How To Subscribe and Unsubscribe is at the end of this note. Mailing List Trouble? See http://langa.com/help.htm
Questions about the advertisers? See the end of this note. Please also see legal notices at the end of this note. LangaList: ISSN 1533-1156

Please recommend the LangaList to a friend! (And maybe win a prize!)

An easier-to read formatted HTML version of this newsletter is available
<a href=" http://langa.com/newsletters/2004/2004-12-06.htm ">here</a>

The LangaList
Standard Edition

2004-12-06

A Free Email Newsletter from Fred Langa
That Helps You Get More From Your Hardware, 
Software, and Time Online

Please visit our sponsors and help keep the LangaList S.E. free!

1) Norton AntiVirus Scripting Vulnerability

You may have seen the news that buzzed around the security community several weeks ago: Daniel Milisic posted a sample script that illustrates how easily Symantec/Norton Antivirus' ("NAV") script blocking can be defeated. His sample script does the following:

1) Sets the NAV Auto-Protect Service to "DISABLED"
2) Sets a registry key to uninstall Script Blocking
3) Creates, launches a VBScript file to download a harmless demonstration program (in real life, it could be a virus/worm/etc.)
4) Launches the demonstration program
5) Reboots the PC

The danger, of course, is that a malicious user could craft a tool like this, perhaps disguised as something benign or desirable (a classic "Trojan" hack), to download a destructive or invasive program instead of the harmless demonstration file. What's more, Milisic's sample script is remarkably simple, using no exotic techniques or advanced tricks: It's fully within the skill level of "script kiddies" and other non-professional programmers.

Milisic backed into the whole subject more or less by accident when he was writing some web-page scripts, and wanted to find a graceful way to deal with Script Blockers like Norton's. Instead, he found it was almost trivially easy to completely disable the blocking.

To get the word out, he posted four notes on various security-oriented discussion boards. His posts include a link to a video file of the exploit (so you won't have to experiment on a live PC to see it for yourself) and a long quote from Symantec, containing their response.

That response, while not exactly brushing off the demonstration scripts' import, does downplay it; pointing out that the exploit requires at least some level of user complicity: The user must be operating in an account with Administrator rights, and must somehow launch the initial script.

Milisic regards this response as inadequate because most users do run with Admin privileges; and--- as we all know from the proliferation of email-borne worms and viruses--- people do click when they shouldn't.

Who's right? Well, strictly speaking, Milisic is: The scripting problem seems real. But more generally speaking, there's not much that Symantec--- or anyone--- can do about misbehavior on the part of users. For example, way too many people don't create a safer, less-privileged account for routine PC use and instead run all the time in a fully privileged, Admin-level account. This is risky, as any compromising of this account puts the entire system at risk. Plus, many users seem to click on every random email attachment they get, even though they know it's very dangerous to do so until and unless you know what's really in the attachment.

And Symantec certainly isn't alone. For example, firewall vendors face problems caused by user actions or inactions that trigger outbound "leaks" through the firewall. In some recent tests, not a single one of the 10 tested firewalls passed all the "leak tests," and they all failed two of the tests!

Anti-Spyware tools? Same thing. Numerous tests show that no tool catches every form and instance of spyware, all the time.

And it's the same with all other types of security tools, too: There is no tool that's perfect; and no tool that can't be defeated, broken, or disabled in some way, under the right circumstances. So, I don't think it's entirely fair to ream out Symantec for their problem: It's simply not reasonable to expect software perfection or invulnerability. Again, no security tool is perfect; all security tools can be defeated.

That might sound like a grim assessment, but it's not. In fact, you can infer from it a simple, reliable solution to almost all the problems and limitations with NAV, firewalls, and other security tools.

And that's the basis of the new article at http://www.informationweek.com/story/showArticle.jhtml?articleID=54800003 . There, I'll provide you direct links to Milisic's posts (including the demo video and Symantec's reply); link you to the firewall and anti-spyware tests mentioned above so you can see how your own favorite security tools performed; I'll show you what I think is the very best way to set up your PCs defenses--- a way that helps ensure that a weakness, problem, or failure in a security tool won't leave you excessively vulnerable. (This is the method I use on my own PCs.) Just as important, I'll also discuss what *not* to do: Bad approaches to PC security that might seem OK at first blush, but that may actually make things worse in the long run.

