Are We There Yet?

I was listening to Steve Czaben on Bob and Brian's morning show this morning and he brought up the Sobig virus that is currently running rampant on the Internet. His take on things is that email is dead and this virus has killed the Internet. Steve is funny and makes my morning drive worth it every morning, but thank God he only does sports. The only thing he got right in his entire rant was that it's due to people that just don't THINK when they get email with file attachments.

I've got a ton to say about this, but I'll try to keep it short and to the point. There is NO REASON IN THE WORLD that ANY corporate mail server should allow mail attachments that can be directly executed. This includes .pif, .scr, .exe, .vbs, and the whole remaining list of executable extensions. Period. You have now solved 80% of the problems with a virus. You've reduced the corporate cost of these things while reducing the chances of it infecting large networks. Our mail server doesn't accept these attachments and we're not infected. In fact, I haven't even received a single message infected with this virus because our mail server drops them before delivery. Strangely enough, I've gotten several infected messages to my Yahoo! email account, which is the first time in at least 6 years that I recall getting an infected message through Yahoo's servers.

If someone wants to send you one of these attachments, they can ZIP it. Can a virus ZIP itself as well? Sure. But you're injecting another step in to the infection process and making the virus more complex. Making things longer, more complex, and injecting more steps in to a process is the formula for failure for two reasons. One - it's tougher to code and get it right which should cause most poorly written virii to fizzle and die before they get anywhere. Two - I have no faith in the general public as computer users. Take a sampling of people off the streets and ask them what a ZIP file is. Most won't know what to do with it. Even if they have WinZip or WinRar installed, they still have to extract it, find where they extracted it, and execute it. You get the general picture.

The worst side effect of the virus is, of course, the massive email traffic it generates. But frankly, spam is so rampant these days, I see no reason why a virus should add any more strain to mail servers than the latest Viagra mailing.

I've seen two sites I frequent complain about the Sobig virus in the past couple of days. One of them simply slogged through the junk deleting each individual message. The other adjusted his SpamAssassin threshold to be lower and ended up blocking legitimate email.

It frustrates me that people complain sometimes without examining all of their options to see if there is anything they can do to fix it on their end. The home user doesn't usually have control over their mail server, so my previous rant on Sobig doesn't apply to them. But the most popular email clients I know of are Eudora and Microsoft's Outlook and Outlook Express. All of these mail clients support message rules. Since successful propagation of an email virus isn't an everyday occurrence, using message rules to control them is a feasible solution. An email virus is usually pretty small and has a finite quantity of message subjects and bodies that it can use. You can go to any anti-virus web site and find out what these are once the virus has been examined by the popular anti-virus people (Symantec, McAfee, and TrendMicro).

Once you know what they are, you open up your message rules (or filters as my email client calls them) and setup a filter that moves all messages with a specific subject (the subjects the virus is known to use) to a special folder. Voila. When your mail client gets mail, it runs these message rules on each one. As soon as one is triggered, it executes the action you told it to. In this case, it will find a message with a subject that is a known virus message subject (usually something generic like "Re: Your document") and moves it to a quarantine folder you have setup. You can then quickly scan this folder to see if anything that looks legitimate ended up in there (not likely). You can even have the message deleted right away if you're confident no one will send you email with one of these subjects.

Frankly, if someone sends me an email titled "Re: Check out this cool screensaver", it can go to the trash even if it's not a virus.

Symantec and all the other major virus sites haven't caught on to it yet. I got this from a reliable source of my own, however. It's an especially devious one because there's no file attachments, so it will get through most mail servers. I hope you read my earlier post about message filters.

The email will look something like this:

"You have just received the Amish virus. Because we don't have computers this virus works on the honor system. Please delete all the files from your hard drive and manually forward this virus to everyone on your mailing list. We thank thee."

Check out this article from Reuters. It reports that Comcast will soon be doubling their downstream bandwidth to their cable broadband subscribers...for no extra cost (although they have recently raised prices for non-cable subscribers).

I've never been one to pick up a dollar bill off the ground without first checking for the attached strings. Yet, this seems to be a "good thing". Granted, 1.5Mbps is already quite fast (it should sustain about a 170KB/s download), but at 3.0Mb/s, we're talking about a 360KB/s download. This begs the question of how many servers out on the Internet can sustain this type of download for you anyway? I can't answer that question, but I can say that on my 2.5Mb/s cable line, I frequently get 280-300KB/s download speeds with 220-250KB/s being the norm. This is still a decent improvement over 170KB/s and should make computer gamers and P2P file swappers very happy.

ArsTechnica highlighted this article as well, but put a slightly different spin on it. I'm kind of disappointed in them for lamenting the fact that their upstream is remaining the same. 256Kb/s isn't a horrible upstream (nor is it great), but you're getting something for nothing here! Maybe I'm too selfish with my bandwidth. More downstream is not a bad thing, nor should it be taken for granted. Some day, the Internet will catch up and you'll be thankful. Besides, how odd is it to think you can get more downstream bandwidth from your ISP than can be provided by the Internet at large? Wasn't it just a couple of years ago that we couldn't even get enough bandwidth to satisfy our downloading desires?

I think the real issue here that could curb your euphoria is that the President of Comcast's cable division states,

"Our job No. 1 is increasing speed..."

If Comcast can afford to hand out free bandwidth (especially twice the bandwidth), then on the other hand they should be able to lower prices without cutting bandwidth. I'd much rather prefer the latter.

