SOPA stands for “Stop Online Piracy Act.” It has a related piece of legislation, PIPA, the “Protect Intellectual Property Act,” that does essentially the same thing.

The titles of the bills don’t describe what they would do. They describe the pretext for what the bills will really do:

1. grant sweeping new powers to the U.S. government to censor the Internet
2. grant Big Media the power to automatically shut down Web sites they don’t like, without having to present firm evidence to a court

Simply put, these laws have no place in a society that values freedom of speech.

For more information, I would encourage you to visit the Electronic Frontier Foundation. They have a one-page summary that is worth your time to read.

What is Phishing?

Simply put, phishing is a form of fraud where someone tries trick you into disclosing secret information (such as your credit card number) by posing as someone you trust (such as your credit card company). In fact, phishing is a form of wire fraud, plain and simple. In my opinion it is unfortunate that the word “phishing” even exists. It’s a gratuitous neologism that, because of its cutesy spelling, potentially reads as something more innocuous than it actually is.

In fact, phishing is the most common form of identity “theft.” It’s rampant on the Internet. And you are a target.

How to Protect Yourself

You should also know better than to open a link in an e-mail message.

The whole point of phishing is that it’s trying to trick you. Contrary to what some know-it-alls might say, it is not easy to defend yourself against.

1. Don’t click on a link in an e-mail message, even if the message looks legitimate. Unfortunately this is the hardest rule to follow. Even the best of us forget. It’s easy to laugh off the silly Nigerian money-laundering scam but much harder to remember the rule when the message looks like it comes from your telephone company or a relative. And, like the hapless adventurer who picked up the Duck of Doom, our first mistake may have severe repercussions. Phishing e-mails take you to Web sites that may look legitimate, but actually capture your login and/or financial information for purposes of identity theft.
2. Use software to help you follow rule #1. As I mentioned in my previous post, you really need anti-virus software anyway. You can probably get it free of charge from your Internet service provider so there’s no excuse. Most “anti-virus” software these days is a multi-faceted suite of defenses that also includes some protection against phishing.
3. Do not trust your own judgment to identify fraudulent messages. Sooner or later, you’ll be tired or distracted and you’ll slip up. I used to take pride in my ability to spot a scam, and I almost got burned today. Only my anti-virus software saved me. If you believe you have superhuman powers and will never be fooled, please carefully read the fairly brief academic paper, Why Phishing Works.

My Lesson in Humility

Today is the day when, after years of vigilance, I finally forgot Rule #1 (don’t click on links in an e-mail message). I would have got burned if not for my anti-virus software.

I received a reasonably official-looking message that claimed to be from my Internet service provider, Comcast:

This message looks somewhat credible, but it's a fake. There are some warning signs but I missed them this time.

On a good day, I think I could have spotted this as a scam. There were a few warning signs:

Like many fraudulent messages, this one contained some spelling errors. Today, the crooks got lucky: I looked right past the errors and did what one should never do. God help me, I clicked the link.

Fortunately for me, my judgment was not the only thing standing between me and the outlaw gang that organized this sting. My anti-virus software kicked in and raised a great big red flag, just like it should:

My anti-virus software was more alert than I was, today.

The Take-Away Message

What I take away from this is that the scholars who wrote Why Phishing Works were right:

We also found that some visual deception attacks can fool even the most sophisticated users.

As in all matters of computer security, the odds are stacked in favor of the attacker. They can send a thousand fake e-mails that you easily spot, and then the thousand-and-first comes along and manages to trick you. You need anti-virus software to be there to catch you when your judgment finally does fail.

Since no software is perfect, it would be an epic mistake to rely entirely on your anti-virus program to protect you 100% of the time. Therefore, keep doing what the experts tell you to do: stay alert, and don’t click on e-mail links.

One of the remaining annoyances though is that even though I’ve been pretty careful about what I install on my PC, a certain amount of crapware has crept onto the machine. Crapware is stuff you, the computer user (or “owner” as I like to call myself) never asked for, don’t care about, and don’t want to use, but none the less is installed “for” you when you install something you did want, like a driver for a new piece of hardware. I am not talking about malware here; crapware is harmless but it’s annoying because it slows down the machine. I also have concerns that it’s spying on me a bit, sending “market research” data back to the mother ship. Besides, since I think of myself as the owner of my computer, anything I didn’t explicitly decide I want on my machine has no right to be there.