Click on over to http://www.informationweek.com/story/showArticle.jhtml?articleID=54800003 to see how your current security tools fare; and to see the method I've found to give excellent results for beefing up a PC's defenses.

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

--- ( Your Clicks On Ad Links Help Keep The LangaList S.E. Free! ) ---

$12 For A Full YEAR!

"Thank you for providing this service for a reasonable price.
Your information saves me hours, days and probably years of my life
having to do all of the research and trial and error myself!"--- Lorna McCafferty

Thanks, Lorna!

The LangaList Plus! Edition is ad-free, spam-proof,
and contains even more content--- tips, tricks, advice, downloads....---
than the Standard Edition you're now reading.

Just $1 a month!

http://langa.com/plus.htm

--------------( the above is an advertisement )--------------

2) How Private Is Email?

Hi Fred. Maybe you can help with this concern. Where I work (a state agency) there is a lot of use of e-mail with hundreds of community agencies for communications. Sometimes this might include confidential information. It has been my understanding that email is not a secure method of sending confidential information and I have asked that it should only be sent as an encrypted attachment. We are concerned about both breach of confidentiality and potential identity theft of individuals concerned in the messages. Is email more private than I believe? Would you entrust your name and social security number and other confidential information to an email that was not encrypted? I wouldn't unless I had it on good authority (such as you) that it's a lot more secure than I thought.

Many thanks for your help on many occasions. --Ken Dooley

Email is neither secure nor private. First, there are problems with misdelivery and nondelivery. In the former case, the wrong person gets the email either because of human error (typos, clicking "send" at the wrong time, picking the wrong name off a contact list, using "reply all" instead of reply, etc.), or more rarely through a software problem.

Nondelivery is a even worse problem: With all the spam filters in play at the ISP, server and desktop level, the odds are very, very high--- as much as 30-40%) that initial communications may never be seen by the intended recipient. (See "E-Mail--Hideously Unreliable" at http://www.informationweek.com/story/showArticle.jhtml?articleID=17300016 ). Delivery rates improve once both the sender and receiver get each other whitelisted so their respective spam filters let each other's mail through, but getting that initial contact started is a killer. Therefore, relying on email for very important content is inherently risky.

As for outright snooping, while the odds are low that some unauthorized person will read any given email, the flip side is that if someone really wants to, it's not that hard to do. Oddly, the problem isn't so much technological as societal. This will take a moment to explain, so please bear with me:

Email almost never goes directly from sender to recipient. Instead, it's usually stored, albeit briefly, on at least two mail servers along the way, and maybe more; and will also pass through a large number (10-30 is common) of other computers, routers, and similar hardware along the way. US courts have recently ruled that email stored on a mail server (and that includes email passing through one mail server on its way to another, "stored" on the intermediate server for only a fraction of a second) is not protected by wiretap laws originally designed with telephone conversations in mind. This is a brand-new ruling (about a month ago), so the ripple effects are still being sorted out, but in essence, it looks as though an email communication may be legally about the same as a conversation you have on a busy street corner: You can have no reasonable expectation of privacy, so anyone who overhears the conversation--- or reads the email--- isn't breaking any law.

The original intent of this legal change was for law enforcement: Along with the provisions of the Patriot Act, the idea was to make it easier for police and government bureaucrats to look freely in places that used to require a warrant.

Regardless of how you feel about that, the unintended consequence of this may be enormous. One example: If your email no longer has any legal privacy protection, what's to prevent an ISP from, say, selling his mail server's backup tapes to a spammer, who could then mine the addresses *and content* for likely spam targets and topics? If your email is now no more legally protected than a conversation on a public sidewalk, I don't know what recourse you'd have at all.

In short: It's a mess, and is still sorting out as the laws are changed and privacies removed. But the bottom line is that email is now less private than ever, and is NOT a good medium for sensitive material unless you take additional precautions:

Here is a fourfold solution that can help make it better:

First, don't trust email much at all for initial (first contact) communication; make sure you really can get through to your recipient before you have any trust at all in email.