A few months back, I bought a new CD for probably the first time in over 12 months. I'm not a big fan of the RIAA and their recent manipulation of the judicial system to serve their archaic and out-dated desires to stay in the 20th century with regards to distribution of digital media. I'd buy a ton more CDs on two conditions:

1. Prices are lowered to < $10 USD for single CDs. Ideally, I'd shoot for $8.
2. Copy protection is done away with so I can do whatever I would like to with the music on the CD including, but not limited to:
   • making backups on CDRs in case my original gets scratched or becomes unplayable
   • ripping in to the format of my choice so I can listen to it on my computer without using my CD-ROM
   • transferring to my as-yet and for some time in the future unpurchased portable MP3 player
   • copying to a CDR with other legitimately acquired songs in to a mix CD for my own personal enjoyment

Unfortunately, the recent trend of CD copy protection to prevent file swappers from getting copies from legitimately purchased CDs is infringing on the rights granted to me by that license. Case in point (and the whole reason I started this post in the first place): the CD I purchased was Disturbed's latest, Believe. Even though I hate the RIAA and what they're doing, contrary to the picture they are trying to convey about "kids" of my generation, I believe in supporting music artists that suit my tastes and put out a product worthy of my hard-earned cash. This CD is one of them.

Jesus, Doug, get to the point will ya?

So, I buy this CD and get home. Later that evening, I'm doing some homework for an online course I was taking and wanted to listen to the CD. I put it in my CD drive and discover that this CD is "enhanced", which is a clever marketing term that means "we're going to highjack your computer now and display all sorts of cool stuff about this CD and try and sell you merchandise before we let you listen to the music". After closing this out (and turning off auto-run in Windows), I fire up WinAmp to start enjoying some musical madness.

There's just one problem. WinAmp doesn't recognize the CD. In fact, it can't even play a single second of the CD. Nada on Windows Media Player either. Naturally, I was quite annoyed. Because of this problem, I was not able to rip the CD in to MP3 format using either program. The only way I could play the CD on my computer was using IsoBuster which was able to play the raw data from the CD one song at a time, with me manually selecting the next track. When I tried ripping the audio data off the CD using IsoBuster, it came out with lots of static and noise.

So now I'm left with a fantastic CD that I can only play in my car CD player (where I spend an hour a day) and not at my computer (where I spend >10 hours a day). This begs the question of whether or not it was worth it to purchase the CD when the manufacturer/label/artist/RIAA is telling me how I can use it?

The answer? No.

The Internet is a fantastic entity and my life would be entirely different without it. Maybe I'd have become an architect if my Dad hadn't introduced me to computers and set our family up with Prodigy 10 or so years ago. I wouldn't have my job today without the Internet, that's for sure. In other words, I really, really like the Internet.

But sometimes, I come across things on the Web that just about push me over the edge.

I know I make a lot of cracks about the general public's ability to (ab)use their computers, but that's no excuse for intentionally and deliberately praying on this fact for profit. Not long ago, the hot "business practice" making use of this was the spam through the Windows Messenger service. A (somewhat) useful local network administration tool was rendered useless by the devil spawn of the Internet, spammers. I can't begin to count the number of friends and family that I helped disable this service on their computers.

What happened today was another one of those moments for me. I was at work and it was about 9am when my wife signed on to AOL Instant Messenger and informed me that my laptop had a window on it that said "Infected by XMLRPC virus, click OK to remove". This was incredibly shocking to me since I had just patched XP on the laptop yesterday after Microsoft announced more vulnerabilites. It's also incredible since the machine is behind a router that blocks that port.

Luckily, I had just installed RealVNC on the machine for just such a circumstance. I logged in to the machine and discovered that a web page my wife had just visited popped up a JavaScript message box with the virus warning. They were, of course, trying to sell you some anti-virus program or other. She didn't know whether or not the message was legit. She knows I have an anti-virus program installed on the machine and she knows to tell me whenever something funny happens on the computer.

I'm not surprised this kind of junk happens, but it's infuriating nonetheless.

For the past couple of weeks, my company's mail server has been struggling to deal with unprecedented quantities of spam. Between renewed efforts by spammers, bounce messages generated by email servers rejecting messages spoofed with our addresses and containing a spreading virus, and normal traffic, it's constantly grinding away just to keep up with the load. SpamAssassin isn't flagging enough of them for me.

Spammers are a perfect specimen of a virus. They exist even though no sane and rational individual wants them around (except their fellow support group members). They adapt to an increasingly aggressive and hostile "working" environment. They develop and deploy new methods to reach their goal. And since the dawn of the first spam message, their numbers have only increased.

To combat the amount of spam that has been slipping through in to our Inboxes, we switched over from POP3 to IMAP to take advantage of MDaemon's ability to learn from spam that gets through its filters. IMAP is different from POP3 in that the whole intent of it is for mail to remain on the server making your email 100% portable while still giving you the ability to use the mail client of your choice (provided they support the IMAP protocol). You can have public and private directories for categorization of mail, all done on the server. This is where the use of IMAP in combating spam comes in to play.

There are public IMAP folders for all users on our mail server where users can place email that gets in to their Inbox that should have been flagged as spam. There's another one for mail that was marked as spam that shouldn't be. Every night, MDaemon processes these messages and learns from to be more effective in its filtration process. In theory (and practice), your mail server becomes a better front line defense in combating spam.

That's all find and dandy, but it also dropped a bombshell on me. My mail client of choice for the past 6 months or so has been PocoMail. I switched over after Outlook Express went on a crashing binge for a few weeks and pushed me over the edge. I was quite happy with PocoMail, although the recent release of v3.0 has seriously disappointed me. It got slower, more cumbersome, and less intuitive. It also added IMAP support. Unfortunately for me, it's very rudimentary and is horribly incomplete. It's so bad, that I have no choice but to change email clients.

