Continue reading »]]> Q: How do you make the world stop buying so many netbooks?

A: Stop calling them netbooks.

That’s the bizarre advice from Microsoft, suggested by one corporate overlord at this week’s Computex trade show in Taipei.

His beef? The term “netbook” implies a notebook that is useful only for surfing the net, but since today’s mini-notebooks do so much more than just that, the term should be retired.

His suggestion for replacing the term? The exquisitely Microsoftian “low cost small notebook PC.”

Semantics in this space are getting increasingly complicated, though whether you call them netbooks, mini-notebooks, smartbooks, or, ahem, low cost small notebook PC, most of these machines do pretty much the same stuff. (The only real difference in this group is the smartbook, a term which is now being used to describe a notebook-type machine that runs a smart phone operating system like Android or, someday, the iPhone OS.)

But Microsoft is doing everything in its power to move the market away from $400 netbooks and toward $1000-plus traditional laptops. Windows 7 Starter Edition, the egregiously stripped-down version of the company’s upcoming OS, will be so severely hamstrung that Microsoft has offered the stated goal of encouraging users to upgrade to a more premium version of Windows 7.

The etymological approach is another step in that direction, I suppose, a subtle jab that your computer isn’t powerful enough. The term “netbook” sounds kinda cool. “Low cost small notebook PC” sounds like something designed for a child.

As with many of Microsoft’s great ideas, my hunch is that manufacturers will nod enthusiastically at the suggestion… and summarily ignore it.

Viva la netbook!

Continue reading »]]> We’re well into the new year now, and we’re beginning to see trends emerging on the security front. Some of the threats we’ll see this year will be similar to those in years past (after all, many of the basic con games now being perpetuated online were around long before the advent of computers and the Internet). However, attackers are becoming much more sophisticated in their methods to circumvent the increased levels of security built into operating systems and applications. Here are 10 security threats that are likely to become more prominent in 2009.

1: Social networking as an avenue of attack

Social networking has experienced a boom in popularity over the last few years. It’s now finding its way from the home into the workplace and up the generational ladder from the young folks into the mainstream. It’s a great way to stay in touch in a mobile society, and it can be a good tool for making business contacts and disseminating information to groups. However, popular social networking sites have been the target of attacks and scammers. Many people let their hair down when posting on these sites and share much more personal data (and even company data) than they should.

Think you’ll solve the problem just by blocking social networking sites on your company network? Not so fast. As Steve Riley pointed out in his recent talk on attack progressions at the 2009 MVP Summit, today’s young professionals are growing up with social networking, and they expect to have it available to them at work just as older employees expect to be able to use their office telephones for reasonable, limited personal calls. In addition, you lose the business benefits of social networking if you shut it down completely. After all, companies didn’t shut down e-mail because it could present a security threat. A better approach is to educate your workers about social networking practices and develop policies governing social media use. As an example, take a look at Intel’s Social Media Guidelines.

2: More attacks on the integrity of the data

Another point Steve made in his presentation is that “First they came for bandwidth; now they want to make a difference.” In the past, many attackers were looking for a free ride on your Internet connection (for example, by connecting to your wireless network and using it to access the Web, send e-mail, etc.). Then the nature of attacks progressed. Instead of the network being the target, it was the data. The next step was stealing data, but step after that is even more insidious: the malicious modification of data (making a difference).

This can result in catastrophic consequences: personal, financial, or even physical. If a hacker changed the information in a message to your spouse, it could harm your marriage. If the change were to a message to your boss, you might lose your job. Changing information on a reputable Web site regarding a company’s financial state could cause its stock prices to drop. A change to electronic medication orders on a hospital network could result in a patient’s death.

3: Attacks on mobile devices

Laptop computers have presented a known security risk for many years. Today, we are more mobile than ever, carrying important data around with us not just when we go on business trips but every day, everywhere we go, on smart phones that are really just small handheld computers. These devices have important business and personal e-mail, text messages, documents, contact information and personal information stored on them. Many of them have 8 or 16 GB of internal storage and you can add another 32 GB on a micro SD card. That’s much more storage space than the typical desktop computer had in the 1990s.

People lose their phones all the time, but many of these devices aren’t configured to require a password to start the system, the data on them isn’t encrypted, and very few protective measures have been taken. They are security disasters waiting to happen. Businesses should develop policies regarding the storage of company information on smartphones and require encryption of data on internal storage and on flash cards, strong passwords, use of phones that can be remotely wiped when lost, etc. Of course, you don’t have to lose the phone to have its data stolen. Attention should also be paid to the potential for attacks using Bluetooth and Wi-fi.

4: Virtualization

Virtualized environments are becoming commonplace in the business world. Server consolidation is a popular use of virtualization technologies. Desktop virtualization, application virtualization, presentation virtualization — all of these provide ways to save money, save space, and increase convenience for users and IT administrators alike. If it’s properly deployed, virtualization can even increase security — but that’s a big “if.” Virtualization makes security more complicated because it introduces another layer that must be secured. In essence, you now have to worry about two attack surfaces: the virtual machine and the physical machine on which it runs. And when you have multiple VMs running on a hypervisor, a compromise of the hypervisor could compromise all of those machines.

