Main Line Computer Users Group


February 2004 Issue 261

VILLANOVA UNIVERSITY, ST. AUGUSTINE CENTER, ROOM 110

MEETING STARTS - 09:30 - FEB 14th


THIS MONTH'S CONTENTS
UPCOMING MEETING:

As usual, we'll start off the meeting with some announcements and a bit of round-table talking on news and problems. Come early and stay late!

From presenter, John Deker: for February we'll continue our look at anti-pestware. Specifically, we'll finish up on SpyBot and its associated program, Spyware Blaster. Spyware Blaster prevents the installation of ActiveX programs, which are considered to be pestware, or worse.

ActiveX programs are programs imported by your browser to execute certain functions on your computer. Microsoft created an authentication process for such programs, but the authentication process does not guarantee that the program is not malicious in some way. For further information about ActiveX problems and risk, please refer to an article from Byte magazine at:

http://www.byte.com/art/9611/sec3/art8.htm

We'll finish the formal presentation on the anti-pestware software with a review of the three programs presented last month, namely PestPatrol, SpyBot, and Ad-Aware, and make a general recommendation as to which is best and why we think so.

To end the presentation, we'll discuss the potential risks of using these programs and how you might handle those risks, if you decide to use them. To be honest, I consider the risks relatively minimal, but since these programs sometimes mess with the registry when trying to remove pestware, there is still some risk...


JANUARY'S SPYWARE PROGRAM by John Deker

During our January meeting presentation we pretty much stuck to our agenda by reviewing what pestware is and then looking at 3 anti-pestware programs - PestPatrol, SpyBot, and Ad-Aware. [cont.]

#######################################
ANNOUNCEMENTS & COMMENTS
#######################################

WELCOME - to our most recent new members: Robert & Heidi Bulitta of Downingtown, David Raines of Birchleaf VA (yes, Virginia!), Bill & Heather Uster of West Chester and Frank Walder of Upper Darby!! With all these additions, we can now boast of some 39 members. For the first time in many years, we have had an increase in members from the previous year!! So, we hope that all of these new members will find value in the group, will hang in there for the future and try to find other users who could also benefit from being a part of the MLCUG!

OUR NEW WEBSITE - just a reminder that thru the good offices of Mr. Rich Goldberg, operator of the Bee.net local ISP, the club has been provided with a new website host and a new (we hope, easy-to-remember) domain name - mlcug.org! So, now we can be found on the web at: http://mlcug.org

Remember to check it out regularly. Last minute meeting items may be posted there, in addition to coming to you via the MLCUG listserv.

Oh yes, our faithful webmaster, Pete Whinnery, will be most appreciative of ideas to improve the usability and value of this website; so don't hesitate to suggest (he tells us he is still learning!).

REGULAR REMINDERS:

1) our email mailing list is run for the members' benefit; so please do not hesitate to post notices or problems to it. If we can't solve the problem remotely, we can be alerted to it ahead of a meeting where hands-on may do the job.

2) attendees know that we have a very fast internet connection from the VU meeting room (last month we hit 800+ KBps, now that's really moving - tho past performance is no guarantee of the future!). So, if you have a very large download, you can bring along a zip disk (or a CD-R/RW) and get it done there, either before or after the main meeting.

3) a half dozen or so of the regular attendees usually partake of lunch at the Villanova Diner after the meeting. Why not join us? It is a good time to get a little more help (or give it) and just to have fun talking about our common interests. The food is quite good, too!

***************************************
WELL ANOTHER ONE !!!

Last time we mentioned the bug in Internet Explorer that allows for URLs that invisibly take you to a website that is not what you see on your screen - making for lots of folks giving out private info while believing they are contacting a reputable and trusted website!

Remember last August where we had a couple of potent bits of malware a week apart? Well, last week did that one better(?) with a new worm (Beagle.A) appearing on Monday, followed by another (MyDoom.A) a day or so later, then a third (MyDoom.B) on Thursday. Symantec had to update their virus definitions three times in four days, rather than once in a week!!

Both Beagle and MyDoom are mass-mailing worms which means that, once they are activated on your computer, they search thru your files seeking email addresses and mailing copies of themselves to those addresses. MyDoom.A is now the record-holder as the "most successful" worm yet! Some success!!