So, my search has begun once again. I tried Mozilla Thunderbird and was impressed enough to convert to it on my home machine, but it's lacking a few key features for usage at work. I can't stand Eudora either. Migrating email clients is a huge project for me since I have a lot of email accounts, loads of messages, and a very organized filing structure. Unfortunately, I think I may have no choice but to go back to Outlook Express. Even worse, its horrid importation process refuses to import PocoMail... :-/

Everyone has a story to share about ISP's and their lack of responsibility when it comes to maintaining, policing, and generally "taking care of" their networks.

Now I have mine.

About 7pm CST, the central servers for a service I maintain came under a distributed denial of service attack by about a dozen IP addresses. While the source of this attack was spread out a bit, the majority of the damage was being done by a few addresses located on Verio's network. After attempting to take care of things on my end, I was able to get things under control, but they were still being a nuisance as their traffic was causing a strain on certain pieces of hardware and software. I started by calling our ISP, SBC.

Of course, I get the most imcompetent tech support "specialist" on the phone. After explaining to her the situation, she had no clue what a denial of service attack was. I explained that it was denying me of getting reasonable service from their provided Internet connection and she put me on hold for a few minutes. She then came back on the line and informed me that they cannot support my service and as long as the Internet connection was "running", it was out of their hands. I was told that all I could do was send an email to their abuse account and they would "investigate" it. Yeah, a whole hell of a lot good that will do me.

I next tried calling Verio. The guy I got on the phone listened intently and took down the IP addresses before putting me on hold. Wonder of all wonders, he came back on the line and told me the exact same thing the woman at SBC told me. WTF? Do the major ISP's share tech support phone scripts, or what?

I cannot for the life of me understand why ISP's don't give a rip what's going on over their network. I would understand their position if I had called up and said some guy was emailing me a virus, make him stop. But no, I called up with concrete data that some people on their network were flooding my network with utter crap. Some 12 year-old in NY is giggling up a storm while this 1337 script he downloaded off IRC attacks my servers and floods the hardware of the two ISP's at the start and end point of this junk, and they don't care? They expect me to email a generic abuse account so I can get an auto-response back that says they're doing everything they can to ensure my Internet experience is a pleasant one?

If they want to make my Internet experience a pleasant one, they can start by actually taking their customers seriously. Not everyone that calls the tech support line is wondering why they can't get their email to work.

/rant

By now, anyone who reads this blog regularly (both of you) know of my recent ISP escapade and the ensuing rant on ISP accountability.

Well, it's 3am and I've learned a lot tonight.

• When you think you've got a DoS attack under control, you don't.
• You're not REALLY under a DoS attack until the LEDs on your firewall start blinking out "SOS" in Morse code.
• Verio may refuse to let you speak to a human, but the people behind their 2nd level abuse email account work 24/7 and they work fast.
• Jerol from Verio is my hero. He stopped the madness. He even called to tell me so.
• The FBI apparently doesn't handle "private" (as in non-government) computer crimes. Or at least, the poor junior agent manning the phone at the Milwaukee field office at 2:30am doesn't think so.
• The Secret Service, however DOES handle this type of thing.

I came upon an article on Wired that mentions that the online mega-retailer, Amazon, has stepped up its investment in search technology and announced it will be developing search engine technology for comparison shopping. The interesting thing, as the article points out, is that Amazon plans on licensing this technology to other companies which would effectively mean they are offering to license it to their competition.

Currently, Amazon uses Google to search its site, which also has a comparison shopping search engine, Froogle. The real gem of the article is at the end where they mention that Amazon has appointed search engine guru Udi Manber to be in charge of recruiting for the Amazon division that will be developing this technology.

Ever on top of the search engine market, the brilliant minds of Google went to work quick. What did they come up with? Why, a sponsored link of course. Search Google for Udi Manber and the top link is "Work at Google".

I wonder who the sponsor of that link could be?

[UPDATE:] I just noticed in the right-side column of the same google search page yet another sponsored link. It's a "Work at Amazon" link. This is just too funny. Amazon announces the appointment of a search engine expert to head up recruiting for development of a technology that will compete with Google (whom Amazon already has a working relationship of some sort). Google fights back by placing a sponsored link to their hiring page at the top of a search for said search engine expert. Not to be out done, Amazon then PURCHASES ad space on the very same Google search term in order for an Amazon hiring link to also appear on the search result page.

Oh man...it's like a crazy soap opera. I can't stop laughing...

[UPDATE 2:] A friend commented that he didn't see the Amazon sponsor link when checking out the search result page. Now that I try it again, I see that he's right. Lucky for me, I still had a tab open in Mozilla that shows it. Here's a link to an image of it.

My place of employment recently got a "free" temporary upgrade to our DSL package from SBC. I have no love for SBC whatsoever as their DSL reliability has been wretched from day one and the equipment they provided us with was utter junk. I'm also well aware that this "free" upgrade is nothing more than a business ploy to get us to upgrade our account once we've gotten used to the extra bandwidth and the "free" time runs out.

Nevertheless, it's pretty damn cool to get these types of transfer speeds. Check this out (89K image). This was done from my machine on our network with approximately 6 machines using the Internet connection at any given time.

Our paid for DSL service is 768-1500kbps downstream and 256kbps upstream. We're currently receiving 1500-6000kbps downstream and 384kbps upstream. Seeing as how I can look out of the window in front of my desk and see the CO, I would imagine we'll hang around the upper limits of the downstream.

