Those Dirtbags

I've noticed emails with an exe at the end of them... just not ".exe." For example, I have one with attachment "attach3781.txt.  exe".

Be careful out there.


Another "Convert"

I know there are a lot of them. But, Clinton Forbes' blog 10 Pros & Cons of switching from Windows to Mac OS X is very good.

He also blogged Firefox 2.0 now the best browser for the Mac - Safari is dead. I was going to point out that I disagree. But then he did, in Mac Browser Death-Match: Safari vs Firefox.

I'm using both. I may do my own blog entry about Firefox. One thing I really like is "Find." On Safari I have a hard time finding the text it found. See, when the Find box is open in Safari, the "highlighted" text is grey until the main window again gets focus. In Firefox, the find is not in another window. Firefox nicely highlights found text. Well, more later.

I did comment on his original Firefox blog:
I've used Firefox before, just as you described (on Windows, to test pages, when Safari didn't work).

One thing for me which might be a showstopper for making FF my default: it doesn't (seem to) use the Keychain. It uses its own. I really like the fact that my keychain password protects the other passwords.

I know I can set a master password in FF. Maybe it is just as good. I've this notion that the keychain password is better protected.


Shocking News! You can print fake boarding passes on your printer!

I am being sarcastic, you know? Only the computer illiterate will be surprised that the boarding passes you print out on your home printer can be faked. I don't expect members of Congress to be computer or technology experts, but even if their eyes and brains don't tell them this, don't any of them have smart, computer-savvy aides with a clue?

One of many news items about this is at Boarding Pass Hacker Under Fire.

In a more recent post, Rep. Edward Markey (D-MA) repented of calling for Soghoian's arrest, but still suggested bad judgement. Dr. Avi Rubin also weighed in, "Even if he has a legitimate point, it shows a real lapse in judgement."

I suppose. Still, what's the difference between what I print out on my printer when I "check in," to a flight using an airline's web site and Soghoian's? Right, one is real. But, still... how does the TSA agent know that?

Right. He or she doesn't.


Five reasons NOT to use Linux

I've been carrying around this pointer in my Inbox since August. It is a great read (and it is a satire). http://www.linux-watch.com/news/NS8124627492.html.


Tweak to my Spam Barrier

I—like a lot of you—was getting lots of "buy this hot stock" spam. The latest change I made to my Postfix installation is to add a check against the Spamhaus Block List. The addition to main.cf is under smtpd_client_restrictions, which now looks like this:
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/accessi
    reject_rbl_client sbl-xbl.spamhaus.org

It seems to be working well.

Well, Spamhaus has been in the news. This will give you all you need to know in case you've missed it.


Love, No Longer "Love and Hate"

As of a few weeks ago, I was still having the problem I mentioned in Still Love and Hate Mail. I had found that if I remembered to Go Offline, then Go Online again, all was well. If not, the Mail client and the IMAP server got confused about what my Inbox looked like. Clearly, the mailbox state wasn't being updated until I disconnected. I religiously read the Apple discussion groups (for example, this thread). And found the solution.

As I posted in the above-mentioned thread
RE: IMAP deleted mail won't stay deleted...
Posted: Sep 12, 2006 9:39 AM

> The following is an example of such a thread, and it
> contains a more extensive discussion of what the
> issue really is and why manually taking the account
> offline/online might work:
> http://discussions.apple.com/thread.jspa?threadID=586858

I looked at this before, but I looked at it again and here is what I did. This may be something you can try. I am trying it. So far, so good.

You need to change your INBOX to .mbx format. See http://www.washington.edu/imap/IMAP-FAQs/index.html#4.5, wherein we read:
If you create an mbx-format INBOX, by creating "#driver.mbx/INBOX" (note that "INBOX" must be all uppercase), then subsequent access to INBOX by any c-client based application will use the mbx-format INBOX. Any mail delivered to the traditional format mailbox in the spool directory (e.g. /var/spool/mail/$USER) will automatically be copied into the mbx-format INBOX and the spool directory copy removed.

Okay, cool. How to create the INBOX: Connect to your IMAP server using a telnet client and then issue the commands needed to create it. I saved my Inbox contents first, but this actually should not touch the spoolfile mailbox. (On a UNIX system, this is something like /var/mail/fred for me and is in UNIX mailbox format.)

So, in terminal I did this (this is exactly what I typed except I typed in my real incomingmailserver name and my real password):

telnet incomingmailserver 143
a001 login fred mypassword
a001 create #driver.mbx/INBOX
a001 logout

See http://www.ietf.org/rfc/rfc2060.txt for IMAP commands.

Seems to be working fine. (It created INBOX in ~fred on my server, by the way.)

It is still working exactly as it is supposed to and I am completely happy with Mail.


Top Six Reasons Why I Hate Network- and Computer-Security

In Stating the Obvious, I said that "Information Security … experts are constantly stating the obvious," and that "This will be one of 'Top Ten Reasons Why I Hate Computer and Network Security,' which I will blog next week."

Well, I actually only have six, after e-mail from friend and colleague, Marcus Ranum—and I didn't blog them "next week." I present them in no special order.
  • We state the obvious.
  • We talk about and rehash the same old stuff.
  • The field is full of pseudo experts who are not really experts or who talk like they are not.
  • We focus on the presenting problem.
  • We are enamored with statistics—any statistics.
  • We look or hope for government to save us.
I've already talked briefly about the first. I will expound the others in future blog entries.


This is the third of the Top Six Reasons Why I Hate Network- and Computer-Security

Those and the following, I believe, are examples of my thesis: the field is full of pseudo experts who are not really experts or who talk like they are not. A recent (yesterday, as I type this) example is a quote from a former colleague, now with Gartner, about Application Proxies. In article App Proxies: No Reviving the Dream, John Pescatore is quoted as saying, "When a new vulnerability comes out, you may have to rewrite the proxy. You can't put in proxy rules that can anticipate unknown" Which shows a horrible misquotation or a colossal misunderstanding of the basics of application gateway security.

That is to say, an application gateway proxy implements a controlled subset of a protocol. Such proxies aren't interested in anticipating behavior. They only allow certain, specific behavior. That's fundamental to their security and why they should be attractive. Don't we know that? Surely, John does. I fussed about lack of firewall knowledge in experts back in November 2003 in blog entry, What do we think firewalls do?. I wrote in part about this problem across the board in network security in this Institute for Applied Network Security column.

So, we have security experts who are less than expert out there. Some are in that boat because they are or were expert in other fields and then "security" became more lucrative and/or interesting. Some, because they studied and took a test and got "certified." I mention this under the "certification" bullet in Security Redux, in which I say,
Certifications. They are great, especially if you do not have the opportunity to expose your knowledge at conferences and in print. But, they are no substitutes for experience. I know someone who has a CISSP but zero practical experience. It doesn't make this individual a bad or useless person. But it certainly does show.
See, it is easy to be a network security expert nowadays. Anyone can do it.

And, would you say that the state of security on the network is improving, degrading, or staying the same?


Disposal of Data Disks

Recently, I've used Active@KillDisk to remove data from some old hard drives from obsolete computers before taking them to the dump. You know … making sure there is no personal data of any kind left on the old disks.

Today, I read PDAs sold on eBay 'loaded with sensitive data'. The video this points to is interesting. Granted, this was motivated by marketing: the company who bought these phones on eBay and performed the tests sells software to secure these hand-held systems. Nevertheless, the results seem to be real.

Does your company have a policy for computer disposal? Does your company have a policy for disposing of mobile phones and PDAs? Does someone in your company know how to do a "zero-out reset" on these devices?

Top Ten Security Threats

Background: This is from a 3 or more year old course I gave in support of what I say in The same old stuff further in support of Top Six Reasons Why I Hate Network- and Computer-Security. In short, this is old and, yet, is still relevant. (Kinda like me.)
When we consider Internet system security, these are what I consider to be the top ten security threats.

Default Install
All types of systems are vulnerable to this: desktops, servers, appliances, routers … anything that can be configured. Personal computers and servers often have unneeded services running. And although

No security updates
VATs can help. So can proper policies with proper implementation.

There are multiple problems here. The first are demo or guest accounts. (This also can be considered part of the Default Installation problem, as many default installations come with preset passwords.) Easily guessed passwords are almost as bad. Guessed passwords do not necessarily provide complete control, but they do provide a foothold. And a foothold is an attacker's "Step 1." There are, of course, solutions to this. An enterprise can set password policy, but then has to back up policy with policing, using many of the password checking and scanning programs available. Even better is to replace user-id/password with 2- or 3-factor authentication, including security tokens and biometrics. Recently, when I have taught a course, I ask who has 2-factor authentication. I am pleased to see that the percentage of raised hands is on the rise. Still, most hands remain down. And still, like most things "security," strong user authentication is an "add-on."

Bad Backup Policy
Most enterprises do a decent job here, but many do not consider backing up teleworkers' computers. And many do not routinely verify backups.

Open Ports
This is still a problem on many gateways. ("Default deny" still has not caught on, even though done correctly it is nearly invisible and protects better than "default allow.") On our servers, desktops, and gateways we have opened unused network ports and used ports that are not required. Think of a house with 65,537 open doors.

Lax filtering
IP spoofing is still used. Do not allow your gateways to pass any source-routed packets.

Bad logging practice
Unread logs are not very useful. Logs that are incomplete are worse.

CGI Scripts
Common Gateway Interface scripts are necessary for all but the most basic web pages. The risk is to the web server. Web servers come with example code. Some of that example code has, in the past and today, contained exploitable bugs. (See CGI Script Source Code Disclosure Vulnerability in Apache for Windows.) The solution? Write your own code, if you are able, and test, test, test.

Remote Procedure Calls and Remote access
RPCs allow one computer to run a program on another computer. Buffer overflows and other security weaknesses can and have led to an attacker running a program on the local computer. Unix, Windows, and Mac OS X systems run RPC servers. Global file sharing is a potential point of vulnerability. Do you know what the default settings are on your computers? Firewalls can stop connections. Do yours? What about your teleworkers?

These are "necessary," but remember: all popular browsers—IE, Opera, Mozilla, Firefox, Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon—have had reported vulnerabilities. All are subject to spoofing vulnerabilities. (Check your browser out at http://secunia.com/multiple_browsers_dialog_box_spoofing_test/.) Also, browsers (and so, client systems) may be vulnerable to Java and Javascript vulnerabilities. Errors in the Java or Javascript system could allow a web page to trigger a local user action (anything the user could do locally). Any active code on a web page follows this same basic idea: the web page based program is downloaded and executed, and the browser makes sure the operation stays contained. This is apparently very hard to get right. See Cross platform javascript vulnerability leaves IE, Firefox open.

Enterprises should strip Java or Javascript from HTTP traffic at the firewall. Users will be up in arms over it. It doesn't help with HTML e-mail messages. E-mail Acceptable Use Policy: Disable all HTML, Java, JavaScript, VB, and any other interpreting in the e-mail reader.

Okay, really any fancy e-mail client that:
  • Automatically renders Java, JavaScript or ActiveX.
  • Automatically launches dangerous applications, remembering that any "helper" program may be dangerous (browsers, picture viewers, Word, PDF viewer).
If you are stuck with Outlook, turn off some features:
  • Any that users do not really, really, really need. (Disable them and wait for complaints. Then selectively add.)
  • Do not allow Outlook to auto-display HTML
  • Disable Java, JavaScript, ActiveX and VBS controls (under Internet options)
See The Things I Hate About Outlook and Outlook—Just say "no".

Further, be very selective in what attachments your organization will admit through an e-mail gateway or firewall. Does your enterprise require .scr, .bat, .com, .exe, .dll files? Start with what it needs. Disallow all except the ones you absolutely need. (See Buried in Swen! from 2003.)
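The allowlist approach described above, as an added Python example (not code from the original post or from any mail gateway product). The allowed set is an assumption for a hypothetical organization; the test names reuse the "txt.  exe" and ".jpg.exe" patterns mentioned elsewhere on this page.

```python
import re

# Assumption: the short list of types this hypothetical organization has a
# business need to receive. Everything else is refused (default deny).
ALLOWED_EXTENSIONS = {"pdf", "txt", "doc", "xls", "jpg", "png"}

# The types the post asks about; used only to give a more specific reason.
EXECUTABLE_EXTENSIONS = {"scr", "bat", "com", "exe", "dll"}

# Constructed sample filenames, for illustration only.
SAMPLES = [
    "attach3781.txt.  exe",
    "postcard.jpg.exe",
    "setup.exe",
    "Invoice.PDF ",
    "README",
]


def normalize(filename):
    """Reduce a filename to the form the recipient's system will act on."""
    # Keep only the last path component, whichever separator was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Collapse whitespace padded around dots: "a.txt.  exe" -> "a.txt.exe".
    name = re.sub(r"\s*\.\s*", ".", name)
    # Windows ignores trailing dots and spaces, so "x.exe. " is still "x.exe".
    return name.strip().rstrip(".").lower()


def check_attachment(filename):
    """Return (allowed, reason) for one attachment filename."""
    parts = normalize(filename).split(".")
    # The decision is made on the final extension only; no extension means deny.
    extension = parts[-1] if len(parts) > 1 else ""
    if extension in ALLOWED_EXTENSIONS:
        return True, "allowed"
    # An executable hiding behind a harmless-looking inner extension gets its
    # own reason so it can be counted and alerted on separately.
    inner = set(parts[1:-1])
    if extension in EXECUTABLE_EXTENSIONS and inner & ALLOWED_EXTENSIONS:
        return False, "disguised-executable"
    return False, "not-allowlisted"


if __name__ == "__main__":
    for sample in SAMPLES:
        allowed, reason = check_attachment(sample)
        print(f"{sample!r:28} {'PASS' if allowed else 'BLOCK':5} {reason}")
```

A filename check is only the first gate; it says nothing about what the file actually contains.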

This was my top ten security threats list. These are not the top ten security threats that keep me up at night. All of these have some kind of reasonable mitigation, none of which are useful unless they are implemented.

The same old stuff

This is the second of the Top Six Reasons Why I Hate Network- and Computer-Security. And I will give some examples. Example #1: My friend Dave Piscitello points to a NetworkWorld article he wrote, Neglecting identity management. It is part of a series, and he mentions the others in his Blog #550. In it he lists the other "Six Worst Security Mistakes." And his blog proves my point, as every one of them, including his, could have been a magazine article 5 or 10 years ago. Now, hear me clearly: Dave's article is, of course, excellent. My point is not that his or the others are somehow not relevant. My point is that they should be old news, at least when it comes to proving the point. Mechanisms and methods change. The fact that identity management is not to be neglected, or that training is important, or that product "bells and whistles" should not be a security selection criteria (in the early 1990s the flashiest not the most secure-able firewall "won"), or that one needs a security architecture (and most companies would benefit from a policy for a plan), does not change my point. We are talking about these things—and writing multi-page magazine articles—like it is all new stuff. We didn't get it 5 or 10 years ago. We'll get it now?

I will give another two examples. I pulled some examples out of my presentation folder from two courses I used to give for the Computer Security Institute. I will blog on each and I think you will agree that they are still accurate. They are from 2003 and 2004. The examples were old and relevant then. Example #2, Top Ten Security Admin Errors. Example #3, Top Ten Security Threats.

By the way, I talk about the same old stuff in a blog entry from 2004 in Security Redux. It, too, proves my point.

Top Ten Security Admin Errors

Background: This is from a 3 or more year old course I gave in support of what I say in The same old stuff further in support of Top Six Reasons Why I Hate Network- and Computer-Security. In short, this is old and, yet, is still relevant. (Kinda like me.)
#10: No or Outdated Security Policy
The reasons for this are many, including:
  • We don't know how to start.
  • We want to get it right, so we delay.
  • We don't have the resources (staff, money, time) to get to it.
  • Things are moving too fast.
Examples are also manifold, including:
  • Mainframe policy in an internetworked world. Or similar (more up-to-date-now), the policy was created 5 years ago when we were a 30 person company and before all of those mergers.
  • Doesn't take into account remote or teleworkers.
  • Doesn't cover all user types. That is to say it treats all users (Sales, Sales reps (not employees), Contract workers, Business partners) the same.
#9. Lack of Senior Management Understanding/Buy-in
They don't understand the expense, the costs, the liabilities, or the risks. They equate security with the last large expense the company made, the "Security=Firewall" phenomenon.

This is from a posting on the firewall-wizards mailing list:
Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated.
To which I replied:
"Can anyone out there help me learn to drive an 18 wheeler? I was hired to do this and I have a truck supplied by my company. I have a driver's license for an automobile, but I've never driven a big rig before, nor have I had any training in one. It is very important to my company that I get this right and I have to start a cross-country run on Wednesday. Any help you other drivers can offer in your spare time as you pass through will be greatly appreciated."
#8 and #7 No Audit Logs or Unread Audit Logs
This is neglected because enterprises don't know what to do with them or how to handle them. (Okay, maybe this has gotten better. You think?)

#6. Leaving the Door Propped Open
Enterprises are still creating one-time changes to their security posture that end up being permanent, because they are forgotten. "I just need to do this one thing." "Open this up now, and I will call you when I am done." "We have this customer demo."

#5. Exceptions
They might be needed, but are they? The more exceptions, the lower the security posture of the enterprise. And this is linked to #6.

#4. The Big Boss Problem
Every organization has someone high enough in the organization to be able to make a decision that puts the enterprise at risk, but lacking the knowledge or information to make it an educated decision.

#3. Network Service Requests Before Establishing Business Requirements
I mean think about these services that are allowed with no real business need:
  • Streaming media from the Internet
  • Instant Messenger
  • Skype™
  • Access to my Hotmail, et al. accounts
#2. Allowing Network Services Without Assessing Security
This is almost meaningless nowadays as nearly everything works through today's porous "firewalls." Do we allow SSL through our firewalls? SSH? Can our people use NetMeeting? Of course. Have we weighed the risk? Often, of course not.

#1. User Wants Disguised as Requirements
And solutions disguised as requirements.
  • I need NetMeeting. Translation: I need (maybe) inexpensive teleconferencing.
  • I need port 2592 open on the firewall. Translation: I want to play Netrek.
  • I need access to my hotmail account when at work. Translation: I am running a business on the side.


More on Stolen Notebook* PCs

Just a short one on this, as this problem has become commonplace. The solution is trivially easy. We just don't do it. The VA has finally got what they should've known before losing personal records. See VA buys encryption tools.

Earlier I talked about this in January 2005 and April 2005. In this USA TODAY article, Jon Swartz writes, "Encryption can be pricey. Gartner estimates a company with 100,000 customer accounts can spend $30 to $40 per laptop on data encryption. Yet, the cost of a data breach is even higher." So, when will we start thinking "security" along with the initial purchase? Practically speaking, AV software is free (at least for the first year). Both XP Pro and Mac OS X come with "free" disk encryption, don't they? (See Laptops and PII Losses.) We've been talking about this for years and have known the answers.

I am on a PGP mailing list and received an invitation to a jointly-sponsored webinar with Vontu on September 13, 2006: Stolen Laptops: How to Recover and Reduce Risk. I've previously told you how to do this, but if you want to hear from a vendor's perspective (I respect both PGP and Vontu), register and tell them I sent you. (I don't think I'll get anything for it, but you never know.)

*Notebooks, not laptops!

Notebooks not Laptops

We don't call them "laptops" since they overheat and explode. Check these out, and don't tell me that some of these sources are dubious! The photos are great. :-) "Exploding" Dell Laptop Destroys Truck, Imperils Outdoorsmen; Dell laptop explodes at Japanese conference; Another PowerBook violently explodes. As far as we know, a commercial jetliner has never been brought down by a notebook PC, but one can never be too careful.


Yet another reason I am still glad I switched to Mac

Dear Sir Bill Gates: invoice enclosed


You've gotten them, right? Electronic birthday cards, greeting cards, etc.? You ever get one from someone you didn't know? Everyone wants a secret admirer, no?

I received two within a week, so it reminded me to remind friends and family members that you should treat electronic cards as you do any e-mail with an actual attachment. That is to say, "with caution." ("With extreme caution," if you don't know the sender.) Here's why.

Message #1 was this:
From: "Found D. Tyree"
Dear recipient.
Sender at Michelle sent you an "e-card" "Here's the Rub" from 'greeting-cards'. To see your card, click here

This "ecard" will be stored for one week, so print or save the card as soon as possible.
Hope you enjoy our "e-cards". Spread the love and send one of our "e-cards".

Brought to you by 'greeting cards' - a better way to greet.
Seems benign. Anyone else bothered by the strange mismatch between the full name and the mail address? "Click here" was linked to a web site. I won't give you the URL (because you might click on it). What happens when you do? I don't know. All I know is this. 1) I don't know a Michelle who'd send me a card. 2) The "top level" of the URL pointed to a web site that was under construction. The top level had text that read, "Welcome to the home of [the top level domain name]. To change this page, upload your website into the public_html directory. Date Created: Sat Aug 5 12:36:14 2006."

That was 4 days before I got the e-mail. Badguy sets up a web page. Badguy puts a trojan attack on a web page targeted at a particular operating system. Badguy uses spammer techniques to seed the world and waits.

Message #2 was this:
From: greeting@all-yours.net
Subject: You just recieved a E-Greeting.

Hello ,

A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:


visit E-Greetings at http://www.all-yours.net/ and enter your pickup code, which is: a0190313376667

(Your postcard will be available for 60 days.)
This is how I received it, misspelled words and funny punctuation (space before the comma after "Hello," and all). That URL actually pointed to a different URL at a different host and the URL ended in ".jpg.exe". Not good. Not good at all.

There was no indication as to who it was really from. And I check URLs. Do you? It's a good habit to get into.

Look three times before you "click".
  1. Does the letter look like it was created by an automated process on a real, in-the-business, e-greeting card company, or does it look like it was quickly generated by someone who has English as a second language?
  2. Do you know the sender? Really?
  3. Do the collars and cuffs match? I mean, does the URL link name and the actual link match?


Samba Between Fedora Core and Mac OS X 10.4.5

Strange problem. I can smb-mount—via Finder—"shares" on MS Windows systems on my network as well as my older Linux system. But, when I try to mount a share on a newer server with Samba version 3, no joy. It hangs.

On the server, I see this: "api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct." Searches of the net have not turned up a solution, except for upgrading Samba on the server. My wife has no problem in samba-mounting shares on the Linux server to her Windows XP system. Putting off upgrading the Linux server (yum does not report any "official" Redhat package updates), I am NFS-mounting folders when I need them (backing up my Powerbook to my Linux server, for example).

I found that the problem is in mounting from Finder. I can issue a command from the command line, such as:

mount_smbfs //fred@linuxserver/fred \


In Information Security, Experts are Constantly Stating the Obvious

This will be one of "Top Ten Reasons Why I Hate Computer and Network Security," which I will blog next week. Today my RSS feed from FIRST pointed me to Removable media in the workplace can become a security timebomb. This is a well-written and accurate article. My problem with it is that anyone with even a bit of exposure to—not expertise in—the field of Internet security would, after reading all of these, say, "Well, yeah, that's about right."

In computer and network security, we keep stirring the same pot, ladling some out every once in a while, and presenting it as a new dish. Newsflash: even if you add a dash of soy sauce, it is still Campbell's® Chicken Noodle Soup.


"Macs Safer," says Sophos

"It seems likely that Macs will continue to be the safer place for computer users for some time to come." —Graham Cluley, Sophos.


I'd switch over my kids, too, but there is no "Maple Story" game for Mac.

Do I need a docking station?

My cabling is a mess. I admit it. When at home, I use my PowerBook connected to a large monitor with the PowerBook screen as the secondary screen.

You can see the cabling, here.

The real problem for me is not plugging in seven (7) cables. The cables are, by the way:
  • Power
  • Ethernet
  • Firewire for iSight
  • USB for keyboard and mouse
  • Other USB (camera, Palm computer, etc.)
  • miniDVI for CRT
  • audio/speaker output

Half the time when I fiddle with USB cables, I bump the DVI which resets the video and I need to put it back in and "Detect Displays" again. The miniDVI really pulls out easily. The only solution I have found is this one by BookEndz. It would certainly be better if I did not have the PowerBook on that little shelf (given where the ports are and where the docking station would end up). I wonder if I would still have the miniDVI falling out of the back of BookEndz dock?


Cool PDF Writing Software

On my PowerBook, I don't need any special PDF writer. It's just a supported output format from the Printer routine. On Windows, I have—up until now—used Visage eXPert PDF. A few weeks ago, probably after a recent Windows upgrade on my wife's (formerly my) XP Pro desktop, whenever I used the Visage print driver, it would work, but opened a very small window, which did not show the controls for saving to a file. So, I could print to PDF format, I could view the conversion, but I could then do nothing with the PDF. So, aside from loving my wife, why should I care?

I do use Windows XP to use QuickBooks, which I use to run my household and business finances. My wife uses it sometimes, as do I. Lately, I use it under VirtualPC on my PowerBook. But, I still need a way to create PDFs under Windows (I e-mail invoices this way). Since the Visage product, which has behaved flawlessly until a few weeks ago, stopped working, I looked for a replacement.

I found CutePDF™ Writer, whose tagline suggests, "Create PDF documents on the fly—for Free!" Those last two words attracted me. I installed it on both my PowerBook (under VirtualPC) and on her XP system. It works great, and I highly recommend it. It requires a PS2PDF converter, and they helpfully provide a download to the GNU Ghostscript converter.

Another reason I am still glad I switched to Mac

"Customers have been crying out for a tool which could tell them if they have been duped," she [Michala Alexander, head of anti-piracy for Microsoft, in the UK] said.

The topic: Windows Genuine Advantage (WGA) as reported in BBC News' website.

My immediate reaction: "Yeah, sure." I am not in favor of software piracy. Not at all. But, I am against lying, as I suspect that no "customers have been crying out for [such] a tool..." Customers have more important, more pressing issues, with Windows. And those who use pirated software in countries where it is common—Ukraine comes to mind—really do know that there is something fishy about the Microsoft CDs they bought at the street market for the equivalent of $5.00 (USD).


The Missing Manual

David Pogue's Mac OS, The Missing Manual: Tiger Edition, is an interesting, enjoyable, and useful read. At 845 pages, it might not cover everything one needs to know about the latest Mac OS, but it filled in the gaps for this new Mac user. One might have gone through this book with computer on lap. I did not. I read it a bit at a time, and dog-eared pages that I thought were of special interest. Then I went back, with computer on lap, trying the things he suggested.

I like Pogue's style and the book, more than a manual, held my interest. Buy it, enjoy it. You can get it from O'Reilly, but if you order from Amazon, below, I get a few cents.

Laptops and PII Losses (UPDATED)

This has been a bad summer, so far, for laptop loss. In January 2005, in blog entry Lost Laptops, I talked about this problem and some solutions.

In June alone we've read about the loss of laptop or notebook computers from

Prevention is easy. Enterprises can encrypt or password lock hard drives. They must write policies and procedures backing those up. This is an old problem with solutions that keep on getting better.

Wake up out there!

I've turned on FileVault on my home directory on my PowerBook. It seems to create an encrypted virtual volume. So, this is practicing what I preach. But, I've noticed something strange (that I think is related): I can no longer create anything in the top-level of my home directory (/Users/fred).

$ pwd
$ touch jnk
touch: jnk: Operation not permitted
$ cd Documents
$ touch jnk
$ ls -l jnk
-rw-r--r-- 1 fred fred 0 Jul 4 12:34 jnk
$ ls -ld . .. ../..
drwx------ 26 fred fred 884 Jul 4 12:34 .
drwx------ 38 fred fred 1394 Jun 6 15:15 ..
drwxrwxr-t 7 root admin 238 Jul 4 11:56 ../..
I do not know if this is related. I cannot back out of FileVault without deleting a bunch of files, although how much can I trust this? Look at what it says for the needed disk space. I have 60G disk. Hmmmm.


USB Attacks

This is an interesting, if obvious, attack. It harkens back to the historical—something we neglect more and more in network security. (And I have mentioned this too many times for me to repeat it here. Search for "history" in the search window of my blog site.) History will remind us that the viruses were originally spread on floppy disks. The obvious successor, with some twists, is the USB Flash Drive or "thumb drive". The twists include:
  • Many computers are configured to Autorun removable devices when inserted into the computer
  • USB thumb drives are still attractive enough that most people will pick them up, carry them off, and insert them into a computer the first chance they get.

Someone might do the second to see who owns the disk to return it, out of curiosity as to what is on it, or as a precursor to reformatting the drive.

Read more at: What would you do with a thumb drive you found on the street? What would your CEO do? And what does your security policy say about this?


Unfriendly Behavior with iTunes

Let me start by saying that I am trying to use an unsupported, non-recommended set-up. I want to store my iTunes library on my Linux server in an NFS-mounted directory. Why? I bought a 60 GB PowerBook instead of an 80GB, and figured I didn't need to have the music taking up disk space (especially when I have a 200GB disk sitting here on the network). iTunes has an option to specify a different iTunes Music folder location (Preferences, Advanced, General).

The only problem I had (I thought) was when I fired up iTunes (or my PowerBook did in response to plugging my iPod in—I've switched that off also) and my server was turned off. iTunes insisted on resetting my iTunes directory back to the default instead of giving me an error message. It showed that a whole bunch of music was missing (of course) and stored new purchases or newly ripped music into the default location again. But, I thought that the only problem I had was that occasionally music or podcasts would end up in the wrong place, and I would move them.

Then yesterday, it happened and in the course of trying to fix things, I found that some music was missing. The missing music was on my iPod, but I could not find it anywhere on my PowerBook or my Linux server. Yipes! I was, of course, happy that it was on my iPod. But, iTunes has no mechanism to update your music library from the iPod, only vice versa. You can mount the iPod, of course, as a disk, but that gives you no access to the iPod music section.

I am not clear as to what happened or why, but I do think it has to do with the iTunes client preferring local storage and insisting on changing back to it when the configured directory is unavailable. (I'd like it to complain and give me a choice.)

In another entry, I'll discuss the program I found and used; it saved me from hours of frustration.

PodWorks—providing what should already be in iTunes and isn't

In a previous blog, I discussed why I needed something like this program. As described on the PodWorks webpage,
PodWorks is a Mac OS X … application that compensates for the iPod's only downside: Apple only allows you to copy songs to your iPod. If you have two Macs and want to use your iPod to transfer music from one to the other, or you only store your MP3s on your iPod and need to copy them back onto your hard drive after a disk failure, you are out of luck!

This is where PodWorks comes in: it allows you to copy songs from any Mac iPod to any Mac …
This small application is easy to use and did what it claims, quickly and cleanly. I recovered my missing tunes, and I also used it to back up all music on my iPod to another location. (And from now on I will do disk-to-disk back-ups of my Music library.) The unregistered version of PodWorks has the following limitations:
  • 30 day time limit.
  • 250 song copy limit.
  • Songs must be copied one at a time.
  • Single-drag copying of playlists is disabled.
I didn't need the 30 days to test it. After 30 minutes, I purchased it. Did I mention it only costs USD$8.00? A terrific and inexpensive product.


Weird Science #1 This Week

It was a strange week. The first item that jumped out at me was the headline on The Register's news item: Hawking: Leave Earth or die! At first, I thought someone was threatening him, but then I saw it was a warning from Hawking.

I don't know about you, but I'm not packing just yet.

Weird Science #2 This Week

And this, from the Canada Free Press, in response to Al Gore's version of Scary Movie, Scientists respond to Gore's warnings of climate catastrophe. Short version: they did not say, "Good movie, Mr. Vice President."


20 Reasons I am still glad I switched to Mac

Check out Computerworld's article by Scot Finnie, Visual Tour: 20 Things You Won't Like About Windows Vista. Twenty more things to like about the Mac move.


Extraordinary Crimes, Extraordinary Means? Back-ups again.

"Woman targeted by web hackers," is the headline of this BBC News article. It talks about someone who was victim to a "new phenomenon, known as Ransomware."

The first thing I thought of? That the BBC won't print "Disk crash causes Greater Manchester woman to lose all files." Yet a solution to this old problem would provide a solution to this "new" one: Every user should have an easy way and an accessible place for backing up.

So, this is the current scheme on my home network: The PCs use Allsync®, backing up to a Linux server. On my PowerBook, I use Sync.

Now, I have to start periodically saving that backed up data from my Linux system to DVD-Rs. Hmmmm. Or, I suppose, I should nightly copy this out to one of my Internet-based servers. Duh. Should've thought of that before! Rsync it! Yes!! I'm not worried about Ransomware. But, a fire would do even more damage to the data.

The article closes with, "A Greater Manchester Police spokesman said: 'Our High Tech Crime Unit is aware of this new type of crime and incidents of this kind could increase in future.'"

To which I say,
"Extraordinary crimes against the people and the State have to be avenged by agents extraordinary. Two such people are John Steed, top professional, and his partner Emma Peel, talented amateur—otherwise known as The Avengers."
No. Really, Helen should've just backed up her data periodically. And not clicked on that link.
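An added example, not part of the original post: a backup that simply mirrors the source will copy ransomware-scrambled files over the good ones on the next run, so the copies need to be kept as dated snapshots. This Python sketch shows the idea behind rsync's --link-dest option (unchanged files are hard-linked to the previous snapshot, changed ones are copied, older snapshots are never touched). The directory names, dates and file contents are constructed for the demonstration, and it assumes regular files and directories only.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """Return the SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(source, backup_root, name):
    """Write source into backup_root/name without touching older snapshots.

    Files identical to the previous snapshot are hard-linked to it (no extra
    space); new or changed files are copied. Returns counts per category.
    """
    source, backup_root = Path(source), Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    older = sorted(p for p in backup_root.iterdir() if p.is_dir() and p.name < name)
    previous = older[-1] if older else None
    dest = backup_root / name
    dest.mkdir()  # raises if the snapshot exists: a snapshot is never overwritten
    stats = {"new": 0, "changed": 0, "unchanged": 0}
    for dirpath, _dirnames, filenames in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for filename in filenames:
            src = Path(dirpath) / filename
            out = dest / rel / filename
            old = previous / rel / filename if previous is not None else None
            if old is None or not old.is_file():
                shutil.copy2(src, out)
                stats["new"] += 1
            elif file_digest(old) == file_digest(src):
                try:
                    os.link(old, out)  # same content: share the stored copy
                except OSError:
                    shutil.copy2(src, out)  # filesystem without hard links
                stats["unchanged"] += 1
            else:
                shutil.copy2(src, out)
                stats["changed"] += 1
    return stats


def mass_change(stats, threshold=0.9, minimum=2):
    """True when nearly every previously backed-up file changed in one run."""
    seen_before = stats["changed"] + stats["unchanged"]
    return seen_before >= minimum and stats["changed"] / seen_before >= threshold


def demo():
    """Three nightly runs over constructed files; the third follows an attack."""
    with tempfile.TemporaryDirectory() as tmp:
        home, backups = Path(tmp) / "home", Path(tmp) / "backups"
        (home / "docs").mkdir(parents=True)
        (home / "docs" / "letter.txt").write_text("Dear Paul,\n")
        (home / "notes.txt").write_text("buy DVD-Rs\n")
        first = snapshot(home, backups, "2006-06-01")

        # Night 2: an ordinary day, one file edited.
        (home / "notes.txt").write_text("buy DVD-Rs and a disk\n")
        second = snapshot(home, backups, "2006-06-02")

        # Night 3: every file has been overwritten (stand-in for ransomware).
        for path in list(home.rglob("*")):
            if path.is_file():
                path.write_bytes(b"\x00LOCKED\x00" + os.urandom(16))
        third = snapshot(home, backups, "2006-06-03")

        good = backups / "2006-06-02"
        return {
            "runs": [first, second, third],
            "alerts": [mass_change(s) for s in (first, second, third)],
            "letter": (good / "docs" / "letter.txt").read_text(),
            "notes": (good / "notes.txt").read_text(),
        }


if __name__ == "__main__":
    print(demo())
```

The third run still completes, but the snapshot from the night before holds the readable files, and the jump in the "changed" count is the cue to stop and look before trusting the newest copy.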


Another Linux Desktop

In October, 2003, I wrote about my experience with a $200 computer from Walmart and its Lycoris operating system, in A Linux Desktop. I recently started using my Fedora Core Linux 2.6 server with the Gnome desktop. And I am impressed. Here may be a desktop that "Mom + Pop" (™ Jon "maddog" Hall) can use.

It is difficult not to compare things to the predominant home computer desktop. Really, I must. The discussion is really about an alternate to Microsoft Windows. Does this match it for ease of use, etc.? I think so.

The Gnome desktop is clean with mouse and keyboard use similar to Windows. This is important for anyone thinking of a move, as well as the new user who has computer support from friends and family. There are familiar-looking "Computer," "Trash," and "your home" (which you can easily rename to "My documents", and by "easily" I mean "exactly as you would in Windows"). There is a root window menu to launch a terminal window, which Mom+Pop would never do, create a folder, which they might, and create a Document, which they would do elsewhere.

A row at the top of the desktop gives access to drop-down menus, easy to explore. There is a text editor (Notepad replacement), gedit (I am using it now to create this file), a bunch of games, tools (calculator, dictionary), graphics tools (like Gimp for photo editing and an image viewer), and a PDF viewer. It comes with an X Window system version of Gaim (AOL IM, Yahoo Messenger, MSN Messenger, and Jabber, all in one interface), Thunderbird for e-mail, and Firefox for browsing. Also, there's a video conferencing application, GnomeMeeting. Mom+Pop would have no use for Nmap, Ethereal, FTP, or IRC, but you might.

The whole OpenOffice set of applications is here. Mom+Pop will never even notice they are not using their expensive, MS counterparts. All the audio and video applications you might think of are here, except iTunes; Apple does not make an iTunes implementation for Linux. For the power-user, there are tools to set all system parameters, servers, and other system configuration. Adding a printer just worked.

I've used the X Window System for years, and I've used Linux for years. I am closer to a power-user than Mom+Pop. But, I bet that this could be an excellent and un-Redmond-encumbered alternative to the usual, and more expensive, personal computer.

I've forgotten to post this. Dave Piscitello commented thusly:
I liked your Fedora column. In the column you mention OpenOffice, which I find to be extremely intuitive, and sufficiently close to Office 2003 to be a wash.

You say, "The whole OpenOffice set of applications is here. Mom+Pop will ever even notice they are not using their expensive, MS counterparts."

You're probably 95% correct. However, one word (no pun intended) of caution I would offer is that *some* features - picture insertion, floating and anchoring, table and paragraph characteristics - are interpreted differently by OpenOffice and MS Office. These are mostly minor inconveniences unless you use OpenOffice and distribute a document or presentation to MS Office users only.

The most useful feature in OpenOffice is "Export to PDF". Why? Because I can now send a document to Windows and *NIX users easily, without incremental expense, and without the obligatory "I hate Microsoft and don't use Word stop sending me .doc formatted reports!" :-)

Can users apply updates transparently as they do in Windows Updates? While auto-apply is controversial in business environments, the majority of home users automatically download and install every Microsoft update.
Yes, Dave. On the Gnome desktop is an indicator, which shows the state of your system (the blue check-mark in the image below). It uses "up2date." When it fires up, the user is asked for an admin password (root to us), and then it checks the Red Hat Network for available updates. And there is an indication of being in "admin/root" mode (the yellow "badge" in the image).

Gnome Desktop image


Pitching Windows for Linux

Another voice heard from. See the Slashdot report Can Ordinary PC Users Ditch Windows for Linux?. The answer for one Dow Jones reporter was, "No, not really."


Longer than Average Wait

When I saw this during an installation, I figured I had time to grab a cup of coffee… maybe two.

image showing


Time to try SightSpeed

I've been struggling with trying to get iChat to AIM to work. Unsuccessfully. I'm moving on. (See my blog entry Ready to Give Up on iChat to PC.)

From now on I will use iChat video with Mac users (where it works without problem) and encourage PC users to get and install SightSpeed. The free version will give all that I want to do. From a use and security standpoint it looks good. It is not as popular as AIM, but I can use AIM as the invitation mechanism.

In a PC Magazine review, in January, 2005, Cade Metz writes, "The inaugural version of SightSpeed Video Messenger impressed us a year ago, proving to be one of most effective desktop videoconferencing tools on the Internet. Its latest incarnation, known simply as SightSpeed 3.0, is even more impressive."

When Skype comes out with video conferencing for Mac, I'll try that also.

Meanwhile, if you want to try it out, my id on SightSpeed is my e-mail address: fred@avolio.com.

Tried SightSpeed with my daughter. It seemed like I had to port forward port 9000. But, I just turned it off and video chatted with someone in support and it worked fine (though he said I had some echo; I am not using a headset). I need to redo my network connection. I do not see why port forwarding should be necessary! I was successfully connected! But, when I tried it gave me a failure message and invoked firewalls. With the port forward, it worked wonderfully. Clear picture. Good sound. Easy setup for both of us. Free of charge.
I tried SightSpeed with my friend Paul in Ukraine (whom I mentioned in VoIP -- Unexpected Benefits). It was very easy for him to install and get working.

I recorded two samples for your viewing and listening pleasure. In the free version of SightSpeed, one is not able to save and download a video recording. In other words, to view it and hear it I have to point you to their web site, which drives potential subscribers to them (which is absolutely reasonable for the free version).

The first one is using the built-in microphone on my iSight webcam. The second is using a head-set microphone.


No Joy With iChat to AIM

It really should be easier. (Yes, "Who says?") I was thinking that it is a problem at my daughter's school... blocking something. I turned off the firewall on my aDSL modem for a few minutes, and still had no success. I'm looking to test with someone who has a PC with AIM who has successfully video-chatted with a Mac user. My AIM name: fmavolio. (Clever, eh?)

Oh. Yahoo for Mac is now working with video. I have no idea why it started to work. Yahoo Messenger for Mac does not support audio.

Here's what I've done
  • Directly connected my Powerbook to my Westell Wirespeed Dual Connect aDSL modem.
  • Turned off the modem's firewall.
  • Turned off the Powerbook's firewall.
  • Tried to video conference with a few different test connections as per http://www.ralphjohnsuk.dsl.pipex.com/ContactTesters.html. I tried appleu3test0, running on Mac/Tiger, ichatavtesting, same, and RjinWI PC, running AIM on a PC.
Connected directly to the modem, I could video conference with appleu3test01 and with ichatavtesting. In my normal configuration (below) I could not do so with ichatavtesting.

My current test set-up is as follows:
Internet -- aDSL modem (minimally firewalled and NAT) -- Netgear Wireless Router WBG614 (no firewall). Connected to this router is a Linksys VoIP switch and all other computers. (Note, when I tested, the only thing connected to the Westell and Internet was my Powerbook.)

So, it has to do with my router, but what? With no firewall on it, what am I left with? And it is listed as a router that is known to work with iChat and AIM. The only thing I have not tried is port-forwarding all relevant services through the Internet gateway to my Powerbook. But, that should not be necessary! That is, it shouldn't be unless this application is not very well behaved. I don't want to do it, and not just because it should not be necessary. If I forwarded all of those ports, other AIM Video Chat users on my (home) network would not be able to video chat anymore.

This remains my biggest disappointment with the "Mac experience." To paraphrase what I said earlier, "It really shouldn't be this hard."

Someone IM'ed me tonight. I was away then busy and missed the contact. (Does iChat catalog those sorts of things like Adium does? If not, why not?) He wanted to know how I got things working. Well, I really don't have things working. Just kind of working. Mostly not working.

I've tried almost everything I could find at Ralph Johns' iChat Pages and MVL Design.com's Video Conference Tutorial for iChat and AIM.

I'm still spinning my wheels.

I had a nice video iChat with another Fred, this one in France. He contacted me to discuss this problem and share some of the things he did to get things working. I'm still wrapped around this question, which I will have to test: is the only way to get this to work (AIM Video Chat) to port forward all relevant ports to my computer? I don't think I should have to. Of course, if I did that no one else behind my aDSL modem (i.e., no one on my home LAN) could AIM Video chat. But, why should I have to? I had a nice video-chat with Fred in France without that.

Let's take stock of things.
  • Inside my network I can initiate a video chat with a Windows XP user on my LAN
  • I can successfully video chat with others on the Internet who are using Macs and iChat
  • I can video chat with test iChat (AIM) users appleu3test01 and appleu3test03.
  • I cannot with test user rjinwipc (AIM on a PC). When I do I get the error "Failed to start video chat because: Frederick M. Avolio did not respond."
I just don't know what this is telling me.

Okay, I tried it with my Powerbook connected directly to my Westell, with no port forwarding. It worked to all the test accounts I've previously mentioned. I tried port forwarding the relevant ports to my Netgear router and then on from there to my Powerbook. I restarted iChat whenever I made a change. No difference.


VoIP -- Unexpected Benefits

Many are getting the benefits of Voice over IP—using your broadband Internet connection for telephone service. My pal, David Strom, wrote about this way back in December 2003! (For some reason I cannot find this on his new blog site.) I mentioned it recently in VOIP and Vonage. But, I recognized a new reason for some to use VoIP.

There are still places in the world where plain old telephone service (POTS) is terrible. A friend—I'll call him Paul, because that's his name—works in Odessa, Ukraine, at the service of orphanage children and street children in that city. He's been doing that for quite a few years. When he first went to Odessa, there were only a few ways to communicate with folks back home in the US. He could call or be called, but that, of course, was expensive. Also, the phone system was terrible. Much of the telephone infrastructure seemed from the Soviet era (or before). (A friend once called up to my hotel room in a nice hotel in Dnipropetrovsk. It sounded like she was calling from the moon. I really believe in some places, "all phone lines lead to Moscow.") The second communications method, of course, was postal mail. The problem was it was very unreliable, and even more so if it seemed like there might be something of value in the envelope. (And forget about boxes! But FedEx, UPS, and DHS have filled in the gap, stepping up to provide reliable package delivery. But, I digress.)

So, then, the best replacement for postal letters was e-mail. Sure it was very slow, but like a phone call, you could tell if it got through or not (for the most part). So, one could write a multi-page letter, dial-up to your local, slow ISP, and send it. It was a tremendous boon to folks like my friend.

Now, a few years later, broadband Internet has arrived (along with cable TV). So, my friend Paul did exactly what I recently did (and what Renaissance man Strom did, in late 2003). He got a Vonage router and phone number. So, he can call from his Odessa, Ukraine flat with a Maryland area code with usually crystal clear voice quality and without worrying about the cost. The calls are covered in his flat rate. And Vonage-to-Vonage calls are free of charge. So, for example, he and I can chat any time we want, just as if he was local, because he is a local call away.

This sounds like a commercial for Vonage. I don't mean it to be (although I like the service). My point is really to point out the benefit of reliable and inexpensive overseas phone calls once reliable and fast Internet is in place.


Mixed Feelings about Video Chat

One of the things I cared about (somewhat) in the transition from PC to Mac was the question of what I would have to give up. Put another way, what things work automatically and easily on a Windows machine that would not on a Mac (or Linux system). I didn't want to be spending time looking for drivers, changing settings, etc.

I've had a negative experience with video chat. For years I've used a web cam and microphone and speakers to "video chat" with friends and family around the world. In the PC world, I easily did this with a cheap USB webcam and MSN Messenger, AIM, and Yahoo Messenger. Some of the people I video chatted with have high-speed connections. Some have a terrible, 1950s phone infrastructure (Ukraine).

With the Mac I have found the following:
  • Only certain web cams will work. (The old "you don't have a driver" problem.) So, I cannot just slap in the cheapest USB cam I can find. I tried a Logitech Quickcam Zoom Digital video camera. It would not work. I added 2 "shareware" products to make it work and still no joy. I sent it back and went straight to Apple's very expensive (compared to USB cameras) iSight. It is very nice-looking. Also, it has an integrated microphone. I hated spending so much money. But, I hate wasting any more time.
  • iChat works with AIM, Jabber, and Apple's Bonjour, which is as far as I know useless to me. No Yahoo Messenger. No MSN Messenger. It's okay, I thought. I'll just run Yahoo Messenger for Mac. I didn't expect iChat to support all of them. (Adium does, as does its cousin, Gaim and the Windows-only Trillian. But, none of them support audio and video.)
  • iChat to iChat it works fine, but my friend, Michael, needed to adjust some firewall settings. iChat to iChat used our AIM accounts. It works beautifully. Again, before on the PC with Yahoo Messenger video and audio, I needed to change nothing.
  • iChat at my end with Video AIM on a PC XP box works, as long as the firewall settings are correct. At least it does in my house, between different systems. I have been unsuccessful trying with my daughter at college. Maybe their college firewall is stopping some of it in an attempt to stop file sharing sorts of things.
  • Yahoo Messenger works fine to a PC. That is, until I try to use the iSight. When I "Start my webcam," it hangs with the Spinning Beach Ball of Death (SBBOD). When I restart Yahoo Messenger and try it again, it crashes. So, so far, I cannot use iSight with Yahoo Messenger.
There are a whole lot of people struggling with this. Some say it works fine (AIM and/or Yahoo). Some, like me, are having problems. Forums are filled with discussions. This is frustrating. Shouldn't be so hard, should it?

I am going to try one of the MSN Messenger work-alikes, Mercury Messenger (previously called dMSN). I'd do it now, but my daughter is out at a play of all things! :-)

Well, a few days later, and no joy! iChat to AIM won't work.

Sven wrote to me to say:
I read on your website that you've got problems connecting to a PC from your Mac with video and audio. I have to tell you that I have no problems using iChat, while my girlfriend is using AOL IM on her Dell laptop. Only bandwidth is sometimes a problem in the connection. But we've found that it's better to use Mercury for video and Skype for audio, at the same time! Though Skype is bandwidth demanding, it works great. The thing the whole world is waiting for is that Skype will bring audio AND video conversation with other users to the Mac. It can't be long! Hope my information has been of some help.

Well, I wish I could share Sven's optimism. I was going to ask for his girlfriend's AIM name, but thought he might misunderstand. Now, I am on a quest! I can talk to my daughter on my mobile phone with no cost after 7PM and on weekends. That is not the point anymore. I want a general purpose solution. I want this to just work! (Okay... right. I've slipped into whining. But, I've not given up as it looks like Russell Beattie has.) I tried a few other things.
  • Microsoft Messenger for Mac (5.0). For some reason, with all of the MSN Messenger clients (this one and clones), the other party sees this when I type a comment: msnobj Creator="fred@avolio.com" Size="15588" Type="3" Location="TFR2C2.tmp" Friendly="AAA=" SHA1D="mPgXOm6/bnZsLmxwJ56e8lLZRis= says:~ Also, it does not have audio/video as version 7.0 does on the PC.
  • Mercury Messenger had the same goofy name for me. I could not "video conference" with a PC user using MSN Messenger 7.0, but tried "send web cam." We each could see the other's webcams. But, no audio.
  • aMSN is another MSN Messenger clone. I saw her. She could not see me. The webcam set up on my side indicated I would not only have to massage my firewall even more, but I would have to forward ports from my outside firewall to inside. Nope, sorry. I should not have to do this. And I didn't for Yahoo on the PC to get all this to work.

And the beat goes on. La-dee-da-dee-dee. La-dee-da-dee-da.

Updated: I finally got it partially working. I was able to video and audio chat with a PC running XP and AIM on my home network. Not very exciting, but a start.

It was a firewall problem at my end. I did not "just turn off the firewalls," as some places recommend. I have a firewall 1) on my Mac (that was not the problem), 2) on my aDSL modem (that may yet be a problem), and 3) on my router that connects my home network to the aDSL modem. (THAT was a problem!).

The router has a built-in "stateful inspection" firewall. There is no way to configure it; it is either on or off. I do not know what it is doing (it says, "The SPI (Stateful Inpection) Firewall protects your LAN against Denial of Service attacks. This should only be disabled in special circumstances."). But, it is inside my external firewall. So, I did disable it, trusting the other firewalls I already have.


VOIP and Vonage

I've finally gotten rid of my ISDN phone line I've had since April 1998. I had an ISDN line back then for two reasons (if I remember correctly). First, ISDN gave me a faster data connection to the Internet than regular dial-up. This was way before DSL of any type was available where I live. (I live 36 miles from the White House and 30 miles from downtown Baltimore—hardly the boondocks.) It also gave me related lines, one I used for voice and the other for fax. And the ISDN connection for data did not use either (if I remember correctly). A third bonus, but not necessary for me, though it would come back to bite me: It gave me a "foreign exchange"; I have a Columbia number though I live in a small town west of there. When I moved to two-way satellite as my "always on, high-speed Internet connection" (I used to tell people in my classes, when it came up, "It is absolutely the greatest, if you have no other choice.") I stopped using it for ISDN data connection, but kept the 2 lines to keep the numbers I had for years and because it was less expensive than ordering 2 different local numbers.

Recently, I decided to check out Vonage (pronounced "VAH-nidj," by every employee of theirs I talked to, by the way, not a French "vo-NAJ"). It seemed like a good deal. I decided to sign up for the "$14.99 Basic 500" package. I gave them my phone number, 410–309–6910, and they said they could transfer it. (There were a few caveats.) I did not try to transfer the fax number; I only get junk faxes on it and I can hook a computer up to any phone line to receive a fax in an emergency. Everyone I deal with uses e-mail.

Vonage sent me the Linksys VOIP router. They gave me a temporary, "virtual" number. I plugged everything in and it worked! The outbound calls identified themselves as being from my number (the one they were trying to get). Sweet. Inbound only worked, of course, to my new, virtual number. My old number would ring on my old line.

A few weeks later, they gave me the news that they could not transfer my number until I removed the ISDN and the foreign exchange attributes. I asked Verizon. They said to remove the ISDN, I needed to cancel the ISDN and then call residential services and ask for a new residential phone with my old number, which they would hold for 45 days. I did it and waited. Vonage contacted me again. No go. They cannot take over a disconnected line. I need to get the line back from Verizon. Then Vonage could do it. I just had to make sure it had no foreign exchange on it.

Do you see where I am going? I cannot get that number as a local number; it is not local to my home. Someone suggested I just ask a friend to register it from an address local to him. Think about that a minute. Neither Verizon nor Vonage will give me or allow me to take over a number at a different service address.

The bottom line is that I had to give up the office number I've had for 7 years, and start using a new number. I had to tell everyone who might need it, what the new number is. (I am still doing that: credit cards, banks, frequent traveler programs, etc.) Still, most people e-mail me.

I was grumpy about it for a few days. But, I am very happy with Vonage, its features, and the service.


Book Review: Just Say "No" to Microsoft by Tony Bove

On October 18, 2005 I mentioned this book and pointed to this interview with its author. This is a short review.

You might think that the purpose of this book is to promote Linux or Mac use. And you would be both right and wrong. I was on guard against Microsoft-bashing for bashing's sake. Not that it is not a temptation. Microsoft is the company that people love to hate. But most of us use it anyway (though, me to a very small degree, of late). While I think Bove does dip into Microsoft-bashing, there is still useful information here, and the bashing is not too often or blatant.

This is an excellent introduction to the alternatives available to the computer user. Bove talks about the joys of moving to Mac, the openness of the Linux world, and mostly gives the person thinking of a change the courage to try. He talks about how most of what the average user uses their computer for is available on either Mac or Linux (I will shortly blog about my positive opinion of Linux with Gnome as a replacement for Windows for anyone; I've already been raving—in a nice way—about my Mac experience). He talks about Open Office as an alternative to MS Office as well as tries to make a case for PDF as a document exchange format.
Okay, diversion. I am struggling with this. I would like to get away from "Microsoft Word as a document exchange format." I just don't know what else to do. PDF is fine—and he makes a case for it. But, it is lousy for collaboration (unless everyone has expensive Adobe products.) So, I still send plain, ASCII text e-mail. I do send ASCII when the recipient doesn't need to change it. And I did enjoy his pointing to We Can Put an End to Word Attachments, by Richard M. Stallman (January 2002), and MS-Word is Not a document exchange format, among others.

Here is the table of contents, taken from the publisher's web site.

Chapter 1: Playing Monopoly Is No Longer Fun
Chapter 2: All You Need Is a Mac
Chapter 3: Linux: Land of the Free, Home of the Brave

Chapter 4: Slay the Word and You'll Be Free
Chapter 5: De-Microsoft Your Office
Chapter 6: Media Lib: Microsoft-Free Music and Video

Chapter 7: The Message Is the Medium for Infections
Chapter 8: This LAN Is Your LAN
Chapter 9: Browsers and Your Own Private Identity

Chapter 10: Twelve Steps to Freedom from Microsoft
Chapter 11: Where Do You Want to Go Tomorrow?
Appendix: The Truth Is Out There

Just Say No to Microsoft: How to Ditch Microsoft and Why It's Not as Hard as You Think


Good-bye to AV

You may recall, in PowerBook Day 1 and Following, I said "I did install ClamXav, an open-source antivirus program. Viruses on Macs are not a problem. But, I don't want a PC virus to get forwarded in a document from my PowerBook! And the price was right. So, I learned that I just drop the ".app" file where I want it to sit, I learned how to link to it from the Desktop or the Dock (like the Task Menu in Windows)."

Recently, I read a Cybertrust "Hype or Hot" recommendation, about recent Mac OS X malware. It said, in part, "To date, there are no known cases of Mac OS X users suffering significant data loss due to a virus. However, there have been at least three separate outbreaks of data loss due to OS X users running antivirus software. In light of this, Cybertrust recommends against the use of antivirus software for most Mac users until further notice."

Good enough for me. Off it came.

Full disclosure: I am working on a contract for Cybertrust, directing their Risk Intel Team. The Mac security recommendations I get from them are a side benefit.

Some press on the subject:


Mac E-mail Again

I mentioned earlier—in Moving to the Mac, E-mail—that I had moved to using the mail application (Mail.app) on my PowerBook. I am also using IMAP, as I mentioned, connecting with my e-mail server. My e-mail is stored on my PowerBook and on the server. As I think I mentioned, one cool thing about it is I can read my mail using anything that will read UNIX mbox format and any IMAP client.

And I thought I was ready to ditch Mail.app. I found it would … occasionally … reload all the e-mail in my server's mailbox. See, on most UNIX, or Linux, systems, e-mail is deposited in a user's mailbox (for example, /var/mail/fred). E-mail clients read from there. That is what Mail (or Thunderbird) calls my "Inbox." As I delete or refolder messages, the IMAP server (I assume) or maybe just the e-mail client notes the change, and waits to update things until some opportune time. I am being nebulous here because it seems to be e-mail client specific. Logging off ("Go offline") will do it in Mail as it will in Thunderbird. (Compressing a mailbox will do the same thing in Thunderbird.)

It was very frustrating. There are some things I really like about the Apple Mail client. For example:
  • Connection with the Address Book. Very nice. Yes, Thunderbird does this with its own address book, but I sync my Palm Computer (pet peeve—there hasn't been anything called "PalmPilot" for like 10 years. US Robotics made it. I had one. Had to change the name when Pilot Pen Company complained. No joke.) with the Address Book (see Mac Calendaring and Address Book). One down side is the program's insistence on rewriting headers. If e-mail comes in from "Charlie Applerot" and I have a calendar entry for him, but it says "Charles Applerot," it uses what is in the Address Book. I don't mind it recognizing it is the same e-mail address. I don't like it changing what was in the message header. (It doesn't actually change it in the message file. But, if I reply to the message, it uses the rewritten address. This is bad behavior.) Still, the integration of Address Book is useful.
  • Smart Mailbox. This is the real cool stuff. A Smart Mailbox is one that looks at all messages that match a set of search criteria based on headers, body, attachment count, date, etc., and shows all that match in the Smart Mailbox, no matter what actual mailboxes they might be in. I automatically "folder" some mailing list messages as they come in rather than leaving them in the Inbox. I set up a "Smart Mailbox" that simply is "all unread e-mail." I also sometimes "flag" e-mail—mark it as special. (Mail does not have a list of tags like Eudora and Thunderbird have; all it has is flagged or not.) So, I have a Smart Mailbox that shows me all "flagged" mail in one virtual mailbox.
Nevertheless, I had decided with the Inbox flakiness, that Mail.app must go. I would move to Thunderbird! I spent a few hours recreating filters that I used in Mail that I wanted in Thunderbird. I worked for hours fiddling to get Address Book records to Thunderbird. (Address Book doesn't export in anything but "vcard" format. Thunderbird, correct, does not read vcard format. I used Address Book Exporter.)

I started using Thunderbird. I missed Mail.app, but as I said earlier, I had liked and recommended Thunderbird. And it's an IMAP client, so I still had plain text files on the server and on the PowerBook. Thunderbird is not as integrated with the Mac as Mail.app is (natch). It allows complex searches; Mail.app only allows them in a Smart Folder (which is not really a problem). It has seven, count them seven, "labels" for tagging messages. And I was happy.

Until the same thing happened with Thunderbird: e-mails I had taken care of—deleted, refoldered—showed up again!

Hmmmm. Maybe it is the IMAP server on Linux. Someone recommended Dovecot. Swore by it (I mean that in a nice way). I tried setting it up. I couldn't get the user authentication to work. There is no real documentation. Yes, I know. "Use the Source, Luke." I'm getting too old. Now that I have a second server on the Internet, I may try it to see if it plays nicer. Or perhaps someone can give me a clue as to where to look for what exactly is happening. Is there a setting to "only connect when downloading and sending"? Is it some mode setting on the /var/mail directory? (I tried it 755 and 1777. Same behavior.)

I am using Mail.app again. Periodically, I try to remember to "Go offline" then "Go online" again. I am settled but not fully satisfied. You know?