Security bulletins, computers, and cars


If you’re connected to the internet, you are vulnerable to attacks. I don’t care what operating system, which browser, what firewall, anti-virus, or anti-spyware you have installed—there’s a vulnerability on your system somewhere. Even the tools security researchers use to analyze attacks can be used against their owners as a way of breaking into their machines.

People discover new vulnerabilities all the time, for all operating systems. Computers are complicated things, complicated enough that nobody can foresee all the possible ways to break into them. As people discover new ways of breaking into computers, other people develop countermeasures to keep your personal information safe. It’s an escalating war between thieves and people trying to stop them—and your data is the battleground.

In July 2005 there were major vulnerabilities for all of the major operating systems. Basically, if you were on the internet, you needed to update your computer.

First off, Windows. Those poor souls limping along with Windows 98, ME, or NT reached the end of the line. Microsoft announced that they do not plan to release a fix for these operating systems for the critical vulnerability revealed in July. If you use any Windows 98 or ME machines to browse the internet, you’re vulnerable, and the only thing you can do is update to a newer operating system.

What’s the issue? Basically, there’s a problem in the Windows code that translates image files from files to pictures. All you have to do is view a specially crafted image in any Windows program. Including Office, Outlook and Internet Explorer. Including Firefox. Including just about everything that can show you a picture. You could get infected by following a link on Google to a less-than-savory site, or opening a Word document from a friend.

Anti-virus software can help block known viruses, but as always, can’t protect you from brand new viruses until the anti-virus folks can discover, dissect, and create virus signatures to detect them.

Now let’s take a look at another vulnerability from July: Firefox, Thunderbird, and the other Mozilla packages. New versions of each were released to fix some potential flaws that could lead to hijacks on any operating system.

Mac users on the newest version of the Apple operating system, OS 10.4, also got a major security release.

Fourth vulnerability: Zlib packages. Zlib is a set of software that makes files take up less space on the disk. This may not sound like much, but it’s built into hundreds of other programs, on all platforms. Especially Unix-based platforms, like Mac and Linux. There isn’t a specific action to take here, so much as keeping an eye on bulletins for programs you use.

Computer maintenance vs. car maintenance

Which brings me to the point of this article. Like it or not, somebody needs to actively take responsibility for keeping each computer up-to-date.

Think of your computer like your car: every 3,000 miles, you change the oil. Every 15,000 miles, it goes in for more major maintenance. And as things break, they need to get fixed.

Computer maintenance is similar to car maintenance in that with the proper tools, talents, and time, anybody can do it. But do you really want to? Most of us just take our cars into somebody else’s shop and pay somebody to handle the maintenance for us.

Obviously though, computer maintenance is different than car maintenance. Without maintenance, your car will eventually break down and stop working. It could kill you in the process, if something catastrophic goes wrong at a bad time. With a computer, the risks are entirely different:

  • Your computer could break down, taking all of your digital photos, finances, and documents with it.
  • Your computer could slow down, when a virus or spyware starts using up all of its memory, and uses your internet connection to send itself to all of your friends.
  • Spyware or viruses could reveal your personal information, such as your credit card numbers or social security numbers, along with anything you ever type into it.
  • Worms or viruses could lead you to being unable to get to web sites or send email to your friends, if your computer becomes marked as a virus-carrier.
  • If you’re running a business, a compromise could lead to you revealing any data you have about your customers, thus potentially leading to you being the target of a lawsuit.

Aren’t you exaggerating a little?

No.

Technology people have an expression that’s starting to spread to the mainstream: FUD. FUD stands for Fear, Uncertainty, and Doubt, and basically refers to a marketing practice of whipping up these emotions in people in order to get them to buy a particular product, service, or U.S. Congress bill. So before I give you my marketing pitch, let me borrow a phrase from the late Douglas Adams:

DON’T PANIC!

But my point is valid. Think of all the complicated machinery we all have in our houses and lives, besides cars: televisions, toasters, DVD players, digital cameras, refrigerators, ovens, grills, bicycles, furnaces, and vacuum cleaners to name a few. None are as sophisticated or complex as your desktop computer. Most are far more reliable than your desktop computer. All require some sort of maintenance, and many require special expertise to provide that maintenance. And none of these can reveal your financial identity to a thief who lives on the other side of the world. At least not until you hook your toaster up to the internet, anyway.

Do I have to become a geek?

You don’t need a license to run a refrigerator, but you do need quite a bit of training to learn how to drive a car. A hundred years ago, only a handful of enthusiasts knew how to drive a car, and most of them, out of necessity, had to become mechanics while they were at it. Today, hundreds of millions of us drive every day, without thinking twice about it. And we hire mechanics to fix our cars for us.

We’re still early in the development of computers—and already more than half of all Americans use them. We expect them to be as reliable as our cars and refrigerators, and when they’re not, we get frustrated. But we’re already completely dependent on them for our businesses. And, as the line between content producers and content consumers starts to blur, they’re starting to have a major impact on our culture.

But collectively, our computer driving skills could use some work. Careless computer use can lead to the results I pointed out earlier: loss of data, computers that become sluggish and unusable, problems accessing things everybody else can use, theft of your financial identity, and potentially even legal trouble.

Computer mechanics are starting to appear, all over the place. And while fixing a computer can often cost more than buying a new one, if you don’t learn some basic computer driving skills, you’re going to need to hire a mechanic even more quickly.

If you’re going to use a computer, you’re going to need to learn some basic driving skills if you haven’t already, and you’re going to need a mechanic.

What do I do now?

If you’re set up with Windows 2000 or Windows XP, once you’ve done your updates, you’re fine... for a while. If you’re using a recent Mac, you’re also probably fine once you’ve done your updates. If you’re still on Windows 98 or Windows ME, it’s time to upgrade.

Before going out and buying Windows XP, however, it might be a good time to look at some alternatives. Unless you have a compelling reason to stick with Windows, if your needs are modest you’ll probably end up saving quite a bit of money by switching to Linux. Why?

Hardware costs

Your Windows 98 computer may have (barely) enough resources to run Windows XP, but most of the Microsoft software keeps demanding faster computers with more memory. If all you’re doing is email, web browsing, and office document-type of work, many businesses will be happy to set you up with a streamlined Linux distribution that will do all this for you easily, and breathe new life into that old hardware of yours.

Software costs

Most people are used to buying programs to do everything. Need to do something new? You have to go shell out another couple of hundred dollars. A recent computer I purchased for a client cost $600 for the basic computer and a nice flat panel monitor. The Microsoft software to go with it cost another $500. If you’re willing to try open source software, that $500 could be spent learning how to use some of the free, powerful alternatives. It’s no longer necessary to buy basic application software—for just about every business need, there is an alternative that costs nothing more than the time spent learning to use the application, or paying someone to train you.

Administration costs

Microsoft provides a great package of tools for managing hundreds of computers in large enterprises. The Windows Update service works reasonably well for individuals. But if you don’t want to be your own IT professional, hiring someone to do it for you remotely, especially for more than one or two computers, costs more money because you have to pay them to come and visit your office every time something needs to be done. It’s possible to set up remote administration facilities for Windows, but this costs more money, while the ability to administer Linux machines is built into the core system. If I install Linux on your computer, I can easily turn on a couple of features that allow me to securely administer your computer from my office. The closest Windows equivalent, Remote Desktop, was the target of another of July’s security vulnerabilities.

No escaping administrative costs

With Windows, somebody needs to administer the machine. You need to be an administrator to do many tasks, and if that’s not you, it’s gotta be somebody. In the Linux world, some people have built operating systems that don’t need a hard drive—they can run entirely off a CD-ROM. If all you’re doing is sending email and using the web, you can have an internet appliance that essentially cannot be infected by spyware or viruses—every time you start up, it’s like having a completely fresh installation of the operating system. Cleaning your system is as simple as restarting your computer. Upgrading is as simple as putting a new CD-ROM in the drive and restarting your computer.

Alternatives to Windows

These do exist, and they come in all shapes and sizes. Many businesses can help you figure out the best strategy for keeping your current costs low, while also keeping your computing costs down over the long haul. Just remember that no matter what anybody tells you, as long as you’re using computers there are going to continue to be costs involved. Talk to a professional you trust before making major purchasing decisions.

Why not switch to Linux?

You might hear a lot of FUD about how Linux is more expensive, that “it’s not ready for the desktop”, that it’s hard to configure and use, or that it’s confusing. In many ways, Windows still isn’t “ready for the desktop” either—you still have to have somebody administer the machine, to make one point.

To a beginner, all computers are mysterious, complicated, and confusing. Even driving a mouse takes muscle coordination that you may have forgotten that you’ve actually learned. In learning to drive a Windows machine, you may have picked up all sorts of habits that are as unnecessary as double-clutching a modern car—habits like rebooting when something goes wrong. Switching to Linux can be like renting a car in another country—the signs are unfamiliar, you drive on the other side of the road, you’re sitting on the wrong side of the car. There is a definite learning curve involved in switching to Linux, but with a little time behind the wheel, you’ll soon feel right at home.

For the new computer user, learning to use Linux is no harder than learning to use Windows. For really experienced users, Linux offers far more power, customizability, and flexibility, making Windows feel constraining. It’s only those in the middle, who have been using Windows for years, that have any trouble making the switch. And because large corporations are filled with people who have been using Windows for years, most of the FUD stories you’ll hear add retraining and temporary loss of productivity as a significant cost.

The other reason you might not be able to switch to Linux is if you rely upon some application that’s not available in Linux. I don’t mean Microsoft Word or PowerPoint—those can be completely replaced by OpenOffice.org (without even switching to Linux). But, in just about every primary business, there are key programs you and your colleagues use, that people in other industries don’t need. Many have free software, Linux-based equivalents, but the free software versions are often far behind in terms of functionality.

Now, I’m not an expert in these areas, but I’m going to provide some examples of software with different types of issues preventing people from switching:

Bookkeeper

Assessment: Great equivalents; migration is expensive

Proprietary software: QuickBooks

Free software equivalent: GnuCash, SQL Ledger

It seems like all small businesses use QuickBooks, as if there were no other choice. It’s an automatic decision for most businesses. Never mind that many accountants prefer Peachtree. But in any case, there are some great business accounting packages for Linux, and we have quite a bit of experience working with them. Personal finance programs are definitely more polished in Windows, but it’s easy to find some simple checkbook managers for Linux. Bookkeeping seems to be the single biggest barrier for moving a small business to Linux—not because there isn’t an alternative, but only because people are stuck with several years of data in what they currently use.

Photographer

Assessment: Good equivalents, missing a couple high-end features

Proprietary software: Photoshop

Free software equivalent: The GIMP

The GIMP is a powerful image manipulation program that does nearly everything Photoshop does. However, until version 2.0 came out a year or so ago, it didn’t handle the CMYK color model, which professional photographers and printers need for print production. The GIMP is now pretty much equivalent to Photoshop 6.0, and can read Photoshop files directly. Color management in general is a weak area for Linux and The GIMP.

Print publisher

Assessment: Good equivalents, not quite mature

Proprietary software: InDesign, Quark

Free software equivalent: Scribus

Scribus already does most of what PageMaker could do, and it’s only a couple years old. Compared to InDesign, the main lack you’ll find in Scribus is the ability to drag and drop pictures and text from other programs—another weak area for Linux in general. There’s a way to do just about everything related to laying out and printing a brochure or sales pamphlet in Scribus, but figuring out how can be a challenge. Unlike The GIMP, color management is one of the strong points for Scribus, and most of its users are professional desktop publishers so you know it has compelling features. It also can do PDF forms, and most anything you’d like to do in a PDF. However, I don’t know how effective it would be for laying out a longer catalog or magazine.

Architect

Assessment: Equivalents for modest needs

Proprietary software: AutoCAD

Free software equivalent: QCad

QCad is a 2-dimensional CAD program. It doesn’t have the 3D capabilities of AutoCAD, but it’s a lot easier to use in general, and if you don’t need the 3D views, you may find it a great solution at a fraction of the cost. QCad can read industry-standard DXF files.

Building contractor

Assessment: No equivalents

Proprietary software: Various estimating packages

Free software equivalent: None

There are about a dozen different packages for generating estimates for housing remodels. Some include regularly updated databases with prices of materials in particular cities. As you get to the lower end of software, there are a lot of authors of shareware packages to meet very specific needs, and only a few of these have moved to a free software model.

Moving to free software

Even if you’re stuck using a proprietary, Windows-only software package in your business, there’s no reason you can’t start taking advantage of free software for the rest of your business, and start limiting your dependence on vendors who can cut off your service. If you have several computers in your business, you might keep one of them on Windows to run the software you need for your business, and cut the licensing expenses on the rest of your computers.

Comments

Submitted by Anonymous visitor (not verified) on

This once happened to me. I was up for a deadline the next day when my computer started to reboot while I was working. I don't think that I was exaggerating things but indeed I knew that my PC was in trouble. Thus, I didn't panic at first but when 2:00 A.M. came I really started to freak out. At 5:00 A.M. I was out of the house and off to an internet cafe. Such a tragic experience.

http://www.neworleansbl.com

Submitted by Anonymous visitor (not verified) on

I agree with what you are saying here. I worked for Microsoft for 10 years, in Australia and in UK and of course I saw a fair share of attacks and viruses. That was 10 years ago, after another 6 years as a consultant I finally started waking up to how things are and how things can be. The amount of money an individual or company spends (if they have licences) on software can be outrageous. I believe a lot of this is down to ignorance or being locked into some form of proprietary software. I have now been using Linux in some form for a couple of years now and yesterday I found myself forced to use a Windows machine. It was a strange experience and not a pleasant one. I found myself actually looking for free software alternatives to the software already installed. Looking for the tools I know and have come to love through using Linux. In this case it was Gimp as I was doing some image editing. I remember when I first used this app and I took one look and thought, I need Photoshop. Now, even with Photoshop available, I found myself installing GIMP on Windows to use instead.

I hope to see a spread of the use of Linux and Open Source Software. It frees up people from the money grabbing corporations and lets them either just use good software written from a user's perspective, interact with the people who write the software or even contribute to the software.

There are some great distributions out there now and they are so easy to install. In many cases, you don't just get a system, you get email, office suite, graphics tools all installed from the word go.

Yes, it is different, but the change is worth it.

Submitted by Anonymous visitor (not verified) on

While I agree with the general viewpoint of the article, the overall article is very biased towards Linux.

As a user of both, my experience has been that certain common features of a desktop or laptop machine are at times very difficult to get working on Linux - for example, many current distributions, CD based or not, have a tough time with most built in wireless cards in laptops. On some distributions this can take hours to get working and that's for an IT professional. The truth is that the vast selection of Linux distros out there is actually a major hurdle for the casual user because different distros have different strengths and weaknesses and the average user wouldn't have the time or expertise to select the right one, not to mention switch when a necessary feature is not supported or easier to use on a different distro.

In another example, the issue of remote support is completely incorrect. Microsoft Windows 2000 and later include a remote administration tool called remote desktop (or terminal services). While it's true that there was a recent vulnerability discovered in it, there have also been recent vulnerabilities in the Linux SSH component which serves a similar purpose. What's important here is not the selection of OS but the observation that without current updates, your system can be compromised!

The use of Linux as a desktop platform is very dependent on a solid GUI based system, something that is often an afterthought for many Linux developers since the product started out as a server solution. The Xserver based GUIs of most Linux distros are inconsistent in the elements of the OS that they expose via GUI and sometimes very unintuitive or unstable (as the latest Ubuntu fix that disabled Xserver demonstrates).

So, while the general point of look around before you make a decision is very valid, I would argue that current Linux distros are a viable choice for individuals and/or organizations that have access to knowledgeable resources for deployment, configuration and support. The average home user is better off biting the Windows bullet for another version until a good solid friendly Linux desktop distro comes out.

On the side, I couldn't agree more about applications. While some of us have access to MS apps based on licensing arrangement from work, general software packages for Windows are bloated, expensive and contain more features than most people can use in a lifetime. A free alternative that provides 80% of the features is usually a fantastic alternative.

Submitted by Anonymous visitor (not verified) on

Not to be raining on your parade about how easy it is to remote admin Linux (it is), but the tools are there for Windows as well.

As a person that runs several game servers out there (entire boxes - not virtual servers), I run them all on Windows (the code is often cleaner, unfortunately since the code is written for Windows then ported to Linux), and I admin all my stuff far more securely than just using Remote Desktop. Install OpenSSH on Windows (http://sshwindows.sourceforge.net/), set it up for certificate authentication, and tunnel all administrative connections through it. Does Windows come with it? No. But it doesn't come with most other stuff that it really needs, either, like a good firewall, antivirus software, etc. Configure the firewall for only what it needs, and you're good. The running OpenSSH server will only consume a few MB of RAM, and you can tunnel Remote Desktop, etc., through it. Have more than one machine behind the NAT proxy? Allow Remote desktop connections only from the machine that has SSHD on it, and connect open a remote tool from that machine, or forward your connection via the tunnel.

Having said that? Linux rox. I run it every day. My sole point is that while Linux has some great things going for it, the nature of open source brings most of that great stuff to Windows as well. Now, if I could just find a "tabbed" SSH client, like Konsole.
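
The setup the comment above describes, sketched as configuration (an added example, not part of the original comment or article). It assumes a current OpenSSH server and client and public-key logins; the host names, user name, key path, local ports and the 192.168.1.20 address are constructed placeholders.

```conf
# ---- Server side: sshd_config on the one machine that runs the SSH server ----

# Key-based logins only, so there is no password to guess.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# Permit client-to-server port forwards only, and only to Remote Desktop
# (TCP 3389) on this host and on one named machine behind the NAT.
AllowTcpForwarding local
PermitOpen 127.0.0.1:3389 192.168.1.20:3389

# Nothing else needs to ride over the administrative tunnel.
GatewayPorts no
AllowAgentForwarding no
X11Forwarding no

# Firewall, outside this file: expose only the SSH port to the internet.
# On 192.168.1.20, accept TCP 3389 only from the SSH server's address.


# ---- Client side: ~/.ssh/config on the administrator's workstation ----

Host gameserver-admin
    # Placeholder public name of the SSH server
    HostName ssh-gateway.example.net
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Local ports bound to loopback only, one per Remote Desktop target
    LocalForward 127.0.0.1:13389 127.0.0.1:3389
    LocalForward 127.0.0.1:13390 192.168.1.20:3389
    # Fail the connection instead of running without the tunnel
    ExitOnForwardFailure yes
```

With `ssh -N gameserver-admin` running, the Remote Desktop client connects to 127.0.0.1:13389 or 127.0.0.1:13390, and port 3389 is never reachable from the internet.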

Submitted by Anonymous visitor (not verified) on

Non geek down here...thanks to the author for a good, English explanation. I am borderline tech savvy, mostly aware enough to know what I don't know, do some basic maintenance and troubleshooting (just beyond - is the power cord kicked out?). At one point, I was much more knowledgeable (enough to earn respect of geeks and close deals for hardware co.) but have been out of the tech world too long.

Finding through my current work (writing for 'zine and blogging) that most advice and help out there is either really, really basic; or more often, geared toward much higher level of proficiency than many of us have.

I really appreciate straight talk from knowledgeable people who get how to dumb it down for the rest of us!

Thanks!
Jacqueline Church
Leather District Gourmet
Gourmet Food

Terry Hancock's picture

My biggest frustration about Linux security is that most of the documentation is written for “high buy-in” technical users. Most of the tech support makes the same assumption.

There is a general “Windows users are idiots” / “Linux users are experts” meme that works against the newcomer to Linux.

Now, I'm neither an “idiot user” nor a “professional IT guy”. I'm a moderately experienced desktop user, with a fair amount of scientific and tinkerer programming experience. I personally hate worrying about security, and would really rather I could get somebody else to do it.

However, I also want to run my own web site, using technologies like Zope, which means I need to administrate my own server. I'm okay with that, but it annoys me that all the resources I can find are the ones only an engineer could love. I recently had a run-in with the tech support on my virtual server site, because I made a configuration error that left the site open to exploitation as an “open proxy”. That was obviously a bad mistake, and I'm glad they shut it down.

If you've ever actually tried to set up an Apache server to front a back-end web server like Zope as a “reverse proxy”, while simultaneously juggling virtual domain names with mod_rewrite, then you know that it's an amazingly tricky, overly complicated, and under-documented system. It's what we like to describe as “a maze of twisty passages, all alike”, as the IF games used to put it. So the fact that I could make an error like this by accident, should not be at all surprising, no matter how destructive it might be.

But what bothered me is that they implied I was doing it on purpose! That's because, being “someone who knows Linux” they just automatically assume I'm some kind of expert (I guess). I believe this problem is behind me, and I'm pretty certain I've secured my site better—but you never really know. Deliberate malice will always find a way to break the system.

One of the continuing attractions of Windows-based servers, regardless of the technical problems, is probably that you don't get insulted for your lack of privileged inside information: everybody just assumes you're an idiot to begin with, which is sort of comforting in a twisted sort of way.

If GNU/Linux is to get more broadly accepted, even in the server market (especially on the low, small-business end), the community and the industry are going to have to develop a more friendly attitude to part-timers like myself, who are not being paid high-dollar IT salaries to maintain their servers (and to know all the ins and outs of doing so), but are instead trying to juggle the task with designing and improving their websites or just running their business.

Submitted by Anonymous visitor (not verified) on

I've recently tried Linux again for the third time in six plus years. I don't like WGA in XP, I don't like the DRM crap in Vista, and I don't like what I read about Microsoft's future plans and technology and what they could do with the technology (http://lxer.com/module/newswire/view/79728/index.html).

Having tried Ubuntu last year and liking it, I decided to try Xubuntu this year because I could have a nice looking desktop that wasn't resource intensive. I like Linux and Xubuntu in general very much but here is what will probably keep me from switching to it - Linux versions, or similar alternatives, of current Windows apps that I use.

Yes, I can dual boot or use QEMU or VMware, but then I'm still using Windows, so if I still have to use Windows, why not just use it period? I have other interests in life and keeping Windows and programs up-to-date already consumes enough of my free time. I don't need to add more work keeping a Linux OS and apps up-to-date as well.

In any case, the lack of a Linux version, or acceptable comparable alternative, to the following Windows apps will keep me from switching: Adobe Acrobat, Quicken, Visual Studio, SnagIt, TreePad (although they're currently working on Linux versions), ExamDiff Pro, Password Agent, Easy CD-DA Extractor.

Listing these apps brought something else to mind about why I'm resistant to making the switch; the time involved to find and play around with alternative apps.

One last point about the editorial regarding "...vendors who can cut off your service." This can happen with open source projects as well if the developer(s) decide not to continue development. Sure, someone else could take over development, but there's no guarantee that will happen.

Author information

Biography

John Locke is the author of the book Open Source Solutions for Small Business Problems. He provides technology strategy and free software implementations for small and growing businesses in the Pacific Northwest through his business, Freelock Computing.