter what your real machine’s name is, that name does not seem to be used in the reference.)


Conflicting AVs

Well behaved antivirus programs can safely work together in peace and harmony.

Unfortunately, relatively few AVs are well behaved.

On my new desktop, I’ve got Avast (came with the machine, has a free version, and is a pretty good product) and MSE (it’s free, and it’s pretty safe for most users, although, as a professional, some parts of it irk me).  I’ve set both to ignore the virus zoo, although they aren’t too good at taking that restriction to heart.

MSE quarantined a few samples before I got things tuned.  Of course, it doesn’t have any function to get stuff out of “quarantine.”  (As I say, as a professional this is irksome, but, considering the average user, I’d say this is a darn good thing.)

Today Avast gave me a warning of some dangerous files.  They were the ones MSE quarantined.

(In case anyone is interested, the quarantine seems to be in \ProgramData\Microsoft\Microsoft Antimalware\LocalCopy.)


New computers – Windows 7 – compatibility – XP Mode – crash (2)

Well, further observations on XP Mode.

It may be necessary, but it’s touchy as all get out.  Also, so far I have not found anything that seems to be willing to do a restore.  There is a function called “Undo Disks,” but that possibly makes the system less stable when it is enabled.  More on that later.

After the crash on Gloria’s account, I found where the files were, particularly the disk file.  Since I had my account working, and since I had already applied all the Windows Updates to it, I copied my disk file to her directory.

It fired up just fine, and I made the necessary changes, setting it to her preferences and installing and testing some programs she wanted.  I tested the program setup, and everything seemed to be fine.  So I shut the program down.

It came up again demanding a username and password.  No matter what I tried, nothing worked.

So, I tried copying my disk file over top of hers again.

(Let me say, at this point, that all this is taking much longer than would be evident.  The disk files are enormous, multiple gigabyte files.  Just copying them takes about a quarter of an hour at times.  Also, each time you shut down, and start up, the virtual machine, it takes at least five minutes just to start.)

I got the same kind of crash as before, a missing file.  Different file, but same result.  No possible way to get it to start.  By this time I had found the setting that allows me, when closing the system, to shut it down, rather than just hibernating it.  (If you allow it to hibernate, it is, as far as Windows is concerned, still running, and therefore cannot be messed with.  Or fixed.)

By this time I had found the original, plain jane, basic, vanilla XP Mode virtual disk file.  It is stored elsewhere on the computer.  So I tried getting rid of some of the (obviously corrupted) working files, and tried to start from scratch.

Somehow this has created two virtual XP Mode “machines.”  Well, if one of them will keep working, it may be worth the wasted disk space.

Ah, yes.  I promised more on “Undo Disks.”  Given the name, you would think that this would allow for a sort of restore point type situation.  Well, it does, but it does it in a fairly kludgy manner.  If you enable Undo, then, when you make a change to the disk in the virtual machine (write a file, modify settings, whatever), the change isn’t actually made on the virtual disk.  It’s held in a separate file.  You can see that this might create problems, since the system has to read the basic virtual disk file, and then has to read the diff file, as it were, and apply the changes as a kind of journalling.


New computers – Windows 7 – compatibility (2) XP Mode

In researching the purchase of the new desktop, I found/was told/noted that you needed Windows 7 Pro version for “XP compatibility.”  Naturally, I assumed that this would be built into the product that I bought.  (Actually, I was a bit worried by that statement, since one would assume that a new version of an operating system would still run stuff that the old one did.  I still use programs that I first ran on MS-DOS 2, and they were still working fine on XP.)

Not so.

Well, I’m sure that Microsoft would take issue with that statement.  After all, when you try to use the “recommended settings” when troubleshooting compatibility, it tells you that it is running “Windows XP (Service Pack 2)” compatibility mode.  (Pretty much regardless of what the program or utility is.)  And if, trying the more manual troubleshooting, you tell the troubleshooting program that it did run under previous versions of Windows, there are XP SP2 and XP SP3 options (among nine others) to choose from.

It doesn’t matter which you choose.  I haven’t found any of them to work with any program to date.

However, the advice to buy Win7 Pro is sound, if you want to have much of a chance of running anything (interesting) that you have been using up until now.  You absolutely must have XP Mode.  It solves all your problems.  (Well, it solves a bunch of problems, and you can probably fix the rest with some scripting, which is annoying, but better than nothing.)  You have XP Mode if you buy Win7 Pro.

Well, no you don’t.

XP Mode turns out to be part of Windows Virtual PC.  You don’t have it with the base install.  You have the right to have it, but you don’t have it, and you have to download it and install it.  In trying to find out why I couldn’t run stuff that had run perfectly well under XP, I found a mention in the Help system, which made me realize this was a possibility.  Sure enough, chasing this mention down through a few related help articles, I found a link to go and get it.  So I did.

Well, I tried.  In order to install Windows Virtual PC, Microsoft wants to run MGA.  MGA stands for Microsoft’s Grasping Authenticator.  Microsoft disputes this, and refers to it as Microsoft Genuine Advantage, but there is absolutely no advantage to you, the user, in MGA.  There definitely is an advantage to Microsoft, because, if you need MGA to run or install something, and anything at all goes wrong, you have to pay Microsoft to get it fixed.  Even if you’ve paid already.  I had no fear of MGA, because a) I knew that it was a genuine product, and b) I’d already had to run MGA to get the updates to work, and it hadn’t blinked.  This time, however, it would not believe that my Win7 Pro was Win7 Pro, and would I please cough up an extra $200.

(I took it back to the store I bought it from.  They got it fixed, for no money, but it did take them two days to do it.  And all my passwords were gone.  Oh, you thought passwords were there to keep people out of your computer?  Silly you.)

So now I have Windows Virtual PC, and XP Mode with it.  And, absent the fact that it creates a virtual disk for itself, and that, if you want to work on anything on your real disk you probably have to copy it on to this virtual disk, and mess around with settings, it runs everything just fine.  Per my previous posting on compatibility, Netscape/Communicator 4.8 works.  Eudora 1.5.2 works.  My beloved WordPerfect 4.2 (yes, that old) works.  So does WordPerfect 5.1, which is what Gloria prefers.  (I’m not sure I’m going to go to all the trouble of setting up the system that allows us to print from WordPerfect to a winprinter: we really only need to get at the files for reference purposes.)  Good stuff.

I did have to do a whole bunch of Windows Updates on XP Mode itself, which seems very strange to me.  Seeing as how I was downloading it from Microsoft, couldn’t they keep it patched and up to date?  Three or four sessions with Windows Update, and something close to a hundred updates by the time it seemed to settle down.

Ceterum censeo Microsoft esse delendam.


New computers – Windows 7 – security and permissions

Plenty of frustrations in getting set up with Windows 7.

One of the first things I tried to do was add some utilities into the “SendTo” folder so that they are at hand when I am working in Windows Explorer.  These used to be stored in “Documents and Settings” so that’s where I started.  It still exists.

I couldn’t get access to it.  Couldn’t even open the list of subdirectories.  Even though I am running as admin (yeah, yeah, let me get the dratted thing running, first, and then I’ll worry about trying to restrict myself) access is denied.

So, if I’m an admin, I can change the permissions, yes?  Apparently not.  When I look at the Security tab, I apparently already have full control.  When I try and edit these permissions, just in case full control needs to be confirmed, I get a bunch of messages saying that I don’t have permission to change the permissions.  I’ve tried through a bunch of different screens having to do with security or permissions or rights, or editing any of the above, and so far not one of them has worked.

In any case, all of this is academic.  These settings no longer reside in “Documents and Settings” but in a new (as of Vista) folder called “Users.”   “Documents and Settings” is merely a link.  (I think I had to change the permissions on the Users directory in order to get access and make the mods I wanted, but, to be quite honest, at this point I can’t remember everything I’ve had to do.)

OK, it’s reasonable that you shouldn’t be able, from a mere link, to change permissions on the actual directory.  (I think.  I’m having trouble thinking of anything you could actually do, but, on basic security principles, I’d have to agree that there is potential risk, at least.)  But, if so, then why have the link at all? As it is, it is completely useless, and only serves as a distractor for people like me who know some of the internals.

I’ve also got to say that the dialogue boxes for the “Security” and permissions are extremely odd.  You get to see what they are, but you don’t get to change anything, that is on a separate dialogue under edit.  And if you have selected a certain user or group, and then go to the editing dialogue, it is easy to miss the fact that the user or group chosen is no longer selected on that dialogue.  By default what is selected is “Everyone.”  If you are not paying attention, it would be really easy to grant full access to the entire world.

While doing the massive numbers of Windows Updates (it took about seven update sessions [including almost a gigabyte download for SP1], and four reboots, before the system seemed to settle down) I installed MSE.  I still like it for almost all users, and I’ve had some experiences cleaning up other machines where MSE worked well, and other AVs almost crashed the system.  However, as a professional, I’m still annoyed at some aspects of it.  I marked my “zoo” as excluded, but that setting does not, apparently, apply to the “Full scan,” nor to the real-time scanning.  (And, apparently, simply pulling up a directory in Windows Explorer counts as “opening” all the listed files.)

Ceterum censeo Microsoft esse delendam.
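
The post above notes that the permissions editing dialogue selects "Everyone" by default, so a slip can grant the whole world full access. The following PowerShell is an added example, not part of the original post, for checking afterwards whether that happened; the function name `Find-EveryoneWriteAce` and the sample path are hypothetical, and it assumes PowerShell 3.0 or later (Windows 7 ships with 2.0).

```powershell
# Added example (not from the original post): list access-control entries
# that allow the Everyone group (SID S-1-1-0) to write, delete, or change
# permissions on a folder and its subfolders. Read-only audit.

function Find-EveryoneWriteAce {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [switch]$Recurse   # off by default: only $Root and its immediate subfolders
    )

    $rights = [System.Security.AccessControl.FileSystemRights]
    # Specific rights that let a principal alter content or permissions,
    # plus the raw GENERIC_ALL / GENERIC_WRITE bits that can appear on
    # inherit-only entries and have no enum name.
    $writeMask = [int]($rights'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor
                 0x10000000 -bor 0x40000000

    $folders = @(Get-Item -LiteralPath $Root -Force)
    $folders += @(Get-ChildItem -LiteralPath $Root -Directory -Force -Recurse:$Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Compare by SID rather than by name, so the check does not
            # depend on the display language of the group name.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # orphaned or unresolvable identity

            if ($sid -eq 'S-1-1-0' -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed usage: check the profile folder the post was editing.
# Find-EveryoneWriteAce -Root "$env:SystemDrive\Users" | Format-Table -AutoSize
```

Entries with `Inherited` set to `False` were placed directly on that folder, which is what an accidental edit in the dialogue would produce.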


New computers – Windows 7 – compatibility (1)

Windows 7 is not compatible with anything before Vista.  (I refused to have Vista in the house, so I have no idea about whether Win7 and Vista are compatible.)  If your artsy friends are bugging you to get a Mac, or your geek friends are bugging you to get Linux, and you have been limping along with Windows XP, and are now desperately in need of a new computer (all of which applied to me), then go along with whichever set of friends will give you the most help, and switch.  It’ll be easier than trying to figure out how to make Windows 7 work the way you’ve been used to.

That’s an overstatement, of course, but not much of a one.

First off, you’ll have to throw out all your previous software.  I tend to stick with computers for too long, and with software for too long.  At least, that would be the position of software vendors.  I figure a) if it ain’t broke don’t fix it, and b) why should I have to spend a lot of time learning the mixed up new interface that some idiot down in marketing thought would be kewl, and try to find the functions that I need down where they have buried them.  (Often I find that the stuff I really need is completely gone.)

Think I’m kidding?

I use Firefox.  No particular problem there.  Except that Mozilla wanted me to install 5.0.1, after I’ve been used to 3.6.18 for a while.  And I only then realized that I had no idea how to move the bookmarks over to my new system.  I have no idea where Firefox puts them.  Now, under the previous versions of Firefox, it was pretty good about using any sets of settings you might have lying around, including old bookmarks files.  Now it’s gotten fussy.  Of course, now Firefox has a new Sync feature.  That’ll probably help in future, but it’s not much use right now. (Yes, I’m reading up on how to use it in the old version, and, yes, I’ll probably be able to get everything across.  Eventually.)  (And, besides, all of this is Mozilla’s fault, and I know you are eager for me to get on with the Microsoft bashing.)

So, Firefox works (wonder of wonders).  I use a mail program called Pegasus, which, with a little care and attention on installation, also works.

I also use Netscape 4.8.  (Actually Communicator 4.8, but …)  Yes, I know, old tech.  But, it is a very safe browser, especially with JavaScript turned off, and, as a malware researcher, I have occasion to look at some pretty dangerous places.  Also, it uses the old bookmark.htm file, which is really handy for managing and transferring my collection of bookmarks.  The installer will not run in Win7.

(Yes, I researched the problem, and, yes, somebody mentioned SeaMonkey.  Interface is very similar, I grant you, but I can’t find out where they keep the bookmarks.)

(Also, Windows 7 initially choked big time trying to run the installation.)

My wife likes the simplicity (and I like the safety) of Eudora.  Version 1.5.2.  Doesn’t run.

For both programs I have tried the “Troubleshoot compatibility” option.  I bought, and paid extra for, Windows 7 Pro specifically because it was “compatible” with WinXP.  I tried the “recommended” settings, which supposedly ran in-or-as WinXPSP2.  I tried the manual troubleshooting, telling it that the programs ran just fine under Win95/98/NT/2K/XP and/or 2003.  They didn’t run under any compatibility mode.

And, of course, don’t even bother to try and run any DOS or other command-line utilities.  (Even using “Run as administrator.”)

(Using utilities that mess with internals is one area where you don’t expect compatibility.  So I was surprised, and very pleased, to note that the Frhed hex editor works just fine under Win7, particularly after all the other problems I had.)

Some of these problems can be overcome, or worked around, using Windows Virtual PC XP Mode.  More on the trials of that, later.

Ceterum censeo Microsoft esse delendam.


New computers – Windows 7

OK, I’ve thumped on Macs for a while now, so I guess it’s time to give Microsoft some bad words.

(I said a lot of bad words during this process …)

I bought the new computers back before Christmas, and it’s only now (well, last week, about seven months after I bought them) that I’m getting the new desktop set up.  Partly it’s been one darn thing after another, but partly it’s been a bit of anxiety.  And the anxiety was justified.

This will take a couple of postings to get through …


Vodafone Hacked – Root Password published

Looks like a nice one:

The Hacker’s Choice announced a security problem with Vodafone’s Mobile Phone Network today.

An attacker can listen to any UK Vodafone customer’s phone call.

An attacker can exploit a vulnerability in 3G/UMTS/WCDMA – the latest and most secure mobile phone standard in use today.

The technical details are available at http://wiki.thc.org/vodafone.

News article:
http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html


Complexity is killing us

The other night Gloria asked me what to do about securing the computer if I die first.  (Yes, we talk about those types of things.)  I really didn’t know what to tell her.  And told her that.

A decade ago, I would have had a list of things to do.  Actually, she knows that list: although she always considers herself ignorant about computers, she’s actually more savvy than most (and a lot more savvy than she gives herself credit for).  But these days I hardly know where to start.  You have to qualify every piece of advice you give, and you have to constantly keep up on the latest attacks and threats.  General classes don’t cut it any more.

This isn’t because the attackers are getting any more imaginative.  In general, they aren’t.  Recently a lot of companies (some, like RSA and Sony, very high profile) have been screaming about getting hit by APT (Advanced Persistent Threat) attacks.  What is APT?  Simply social engineering and malware.  Well, since malware has almost always had a social engineering component, I suppose it’s really only malware.  We’ve had malware for thirty years.  So what’s new?  Nothing.  The companies were sloppy.

What is happening is that all of information and communications technology is getting more and more complex.  Programs are tied into the operating system.  Nothing is clear cut.  The actual workings of the system are hidden from the user.  Hardware is virtual.  Networks are cloudy.  Gene Spafford mentioned this in a recent interview.  Since it was an interview, he really didn’t get a chance to expand on this point: the interviewer was more interested in trying to nail down who to blame for the situation.  Who is to blame?  Well, the vendors are creating sloppy systems: forfeiting security in the name of bells and whistles.  But that, of course, is because only a vanishingly small segment of the population is actually interested in security: everyone wants dancing pigs.

I’ve written before about complexity and security.  (And network complexity.)  But every day brings new examples.  Today, for example, Adobe has finally brought out an easier way to delete or manage Flash cookies.  Flash cookies are a particularly pernicious and tenacious form of cookie.  Those of you who think you are “up” on security may have set your browser to delete cookies.  Good.  Unfortunately, it doesn’t do a thing for Flash cookies.  So, Adobe has finally given us control over Flash cookies.  In version 10.3.  What version of Flash do you have?  Do you even know?  How would you find out?  It took me quite a while, and I know what I’m doing.  And, in spite of the fact that I’ve had numerous (annoying) Adobe updates recently, I don’t have 10.3.

I’m supposed to be a specialist not only in security, but in security awareness.  And the job is just getting overwhelming.

It’s really depressing.