MyDoom.B was apparently sent out to reduce folks' ability to stop the worms by preventing computers from accessing websites that can provide updated virus signatures for anti-virus software (like Symantec, McAfee, F-Secure). It apparently did not propagate as quickly as the A variant, but nevertheless added to the net mess.

An extra "feature" of the MyDoom worm is that it plants a little utility on your computer so that on February 1st, your computer will connect to the net and start sending attention requests to the web server of SCO (the Unix folks). This technique, called a denial-of-service (DoS) attack, is designed to completely overwhelm a web server with so many requests for attention that it will crash and go out of service. Since the worm circulated world-wide, it planted these little time bombs all over the planet - but how many was not known.

And, sure enough, starting late on the 31st, the requests began to roll in to the SCO website (www.sco.com) and increased in volume as the hours rolled by. The SCO website was brought down by these requests early on the 1st, as the hacker had hoped and planned for! So, it's clear that he succeeded in planting his time bombs pretty extensively. As most of you know, there is no really good, quick way of stopping a DoS attack (one of which brought down some Microsoft servers last year!); so SCO is out of commission for some unknown amount of time...

The point of all this story - make sure that YOU: 1) have your anti-virus software installed, 2) keep it up-to-date, 3) have a good 2-way firewall installed and running and 4) better, if feasible, have a hardware firewall in place. This way, you'll be protected and will not be a partner to DoS attacks!

We can delve further into these guidelines at our next meeting discussion. Watch the listserv, too.

***************************************
SYMANTEC/NORTON PRODUCTS

A recent column by Reid Goldsborough, in the Inquirer, carries another trouble message re the 2004 versions of Norton Anti-Virus and Norton Internet Security.

On the off-chance that folks might be interested, I took a flyer and made a bulk order of: Norton Anti-Virus 2003. These were OEM CDs and I sold them at my cost of $10 each. This was cheaper than extending one's AV subscription for Norton - which is now around $20 (actually, one person told me it cost them $25!).

Because Inquirer columnists, John Fried and Reid Goldsborough, have reported problems with the 2004 versions of the Norton products, AV and internet security suite, it looks like a good idea to refrain from them until we get evidence that the problems have been corrected. If anyone hears news on the products, please let us know. [Emil]

***************************************
MLCUG LISTSERV

MLCUGers: note the format of the "Subject:" header of this message. All messages from this list will now include "[MLCUG]" automatically in the subject header to make it easier to identify. This should provide assurance to our members that the messages are safe to open.

Your humble list keeper. [Peter Whinnery]

***************************************
LAST MONTH'S MEETING

We had quite a crowd at the January meeting, with 21 attendees, including some first time members - new faces! Hopefully, the latter found the meeting interesting enough to return!!

More info on the meeting will follow, but for those who did not make it, the program was Part I on "Pestware". Our presenter, John Deker, discussed pestware (adware, spyware and such-like).

In the course of the demo, he downloaded and installed three products:

Each was used to scan the club computer for pestware and the results of each were compared. As John had previously noted, these programs interpret stuff differently and the results of the scan confirmed that, as each gave a different report of the "potentially bad stuff".

Next time, we'll spend more time on SpyBot and a companion program, Spyware Blaster. We hope that you'll all be able to make it.

***************************************
Of all things!

The eMachines folks, not exactly noted for bleeding edge computers, have announced a $1300 (at Best Buy), high end system (model T6000).

Here are the stats: Athlon 64-bit CPU, at 2 GHz, 512 MB of RAM, 160 GB hard drive, 128 MB video card, 8-in-1 media card reader, CD burner, DVD drive, ethernet, USB 2 and Firewire ports!

I guess they must be doing something right. Just a few days ago, Gateway computers announced that they were merging with eMachines, in a straight buyout. This move will nearly double Gateway's sales - but still leave them in a fairly distant #3 position, after #1 Dell and #2 HP. Gateway has not been making money, tho eMachines has. Hopefully for them both, the merged company will survive and make a decent profit. A two-company duopoly is not a heck of a lot better than the oneopoly we have with Microsoft; so 3 may be!