The particular piece of crapware that is on my nerves today is the help program that came with my Logitech webcam. I am not really opposed to having the webcam help program installed on my machine. What bothers me is that Logitech has decided that the help program needs to start every time I log into my computer. This post documents my quest to make it stop.

Auto-Run Programs

In Windows 7, programs can be configured to start automatically when the computer starts or when a user logs in. Loosely speaking, programs that start automatically when the computer boots are called services and those that starts when a user logs in are called, in the degraded patois that passes for technical English these days, autoruns. “Autorun” is, apparently, considered a noun. I hate that. How do we get from the verb “run” and the adverb “auto(matically)” to a noun? By means of a failing public education system, that’s how! The end result sounds like a particularly virulent form of gastro-intestinal distress: “I’ve got the autoruns.”

I will use the word “auto-run” as an adjective because I just can’t stomach using it as a noun.

Vendors have a penchant for installing their crapware as auto-run programs, either because they fervently believe that their crapware is central to the user’s computing experience and life without it would hardly be worth living, or, more likely, they want their brand name in the user’s face as often as possible for as long as possible. It’s a bit like the “free” advertising-supported PC of the late 1990′s, only without the free equipment.

Auto-run programs used to be called “startup programs” (in days when gramatical standards were a bit higher) and they were controlled via the Start Menu. This seems no longer to be the case.

Good and Bad Auto-run Program

I would first point out that there are some programs that I definitely want to run every time I log in. Norton Internet Security falls into that category. I can see people might want to always start an e-mail program or even Skype or a chat program.

However, every program that starts automatically takes some time to start. If you have too many of them it makes the log-in process slow. If you have way too many, it hogs memory and CPU power, slowing down your ability to run other programs. What I find disturbing is that increasingly, software vendors foist their crapware on us as auto-run programs for whatever reasons — and I doubt that out benefit figures prominently among those reasons.

My point is that you, the owner, should solely make the decision of what programs do and do not run automatically.

Getting Started on Controlling Auto-Run Programs

To start my quest, I typed “disable startup program” into Windows Help. Did I mention that Windows 7 Help is pretty cool? It allows you to type strings and then returns results whose relevance ranges from approximate to comically off-target. It’s like a search engine, but for help. The reason I used “startup program” as a search term is that is what auto-run programs used to be called in past version of windows.

Interestingly, Windows 7′s reply to my query was:

You can improve your computer’s performance by preventing unnecessary programs from running automatically when Windows starts. For information about tools that you can use to do this, go to the Microsoft website.

That page is actually pretty interesting: it wants me to download and install a special program that promises to help me get rid of unwanted autoruns. This sounds a lot like fighting crapware with crapware. I was skeptical, but decided play along. And it turns out the name of this “good” crapware is Autoruns. That’s right: I am going to be giving myself the autoruns!

What Autoruns Reveals

So I downloaded and unzipped the autoruns program. Just to make things confusing, “autoruns” is itself not and auto-run program: it’s a regular program you run in the usual way (by clicking), that tells you about auto-run programs.

If you are following along, you can unzip that file to any destination you want; I just stuck it in my Downloads folder for the time being. Then open the destination folder, right-click on autoruns.exe, and choose “Run as administrator.” You can run it as a regular user, but to actually remove auto-run programs (I still can’t bring myself to say it like they want me to) you’ll need administrator privileges so you might as well start out that way.

This is the list of auto-run programs that Autoruns revealed. I feel dirty.

Here’s a screenshot of what autoruns showed running on my machine. There are a lot of auto-run programs! If you try this on your machine and you see a lot of stuff you can’t identify, don’t worry: I don’t understand it either. Windows, in any version, is a big, complicated beast, and even professional Windows technicians don’t understand all of it.

Safely Removing Auto-Run Programs

Autoruns makes is pretty easy to remove auto-run programs in a way that you’ll be able to undo later. There is a check box next to each entry. Just uncheck that, without removing the entry. Danger: it does not look like autoruns has the ability to add auto-run programs, only remove them, so if you actually delete an item from the list you will not be easily able to get it back! You’d have to guess whatever software package included the deleted program(s) and re-install that.