Ian sent word to me that the new User Friendly web comic had something I'd be interested in. See for yourself.

I had iTunes search for files on my machine as well. It was definitely slow, but what really annoyed me is that it added any media it was capable of playing - videos included. I thought it was called iTunes, not iMedia! So then, I had to go through and hand filter out the non-audio files before I had a usable playlist of mp3s.

Remote desktop software is a fascinating concept that has become a necessity of my life, much like my cell phone and my weekly night of shooting darts at the bar. I don't know how I ever lived without it. I work for a company that develops a piece of software that makes using remote desktop software (depending on which one you use) a bit easier to manage - it solves the dilemma of mapping a dynamic IP address to a static domain name making it simpler to access your computer from whever you are without the need for an IP poster or other such nonsense.

Anyway, I was looking at the different types of remote desktop software that's out there for purposes of writing tutorials on how to use our software with the remote desktop software. In my experience, I've found that there are 3 pieces of software that are the most popular for Windows PCs - RealVNC, GoToMyPC, and PCAnywhere. I've played with each of these (or at least tried to) and I've come to a pretty concrete conclusion: the easy choice for is RealVNC.

I'm going to start my rant with PCAnywhere. PCAnywhere is a Symantec product, which right away should be sending shivers down the backs of every geek. Norton Anti-Virus is about the most intrusive, useless piece of software I've ever encountered. It's a rarity that I meet someone who doesn't think the same. Symantec is a behemoth in the Internet security/communication industry with the bed-side manner of Josef Stalin. It's their way or the highway. Whenver I've dealt with Symantec in any way, shape, or form, I've always walked away from the encounter feeling worthless - like I don't matter to them. But, what you say? What does this have to do with PCAnywhere? Well, nothing in a direct way. But it's mainly because I have nothing to say about the software itself. Why? Because Symantec offers no way to try PCAnywhere. They charge $20 just to try it out for 30 days. They even have the nerve to think that charging $200 for the software somehow qualifies it as a "consumer" product. Remember what I said about bedside manner? At $200/copy, the majority of the computing world can't afford PCAnywhere.

The next stop on the rollercoaster of remote desktop software is GoToMyPC. At least I got to use GoToMyPC, which as far as the software itself is concerned, I was fairly impressed with. I don't like the fact that they use a java applet to download and launch the installer for their software from their web site, which is too much hand holding for my liking. Can't I download the installer by itself so I can copy it to my other machines or burn it to disc with other essential software? You access your PC by logging in to your account on their website, which will let you initiate a connection to your remote PC.

On the surface, it's all good. The application that runs on your remote PC is small and doesn't require much in the way of resources. The client software that connects you to your remote PC is clean, well organized, and easy to use. I was horribly disappointed with the performance of it, however. GoToMyPC utilizes a third party server that coordinates the connection between the remote PC and your client PC. On the plus side, this eliminates the need to configure most routers and firewalls on the remote PC since it never accepts an incoming connection. However, I'm not comfortable with a man-in-the-middle of my conversation. All data is encrypted during the connection, which must have a significant effect on the performance as does the fact that a 3rd party server (who knows where it's located) controls your connection.

There were 3 things that completely turned me away from GoToMyPC, performance notwithstanding.

1. They require a credit card to enable the trial of the software. Why? Because they want to be able to automatically renew your service after the 30-days OR 60 minutes of connection time is exceeded. I don't like giving my credit card out just to try something and I absolutely HATE services that pretend they're doing you a favor by automatically continuing your service after a trial if you don't terminate it.


2. In order to cancel your trial, you must call a customer service representative. That's right. A company that provides remote desktop software completely over the Internet and allows you to automatically enable a trial online requires that you call an 800 number, wait in line, and go through the wonderful process of explaining why you don't need their services in order to cancel something that's "free". That's another pet peeve of mine.


3. GoToMyPC has followed the lead of Symantec in pricing their service. The cost is $20/month or $180/year for ONE PC. Two PCs costs $30/month $270/year. I guess it's not like they had a choice in the pricing, though. Something has to recoup the costs of their 3rd party servers, bandwidth, and customer service representatives on call to take your trial cancellations.

If you have a need for this type of software, I definitely recommend checking out RealVNC. It's not as user-friendly as most commercial software is (although Symantec produced software isn't exaclty what I call user-friendly either) and their time between releases is random at best, but I really think it's the best of the bunch out there.

I just had a revelation that has brightened my day considerably. While writing some code for a Base64 encoder/decoder, I was having a hard time visualizing the shifting of bits required to decode a Base64 string.

<AWTY™ Diversion>In a nutshell, Base64 is a method of encoding data in to ASCII characters for transmission. Base64 is used a lot in email since transmissions via email have to be text. Everything that's Base64 encoded consists of the characters A-Z, a-z, 0-9, +, and /. The equal sign (=) is used for padding. It's called Base64 because there are 64 characters (2^6) used in its makeup (not including the pad character).

As you can tell by the fact that it's 2^6, that means there are only 6 significant bits in each Base64 character. Computers aren't based around data types of 6 bits; they use bytes which are 8 bits. So you have some overlap. When encoding data in to Base64, you end up carrying over extra bits from the source data when creating the next Base64 character. When decoding Base64 text, it takes more than one Base64 character to create a single byte of source data. Although this may sound confusing, it's not too bad since there are only a finite number of carryovers that can be present before the pattern repeats itself. In the realm of coders, there is an obvious need for bit shifts (<< and >>).</Diversion>

While writing my decode function, I was having a hard time keeping track of the leftover bits from each Base64 character in my head. I tried scribbling down notes on my notepad, but that wasn't helping either. It was then that the perfect solution came to me. Eight full fingers - eight bits in a byte. It's pretty easy to visualize the bit shifts while staring at your digits planted on the desk in front of you.

