Monthly Archives: December 2006

As a newsreader, Windows Mail sucks worse than Outlook Express

First, let me explain briefly what a newsreader is – specifically, in this case, I mean a Usenet newsreader. Usenet is a community of systems that have chosen to exchange messages in ‘newsgroups’ organised and named as a hierarchy of topics – for instance, if you want to read about cats as pets, you’d head to the newsgroup “rec.pets.cats” – recreational, pets, cats. If you wanted to read about the biology of felines, you’d probably find a group something like sci.bio.feline – scientific, biology, feline.


If you’re not into Usenet newsgroups, you should know that they are an excellent source of information – where blogs and RSS feeds are more controlled by the individual blog author, Usenet newsgroups (or “newsfroups” as they are often called) can be added to by absolutely anyone, either to create a completely new thread of articles with a new subject under an existing topic, or to add your own comments or questions to an existing thread. [Adding a new topic – a new newsgroup – is a little harder, because Usenet doesn’t like to see multiple newsgroups on the same topic]


So anyway, I’m a hard-core newsgroup reader, like most of the MVPs – it’s a great quick way to exchange information – asking and answering questions, and keeping track of topics you’ve already addressed.


For a long time, I used NewsXpress as my favourite newsgroup reader. It still is my favourite newsgroup reader, but has dropped out of my use for a couple of reasons – first, it crashes a lot; second, it doesn’t handle multiple Usenet servers / accounts well; third, it’s not on every system I’m going to use.


Outlook Express is better at handling multiple Usenet servers / accounts, and it’s on every system I use. It doesn’t crash – quite as often as NewsXpress.


Since I have the source to NewsXpress, I keep thinking I should fix it, but I simply haven’t had the time. So I stay with Outlook Express (originally, “Microsoft Internet Mail and News”, which is why the executable is called msimn.exe).


In Vista, Outlook Express is gone – replaced with “Windows Mail”.


Windows Mail sucks in a number of ways. Here are just a few of my complaints:


  1. It should be possible (in my humble opinion) to start up a newsreader from scratch, and use the space bar to read all the way through from the start to the end of all your newsgroups. Outlook Express allowed you to select an article in the list of articles, and then space through from there – Windows Mail requires you to select the article, then set the focus to the article preview window, at which point the space bar will work.
  2. Windows Mail attempts to import all your newsgroups from Outlook Express – and all the saved articles. It doesn’t handle the possibility that you might not have cleaned out your Outlook Express folders before installing Vista, and when it runs out of space, it abandons the import, with no clear way to make it start up again.
  3. Windows Mail does not import your newsgroup account settings from Outlook Express – it imports everything except the username and password. I’ve got several accounts whose username and password I’ve completely forgotten. Now I have to contact those Usenet server owners, one by one, until I get all my accounts back.
  4. Even when I do have a record of account names and passwords, when the password is a cryptic ten character string, I can’t actually copy the string from Notepad and paste it into the dialog box that prompts for my credentials. I can understand a password box not allowing Copy, but this dialog box prevents Paste into both the User name and Password fields – crazy!
  5. When prompting for your credentials, it doesn’t remember the user name you tried last time – so if your user name is long, and you want to try a couple of possible passwords, you have to type that user name over and over again (because, after all, you can’t paste into the box).

It seems almost as if Microsoft has given me reason to find the time to resurrect NewsXpress.

ReadyBoost – swap space on a stick.

 


So, I’ve finally upgraded my laptop from Windows XP SP2 to Windows Vista.

The upgrade process itself took over three hours – the first fifteen minutes of which was basically me uninstalling the applications that the Vista installation told me would interfere with the upgrade to Windows Vista – they were the Digital Persona application that comes with Microsoft’s Fingerprint Reader, Ahead’s Nero CD/DVD burning software, and something else that I can’t remember right now, and obviously am not going to miss.

One of the neatest features of Vista that I’ve seen so far is the addition of “ReadyBoost”. Microsoft describes it as follows:

Windows Vista introduces a new concept in adding memory to a system. Windows ReadyBoost lets users use a removable flash memory device, such as a USB thumb drive, to improve system performance without opening the box.

Me, I prefer to think of it (somewhat inaccurately) as “swap space on a stick”. In programmer terms, swap space is a portion of your hard drive that is reserved for saving copies of information from memory while it isn’t needed. At the expense of a small delay when reading it back in, this allows your machine to appear to have more memory than it really does – program subroutines and user data that you aren’t using right now don’t have to hang around in memory, so you have more physical memory left for the subroutines and data that you are using right now.

Early implementations swapped any kind of data into and out of memory – later implementations (and certainly this was true at least by Windows 3.1, back in the early ’90s) marked sections of memory as “discardable” – meaning that they could be swapped in from other areas of the disk, rather than having to be stored in the swap space.

ReadyBoost could easily have been implemented as simply an external backing store for this discardable memory – that would make it “swap space on a stick” in a very real sense.

What ReadyBoost actually does is to work with SuperFetch to provide something slightly more – when a program (or other read-only data) is loaded from disk, SuperFetch can often anticipate this demand, and use idle cycles to pull the information up ahead of time – and when it does this, it also copies the read-only data to the ReadyBoost-enabled thumb drive so that it’s available quickly after it’s been swapped out – far more quickly than from the hard drive inside your machine.

Because this is data that can be rebuilt from the hard drive anyway, it’s no loss to your reliability if you unplug the thumb drive – you just slow down a little again, as you go back to the original swap space and memory relationship.

Finally, it’s even been built with security in mind. The data stored on the ReadyBoost drive is automatically encrypted with AES-128 encryption (this is an acceptable trade-off of fast versus strong). That way, even if you remove your thumb drive in the middle of working on your system, and you drop it into some malfeasant’s lap, he won’t be able to read the read-only file you were looking at, or internal details of your code.

And, of course, you can remove the ReadyBoost cache file – it’s just an ordinary file – any time that you want to use the USB stick as an ordinary disk.

So, wait for the next office supply store sale, pick up a cheap USB 2.0 storage device, insert it into your Vista PC, accept the prompt to enable it for speeding up your PC, and see how much your performance improves. [In my case, just enough to make it enjoyable.]

Finally, credit cards done right… maybe

For the longest time, I’ve been mystified at the way in which we as an information-based society conduct online transactions.


Here’s how it goes right now:


  1. Customer sends secret information (card number and maybe CVV2) to vendor.
  2. Vendor promises not to disclose information to anyone but the bank.
  3. Vendor accidentally or deliberately discloses secret information to thieves.
  4. Thieves run up huge credit card bills with other vendors (call them “suckers”).
  5. Customer reports unapproved use of credit card.
  6. Bank takes money out of sucker vendors’ accounts in the amount of the theft plus a fine. Oh, and charges a percentage of the transaction cost in both directions.
  7. Rinse, lather, repeat.

Obviously, those vendors that are accepting credit cards are complete suckers, because they get fined for accepting credit card numbers from the thieves, when of course the bank has provided them with no means of confirming the identity of the person placing the order.


It’s really obvious that the way this should proceed in an Internet-connected society is as follows:


  1. Customer identifies herself to the bank (through secret information or public key infrastructure, doesn’t much matter, because there are only two parties concerned – bank and customer)
  2. Customer tells bank what vendor they want to pay, and how much.
  3. Bank provides customer with a difficult-to-forge, non-repeatable, time-sensitive code tied to this one purchase.
  4. Customer sends code to vendor.
  5. Vendor can post code on billboards, for all anyone cares, because that code is only usable by that vendor, for this transaction, for this amount, over the next couple of days (hey, vendors are slow to cash credit card transactions).
  6. Vendor sends code to bank.
  7. Bank pays vendor from customer’s account.
  8. Vendor can post code on billboards, for all anyone cares, because that code is now not usable by any vendor, for any transaction.
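
The eight steps above, sketched as an added example (not code from the original post, and not how PayPal or any bank implements it). It assumes the code is an HMAC-SHA256 tag over customer, vendor, amount, expiry and a random nonce; `Bank`, `issue`, `redeem` and the account names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


class Bank:
    """Toy issuer (assumed design): HMAC-signed codes, each redeemable once."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret known only to the bank
        self._used = set()                   # nonces of codes already paid out
        self.balances = {}                   # account -> cents (constructed data)

    def _mac(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, customer, vendor, cents, ttl=2 * 86400, now=None):
        """Steps 2-3: an already-authenticated customer names vendor and amount."""
        if "|" in customer + vendor:
            raise ValueError("'|' is the field separator")
        expires = int((time.time() if now is None else now) + ttl)
        payload = f"{customer}|{vendor}|{cents}|{expires}|{secrets.token_hex(8)}"
        return f"{payload}|{self._mac(payload)}"

    def redeem(self, presenter, code, now=None):
        """Steps 6-7: pay the presenting vendor only if every binding holds."""
        payload, _, tag = code.rpartition("|")
        if not hmac.compare_digest(self._mac(payload).encode(), tag.encode()):
            return "rejected: forged or altered"
        customer, vendor, cents, expires, nonce = payload.split("|")
        if presenter != vendor:
            return "rejected: wrong vendor"
        if (time.time() if now is None else now) > int(expires):
            return "rejected: expired"
        if nonce in self._used:
            return "rejected: already used"
        if self.balances.get(customer, 0) < int(cents):
            return "rejected: insufficient funds"
        self._used.add(nonce)
        self.balances[customer] -= int(cents)
        self.balances[vendor] = self.balances.get(vendor, 0) + int(cents)
        return "paid"


def demo():
    bank = Bank()
    bank.balances["alice"] = 10_000
    code = bank.issue("alice", "bookshop", 2_500, now=1_000)
    altered = code.replace("|2500|", "|9900|")  # vendor inflates the amount
    short = bank.issue("alice", "bookshop", 100, ttl=60, now=1_000)
    return [bank.redeem("thief-store", code, now=2_000),  # leaked to another vendor
            bank.redeem("bookshop", altered, now=2_000),
            bank.redeem("bookshop", code, now=2_000),     # the intended payment
            bank.redeem("bookshop", code, now=3_000),     # replay after payment
            bank.redeem("bookshop", short, now=5_000)], bank.balances
```

Calling `demo()` returns the outcome of each redemption attempt along with the final balances; only the intended vendor's first, unaltered, in-time presentation is paid.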

Obviously, there’s still opportunity for fraud – if the customer or the bank share their shared secret with someone else. But then, that’s two parties who have engaged in a contract to trust one another for monetary exchange, and who have adequate reason to keep that information secret – plus, if the secret is exposed, there’s already an approved method to re-assign new secrets.


Sadly, there’s no incentive for the system to change this way – neither the customer nor the banks have any incentive to change, because they don’t lose money when credit cards are used fraudulently – it’s only the sucker vendor who loses money, and the sucker vendor has to accept credit cards, because there’s no other way to take money over the Internet.


All that is about to change, I hope.


PayPal, a division of eBay, is one of the biggest sucker vendors there can be. Clearly, they’ve gotten tired of having to pay the fees, fines, and cost of lost goods, when credit cards are fraudulently used. Because they’ve finally come up with the right way to do things!


Okay, so it’s not quite as I outlined, because of course PayPal decided to do it in such a way that a vendor doesn’t even have to know that they’re dealing with PayPal’s new scheme – the secret code is exactly a MasterCard number.


Apart from this significant problem – that vendors still have no way to ensure that they are dealing with a more secure payment means, and therefore can’t offer faster service, less chance of fraud checking triggering an alert, etc – this is a good scheme, and I want to see it proceed to fruition.


It’ll be even better if someone at PayPal wises up to the idea of providing a simple means to check that the MasterCard number provided is from the secured payment program (PayPal calls it “Virtual Debit Card” or “VDC” for the present).


This scheme, or something similar, has been operated previously by other banks and in other countries, but the fact that PayPal, a large provider, is going to adopt it means that we should be on the road to a more secure future, where vendors aren’t dunned by banks and thieves alike for credit card fraud that is beyond the vendors’ control.

Everything you need to know about EFS

Okay, so it’s not quite everything about EFS, and this post should probably be titled “shameless self-promotion”, but I’d like to take this opportunity to suggest that readers of my blog go visit my article on “Data Recovery and Encrypting File System (EFS)” over in the Microsoft Security Newsletter.


This article marks me as “MVP of the Month”, which is an impressive achievement in the same year that I won “Time’s Person of the Year”.


On a serious note, it’s full of useful and important information that you should know before you implement EFS in your organisation – it’ll help you prepare for the inevitable day when an important file is found, encrypted, under the account of someone who’s already left the company.


Go read the article – let me know what you think!

A good man who made a mistake?

According to the “Great Falls Tribune” (covering Great Falls and northern Montana), Todd Shriber is “a good person who made a real big mistake” – okay, so that’s actually a quote from Erik Iverson, chief of staff to US Representative Denny Rehberg. A more detailed report is here.


What’s the “real big mistake” made by this “good person”? Did he accidentally order a few too many reams of paper for the copy machine? Did he back into a road sign? Did he cross the road without looking both ways first? Did he send in his tax return without signing it? These are all mistakes that good people make.


No, what Todd did is to attempt, over the course of a month, to hire a hacker to break into the computers at Texas Christian University, in order to change Todd’s GPA (that’s “Grade Point Average”, a measure of how well you did on average throughout your college career). The email exchange is here, including signs that the hackers approached by Shriber told him early on that what he was requesting them to do would be a felony.


The cynic in me wonders if “a real big mistake” actually describes the ineptness with which Todd undertook the task of approaching and hiring the two ‘hackers’, and if perhaps the definition of “good person” in the speaker’s mind relates to “good to have should we engage in a campaign of skullduggery and misrepresentation”.


I really can’t stress this highly enough – honesty is one of the bases on which you can build good security and trust.


Hire a hacker to put your GPA up, and you may be exposed as a fraud like this – or, more likely, given the way criminal hackers operate, you may find your GPA is lowered, and the hacker is blackmailing you for more money to raise it, now that he’s proven he can mess with your numbers.


It’s often remarked that “you can’t con an honest man” – and while this isn’t strictly true, it’s a whole lot easier to con someone who’s willing to engage in a little dishonesty to get ahead. If you’ve engaged in dishonesty trying to achieve personal gain, and your ‘partner’ in dishonesty fools you, you’re less likely to seek (or be able to get) legal redress.


To bring this back to the topic of security, start your security policies and practices with a requirement on your users that they do what they believe to be honest and right, and that disciplinary action will be taken as a reaction to dishonesty, whether by omission or commission.


Enjoy the rest of the holidays, and be good next year.

Grisoft celebrates 15 years of success … by killing their free software. Not.

Don Patterson (aka DP) passes on a press release from GRISOFT, makers of AVG anti-virus software, noting that they are celebrating 15 years of success.


Congratulations to them, and definitely it’s wonderful to see variety in the antivirus space, but I am surprised to see one statement in the press release:


 “The AVG Free Edition and all-inclusive suite AVG Internet Security, which protects users against all common Internet risks like viruses, spyware, spam and hacker attacks, has helped raise awareness of the AVG product line.”


So, if AVG Free Edition is such a helpful marketing tool, why is GRISOFT terminating that SKU in January?


At least, that’s what I wondered when I saw the box pop up on my test machine at home.


“AVG Free 7.1 version will be discontinued on 15th of Jan 2007.” [Yeah, I’ll see if I can pop in a picture of the dialog]


I was irritated, dismissed the dialog, and carried on with the work I had to do.


It’s only while researching the blog posting you’re reading that I discover the awful truth – that GRISOFT have released a new version, AVG Free 7.5, that is downloadable from their free web site, for free, and which continues to provide free virus protection for private, non-commercial, single home computer use only.


So, again congratulations to GRISOFT for their fifteen years of continued success, and congratulations to them for continuing to support the tightwad and the impecunious alike.


But no congratulations to whoever designed that dialog, which gave me the first impression that GRISOFT were going to remove free service from many people who, if it weren’t for a free antivirus solution, would have no anti-virus solution (other than “call Alun when something goes awry”).

Clay Aiken wants my PC for Christmas

So my wife bought a Christmas CD – she likes Clay Aiken.

Aw heck, I should admit I like Clay Aiken. The “geek turned good” from American Idol, poster-boy for special-education causes, and, well, the boy can sing.


But this time, he’s gone too far – he wants to own my PC.


Say wha?


Yes, you heard me, he wants my PC for Christmas. Apparently, it’s not good enough that I buy his music and play it, he wants to make sure that I run some piece of software designed to prevent me from playing his CD in any normal media player.


Here’s the proof:


Oh, my word – an “appropriately configured computer”? What they mean is “a computer set to auto-run anything you slam in the drive, and with you logged on as administrator, so that it’ll run our software and take over your machine before you get a chance to listen to the golden-throated, tousle-haired nerd-boy whom you paid ten good bucks to listen to”.

But these guys can be trusted, right? How about I follow the link and see what they have to tell me to reassure me that they are acceptable custodians of my computer. What do I see?


“It has come to our attention that a security vulnerability may exist with regard to Version 5 of SunnComm’s MediaMax content protection software.”


Later, these hypocrites even have the nerve to tell me how bad it is that Apple won’t make it easy to move their tunes from their copyright protected CDs to the iPod.


So, as you guys know by now, if you’ve been reading my blog, I really dislike DRM for home use – so I’m returning Clay’s CD.


Clay doesn’t need to own another PC, and he certainly isn’t getting mine – has he got yours?