Chances are, if you are going through this exercise you already you have in mind one or two auto-run programs of which you’d like to rid yourself. Another good cue is to look at the “Publisher” column in the autoruns display: generally things published by hardware vendors (such as the maker of your sound card or webcam) are good candidates for disablement. It is unlikely you will accidentally disable the driver because drivers aren’t auto-run programs: they need to start when the computer boots, not when a user logs in. The worst that could happen is you might accidentally turn off some automatic feature that you really do want, like the ability to play a music CD automatically when it is inserted. I am inclined to believe that most of that type of functionality is handled by Windows itself, and most auto-run programs provided by the vendor are superfluous and perhaps redundant.

Disabling a program in autoruns doesn’t stop it from running, it only stops it from starting the next time you log in. To actually stop an auto-run program that is currently running, you have two options:

1. Hit Ctrl-Alt-Delete and remove the program from the Task Manager. This may seem a bit daunting at first but you can’t mess anything up permanently; the worst that will happen is that your computer will be out of whack until you restart it.
2. Wait till you’re done editing in autoruns, log out, and log back in (or just restart your computer)

Check that everything is working normally and if it’s not, re-run autoruns and re-enable some of those programs you unchecked.

The trouble with Windows Search is that it can only search certain kinds of documents. Not too long ago I spent more money than I care to admit on a bunch of PDFs for Ars Magica; I already owned most of those books in hard copy but the corpus of material for that game has grown so large, and is scattered across so many books, that I don’t have the time or the patience to flip through all the possible books that might contain an obscure rule. (This is compounded by the publisher’s choice not to include an index in most of the recent books, but that’s another rant.) I thought that with the electronic rule books, that problem would be solved. Imagine my disappointment when I typed “magus” (the word for wizards in Ars Magica) and got no results!

It turns out, Windows Search doesn’t work on PDF documents, only MS Office documents and plain-text files. At least, not out of the box. But it is easy to add that capability.

The Technical FAQ for Windows Search contains the answer, and it is easy enough to find on Google — once the possibility comes to mind.

Windows Search can handle the file formats Microsoft controls, plus ASCII text. PDF is a proprietary file format, although there are free programs that can read and produce it. Ergo, there are licensing restrictions on who can include what PDF-related functionality in their software. (As an aside, this is why proprietary standards are annoying and harmful; they stop people from doing things that would obviously be useful.) If I had to guess, it may have been licensing reasons that stopped Microsoft from including PDF functionality in Windows’ search feature.

Windows Search is designed to be extensible, though. Software vendors can write a drop-in component called an “IFilter” that users can install, and then Windows Search will be able to process a new file format. This is pretty similar to the idea of a browser plug-in like we use to play Flash video or view PDFs in a Web browser, though instead of plugging into the browser it plugs into the Windows Search software. (Why Microsoft didn’t just call it a Search plug-in is beyond me.)

An IFilter for PDF documents is available from either Adobe or Foxit. You only need one of the two, so take your pick. I downloaded the Adobe version and voilà! I can find the word “magus” in that big folder full of e-books I just bought.

Windows Search can find text inside PDF documents like these e-books, if you download and install the right IFilter.

A couple of years ago I bought an Inspiron 1210 laptop (also known as “Inspiron mini 12″) from Dell. It’s a nice, lightweight laptop with a 12-inch screen. Interestingly, it has an Intel Atom processor, which is a 32-bit dual-core chip. It’s probably the last 32-bit general-purpose computer I will ever buy; all processors are 64-bit these days except for embedded processors on phones, toasters, set-top boxes, and the like.

At the time I bought it, Dell was shipping that model with Ubuntu Linux installed. I was looking for an inexpensive laptop for use at the gaming table, mostly to keep my notes and to run RPTools. My little Dell seemed to fit the bill perfectly. Initially, I was very happy with it.

Fast forward to late 2010, when I was assigned to give a presentation to my cloud computing class (I was a student, not the instructor). Like any good free software enthusiast, I made my presentation using OpenOffice (now LibreOffice) on my desktop PC at home. When I loaded the presentation onto my Dell mini, it wouldn’t open because it was created with a newer version of OpenOffice than I had used to create the presentation. “No problem!” I thought. “I’ll just update my version of OpenOffice.” That’s where the trouble began.

