Ask a Stupid Question Day

Tomorrow (Friday Sept 28) is "Ask a Stupid Question Day". Yes, there is an entry in Wikipedia, so it must be so (see http://en.wikipedia.org/wiki/Ask_a_Stupid_Question_Day )

And for those of you keeping track:

September 29 is... Poisoned Blackberries Day
September 30 is... National Mud Pack Day

Got any stupid questions? (or was that one?)

On my wall at the office, there is a picture from the movie "Sixth Sense". It shows Bruce Willis and the "Sixth Sense" kid. The caption is "I see stupid people...they are everywhere. They walk around like everyone else. They don't even know they are dumb."

A relic from my days on the Help Desk.

Cameras Do Not Prevent or Solve Crime

London (England) may be the most watched city in the world. They have put many surveillance cameras all over the place. Some watch for crime, some watch for cars/traffic, and some just watch.

The justification for all of those cameras is often to 'prevent crime'.

It just doesn't work out that way.

Bruce Schneier is a big security expert. And he reports on a study that claims that cameras do not prevent crime ... or even solve crimes.

The link to his entry is here.

Happy Birthday to :-)

The 'smiley' emoticon is 25 years old today, invented by Carnegie Mellon University professor Scott E. Fahlman.

Wikipedia says "The two original text smileys, :-) to indicate a joke and :-( to mark things that are not a joke were invented on September 19, 1982 (at 11:44am) by Scott E. Fahlman, a research professor at Carnegie Mellon University's Department of Computer Science. His original post at the CMU CS general board, where he suggested the use of the smileys, was retrieved on September 10, 2002 by Jeff Baird from an October 1982 backup tape of the spice vax (cmu-750x) as proof to support the claim."

Here's the original message:

19-Sep-82 11:44 Scott E Fahlman :-)
From: Scott E Fahlman

I propose that the following character sequence for joke markers:

:-)

Read it sideways. Actually, it is probably more economical to mark
things that are NOT jokes, given current trends. For this, use

:-(

(from http://en.wikipedia.org/wiki/Emoticon )

...

Updating Windows Update Flap

A minor flap about how Microsoft's Windows Update works surfaced yesterday. Scott Dunn, a columnist for the "Windows Secrets" web site claimed that Microsoft was updating his computer without notification. He claimed that "Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates."

It turns out that Mr. Dunn wasn't telling the whole story. First, the files that were updated were the Windows Update program files themselves, not any patches to other parts of Windows or Microsoft applications.

Second, Mr. Dunn apparently had his Automatic Update settings set for either "download and notify but don't install" or "just tell me when updates are available". He did not have Automatic Updates turned off.

Since his settings had Automatic Updates enabled, at the daily "update check", the Windows Update program noticed that there were updates to Windows Update, and proceeded to download and install those -- essentially updating itself.

Which is exactly what Mr. Dunn's computer was supposed to do. There were no 'stealth updates' of anything other than Windows Update itself.

Microsoft has released a clarification to this issue (here http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx from Nate Clinton, the Program Manager of Windows Update).

The so-called 'stealth updates' were the Windows Update program updating itself. This is done only when Windows Update process contacts Microsoft: by the Automatic Updates daily check (if enabled), or by manually going to the Windows Update web site, or by the computer 'contacting' it's Windows Update Server (used in corporate environments).

The files that were updated (as described in the Scott Dunn column) are all *Windows Update* files. I suspect that Mr Dunn's computer had Automatic Updates set to "download but not install" or "notify me when updates available". If he had set Automatic Updates to "don't update", he wouldn't have seen the updated files.

Perhaps a bit more research was in order before Mr. Dunn complained.

Storm the NFL and a Malware Hosting Report

The recent "Storm Worm" emails are still evolving. The latest email is related to NFL football; just click on the link in the email and it brings you to a page where you can click any link to get the "NFL Game Tracker" (it's free!).

Every link on that page will get you the 'tracker.exe' worm. Click on a link, and game over.

It's not hard to find any site that has been compromised with "inappropriate" content. Not all webmasters (or hosting firms) are as careful as they could (and should) be. One can use their favorite search engine to search for inappropriate words on specific sites (in Google, you use the "site:" parameter in your search string, or go into Advanced Search settings to specify specific domains). The result will be thousands of sites with inappropriate content.

Many of those sites are hosting, without their knowledge, pages that just contain links (used by the evildoer to increase search ratings or provide ad-click revenue). Or they may contain client-side attacks, which try to install evil software covertly ("drive-by attacks") or overtly (through social engineering -- e.g. 'click here to clean your computer') that will turn your computer into a remotely controlled 'bot. Much of the spam lately (such as the 'e-card' and others) is related to the "Storm Worm" gang which use similar social engineering techniques to get you to an infected web site.

An interesting analysis of client-side attacks is found at the "HoneyNet Project" site ( http://www.honeynet.org/papers/mws/ , then click on the PDF to get the white paper). It's an interesting paper; although one expects an adult-oriented site to be more dangerous, even a news or music site can be a risk.

The paper concludes with defense recommendations, which closely parallel the "Safe Computing" practices we've discussed in the past: updates, patches, anti-virus/spyware protection, carefully evaluating links before clicking, not installing add-in software when prompted on a site, avoiding "fix your computer now" popups, staying away from the Internet's dark side, etc.

The Internet is a wondrous place, but, like any city, there are areas to avoid, and 'offers for help' to refuse.

Trust But Verify

A few posts back, we discussed the use of text messages rather than phone calls on your cell phone during periods of heavy use. Our example was the Minnesota bridge collapse, where it was difficult to get a cell phone call through due to overload of the circuits.

You can view the start of that group of messages here, then look at part two and part three.

I got a few comments on those posts (well, two). One reminded me that text messages do cost (the reader said his cost was about 10 cents a message). I'll agree with that, you may have to pay for the text message. But you should be able to figure out the technique in a couple of messages. That's a small investment for knowledge that may be vital in an emergency.

Another reader noted that he did not receive an important text message sent on Christmas Eve, another high-traffic time.

There is always the possibility that an email or text message or even a phone call won't get delivered. So you, as the sender, need to determine when you need to "Trust But Verify" that the message was delivered. Perhaps you can add a short "Please Acknowledge" to the end of your message. Or resend an important message if you don't receive an expected response with a reasonable time period.

Email/text/voice usually works, you can usually Trust it. But if you don't get an expected response, then a Verify might be in order.