Dwight Silverman just set up a new PC for his parents. It’s the thankless job that all geeks do; in fact, I think Dwight was really smart to get this over with now, so he can enjoy the holidays more.

One aspect of the setup struck me in its absence, and I asked about it in the comments section of Dwight’s original post. Did he enable the security settings on the folks’ new wireless router? Yes, but only the old and very weak WEP instead of the newer and more secure WPA and WPA2 standards.

I don’t knock Dwight for making this choice. Setting up WPA is still too hard, and it can take a long time to get all the hardware talking properly.

Two years ago, around the time that Windows XP SP2 came out, Microsoft announced a standard called Windows Connect Now, which was supposed to make it ridiculously easy to set up WPA security with a USB flash key. So far, though, only one router supports the standard, D-Link’s DI-624S. And it doesn’t work as advertised.

There is a workaround that allows you to use the wizard and a flash key to set up WPA on a network even when the router doesn’t support the standard. I’ll try to post those instructions later this week.

Meanwhile, shame on the router community for not making it easier to turn on effective security.

I’m always suspicious when someone selling security services tries to tell me how serious a particular security problem is. For the latest case in point, see this week’s Computerworld:

A recent study sponsored by Risk Control Strategies, a threat management and risk assessment firm, found that an overwhelming majority of 223 security and human resources executives who manage between 500 and 900 employees said workplace violence is a bigger problem now than it was two years ago. As a result, 23% said employees have intentionally and maliciously downloaded viruses over the past 12 months.

That seems really, really high to me, and it makes me doubt the rest of the study as well. If this sort of deliberate virus attack were really happening all that often, wouldn’t you think we would hear more specific examples? Wouldn’t some people have been arrested? I have no data to back this up, but it sure seems more logical that viruses attack organizations because the underlying security systems are faulty and users haven’t been trained in how to avoid risky behavior.

I found the original report (undated but apparently published earlier this year). It claims that in the same sample of businesses, approximately 65% had one or more employees who made verbal threats against senior management in the last 12 months and 36% had experienced “electronic assault/death threats to senior management.” I know the world has gone mad and all that, but I have a hard time believing there are that many psychos in the world.

I definitely don’t want to minimize the problem, but it is noteworthy that this company has a very full menu of (presumably very expensive) services designed to reduce workplace violence.

(via Techdirt)

Last week, Microsoft issued a critical update for a serious vulnerability in Windows 2000 and versions of Windows XP before Service Pack 1. Today, a worm that exploited that vulnerability hit some of the United States’ media giants:

A computer worm shut down computer systems running the Windows 2000 operating system across the United States on Tuesday, hitting computers at CNN, ABC and The New York Times.

Around 5 p.m. computers began crashing at CNN facilities in New York and Atlanta. ABC said its problems began in New York about 1:30 p.m.

There is no excuse for these companies being unprepared for this. After CodeRed and Sasser and Blaster and other similar worms, the IT departments at these companies should have been ready to deploy critical updates like this one for any operating system, not just Windows. We’ve known for years that exploits like these can be go from proof-of-concept code to a full-fledged destructive worm almost literally overnight, as this outbreak proves once again. Even if they weren’t prepared to deploy a patch immediately, basic firewall software and a network configuration that blocks ports 139 and 445 from entering the network (all documented in the Workarounds section of this security bulletin) could have prevented the spread of this worm.

If you’re running Windows 2000, better check your security settings. You’re definitely at risk.

We’re moving in a few weeks, into a neighborhood where Comcast provides cable and Internet service. The good news is they have high-speed access and high-definition DVR service. The bad news is that Comcast insists I have to give them my Social Security number before they’ll start my service.

The sales rep says the company doesn’t run a credit check or actually do anything with the information. Instead, they use it as an identity check so that a third party can’t make changes to my service.

Are they insane? Identity theft is a real problem, and the Social Security Administration cautions, “You should be careful about sharing your number with anyone who asks for it (even when you are provided with a benefit or service).” They specifically caution against companies like Comcast doing this:

If a business or other enterprise asks you for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.

Giving your number is voluntary, even when you are asked for the number directly. If requested, you should ask why your number is needed, how your number will be used, what law requires you to give your number and what the consequences are if you refuse. The answers to these questions can help you decide if you want to give your Social Security number. The decision is yours.

The rep I talked to said it’s “policy.” No, I can’t talk to a supervisor, but he’ll have someone call me back. We’ll see what happens.