Visitor #1,000,000 was here today!

At 3:33:03PM today, this site recorded its one millionth visitor, from a network belonging to a large corporation in Morristown, New Jersey.

A million! Back on April 30, when the turnstile clicked #800,000, I predicted that the count would flip to seven digits “sometime around August 1st.” Two weeks late isn’t all that bad.

Thanks for all your support.

Can you trust Automatic Updates?

Do you have Automatic Updates for Windows turned on? If you knew that it might take a week or longer for all Critical updates to arrive on your PC, would you still use Automatic Updates?

I’m still trying to get answers on some important questions here, but I’m not reassured when the Microsoft Security Response Center says it’s “perfectly normal” for updates to be delayed by a week and possibly more. 

No more exploding batteries for Dell

The New York Times reports that Dell “is recalling 4.1 million notebook computer batteries because they could erupt in flames.” The story also points out what you were probably already thinking, in a discussion of batteries that have caused fires on airplanes.

Dell’s official notice isn’t up yet, but when it goes up you’ll be able to read it here, presumably.

If each replacement battery costs about $100, when you figure in the cost of shipping both ways, that’s $400 million. Damn, that’s gotta hurt.

Update: Dell’s Battery Recall site is now live. I got a certificate error when I visited the site using either Firefox 1.5.0.6 or IE7 Beta 3 under Windows, because the secure certificate was issued by Starfield Secure Certification Authority, which is not listed as a trusted certificate provider.

The return of the Word macro virus

Well, here’s something I haven’t seen in a while: a Word macro virus.

An e-mail message appeared in my Junk Mail folder, purporting to be from someone in France who had been having some trouble transferring funds from one account to another and saw my e-mail address on a list of other addresses associated with the transaction, and blah blah blah. Typical scammer BS.

There was a Zip file (Transfer.zip) attached to the message, which contained a Word document. When I opened the document in Word 2007, I got this error:

That was followed by Enable Content and Trust Center buttons.

Of course, you should never run a macro in a Word document you don’t trust. And under the default settings for Word 2003 you couldn’t do that even if you said yes, because macros are only allowed if they’re signed with a digital certificate from a trusted root authority. In Word 2007, security is even tighter: macros are only allowed to run if they are in documents stored in trusted locations.

Instead of enabling this macro (do I look crazy?), I opened the Visual Basic Editor and looked at its code:

Ah, it’s trying to create an executable file in the root directory of the system drive and then run it. Presumably that big block of gibberish in the center is designed to create a buffer overflow, as described in this SANS bulletin, and it’s probably a variation of the Kukudro Trojan, which arrives in this form.
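As an added example (not code from the original post), here is a small Python triage script of the kind a defender could run over VBA source that has already been extracted from a document. The indicator list and both sample macros are constructed for illustration; the suspicious one only mirrors the shape the post describes (a path built at the root of the system drive, a file written there, then launched) with the payload replaced by an opaque placeholder string, which also exercises the check for a large block of gibberish.

```python
"""Heuristic triage of VBA macro source for dropper-like behaviour.

Added example, not code from the original post. Assumes the macro source
has already been extracted as plain text; indicators and samples are
constructed for illustration.
"""
import re

# (category, pattern, reason) -- each pattern is a behaviour worth a second look.
INDICATORS = [
    ("autorun", re.compile(r"\bSub\s+(AutoOpen|Document_Open|AutoExec)\b", re.I),
     "procedure runs automatically when the document opens"),
    ("file_write", re.compile(r"\bOpen\b.+\bFor\s+(Binary|Output|Append)\b", re.I),
     "opens a file for writing"),
    ("file_write", re.compile(r"\b(CreateTextFile|SaveToFile)\s*\(", re.I),
     "writes a file through a scripting or ADODB object"),
    ("sys_root", re.compile(r'Environ\s*\(\s*"SystemDrive"\s*\)\s*&\s*"\\', re.I),
     "builds a path at the root of the system drive"),
    ("exec", re.compile(r"\bShell\s*\(|\bShell\s+\w|\bWScript\.Shell\b|\bShellExecute\b", re.I),
     "launches an external program"),
    ("exec", re.compile(r"\bCreateObject\s*\(", re.I),
     "creates a COM object by name at runtime"),
]

# Obfuscation metrics: long Chr() chains or very long string literals are
# how a "big block of gibberish" usually shows up in macro source.
CHR_CALL = re.compile(r"\bChr[W$]?\s*\(\s*\d+\s*\)", re.I)
LONG_LITERAL = re.compile(r'"[^"\n]{200,}"')


def strip_comments(src: str) -> str:
    """Drop full-line VBA comments so a word like Shell in a remark is not a hit."""
    return "\n".join(l for l in src.splitlines() if not l.strip().startswith("'"))


def obfuscation_metrics(src: str) -> dict:
    return {
        "chr_calls": len(CHR_CALL.findall(src)),
        "long_literals": len(LONG_LITERAL.findall(src)),
    }


def scan_macro(src: str) -> dict:
    """Return indicator hits, obfuscation metrics and a coarse verdict."""
    code = strip_comments(src)
    hits = []
    for category, pattern, reason in INDICATORS:
        if pattern.search(code) and (category, reason) not in hits:
            hits.append((category, reason))
    metrics = obfuscation_metrics(code)
    cats = {c for c, _ in hits}
    heavy = metrics["chr_calls"] >= 50 or metrics["long_literals"] >= 1
    if "file_write" in cats and "exec" in cats:
        verdict = "likely dropper"      # writes a file and runs something
    elif "exec" in cats or heavy:
        verdict = "suspicious"
    else:
        verdict = "no dropper indicators"
    return {"verdict": verdict, "hits": hits, "metrics": metrics}


# Constructed sample: harmless macro that inserts a date stamp.
BENIGN_MACRO = '''
Sub InsertDateStamp()
    ' Inserts today's date at the cursor (constructed sample)
    Selection.InsertAfter Format(Date, "yyyy-mm-dd")
End Sub
'''

# Constructed sample: the shape of a dropper with the payload replaced by a
# placeholder string; it does nothing useful and is only scanner input.
BLOB = "Q" * 240
SUSPICIOUS_MACRO = f'''
Sub AutoOpen()
    Dim target As String
    target = Environ("SystemDrive") & "\\svchost32.exe"
    Open target For Binary As #1
    Put #1, , "{BLOB}"
    Close #1
    Shell target, vbHide
End Sub
'''

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        result = scan_macro(sample)
        print(f"{name}: {result['verdict']}")
        for category, reason in result["hits"]:
            print(f"  [{category}] {reason}")
        print(f"  metrics: {result['metrics']}")
```

The scan only sees what is literally in the source, so a macro that assembles its API names from Chr() calls at runtime would show up through the obfuscation counters rather than the keyword hits; that is why the verdict treats heavy obfuscation on its own as "suspicious" rather than clean. In practice you would feed it the VBA streams pulled out of the document with a tool such as olevba rather than pasting from the Visual Basic Editor.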

Moral? Don’t open attachments sent to you by strangers. In fact, even if it appears to be from someone you know, don’t open it unless you were expecting it and you are confident it is what it appears to be.

This is why I still love Microsoft

Microsoft has had me pulling my hair out over the past month or two with some truly boneheaded moves. But then they release something like Windows Live Writer and I remember that there is an upside for all the frustration.

I first saw a reference to Windows Live Writer on Liveside this morning and made a note to check it out later. Then I got a note from Dwight Silverman, who called it “the best blogging editor I’ve seen yet.”

First impressions? Wow.

But that should be no surprise. As soon as I saw who was behind this, I knew the bar was going to be set very high. The team is led by J. J. Allaire, founder of Allaire Corp., which developed ColdFusion and HomeSite (my very first website editor). A couple years ago, after selling Allaire Corp. to Macromedia, he founded Onfolio, which delivered the first version of what had the potential to be a great web-clipping application. It never got the chance to really see maturity, because Microsoft snapped up Onfolio and has been busily making use of its pieces.

I’ve used just about every blog editor around and had settled on BlogJet as the best of the bunch, although far from perfect. In less than 10 minutes, this one is well on the way to winning me over.

Update: LiveSide has an interview with J.J. Allaire.

Update 2: In the comments, Dwight points out that Allaire acquired HomeSite (and hired its founder, Nick Bradbury) from Bradbury Software. Nick went on to develop FeedDemon, my favorite newsreader, which was acquired by NewsGator, whose CEO J.B. Holston formerly ran Ziff-Davis Europe, where I worked on the German Windows Magazin in the mid-1990s. Small world. Thanks, Dwight.

Update 3: After a few days of using it, I still love Windows Live Writer. See this post at ZDNet.

Have you seen any WGA workarounds?

Over at ZDNet, I’ve been writing a lot about Microsoft’s anti-piracy program called Windows Genuine Advantage. (My latest WGA-related post is a detailed look at exactly how this program works. If you haven’t seen it, go read the article and view the accompanying screenshot gallery.) One comment I hear regularly is how easy it is to work around WGA.

I’m not so sure. Yes, there are lots of instructions and a few utilities for removing the WGA Notifications code. But I have yet to see anyone come up with a hack that allows a machine to access Windows Update (not Automatic Updates, but the full Windows Update site) or to install (not just download, but actually install) Internet Explorer 7 Beta 3.

But maybe I’m just not looking in the right places. So I throw the question open to you. Have you found any WGA validation workarounds? If so, please leave a link in the comments. You can remain completely anonymous if you want. I’m just interested in seeing how the hacker community is approaching Microsoft’s latest attempt to build a wall around Windows.

Caveats: Please don’t bother posting links to the RemoveWGA utility from Firewall Leak Tester or its many clones. All those programs do is get rid of the optional WGA Notification component. I’m looking for stuff that specifically aims at the validation side. And I already did a Google search and know all about last year’s GenuineCheck.exe hacks, which no longer work. If you post something here, it needs to be something that has been confirmed to work within the past few weeks. OK?

Apple Genuine Advantage?

I just about fell out of my chair when I read this post from Mozilla’s Asa Dotzler:

I’m sitting here with my Leopard preview install DVD and I can’t work up the courage to just blow away Tiger on my only Mac (my primary machine — a MBP.) Heck, I don’t even know if Firefox runs on Leopard.

My first thought was to install Leopard under Parallels on my MBP — just the way I do Vista under VMWare on my Thinkpad. Apparently that’s not possible since Leopard will only install on genuine Mac hardware and Parallels is virtual hardware, even if it’s running on a Mac.

Emphasis added.

A phishing follow-up

My e-mail inbox has been remarkably free of phishing messages lately, so I haven’t been able to compare the performance of the IE7 and Google/Firefox phishing filters, as I promised last week. (The filters on my e-mail server do an excellent job of blocking this junk.)

Today, I finally got one – a come-on from a Romanian server attempting to get my Bank of America credentials. The good news is that both IE7 and the Google Toolbar for Firefox nailed it. (Firefox 2 Beta 1 allowed it right through, but that’s to be expected since the phishing feature isn’t turned on yet.)

In looking at the two browsers side by side, I was able to compare the different behaviors. Here’s IE7:

[Screenshot: Ie7phish]

The URL appears in the address bar, but the page itself is completely blocked. I have to choose to click a link to go to the suspicious page. Any other option sends me somewhere else, away from the unsafe site.

Now here’s how the Google Toolbar flags the same site in Firefox:

[Screenshot: Ffphish]

The phony page is visible, but grayed out. If I try to click on the site, it doesn’t work because the Web Forgery dialog box has completely taken over the focus. That’s good. And the Get me out of here! link is unmistakable in its effect. The only part I don’t like is the big X in the upper right corner. I don’t know about you, but I’ve learned, Pavlov-style, to click that X whenever I see a popup window or a warning dialog box. In this case, though, clicking the X dismisses the dialog box and allows you to go to the page.

That default behavior seems wrong to me. If I’ve chosen to use a piece of security software, I want it to protect me from any threat unless I specifically and unequivocally choose to ignore its warning. The X in the dialog box is ambiguous, and in my opinion the default behavior in that case should be the exact opposite: I didn’t choose to ignore the warning, so send me somewhere else, far away from that threat.

If anyone at Google or Mozilla is listening, consider this a feature request.

Security affects everyone

I pass along the following not to mock Mac users but to point out a simple fact: Security updates affect everyone. Today’s example courtesy of TechWeb’s Gregg Keizer: 

Ship Monday, Patch Wednesday: Apple Fixes Brand New Mac Pro

Apple Computer Inc. on Wednesday issued a security update for the Mac Pro, the top-of-the-line Intel Xeon-based system that the company rolled out only two days before.

The fix, dubbed Update 2006-004 for Mac Pro, adds 5 patches included with the Aug. 1 security upgrade for the Cupertino, Calif. company’s other systems, to Apple’s newest and beefiest client computer.

Two sections of that update — four patches for the ImageIO component to defend against malicious TIFF files, and one fix for the OpenSSH server — weren’t included with the version of Mac OS X 10.4.7 pre-loaded on the new Mac Pro machines.

No computer is inherently secure. No operating system is inherently secure. That applies whether you run Windows, the Mac OS, or any flavor of Linux.