Monday, December 22, 2008
The latest exploit
The XML-based attack involves nested SPANs in a cross-site scripting attack using XML Data Islands to cause a heap overflow. After the heap corruption occurs, a payload can be executed on the browser's system. A payload is basically an encoded call to the operating system. A payload can be something as harmless as launching the desktop utility, or as dangerous as formatting or removing data from your hard drive. On the web, a hacker has posted sample code to launch the calculator on a user's system. Complete instructions also show how to create any payload to replace the sample calculator code.
Microsoft has posted workarounds and has issued a security update for IE 7, but the fact remains that this was a very big hole in IE. Approximately 80% of all documented security vulnerabilities are cross-site scripting attacks. This exploit was a specialized cross-site attack, known as a cross-zone scripting attack, which means that code can be executed outside the normal permissions that are available.
Why browsers are vulnerable
At a high level, when you enter a web page address and hit Enter, the web server returns a text file to your browser. The text file contains two types of data:
1. Data and formatting instructions (HTML), and
Exploits can occur when the user navigates to a bad web site that returns infected script code or plugin content to the user's browser. Most of the time, script code is beneficial and is what makes a web application such as Gmail work.
Two normal security techniques to stop threats are blacklisting and whitelisting.
Blacklisting began years ago by providing surfers a place to list bad sites within the browser preferences. If a user attempted to navigate to one of the listed sites, it would not be displayed in the user's web browser. The problem is that most users do not know which sites to list, and for the most part, this option has not been used.
Blacklisting has evolved into web site lists provided by third parties. Firefox anti-malware preferences and Opera anti-malware preferences are available in the browsers to check against downloaded lists by default. IE 7 uses a phishing filter that checks web sites against a remote database, but this technique has been known to cause performance issues.
Another option is to change your network settings to use OpenDNS. OpenDNS has been recommended by FaceBook and is a great way to provide a solid level of third party blacklist protection, regardless of the web browser used.
Whitelisting takes extreme measures, and considers all web sites unsafe by default. The U.S. government recommends this approach, and has listed instructions on how to configure popular browsers. Basically this technique involves first disabling script code and then using browser preferences to allow script code on specific sites that the user considers safe. Opera "Site Preferences" or the Firefox NoScript add-on allow a user-friendly way to do this. IE "Internet Zones" can also be configured, but it requires a greater learning curve.
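As an added illustration (not code from the post), the script below contrasts the two policies on constructed sample lists. Both policies compare hostnames on label boundaries, so a look-alike domain such as google.com.evil.example does not inherit a trusted site's script permission; the site names used are placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample lists for the demonstration; not real site lists.
BLACKLIST = {"malware.example", "phish.example"}      # sites known to be bad
WHITELIST = {"google.com", "mail.google.com"}         # sites the user trusts for script


def hostname(url):
    """Return the normalized hostname of a URL, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def host_matches(host, site):
    """True when host is site itself or a subdomain of site.

    Matching on the label boundary ('.' + site) is what stops
    'notgoogle.com' or 'google.com.evil.example' from matching 'google.com'.
    """
    return host == site or host.endswith("." + site)


def blacklist_allows_script(url):
    """Default-allow: script runs unless the host is on the blacklist."""
    host = hostname(url)
    if host is None:
        return False
    return not any(host_matches(host, bad) for bad in BLACKLIST)


def whitelist_allows_script(url):
    """Default-deny: script runs only if the host is on the whitelist."""
    host = hostname(url)
    if host is None:
        return False
    return any(host_matches(host, good) for good in WHITELIST)


def compare(urls):
    """Map each URL to (blacklist decision, whitelist decision)."""
    return {u: (blacklist_allows_script(u), whitelist_allows_script(u)) for u in urls}


if __name__ == "__main__":
    for url, (bl, wl) in compare([
        "http://mail.google.com/",            # trusted site: both allow
        "http://unknown-site.example/",       # unlisted site: only the blacklist allows
        "http://cdn.malware.example/x.js",    # listed bad site: both block
        "http://google.com.evil.example/",    # look-alike: whitelist still blocks
    ]).items():
        print(f"{url:40} blacklist={bl!s:5} whitelist={wl!s:5}")
```

The unlisted site is the case the post describes: a blacklist passes anything nobody has reported yet, while the whitelist blocks it until the user explicitly trusts it.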
Don't forget to scan
Although the title of this article says to forget the antivirus software, it is still advised to perform a virus scan on any file that is downloaded prior to opening, especially from an unfamiliar website. Free virus scanners are listed on the FaceBook security page. Mac users should get by using the blacklisting technique, but Windows users should seriously consider moving to using a whitelisting strategy, since most threats target Windows users.
Monday, December 15, 2008
A recent article in U.S. News notes how the unions are the reason that the big 3 are failing. Back in the 80s, I remember reading a book in one of my business classes about the Japanese work ethic, focusing on quality and automation. Many friends that I talk to equate Toyota and Honda with cars that will last for 200K miles. How many U.S. cars can you say the same thing about?
My wife's first car was a Ford Probe, her second a Ford Explorer. Both cars had electrical problems and we had to trade in the Explorer due to a cracked engine block. My last 2 cars have been Saturns, and I have been impressed with better overall quality. One thing I noticed with Saturns is that around 100K miles the cars started drinking more oil. The folks at the Saturn dealership told me this is normal. Normal??? When my wife's Explorer was traded in last year, we decided to go with a Toyota FJ Cruiser. The SUV is of VERY high quality and I can tell it will last us many years. Not a single problem yet, the thing is SOLID.
Toyota built a non-union Tundra plant in San Antonio. Yes, the plant hit tough times this year with pickup sales, and decided to shut down for 3 months. This is the same thing any other company in America does when times get tough. How many companies still give pensions? American automakers apparently still do.
When I worked for EDS, I was able to take part in a high-yield GMAC Money Market that I have been using as a savings account for the past 16 years. I called GMAC today and they reminded me that my account is not FDIC-insured, it is considered an investment. An article from a few days ago mentions that many GM employees are tied into GMAC benefits, causing risk to GMAC, should GM go under. I haven't yet decided what I am going to do, but I do not think I am going to wait to see if the dominoes fall or not.
Sunday, November 30, 2008
Snapfish pick-up at Walgreens is 50 cents/picture.
4x8 Photo card pricing
Sold in sets as shown below. Envelopes are included.
Cards: Price (per card)
- size 4 x 6
- 1-24 cards: USD $1.49 ea.
- 25-49 cards: USD $1.29 ea.
- 50+ cards: USD $0.99 ea.
Wednesday, November 26, 2008
1. Windows 7 (the NEXT version of Windows scheduled for release next year) "will have the same hardware requirements as Vista". Don't believe this statement, it has never happened with Microsoft. If this is true, then you will probably be running an extremely crippled version of Windows 7.
2. Vista requires a LOT of disk space compared to XP, and Windows 7 probably will also. Be prepared to upgrade your hard drive, but the good thing is that hard disk space is cheap. 1TB drives are now under $100.
3. In Windows Vista, Microsoft introduced some great features via Windows Aero to become more user-friendly like the Mac. The problem is that Aero requires more system resources, and a higher-grade 3D video card. During the initial release of Vista, "Vista-capable" hardware only included hardware that could support Aero. The requirements for "Vista-capable" computers were later lightened to not include the Aero interface.
4. If you purchase a computer with Windows-XP INSTEAD of Windows Vista, your support was scheduled to end 4/2009. Microsoft extended support for XP, but you can bet that this will probably end soon.
What does this mean?
If the computer you are looking at cannot run Aero at acceptable performance, then you can probably bet that Windows 7 will be a dog. The MINIMUM Windows Aero requirements follow. Generally, minimum requirements from Microsoft do not equate to a fast computer:
* a 1 GHz 32-bit (x86) or 64-bit (x64) processor
* 1 GB of system memory
* a DirectX 9 compatible graphics processor with a Windows Display Driver Model (WDDM) driver, Pixel Shader 2.0 in hardware, and a minimum of 128 MB of Video RAM
* 40 GB hard drive with 15 GB free space
* DVD-ROM Drive
* audio output and Internet access
Also, a minimum of Vista Home Premium is required to run Aero. Dell recommends more power than the above minimum requirements for Vista. Using Dell as an example, Dell recommends an Intel T-8 or T-9 processor for:
"The ability to run simultaneous bandwidth-intensive applications and background tasks like virus scans and file downloads at high speeds."
Dell recommends at least 2GB dual channel memory and a 256MB video card to "optimize the Aero user experience".
Buy a computer with Vista included and make sure Vista Aero will run with acceptable performance. Just because Microsoft lightened their Aero requirements now, does not mean they will in the future.
Following is a configuration for a mid-level laptop I configured from the Dell website starting with their basic $500 laptop model and applying the above recommendations:
PROCESSOR: Intel® Core™ 2 Duo T8100 (2.1GHz, 3MB L2 Cache, 800MHz FSB)
OPERATING SYSTEM: Genuine Windows Vista® Home Premium, Service Pack 1
PRODUCTIVITY SOFTWARE: No Productivity Software
WARRANTY & SERVICE: 1 Year Basic Limited Warranty and 1 Year NBD On-Site Service
LCD PANEL: 15.4 inch Widescreen WXGA LCD Anti-Glare Display
MEMORY: 3GB Shared Dual Channel DDR2 SDRAM at 667MHz, 2 DIMM
OPTICAL DRIVE: 8X DVD+/-RW with double-layer DVD+/-R write capability, with Roxio Creator
VIDEO CARD: 256MB NVIDIA® GeForce™ 8400M GS
HARD DRIVE: 320GB 5400RPM SATA Hard Drive
WI-FI WIRELESS CARD: Dell Wireless 1505 Wireless-N Internal card
BLUETOOTH WIRELESS: Dell Wireless 360 Bluetooth Internal for Vista
WEBCAM: Integrated 1.3 mega pixel Web Camera and Digital Microphone
Total cost for this is $1087.
Apple's entry-level macbook is exactly the same price (from amazon.com) with the following specs:
* 2.4 GHz Intel Core 2 Duo processor with 3 MB shared L2 Cache
* 2 GB (two SO-DIMM) 667 MHz DDR2 SDRAM; 250 GB 5400 rpm Serial ATA hard drive; 8x Double-Layer SuperDrive
* One FireWire 400, two USB 2.0 ports, DVI, VGA, S-video, and composite video (requires adapters, sold separately)
* Built-in 10/100/1000BASE-T (Gigabit) Ethernet; Built-in AirPort Extreme Wi-Fi (IEEE 802.11n); built-in Bluetooth 2.0+EDR (Enhanced Data Rate) module
* 13.3-inch (diagonal) glossy TFT widescreen display, 1280 x 800 resolution; Mac OS X v10.5 Leopard
* Built-in microphone and camera
The bottom line is, if you want to buy a laptop good for 1-2 years, get a bargain-basement $400/$500 model. It is acceptable right now for light use. For the Aero interface, real-time virus scanning, HD movies, upgrading next year to Windows 7, etc., I would recommend looking to a mid-range Windows model or a switch to a base model Mac and not worry about Windows issues.
Tuesday, May 13, 2008
Before I had my house rewired as described above, I tried going the "single jack" route and not using any of the house jacks, since my phone is a cordless model with multiple handsets. The next day, the trouble light was lit on my alarm keypad because the alarm system could not find a dial tone. I cleared the trouble light, but the light came back on again later. Although I canceled my alarm monitoring service years ago, the alarm system continues to periodically check for a dial tone and notes a problem if one is not found. After feeding the VOIP output back into the house jacks as described above, the dial tone check passes and the trouble light no longer comes on.
"The thing to do is to take a phone off the hook and leave it off for at least one minute (if you still hear dial tone, press the # key on the phone to make it stop, but leave the phone off the hook while you make the following test). THEN test the alarm to see if it can 'phone home.'"
Wednesday, March 5, 2008
Car Rental Insurance Items to worry about:
1. CDW: Collision damage waiver, covers "any damage to the car you are driving". CDW at the rental counter is not consistent. Always include your home insurance company in the event of any accident.
2. Liability: covers "damage you do to someone else". You should never have to supplement what is carried on your home insurance policy.
3. Belongings: "check your homeowners or contents insurance".
Most credit card companies will supplement your auto insurance when you rent a car, your home insurance being primary. Research this if you have reduced coverage on an older car and rent a newer one. Limitations may apply.
Ask your insurance agent what kind of car rental insurance you have and what the limits are. Long rental periods, driving overseas and long towing distances may not be covered.
Monday, December 24, 2007
#15. Box Unpopuli: Amazon Unbox
#14. Screwed up to the Max: Municipal WiMax
#13. Web 2 Woe: Social Networks
#12. Just Another Oxymoron: Internet Security
#11. Singing an Old Familiar Zune: Microsoft Zune
#10. Is Anyone Listening?: Wireless Carriers
#9. Sorry, We Already Gave: Office 2007
#8. Needs To Change Its Spots: Apple "Leopard" OS 10.5
#7. Cannot be Completed as Dialed: Voice Over IP
#6. Un-Neutral: The Broadband Industry
#5. The Great, The Bad, The Ugly: Apple iPhone
- 3G will be faster, but wifi is a plus.
- Apple found a cheaper supplier. I have no sympathy for those who want to be on the bleeding edge.
- People hacked their phones, again, no sympathy, warranty is voided.
- Not sure, but I am thinking Apple will have many more problems once they open it to 3rd party apps.
#4. In a Sorry State: Yahoo
#3. The Anti-Social Network: Facebook Beacon
#2. What Is It Good For: The High-Def Format War
- Walmart had the HD DVD on sale for $99. 1080i and no 5.1 surround. Big whoop.
#1. No Wow, No How: Windows Vista
- Ok, so my mother-in-law loaded an old XP printer driver that caused the printer to not work. There was NO WAY to get rid of the driver or to reinstall it. We had to use the system restore DVD. Is this an improvement???
- Maybe someone has to figure out the hard way that repeated prompts are not good!