This has led me to only one logical conclusion. God is a coder. I wonder which language He uses?

I should feel honored. I've read all over the place about how "referral spam" is rapidly making its way through the Internet. What's referral spam, you ask? Well, most web servers keep logs by default. One of the more interesting things that web servers log is the referring link that led a visitor to your web site (this is a part of the HTTP protocol - that's how the web server gets the information). Geeks and other sys admins are notoriously interested in this data because being linked to from another web page is supposed to make up for our lack of popularity in high school. Or something.

Anyway, spammers and advertisers never miss an opportunity to sully every crevice of the Internet that they can seep in to and now Web referrals are no different. As I browsed through my web server log not long ago, I came upon this nugget:

2004-01-05 20:08:40 206.129.0.135 - HEAD /index.htm 200 288 HTTP/1.0 StarProse+Referrer+Advertising+System+2004 http://blog.johnkerry.com

Of course, it's trivial to forge the HTTP header information that does this. I could write such a utility in a few hours. A quick search of Google for "StarProse+Referrer+Advertising+System+2004" links this whole phenomenom to a company - StarProse.com. Imagine a script that will crawl through pages it finds on the Web pretending to visit the site using a URL of your choice as the referring link. Ta-da. You've just stamped your URL in to the Web server logs of thousands of servers out there. Better yet, for the thousands of these sites that publish their log statistics on their sites (many of which interpret URLs and change them in to hyperlinks), you've just added a link from their page to yours which does wonders for your Google page rank consequently increasing your position in the search engine.

The funny part is that a stroll through those Google results shows you that two people are doing this the most: porn sites and Democratic Presidential hopefuls from John Kerry and Joe Lieberman to the supposedly Geek Friendly™ Howard Dean. I'll leave you to draw your own conclusions.

GOOD afternoon, Ladies and Gentlemen. This is the captain speaking.

Before we get under way with our regularly scheduled Net surfing, I'd just like to take a moment to point out to all of you one of the more popular "features" of the Internet service we provide to all of you, our paying corporate customers, from the caring folks at SBC Communications. You may have noticed that in the past few hours, your tracert times have shown up with excruciatingly slow response times. In fact, if you're a member of the frequent Internet surfer group, which we have affectionately termed "Net addict", then you've probably noticed that this is a daily routine.

Exhibit A: Tracert from the offending Internet connection to AWTY. Image (43.2KB) uploaded to AWTY server in 15 minutes at an average rate of 48 bytes/sec.

Well, I've been tasked with the enviable position of explaining to all of you, our paying corporate customers, exactly what it is you're experiencing. We here at SBC like to encourage moderation in the use of the Internet as a part of a balanced daily lifestyle. Our "Daily Internet Slowdown" (or DIS for short) is one way we support this policy. While you may think of it as aggravating, annoying, and for you "lawyer types" out there - grounds for a class action lawsuit - we prefer to think of this intentional degradation of service as a public service to our users that encourages you to all step outside for a moment, enjoy the 0 degree weather and get some fresh, frigid air.

Happy surfing!

The preceding was an unpaid public service announcement from AWTY™, a non-profit organization consisting of the poor schmucks that have the pleasure of paying SBC Communications to provide their place of employment with "high-speed" Internet service.

One thing about surfing the Web that bothers every sane individual on the planet is the obnoxious ads that litter the pages of the Web everywhere. Now, I'm not going to rant about advertising in general nor about the proliferation of advertising in our society. Advertising is here and always will be. Like any other industry, it depends on a perceived or real need for its services to survive. The fact that it is so ingrained in our society supports the fact that it will go no where anytime soon. In addition, like any other successful industry, advertisers will always seek new markets, new mediums, and new methods to deliver their spiel to the consumer.

However, the fact that many regard the advertising industry and the billions of dollars it generates and invests every year as a nuisance means that for every new market, every new medium, and every new method they devise to deliver the goods, another enterprising entrepreneur will devise a way to circumvent the advertising. VCRs have commercial skip buttons and you can also rapidly skip commercials using PVR devices like Tivo and ReplayTV. The medium that is still struggling for a way to make ad elimination mainstream is the World Wide Web.

The problem with the WWW is that there are so many ways that ads can be embedded in to the requested content or otherwise forced on visitors that it seems as though there isn't a single solution for them all. And as far as I can tell, there isn't. With television and radio, advertising is a part of the content that is presented in a single threaded way. When the content is pre-recorded, you can skip it. Personally, I change the radio station or turn on a CD when it's commercial time on the radio. With the WWW, the problem is that so much information can be presented in a multi-threaded kind of way. The user dictates the pace at which content is presented, however the organization and presentation of that content is still controlled by someone else. Thus, advertising can take the form of images throughout the page, text and images presented in the middle of the requested content, overlays using Flash and Shockwave (*cough*ESPN.COM*cough*), pop-up or pop-under windows, or even (one of the most obnoxious ones ever devised) using clickthrough pages that randomly appear and force an extra page load and an extra click to get to the content you already thought you requested (IGN is notorious for this).

Of course, all this doesn't mean there aren't multiple, good methods for eliminating the vast majority of ads within the World Wide Web. I've been able to have a very pleasant and virtually ad-free experience for quite some time now by making one significant change to my Web browsing experience - I changed browsers.

