Archive for the ‘Rants’ Category

The dreaded switch from Windows to Linux

Monday, March 16th, 2009

When I saw how bad XP really was as far as handling spyware/viruses no different than 2k, I decided to just move to Linux, kill my Windows partition completely, and have been happy ever since. That was exactly my reasoning for staying with Windows 2000 while Windows XP was being introduced.

Previously my attempts to move to Linux had been unsuccessful because I had problems getting certain hardware working (obscure sound card, video drivers) and was concerned about what software would be available (certain emulators I had grown fond of, video codecs, etc), which was what most people worry about. “Well does it have Nero?”. No, but it has 6 or more different types of burning programs to choose from – all for free and with a self-explanatory GUI. “But it won’t run Nero?”. Those are the people who simply don’t want to even give it a chance. Well fine and dandy. The spyware/adware/viruses/trojans/worms are worth putting up with so you can run Nero – that’s your choice (actually, the makers of Nero were kind enough to make a Linux port). Anyway, even Windows 2000 was giving me some problems, such as booting into a blue screen telling me my registry had become corrupt, and also getting infected by viruses/worms such as Blaster.

I had everything up to date, all patched up, antivirus installed, and I have enough common sense not to click on strange things, but still contracted the virus. All because of an exploited flaw in Windows that I could do nothing about except wait for Microsoft to issue a patch…when they felt like it. A few reinstalls later and I just figured it wasn’t worth putting up with all the headaches.

When I started running Linux, I quickly saw the advantages. Installing software didn’t require the usual “Next, Next, uncheck every checkbox, delete desktop and quicklaunch icons, uninstall additional software installed along with the software I actually wanted, check for hidden startup items, make sure program doesn’t phone home”. When I started my PC I wasn’t greeted by millions of splash screens, applications that couldn’t make a connection popping up and letting me know, I didn’t have to readjust settings that kept resetting for some reason (volume levels, icon positions on the quicklaunch). Linux is about using your PC and not just working around problems to get what you want. Then I realized that upon discovering all this I didn’t even have to worry about viruses at all, and I had no problems with crashes. Even if programs didn’t behave in a way I expected I found it simple to find solutions since the error messages meant something (not the typical “FATAL EXCEPTION IN 0x011a43”) and I could see exceptions thrown if I launched an application from a terminal.

Microsoft needs to start shipping installs secured from the start. Require an admin/install user account for new system wide applications, sandbox user installed software in their home directory/profile. Users then don’t trash everything when they kill their profile or home directory. Windows has all the necessary features to do it. It’s had them since the first versions of NT.

Microsoft frankly can’t be bothered with it and there’s no profit in a secured system when they can instead continually be selling you upgrades as security fixes. It isn’t rocket science, it’s just segregation of responsibility. Unix has been doing it for 30 years.

Take, for instance, Vista’s new “People Near Me” feature, which searches over a Wi-Fi connection for other Vista users nearby and then sets up a peer-to-peer network with them. Yeah, that sounds pretty secure. When they have things like the WMF flaw in the designs, which ended up in Vista as well as XP and 2000 all the way down to 3.1, they are NOT about security. This has little to do with MS bashing – it’s just that MS doesn’t think much about security and most IT people know it whether they’re Windows fanboys or not.

Since “upgrade or keep crashing” was one of XP’s marketing points, it makes me wonder exactly what they’ll come up with to market Vista. Maybe something along these lines. The funniest thing is that Microsoft has no problem telling you how bad their past products are when they’re offering a new version of their software. It’s amazing how it was “the best thing ever” when it was first released and until it end-of-lifed. They never admit to making a bad product until it’s time to shell out some cash for an upgrade. Amazing how that works. Ah well, I guess it makes good business sense, right?

All in all, I’m glad I switched. My girlfriend, however, gets upset a lot when I mention how much more I like Linux than Windows – I mean downright pissed off on occasion. Yeah, I bash Windows a lot. I don’t mean to “rub it in” or whatever, but I find quite often that people are just so used to putting up with Windows problems, it becomes part of the norm and they don’t realize the problems any more because it’s an everyday thing when using Windows. For instance, spyware bogging down a Windows PC – the response is to immediately run Spybot or Adaware to clean things up. Ok, you’re running those for half an hour to fix a problem that you shouldn’t have to put up with to begin with. Some say Linux hasn’t been targeted because it holds such a small part of the market, but it comes down to security again. Internet Explorer is embedded so deep into the OS, you simply can’t uninstall MSIE. You just can’t. With this deep integration, it makes it very easy for spyware/adware/viruses/trojans/worms to do their thing – especially when, by default, you have admin rights given to you on the machine as well. All you need to do is visit a web site in order to get any of these run on your Windows PC – all without user intervention…it’s all nice and automatic. This doesn’t happen on a PC running Linux because you’re forced to create a secondary user account during the install and run under that user (with most Linux distros). That and programs just don’t install without prompting you for your root password.

Perhaps Windows 7 will be better, but barring a complete re-write, I don’t believe things will change much in the spyware/adware/viruses/trojans/worms realm when Windows 7 is released. Vista only added an “are you sure you want to do this” popup that becomes incredibly annoying to assist in “security”. I hear that Windows 7 allows you to disable IE, but we’ll see what it looks like when released. But why listen to me, I’m just a Linux fanboy/zealot 😉

Windows security – there are no guarantees

Friday, February 20th, 2009

This isn’t some sort of pro-Linux rant, but rather a general security rant so take it as such.

With regards to security, Windows is provided “AS IS”. Show me one place where Microsoft even makes the slightest guarantee about security. The product was never engineered to be secure from the beginning, and barring a complete rewrite, it never will be. They’re not dumb, they know it’s not very secure, and they don’t advertise it as such. They don’t need to “disclaim liability”, the courts need to prove why it should be assigned to them in the first place.

Anyone who has an expectation of security in Windows is a sucker, plain and simple. Think about the common excuses: “99% of our customers use it so we have to also.” “We store all our data on it, it OUGHT to be secure.” “It’s too expensive to switch to something else.” You choose to use Windows, you get what you pay for. If you failed to do proper research and just created an assumption of security inside your head, it’s your own fault. Quit whining about it.

Everyone wants to sue Microsoft just because they exploit human stupidity, and they’re really good at it. Great use of the court system.

Unix security is generally not an issue because it was designed with security in mind from the very beginning. Windows was never set up with multiple user accounts in mind, nor was it set up with security in mind. This is not necessarily a bash on Windows, it’s just a fact of how it was designed. Multiple user accounts separated from the root account and mandatory secondary user account creation are definitely two very strong points that assist in Unix security. The Linux and BSD families are based on Unix, so those two “variants” were also designed with security in mind from the beginning as well.

Now that Windows is, and has been, pretty much the most used operating system amongst home users and businesses, Microsoft has to backport their operating system to obtain the security that the internet demands. Since home users and businesses rely on Windows now and are pretty much locked in to requiring Windows and Microsoft software, Microsoft knows that they can just keep patching their shoddy software rather than doing what should be done – a complete rework from the ground up.

What’s worse is that even if a security flaw is found, Microsoft still only releases patches on “patch Tuesday”. That’s right, you have to wait for them to create the patch rather than having several agencies able to view their source code and create a patch for them or work with them toward creating a patch. If you think about that for a second, a virus writer could take advantage of a flaw and create a worm/virus and take over thousands and thousands of Windows machines in no time…all while waiting for Microsoft to create a patch. Yes, this has happened several times in the past and has had devastating effects on everyone using the internet. From “slowing down the internet” because of bandwidth-consuming worms (think Code Red, Blaster), to receiving tons of spam in your inbox every day (think Beagle, Sobig), to computers being rebooted every few minutes without user intervention (think Zotob). So while worms generally don’t directly affect Unix-based machines, they indirectly affect Unix-based machines by consuming resources by worms attempting to propagate and by receiving the payload (spam) of worm-infected machines.
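The propagation traffic described above is exactly what a Unix box on the same network can see, and it is detectable without any signature for the worm itself: a Blaster-style worm hammers TCP/135 on many distinct hosts in a few seconds, while a legitimate client talks to a handful of servers. The following is an added example (not code from the original post) that flags that pattern in a firewall or flow log. The log lines are constructed for the example, and the `timestamp src dst dport` field layout, the window size and the threshold are assumptions you would tune for your own logs.

```python
"""Flag hosts whose outbound connections look like worm propagation.

Added example, not part of the original post. The log format (ISO
timestamp, source IP, destination IP, destination port) and the
thresholds are assumptions; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed flow log: one scanner, one chatty RPC client, one browser."""
    lines = []
    # Worm-like host: 20 distinct targets on TCP/135 inside 4 seconds.
    for i in range(20):
        lines.append(f"2009-02-20T10:00:{1 + i // 5:02d} 10.0.0.5 10.0.1.{i + 1} 135")
    # Benign but chatty RPC client: the same server 12 times over a minute.
    for i in range(12):
        lines.append(f"2009-02-20T10:00:{i * 5:02d} 10.0.0.7 10.0.2.1 135")
    # Ordinary web browsing: three servers on TCP/80 over a minute.
    for i, dst in enumerate(["93.184.216.34", "93.184.216.35", "10.0.3.1"]):
        lines.append(f"2009-02-20T10:00:{i * 20:02d} 10.0.0.9 {dst} 80")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(lines, window=timedelta(seconds=10), threshold=8, ports=(135, 445)):
    """Return {src: (dport, distinct_targets)} for hosts that contact at least
    `threshold` distinct destinations on a watched port within `window`.

    Distinct destinations, not connection count, is the signal: a worm
    sweeps address space, a normal client reconnects to the same server.
    """
    events = defaultdict(list)  # (src, dport) -> [(timestamp, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in ports:
            events[(src, dport)].append((ts, dst))

    flagged = {}
    for (src, dport), evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-ordered events for this source/port.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = (dport, len(distinct))
                break  # first window that crosses the threshold is enough
    return flagged


if __name__ == "__main__":
    for src, (port, n) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct targets on tcp/{port} within 10s")
```

On the constructed log only 10.0.0.5 is reported; the RPC client on 10.0.0.7 makes more connections to port 135 than the worm needs to trip the rule, but all to one host, so it stays quiet. Raising the threshold above the number of targets in the window silences the alert, which is the knob to turn on networks with legitimate bulk scanners.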

Obama gives OK to FISA Bill

Thursday, July 10th, 2008

It’s not a tough call at all. There’s no grey area here. A bill is either good or evil. Period. Allowing telecom immunity is tantamount to saying that a guy who raped and murdered a child but spends every weekend volunteering at the homeless shelter and helping underprivileged kids is a great choice for a babysitter because he knows how to watch kids. A bad rider on a good bill makes it a bad bill. One bad apple spoils the barrel and all that.

More to the point, not only is Obama a hypocrite, everyone who did not vote against this bill voted AGAINST the will of the American people – against the voters who elected them – and voted against the U.S. Constitution. Thus, they are twice hypocrites to the oath they swore before Congress:

“I do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the duties of the office on which I am about to enter. So help me God.”.

Can someone explain how any bill that retroactively grants permission for companies to conspire with illegal actions by the federal government to spy on its citizens and subvert the fourth amendment can possibly be interpreted in any way other than as a direct attack on the U.S. Constitution? Seriously? Anyone?

Everyone who voted in favor of the FISA legislation is also, IMHO, a traitor against the United States and is guilty of treason:

“whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason and shall suffer death, or shall be imprisoned not less than five years and fined under this title but not less than $10,000; and shall be incapable of holding any office under the United States.”

Their actions are directly aiding and abetting terrorists by reducing the freedoms that those terrorists despise, thus effectively winning the terrorists’ war from within our own government without the bad guys having to lift a finger. The whole lot of those Senators and Representatives should have their citizenship revoked and be ejected from this country for their disloyalty to the Constitution and to the American people.

Do your part. Vote to impeach Congress. Whoever the incumbent is, regardless of your party affiliation, vote for the other candidate. We have to send a message to our government that the public will not roll over and allow our rights to be trampled upon. We must do it NOW before it is too late. And elect an independent for President.

Punished for a fake identity on the net

Tuesday, July 8th, 2008

From Slashdot: “Recently a MySpace user, Lori Drew, was charged with a felony for the heinous crime of pretending to be someone else on the Internet. Using the Computer Fraud and Abuse Act, Lori was charged for signing up for MySpace using a fake name.”

I have used fake identities and fake information to sign up for user accounts since I have been on the internet. Thanks, but I don’t like spam in my inbox or my snail mailbox giving me “offers” from your business associates. You can continue sending it to Howie Feltersnatch at 1313 Mockingbird Lane somewhere in Ohio.

I really don’t give a flying fuck if IMDB wants to sell my personal info in order to allow me the privilege of posting a review saying that some movie sucked.

I really don’t give a flying fuck if Myspace or Youtube or Facebook want me to provide personal info they can use or sell in return for the privilege of showing me advertisements.

If Meijer’s required me to let them photocopy my driver’s license for the privilege of buying groceries from them, I’d give them a fake ID just out of principle. When stores want me to sign up for a “shoppers card” so they can track me just for the privilege of being able to pay normal prices instead of the inflated ones, I sign up with a fake address and the name Seymoure Butts. Out of principle.

If they don’t like that and don’t want my business and want to ban me – fine, I’ll shop somewhere else. If they don’t ban me, then I’ll patronize them and continue to flout their bullshit and intrusive policies.

But if they want to have me arrested, then we have a serious problem.

Privacy argument – “I have nothing to hide”

Saturday, June 14th, 2008

I had never questioned my privacy over telephones or online until I started hearing rumors about Echelon all over the internet years ago. Then Carnivore was announced and basically confirmed all the suspicions. Everything that’s happened since is just in the wake. There’s more than that though. Even if you have nothing to hide, you can still be mistakenly thought to have something to hide. All it takes is one false positive to ruin your day.

People who say “I have nothing to hide” realize they have already lost the argument and so try to turn it into a veiled personal attack to change the discussion. A good counter to it is “so why would you tolerate someone spying on you if you have done nothing wrong?”

Another argument I use against “I have nothing to hide” is “so when do I come to your house and install a webcam in your bedroom?” It’s shut quite a few mouths. Bedroom is good. Toilet is even better. If they have no modesty, ask them to hand over the account numbers and passwords to their bank accounts. Also ask for their full medical history. If that doesn’t shut them up, ask for the same for their entire extended family.

In light of the people deciding that people don’t have anything to hide, I ask that everyone answer the following questionnaire:

1) What is your bank account PIN number?
2) What is your annual salary?
3) What is your Significant Other’s phone number?
4) What are your passwords to various email and web accounts?

Some people believe that the government does (or could) know my bank account information, my medical history, my cell phone calls, etc etc. The problem is you’re seeing “government” as a single abstract entity. But government is made up of all those petty civil servants at the local council, policemen, judges and so on. Would you be happy to have a file with full details of your children sent to every policeman in your city? Presumably only if policemen were incorruptible, absolutely trusted, and none of them were themselves abusers. If you believe that about the police, well…

So this is why it’s not a question about should “the government” have access to this data. It’s about should all these random people have access to it? Is it really necessary for anyone but one person (my family doctor alone) to have access to my medical history? Or should that be shared with every single snooper at the local council? Should I give the firemen plans to my house, when it’s possible that one of them has a sideline in burglary?

Sure, criminal behavior has changed because of the government’s newfound monitoring power. Instead of using regular cell phones, professional bad guys now use nice untraceable prepaid cell phones…and discard them regularly. So, the data retention has indeed brought on a change – but the change makes the data retention useless.

What the data retention does do is to trip up the only-vaguely-criminal acts of the amateur. For instance, it is now much easier to track down the affairs of an unfaithful spouse, and to win a nice fat divorce settlement. Somehow I doubt that was the original aim of the data retention.

The thing to remember is privacy is not just about moral or immoral behavior. Privacy is the right to control the personal aspects of your life and who you share them with. Privacy just is.

The Social Security Number problem solved (sort of)

Wednesday, May 14th, 2008

The Social Security Administration doesn’t accept paranoia as a criterion for granting a new card, but it recognizes cultural objections and religious pleas. One stratagem: Contend that your credit has been irrevocably damaged by a number-related snafu, or that you live in fear of a stalker who knows your digits.

Once you switch your SSN, never use it. Then use the fake one of 078-05-1120. It’s a specimen number from the Eisenhower era. No need to give your correct number to the cable or phone company. They don’t need it. Period. Of course it’s possible that someone else has used this number already, but so what.

The only party that needs your SSN is your employer, because they have to make the contributions. Your bank doesn’t need it – they, as well as your mortgage company, broker, etc., can use a Taxpayer ID # to create 1099s and such for the IRS. And health insurance companies have no shittin’ business with your SS#, not to mention the galactic stupidity of putting it right on your ID card.

When someone asks me for the last 4 digits of my SSN, I ask them to use another security key. If they can’t, I don’t do business with them.

Anyway, using a SSN+address for authentication is as ridiculous as using a username+IPAddress alone for online banking.

I wonder why more companies/organizations don’t realize this, and any step to educate them is a step in the right direction.

The answer is easy: They do realize it.

They just don’t care because the current system minimizes their financial losses by transferring those losses to the individual who has his/her identity “stolen”.

Making any changes would cost money which reduces profits.

Any changes that improved the situation could be used to find them responsible when/if their new system is defrauded.

So, fixing the system is, from the individual company’s point of view, all loss and no gain.

White House emails destroyed with hard drives? What?!

Tuesday, April 22nd, 2008

Most admins in most companies, including the white house, follow their orders from pointy-haired bosses. I bet the admins in place are rather competent and following orders rather well. As in most things, follow the money and you find the culprit.

Given that so much of the current administration is involved in cover ups and lies to the American public, how could this be viewed as surprising. These guys are very good at what they really do, and no, running a country is not it. The Presidency and the houses are merely tools for these people to get what they want accomplished. Be it laws that benefit them or an ego trip. I am not talking about Republicans or Democrats. Think about where the money comes from. Who backs these people?

I know people who have gotten into politics because they wanted to serve their communities. I do not know anyone who has progressed beyond the local level without becoming tainted. As they go higher up into politics, they tend to pick up more debts. They make compromises. Name the last independent President.

Politics is dirty. Power abuse is dirty. They go hand in hand for a very good reason. Most people who want power want it for a personal reason. They believe they are right, they are better, they can do better. Whatever the reason, they in their heart know they deserve it and are normally unwilling to accept hindrances they can secretly get past. They understand that to get what they want, they have to break the rules and lie sometimes. They become very good at getting away with it, or they never make it to the top. If you doubt this, take a look back at all of the politicians who have made it to the houses or the presidency.

Look at work. Who makes it to the top without doing something along the way? Not to the first or second level, but to the top. Many people who want the job bad enough do what it takes to get the job and do unsavory things along the way. They like to keep those things secret. They get very good at it. Period. Or they would not be at the top.

That is why transparency in politics is critical. That is why no communication or meeting in the government should ever be unrecorded. Maybe kept classified in a very few cases, but always permanently recorded. Let them sweat with the fear of impropriety as opposed to the fear of discovery. There will always be people who can go back in time to read or listen to transcripts. It is much more difficult to uncover hidden secrets.

In case you can not tell, I inherently do not trust officials. Even those I know well. I know all too well about the hidden lives and deals many of them have. Even those with a golden heart get trapped. It is inevitable for most. They are trying to accomplish things they believe in (assuming they are of a good heart in the first place) and little compromises are needed to get the job done. Little compromises beget bigger compromises. It is how politics works. Compromise. Unfortunately, some of these compromises are nasty little secrets, and they cause more nasty little secrets and bigger nasty secrets. Like a snowball. You can not tell the difference until they are discovered. It is what they do. Like actors, they put on a face and do not show their true will or fear. Most would never be elected if they did.

So, the current group destroyed the evidence before it was asked for. They knew what was there. They knew what it could cause and they knew how to manipulate the rules to cover it up. Makes them pretty damn good at what they do. Yeah, the bosses knew what they were asking for. Did they break any laws? I do not know, but rest assured, this activity is completely in line with the rest of the actions of this administration and many other administrations. Secrets are the name of the power game.

Tech speak vs. corp speak

Thursday, March 20th, 2008

If someone doesn’t know what TCP/IP means or what a CNAME record is, I can direct him to appropriate RFCs that define them.

Now, I wouldn’t actually direct an MBA to an RFC, because his eyes would glaze over about the time he got to “this memo has unlimited distribution.” But what matters is that I can direct him to such a document, because such a document exists. Tech-speak is done with well-defined terms that have standardized meaning, and it is used to clarify how we talk to each other.

If you can point me to a document or documents standardizing terms like “Web 2.0”, “enterprise”, “solution”, “mission-critical”, “partner”, etc., then I will admit my criticism of corporate speak is wrong. However, I don’t think you will be able to, because those documents don’t exist. Because these words’ meanings are not standardized. They mean to the speaker what he imagines he means, and they mean to the listener what he imagines he hears. That, I think, is what business types don’t understand when they compare themselves to techs: what we say means something, because we had to learn something objective, verifiable, and repeatable to get where we are, while they didn’t.

Why virus scanners are useless

Tuesday, March 11th, 2008

It’s been a long time since I’ve used a virus scanner at home, and I’ll tell you why:

1. Well, I’ve been using Linux since 1998. However, let’s put that aside as this still applies to before I completely converted to using strictly Linux in 2002.

2. It eats up system resources like you wouldn’t believe. Thanks, but I’d rather put my processor to better use – something other than doubling the processor power it takes to open a spreadsheet.

3. They can only find known viruses. Maybe being “protected” from tens of thousands of viruses comforts you, but I’m worried about the few no one knows about yet, and AV software provides no protection against those.

4. They are only partially successful in removing viruses. How many times have you seen “Delete Failed! click here for more info”? I saw it a few times too many. I SHOULD NEVER EVER SEE THIS MESSAGE! This is a design failure.

5. AV software is not effective as a means of prevention. Viruses come in two flavors, trojans and worms. Trojan – idiot user clicked on BrittneySpearsNaked.jpg.pif.bat.js.exe; AV cannot prevent this. Worm – Windows security issue; AV cannot prevent this. This is an over-simplification, and may not be 100% technically accurate, but you get the picture.

6. If AV software can’t prevent infection, and if it sometimes can’t even remove the infection, what good is it again? It’s good for Symantec, it’s good for McAfee, and it’s good for IT professionals who get to say “it’s not my fault, I did everything I could to prevent it” next time a Code Red happens.
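Point 3 above is worth seeing in code. A signature engine matches what it has already been shown, either an exact file hash or a byte pattern lifted from a captured sample, and anything that changes those bytes before they reach the scanner is invisible to it until someone captures the new variant and writes a new signature. The following is an added example, not code from the original post: the “executables” are constructed byte strings, the signature database is an assumption modelled on hash and pattern matching, and the XOR packer is a stand-in for the real packers and crypters that do the same job.

```python
"""Why signature scanning only catches what it already knows.

Added example, not part of the original post. KNOWN_SAMPLE, the
signature database and the XOR "packer" are all constructed for the
demonstration; no real malware or real AV product is involved.
"""
import hashlib

# Constructed stand-in for a captured worm binary: a fake 32-byte header
# followed by a distinctive payload string and some padding.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 28 + b"net send * WORM_LOADED" + b"\x90" * 16

# Two kinds of signature an AV vendor ships after analysing the capture:
#   sha256  - exact file match, trivially broken by changing any byte
#   pattern - a byte string found in the sample, survives small edits
SIGNATURES = {
    "sha256": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Worm.Example.A"},
    "pattern": {b"net send * WORM_LOADED": "Worm.Example.A"},
}


def scan(blob, use_patterns=True):
    """Return the name of the matching signature, or None if nothing matched."""
    digest = hashlib.sha256(blob).hexdigest()
    if digest in SIGNATURES["sha256"]:
        return SIGNATURES["sha256"][digest]
    if use_patterns:
        for pattern, name in SIGNATURES["pattern"].items():
            if pattern in blob:
                return name
    return None


def xor_encode(data, key):
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def make_variant(sample, key=0x5A):
    """Packer-style variant: the payload is stored XOR-encoded behind a
    decode stub, so none of the original payload bytes appear on disk.
    The stub is a text marker here, not real machine code (assumption)."""
    header, payload = sample[:32], sample[32:]
    return header + b"STUB:XOR:" + bytes([key]) + xor_encode(payload, key)


def unpack_variant(variant):
    """What the packed program does at run time: recover the original bytes.
    The scanner never sees this result; it only sees the file on disk."""
    header, rest = variant[:32], variant[32:]
    assert rest.startswith(b"STUB:XOR:")
    key = rest[9]
    return header + xor_encode(rest[10:], key)


if __name__ == "__main__":
    print("original      :", scan(KNOWN_SAMPLE))
    print("1 byte added  :", scan(KNOWN_SAMPLE + b"\x00"))
    print("hash-only, +1 :", scan(KNOWN_SAMPLE + b"\x00", use_patterns=False))
    packed = make_variant(KNOWN_SAMPLE)
    print("packed        :", scan(packed))
    print("same code runs:", unpack_variant(packed) == KNOWN_SAMPLE)
```

Appending one byte already defeats the hash signature; the pattern signature still fires because the payload string is intact. Packing the payload defeats both, yet the program that runs after the stub decodes itself is byte-for-byte the original worm. Real engines add emulation and heuristics to narrow this gap, but the underlying dependency is unchanged: the scanner needs a sample before it can have a signature, so the first victims of any new variant are, by construction, unprotected.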

“IT saves the day!”…or something

Saturday, March 1st, 2008

When it comes to fuckups, IT is usually the last guy to get the hot potato, and they’re expected to save the day.

Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don’t, it is (rarely) the fault of the employee, it’s the fault of the IT department for not anticipating such a need, or not being available at a second’s notice, or simply not being able to save someone else’s bacon. Often times we’re asked to perform miracles.

It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failed to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man and expected to resurrect deleted and/or overwritten files.

Another example – it’s 4:55pm and Fedex comes at 5:00pm to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57pm. There’s something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn’t go out? Usually the IT department. “Why was the printer broken? Why couldn’t you fix it?”…not, “Bob, why did you wait until 5 minutes before your deadline?”

Then there are security breaches due to stupid people. Here’s a way to fix this:

Education and consequences.

Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don’t understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company’s information security. That doesn’t necessarily include end users.

My personal philosophy is that end-users should be punished severely for security breaches. Sure the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behavior, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employment, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in awhile someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.

This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably canned. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.

Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don’t take Information Security seriously, and until they do, the rank-and-file won’t either.

Education alone is not going to do it. Education that is reinforced with consequences will.