Second, work carefully to avoid mis-addressing, accidental "reply all" emails, and other common user error.

Third, don't use plain-text email for anything sensitive, private, or proprietary: Instead, either encrypt the whole email, or use the email as a "wrapper" or envelope for the real message, which you can send as an encrypted file attachment, perhaps using something like WinZip's Compress/Encrypt option. An encrypted email or attachment will keep the message contents markedly safer from all but the most sophisticated snooping.

Fourth, pick your email provider (usually your ISP) with care: In the future, much of your email privacy may come to depend as much on his or her inherent ethics as on their tech skills.

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

3) Old DOS Tools OK In XP?

Fred: I read each Plus issue closely, and learn much from each.  Thanks for it.

On Dec. 1 ( http://langa.com/newsletters/2004/2004-12-02.htm#3 ) , you said: "... I think XP is currently the best-available general purpose OS."  My question:

I continue to make extensive use of several DOS progams... I'm currently using W2k, which of course supports DOS.

Is there a way -- if I were to go to XP -- in which I could continue to use my DOS programs (other than dual-boot)?  Does XP have an effective DOS emulator, or is such a DOS emulator available separately?  Would I have to format my HardDisk in NTSF (which DOS can't read or write), or could I run XP on FAT32-formatted HDD?

Your advice on whether and how those of us who are not ready to abandon our DOS programs can (or cannot) graduate to XP would be most helpful. ---Eric Stork

XP is actually better at supporting older software than is Win2K, so if your stuff runs in Win2K, it almost surely will work in XP. XP can read DOS disks (FAT32) fine; and can even be installed on a FAT32 hard drive, if you don't want to use NTFS.

The confusion about DOS support mostly arises with ancient DOS software that directly takes over part of the PC (say, the disk drive or the video display) for itself. This kind of DOS software will never work in NT, Win2K or XP:

NT/2K/XP gain their deserved reputation for stability in part because they don't let *anything* directly talk to the hardware. Instead, these OSes protect the hardware by mediating all software requests: This way, if one program asks for, say, hard drive access but then that program has a problem or crashes, only that program itself is affected. The OS won't be affected because none of *its* parts crashed. And the drive won't be affected because the program never talked directly to the drive. (I've oversimplified things here for brevity, but that's the gist of it: Problems in running programs are much more isolated in NT/2K/XP; and far less likely to take down the whole OS or other running software.)

So, software of a very old design that requires that the software have direct, unmediated access to the hardware won't run in NT/2K/XP. But most other software--- even lots of ancient DOS software--- will run just fine. You can use the resources at http://www.microsoft.com/windowsxp/pro/upgrading/checkcompat.mspx to see a list of XP-compatible software (and hardware).

And as a final thought: the Virtual PCs we've been discussing ( http://www.google.com/search?as_q=vpc&as_sitesearch=langa.com ) offer yet another way to run older software on a dedicated virtual machine, inside your main OS. You can even run an old DOS setup, live, inside the VM; no dual-boot required!

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

4) More on Add/Remove Menu Fixes

The item "Missing 'Add/Remove' Menu Items" ( http://langa.com/newsletters/2004/2004-12-02.htm#2 ) brought a flood of email, some containing information I'd never heard of anywhere before. A brief sampling:
 
Fred, Just read your item on the above in the 12-02-2004 newsletter, and thought you might enjoy my similar problem.  On my XP laptop I was wanting to remove a program and went to the Add/Remove window. The list showed the first two programs which started with "A"and then it appeared that no others were shown, even though I knew that there were plenty more. It turned out that between the second and third program listing was a HUGE blank space that occupied the space that several hundred programs would take. When I click on that "empty space" between the second and third program, the "space" highlights, but I can't do anything to get rid of it. So, tell Karen Carter to scroll down, WAY DOWN, in her add/remove window and the rest of her programs may still be there. Great newsletter! ---Mark Major

