Wednesday, January 28, 2004

The RISKS of IT

http://catless.ncl.ac.uk/Risks/
This seems to be a web interface to a newsgroup on risks related to the use of IT (news://comp.risks, RISKS-LIST, "Forum on Risks to the Public in Computers and Related Systems"). I didn't know it so far, but it's really quite interesting reading. For example, a post from January 5, "Danish PM's private communications disclosed by MS Word" (I think no direct link is available), is about the New Year's speech of the Danish Prime Minister, which was distributed in MS Word format. As most (?) people outside the IT world could also know by now, it's very easy to have a peek in the history of these kinds of documents when they're not pasted into a new document before distribution. Last year, the British government was embarrassed following the same practice. As far as I remember, it had to do with different people around Tony Blair editing a document about Iraq's WMD. A trail of who made which changes was easily found in the press release.
So, the thing that strikes me the most is that even in 2004 governments are still sending Word docs to the press. Are they thinking that now that this Word feature is public knowledge, everyone will act securely and think twice about sending Word docs around without first copying all text into a new document? But then, following this trail, you could also remove all corporate virus scanners from employees' email clients. They know how to discern legitimate correspondence from viral content. They will absolutely not open attachments which they don't trust. Sounds like reality? Of course not. People like to click on things, they like nice pictures, something to laugh about during the day. People need to be secured from all kinds of evil, which could be upon them every minute of every day. However, the problem is that you can never rely on everybody following the most secure practices, even if it's common knowledge. Then you can just wait for something like this to happen someday, or more often.
Instead, change your policy and distribute everything as PDF, or some other closed format.
This doesn't mean however, that people shouldn't be instructed about safe behavior. This is indeed quite important. But protective measures need to be in place to prevent these accidental kinds of things from happening. Sending PDF by default instead of Word helps a great deal with that. My idea would be that users should act responsibly, but need to be protected against themselves.
Well, now the Danish government will change their practice, according to this post ('"We will in the future distribute speeches as PDF files so that such things will not happen" says ministry spokesman Michael Kristiansen'). But it's acting after disaster, where a preventive measure could easily have been taken.


Tuesday, January 27, 2004

MyDoom virus alert

The MyDoom virus has been hammering on all Windows doors since yesterday. A part of the payload seems to be DDoSing SCO, the company suing IBM and the like for supposedly using their proprietary source code in developing the Linux OS.
This morning, arriving at work, I found the virus already blocked a couple dozen times by our mailserver. And this even without updated antivirus files. The problem with viruses, of course, is that they can spread so fast that automatic update intervals for virus scanners don't suffice to stop them. Also in this case, I expect a lot of companies were too slow updating their files, and the virus already spread on their networks. At least, I've always been very happy about our strict policy of blocking .exe, .scr, .pif etc by default. Compiled exes are just not meant to be distributed by email. And in case someone really has to send an exe, then they know that adding the txt extension will help. This measure of preventive blocking is quite successful, as even after about five years of mass email viruses (as far as I know, the Melissa virus was the first real massmailer, correct me if I'm wrong), they still pose a big threat.
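The default-deny attachment policy described above can be sketched as a small gateway check. This is an added example, not code from the original post or from any mail server product; the sample message is constructed, and the extensions beyond .exe, .scr and .pif are an assumption standing in for the post's "etc".

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# .exe, .scr and .pif come from the post; the rest stand in for its "etc"
# and are an assumption of this example.
BLOCKED = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def final_extension(filename):
    """Lower-cased last extension; trailing dots and spaces are ignored
    because Windows drops them when the file is saved."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def blocked_attachments(raw):
    """Parse a raw message and return the attachment names to reject."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED:
            hits.append(filename)
    return hits

def build_sample(filenames):
    """Constructed test message with one dummy attachment per name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text of the constructed sample.")
    for name in filenames:
        msg.add_attachment(b"dummy bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

SAMPLE = build_sample(["notes.txt", "photo.jpg.pif", "Setup.EXE", "tool.exe.txt"])

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

Only the last extension counts, so tool.exe.txt passes, which is the renaming workaround the post mentions; a filter meant to catch renamed executables would have to inspect the content as well.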

Sunday, January 25, 2004

Comments!

It finally seems to work. After much hassle with different blog commenters, I just installed the Haloscan commenter. Now... let's make a comment to this post

.... it works. Now, voice your opinions for the world to view ...

Freecell

Reading a shareware programmer's blog, I found the suggestion that you can be productive playing Solitaire on your computer. Well, what a nice idea. Instead I opened up Freecell (for the first time in more than a year probably). But even before I started playing, my ZoneAlarm asked whether Freecell should be given permission to access the internet. Why on earth would the most basic of computer games (well, not considering Pong) go to the net? To get new skins or new card-sorting routines, or what? Since card games have been in Windows since... well, I don't remember any further back than Windows 3.x, you wouldn't expect any more innovations for them.

Thursday, January 15, 2004

Software worries

Today I was asked by someone from our company if the Plaxo software could be installed (no link given, as I don't want Google to give this site a higher PageRank, but you can make up the URL yourself, in case you want to check). I've heard a bit about it lately, and also found a couple of the Plaxo contact detail information emails blocked by our spamfilter. The idea is that you install the software, upload your Outlook Contact List to Plaxo, after which all your contacts will receive a customized message requesting them to check the validity of the information you have about them. They can change their information online, and your address book will be updated automagically. This seems like a good idea, at least it saves you some hassle with contact information (and nobody likes to spend time updating this, do they?). But some things give me second thoughts:

  • the emails have a VCard as attachment, containing the contacts' information (if I remember correctly there was some VCard exploit.. lemme check... Yes, here it is). Our spamfilter blocks Plaxo requests by default anyway. As will be the case in other companies, to which my colleagues would be emailing the requests.

  • Plaxo is acquiring a wealth of information (e-mail addresses, but also the contact details themselves of course). The privacy policy on their website states that they "... Will not share your information with anyone without your permission. Period". But: does it prove they won't do that in the future?? Think about it: why wouldn't they one day change their EULA, with or without notifying you? Even if they notified you, would you check their website to see what has changed? Companies are famous for creating multi-page EULAs which no sane person would even consider starting to read.

  • it integrates with Outlook. Why wouldn't the program be used to acquire a little bit more information about you, and phone it home? Well, I guess they won't be doing that now, lest someone would have found out. But in the future??

  • related to the former: would you, as an IT Administrator, like to have some free software installed around your email client, without knowing what it does? I for sure wouldn't!


Well, seems Plaxo even made it to Wired last November. I especially like what Doc Searls says in that Wired article:
"If they won't explain how they intend to make money, one can only assume they intend to spend it," Searls said. "The product looks like a new way to hire a company to annoy your friends. It feels like spam. It's annoying, and I don't think there's a viable plan here."

Wednesday, January 14, 2004

The .NET Story continues

Up to now, I was actually under the wrong impression that you'd need Visual Studio.NET to be doing really serious .NET stuff. Point is, because we're oriented towards Visual Studio 6 almost exclusively in my company, I was skipping all .NET stuff when I was searching for VB code. You know, -.NET in Google :)
After installing the .NET Framework the other day I started to read more on the subject. Now, I also installed the .NET Framework Software Development Kit (a 100MB download from MSDN), and the freeware IDE Web Matrix (in its 0.6 stage at the moment). The first one is so impressive that I need some time to lose myself in it. Web Matrix is a simple IDE (no IntelliSense, not very elaborate. But what would you expect?). Anyway, with the SDK it should be possible to make the same Windows Forms and Web applications as with VS.NET, only without the environment that takes so many things out of your hands. And well, coding in a basically text based environment is better than letting the software do 'everything' for you. Doing it the software way will not help you very much in case you'd want to set up something without the IDE. But for now I know I'll sign off my VB6 newsletters and find some good ASP.NET ones. Please let me know which ones are the best for someone just starting.

Thursday, January 08, 2004

.NET as the last of the mohicans

Today is the day I want to start with ASP.NET. I find so many sites dedicated to .NET that I feel I'm falling behind in knowledge. For lack of Visual Studio.NET I downloaded the .NET Framework 1.1, and installed one of the StarterKits from www.asp.net. This didn't go without much ado, because I had this strange installation order: Framework, StarterKit, IIS. That was because I wanted .NET a little bit too badly, and forgot I was only working on a Windows XP Pro test client without a personal webserver installed. Well, after removing, rebooting to be sure, and the proper installation order 1) IIS, 2) Framework, 3) Starterkit, I had more luck. The underlying database was added to a (test) SQL Server with no problems. And the first time the default.aspx page was loaded it worked! Only found out I had the Community Kit installed (advanced level) instead of the Commerce Kit (basic level) - seems like I really was in a hurry :) Well, I don't know if the label 'advanced' is only put on the Community Kit because it is much more elaborate, or because the samples are indeed more... advanced. At least I have a way to go with ASP.NET code now, which was my intention. Finally I can visit .NET related sites, and try out code given there. I'm a happy man!

Saturday, January 03, 2004

(No) time to read

In the normal world when you want to read something, you decide what to read, buy the book (maybe even on Amazon), go to the library or second hand shop. And there you go sitting on your favorite couch and start to read. Whereas on the internet, we often don't have a clear view of what to read (at least, I don't when I go online). We open up some blogs, find an interesting link, from which another interesting site is offered. And before you know it, you end up on the site of the Journal of Digital Information, article named 'Networked Knowledge Representation and Exchange using UML and RDF'. Note: not that there is something wrong with this site, there are probably a lot of librarians and information architects out there for whom this site is quite meaningful. At that point I was thinking to myself what exactly it was I was reading. I find it intriguing to learn something from the field of Information Architecture, but it seems far too little related to my daily work to put too much time into it. For me, it's better to keep up with the more technical, programming related blogs (see link list on your left side for an indication of what I'm reading). Which actually brings me to what I wanted to say: so much can be read on, and learned from, the sources on the internet, that you have to very carefully weigh the offered information against the time it takes to read. Then, it is even better to maybe just leave a site than to continue reading it and finding yourself out of time for what you really came to the internet for. In my case, that's making a decent blogging entry. I'm amazed at the amount of keystrokes some people are able to upload to the net. I really envy them for their ability to put so much effort into writing interesting blog entries. So, maybe this is a good New Year's resolution: to blog more in 2004. In fact, if this doesn't happen I guess this blog will end just like a lot of other ones, in shortage of content.


ps: I found this person who reflects in the same way. Only difference, he's in his forties, I'm in my thirties. But I already feel a big distance between the young twentysomething tweakers and me.