Another virtualization-related threat was demonstrated by the infamous Blue Pill VM rootkit. Hyperjacking is a form of attack by which the attacker installs a rogue hypervisor to take complete control of a server, and VM jumping/Guest hopping exploits hypervisor vulnerabilities to gain access to one host from another.

The easy portability of virtual images also presents a security issue. With modern virtualization technology, VMs can be easily cloned and installed to a different physical machine. The ability to go back to “snapshots” of past images can inadvertently wreak havoc with patch management.

5: Cloud computing

If virtualization was last year’s buzzword, this year it’s all about “the Cloud.” The uncertain economy and tight budgets have companies looking for ways to lower operating costs, and outsourcing e-mail, data storage, application delivery, and more to cloud providers can present some attractive potential savings. Microsoft, IBM, Google, Amazon, and other major companies are investing millions in cloud services.

Cloud advocates envision a day when we’ll all use inexpensive terminals to access our resources that are located someplace “out there.” But when your data is “out there,” how can you be sure that it’s protected from everyone else “out there?” In fact, the biggest obstacle to moving to the cloud, for many companies and individuals, is the security question. IDC recently surveyed 244 IT executives and CIOs about their attitudes toward cloud services, and 74.6% said security is the biggest challenge for the cloud computing model.

Google, a prominent player in the cloud space, is the subject of a recent complaint to the Federal Trade Commission (FTC) by the Electronic Privacy Information Center (EPIC), which seeks a suspension of Google’s cloud computing services until verifiable safeguards are established.

6: More targeted attacks on non-Windows operating systems

Although Windows still has 91% of the desktop OS market, there has been a big push in some quarters to deploy Linux or Macintosh as a supposedly more secure alternative. But are they really? One reason the non-Windows operating systems have enjoyed fewer attacks is the simple fact that the Windows installed base presents a much bigger target for attackers. Just as terrorists prefer to attack large gatherings of people where they can do the most damage, so do hackers prefer to write malware that will spread to the greatest number of computers — and that means Windows.

However, as other systems get more publicity and become more popular, they also become more attractive to the bad guys. Malware has been becoming less Windows-centric for the last few years; the 2007 Open Office worm, for example, infected Linux and Mac OS X systems as well as Windows. And Charlie Miller, a security researcher who won a recent hacking contest by breaking into a fully patched MacBook in a few seconds, said, “Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.”

Whatever the reality, the perception is that non-Windows operating systems are becoming more popular as Apple steps up its advertising campaign and vendors offer more netbooks preinstalled with Linux. As they become more high profile, look for hackers to spend more time and energy creating attacks that target non-Windows systems.

7: Third-party applications

Microsoft has put tremendous effort into securing the Windows operating system and its popular productivity applications, such as Microsoft Office. Linux and Mac receive regular security updates. As operating systems become more and more secure, attackers will focus less on OS exploits and more on application exploits. The major Web browsers are routinely updated to patch security vulnerabilities. But the vendors of many third-party applications are less security-aware. This is especially true of freeware applications written by independent developers. These programs, which may not have been written with security in mind to begin with and which do not automatically check for and download security updates, present an opportunity that we can expect attackers to take advantage of.

8: Side effects of green computing

Green computing is all the rage today, and saving energy is certainly a good thing — but as with beneficial medications, there can be unexpected and unwanted side effects. Recycling computer components, for instance, can expose sensitive data to strangers if you don’t ensure that hard drives have really been wiped cleaning. (Hint: Deleting files or even formatting disks doesn’t guarantee that the data is gone.)

On the other hand, such green initiatives as powering down systems that aren’t in use can actually enhance security, since a computer that’s turned off isn’t exposed to the network and isn’t accessible 24/7.

9: IP convergence

Convergence is the name of the game today, and we are seeing a melding of different technologies on the IP network. With our phones, cable TV boxes, Blu-ray players, game consoles, and even our washing machines connected to the network, we’re able to do things we never even imagined a decade ago. But all of those devices on an Internet-connected network present myriad “ways in” for an attacker that didn’t exist when only our computers used IP.

We can only hope that the manufacturers of all these devices put security at the forefront; otherwise, we may see a rash of new malware targeting vulnerabilities in our entertainment devices and household appliances.

10: Overconfidence

Perhaps the greatest threat to the security of our networks, whether at work or at home, is overconfidence in our security solutions. Many home users believe that as long as they have a firewall and antivirus installed, they don’t have to worry about security. Businesses tend to put too much faith in the latest and greatest security solutions. For example, there is an assumption that biometric authentication is infallible and undefeatable — but it can be compromised in various ways, and when it is, the legitimate user it was meant to protect becomes the victim. If the system shows that your fingerprint was used to log on, you may be presumed guilty, and an investigation might not even be deemed necessary.

Another type of overconfidence is common among home users and in the business environment, especially with small companies. That’s the idea that “We don’t have anything worth hacking into so we don’t need to worry about security.” In today’s interconnected world, neglecting security doesn’t just put you at risk; it also puts others at risk. Your systems could be used as zombies to attack a whole different network.