***************************************
PESTWARE PROGRAM - I

by John Deker, continued from p.1

Most of the information about pestware came from the PestPatrol research center websites at:

Since we were getting our pestware overview from the PestPatrol website, we also did our first anti-pestware download from that site. In this case, the download was demoware, since PestPatrol is commercial software. The PestPatrol demoware will detect pestware, but not remove it. The evaluation version of PestPatrol can be found here:

http://www.pestpatrol.com/downloads/eval/download.asp

With the download completed, we installed the software, ran an update check, and then performed a scan for pestware. When the scan was complete, we looked at some of the detected pests and showed how one can get additional information about those pests. We also spent a bit of time on some of the features of the software.

With PestPatrol behind us, we then turned our focus to Lavasoft's Ad-aware. Since Ad-aware is freeware, we were able to download and install the fully functional version from:

http://www.lavasoftusa.com/support/download/

The download links to several download sites can be found at the bottom of the web page. In a fashion similar to PestPatrol, we updated the software and ran it thru its paces.

The last part of our January presentation was spent downloading and installing Spybot. Spybot is donationware and can be downloaded from a link at the bottom of this web page:

http://www.safer-networking.org/index.php?page=download

We only spent a few moments looking at Spybot. So, we'll finish our review of this program and an associated program, Spyware Blaster, in February. See the agenda for February elsewhere.

***************************************
Good Pest Overview Reference

Reminder of a good reference on the ins and outs of the pestware genre:

http://www.pestpatrol.com/pestinfo/

[by John Deker]

***************************************
Pestware Test Report

Following the January meeting, I re-ran the three pestware utilities on the club computer and got the following results:

Ad-Aware found      2
Pest Patrol found   1  (same as 1 from Ad-Aware)
SpyBot found        9  (incl the 2 of Ad-Aware)

Of these, only 1 - a non-cookie, which all three programs found - appears interesting or possibly worrisome. No way to tell for an amateur like me.

During the next session, we'll aim for a way for folks to evaluate the results of such a scan to help them decide what to do. Here, of course, I did nothing, just ran them, as a benchmark prior to the part 2 meeting. [Emil Volcheck]

NOTE: in the program planned for February, John Deker will give his take on this subject - with some recommendations on how to deal with such results.

***************************************
Old Windows to get a little older!!

Gad! Talk about being upstaged! Last month, I had an article about the impending doom of Microsoft's support for Windows 98/98 SE - on January 16th. But, the issue barely got to press before Microsoft relented and announced that the support would be extended for an additional 2.5 years - to June 2006. They also noted that support for Windows Me would end at the same time, tho it is a year younger than Windows 98 SE.

I confirmed, at a computer meeting on the 15th that the word had been posted on the Microsoft website. The following article is a nice summation of the situation, and an assessment of potential motives for the change:

Microsoft extends Win98 support to June '06
[By Ed Scannell January 12, 2004]

Doing an about-face at the 11th hour, Microsoft, on Monday, decided to extend its support of Windows 98, Windows 98 SE and Windows Millennium until June 30, 2006 -- support that was scheduled to be phased out starting this Friday.

According to a company spokesman, the company rethought its position on Windows 98 late last week in response to "customer need," and because the company wanted to bring Windows 98 SE into compliance with the company's current life cycle policy for new products, which provides support for seven years instead of the original four, according to the company.

"The first [reason] was in response to customer needs. Microsoft made this decision to accommodate customers worldwide who are still dependent upon these operating systems and to provide Microsoft more time to communicate its product life cycle support guidelines in a handful of markets - particularly smaller and emerging markets," said Frank Kane, an MS spokesman.

The decision to lengthen support for Win 98 and Win Me customers through the same date provides a "clear and consistent date for support conclusion for all of these older products," Kane said.

During this time, Microsoft will continue to offer paid phone support and will continue to review critical security issues, taking appropriate steps.

According to recent numbers from IDC, as of year end 2003, there were still 58 million Windows 98 users, 21 million Windows 95 users, and 25 million Windows Millennium users. The company said the installed base of desktop operating systems users now totals 380 million. [ejv note: the article does not say if this is the Windows installed base, or includes other OSes].

Besides doing a better job of listening to the financial and technical needs of their customers, the move may also have to do with Microsoft protecting its mammoth installed base against the surging tide of Linux-based distributors led by Red Hat and SuSE Linux.

