Tech Giants Team to Fight Spyware

March 8, 2008 – 4:12 PM

The Anti-Spyware Coalition (ASC), a group of IT companies and public interest groups, is hoping to succeed where a previous vendor organization failed in tackling the global problem of spyware. The ASC released an agreed-upon draft definition of spyware this week that it hopes will promote public comment and ultimately result in users becoming better educated about the dangers of spyware.

The Consortium of Anti-Spyware Technology Vendors (Coast), initially drawn from the security software vendor community, fell apart in February after a failed 16-month effort to coordinate its members’ conflicting goals and an ongoing debate over admitting companies that created spyware. The ASC, convened by the Center for Democracy and Technology, has a much wider membership than Coast.

ASC members include the likes of America Online, Computer Associates International, Hewlett-Packard, Microsoft, and Yahoo, along with McAfee, Symantec, and Trend Micro, and anti-spyware specialist vendors Aluria Software and Webroot Software. The organization also numbers the Canadian Internet Policy and Public Interest Clinic, the Cyber Security Industry Alliance, and The University of California Berkeley’s Samuelson Law, Technology, & Public Policy Clinic among its members.

The ASC was formed in early April, after a number of companies approached the Center for Democracy and Technology about forming a group to combat spyware. The organization’s Web site went live this week.

Ari Schwartz, associate director of the Center for Democracy and Technology, has been heading up the ASC’s work. He says that the new anti-spyware consortium has learned from Coast’s experience. “The main difference between us and Coast is that we’re trying to help anti-spyware companies communicate better together and with consumers,” Schwartz says. “Coast was more about communication between anti-spyware companies and software publishers.”

Cause for Concern

One fear the ASC has is the potential harm spyware could be having on consumers’ Internet behavior, Schwartz says, as indicated by last week’s Pew Internet & American Life Project survey. The study revealed that 91 percent of Internet users polled have changed their behavior online to try and avoid being attacked by spyware and other unwanted technologies.

Spyware isn’t only plaguing consumers. “What we’re hearing from companies is that spyware is starting to become a bigger enterprise problem,” Schwartz says, pointing to the recent multimillion dollar contract for anti-spyware technology issued by the U.S. Department of Defense.

“We’d like to see more enforcement actions,” Schwartz says, adding that the ASC hopes to improve communications between anti-spyware vendors and law enforcement to track down spyware companies. A commissioner from the U.S. Federal Trade Commission (FTC) attended the ASC’s Washington, D.C., meeting.

The ASC is inviting public comment for the next month on documents it released this week. “We’re just trying to get a foundation down,” Schwartz says. The documents include a list of spyware and other potentially harmful technologies aimed at users, a glossary defining commonly used terms relating to spyware, and safety tips about how to protect against spyware.

There’s also a process laying out how to resolve disputes if a vendor believes its software has been wrongly tagged as spyware. Previously, each anti-spyware company worked on developing its own process, and spyware companies would try to play off one anti-spyware company against another using their various dispute processes, according to Schwartz. “We’re leveling the playing field so that anti-spyware companies spend less time talking about the [vendor dispute] process and more time on how to tackle spyware,” he says.

Spyware can be defined two ways, according to the ASC. “In its narrow sense, spyware is a term for tracking software deployed without adequate notice, consent or control for the user,” the organization states in its glossary. However, spyware is also used as an umbrella term encompassing not only its narrow definition, but also other “potentially unwanted technologies,” the ASC adds, including harmful adware, unauthorized dialers, rootkits, and hacker tools.

In its anti-spyware safety tips document, the ASC has six major recommendations for users to defend themselves against spyware. The organization suggests that users keep the security on their computers up to date; only download programs from Web sites they trust; familiarize themselves with the fine print attached to any downloadable software; avoid being tricked into clicking dialog boxes; beware of so-called “free” programs; and use anti-spyware, antivirus, and firewall software.

Come August 12, ASC will review and respond to all the comments it has received, Schwartz says. The organization will then meet toward the end of August and produce a final document. “The next step is to do risk modeling, help companies make decisions about what they flag as spyware, what’s their objective criteria for flagging, and work on best practices,” Schwartz says.

http://www.pcworld.com/news/article/0,aid,121810,tk,dn071305X,00.asp

Giving New Meaning to Spyware

March 8, 2008 – 4:11 PM

Supreme Court Justice Potter Stewart famously said that he couldn’t define obscenity, but that he knew it when he saw it.

The same has long been the case with spyware. It’s not easy to define, but most people know it when parasitic programs suck up resources on their computer and clog their browsers with pop-up ads.

Recognizing that one person’s search toolbar is another’s spyware, a coalition of consumer groups, ISPs and software companies announced on Tuesday that it has finally come up with a mutually agreeable definition for the internet plague.

Spyware impairs “users’ control over material changes that affect their user experience, privacy or system security; use of their system resources, including what programs are installed on their computers; or collection, use and distribution of their personal or otherwise sensitive information,” according to the Anti-Spyware Coalition, which includes Microsoft, EarthLink, McAfee and Hewlett-Packard.

The group hopes the definitions will clear the way for anti-spyware legislation and help create a formal, centralized method for companies to dispute or change their software’s classification.

“One of the biggest challenges we’ve had with spyware has been agreeing on what it is,” said Ari Schwartz, associate director of the Center for Democracy and Technology, which has led the group’s work. “The anti-spyware community needs a way to quickly and decisively categorize the new programs spawning at exponential rates across the internet.”

The lack of standard definitions of spyware and adware has doomed federal and state legislation and hampered collaboration between anti-spyware forces.

In a colloquial sense, spyware is used to refer to a whole range of programs, including unwanted browser toolbars that come bundled with other downloads, surf-tracking software that generates pop-up ads, and software that tries to capture passwords and credit-card numbers.

Software companies like Claria, which distribute their pop-up advertising software by bundling it with free programs such as peer-to-peer software, adamantly deny their products are “spyware.” They point out that users can usually find a definition of the programs’ effects deep in the user agreement.

It is unclear what effect the new definitions will have on current anti-spyware programs, such as Lavasoft’s Ad-Aware and Microsoft’s free AntiSpyware tool.

Recently, Microsoft downgraded the default program action for Claria’s software from “Remove” to “Ignore,” which prompted widespread criticism.

Microsoft responded by saying that it had changed the handling of “Claria software in order to be fair and consistent with how Windows AntiSpyware (beta) handles similar software from other vendors.”

Microsoft is in negotiations to buy venture-capital-backed Claria, according to The New York Times.

Ben Edelman, the country’s foremost spyware researcher, questions whether the new definitions are simply there so that adware companies can find a way to get a stamp of approval for their software.

“From the perspective of users whose computers are infected, there is nothing hard about (defining spyware),” Edelman said. “If you have adware or spyware on your computer, you want it gone.

“Maybe the toolbar is Mother Teresa, but it’s Mother Teresa sitting in your living room uninvited and you want her gone also,” Edelman said. “You don’t need a committee of 50 smart guys in D.C. sipping ice tea in order to decide that.

“The question is, what do you want to do with it? If you had a consensus of 100 computer-repair technicians or Bill Gates himself, what would they say to do?”

http://www.wired.com/news/print/0,1294,68167,00.html

Securing Wi-Fi Networks Doesn’t Have To Be Painful

March 8, 2008 – 4:10 PM

Years ago, in a strip drawn by the great cartoonist Walt Kelly, the characters were following a set of mysterious footprints through the swamp in which they lived. Finally, one of the characters, Pogo, a little opossum, realized that the footprints were their own. That’s when he made his much-quoted statement: “We have met the enemy,” he declared, “and he is us.” To a great extent, it’s the same scenario with wireless security today. The problem isn’t exactly the technology; the problem is us. We want to be conveniently safe.

Finding the middle ground between security and convenience can be tricky. You can design a wireless network to be quite secure, but doing so can make it hard to use. On the other hand, you can design it so that it’s really easy to use, but then it’s not completely safe. This conundrum has been acknowledged by the industry, of course, and that’s why wireless security issues are big topics with vendors at recent trade shows including Interop and RSA.

Fortunately, though, you don’t have to pick ease of use over security, or vice versa. The right balance depends on what you’re trying to accomplish. I was reminded of this recently when visiting two people. One, my daughter, is a teacher who (like teachers everywhere) does a lot of her work at home. She has to protect the information about her students from prying eyes. The other is a friend who runs a small business from her home. She has a server that holds client information, business records and accounting information. This information needs to be protected carefully.

The thing is, both want to use wireless networks. When they asked me about protecting things, I led them through some steps that I’ll share with you. These steps will be a little less convenient than just using plain ol’ naked wireless. But they won’t be all that bad.

Secure the assets

The first thing you should remember about the current state of wireless security is that despite what the vendors would have you believe, there are holes. Maybe not big holes, but holes nonetheless. WEP encryption, you probably know, has been compromised. VPN passwords may be transmitted in the clear. While there have been no reports of the stronger WPA encryption being compromised, not everyone can use it.

So the first step is to attach important network assets, such as your server, to the hard-wired Ethernet ports on the back of your wireless router. And if you’re doing something really important on your laptop, you might want to think about attaching that with a cable instead of using wireless. While you’re at it, make sure that anything you have connected to the network is running a personal firewall, such as the one Microsoft includes with Windows XP. Or use something better such as ZoneAlarm from Zone Labs.

The second thing to keep in mind is that if you can see your neighbors, they can see you. So before you start using wireless, it pays to use the search feature that comes with most wireless products. It might be called “Site Survey” or “Search for Wireless Networks” on your computer. Click on that, and see what networks are out there. If you see quite a few, you should be paying close attention to making sure you use a secure connection on your wireless network.

Get WPA or WEP at least

Once you’ve done all of that, you need to make sure that the computers on your wireless network will understand WPA encryption. Not all will. Users with technology older than 802.11b may not be able to use WPA, and may not be able to update their products sufficiently, so they may need to replace it if they have to use WPA. If there are only a few PCs/laptops to deal with, consider upgrading. While your business activities might not be confidential, you likely have customer records (at least) that must be kept private. If you just can’t accomplish WPA encryption, then until you upgrade, WEP is better than nothing as it does provide some encryption protection.

When you set up your wireless network, make sure you use non-obvious keys to enable it. If you enter the key directly, a string of zeros followed by a one isn’t going to do. If you enter a passphrase, your company name probably isn’t the best choice.
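As an added example (not part of the original article), here is a small Python check for the key advice above. It assumes the standard key formats: 10 or 26 hex digits for WEP, and 64 hex digits or an 8 to 63 character passphrase for WPA. The function names, the organization-name list and the 12-character minimum are illustrative choices.

```python
import secrets
import string

HEX = set(string.hexdigits)
# Key lengths in hex digits: 40-bit WEP, 104-bit WEP, 256-bit WPA pre-shared key.
HEX_KEY_KINDS = {10: "WEP-40", 26: "WEP-104", 64: "WPA-PSK (hex)"}


def classify_key(key):
    """Return the key format, or None if it fits no WEP/WPA format.
    A string with a hex-key length made only of hex digits is treated as hex."""
    if len(key) in HEX_KEY_KINDS and set(key) <= HEX:
        return HEX_KEY_KINDS[len(key)]
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "WPA passphrase"
    return None


def longest_run(key):
    """Length of the longest run of one repeated character."""
    best = run = 1
    for prev, cur in zip(key, key[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def audit_key(key, org_names=()):
    """Return a list of problems; an empty list means no obvious weakness."""
    kind = classify_key(key)
    if kind is None:
        return ["not a valid WEP or WPA key format"]
    problems = []
    if kind.startswith("WEP"):
        problems.append("WEP is compromised; use WPA where the hardware allows")
    if longest_run(key) > len(key) // 2:
        problems.append("mostly one repeated character")
    if len(set(key.lower())) < 5:
        problems.append("too few distinct characters")
    # Compare with punctuation and spacing removed, so "Acme-Widgets" still matches.
    squashed = "".join(c for c in key.lower() if c.isalnum())
    for name in org_names:
        needle = "".join(c for c in name.lower() if c.isalnum())
        if needle and needle in squashed:
            problems.append("contains the name %r" % name)
    # The 12-character floor is an assumption of this example, not a standard.
    if kind == "WPA passphrase" and len(key) < 12:
        problems.append("passphrase shorter than 12 characters")
    return problems


def random_passphrase(length=20):
    """Generate a WPA passphrase from letters and digits using a CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample keys: the article's "zeros followed by a one" and a company name.
    for sample in ("0000000001", "Acme Widgets 2005", random_passphrase()):
        print(repr(sample), "->", audit_key(sample, ["Acme Widgets"]) or "no obvious weakness")
```
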

Once you decide where you want your wireless router or your wireless access point (the main office room, the living room), you need to pick a good location to ensure a good strong signal. This is important not only because people are annoyed by unreliable connections, but also because a computer connected to a weak connection can find itself associated with (that’s wireless talk for “connected to”) a stronger signal, frequently with little warning. That stronger signal could be from someone who wants to gather information about you or your company.

If you find a few weak spots, the best solution is probably to use a Wi-Fi repeater. Some access points can perform this function, or you can buy a device specifically designed for that purpose (D-Link calls them “Range Extenders”). You should use a repeater that’s from the same manufacturer as your wireless router. While they all should work with each other’s products, the fact is that they frequently don’t.

Ensuring the perimeter is secure

Once you’re satisfied that you’ve taken care of everything inside, take your wireless laptop outside and walk around to make sure you’re not sending signals too far from your building or home office. You don’t want bad guys parked on the street sniffing your signals and trying to break in. If you do find strong signals outside and away from areas that you control, consider relocating the wireless routers. They should be away from exterior windows, for example. You might need to check for weak spots and outside coverage several times before you get it right.

Once you’ve done all that, it’s time to add users to your wireless network. Just have them discover your network, tell their computers to connect, and give them the encryption key. Once you have everyone connected, you’ll find that their computers will always connect first to your wireless device because it’s secure and they have the key.

At first look, these various steps may seem like a lot of trouble, but in reality, each of these tasks is fairly simple. What’s good is that you and every user will have a better wireless experience with fewer security worries. What’s more important is that once you’ve set up the network so it’s secure, it adds no inconvenience. Users will connect just as they always did. And you’ll be able to avoid being your own worst enemy.

http://www.networkingpipeline.com/worksforme/164302040

Checking out AAC and MP3

March 8, 2008 – 4:09 PM

RA and M4A are container formats for music used by Real Networks and Apple, respectively, in their downloads. The actual formatting of the music is done with AAC, which stands for Advanced Audio Coding. AAC, for these two brands, has taken the place of MP3s.

Many feel AAC will supplant MP3s. The latter standard is more than 10 years old. Many discoveries about compression have been made in that time. The fact that MP3 has hung on for so long is a testament to its quality. But it’s probably time for a change.

According to Chris Rimple, group program manager for the RealPlayer, Real’s music downloads are recorded at 192 kilobits per second. Typically, MP3s are recorded at 128 kbps, which is considered CD quality. So Real’s AAC recordings have 50 percent more information, which should make them more accurate. But the files are smaller than MP3s, Rimple said, because AAC is more efficient.

Apple, meanwhile, says AAC recorded at 128 kbps is not distinguishable from the original music. It also says that when AAC and MP3 are recorded at the same bit rate, AAC sounds much better.

Given the perceived advantages of AAC and the fact that MP3 is old, I think we’ll be seeing much more of AAC in the future.

http://www.komando.com/tips_show.asp?showID=7245

The Lowdown on 64-Bit Windows

March 8, 2008 – 4:09 PM

If you’re looking for a way to opt out of 64-bit Windows, you can stop right here. Windows XP Professional x64 is not going to knock your socks off. At least, not right away, and not unless you’re running apps that can take advantage of it.

But in the very next breath, I have to say something. The future of desktop computing is 64-bit hardware, operating systems, and software. That might not be a serious reality for most of us on the desktop until the year 2010 or so. But it’s coming, and it’s going to be worth it. And it’s coming a lot sooner on servers.

You may not be aware of it, but most Windows XP applications are limited to 2GB of virtualized memory. An application and the data it loads in RAM can’t exceed 2GB. There are exceptions and workarounds that I’m not going to delve into. But bottom line, Windows XP 64-bit can virtually address 4GB for 32-bit applications, and it can virtually address 8 Terabytes for 64-bit apps. The physical memory story is similarly impressive in favor of 64-bit Windows: 4GB max. for 32-bit Windows and 128GB for 64-bit Windows.

Windows XP Pro 64-bit also supports the full power of 64-bit processors offered by AMD and Intel, and there are significant advantages to these processors. CPU-intensive tasks will see serious performance and reliability advantages under 64-bit Windows. Suffice it to say that when enough people have 64-bit hardware and software on their desktops, you can expect a paradigm shift or order-of-magnitude transformation of what your applications will be able to do for you. They are going to change, become larger, richer, do more things. The same thing happened when we moved from 16-bit apps to 32-bit apps when Windows 95 made 32-bit Windows widespread. I think the shift to 64-bit apps will take longer to evolve, but in the end will be even more profound.

Microsoft sees this coming, and it’s doing everything it can to create the building blocks now that will lead toward a true kick-off of 64-bit Windows when Longhorn ships. The next version of Windows will offer both 64-bit and 32-bit versions simultaneously. Meanwhile, AMD has been in the van, offering its first desktop 64-bit CPUs back in late 2003. Intel recently offered a similar desktop solution. So by the time Longhorn ships, the hardware will be out there in droves. AMD just introduced dual-core 64-bit CPUs, in fact. And Microsoft finally matched AMD and Intel by releasing Windows 2003 Server x64 and Windows XP Professional x64.

The desktop version of 64-bit Windows is based on the more reliable Windows Server 2003 kernel and it runs all your existing 32-bit apps just fine. In fact, they may run a little better under 64-bit Windows. And a few specific application areas could benefit seriously from 64-bit Windows right now or in the near future, including digital content creation, especially 2D and 3D animation for games or movies; CAD/CAM; digital photo management and manipulation; and advanced game users.

I can tell you that I’m running 64-bit Windows on one machine now, and I will be making the switch to 64 bits more primarily with Longhorn, if not before.

So that’s the good news. But there’s a downside, naturally. Win XP x64 doesn’t support 16-bit and 32-bit device drivers, like those that Windows XP supports. That starts with the CPU, by the way. You can run either 32-bit or 64-bit Windows on AMD’s (or Intel’s) 64-bit CPUs, but the reverse is not true. Windows XP Pro x64 requires a 64-bit CPU.

And it’s not just the CPU; all device drivers for pre-existing hardware must be rewritten to work with Win x64. That includes both internal components and external peripherals, like printers (although many generic USB devices will be fine). Microsoft includes a 64-bit device driver pack in Win XP x64, plus a small list of companies (including HP, Samsung, and several others) have already written 64-bit drivers. My 1995 HP LaserJet 5MP found a Windows-provided driver very easily.

AMD maintains a 64-bit Windows and Linux driver page that anyone trying out 64-bit Windows will find useful.

Other limitations of 64-bit Win XP Pro include the elimination of support for all these things: MS-DOS, OS/2, POSIX subsystems, IPX/SPX, AppleTalk Services for Macintosh, DLC LAN, NetBEUI, IrDA, and OSPF protocols.

Win x64 also comes with 32-bit versions of Internet Explorer, Outlook Express, Windows Media Player, and others because of issues with support of 32-bit DLLs. For example, 64-bit Internet Explorer (which is also included) can’t run 32-bit ActiveX applets.

There are also two Program Files folders in x64, one for 32-bit programs and one for 64-bit programs.

Other than those limitations and changes, and the fact that the desktop wallpaper is different, you’d be hard pressed to know that Win64 isn’t Windows XP.

Windows XP Pro x64 is a transitional operating system, literally designed to be an 18-to-24-month bridge that supports existing 64-bit processors now and helps make the world aware that Windows Longhorn will be the first real 64-bit desktop Windows.

Microsoft is offering a 120-day trial of Windows XP Pro x64. Download the 550MB ISO or order a CD for the cost of shipping.

You can bet that I’ll be returning to the topic of 64-bit Windows in the months to come.

http://www.scotsnewsletter.com/70.htm#winreport2