End users on a business network often think of security as somebody else’s problem and operate on the assumption that the IT department is taking care of them, so they don’t have to do anything about security.

Overconfidence of any type is a dangerous security threat — but it’s one that you can most easily do something about because it doesn’t require expensive technology or sophisticated technical skills — just a change in attitude. We all have a responsibility to keep our own systems as secure as possible.

Continue reading »]]> We all have them: Stupid default configurations that we either have to change or live with. Some of them may seem pointless and irritating, although there’s usually some situation where they make sense. Regardless, when configurations are wrong for us, they get under our skin more often than they help us get on our way. Here are 10 of the default configurations that aggravate me the most.

1: Keyboard failure, press F1 to continue

I know it has been fixed for a long time, but all former Compaq server administrators will remember this one. How silly of a message that the server would sit there with its tongue hanging out waiting for us to acknowledge this error with the object of the error. Truth be told, this was my motivation for writing the top 10 irritating defaults.

2: Windows Server 2008 interactive installation name

For Windows administrators who perform an interactive installation (where you boot from the CD), the default computer name is less than intuitive. To be fair, it is a standard name associated with boot environments, but the interactive installation removed the ability to set a computer name. I think we’ll have to get used to names like WIN-IU7JC1B15RI. However, this can be configured with an installation answer file or Windows Deployment Services.

3: Microsoft Office Recently Used File List value of 4

There is nothing more irritating than using a new installation of Word, Excel, or PowerPoint (2003 or earlier) and seeing a deprived recent file list on the File menu. I change this right away by going to Tools | Options | General to access the option to increase the number of recently used files — but the maximum is 9. Office 2007 finally loosened up this restriction, and you can set those apps to list as many as 50 of your most recently used files. The option is a little harder to find, though: Click the Office button and select Advanced in the left pane. Then scroll down to the Display section and enter the setting you want for Show This Number Of Recent Documents.

4: Windows Server 2008 using IPv6 and IPv4

I’m glad it’s available for use in the product, but does anyone know anyone actually using IPv6? It surely is not a mainstream protocol in use. I believe it will be adopted sooner in other regions of the world, but I don’t think it should be enabled by default yet. One good tool to get started in managing Windows Server 2008’s network stack is the Netsh tool.

5: Folder does not exist. Do you want to create it?

This technically a safety step, but how frequently do we select no to this question? Further, this is usually not the last question of a Windows installation wizard, so there is an opportunity to go back in the installation and change the installation path. As a side note, it’s a good practice to keep all of your installed applications in a designated area. For example, installing all applications and components not part of the operating system to a drive other than the C drive can manage the system drive space better. By using a different drive letter to contain the third-party installed software, storage provisioning for the C: drive can be standardized easier.

6: Voice-prompt-only service phone numbers

This one never ceases to amaze me. My previous job required quite a bit of travel. During weather or flight interruptions, I would often call the airline directly from my mobile phone rather than wait in the line equal to three aircraft’s worth of passengers when I needed re-accommodation. The service numbers were usually voice-prompt driven, which makes no sense in an airport, as there are incredible amounts of background noise. I became an expert of saying “Yes” and “No” very loudly and gaining the awkward attention of my fellow passengers. Number entry dialing is often possible but hard to find if it is not mentioned.

7: The Windows beep device

This is annoying for many reasons. For one thing, it doesn’t adhere to Windows sound volume settings for default configurations. This is especially irritating for administrators like me, who connect to multiple systems through tools like Remote Desktop and have the beep transferred as well. But the beep can be disabled. Simply go into Device Manager, choose Show Hidden Devices from the View menu, go to the Non-Plug and Play Drivers section, double-click Beep, and choose Do Not Use This Device (Disable) from the Device Usage drop-down list in the Beep Properties dialog box. After the next boot, beep is no more!

8: The entire default Internet Explorer browser configuration on Windows Server

Is it just me, or is the default installation useless? Even adding sites to the trusted sites list and local policies for the trusted sites doesn’t allow proper behavior of some legitimate sites. Ironically, Windows Update will work with all of the installations required. I find myself installing an alternative browser, such as Opera, Firefox, orSafari. To be clear, I don’t install it on every server — simply on those where browsing functions are required and it makes sense to do so. As a side note, this is a good trick to getting crude Explorer functionality in Windows Server 2008 Core installations.

9: Windows Server 2008 default folder view

I sure love the folder view in Windows Server 2003, XP, and prior editions. But Vista and Windows Server 2008 have really messed with my mind. I’d like to get a show of hands: Who actually uses Documents, Pictures, and Music as favorite links? My favorite link is the folder and computer. Just let me see my file system. I know what I am doing, most of the time!

10: VMware vCenter Server’s certificate store

The default installation of VMware’s vCenter Server product is two years. For many people, there are quite a few surprises on day 730 of their server virtualization bliss. The good news is that you can correct this situation before it gets you. There are plenty of topics on the VMware Communities forums, as well as this whitepaper from VMware on the replacement process.

What annoys you?

And the list goes on. There are always going to be things that annoy us — and some default configurations may get administrators downright mad. Do you have some software configurations that hit you the wrong way? If so, share them below.