"Some reasons have to do with users needing continued support and not being able to move for one reason or another. The other is if they left people orphaned, the open source community would swoop in to say, 'hey, we can help you'. Considering the competitive nature of the market in general, some very big companies could end up walking into the arms of Red Hat and SuSE," said Dan Kusnetzky, vice president in charge of operating system research at IDC.

Kusnetzky added, however, that in the context of other operating systems suppliers Microsoft is actually more generous than other providers that often discontinue support of older systems about a year after its replacement comes out.

"In terms of support [Microsoft] is already generous. Most OS suppliers support their product for no more than a year after the replacement has come out. So there are both sides to that," said Kusnetzky.

Updated details about the new extended support period for these products will be posted Jan. 15 at http://support.microsoft.com/lifecycle, Microsoft said. [Note: ejv confirmed it on January 15th]

***************************************
The Empire Strikes Back: Win XP SP2

Microsoft may have been planning a 2nd Windows XP Service Pack before the massive virus and worm invasions of last summer, but it's clear the attacks gave a new urgency to fixing the major weaknesses that made them possible.

"Some of the events may have been a catalyst for bringing SP2 out at this time," says Amy Carroll, director of Microsoft's Security Business Unit.

SP2 will address security on several fronts. First and foremost, the update will turn the OS's built-in firewall on by default--while making it compatible with functions that users expect to work regardless of firewall settings, such as file and printer sharing (which currently don't work with the firewall on). Two technologies that enable communication between networked PCs and that were exploited by worms--RPC (the remote procedure call) and DCOM (the Distributed Component Object Model)--will be reworked to make them less easily accessible by outsiders.

Microsoft is revamping core Windows components to prevent so-called buffer overruns--attacks that cripple PCs by writing too much data into software-allocated areas of memory. Also, the company is working with CPU vendors to enable Windows to support no-execute (NX) technology, in which the CPU prevents execution of code that a worm or virus has inserted in a memory area assigned for data only.

SP2 will change default settings for Outlook Express and Windows Messenger to make them more secure. It will also isolate e-mail and instant message attachments to keep them from damaging other parts of the system. Finally, SP2 will shore up IE's defenses against malicious Web content--for example, giving users better controls to keep ActiveX and other software from running on their PCs without their consent.

SP2 should be in limited beta as you read this and should ship by mid-2004. When it does, it could be a very big download: Microsoft says it will include all of SP1 (a 145MB download) plus all updates issued since SP1's release over a year ago. [Yardena Arar].

DIRECTIONS FOR ST. AUGUSTINE CENTER MEETING ROOM

Meetings are in the St. Augustine Center at Villanova University. The regular monthly sessions meet in Room 110.

Enter from the ITHAN AVENUE main gate, then proceed to the upper level of the 2-level parking building adjacent to the St. Augustine Center, on the Ithan Avenue side of the building.

NOTE: maps on our webpage - http://www.mlcug.org/


PC/128/64 Meetings      2004      Steering Committee Meetings

February 14                       February 18 **
March 13                          March 17 **
April 10                          April 21 **

* = FOURTH Wednesday      ** = THIRD Wednesday at Tom Johnson's home

***************************************
EDITOR: Emil J. Volcheck, Jr.   1046 General Allen Lane   West Chester, PA 19382-8030
(Produced on a home-built PC: 233 MHz Pentium, 128 MB RAM, 20 GB hard drive, Epson Stylus Color 740 printer, HP Scanjet 6300C, CD-RW drive, DVD-ROM drive and 250 MB Zip drive, using Appleworks 5.0.3)

          MLCUG LISTSERV: for members only...
                     WWW: http://www.mlcug.org/
               PUBLICITY: Robyn Josephs 610-565-4058
       VILLANOVA SPONSOR: Prof. Frank Maloney, Dept. of Astronomy

MLCUG STEERING COMMITTEE:

PRESIDENT: Emil Volcheck    610-388-1581  SECRETARY: Charles Curran 610-446-5239
TREASURER: Dewitt Stewart   610-623-5145  AMIGASIG: John Deker      610-828-7897
WEBMASTER: Peter Whinnery   610-284-5234  DATABASE: Layton Fireng   610-688-2080
AT LARGE:  Tom Johnson      610-525-3440  AT LARGE: John Murphy     610-935-4398