Domain: grc.com
Stories and comments across the archive that link to grc.com.
Comments · 905
-
Re:I have one of those RSA tokens
I have one of those $5 PayPal security keys on my keychain. To pay by PayPal or access my account, I am asked first for my password and then asked for the current six-digit code from the security key. The six-digit code changes every 30 seconds.
As for on-line banking, I have never signed up for that because of my concerns about security. If a local bank ever started using two-factor authentication with a security key, I would gladly give on-line banking a try. Until then, I am not interested.
I frequently receive fake email messages claiming to be from PayPal, Amazon.com or various banks. They typically say someone has been added to my account and ask me to click on the link and log-in and check on the details. When I hold the cursor over the link without clicking, it shows me a complicated looking URL from a foreign country at the bottom of the screen. I have never actually clicked on the link to go to their fake websites.
As for on-line banking, personally, I would prefer to not do it from a heavily used family Windows computer which is used by children and teenagers. It is likely to have already been compromised from lots of heavy careless use. I prefer the idea of using a separate lightly used, but well maintained, Linux or Mac OS X computer just for that purpose. I am a middle aged Linux user myself, by the way.
-
Who says assembler is not used for applications?
I disagree, and I know of someone else much more prominent than me who would disagree also: Steve Gibson of Gibson Research Corporation. Steve has written some amazing little applications in assembler, and "little" is a good adjective for them. Try using Visual C++ to write a comprehensive disk recovery application that fits in 170K. And within that 170K is the capability to work under any operating system (Windoze, Linux, ...) using any file format (FAT, NTFS, ...) on any type of drive (SATA, SCSI, ...) connected to the PC in any way (USB, 1394/Firewire, ...)
Writing application software in assembler is not easy, therefore very few people undertake to do it, but the results can be well worth the effort. Tiny executables that run with blinding speed are the most obvious advantage.
-
Re:Secure?
Also, there is one 'higher class' authentication layer implemented already, mentioned on episode 107 of security now podcast http://www.grc.com/securitynow.htm :
Verisign has an OpenID implementation, https://pip.verisignlabs.com/, with a plugin for firefox that makes it easy to manage signing into sites.
Verisign's implementation is already behind the paypal and ebay security fobs, and if you get a pip account, you can buy one and use it for secure authentication everywhere. They cost $30 from verisign, but only $5 from paypal: http://paypal.com/securitykey
-
Re:Gentlemen, start your spambots
Natural language processing etc: To register, answer these questions and click the button on the right What colour are buses in London? What is three times three? [Red] [Green] [Blue]
There is a good podcast on Security Now (see episode 101)
Here is the transcript - this bit not all that clear as it is an actual transcript from Steve's stenographer.
Basically with natural language questions, there can only be a limited number of questions that have to be answered - it is difficult to have a computer generate a large enough number of questions (that are 'general enough knowledge'). The person attacking this captcha then only has to answer them once, and have his script pick the right answer in an automated fashion. (and from TFA, the attacker only cares if he gets it right 30% of the time, so even if they spend an hour answering a bunch of these, then given enough queries the questions the attacker answered will come around again, and again, and again and be answered by the script.)
....But, for example, you could imagine some sort of puzzle-solving solution. There has been JavaScript created which asks simple, English-language problems, like what is one plus one, as a trivial example. The problem is, again, it wouldn't be hard to cause a computer to have, you know, there would be a limited enough vocabulary of permutations of questions that different numbers would get plugged into that you could write some code that would understand that limited subset of questions and be able to answer them. So that's not very exciting.
Highly recommend the episode on captchas and the couple afterward that address listener feedback.
-
Re:ssh + bad password
I'll see your good point, and raise you a pf.conf snippet:
    ### MACROS AND TABLES SECTION
    table <wan_bruteforce> persist
    ### PACKET FILTERING SECTION
    block in quick on $if_wan inet from <wan_bruteforce>
    # ...
    pass in on $if_wan inet proto tcp from any to ($if_wan) \
        port ssh flags S/SFRA synproxy state \
        (max-src-conn-rate 3/30, overload <wan_bruteforce> flush global)
That's how you can block non-massively-distributed password dictionary attacks on the BSDs, anyway. Sadly, the fact that OpenBSD's firewall can perform this task on its own means that we probably won't see this feature worked into OpenSSH itself any time soon -- so on Linux you'll need a third-party script such as DenyHosts, as others have already pointed out.
(And yeah, unlike this PF configuration, DenyHosts lets you synchronize your table with a sort of universal blacklist of blocked hosts, so some might choose to run it on BSD anyway. It sounds like a good idea on paper, but boy does it suck when your home IP address keeps inexplicably winding up on the blacklist due to what turns out to be a single site's massively misconfigured server.)
But I think the most important lesson to be learned here, assuming that this thing does turn out to be an ssh attack, is that allowing single-factor, password-based administrative logins to a highly connected host is never a good idea. If you have the luxury of complete control over the site and its users (or are simply a highly empowered BOFH), disable password-based logins entirely and force the use of ssh public keys:
    # /etc/ssh/sshd_config
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    KerberosAuthentication no
    GSSApiAuthentication no
    UsePAM no
As a concession, if you want to ensure access without having to carry around an encryption key on a USB dongle, on Linux you can use PAM and libpam-opie to set up secondary access using a dual-factor combination of an S/Key one-time password and your regular login password (S/Key is like Steve Gibson's much-trumpeted "Perfect Paper Passwords" system, which is ingenious in its own right, except that S/Key is designed so that you don't need to keep your secret key stored unencrypted on the very server you're worried about protecting):
    # /etc/ssh/sshd_config
    PubkeyAuthentication yes
    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    KerberosAuthentication no
    GSSApiAuthentication no
    UsePAM yes
    # /etc/pam.d/ssh
    auth requisite pam_opie.so
    auth required pam_unix.so nullok_secure
With the above configuration you can still log in seamlessly using your ssh private key. But if you get stuck somewhere without access to your private key, you just pull your S/Key passwords list out of your pocket and enter the next password in the sequence, as prompted, followed by your login password. This PAM configuration has the nice property that if you enter the correct S/Key password but then an incorrect Unix password, you will be asked for the next one-time password in the sequence before you can continue: so unless your attacker is exceptionally good at plaintext attacks on large cryptographic hashes, a successful brute-force attack becomes impossible.
Wow, this post got a lot longer than I wanted it to... I'm, um, going out to get some fresh air or something.
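The property the comment above attributes to S/Key, that the server holds nothing from which the next one-time password can be derived, comes from a one-way hash chain. The sketch below is an added example, not part of the original post and not the OPIE code: SHA-256 stands in for S/Key's own hash and word encoding, and every name in it (`chain`, `OtpServer`, `demo`, the seed and passphrase) is hypothetical or constructed.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One step of the one-way chain (assumption: SHA-256 instead of S/Key's hash)."""
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, count: int) -> bytes:
    """Return h applied `count` times to seed||secret."""
    value = seed + secret
    for _ in range(count):
        value = h(value)
    return value


class OtpServer:
    """Server side of the scheme: it never sees the secret, only chain values."""

    def __init__(self, seed: bytes, count: int, verifier: bytes):
        self.seed = seed
        self.count = count      # index of the chain value currently stored
        self.stored = verifier  # h^count(seed||secret)

    def challenge(self):
        """Tell the user which list entry is expected next."""
        return self.count - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        # Refuse once the next expected value would be the raw seed||secret:
        # the chain is exhausted and must be re-initialised.
        if self.count <= 1:
            return False
        # A valid OTP is the preimage of the stored value under one hash step.
        if hmac.compare_digest(h(otp), self.stored):
            self.stored = otp   # consume it: the same OTP can never match again
            self.count -= 1
            return True
        return False


def paper_list(secret: bytes, seed: bytes, count: int):
    """The printed list the user carries: h^(count-1) first, h^1 last."""
    return [chain(secret, seed, i) for i in range(count - 1, 0, -1)]


def demo():
    # Constructed sample values, for illustration only.
    secret, seed, n = b"constructed passphrase", b"ke1234", 5
    server = OtpServer(seed, n, chain(secret, seed, n))
    otps = paper_list(secret, seed, n)

    results = []
    results.append(server.verify(otps[0]))        # first list entry is accepted
    results.append(server.verify(otps[0]))        # replaying it is rejected
    results.append(server.verify(server.stored))  # the server's own state is not a valid OTP
    results.append(server.verify(otps[1]))        # next list entry is accepted
    return results


if __name__ == "__main__":
    print(demo())
```

Because the OTP is consumed as soon as it verifies, a wrong Unix password afterwards still moves the sequence forward, which matches the behaviour the comment describes for the `requisite`/`required` PAM stack.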
-
Mitigation steps
1) TURN OFF UPnP! Anyone who has been listening to Security Now has known about this issue for the past two years. UPnP is by design insecure. If it is turned off it can't be used to attack your router. The only reason to have it is so that you don't have to configure anything when a program decides it needs to be open to anyone contacting it. Personally, I would rather have control over when someone else can talk to my computer.
2) Browse with No-Script (or similar settings in the other browsers). If JavaScript and Flash are blocked as you are browsing sites and only turned on when you need them, you can't be hit by drive by attacks like this one. Heck, I've seen maybe 2-3 banners in the past couple months with a combination of No-script, Adblock, and Flashblock.
3) Change the default settings of your router. This won't prevent the attack described necessarily, at least without the above steps, but it will make sure those steps aren't for nothing. The most important thing this prevents is a CSRF attack to turn UPnP back on, even if you have it off. This also would require not staying logged into your router when you don't need to be (and routers without gaping CSRF holes built in that don't need passwords)
-
Spinrite, Smithwicks, DBAN
Spinrite http://www.grc.com/spinrite.htm/ if the drives are damaged, Darik's Boot and Nuke http://dban.sourceforge.net/ to erase the data, and a six pack of Smithwicks http://en.wikipedia.org/wiki/Smithwicks for the memories.
-
ClearType = subpixel rendering ..
"MS actually does have patents on some fairly innovative things (example: ClearType) that are pretty clever"
Cleartype aka 'subpixel rendering' borrowed from Apple ..
"Sub-pixel rendering was actually first implemented in 1976 by Steve Wozniak at Apple Computer for the Apple"
Re:MS does have some valuable patents (Score:3, BS)
-
Re:MS does have some valuable patents
A word on Microsoft's ClearType "innovation":
http://www.grc.com/ctwho.htm
-
Re:Wow.
Since our colleagues insist on being pricks, I found this on the Security Now site:
Leo: Well, ironically, they've made it more susceptible to malware. These tilt bits - talk a little bit about the tilt bits, Peter.
PETER: Right. So what tilt bits are is - the name's taken from pinball machines. We had tilt sensors to monitor physical interference with the device.
Leo: Yeah, if you pick up the machine and get the ball in the hole, it's tilted, and it fails.
PETER: Right. And so Microsoft have done or required that hardware manufacturers do pretty much exactly the same thing. The nasty thing with this is that, well, to put it bluntly, it makes your hardware in your system a lot less reliable. The typical PC is thrown together out of all sorts of random bits and pieces with different tolerances; and half the parts are made by the cheapest possible manufacturer, so a lot of them are cheap and nasty. So they're designed to have a certain amount of tolerance for voltage fluctuations and strange bus signals and bugs in device drivers that set hardware bits wrong and so on and so forth. The problem is that, if you do get these strange voltage fluctuations or strange noise on the system bus or whatever, that could also be a sign of attack. And so Microsoft have said that hardware has to monitor for any of these peculiarities. And if they're found, then it sets these tilt bits in a register somewhere. Vista polls these tilt bits; and if any of them are set, it reacts in some vaguely specified but somewhat drastic manner.
-
Re:Won't Work
Actually, an ISP could use an SSL proxy to act as a man in the middle and have access to all of your traffic unencrypted. It would require them to install a certificate on your machine that tells your browser to trust the ISP's CA. See the following episode of Security Now, I think Steve Gibson explains how this works fairly well. http://www.grc.com/sn/SN-112.htm I don't know how legal it is for ISPs to do this, but I know some schools and corporations do.
-
Re:Nice
You probably checked this out already, but the cause may be that you have the more rare BGR subpixel configuration on your laptop, instead of the more common RGB subpixel configuration. See here, scroll down to Sub-Pixel Order Sensitivity.
-
Re:Any World of Warcraft users...
What this means is simple: Only if you're reachable (i.e. if your port is being forwarded), people will be able to send you data. If you're not, only you can send data.
That's not exactly true. If you are not reachable (your definition), you can send and receive data from other people who are reachable. If you are reachable, you can send and receive data from people regardless of their port forwarding status. Therefore, if you get your P2P ports forwarded you have a larger pool of available peers.
UPnP was supposed to make the port forwarding problem a whole lot easier, but it's either not widely deployed, or often disabled by default on many routers. What's worse, the early history of UPnP was not good with some really nasty security flaws that were quickly exploited which led lots of people to suggest disabling it completely.
-
Re:Strange comments
Russell Coker quoted:
>
> Iftach Amit says "Since Linux machines can be used to more easily create specially crafted networking packets,
> they can be used in highly sophisticated online attacks"
>
Woah, isn't this the same reason that Steve Gibson said Windows XP would result in the oceans boiling or rampant cannibalism or whatever it was? Why yes, yes it is: http://www.grc.com/dos/winxp.htm
Whatever: "operator error" is a lot more likely than "designed to kill."
-
Re:The idea is great, but...
Oh and I forgot to ask this as well: how do you get around firewalls/NAT? Most people these days are behind NAT. In my experience, UPnP only works out-of-the-box on very few systems because most routers have UPnP disabled by default.
Support linux-igd? The project started back up in the past year and a half or so, along with libupnp coming back from the dead after Intel abandoned it. Help these projects get to the point where they're trivial to set up, stable, and shipped with all distributions and you solve the problem for the large number of folks using linux NATs. Better yet, that will ultimately trickle down to the router market as well, since a fair number of those use (or have used in the past) linux-based firmware. I've been using linuxigd for 2.5 years now and it's worked great with only a few minor hiccups (Xbox, Xbox 360, Azureus, Messenger, etc all work well with it), but in the past it's been a real pain to set up and actually get working.
Once people can finally get over GRC's sensationalist crap from nearly six years ago, we might finally get a real solution in place for NAT users. We all know IPv6 won't ever be widely adopted enough to make NAT obsolete.
-
Favorite non-bloatware? Easy one...
Anything written by Steve Gibson.
-
Steve Gibson Says "Small is Beautiful"
Steve Gibson of SpinRite fame has this page: http://www.grc.com/smgassembly.htm
Of course, he programs directly in assembly in his quest to keep things small and fast.
-
Re:RUN AWAY!!
The poster didn't say anything about Linux. And he also didn't say anything at all about intellectual property, which we all know is a rather silly way of trying to exert control.
What he said was: ...it's almost guaranteed that [free software] does infringe software patents (both those existing now, and those that will be granted in the future).
And guess what? It's true. It really is.
It's not just restricted to free software, of course - *any* piece of software, even those coming from Microsoft, are pretty much guaranteed to infringe on some software patent somewhere. The reason is pretty clear - it's because software patents are granted for things that are way too obvious, which is one of the reasons why they're so utterly stupid. This was actually explored pretty well in this episode of Security Now! from grc.com. Do take a listen, or at least read the transcript on that page.
Now, did the poster say that they agreed with software patents? I certainly can't see that anywhere, so if you manage to find it I'd love to know. The use of the word "infringe" doesn't count; after all, the patents *are* being infringed on. They're just utterly silly patents that should be thrown out, and notice that I didn't say that the patents are *right*.
Notice that I also haven't said that the patent owners should win in court if they have a software patent. Most likely, they shouldn't, and you pretty much won't ever find me backing Microsoft in a battle against FOSS.
Do software patents constitute a kind of 'intellectual property'? Not in my books; not in the way I understand IP. The idea that it does is ludicrous.
Yes, Linux code infringes on software patents. Which ones? I don't know, but I'm fairly sure it does. Are these software patents *right*? Does Linux contain anybody else's 'intellectual property'? Hell no.
-
We need a real coder to teach the script kiddies
I for one welcome our script kiddie hacker overlords. May their attacks be merciless and plentiful. J/K
On the serious note, I'm sick of hearing about "script kiddies"? How are these people sure that these are indeed 13 year old children using toolz. The last time I checked it was very difficult for me to procure any nasty tools to even do half of the stuff that I hear that script kiddies are doing. Really, I'm not joking here. It's not like I'm an idiot or anything... Maybe it's because I'm 27 and I'm out of the loop. THE LAST TIME I CHECKED 13 YEAR OLDS COULD NOT USE A COMPUTER BETTER THAN ME! I write perl, PHP, ASP, JSP and python scripts with the best of them. You show me a snot nosed brat that can write "better" object oriented code and I'll concede that maybe I either don't know where to look for toolz or that maybe I'm just not the computer geek that I thought I was. It's now obvious that I write programs for websites and to many of my elders I'm not a "real" programmer either. I think the bar must be set for script kiddies and the age should be upped to 27.
On the side, here's an actually interesting article by Mr. Gibson of Gibson Research Corporation and his encounters with a script kiddie.
http://www.grc.com/dos/grcdos.htm
The article I mentioned is actually quite awesome because Mr. Gibson actually takes the script kiddie down a notch and is able to defend himself through filters on his cisco router. Read the article, we need more programmers like this.
-
Re:As though any processor
Might be a long time before the Microsoft replacement for Vista appears for end users, but I bet they will go through a long beta testing time, just like they did with Vista.
Although it is true that 64 bit is "better" than 32 bit, we all worry (I do) about obsolete machines, still good, and obsolete linux operating systems. My Knoppix remaster is 32 bit, based on Knoppix 3.4. I could get ahold of the latest 64 bit knoppix, and start putting all of my stuff in there, and have it done. That won't be easy, and I cringe when I see the 64 bit AMD machines in the stores, at a good price, too. What if they took over, and ruled the World? Would I wind up staying up late at night, for eons, trying to get my stuff migrated to 64 bit? Would I wind up having two remasters, one 32 bit for all of the old 32 bit machines out there, and one for the 64 bit machines.
I would hope that Microsoft is just planning some "out there, pie in the sky stuff" just to please the stockholders, by going with all 64 bit. You know that Toyota announced that in about 12-14 years, all of their cars would be equipped with hybrid power plants, at the same cost as a car with only a gasoline engine. No difference in price. The big difference is that Toyota is tops, and they know where they need to go to stay on top, whereas Microsoft always has us linux folks after them. It just works out that way, we are not "after them" as much as we are putting together OS's that do what we want, exactly, in a secure on-line environment. Using my remaster every day, I cannot imagine using something like Windows 98, or XP for that matter. I don't want to become part of somebody's botnet, or have my keystrokes logged when I do online banking. I have the Guarddog firewall, on by default, no user action needed. Any other livecd linux do that? If I go to Gibson Research Corporation, and run the Shields UP tests, I always get "Your system has achieved a perfect "TruStealth" rating. Not a single packet, etc." report.
As a round about way of checking for botnet infection, since I use IceWM as my default WM, I have the nice little processor activity window, and the broadband activity window right down there on the toolbar where I can see them. I don't have anything like that, nearly as handy, in my Fedora Core 6 installation on this same box, dual boot. Kinda makes me nervous not to have those items there in FC 6. Any botnet setup would really show up as stolen bandwidth, and processor activity. Not that my livecd linux could be infected by a virus, but anything is possible.
So, it's not like Microsoft is going to suddenly make us all have 64 bit machines, but eventually, that would be the case. Otherwise, Knoppix would not offer a 64 bit version, if they did not see the benefits.
As long as there is a Microsoft, always wanting more powerful hardware for each new version, we will have to come up with Linux OS's that use those machines.
I have an Inspiron 1505 being built by Dell, due here the middle of June, and I can't wait to run my remaster on it, if possible before even booting up Vista. Lets see, Dual Core, 2 GB RAM, ATI 256 MB card, lots of Microsoft-inspired power to be had. If there were no Microsoft, would anything like the Inspiron 1505 be available at that price?
Rapidweather
-
Yeah, honestly, users are to blame.
I mean, nobody knew ahead of time that WinXP's vulnerabilities would make it ideal for creating an army of bots. If somebody only told Microsoft, they'd sit up and listen.
In all fairness, he was wrong. A bot probes my internet address every few minutes. And most of the addresses come from my local ISP's block. It's no secret which computers are compromised, just as it's no secret the ISP doesn't care. It's cheaper to turn a blind eye and provide the bandwidth for patently illegal activity than it is to turn off the offender's accounts, and deal with angry, uneducated end-users.
-
Re:Alas
What? And get a cease and desist order from the Gibson Research Corporation?
Sorry, couldn't resist!
-
Re:OS X's subpixel rendering? Adobe's "CoolType"?
If you know the positioning of each of the three dots, you can still do a certain amount of sub-pixel rendering, just not in quite the same way. Doing some more research, I think this was just on the Apple II, which may well have used a trinitron tube and thus used the same style of subpixel rendering as ClearType/CoolType/etc.
c.f. http://www.grc.com/ctwho.htm
-
Re:This hurts my head
"This technology is LCD-specific..."
No, it isn't, as discussed previously in the threads on Tuesday.
Heck, I can even *remember* the use of analogous "sub-pixel" rendering in some Apple II programs to increase the apparent resolution of lines, as discussed on the above pages. It was a quirk in the way that Apple II systems rendered their "high resolution" modes, and something that people soon realized could be used to an advantage -- just like sub-pixel rendering for LCDs. It's certainly the same principle.
-
Re:ClearType draws from Apple II, says developer
Gibson have a "Who Did It First?" text regarding sub-pixel rendering as well:
http://www.grc.com/ctwho.htm
-
Re:This hurts my head
Mod parent up! That is exactly right and the full scope can be found on Steve Gibson's ClearType pages. What they have patented is simple filtering of sub-pixel rendering. That is just a simple combination of two very old techniques, color filtering is used in everything from blur filters to fire effects to texture mapping. Sub-pixel rendering too, has been used for ages to increase the apparent screen resolution.
-
Microsoft didn't invent this idea.
Microsoft may have a patent on ClearType, but they didn't invent it. We did the same thing in the Commodore 64 days with regards to fonts in graphics. I clearly recall zooming in on text and seeing different colors in the transition from text to background. I've spent many hundred hours doing graphic arts on the Commodore 64 and have been published.
I guess prior art doesn't apply to patents anymore?
"Sub-pixel font rendering with Free&Clear - Microsoft says they invented their "ClearType" technology, but I quickly and independently "invented" the same thing . . . as had others who came years before. It is very cool, but rather obvious. "
http://www.grc.com/ct/cleartype.htm
-
ClearType patent invalid...
Subpixel rendering was covered by Apple][ patents decades before. Why SuSE would bother disabling ClearType is beyond me.
http://www.grc.com/ctwho.htm
http://edition.cnn.com/TECH/computing/9812/08/cleartype.idg/
-
Re:Prior art
I'm afraid the decades-old Apple II and IBM PC is not prior art. Pixels are either on or off for Apple II and IBM PC's CGA displays, so they apparently don't (and can't) care too much about color fringing. Sub-pixel font rendering on LCD screen deals with 256 shades for each sub-pixel, and the emphasis is on how to adjust sub-pixel brightness to reduce color fringing.
This is explained in Steve Gibson's Turning Theory into Practice. Sub-pixel font rendering is not the same as sub-pixels on CGA displays. The ideas are related, but the plumbing is different.
Perhaps I'm misleading in saying that CGA is not prior art of ClearType. I haven't actually read the patents of ClearType, so I obviously cannot tell; I'm basing my claim solely on Steve's webpage alone.
-
It's only the filtering
AFAICT, subpixel rendering is not disabled, only the 5-tap filter that's supposed to reduce colour fringes. See http://www.grc.com/cttech.htm. Apparently this is one of the things Microsoft has patented, and I haven't seen any "prior art" for this specific technique. In my humble opinion disabling the filter is not much of a loss as it just makes fonts look fuzzier.
-
Prior art?
I have not been to GRC.com for a long time, I quickly grabbed the URL and posted it here in another thread. Looks like that site cites a long list of prior art. Makes the OpenSUSE's decision even more suspect.
-
Novell is the Judas Goat.
I think Novell has become a wholly owned subsidiary of MSFT and is being used for the express purpose of setting up precedents and creating more and more FUD. I have seen a version of anti-aliasing and sub-pixel addressing way back when in, of all places, grc.com.
-
Prior art
Steve Gibson pointed out decades-old prior art that would invalidate the Cleartype patent (if our patent system weren't corrupt) several years ago.
-
Re:10 minutes, 1 minute... no big deal
For my computers at home, I used the "Perfect Password Generator" that is on the grc.com web page to generate the longest most random possible WPA password. Each time I visit that web page a different password is generated. I then placed the password on a USB key and transferred the password to both of my computers and the wireless router. I then cut and pasted the password instead of trying to type the huge password. For the extra paranoid, slicing and dicing and mixing up the long password that is generated could also be done as an extra precaution, although the password did come from a secure website at a security oriented web page.
-
Re:OpenCD
I am often asked by family, friends, and coworkers (I work in IT and have contact with a large number of end-users) what applications I use, and what I recommend that they use. I do suggest GNU/Linux, but clearly most of them are using Windows and prefer to keep it that way for now. Here is the list of applications which I usually give them. Granted, some of these are NOT "free as in freedom" but are rather just "free as in beer" since, as noted elsewhere in this thread, for some categories of software there is no open source package available for Windows, or at least none available that your proverbial Grandma could be expected to use without installing Cygwin or something. (Obviously this list is aimed more at your Grandma than at the average GNU/Linux user, since that is the target audience. In real life I only use some of these applications myself. However, I do support family and friends who use them.) You could, of course, argue that better choices could be made, and you'd be correct....
General Tools
- Openoffice.org (use word processor, spreadsheet, presentation, database, and similar applications)
- Picasa (view/edit photos)
Internet Tools
- FireFox (browse Web sites)
- Gaim (chat with users of AIM, YIM, MSN, IRC, etc.)
- Thunderbird (e-mail)
- Pegasus Mail (e-mail)
- Macromedia Flash Player (watch Flash animations within Web browser)
- Java Plugin (run Java applications inside Web browser)
Basic Tools
- 7Zip (compress/decompress files)
- EditPad Lite (edit text files)
- vim/gvim (edit text files--advanced)
- Adobe Acrobat Reader (view PDF files)
- PDF Creator (create PDF files)
Security Tools
- ZoneAlarm (firewall - detect unwanted Internet access)
- Avira Antivirus (detect/remove viruses)
- ADAware Personal SE (detect/remove spyware)
- SpyBot Search & Destroy (detect/remove spyware)
- HiJackThis (detect/remove spyware)
- Discombobulator (make Windows more secure)
- Shoot the Messenger (make Windows more secure)
- Unplug-n-pray (make Windows more secure)
- PGP (encrypt/decrypt files or e-mail for privacy) - see admin for more details
Advanced Tools
- Virtual CD-ROM Control Panel for Windows XP (mount ISO images as filesystems) from MSDN
- IMAPSize (manage/search/backup an IMAP mailbox)
-
Re:x86 ASM for Windows
The famous Steve Gibson, author of Spinrite, writes all his software (Windows mostly) in pure ASM and the speed and efficiency of his apps speak for themselves.
-
Steve Gibson seems to feel it's worthwhile
from http://www.grc.com/smgassembly.htm
Huh? . . . Windows in Assembler?
Am I sick? Perhaps. Am I a dinosaur destined for early extinction? Yeah, probably. But I truly love programming. It's what I do. It fulfills me and sustains me . . . and I'm never in a hurry to "just be done with it." I can't stand sloppiness in my work, so for me that means writing the smallest, tightest, fastest, most economical computer programs possible. And THAT means authoring Windows applications in Assembly Language.
Though the rest of the world may argue that they're more "productive" (when measured by hard disk space consumed per second), I stand by the principle that: "Small Is Beautiful".
-
Re:The coolest part.
Steve Gibson has a great Podcast of the Truecrypt utility at http://www.grc.com/SecurityNow.htm (and search on truecrypt - episode 14 from memory).
Davo.
-
Look up ARP cache poisoning
I did, and found this page. Very interesting in a scary sort of way.
-
Re:Mod parent UP!
I'm not sure how common or non-common those are, but forged sender addresses are the key component of DRDoS attacks.
-
Re:Gibson the Hack
Care to define magnetodynamics, then?
Admittedly I've only studied magnetostatics so far, but then I'm not very far through my degree. Since magnetostatics was defined as the study of static magnetic fields, I don't think I'd be making a particularly large logical leap to infer that magnetodynamics is the study of non-static magnetic fields. Since, according to Wikipedia, magnetostatics is a good approximation for all but rapidly alternating magnetic fields, I could even make a larger leap and infer that magnetostatics is generally used to study... rapidly alternating magnetic fields?
saying that a computer program could in any way make use of magnetodynamics to increase its ability to recover data is pseudo-science. Remember, it has to operate through multiple levels of abstraction: the OS, the drivers, the cache and the firmware. Care to explain how anything having to do with magnetodynamics could be used in a data recovery program that is meant to work across many different kinds of drives?
That's a much better point; and one I think I'm forced to concede. On looking at the page where Gibson talks about magnetodynamics, there doesn't really seem to be any actual magnetodynamics. Oh well; point conceded.
It would be like me saying that my disk recovery program makes use of the Van der Waals force. There really is such a force, of course...
I'm afraid I have to admit that I'd never heard of it. Damn, I need to actually turn up to more of my lectures...
:)
-
SpinRite Disk Error Problem Detection
Does anyone have any comments pro/con on SpinRite from Gibson Research (http://www.grc.com/sr/spinrite.htm)? It claims to detect and repair disk errors before they are a problem with a low level scan. I bought it and used it on a server drive that had errors disk DOS file copies. It fixed the problem and no data was lost, but I don't have any other experience with it.
The program sounds pretty amazing from their web site.
Are many companies using it for preventative maintenance to avoid data loss on their servers?
-
Re:DRM Will Extinct Itself
Vista has gone to great extremes to achieve digital content management. The Vista DRM requirements will greatly affect the design of video cards, monitors, HD-DVDs and other computer hardware in the near future. Microsoft seems to have really gone overboard to try to satisfy all of Hollywood and the music studios' fears about computer owners somehow managing to access unencrypted protected content. Windows itself seems to have been designed as a digital content delivery system. Personally, I would have preferred to see a small separate dedicated box of some kind used for that purpose instead of redesigning the Windows operating system and the computer hardware so drastically for that purpose. Here are two transcripts which talk about Vista DRM. At the top of each transcript there is also a free MP3 version available.
Hollywood, the music industry and Microsoft all seem to think that they should have the right to reach into people's home computers and tell the computer owners what they can and can't do. As mentioned recently on Slashdot, the RIAA is now acting much like 17th century French button makers. It is almost as if the same people had been reincarnated again and are back again.
History Repeats Itself: How The RIAA Is Like 17th Century French Button-Makers
-
Re:No chance
High speed Internet connections only recently became available where I live. The local telephone lines in my neighborhood were only good for 26.4K even though I had a 56K modem. I was unable to get cable, but recently the telephone company finally made 1.5 Mbps DSL connections available here (7 Mbps DSL is also now available). What will the bandwidth requirements be for watching this future on-line video content at an appropriate resolution? What resolution will I need for my 13 inch television when watching from my usual chair 14 feet away?
With Windows Vista, Microsoft seems to have made a huge effort to re-engineer Windows as a secure DRM delivery mechanism that Hollywood and the music studios can trust. Bill Gates is probably hoping that we will all soon be using Windows to watch high-definition protected content on HD-DVDs or to watch online video content. He may eventually be right about that, but personally, I would rather use a separate small dedicated box for that purpose, not a Windows PC. It is doubtful that my Linux PC will be trusted by Hollywood to download their highest definition video content anyway, so for me a small separate box of some type would probably be the way to go.
Here are two links that show the extremes that Microsoft has gone to in adding digital rights management to Vista
-
Re:Riddle me this, botnet...
I wonder how effective ordinary antivirus programs or spyware removal programs are on Zombie computers? Ad-Aware is one example of a spyware removal program for Windows. To help avoid problems in the first place, I have always used a properly configured firewall either on the computer or router (or both) to block access to TCP/IP ports. I occasionally check my firewall by going to grc.com and having the Shields Up test done. After going to their web page I click on ShieldsUP!, then "Proceed," then "Continue," then "All Service Ports."
On both the Windows and Linux computers I also use the latest version of Mike's Ad Blocking Hosts file to block many of the known advertising related URLs. I don't know to what extent that might or might not possibly be helpful in preventing problems. It is mainly intended to block certain kinds of ads.
I also regularly download the latest security updates for both the Windows and Linux computers. Most people only do spyware and antivirus checking on their Windows computers, not their Linux boxes. There are actually a few anti-virus programs for Linux but there aren't yet any Linux viruses successfully circulating in the wild. At home, I only send and receive email from my Linux box, because it is probably safer. I also use the Linux box for the majority of my web browsing. I do use the netstat command once in a while to see what TCP/IP communication is going on. But anyway, I am not a computer professional, those are just a few thoughts from a paranoid home computer user. I haven't yet learned how to do some other security measures such as reading security log files or detecting rootkits. I also haven't yet got around to learning to use the netstat command under linux or packet sniffers.
-
Re:Riddle me this, botnet...
I am not a computer professional and definitely am not an expert on that type of thing, but either the netstat command or the free TCPView utility might be useful. Either one can be used to provide information about what is connecting to what on your TCP or UDP ports. The netstat command exists on Windows, Mac, Linux and Unix computers. The free TCPView program is a free Windows only GUI version of the netstat command. I mostly use Linux at home, so I rarely ever use Windows utilities like TCPView myself.
There are probably other additional methods that could also be used.