basically tech

43 A Cost Analysis of Windows Vista Content Protection

Wednesday 31st January, 2007

This is a real eye-opener, a detailed analysis of Vista's DRM infection. The article is quite long, so you might be tempted to think, "Ah, forget it!" Before you dismiss it, have a quick look at the more important section titles:

  • Disabling of Functionality
  • Indirect Disabling of Functionality
  • Decreased Playback Quality
  • Elimination of Open-source Hardware Support
  • Elimination of Unified Drivers
  • Denial-of-Service via Driver/Device Revocation
  • Decreased System Reliability
  • Increased Hardware Costs
  • Increased Cost due to Requirement to License Unnecessary Third-party IP
  • Unnecessary CPU Resource Consumption
  • Unnecessary Device Resource Consumption

Believe me, if you intend to purchase Vista, or a PC with Vista installed on it, this is well worth the read.


42 Amusing Vista security claims

Wednesday 31st January, 2007

This article has been prominent in technology section of the BBC News page.

Windows Vista is "dramatically more secure than any other operating system released", Microsoft founder Bill Gates has told BBC News.

When I first read that statement, I burst out laughing. It had to be a joke. OpenBSD sprang straight to mind. It couldn't be a serious claim. Further on, the article says:

Security analysts have praised the improved tools in Vista but many feel that holes in the operating system eventually will be exposed and that Microsoft will continue to need to update it through online patches.

Well, you know what? The first service pack is already being built! That means that there are known bugs. "How long before Vista SP1 is released" = "How long before known Vista bugs are patched". Well, here's a rough guideline for you; with Windows XP, it took 11 months.


41 Microsoft copies core BlueJ functionality, then applies for patent, then backs off

Monday 29th January, 2007

BlueJ is an educational IDE for teaching object-oriented programming and Java to beginners. The full article details how Microsoft knowingly copied core functionality from BlueJ and planned to patent it as their own "invention".

After blatantly copying BlueJ (without reference or attribution), Microsoft have now filed for patent for the functionality they knowingly copied from us.

Why? To sue us out of the market? To make us pay? Who knows. Sad fact is that this could destroy BlueJ.
BlueJ competes with Microsoft’s Visual Studio in the education market. Not ‘compete’ in a commercial sense from our point of view, since we ... do not make money from the distribution of BlueJ, but ‘compete’ in a business sense for Microsoft, since BlueJ adoption can theoretically mean lost sales for Redmond.

After the full glare of Internet publicity hit them, Microsoft claim that:

... the patent application was a mistake and one that should not have happened. To fix this, Microsoft will be removing the patent application in question.

A mistake? One wonders how many other such mistakes have been made and not noticed.


40 malicious code on websites

Wednesday 24th January, 2007

According to an article on the BBC News website, tech criminals are moving the focus of their activities from e-mail to the web. It appears that many spyware or trojan-infected e-mails are getting blocked before they reach the user, so instead "clean" e-mails containing links to websites which contain malicious down loaders are being used instead. The goal seems to be to try to gain access to corporate networks. This rather ties in with my previous article on the relative security of internet explorer and mozilla firefox.

This also seems a little at odds with an earlier report which implied that home PC users were the main target of tech criminals. Or it may be that that particular user base is nearing saturation as far as the aims of tech criminals are concerned.


39 2006 security status: Internet Explorer vs Mozilla Firefox

Monday 22nd January, 2007

The "Security Fix" blog on the Washington Post website compared the relative security of Internet Explorer and Mozilla Firefox during 2006:

... analysis found that for 284 days in 2006, bad guys were either exploiting critical, unpatched security holes in IE or blueprints for said instructions were published online for any criminals to use. In contrast, the data showed that there just nine days in 2006 in which exploit code was available for similarly serious, unpatched security holes in Mozilla's Firefox browser.

These statistics are shocking. There's not a lot more which can be said about them; one can only guess as to the reasons behind Microsoft's apparent lack of commitment to security for Internet Explorer. However, let me represent this data for you graphically:

Chart showing the relative security of Internet Explorer and Mozilla Firefox during 2006

It just seems unreal.


38 Open source is almost always the cheaper option

Thursday 18th January, 2007

This article from, and another from the BBC give accounts of how the European Commission has published a report (PDF format) saying that in "almost all cases" switching from proprietary to open source software could offer considerable savings to organisations with little effect on their business.