<AWTY™ Diversion> - Are you getting the idea yet that these happen frequently and tend to be long? Here we go...Hi, my name's Doug and I'm a recovering Internet Explorer user that's been clean for 3 years (Hi, Doug). The first browser I remember using was Spry Mosaic that my Dad purchased (from an old Egghead store, IIRC). Anyone who's ever looked at the About box in IE knows that it says, "Based on NCSA Mosaic.". Naturally, that was where my web browsing progressed to.

I was first lured to Mozilla by the prospect of multi-tabbed browsing. Being a multi-tasker of the highest order when it comes to computers who was doomed to experience dial-up until about a year ago, I always had 5+ IE windows open. Being that my OS of choice is Windows 2000 and I can't stand XP's window grouping "feature" anyway, I soon got tired of the teeny windows in my taskbar since 75% of them were IE windows. I tried solutions that offered multitabs of IE, but was never satisfied with them. So, I tried out Mozilla after reading about it's 0.7 release on Slashdot.org (this was January 2001).

Well, this post is turning out much longer than intended so I'll pick it up a bit. </Diversion>

Mozilla did everything I wanted it to, but it was a resource hog, quite slow at starting up and switching tabs, and I didn't want to use its HTML composer or mail client (although I switched to the Mozilla Thunderbird mail client several months ago). These things never kept me away from the browser as I was quite happy with it in general. Prevailing web standards over the years has also made browsing a pleasant experience once again. I eventually migrated to the lean, mean, browsing machine brother of Mozilla called Firebird, which is what I use to this day. Through the Mozilla browser architecture in the form of Firebird, I have the ability to:

• Multi-tab browse (native functionality)
• Do quick browser actions without the keyboard using mouse gestures (a favorite of mine)
• Block pop-up windows (intelligently lets you allow certain ones - native functionality)
• Block images from servers (native functionality - handles some ads)
• Hide images where the path contains key terms using AdBlock (blocks majority of ads)
• Stop flash content from running unless I click it (no more Flash ads!)

The last piece of the puzzle for me is Java ads. I cannot stand Java ads. Nothing ticks me off more than having to wait 10 seconds for a page to load because the JVM needs to load on my machine. Satan himself would shoot the designers of Java ads and the webmasters that use them except he doesn't want them living down the street from him either.

My CNET news RSS feed informed me a little while ago that the offices of Sharman Networks, owners of the Kazaa peer-to-peer file sharing software, were raided in Australia. The article says the following about the offices that were raided:

In addition to the offices of Sharman Networks and Brilliant Digital Entertainment (BDE), MIPI raided the residences of Sharman Networks’ CEO Nikki Hemming, Brilliant Digital Entertainment Chief Executive Officer and President Kevin Burmeister and Phil Morle, Director of Technology at Sharman Networks. Monash University, the University of Queensland and the University of New South Wales were also raided, as well as four ISPs including Telstra.

The reason I find this so note worthy is WHO did the raiding. I'm not familiar with Australian law in any way, shape, or form, but according to the article, the Music Industry Piracy Investigations (MIPI) obtained what's called an "Anton Pillar" order (misspelled in the article with one 'l'). According to a posting on FreedomFight.ca, the order allows "an applicant" to enter and search the respondent's premises with intent of locating and SEIZING property and material that the applicant charges violates their legal rights to distribution or usage of said property. In other words, in this case, the MIPI was able to raid these offices themselves after creating a list of materials and documents they were in search of. They could then collect these items for the purpose of preserving evidence. Of course, all of this takes place after a judge approves the whole thing.

The thing that disturbs me is that it is the organization ITSELF that does that raiding! In my opinion, that just opens up a large can of worms that is completely unneccessary. You're letting what is basically the accuser perform the search and seizure, which introduces a level of bias and probably vindictiveness that shouldn't be present during these types of actions. While many people already don't trust their governments or organzations tasked with carrying out these types of (in the USA) governmental duties (such as the FBI), one would think there's a level of neutrality and sense of duty present in how they conduct themselves. The animosity on display by the RIAA and the music industry at large towards groups such as Sharman Networks would lead me to believe that the entire process has a decided favor towards those conducting the raid.

To put it in to context a bit better, the offices of CryTek in Germany (makers of the upcoming game Far Cry) were recently raided by the German police. The story goes that a disgruntled ex-intern tipped them off that CryTek was using pirated software during development of the game; more specifically that they were using more copies of software than they had purchased licenses for. Now, for the sake of comparison here, imagine if the software in question was Microsoft's Visual Studio software, an IDE, which was used for coding the game. What if MICROSOFT had the ability to conduct this search themselves?

Chew on that one for a while while you ponder the fate of Sharman Networks after being personally raided by the recording industry goons...

The RSS feed for the Anandtech News Channel just came across with an interesting article that I had to check out. According to an article on Computerworld, Microsoft's upcoming release of Windows XP SP2 (that's Service Pack 2 for those of you who never use Windows Update - shame on you!) could break some existing applications.

Blasphemy, you say?! Maybe to the hardcore zealots out there that have nothing positive to say about Microsoft in the first place. But for those out there will bother to RTFA, you'll find that Microsoft has chosen to eschew some backwards compatibility in taking a step towards making Windows a more secure platform. Regardless of your feelings towards Microsoft, it's difficult to argue against the fact that backwards compatibility has certainly bogged down the Windows code base over the years. Despite the fact that Microsoft's most popular consumer OS is based on NT, let's not forget that Windows NT 4.0 (the predecessor of Windows 2000 and step-father of XP) was released in 1996. Do you remember computers in 1996? The world of computers was much different 8 years ago.