Fred: There is another issue with Add/Remove that I discovered by accident. We use AutoCAD 2000i on the network and I noticed that those who had it their Add/Remove list ended there.  Guess what there was a slider bar on the right and if you pulled it wayyyyy down you could find your other programs below a huge empty spot. AutoCAD2000i  apparently required a lot of space.  Uninstalling and re-installing cleared this malady. Word to the wise look for a slider bar to make sure it is at the bottom. ---Peter Jam

(see next item, too)

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

5) Free Tools Assist In Add/Remove Cleanup

Several readers (thanks, guys!) sent in this link to Microsoft's free "Windows Installer CleanUp Utility," which can help unravel the problems caused by failed, broken, or aborted installations of some software: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301 . The software can cure several kinds of trouble, including orphaned entries in the Add/Remove list (see previous item).

And there's this:

I find that the Add/Remove Pro program can be a help in removing and finding [bogus] entries in the registry.  It is freeware from http://www.superwin.com/ ---Burton K Smith

Thanks to all who wrote in!

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

6) Three Winners!

"Sbattles," "Ian.Standing" and "mjw1029" each won a FREE full one-year subscription to the LangaList Plus! edition by using the "Recommend To A Friend" form at http://langa.com/recommend.htm .

You see, each month I choose three winners of a FREE ONE YEAR SUBSCRIPTION to the LangaList Plus! edition. To have a shot at winning, just use the following link to recommend the LangaList to a friend. Your friend just may find a new source of useful information; I just may gain a new subscriber; and you just may win! (Full details also available via this link): http://langa.com/recommend.htm

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

7) Remote-Control Open/Close CD Trays?

Hello Fred, I have large Dell Desktop PC which sits on the floor, a long reach to push the *open/eject* button on my two CD players (one a DVD the other a burner). Sometimes I hit the wrong button on the player and end up opening the bottom player when I wanted to open the top! Very frustrating!

Is there a small utility I could use that would *open/close* one or both of the players for me? Hope this makes sense. Thanks! ---Judy Davies

Sure, Judy. The tiny, free Wizmo applet from Steve Gibson ( http://www.grc.com/wizmo/wizmo.htm ) does that, along with several other useful and interesting functions. (I use Wizmo for automatic reboots of my PC; including "forced shutdowns" when some piece of software just doesn't want to quit: http://www.google.com/search?as_q=wizmo&as_sitesearch=langa.com )

Once Wizmo is on your system, you can use the commands

wizmo open={drive:}
wizmo close={drive:}

to open or close any CD. For example, if your CD is the D: drive, the command

wizmo open=D:

will slide the tray out, no hands. <g>

You can create two batch files: Place the command (eg "wizmo open=D:" without the quotes) in a plain text notepad file, save the file to your desktop, and rename it to something like OpenD.bat . You now have a simple batch file you can click on at will to open the D drive. Do the same thing to create a CloseD.bat and you'll be all set!

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

8) They Loaded The Code

Do you have a home page or website? (It doesn't matter what size.) Please click over to http://langa.com/code.htm , and maybe you can join the hundreds and hundreds of LangaList readers who have "Loaded the Code!" (If you've already "Loaded The Code" and are wondering if your site will appear here or on the Langa.Com web site, please see http://langa.com/link.txt )

Speaking of which: Here's another eclectic sample of reader sites--- some professional, some very personal:

View A Randomly-Chosen Reader Site From Among All Listed
http://langa.com/randomlink.htm

Manually Browse All Posted-to-Date Sites Starting At
http://langa.com/readersites.htm

Task Tracker
http://tasktracker.wordwisesolutions.com/

Conference software
http://conferencemonster.com

Got Dirt?
http://www.geocities.com/hilltownriders/

Arabian Knight
http://www.arabian-knight.com/

Jaspers Family in Australia
http://people.mail2me.com.au/~jasan/

Guy Hubert
http://www.guybert.com/

KY lending
http://www.kylending.com/

Gail's Cornucopia
http://www.homegail.com/index.html

An online mid-life crisis
http://jackeber.blogspot.com/

Freeware and Website Reviews
http://www.xanga.com/home.aspx?user=clifnotes_newsletter

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

9) A Favorite Tool Of Fred's Gets Updated

I've written about "Advanced Find and Replace" in the past ( http://langa.com/u/6w.htm ); a buy-once, upgrade-free tool that I use almost every day. Not only is it a fast, brute-force Boolean find utility, but it also can selectively replace text: words, phrases, even whole paragraphs of text. It's very handy when working on web sites, for example: it lets you make many repetitive find/replace operations with ease.