Linux Version on the Dell Mini

The Dell Inspiron mini shipped with a Linux variant called the “Dell remix” based on Ubuntu 8.04. (This is not to be confused with the current Linux remix Dell is using for netbooks and handhelds, called Moblin.) The main problem with the Dell remix is that it had a specially-modified version of the normal Update Manager that could only talk to Dell’s servers. That is excusable in a way, since the Inspiron needs an oodle of proprietary device drivers and the users needed some way to get those. What’s inexcusable is that Dell quietly withdrew support for the Dell (Ubuntu) remix some time in 2010; I can’t be sure because they never announced they were dropping support, and most of the documentation seems to have gone down the memory hole.

What this means is that I had a Linux computer that could only get updates from Dell’s servers, and Dell’s servers were permanently offline. So, no new versions of applications like OpenOffice for me. No security updates, either. Thanks a lot, Dell.

Needless to say, this treatment from Dell has irrevocably altered my perception of the company and its service. “Don’t buy from Dell” is my new mantra. And I didn’t; the new desktop I bought last year was from PCs for Everyone. It works great, and best of all, PCs for Everyone has never screwed me over. Thanks again, Dell.

Installing Linux 10.10

Since Dell left me with no upgrade path, the only thing for it was to wipe the hard drive and install a real version of Linux. This is not as easy as it sounds because the Inspiron mini 12 doesn’t have a built-in DVD or CD drive.

There are a couple of ways to get past this. For me it was easy; I had bought an external DVD drive that connects via a USB cable. When connected, that drive is bootable, so I could just pop in a DVD and boot and install from that. If you don’t have a DVD drive, you might want to look into trying to boot from a USB thumb drive. Since I haven’t tried that myself, I won’t try to explain how to do that.

Be sure the Linux version you install is for 32-bit machines. All the Inspiron minis were 32-bit when I bought mine, though this may have changed by now. Dell is still making machines with the “mini” label.

Drivers

Installation went smoothly enough but right away I noticed the machine was locking up within a few minutes of starting. This is due to the fact that Dell builds their laptops using a lot of proprietary hardware, for which free (as in freedom) drivers are not available, at least not from the main Ubuntu download site.

Graphics Driver

The problem was the GPU, which is an Intel GMA 500. It took quite a bit of digging to find a solution to this: finally I tracked down this excellent forum post that explains everything. Essentially you need to install some firmware packages and manually edit your /etc/X11/xorg.conf file. See the post for details; I don’t want to reiterate it here for fear of losing some important detail in the transcription.

Once I followed those instructions, my lock-up problem went away.

Wireless Driver

Which brings me to the wireless driver. I’ve heard it said that Dell is quite inconsistent with what wireless hardware it ships with each computer, and even two computers with the same model number might have very different wireless chip sets. I can kind of understand that; Dell’s supply chain is large and complex and the component vendors’ upgrade cycle is not necessarily synchronized to theirs. I understand it; I don’t have to like it.

What this means is the fix for me may not necessarily work for you.

The model number of the wireless card is listed on a label on the underside of the laptop, like this:

The wireless networking card's specifications are on the lower-left label on the underside of the Dell mini laptop.

The model number should be at the very top of this label. For me, it’s “Broadcom BCM94312MCG”. Wire that down, because you’re going to need it.

Next, see whether Ubuntu has a proprietary driver for your wireless card. This is a bit of a catch-22 because you need an Internet connection to download the driver, and you need the driver to connect to a wireless access point. So, you’ll have to connect to the Internet the old-fashioned way, with a Ethernet cable (more properly known as a Category 5 or CAT-5 cable, though technically CAT-6 should work too).

Once you’re online, go the main menu on the desktop and select System -> Administration -> Additional Drivers. This will take a moment to scan your hardware and search online for a driver that fits. You should see one or two drivers available. Choose the one that best fits your driver’s model number, select it, and click “Activate.”

If you don’t see an exact match, you can perhaps make an educated guess based on the model number. For me, there was no exact match for my model number, but the description of the “Broadcom STA wireless driver” listed a bunch of model numbers so I figured it might be close enough. Seems to work fine.

