Yet Another Windows Nightmare, aka YAWN…

Attacks against unpatched Microsoft bug multiply

Any seasoned Windows user will not be surprised that there’s another known Internet Explorer security bug that Microsoft has taken much too long to address. Yes, they have released a little workaround script to temporarily disable the dangerous ActiveX control in question. But as a computer repair technician of many years I can assure you that the article’s assessment of that workaround is quite correct. Most people aren’t keeping up on this sort of thing – especially since it happens so annoyingly often – and are unlikely to use that script, since it requires taking time out of real life to go download and install it.  This, after another similar incident last week.

These frequent opportunities to have one’s computer invaded and/or data stolen or deleted should serve as a wake-up call to how truly dangerous it is to run Windows.  With all the spyware out there nowadays, it’s pure lunacy to do online banking or taxes or any other sensitive transactions on a Windows machine any more.  I have had customers tell me horror stories about getting victimized by identity theft after making such transactions, and finding out later that their Windows machine got infected with spyware shortly before it happened.  Danger, Will Robinson!

As a computer tech I can also tell you that by and large the most common repair these days is removal of viruses, spyware, adware, trojan horses, and keyloggers.  I speak as someone who has been cleaning up Microsoft’s messes for a long time when I say it continually amazes me how much time, money, and energy are spent just keeping Windows systems free of malware.  This in addition to the hefty 100 or 200MB service packs one has to keep downloading and installing, and having to deal with sudden crashes so frequent and ubiquitous they earned their own moniker in the computer world – “BSoD” for Blue Screen of Death.  (Here for your viewing pleasure is a video where Bill Gates himself gets hit with one of these at Comdex, a large computer conference… poetic justice, many would say.)

So I’ve used the acronym YAWN here for the reason that these occurrences are the same boring song sung over and over again.  If you’re not fed up by now, you haven’t been paying attention.

When you get sick and tired of being sick and tired, you’ll seek an alternative.

Some people respond to this problem by switching to a Mac.  But I think that’s jumping from the frying pan into the fire.  Part of the problem behind Microsoft’s shoddy software is the fact that they alone control that software, and users’ freedom of choice is the last thing they care about.  That’s why they are far more concerned about using antitrust tactics  to force out competitors (1 2 3 4 5 – oh heck just google “Microsoft antitrust”) than they are about making a superior product.  Now, while Apple’s software is clearly much better than Microsoft’s, they’re worse for user freedom of choice.  This is because, like Microsoft, they have exclusive control over the software – but they also have exclusive control over much of the hardware.  If Microsoft chooses not to remedy a software issue, Windows users are out of luck.  Mac users are subject to that problem too, but worse because the same exact concept also applies to hardware.  If Apple decides it has no plans to remedy a hardware problem (and I have heard various complaints about this), Mac users are out of luck on this front too.  I don’t recommend taking the Apple route, for these reasons.

GNU/Linux is easier than ever to use, and built with security and user freedom in mind.   It has an active worldwide community that provides support and continuous development of free software – “free” as in “freedom” and often “free” as in save your money.

Ω

Adobe Acrobat critical vulnerability

In case you haven’t heard yet (I hadn’t – I’ve been busy with other technical problems), there is a critical buffer overflow vulnerability in all versions of Acrobat Reader and Acrobat Standard.  This is all platforms, including GNU/Linux, Mac, and Windows.  And get this: it was announced February 19, but it’s not due to be patched until March 18!  This is apparently the latest in a rash of Acrobat vulnerabilities over the last several months.

Adobe’s response is a huge disappointment.  Just about everybody has Acrobat Reader.  So the fact that it leaves a hole for crackers to subvert the system it’s on, regardless of operating system, is a HUGE problem and shouldn’t sit open for a full month as a known, widespread, critical vulnerability with no patch.  Their announcement says they’ll be patching versions 7 and 8 too… and affected versions are “9.0 and earlier.”  Translation: this problem has been around for years – maybe since day one.  They’re just getting around to fixing it now, and taking their sweet time too considering how serious it is.  That’s a little too careless for my taste.  I’ve uninstalled Acrobat for good and will be using KGhostView from now on.  There, it’s patched!  🙂

Here’s how to get your “patch” before March 18:

GNU/Linux:  In the true spirit of open source, it has a wide variety of suitable replacements.  Some of the most popular ones are KPDF, Evince, Xpdf, and KGhostView.  Just search your package manager for anything with pdf in the description and you’ll probably have at least 2 or 3 choices, with at least one already pre-installed.  Much better than downloading and installing the ridiculously fat 47 MB Acrobat Reader file!

Mac: There is a built-in PDF viewer, but you’re not necessarily any safer even if you’re not using Acrobat, because of a PDFKit vulnerability.  **UPDATE** – Apple has released a patch – however, despite my best search efforts I couldn’t find a link to post here.  Sorry Mac users, I can only point you to Apple’s main website.

Windows: People on the forums are suggesting Foxit Reader as an alternative.   Disclaimer:  I haven’t used it, and this program itself had a similar critical buffer overflow issue until May 2008 or so.  But hey, at least it’s safer than Acrobat right now.  Nice bonus:  the file download is a scant 3 MB, compared to the bloated 21 MB of Acrobat Reader.

Be safe!

Ω

Yet another Windows security hole

Welp, another Windows worm is on the loose and spreading like wildfire through unpatched systems.  It can infect USB thumbdrives and mutate itself.

All-time top security tip #1:  patch, patch, patch!

If you are a home user, set your Windows updates to automatically download and install.

If you are an IT professional, have a patching system in place to ensure all machines get patched in a timely manner.  This worm just goes to show that the task of ensuring systems are patched cannot grind to a halt even during the holidays.  At least one person has to keep their eye on the ball at all times.  It sucks, especially if you’re at a smaller organization and you’re the only IT person, but that’s the nature of the beast.

Stay safe out there.

Ω

Mini-Microsoft blog

Submitted the following to Mini-Microsoft blog:

The fact that MS management feels it has to resort to unfair business practices to help keep its monopoly in place, rather than let the product’s quality speak for itself such that people rush out to buy it on its own merit, is just confirmation that even top MS management KNOWS it’s crap. And doesn’t care.

I’ve worked as a computer tech for a number of years. As such, I’ve of course had to work with MS software every day because that’s what most customers have. While MS’ business practices have long disgusted me, it’s the years of longstanding Windows problems that have finally overflowed my frustration threshold. The once fine art of computer repair (anyone remember checking IRQ usage and changing jumper settings to resolve conflicts?) has devolved into a never-ending parade of spyware / adware / trojan horse / keylogger / virus removals, and little else. A recent study showed that 60% of all Windows systems are infected with some type of spyware. I’ve consistently found that each spyware tool removes only about 25-35% of the malware on a given system, so you have to use 3-4 of them and still can’t be guaranteed it’s 100% clean. I’ve talked to so many customers who were victims of identity theft as a result of malware, that I’ve become thoroughly convinced that doing your online banking or shopping on a Windows machine is utter lunacy. And after cleaning malware and fixing crashes 8 hours/day plus service calls, the very LAST thing I want to do is come home and jack with MORE antispyware updates and crashing on my home network.

I’ve gone from grudging acceptance that sloppy Windows development has kept me in steady employment, to utter exasperation and outright hatred of its existence. I finally swore off Windows in favor of GNU/Linux, and began looking for GNU/Linux or even Mac work because I’m just tired of all the nonsense now. I’m sure there are plenty of others just like me. After all, if we have to learn a new interface on every new Windows release anyway, why not take that opportunity to just learn a better OS instead?

I’m convinced that many MS developers are incredibly bright, energetic, innovative people full of promise. Despite this, Windows is a train wreck in slo-mo. I’ve personally watched its security holes instantly bring huge and powerful companies to their knees. One can only imagine the IT and lost labor costs incurred. But it’ll be a cold day in hell before the “good ol’ boys” at the top will go around firing each other, even after a blogful of well-founded complaints.

Why waste your time and potential on 10-16 hour days, desperately trying to save the Titanic with bailing buckets until you’ve become weather-worn and disillusioned? MS top management has clearly demonstrated where their minds are at. Your talents could be put to much better use making a difference elsewhere.

Ω

Another Ubuntu / Kubuntu flaw

I complained earlier in this blog of a gcc versioning issue with this distro which caused me to decide that as much as I otherwise like K/Ubuntu, there is way too much sloppiness for my taste. I was just reiterating this fact to a fellow Linux user at a LUG meeting this weekend.

As if to prove my point (times a thousand), an “extremely critical” security hole was found in K/Ubuntu today. Apparently, the root password is clearly readable in some installation log files by anyone with a user login.

http://it.slashdot.org/article.pl?sid=06/03/13/0525254&from=rss

I’ve never heard of even Windows getting this sloppy. Now granted, the K/Ubuntu developers fixed this issue faster than Micro$haft ever would have, but this release has been out since October 2005 (hence the version number 5.10; 5 for the year and 10 for the month) and no one (correction: no white hat hacker!) has even noticed it until now. So as far as we know, any number of black hats could have been secretly compromising root passwords all this time, as long as they had a user account on the systems in question. And let’s not forget that before the October release date, the developers had all that time while it was in beta stages to correct the problem as well. So how long, all told, was this problem in place unbeknownst to the developers? Since the previous release 6 months prior? So close to a year, maybe? Now granted, I don’t know how easy it is to remotely access these logfiles if you don’t have user access, but I’d say this security hole as described is catastrophic enough!
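An added example, not part of the original post: a Python audit for the kind of exposure described above, where a log file that any local account can read records a password. The function names, the regular expression and the sample log line are constructed for illustration; the post does not name the affected files.

```python
import os
import re
import stat

# Assumed heuristic for credential-bearing lines; tune it to your installer's log format.
SECRET_RE = re.compile(r"(?i)pass(word|wd)[\w/-]*\s*[:=]\s*\S+")

def find_exposed_secrets(log_dir):
    """Return sorted (path, line_number) pairs for credential-like lines in
    regular files under log_dir that any local account can read."""
    findings = []
    if not os.stat(log_dir).st_mode & stat.S_IXOTH:
        return findings  # other users cannot even enter the top directory
    for root, dirs, files in os.walk(log_dir):
        # Prune subdirectories that other users cannot traverse.
        dirs[:] = [d for d in dirs
                   if os.lstat(os.path.join(root, d)).st_mode & stat.S_IXOTH]
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue  # skip symlinks, devices and files closed to "other"
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SECRET_RE.search(line):
                        findings.append((path, lineno))
    return sorted(findings)

def lock_down(findings):
    """Restrict each flagged file to its owner (mode 0600); return the paths changed."""
    paths = sorted({path for path, _ in findings})
    for path in paths:
        os.chmod(path, 0o600)
    return paths

if __name__ == "__main__":
    import tempfile
    # Constructed sample: one world-readable log with a made-up password line.
    demo = tempfile.mkdtemp()
    os.chmod(demo, 0o755)
    sample = os.path.join(demo, "install.log")
    with open(sample, "w") as fh:
        fh.write("partitioning done\nroot_password=Example123\n")
    os.chmod(sample, 0o644)
    hits = find_exposed_secrets(demo)
    print("exposed:", hits)
    print("locked down:", lock_down(hits))
    print("after fix:", find_exposed_secrets(demo))
```

Tightening the mode only stops further reads; a password that sat in a world-readable file should also be changed.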

As far as media buzz goes, everyone seems to be concentrating on what a tribute to the open source community it is that a patch was released within 2 hours of the problem’s public discovery. And sure, of course it is. I can’t think of a single company that would have reacted that quickly. But!! While I love Linux and hate Windows as much as the next enthusiast (maybe more), I simply cannot turn off my objectivity and common sense long enough to be anything less than horrified that this problem occurred in the first place. It’s just inexcusable. I can’t help thinking what havoc could have been wreaked if banks, hospitals, the Social Security Administration, the Pentagon, or other organizations with highly sensitive data had been using this on their production servers.

I, for one, will not be trying this distro again for a long time.

Ω

Upgrade from Windows XP

Micro$haft is preparing to release Windows Vista this year, saying that enhanced security is the top reason why users should fork over the money for the upgrade. And yet, simultaneously, they are also beginning to sell security products to businesses and $50/year antivirus subscriptions to end users. Doesn’t it strike anyone as being particularly ballsy to write crappy software all full of security holes, sell it at exorbitant prices, and then turn around and charge subscription fees to help fix it?? M$, are you for real?

It’s no secret that Vista hasn’t even hit the market yet, and already M$ has released a security patch for it.

To be fair, M$ is right about one thing. Security is, in fact, most definitely the reason why you should upgrade. …But what I take issue with is how they define “upgrade”. If you define “paying good money to move from an exceedingly broken and vulnerable OS to a somewhat less broken and vulnerable OS” as “upgrading,” then have at it, I guess.  I don’t call that “upgrading” — I call it an insult to our collective intelligence.

Microsoft says we should all upgrade for security reasons. (I’m sure the fact that this would line their already-filled-to-bursting coffers with even more profits has nothing to do with this recommendation.) But you know, profits notwithstanding, they are absolutely right. All previous versions of Windows including XP are riddled with security holes, and by all means we all should upgrade. But if you believe for one second that Vista will be the answer to these problems, you are seriously deluding yourself. Naturally M$ will tell you that each succeeding version is THE solution to all previous problems, simply because it’s profitable for them to do so!

A smart consumer will take the wheat and leave the chaff. Yes, each version of Windows will get better as M$ learns from each new catastrophe it has helped create, and we all pay the price (literally) in IT expenditures and downtime while they learn. But when you finally get sick and tired of the merry-go-round, you’ll consider a serious upgrade – to GNU/Linux or Mac.

But first, some excellent free advice from me as a long-time computer tech:

You should always keep at least one backup copy of all your important data in a separate location — in case, heaven forbid, your computer gets stolen, your hard drive crashes, your house catches on fire, or a plumbing problem turns your computer room into a swimming pool while you’re away at work. Whenever you do any software install, whether on Windows, GNU/Linux, MacOS, or any other operating system, you should make an extra backup, just in case you mess something up or a failing sector on your hard drive decides this would be a great time to quit allowing your system to access an important system file.

Yes, yes, you say. I have all my stuff backed up. What do I do now?

GNU/Linux options if you don’t feel comfortable installing it yourself:

  • Find a [GNU/]Linux Users Group (LUG or GLUG) close to you for help. Many of them periodically have “InstallFests,” events where anyone who wants Linux can just bring their computer in for free installation. For example, there will be a very large one this year at the Desktop Linux Summit 2006 in San Diego, California. Or for something less formal, just ask a LUG or GLUG member for assistance. GNU/Linux people are generally more than happy to help and quite eager to share their knowledge.
  • Find a GNU/Linux-savvy computer technician and pay him/her to install it for you.
  • Purchase a computer with GNU/Linux preinstalled. More and more often, major computer manufacturers are selling computers with GNU/Linux installed and ready to go.

A few of the most beginner-friendly GNU/Linux flavors to choose from if you’d like to try doing it yourself:

Mac options:

  • Purchase an Apple computer with MacOS X preinstalled. As of this writing MacOS 10.4 is the newest version.  Mind you, MacOS is proprietary software and as such, is subject to many of the same pitfalls as Windows – it’s just that Apple is better about addressing them than Microsoft is.

Ω

It’s a beautiful thing

Speaking of just working out of the box…! My son, who has liked Windows just fine for a long time and couldn’t imagine why anyone would ever switch to GNU/Linux, has officially been corrupted into my GNU/Linux-loving ways. We met up with a couple of my geek friends to just hang out, and during one of our typical geekly discussions began griping about Windows (in)security, malware removal and the advantages of GNU/Linux. My son had played with it a couple of times briefly, but had expressed disinterest when I’d brought it up from time to time because after all, Windows had been limping along… I mean, working… for him, and I’m not the type to push things on anyone. Anyway, he began asking a lot of questions about GNU/Linux in an effort to understand what the big deal is. He was not prepared for our answers. He didn’t know, for example, that it has full access to all your Windows partitions, and that you can install it on your Playstation 2 or Xbox and make a server, install it on many PocketPC’s including iPaqs, install it on a USB key and boot to it, or run it off a LiveCD/LiveDVD without altering anything on your hard drive. After many, many questions whose answers just blew his mind, he decided to try it. Over two evenings interspersed with musical breaks and various discussions, we backed up his hard drive, resized his partition, created a data partition for easier backups and sharing between operating systems, and installed SUSE Linux 10 Eval. Smooth and polished interface and very little technical information needed from the user. Just beautiful! Automatically finds and mounts your NTFS and FAT32 partitions as /windows/C and /windows/D, correctly identified every single piece of hardware including wireless without a single hitch, and presented a classy boot menu to choose GNU/Linux or Windows at startup. 
Showed him some of the nifty stuff you can do, along with some customizations, and one phrase soon began to dominate the conversation: “Now that is DOPE!” …Makes a mom proud. 😀

Ω