Fear not, fellow computer user. Microsoft's decision to favor security in circumstances where backwards compatibility becomes an issue arises only out of certain circumstances: when an application was coded without consideration of security. That's certainly a pretty vague statement to make which is open to broad interpretation. Does this mean that Windows will attempt to prevent buffer overruns from occurring that would compromise a user's system (as a co-worker put it, if that's the case, will IIS even run?). Who knows? Kudos to Microsoft for getting the word out so early and organizing support materials and training to assist major vendors in ensuring their products are safe and secure under Windows XP SP2.

The Microsoft product manager quoted in the article does make a good point - developers need to be aware of and involved in the process of security as well. As the saying goes, security is not something you buy; it's something you do. It's a process that requires attention at all levels of the computing process. It certainly starts with the hardware and core software processes that comprise the platform of your choice as these are the things that the end-user has the least control over. However, complete security means using and deploying applications from vendors you respect and trust. It means understanding enough about how you use your computer to ensure its safety. It's no different than locking the doors to your house or car except we all understand how a door and lock works The computer is a powerful tool, especially when connected to the Internet. There are certainly things that the major software vendors can do to ease this strain on an uninformed and (relatively) uninterested computing public. But that does not excuse you from your own personal responsibility over your computer and it's use.

Nick Bradbury has a funny entry in his blog covering what he calls past incidents of Freudian typos. Most people are familiar with Sigmund Freud and his line of work. People sometimes refer to Freudian slips where something unintended takes place or is said, but a reasonable explanation might be available for why its occurrence might subconsciously have been done on purpose. The obvious question is was it really a mistake at all? Freud believed that all of these things, intended or unintended, revealed information about the person and their subconcious.

One of my professors in college that taught me assembly programming (and a joke of a database class) was named Treu (pronounced troy). He was generally regarded as an evil man that delighted in the suffering of his students buried under the mounds of reports and code assigned to them. At a decidedly technology oriented university, this was a man that insisted on printing everything out and handing it to students. Back in 4th grade, that worked well for studying and reviewing your 20 word spelling list. However, when you're handed 40 pages of code that wraps on to new lines and cannot be searched or compiled, the word excessive comes to mind. Most people that survived his classes quickly pushed him from their minds to prevent further mental trauma.

Unfortunately, I will never forget this man. Every time I set a boolean value to TRUE and transpose the the 'u' and 'e', I am reminded of good ole Professor Treu.

Now excuse me while I go call my therapist.

I've been using the same notebook computer since 2000, when my parents bought me a Sony VAIO notebook for my final two years of college. My college had implemented a "technology package program" my 2nd year in college, which meant that all new students from that year on purchased a notebook computer through the school (with $2000 added to their annual tuition, of course). Existing students could also "buy-in" to the program as well. After 2 years, you exchanged your existing notebook for a new one. At the end of 4 years, you got to keep your 2 year-old notebook (with a clean hard drive, of course). Considering this huge change in computer infrastructure on campus and the fact that I had gotten married that summer and was now a commuter, owning a notebook computer became a necessity in order for me to get work done.

Long story short - the VAIO did its job, but I lost all respect for Sony as a company during that time. Over the next 5 years of owning this notebook:

1. Sony refused to provide download links for Windows 2000 drivers for the notebook even though they shipped the exact same notebook with Windows 2000 pre-installed on it. Several years after the Windows 2000 release, their web site eventually contained the necessary driver downloads.
2. The screen died 2 weeks before school started my senior year. Fortunately, it was still under the CompUSA extended warranty. Unfortunately, it had to be shipped to Sony to get fixed and took a month for me to get the notebook back. When I did get it back, the hard drive had been wiped and re-imaged. For a screen replacement.
3. The battery was useless after year 1.
4. The DVD drive died at year 3.

So, the joke's on you Sony. Not only did this hopefully addicted gaming addict not buy a PlayStation 2, but you've missed out on me as a customer for many big ticket consumer electronics items since then. Digital camcorder? Check (Thank you, JVC). Digital camera? Check (Thank you, Kodak). Big screen television? Check (Thank you again, JVC). And now, a new notebook computer to replace the aging and decrepit VAIO (Thank you, Compaq. Er, HP).

My employer uses all Dells for our computers. i haven't been satisfied with my Dell notebook for a while now, so I ruled Dell out. Besides, I like to buy AMD processors (both desktops at home are AMD) and Dell only sells Intel. Thankfully, my Dad is about as well-tuned in of a technical consumer as you could ever hope for. He tipped me off to a great deal on a Compaq notebook at Office Depot.

It's a Compaq Presario R4000. The basic setup was an AMD Sempron 3000+ with 256 MB RAM, 40 GB HDD, DVD-ROM/CDRW combo, and 15.4" WXGA. After rebates, the grand total was $429.99. Oh, and that included an HP 3847 printer. They had some great deals on upgrades, so I spent $75 to upgrade to an AMD Athlon 64 3200+, (which included an upgrade to a 128MB ATI Radeon graphics card) and $30 for integrated wireless. Grand total on this beast after mail-in rebates? About $650, which includes tax and shipping (about $45 for each of those). Considering this notebook was sitting in Shanghai, China at 9:30pm on Sunday night and the FedEx man knocked on my door at 8:30am this morning to deliver the notebook, I don't mind the shipping cost.

All R4000's are custom built notebooks. I was told 10 business days for manufacturing and another 5 business days to ship. In actuality, the notebook was built in 5 business days and took 2 business days to ship. Seven business days from time of order to time of delivery. Not bad for a custom-built notebook, huh?

