A recent article in the British publication The Times reported that the government there was warning that employers could face prosecution if they "snoop" on workers' email messages. Last year in Australia, the Workplace Surveillance bill of 2005 similarly inflicted criminal charges on employers who read employees' mail.

This is a very different story from the U.S., where in general courts have held that if employers own the computers and Internet connection, they have the right to monitor what's being done with them.

Of course, Europe and other foreign countries tend to be much less-user friendly for employers in many ways - witness the reason demonstrations in France over the idea of giving employers the right to fire young workers (and the government's subsequent caving in on the issue). European countries have federally mandated vacation time, as well, and employees take an average of five weeks off work each year.

While European laws tout their protections of individuals' privacy to the extent that a company isn't allowed to read email it's paying for, apparently those protections don't extend to the government. No privacy there -- another Times article was quoted as saying the British government is planning to fit all cars with a microchip to automatically report speeding, illegal parking and road tax evasion to authorities. If the Electronic Vehicle Identification (EVI) system is implemented, critics say the cars would be monitored by roadside sensors. You can read more about it here: http://www.safespeed.org.uk/evi.html

Privacy is important, and employers should certainly be required to protect confidential employee data such as medical information, social security numbers, home addresses/phone numbers etc. from outsiders. However, some of these privacy laws seem a little like red herrings. Governments pass legislation that purports to give their citizens the right to privacy while at the same time taking away all privacy from government intrusion.

It's a trend that I hope we don't import anytime soon.

Our government is already doing enough to aid and abet the identity thieves. For instance, ever notice that the IRS forms, in their instructions, say you must give your street address rather than a P.O. box? I don't have a problem with having them know my street address, but I don't want them to mail correspondence there (which invariably has my social security number on it), where a thief could easily steal it from my mailbox. Likewise, state governments should allow us to use mailing addresses other than our residences on our driver's licenses. They can still require you provide them with your street address to keep on file for law enforcement, but keep that information off the license itself, which we have to display to merchants and others with whom we do the most casual business.

Let's start taking privacy seriously, where it matters most.

APRIL 6, 2006

Whatever the software problem, there's always a "final solution": wipe the disk clean, reformat and start over. This is the nuclear option often recommended (or even exercised without asking) by many PC repair shops staffed by quasi-techies with mediocre skills who don't want to do the harder work of ferreting out the real problem and fixing it.

And sometimes it's a good idea. I like to do a reformat of my primary workstation at least once a year whether it needs it or not. It's sort of like a high colonic for the machine. Flushes out all those poisoning little bits and bytes that have accumulated over the course of installing, deleting and running programs. And rebuilding the empire -- bigger and better than before -- is always a heady feeling.

But I want to apply this "scorched earth" solution when I get ready to do it. I don't want to be forced to do it. Unfortunately, the growing malware problem is forcing a lot of people to do the "wipe and start anew" dance when they have no desire to do so.

According to eWeek, in an article by Ryan Naraine at http://www.eweek.com/article2/0,1895,1945808,00.asp, a Microsoft security official even admitted defeat this week, saying that when you're dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch." Ouch! It takes me a good half day to reinstall Windows, configure it as I like it, and reinstall all my applications. Of course, I can do it a lot more quickly if I've ghosted a drive image beforehand, but that takes a lot of the fun out of it.

Anyway, we're not talking about me here. What about the average home PC user, like my aunt, who gets nervous at the thought of downloading an add-on for her browser, much less nuking her hard drive and then trying to put Humpty Dumpty back together again?

Mechanisms such as System Restore have made it easier, except that too often I've encountered systems on which System Restore just plain doesn't work. No restore points have been created, or those that have been created won't restore. It's a great concept, but it still needs work before we can hail it as The Answer.

Meanwhile, tens of thousands of computers out there are infested with viruses, worms, Trojans, spyware and other malware to the point where they're practically unusable. And despite all the firewalls, anti-virus, anti-spyware software and other tools designed to address these threats, far too many people wait until the problem is too far gone for help. It's like ignoring the symptoms of cancer until the disease has spread throughout your whole body.

As with our physical health, the best course for keeping your computer healthy is to practice preventative medicine. It's easier to keep malware out in the first place than to remove it. That means configuring the operating system and applications securely -- and in some cases, it may mean a little inconvenience. For example, spyware and viruses can get downloaded to your system via Active X controls. You can prevent that by turning off Active X, but that may prevent some good web pages from displaying properly. Life's all about trade-offs. And so is security.