37 Solaris 8: NIS installation and configuration

Monday 15th January, 2007

(This article has been redrafted to include Solaris 10-specific commands and entries, as well as retaining the original Solaris 8 commands. In addition a couple of typos have been fixed and an extra note about changing the NIS Makefile has been added. This original article has not been altered, so follow the link above if you want to see the redrafted article.)

This is a step-by-step account of the method I used recently to install and configure a NIS master and slaves on servers running Solaris 8. The steps detailed should work fine on other versions of Solaris, but as I have not explicitly tested other versions (except as clients) you may encounter issues. The clients used with this setup ranged from Solaris 7 to Solaris 10. The installation was in a medium-sized Solaris-only farm (100+ hosts).

Configuring NIS on Solaris is not quite as straightforward as it is on other OSes (such as some Linux distros). This didn't really surprise me, even though NIS is Sun's product. What this does allow is a more tailored end product.

There are three points I'd like to emphasise concerning this article:

  • This article is not an definitive how-to; there is more than one way to implement NIS. This way works, it's relatively straightforward, and is more secure than a default NIS installation.
  • This article is not an endorsement of NIS over other naming systems. My recommendation to the client was to use LDAP, but NIS had been used before, they were more or less happy with it *, and it did what they wanted it to. Having said that NIS is still used on many sites, it's versatile, it's easy to set up and maintain, and it can be made more secure without too much extra effort.
  • This article describes the set up of NIS only. Administration is another matter altogether.

(* The client's existing NIS setup was very old and exhibited quirky behaviour on some rare occasions. In addition, it had allowed encoded password values to be seen when running ypcat passwd. This was not acceptable.)

36 NSA involvement with Microsoft Vista

Sunday 14th January, 2007

It's interesting looking back on this in light of the Snowdon revelations. And were the NSA involved in "helping Microsoft" with more recent versions of Windows?
Rob. April 2015.

On the face of it, getting the NSA to help with Vista security seems like a pretty good idea. So good, in fact that Microsoft are willing to surreptitiously advertise this fact (in the full knowledge that once the news gets out, it will be broadcast all over the Web in a matter of days) as yet another reason why Vista is going to be so secure.

Microsoft also admit that this is not the first time it has sought help from the NSA. Apparently the NSA has helped with security aspects for the consumer version of Windows XP and Windows Server 2003.

What they don't acknowledge is the nearly forgotten news that the NSA seems to have had significant input in every version of Windows since the second release of Windows 95. So significant in fact, that some researchers believe that the NSA were allowed to plant back doors in these operating systems.

So now when you read that Microsoft is and has been repeated involved with the NSA, for "security enhancement", does it make you feel more, or less secure?


35 UK schools at risk of Microsoft lock-in

Friday 12th January, 2007

An article on Computer Business Review Online reports:

UK schools and colleges that have signed up to Microsoft Corp's academic licensing programs face the 'significant potential' of being locked in to the company's software, according to an interim review by the UK government agency responsible for technology in education.

The article goes on to state:

The British Educational Communications and Technology Agency (Becta) report also states that most establishments surveyed do not believe that Microsoft's licensing agreements provide value for money, while a separate review has recommended against the deployment of Vista and Office 2007.

No, really? Isn't vendor lock-in one of Microsoft's main strategies? Have a look at these excerpts from an internal Microsoft memo, drafted for Bill Gates (see the Wikipedia article on "vendor lock-in" for more details):

"The Windows API is so broad, so deep, and so functional that most ISVs would be crazy not to use it. And it is so deeply embedded in the source code of many Windows apps that there is a huge switching cost to using a different operating system instead...

"It is this switching cost that has given the customers the patience to stick with Windows through all our mistakes, our buggy drivers, our high TCO, our lack of a sexy vision at times, and many other difficulties [...] Customers constantly evaluate other desktop platforms, [but] it would be so much work to move over that they hope we just improve Windows rather than force them to move.

"In short, without this exclusive franchise called the Windows API, we would have been dead a long time ago."

Well, duh, all those crazy Open Source fanboys were right after all. Too late, you're stuck now. Probably.


34 Who's in charge of your PC? (2)

Monday 8th January, 2007

Following on a from an earlier post, which only hinted at future plans to monitor (Windows) PC users, here is a truly frightening story about an ActiveX control which seems to have been installed on all Acer laptops since 1998. This particular program which has been marked "safe for scripting" appears to allow any web page to run any command on your (Acer) laptop. The link provides more details, as well as a test for those who are concerned.

The two questions which spring to my mind are: "What exactly are Acer up to?", and "Who else is doing this?" All this has been going on unnoticed for eight years.