Now, I've just gotta wipe the hard drive, get a virgin install of the OS on it, and put some more RAM in to this beast. I love being a geek.

I've had a Series 2 TiVo for several years now and have enjoyed every minute of it. From the moment I first tried the TiVo in my parents' DirecTV satellite unit, I knew I wanted one. Now, a hundred episodes of Good Eats later, I haven't regretted the purchase. It's probably one of the few electronic devices in our home that my wife gets more use out of than me.

But there are still some terrible annoyances to my TiVo that drive me nuts.

As soon as I could, I added my TiVo to my home network via a wireless adapter. A networked TiVo adds TiVoToGo support (so recorded shows can be streamed to other networked devices), allows the device to receive scheduled recordings through the Web more frequently, and more recently allows usage of the Amazon Unbox service (something I'm looking forward to trying out soon).

However, getting my TiVo networked took longer than I would have hoped since TiVo was pretty slow to add 802.11g support to their unit and I wasn't going to buy an obsolete wireless adapter. Since then however, every TiVo service update is a roller coaster ride of compatibly cross your fingers. Will this update break my network settings or won't it?

A couple years ago, I was in need of a new set of speakers for my computer. The Cambridge Soundworks speakers I was using (purchased well before their assimilation by Creative Labs) had been going strong for many years. However, they had required a repair the year before (blown capacitor in the subwoofer) and the volume control was becoming a touchy beast. If the control was bumped, it could cause all sound to be lost in one of the channels. Thus began a frustrating exercise of tapping the control with one finger until full stereo sound was once again achieved.

At the recommendation of several people whose opinions I value, I looked in to the Klipsch line of computer speakers. I narrowed the choices down to the Klipsch ProMedia 2.1 and the ProMedia GMX A-2.1. The price was the same for both units. Not being much of an audiophile myself, the difference in specifications between the two models meant very little. Therefore, I settled on the ProMedia 2.1's for two reasons: 1) more aesthetically pleasing - the industrial look of the GMX's was a little much for me, and 2) I couldn't find the GMX speakers anywhere in a store to listen to them, whereas the ProMedia 2.1's were everywhere.

The ProMedia 2.1 speakers have been a great investment. The bass is solid, strong, and deep. The highs are crisp and sound natural to my amateur ears. But like most things technological, they are not without their gripes either.

One of my favorite parts about working in the tech industry is the opportunity to learn new things on an almost daily basis. For me, there are fewer things that I enjoy more than learning something new. It's really easy to get caught up in the fast lane and blow through every day like it's a race to the finish line. The problem with this mentality is that you miss out on a lot of cool and interesting things.

While researching a project I was working on, my research began to take me towards more resources focused on SQL injection attacks. In a nut shell, a SQL injection attack involves providing specially crafted user input to an application that uses that input to construct a SQL statement in order to get additional SQL commands executed during the normal course of operation. The severity of a SQL injection attack depends upon the level of input validation present in the application and how well secured the database server is configured.

I'm not going to say much more about how an attack is done as there's lots of resources out there that go in to much better detail than I care to right here. Start with the Wikipedia article I linked above. Here's another good article that starts with the basics and builds upon that until the full capability of this style of attack is made clear to you.

If the information above makes sense to you (or frightens you), then this next one is going to blow your mind. This video lays it all out in front of you with a real-world example demonstrated in real-time. In the video, a hypothetical web-based business is the target of the attack. As a web-based business, their credit card transactions are processed electronically. This processing is done on a computer with no direct interface to the Internet. Sounds "safe," right?

As you'll see in the video, it's only as safe as the code that makes it all possible. Exploiting the weak user input verification present on the company's web site (and a poorly configured DB server), he shows how a hacker can:

• Build a binary copy of the data contained in the database.
• Snoop around the computer using directory listings.
• Transfer files to and from the targeted machine using TFTP (check your Windows system32 directory - unless you're running Vista, you probably have it).

The end result is that the hacker can use the company's web site to perform just about any action he desires. The interface through which it's done might seem cumbersome, but if you're a hacker, it's a small price to pay when you're got the keys to the kingdom.

Scary stuff, right?

A couple weeks ago, I wrote about my broken Klipsch ProMedia 2.1 speakers. The flimsy, cheap DIN plug was no longer making a solid connection with the subwoofer. The Klipsch web site continued to show replacement controls pods as unavailable, so I elected to fix them myself instead.

For those that are looking to do the same thing, here's the parts list:

• Broken Klipsch ProMedia 2.1 speakers
• Replacement 5-pin DIN plug (scavenged from a 6ft. MIDI cable)
• Klipsch DIN plug wiring diagram
• A digital multimeter (highly recommended)
• Soldering iron & solder
• Wire strippers
• Electrical tape

It's always been a pet peeve of mine when software installers (and uninstallers, for that matter) treat a user's desktop and registry as their own personal playground. As far as I'm concerned, I'm leasing that space out to an application until further notice. It's a temporary home, not a permanent one. As such, an application would do well to not make any assumptions about where it's okay for them place shortcuts on my computer. If it's going to ask me what directory and program group I want it installed in, it's not a stretch of the imagination to believe that I'll also want to dictate whether or not the application is worthy of acquiring a piece of the the limited (and valuable) real estate afforded by the quick launch toolbar and system tray.

But of course, not every company out there sees it my way. One of the worst offenders of this dictum has always been Apple. It's difficult to enjoy all the media offered on the Internet without installing Apple's QuickTime media player. As an iPod owner, it's virtually impossible to go without installing iTunes, which requires installation of QuickTime as well.