Danger! Look before you download!

CAUTION: if you just Google for keywords like “Linux driver {your model number}” you are very likely to come upon a malware site! There are shady characters who set up fake “freeware” sites to trick people into installing Bad Things on their computers. I found a bunch of ‘em, the first time I ran a quick search looking for an exact driver. I recommend you first use trial and error to see if a driver from the Ubuntu “Additional Drivers” installer will work, and if that fails, try asking in a reputable discussion forum such as Ubuntu Forums.

The Institute of Electrical and Electronics Engineers (that’s “I-triple-E” to those who know what it is), of which I happen to be a member, published a list of the top 10 technology developments in the decade 2000-2010. This is not a list compiled by some self-styled “tech-savvy” journalist, it’s the list of important technology compiled by people who built the stuff (or similar stuff).

If you don’t want to read the original article, which is brief enough, I’ll give you just the list.

11) Class-D audio amplifiers, which I’d never heard of until today
10 – Digital photography
9 – Flexible AC power transmission (foundations of the “smart grid”)
8 – Planetary rovers
7 – Drone aircraft
6 – Cloud computing
5 – Multicore CPUs
4 – LED lightbulbs
3 – Voice-over-IP
2 – Social networking
1 – Smartphones

Of those, I don’t think “social networking” really fits in: all the others are more nuts-and-bolts technological breakthroughs, whereas social networking is just a Havard dropout’s idea for making a gazillion dollars by selling people’s private information. But the other 10 I’d agree are a big deal.

2010 was kind of a scary year from the point of view of computer security. One big event was the onslaught of the Stuxnet worm, the first computer attack widely believed to have been created by a nation-state for purposes of espionage. Closer to home for most users, 2010 saw a continuing parade of privacy scandals on Facebook. It may seem that last year, the state of security on the Internet was going from bad to worse.

In fact, the more I learn about computer security, the more optimistic I become that we, computer users, can do a lot to make our systems more secure. I have in mind a multi-part series of articles to explain in plain language how to go about doing that. There are some things about computer security that are out of our hands, but there are many other things we can control. The threat from black hats has never been greater, but as that threat becomes more recognized, the opportunities for users’ education and self-protection become greater.

Security for the Everyday User

Most Americans in this second decade of the 21st century use computers on a daily or at least weekly basis. Yet very few have a good grasp of the basics of computer security. I would go so far as to say that most people don’t want to know about computer security. They just want to use computers and not have to know about security or worry about security at all.

Unfortunately, the time when that attitude was reasonable has passed. The Internet has simply become too lucrative a target for criminals. The only way to safely ignore the threat is to get off the grid.

However, I don’t believe every user has to become an expert or spend a huge amount of time and effort worrying about security. In the physical world (what I like to call “meat space”), we all learn basic safety and crime-prevention habits. It starts in kindergarten when we learn to look both ways before crossing the street, and progresses into adulthood with learning to lock your car doors and avoid certain parts of town at night. Security in cyberspace (at least for ordinary users) does not have to be a lot different. The techniques I will describe are the equivalent of those basic habits. Like safety habits in meat space, they won’t guarantee that you won’t become a victim. What they’ll do is manage the risks. The future I am working toward is one where everyday computer users are equipped with the habits and tools they need to reduce their risk exposure, without much more effort and inconvenience than we exercise to manage risks in meat space.

#1 Tip: Use Anti-Virus Software

The most important thing you can do to protect yourself is to install “anti-virus” software on your computer. These days, “anti-virus” is a bit of a misnomer because viruses are not the only threat. Modern anti-virus products help protect your computer against all kinds of attacks: worms, malware, phishing, and, yes, viruses. The distinctions among these different kinds of threats are in some sense academic. The key is that you need some kind of software to provide a basic defense against the various threats, and you need to keep that software up to date.

I’ll be the first person to admit that anti-virus software isn’t perfect. The most common criticism is that it only protects you against threats that have already been detected and cataloged. That’s perfectly true, and if you are running a bank or even a commercial Web site, anti-virus software alone is not good enough. However, just because anti-virus software is imperfect is no reason not to use it. A deadbolt on the door to your house isn’t perfect, either: an intruder could always break a window instead. It remains a basic tool that is a sensible part of any risk management strategy.

