Scot's Newsletter Blog
---------------------------
http://blog.scotsnewsletter.com/
Operating Systems. Broadband. Issues. Reviews. Info You Can Use.
April-August 2008 - Vol. 8, Issue No. 98
By Scot Finnie
In This Issue
--------------------
1. Where Has Scot's Newsletter Been?
- Recent Blog Posts
2. Scot's Newsletter's Security Scare -- Newsletter Exclusive!
3. A Note About Blog Performance
For subscription management, contact info, links, and other resources,
please see the end of the newsletter.
1. Where Has Scot's Newsletter Been?
-------------------------------------------------------------------
Some of you have been getting a little edgy about where the newsletter has been over the past several months. The last Scot's Newsletter Blog notification newsletter went out on March 27. Since then, a lot has been going on -- a good portion of it not good -- and for the last couple of months, I could not send out the newsletter. The good news is, we're back now, there's no longer something stopping me from mailing.
To put you fully in the picture of why the newsletter stopped mailing, here's a list of everything that played a role in making that more difficult:
1. The Scot's Newsletter sites were under security attack from May until about six weeks ago. You'll find a detailed report about the steps I took to combat that problem a little further down in this newsletter.
2. I have a job that bears a lot of responsibility. I love being editor-in-chief of Computerworld, but it takes a toll on me. It's also more of a management position than a research and writing job, so there's less overlap with what I do professionally and the newsletter than there was with previous jobs. Clearly, managing the strategic direction of the preeminent IT computer website and weekly magazine is a good thing. But it has had a significant effect on both my personal life and on Scot's Newsletter.
3. Speaking of my personal life, that's another important aspect of my life. I have young kids and I'm trying to spend more time with my wife and family. The job has taken me away more, and so I'm devoting more of my "free" time to them.
4. I'm a confirmed Macintosh user. Perhaps even more so after the latest detour into my own little security nightmare. Most SFNL readers are Windows users. I am still actively watching and using Windows, but my computing passion has switched allegiances. Until Windows 7 arrives, I have lost my ardor for Windows. I detest Windows Vista and there's not much more to say about Windows XP ... other than: Install Service Pack 3 and XP isn't going to last forever, so you should be thinking about your next move.
And by the way, since Windows 7 is looking more and more like Windows Vista SP3 with no major architectural changes, there's no reason to suspect that the underlying issues that keep me recommending against Vista will be addressed.
From an end-user perspective, I'm recommending the Mac, then Linux, then Windows, in that order. Of course, at work, few of us have the luxury to choose the operating system. At my company, thankfully, there is an option between the Mac and Windows, with the only gating factor being cost.
5. My other passion is automobiles -- an abiding interest that pre-dates computers by more than a decade. I have owned more than 50 cars in my lifetime, and I was rebuilding engines as a young teenager. I am especially obsessed with alternative fuels and fuel-efficient automotive technologies. As a result, with world demand for oil on the rise and gasoline prices up significantly, automobile technology and usage patterns are changing rapidly in the U.S. I have been blogging quite a bit on these subjects. I write about what moves me -- with no apology, but my supposition has been that most newsletter subscribers don't look to me for that content. So I didn't mail a newsletter for those topics.
Some loyal readers and newsletter subscribers have written to me wondering why I didn't send a newsletter to notify people about the automobile-oriented coverage in the blog. Others have agreed with me that the several posts I made in May and June about hybrid automobiles and oil prices weren't worthy of newsletter notification. I'm interested in the opinions of SFNL subscribers on this point. What do you think? Should I have sent a newsletter about automobile-oriented blog posts? Drop me an email to let me know. Choose the appropriate Yes or No response.
---------------
Poll Question: Should I have sent a newsletter notification about automobile-oriented blog posts?
* Yes, Scot, you should have sent a newsletter anyway:
mailto:scot@scotsnewsletter.com?subject=Yes_Auto_Coverage
* No, Scot, it's best that you don't notify me about auto coverage:
mailto:scot@scotsnewsletter.com?subject=No_Auto_Coverage
---------------
To take you a step deeper into my thinking on this subject, I am deeply concerned about the state of our environment and our dwindling non-renewable resources. Having kids makes you a lot more aware of the mess we are all responsible for leaving behind. I'm also mindful of the economic and socio-political advances in the far east, which are likely to exacerbate the deterioration of the environment and rapidly increase the demand for non-renewable energy and other natural resources.
So, even though we're in a recession that's spreading out globally and which is expected to slow down the rise in demand for oil worldwide, that will be a temporary phenomenon. I'm not blaming this on the Chinese, whose economic rise is a good thing in many ways. But China represents a huge chunk of the world's population, and as it continues to modernize, it will change the balance of trade and world economy. Perhaps worst of all, it will accelerate the world's environmental woes.
The problem starts right here in North America, though. The U.S. consumes a whopping 25% of the electricity produced globally. We need to be a big part of the solution, whatever it is.
-- Recent Blog Posts --
So, those are the reasons I haven't sent a newsletter. I haven't been able to send one for the last several months and before that, I didn't feel there was enough of value on the site to send one. Add one more reason: I took a break after I delivered the Best Firewall Software of 2008. That piece was 18 months in the making, and I needed some time away.
That said, here are the links to what I have written since March in reverse-chronological order:
Online Armor 3 Beta Supports Vista
http://blog.scotsnewsletter.com/2008/08/05/online-armor-version-3-beta-supports-vista/
Scot's Newsletter Forums Open for Business
http://blog.scotsnewsletter.com/2008/07/27/scots-newsletter-forums-open-for-business/
And ... We're Back
http://blog.scotsnewsletter.com/2008/07/23/and-were-back/
What's Up at the Scot's Newsletter Sites
http://blog.scotsnewsletter.com/2008/07/06/whats-up-at-the-scots-newsletters-sites/
Hybrid Closure: Buying a Second Toyota Highlander Hybrid
http://blog.scotsnewsletter.com/2008/06/20/hybrid-closure-bought-a-second-highlander-hybrid/
More Scuttlebutt on the 2009 Toyota Prius
http://blog.scotsnewsletter.com/2008/06/06/more-scuttlebutt-on-the-2009-prius/
Toyota's Next-Gen Hybrid Tech and 2009 Prius
http://blog.scotsnewsletter.com/2008/05/25/toyotas-next-gen-hybrid-tech-and-2009-prius/
An Increasing Priority: Fuel-Efficient Automobiles
http://blog.scotsnewsletter.com/2008/05/23/an-increasing-priority-fuel-efficient-automobiles/
30 Days of Apple's MacBook Air
http://blog.scotsnewsletter.com/2008/05/17/30-days-of-apples-macbook-air/
MacBook Air: Using Is Believing
http://blog.scotsnewsletter.com/2008/04/21/macbook-air-using-is-believing/
USB Drive Wrap-Up: The IronKey Rocks for Security
http://blog.scotsnewsletter.com/2008/04/21/usb-drive-wrap-up-the-ironkey-rocks-for-security/
The Best Firewall Software of 2008: Online Armor
http://blog.scotsnewsletter.com/2008/03/24/the-best-firewall-software-of-2008-online-armor/
What to Do about Vista Service Pack 1
http://blog.scotsnewsletter.com/2008/03/22/what-to-do-about-vista-service-pack-1/
2. Scot's Newsletter's Security Scare -- Newsletter Exclusive
-------------------------------------------------------------------
Sometime in May (and possibly earlier than that), the Scot's Newsletter websites were penetrated by hackers based in China, Russia, Estonia, South America, New Jersey, New York City, and elsewhere. Somehow the bad guys gained FTP access to my site -- even though the only people who had access were Cyndy and myself. My webhost at the time, IX Webhosting, was so clueless and ineffectual about handling this problem that I immediately set in motion plans to move to a new webhost.
But before I could get to the fixing part, I needed to do a security assessment. In desperation, I reached out to Paul Laudanski, previously of the Castle Cops forums and now an Internet Safety Investigator at Microsoft. Paul has been through this himself at Castle Cops, and he's very well connected in the security industry. He's also a generous guy who immediately called a team of people he's worked with in the past. Lawrence Baldwin of MyNetWatchman.com and another expert who asked to remain anonymous answered the call. These truly selfless individuals spent hours working with me to assess the state of the security of my networks, hardware, and software -- as well as the software and data on the websites. I owe a debt of gratitude to Paul, Lawrence, and especially to the fellow who requested anonymity.
Castle Cops:
http://www.castlecops.com/
MyNetWatchman:
http://www.mynetwatchman.com/
In moving to a new webhost, my number one priority was to avoid bringing the vulnerability and bad guys with me. I also needed to update the server applications running on my websites and to bolster security there. My new webhost, whose identity I'm withholding temporarily, offers a much higher degree of both performance and security. I've been very happy with my new webhost, by the way, and I will be writing about my experiences with the company once a little more time has gone by.
In addition to moving to a new webhost, I needed to change some practices, such as using secure file-transfer methods to and from the website. At home, I upgraded my hardware firewall and went through a rigorous battery of tests on every computer and virtual machine. I also changed the way I manage the security of my home PCs and several security procedures. Since I discovered the problem, I've spent over 100 hours and three months on it and I'm still not done. In fact, my new security stance means that I will never be done. It's a never-ending process.
At some point I intend to write a detailed blog post about security takeaways from this experience. This newsletter article is an exclusive for subscribers. It's a small way to say thank you to my many loyal newsletter subscribers who've been waiting a long time for an update.
-- Managing Web Server Security --
I had a real battle on my hands on my shared webhost's server. IX Webhosting is very lax about security. My expert advisors were able to help me identify several vulnerabilities in IX's configuration and security policies. Also, though, I had not kept my two most vulnerable server applications -- WordPress and Invision Power Board (forums) -- fully up to date. You could say both IX and I were at fault.
One of the biggest problems was that IX didn't offer secure FTP (SFTP) or secure shell (SSH) access. As a result, I was sending FTP passwords in the clear every time I logged in with my FTP client. Although I could change my FTP password with an SSL-based login in IX's control panel, there wasn't much point in doing that if my actual connections could be sniffed. Bottom line: The bad guys were getting in at will. I began changing the FTP password every day, even when I wasn't logging in. But it had no effect on their access. They were still getting in. In the end, it became clear to me that either IX's SSL-based password-changing process had been compromised or even more ominously, IX was compromised from within. Since I'm not the only IX customer who has had this exact problem, it was clear to me that whatever the cause, getting out of Dodge was imperative.
I won't go into detail here about everything I did, but it started with downloading all the files for all of my websites and then going over each and every directory and file looking for anomalies. I took several approaches to that process, including full-text search. I also selected my new webhost and learned everything I needed to learn about upgrading my server applications to their latest, more secure versions. All the while, the forums were temporarily shut down and the blog was closed to comments and registrations.
In the end, the process of upgrading both WordPress and Invision Power Board was easier than I had anticipated. I ran into some things here and there that needed to be figured out, but with the help of two of Scot's Newsletter Forums admins, LilBambi and Bruno, I got through the whole process. I'd like to thank these two for the tireless support and help in researching problems and solutions. They are true friends as well as really smart and generous people. Scot's Newsletter Forums is a great place to get help on Linux, Windows, and many other topics because of those two, as well as several other volunteer admins and moderators who make the place go. Best of all, it's a friendly place where malicious negativity isn't tolerated:
Scot's Newsletter Forums:
http://forums.scotsnewsletter.com/
Finding my new webhost was much more difficult than the actual migration to its services. The new server is secure in several ways that I've never experienced before, something I'll address when I write about the company more openly. My new webhost's customer service and tech support are better than I hoped for (my first trouble ticket was answered in two minutes), and there have been no FTP penetrations. Site performance has also been snappy (at least it was prior to sending this newsletter; we'll see how the new server holds up now). I could not be more satisfied so far. I'll reveal the name of the webhost in the near future. At this point, I don't want a bunch of you switching to it until I know for sure it's the right choice. Time will tell, but so far, so very good. I've never been happier with a webhost during the first couple of months. In fact, I have no complaints whatsoever so far, and I'm somewhat in awe of the services and support I'm receiving.
-- Security Starts at Home --
Although it was not the most likely scenario, I could not ignore the possibility that my home network might have been penetrated or login information might have been sniffed on my network. My wireless security was up to snuff, as it were, but my hardware firewall needed to permanently visit the garbage can. Its service life had expired two or three years earlier, so it was no longer receiving security firmware updates.
The truly labor-intensive aspect of hardening my home security was reviewing the many Windows PCs and Windows virtual machines I maintain. I also scanned all my Mac computers. (I had only a few weeks earlier retired my sole Linux machine.) The Macs got a very simple test suite and all of them passed with flying colors. My far more numerous Windows installations all received a very rigorous going over with a battery of tests that included antivirus/anti-malware, Microsoft Baseline Security Analyzer, Secunia PSI, several rootkit detectors, and other products. In a nutshell, each machine was put through about 7 to 10 hours of analysis, reconfiguration, and security testing, which was repeated until all tests ran clean.
One of my most important and difficult takeaways was the decision to downsize my inventory of home computers. Interestingly, I had actually started down that path a couple months before these problems cropped up. I gave away every non-portable computer I owned (some seven or eight machines) to relatives and friends. (It should be noted that all those machines were wiped and scanned before I sent them off.) I had planned to keep the notebooks. But as a direct result of this security scare, I've decided to reduce my number of overall machines considerably. I still need enough Windows PCs and Macs to allow me to conveniently test new products, plus the machines that are used by Cyndy and the kids. But I want the total number to be seven or eight, max., and fewer would be better.
Why am I eliminating computers? It boils down to this: the fewer machines I have to support, the better my security support will be and the easier it will be to take action when any sort of security incursion is detected. Only a few months ago I was managing over 20 machines in my home, many of which were rarely turned on -- but all of them could have been harboring vulnerabilities and threats.
To date, I have eliminated two of my remaining six Windows notebooks, and I expect to dispose of at least one and probably two more. I'll probably buy a new Windows notebook when Windows 7 comes out. Most of my Macs also contain Parallels-based Windows XP virtual machines, which are just as vulnerable as any other Windows machine. I recently renewed my NOD32 2.7 site license. Every one of these machines has NOD32 installed on it. For those of you wondering, I don't have Online Armor or Comodo running on every machine. Some of them are more likely to need this extra help than others, and they're the ones that have HIPS-based software firewalls running on them.
Finally, if there's one thing I'd like to impress upon all of my readers, it's that application security is a lot more important than most of us realized -- worse, it's often overlooked. I was guilty of this myself. My operating system updates were up to date; but I had ancient versions of the Java VM installed on a couple of Windows machines (especially critical right now with the GIFAR vulnerability), old browsers, and many well out of date applications and utilities from Microsoft and a variety of other software makers -- some of which have glaring vulnerabilities. Using a product like the free Secunia PSI to help you scan and keep track of application vulnerabilities is an important step.
Secunia PSI RC-3:
https://psi.secunia.com/
To give you a sense of some of the things I've completely changed my mind about since coming through this security experience:
- IE7, a browser I wrote was "soulless," is now installed on every Windows machine and Windows VM I own or manage. I have uninstalled Safari from all Windows installations. Firefox has been updated to the latest 3.0x increment on all Windows machines, and it's the browser I have urged my "users" (my mother, wife, children, and friends) to use. In my son's and mother's cases, it's a bit more than a recommendation. Cyndy, of course, has been using Firefox almost from the beginning.
- I have accepted all forms of Microsoft's WGA on every Windows XP installation I own or manage. (Vista users have no choice in this, it's required.) This is necessary in order to have full and convenient access to all Microsoft downloads, including application updates. I'm on record as being against WGA. I'm still against it in principle. However, I strongly urge all Scot's Newsletter readers to allow WGA Validation to be installed (absolutely requisite to fully accessing Microsoft downloads) via Windows Update or Microsoft Update. My decision to accept WGA Notifications on all machines is a little more controversial. The only real purpose of WGA Notifications is to create a "nag" experience on your XP machines if one of your machines is deemed to be "pirated," something that WPA (Windows Product Activation) and WGA Validation determine. WGA Notification doesn't have a serious downside, folks. The one situation that concerns me is the fact that WGA Validation has been known to make mistakes. Occurrences are rare, but the product isn't perfect. My personal experience has been that it's a non-issue. But I have heard from experienced users who have had problems with WGA.
This may sound extreme, but this is my feeling: If you're someone who is fighting Windows XP's anti-piracy scheme (WPA, WGA Validation, and WGA Notification), you should ask yourself whether it isn't time to consider switching to the Mac or Linux. Microsoft has made a decision to go after dead-beat Windows users, even if it comes at the expense of honest, paying customers. If you're incensed by that move, rid yourself of Windows and embrace another platform. It's not worth the angst and frustration. The Mac is the easiest move, especially for people who either prefer a deeply integrated GUI or who want to spend less time futzing with their OS and application environment. If you love the command line (and maybe miss DOS or Windows 3.x?), you're almost certainly going to love Linux once you get to know it. Linux is much, much better than DOS or Win 3.x, and there are applications that are worthy alternatives. Both the Mac and Linux make keeping Windows around in a virtual machine or separate partition a very easy proposition.
- I have upgraded Windows Update to Microsoft Update on every machine I own so that Microsoft Office and other apps will be security patched automatically. I also routinely check Microsoft Update manually.
- I have moved my kids to a Mac. Cyndy has also agreed to move to a Mac at home. (This doesn't instantly convey security perfection, mind you, but it's not a bad step. Moving to Linux would be at least as good too.)
-- Putting a Fine Point on It --
Since I instituted these and other security changes, both at home and on the Web sites, I've seen no sign of trouble. That's why I'm sending out the newsletter. It is, perhaps, the last step in Scot's Newsletter's return to normality. Of course, there's no guarantee. And that's perhaps the most important takeaway: There's no silver bullet and you can never let down your guard.
3. Note About Blog Performance
-------------------------------------------------------------------
There's good news and bad news about performance of the blog site in handling the multiple simultaneous connections that occur whenever I send the newsletter. The good news:
1. My new webhost promises better PHP and MySQL performance than we've had in the past. My experience with this new host has been so incredibly positive so far that I've come to believe this could be true. However, I don't think that means that everyone will see perfection in the few hours right after a newsletter mails. There are 42K Scot's Newsletter subscribers. No way can any shared webhost serve even 20% of that many people simultaneously when they're all attempting to access the same blog page. Multiple people attempting to post comments is also a choke point.
2. I have found a new caching plug-in for WordPress that works much better than the one I was using before.
3. My new webhost has a security process that adds a layer of protection to application folders that expect 777 folder permissions for cache folders and image uploads. My folders have a stronger security setting, and yet they continue to work as the applications expect.
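Added here as an example (not the newsletter's or the new webhost's own tooling): a small POSIX shell audit that finds the 777 cache and upload folders described above and tightens them to group-writable settings that still let the web server write. The web-server group name is an assumption; change it to match your host.

```shell
#!/bin/sh
# Added example, not code from the newsletter or its webhost.
# Audit a web root for the world-writable (0777 directory / 0666 file)
# permissions that some WordPress cache and upload plug-ins ask for, then
# tighten them so only the owner and the web-server group can write.
# Assumption: the web server runs under the group named in WEB_GROUP
# (constructed default "www-data"); adjust it for your host.

WEB_GROUP="${WEB_GROUP:-www-data}"

# List every file or directory under $1 whose "other" bits include write
# (-perm -002). Symlinks are skipped so targets, not links, are reported.
find_world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Replace 0777/0666 with 0775/0664 and hand group ownership to the web
# server group, so caches and uploads keep working without granting write
# access to every other account on a shared host.
harden_tree() {
    root="$1"
    find "$root" -type d -perm -002 -exec chmod 0775 {} +
    find "$root" -type f -perm -002 -exec chmod 0664 {} +
    # The group may not exist on the machine running the audit; don't abort.
    chgrp -R "$WEB_GROUP" "$root" 2>/dev/null || true
}

# Stand-alone usage: audit the path given as $1; add --fix to apply changes.
if [ -n "$1" ]; then
    echo "World-writable entries under $1:"
    find_world_writable "$1"
    if [ "$2" = "--fix" ]; then
        harden_tree "$1"
        echo "After hardening: $(count_world_writable "$1") world-writable entries remain"
    fi
fi
```

After applying the fix, confirm from the WordPress side that uploads and page caching still work; if the application cannot write, the web server is probably not running under the group you assumed.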
Now for the bad news:
1. I don't currently have the new caching plug-in installed because the old one was one of the points of entry for the bad guys at my old webhost. For the first couple of newsletter issues I'm leaving the caching tool turned off.
2. I need to understand the baseline condition at the new host when multiple newsletter readers are hitting the blog site simultaneously. But notice that I'm mailing this first issue on a holiday weekend in the U.S. That should spread out the impact on the server.
So, fair warning, OK? If you can't get into the blog site, please bear with me and try again an hour or so later. Most blogs don't have to put up with this kind of peak demand, because very few have newsletters. If your experience is either very good or very bad, please let me know about it. And please note the date and time that you visited the blog site.
mailto:scot@scotsnewsletter.com?subject=Blog_Perf_8-2008
Scot's Newsletter Blog:
http://blog.scotsnewsletter.com/
Subscribe, Unsubscribe, Change Email Address
-------------------------------------------------------------------
You can unsubscribe at any time; I don't believe in captive audiences.
Use the website subscription center to manage your Scot's Newsletter
subscription. Changes take only a minute or two:
http://blog.scotsnewsletter.com/subscribe/
Tell a Friend
-------------------------------------------------------------------
If you like Scot's Newsletter Blog, share it with friends and co-workers,
and encourage them to sign up! It's free.
http://blog.scotsnewsletter.com/recommend.htm
Scot's Newsletter Blog Resources
-------------------------------------------------------------------
Sites:
- Blog: http://blog.scotsnewsletter.com/
- Forums: http://forums.scotsnewsletter.com/
- Linux Clues: http://www.linuxclues.com/
Best Of:
- Reviews: http://www.scotsnewsletter.com/reviews.htm
- Best Of: http://www.scotsnewsletter.com/best_of/
- Mac A-List: http://www.scotsnewsletter.com/best_of/mac_a-list.htm
Archives:
- Blog Archive, 2008: http://blog.scotsnewsletter.com/2008/
- Blog Archive, 2007: http://blog.scotsnewsletter.com/2007/
- Older Newsletter Archives: http://www.scotsnewsletter.com/backissu.htm
Site Tools and Info:
- Email Subscriptions: http://blog.scotsnewsletter.com/subscribe/
- Tell a Friend: http://blog.scotsnewsletter.com/recommend.htm
Contributions -- I Could Use Your Help!
-------------------------------------------------------------------
To help with the cost of creating and distributing the newsletter, I
accept contributions via PayPal and by check via conventional letter
mail. For more information on donations:
Use this link if you want to sign up for PayPal:
https://www.paypal.com/refer/pal=R5SJ7BMUN3JK8
Option #2: Donate via Letter Mail:
http://www.scotsnewsletter.com/donate.txt
Contact
-------------------------------------------------------------------
Send comments, suggestions, or questions about Scot's Newsletter Blog
directly to me. Don't be bashful about telling me what you like or
don't like! Click this link to send an email:
mailto:scot@scotsnewsletter.com?subject=Comments_Aug-2008
Or paste this into the "To" field: scot@scotsnewsletter.com
Please note: Scot's Newsletter no longer accepts newsletter advertising.
-------------------------------------------------------------------
Copyright (c) 2001-2008 Scot Finnie. All Rights Reserved.
http://blog.scotsnewsletter.com/