APRIL 1, 2006

It seems as if the trend these days is to put the responsibility for our security on somebody else. That's true whether we're talking about network security, national security or personal security.

We look to the government to protect us from the terrorists. Certainly that is a primary function of government - but it shouldn't mean that we don't also have a responsibility to learn about terrorism, learn how to best avoid situations that would put us more at risk ourselves, and prepare for the worst by stocking up on food, understanding how to increase our chances of survival in a biological or chemical attack, even consider ways to react in case we're caught in an airline hijacking or other attack scenario. After all, the passengers on 9/11/01 United flight 93 didn't wait around for the government; they took matters into their own hands.

Yet I see the "not my job" attitude when it comes to securing our computers and networks -- even from people (IT pros) whose job it is to ensure that systems are as protected as possible. Everyone seems to be pointing fingers at the operating system vendors (mostly Microsoft) and looking to them to provide some mythical combination of perfect security and absolute ease of use.

And the software companies can't win in the public eye. If you lock down the software "out of the box," you get complaints that the product "doesn't work" or "is too hard to configure." If you provide secure settings as a configuration option, you get blasted for "leaving users open to threats."

The people who believe all responsibility for security rests on the shoulders of software vendors remind me of those who believe that the police can/should be able to keep them safe from the bad guys at all times, no matter where they go. It's a nice idea, but it's not going to happen.

Security is a partnership effort. The software vendor/government can only go so far. There's a point where you have to recognize that ultimately, when it's your system or your person/family/property at risk, it's up to you to provide that last line of defense. In "real life," that may mean buying a gun and knowing how to use it (and/or buying a big dog, an alarm system, etc.). In the tech world, it means learning security implications of system configurations and taking control of yours, whether or not they're turned on by default.

We can yell all we want about how somebody else should have been protecting us, but it's our data (or lives) that are on the line.  

MARCH 23, 2006

Another critical security vulnerability in Internet Explorer was reported this week. It was discovered and reported by Secunia Research and confirmed by Microsoft. The bug affects fully patched Windows XP systems with Service Pack 2 applied -- and is also present in IE 7 beta 2, which many of us techie types are now using as our primary browser.

The Microsoft Security Response Center says the new "refresh" version of IE 7 beta 2 isn't affected. At least that's good news. So what do you do in the meantime to prevent an attack exploiting this vulnerability? MSRC recommends turning off Active Scripting. They also note that the script doesn't render in email, so you don't have to worry about being at risk from Outlook or Outlook Express.

And what exactly can a hacker do with this vulnerability? Secunia says a malicious web designer can use it to execute arbitrary code on your computer when you visit the site. Not a good thing.

And this comes right on the heels of reports of another vulnerability that was reported by Michal Zalewski, an independent security researcher. This one takes advantage of an IE buffer overflow vulnerability.

These reports aren't helping IE's market share as more and more users desert to Firefox and other alternative browsers. But what it might do is motivate the IE 7 team to put even more of an emphasis on security than they already have (which is considerable).

No web browser is ever going to be 100% secure; that's just the nature of the beast. Do a search for Firefox vulnerabilities and you'll see that they have their share. So far, I like what I've seen in IE 7. The new anti-phishing filter, the "low rights" feature and other new security mechanisms make it more secure than older versions, but in my experience with IE 7 security doesn't get "in your face" nearly as much as it did with IE 6. That is, accessibility hasn't been sacrificed to security. And is a good thing - because users who are frustrated by security measures will find a way around them, putting themselves and their whole networks at risk.

I've seen a lot of complaints about the "phoning home" aspect of the anti-phishing filter (the filter consults an online list of known phishing sites and also reports suspicious sites to Microsoft). It's funny that we don't hear any complaints about anti-virus software "phoning home" for updates. It's unclear how the complainers think the anti-phishing technology could do its job properly without phoning home.

MARCH 16, 2006

Along with "What's in your wallet?", we now need to be asking ourselves "What's on your key ring?" Once upon a time, losing your keys carried with it the possibility that someone, if they knew where you lived, might be able to get into your home or steal your car.

That's bad enough, but with today's technology, it can be much worse. You know all those little plastic tags that many folks have on their key rings now? Some function as full fledged credit cards, others are discount cards for the grocery store or other retail establishment.