Once a computer attack is written, it tends to remain active and to replicate itself over the Internet. Protecting your computer against yesterday’s attacks makes perfect sense when yesterday’s attacks are still attacking you today.

You Really Do Need Anti-Virus Software

Don’t make the mistake of thinking you are too insignificant to be a target. Computer attacks are automated; they scan the Internet for any computer that might be vulnerable. They’ll go after you regardless of whether you have valuable information. Indeed, very often your computer is not the ultimate target of the attack: the attacker only wants to take over your machine to use it to assail some higher-value target. That way, when the FBI traces that cracking attempt on Bank of America, they find it came from your computer, not the actual criminal’s.

You might think that you’re immune to “viruses” if you use a Mac. While it’s true that the majority of computer attacks are written to go after Windows, there are plenty of attacks against Mac OS as well. As recently as a couple of years ago, Apple was running TV ads claiming that Macs were less likely to fall victim to “viruses” than PCs. That was questionable to the point of being disingenuous then, and it is even less true now.

Linux users, I’m also looking at you. Most Linux users aren’t even aware that anti-virus software for their platform exists. Ponder this: with Linux becoming so prevalent as an operating system for Web servers and corporate infrastructure, does it still seem unlikely that criminals will unleash automated, self-replicating attacks against it?

Obtaining Anti-Virus Software

There are many anti-virus products on the market. In my opinion, it matters a lot more that you install something than that you pick one particular product over another.

I definitely don’t get paid to make endorsements. I have been using Norton Internet Security for the past two years and have been fairly happy with it. Before that I tried McAfee and I hated it: at the time at least, McAfee’s update mechanism required users to turn off important security features in Internet Explorer. (Specifically, it required setting IE security policy to “medium,” which enables ActiveX, a huge and unacceptable security hole).

If you are really cheap, there are several ways you can get some level of protection for free:

1. Your Internet Service Provider may offer anti-virus software to all its users. This is in their best interest because unprotected machines can be taken over by bad guys and used to launch attacks, which messed up their network. Check your ISP’s Help page or call their tech support line.
2. Here’s a list of several anti-virus programs you can download and use for free
]]> http://www.andrewgronosky.us/2011/01/2011-the-year-of-fighting-back-against-black-hats-part-1/feed/ 0 http://www.andrewgronosky.us/2010/04/it-is-never-a-good-time-to-change-your-password/ http://www.andrewgronosky.us/2010/04/it-is-never-a-good-time-to-change-your-password/#comments Sat, 24 Apr 2010 11:27:55 +0000 AndrewG http://www.andrewgronosky.us/?p=73 Many people, including (I am embarrassed to say) myself, have given people advice to periodically change their computer passwords. The more I learn about computer security and human factors, the more I come to realize this is fundamentally bad advice.

A Boston Globe article from a couple of weeks ago explains this far better than I could.

My new recommendation: don’t use passwords at all. Use pass phrases: entire phrases or sentences all mashed together into one word, or better yet, strung together with unexpected*punctuation^marks. Memorize them to the extent you can, and use a “password vault” program for those you can’t. Don’t change them unless you have to.

]]> http://www.andrewgronosky.us/2010/04/it-is-never-a-good-time-to-change-your-password/feed/ 0 http://www.andrewgronosky.us/2010/04/face-painting-for-confusing-face-recognition-software/ http://www.andrewgronosky.us/2010/04/face-painting-for-confusing-face-recognition-software/#comments Tue, 13 Apr 2010 00:04:51 +0000 AndrewG http://www.andrewgronosky.us/?p=69 A researcher named Adam Harvey published some of his findings about how face paint can confuse face-recognition software. He has pictures on his Web site.

This makes me think of science-fiction games, especially cyberpunk games. I kind of like the idea of characters painting their faces with camouflage patterns before they run the shadows. And, it’s based on Real Science! (And on the premise that face recognition software in that ultra-high-tech, futuristic world is not a whole lot better than what we have in the real world today. I think that’s called “dramatic license.”)

I guess what I’m trying to say is that cyber-elf chicks with Mohawks and facepaint are cool. That’s all.

]]> http://www.andrewgronosky.us/2010/04/face-painting-for-confusing-face-recognition-software/feed/ 0