There's a new version out, and I just downloaded it (as a registered user, I get the update for free). AFR is now a full-featured file renamer as well, letting you replace text not only inside file bodies, but also in file names. They also added a "Backup files" option so that the utility will automatically create a .BAK copy of any file it's about to change, making it easy to roll back search/replace operations that don't end up being what you want.

If you do repetitive find/replace operations, it's really worth a look: http://www.abacre.com

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

10) Just For Grins

Several readers sent in an ancient-looking B&W photo that must be making the rounds. It purports to show the RAND Corporation's 1954 design for a home computer. It shows a man in 1950's-era garb standing next to a huge bank of switches and levers and a large-diameter metal steering wheel of some kind. A giant teletype is in the foreground, and a primitive console-type TV is mounted high on the wall. the caption, which trails off in mid sentence, says:

Scientists from RAND Corporation have created this model to illustrate how a "home computer" could look in the year 2004. However the needed technology will not be economically feasible for the average home. Also the scientists readily admit that the computer will require not yet invented technology to actually work, but 50 years from now scientific progress is expected to solve these problems. With teletype interface and the Fortran language, the computer will be easy to use and only

The photo is amazing to see, and at first glance seems real. But then some of the details in the photo and caption may start to gnaw at you and you get that "Hey, wait a minute..." feeling.

In fact, the whole thing is a hoax. You can see the amusing photo and the very informative explanation: http://www.snopes.com/inboxer/hoaxes/computer.asp

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

11) Plus! Edition Highlights:

• Flash + Smoke = Dead PC
     (reader's power supply problems, and cures!)
• Huge "Secret Toolkit" For W98 Users
     (most users never heard of it, but it's there, and free!)
• Drive Letters First In Drop-Down Menus
     (easy tweak simplifies XP navigation!)

You can't lose! The Plus! edition is only pennies per issue, and comes with a MONEY BACK GUARANTEE from Fred.

Plus! Edition info: http://langa.com/plus.htm 

Click to email this item to a friend
http://langa.com/sendit.htm

return to top of page

(Give a HOLIDAY GIFT subscription to the LangaList Plus edition!
Click <a href= " http://langa.com/plus_gift.htm ">here</a>)

See you next issue, 2004-12-09!

Best,

Fred
( Editor@Langa.Com )

Please recommend the LangaList to a friend! (And maybe win a prize!)

An easier-to read formatted HTML version is available in the "Current Issue" section of http://langa.com.  (The HTML version of each issue normally is available by 9AM EST [UT-5] of the issue date.) All past LangaList issues are also available at the Langa.Com site.

return to top of page

Administrivia:

UNSUBSCRIBE (instant removal!): http://langa.com/leave_langalist.htm

SUBSCRIBE (it's free!): http://langa.com/join_langalist.htm

CHANGE ADDRESS? LIST TROUBLE? HAVE QUESTIONS? OTHER PROBLEM? NEED HELP? See http://langa.com/help.htm

This newsletter is SPAM PROOF and requires two levels of subscriber confirmation before delivery begins: See http://langa.com/info.htm

About the advertisers: http://langa.com/privacy.htm#ads

Disclaimer: http://langa.com/legal.htm  In brief: All information herein is offered as-is and without warranty of any kind. Neither Langa Consulting LLC, nor its employees nor contributors are responsible for any loss, injury, or damage, direct or consequential, resulting from your choosing to use any information presented here.

This newsletter is a service of Langa Consulting LLC and is Copyright © 2004 Fred Langa / Langa Consulting LLC. All worldwide rights reserved. LangaList: ISSN 1533-1156

return to top of page