Either way, they contain personal information about you, which can include name, address, phone number, credit card number and more. Losing your keys when you carry these card tags opens you up not just to burglary and auto theft, but identity theft, as well. And the latter can be a nightmare that seems to go on forever and reaches into all aspects of your life, ruins your credit history, costs you thousands of dollars and can even cause you to lose out on job opportunities, loans, etc.

The more techie among us may have even more to lose. Authentication tokens that can be carried on key rings are growing in popularity, and losing one of those could give someone unauthorized access to your computer, network and data - although this threat is ameliorated by the usual requirement that a password or passphrase be entered in combination with inserting the token in order to log on (two factor authentication).

What about those handy little USB drives that conveniently hook onto your key ring. What kind of data do you have stored there? Is it encrypted?

All these new devices make life more convenient, but they also present new opportunities for the thieves among us. Misplacing your keys is such a common occurrence that there are devices marketed just to help you find them, but leaving them in the wrong place can have greater consequences than ever before.

Hang onto that key ring!

MARCH 6, 2006

Don't get me wrong - I hate the junk that clogs up my Inbox every morning and I'd hate it even more if our server-side spam filters weren't catching 90% of it before it makes it to my Inbox. But I also hate some of the spam solutions that people are resorting to.

Perhaps the most annoying are the spam services that require anyone sending you mail to go register at a web site before their mail gets through. This isn't a problem for the typical home user, I guess, who only expects and gets mail from a small, fairly static number of people. As a writer, I get lots of legit mail from strangers (some of whom want to give me money -- well, in return for work, of course) and there's no way I'm going to make them all through an extra step to send me a message.

I also get lots of questions from readers, and I am highly annoyed when I sit down and spend several minutes answering those questions, hit Send, and get back a message saying "sorry, I'm only accepting mail from registered senders, blah blah blah."

Commercial blacklists are another pet peeve of mine, because it's so easy to make enemies on the 'Net, often without even knowing it. And it's easy for those enemies to report your domain as a spammer even if you've never sent a piece of spam in your life. That can really screw up your whole communications system, as suddenly none of your friends and colleagues receive your mail.

There are some good spam filtering programs out there, but I prefer the ones that let me control what gets marked as spam and what doesn't. I've found that, as with most other security-related issues, a multi-level solution works best. Filter for the most blatant spam at the server level, then let client-side software (Outlook's built-in junk mail filters or a third party program) catch most of the rest.

MARCH 1, 2006

They got some of it with Windows 2000, more of it with Windows XP, and there's even more on the way with Windows Vista. The goal of this group is to never have to pay extra for a third-party security product again, and Microsoft has been working hard to accommodate them. That's called customer service, and it's a good thing.

However, there's another group whose mantra is "bundling is bad." Not surprisingly, it includes many of  the vendors who make those third-party products, along with the anti-trust watchdogs in government and, inexplicably, a lot of open source advocates (who usually like the idea of more for the money - or for no money).

Of course, this brouhaha started long before security took a front seat, with years of protest and lawsuits over the inclusion of web browsers and media players in the OS.  But some of the same folks who complained about those "extras" being bundled with the OS are now demanding built-in security mechanisms, on the grounds that security is a necessity, not an "extra."

One advantage of built-in applications and utilities (whether they're security-related or not) is better compatibility. How many times do we hear about the installation of an AV or anti-spyware program causing a system crash or weird behavior, or problems configuring third party firewalls and IDS?

Of course, just because Microsoft bundles security programs with the OS, that doesn't mean you can't use third-party products instead or in conjunction with them. Many of us run multiple web browsers; I have IE, Firefox and Opera installed on my primary workstation and use them all. Many people turn off the Windows firewall and use Kerio, Zone Alarm or some other personal firewall they like better.

The good thing about having these apps built in is that we'll no longer have to rely on individual users to install them. More of those who are running "naked" now will use protection if it's built into the OS. And that matters because Internet-connected users who leave their systems open to viruses, malware and attacks aren't just endangering themselves, they're putting everyone who swaps packets with them at potential risk.

So I commend Microsoft for taking steps to make the Windows "out of the box" experience a more secure and better protected one. But I urge third party vendors not to throw up their hands in despair. There'll always be a market for better, more sophisticated security products. This can be a win-win situation for everybody.