August 17, 2009

Things to consider before you choose a password

By Jin Nan Goto

The difficulty with choosing a strong, secure password is remembering that password in the future. Many people overcome the difficulty and inconvenience of remembering by choosing short and easy passwords. It’s not all that surprising that the most commonly used passwords are ‘123456’ and ‘password’. Other bad passwords include simple patterns (‘qwerty’), names (‘michael’), common words (‘monkey’) and sports team names (‘redskins’). Before choosing a password you may want to check the list linked below to make sure your password is not one of the “500 worst passwords”. Note: some people think they are very clever when picking crude and inappropriate words as their bad passwords, so don’t follow the link if you are offended by that kind of language.

http://www.whatsmypass.com/category/password-info

The second thing people do to overcome the inconvenience of remembering long passwords is to reuse the same password on multiple sites. If your password is compromised on one site, then it is compromised on every other site where that password is used. One of the key vulnerabilities in the recent Twitter hack was actually not a “hack” but a Twitter employee who reused their password.

The Solution:

“It’s ok to write down your passwords”. While you can simply keep a text file with all your passwords on your computer, there is also software that can remember those super-strong passwords for you. The options range from the open source KeePass (http://keepass.info/) to commercial solutions such as RoboForm (http://www.roboform.com/), and every modern browser will offer to remember passwords.
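The two habits this post warns about, worst-list passwords and reuse across sites, can both be checked mechanically. The following is an added example, not code from the original post: the blocklist holds only the six passwords named above, and the site names, sample entries and variant rules (case, trailing digits, simple character swaps, which go beyond the exact-match check the post suggests) are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample blocklist: only the passwords named in the post.
# In practice, load the complete worst-password list from a file.
WORST = {"123456", "password", "qwerty", "michael", "monkey", "redskins"}

# Character swaps that do not make a weak password strong (assumed rule set).
LEET = str.maketrans("@431!0$57", "aaeiiosst")
TRAILING = "0123456789!?.*#"

def variants(pw):
    """Return the forms of pw that should be compared against the blocklist."""
    low = pw.lower()
    stripped = low.rstrip(TRAILING)          # "monkey123" -> "monkey"
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}

def audit(entries):
    """entries: iterable of (site, password) pairs.

    Returns (weak_sites, reused_groups). Only site names are reported, and
    reuse is grouped by SHA-256 digest so no password appears in the result.
    """
    weak = []
    by_digest = defaultdict(list)
    for site, pw in entries:
        if variants(pw) & WORST:
            weak.append(site)
        digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        by_digest[digest].append(site)
    reused = sorted(sorted(s) for s in by_digest.values() if len(s) > 1)
    return sorted(weak), reused

# Constructed sample data (hypothetical sites and passwords).
SAMPLE = [
    ("mail.example", "P@ssw0rd1"),
    ("bank.example", "v9#Lq2!xTz7mRw"),
    ("forum.example", "Monkey123"),
    ("shop.example", "v9#Lq2!xTz7mRw"),
    ("wiki.example", "t4Kp-zeb-uq81-Nd"),
]

if __name__ == "__main__":
    weak_sites, reused_groups = audit(SAMPLE)
    print("Blocklisted (or trivially mutated):", weak_sites)
    print("Same password on several sites:", reused_groups)
```

A strong password still shows up in the reuse report: one breach at any site in the group exposes the others.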

Filed under: Misc., Tips

November 18, 2008

Microsoft to Pull Plug on Windows Live OneCare in 2009, Will Offer Free Version

By Jin Nan Goto

Microsoft announced today that it will discontinue the sale of its Windows Live OneCare suite on June 30, 2009. Live OneCare is a commercial all-in-one anti-malware/security/backup/network management/kitchen sink application, and it will be replaced by a free downloadable anti-virus application code-named “Morro”.

Code-named “Morro,” this streamlined solution will be available in the second half of 2009 and will provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs. As part of Microsoft’s move to focus on this simplified offering, the company also announced today that it will discontinue retail sales of its Windows Live OneCare subscription service effective June 30, 2009.

Morro essentially branches off the anti-virus and anti-spyware portions of OneCare into a separate but free product. From the press release it’s not clear what relationship Morro will have with Microsoft’s other anti-malware program, Windows Defender. Will they ship as two separate applications or will they be combined? OneCare also had features other than anti-malware, and it’s not clear how those features will be replaced. While Microsoft hasn’t said so publicly, there is another Microsoft product that is also expected in the second half of 2009. That product is Windows 7. Coincidence?

This move seems to fit with Microsoft’s plans to move a lot of bundled applications off Windows 7 and into the Windows Live Suite. Bloggers have for years pointed to Windows Movie Maker as evidence of how bloated Windows had become. In Windows 7, Movie Maker will no longer be bundled with Windows and will be offered as a free downloadable program. Offering Morro as a free download rather than bundling it with Windows also has the advantage of making it much less likely that Microsoft will face the same kind of legal issues from the US Justice Department and the EU that it faced with its bundling of Internet Explorer and Windows Media Player.

Links:

Microsoft Press Release
http://www.microsoft.com/Presspass/press/2008/nov08/11-18NoCostSecurityPR.mspx

OneCare Blog Entry
http://windowsonecare.spaces.live.com/blog/cns!C29701F38A601141!10418.entry

October 8, 2008

New and Improved UAC is coming to Windows 7

By Jin Nan Goto

I wasn’t planning on writing another post about the Engineering Windows 7 blog since I already mentioned it last week. But this latest post from the E7 blog is about User Account Control and I couldn’t resist.  Bottom line is UAC is coming to Windows 7.  This is probably disappointing news for many who considered UAC to be too obtrusive and obnoxious (although I don’t think anyone thought UAC wasn’t coming back).  Still, the Windows 7 people are working to improve it and lower its annoyingness.

Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.

Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:

  • Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified.
  • Enable our customers to be more confident that they are in control of their systems.
  • Make prompts informative such that people can make more confident choices.
  • Provide better and more obvious control over the mechanism.

Excerpt from Engineering Windows 7 Blog

Designed out of a desire to make Vista the “most secure version of Windows ever”, UAC has done a lot to change a very destructive aspect of Windows, which is that everyone ran Windows as an Administrator. UAC has not only helped by warning users when installing software (or malware), it has also helped developers create better software that is more conducive to running as a limited user, which improves security. Malware is generally not able to install itself without permission when running as a limited user.

The older versions of Windows (Win95, Win98, WinMe) were all single-user operating systems, in which the user had full control over modifying the system. The newer versions of Windows (Windows 2000 and later) were multiuser capable, which allowed for limited user accounts as well as administrator accounts. The data from Microsoft’s Windows Feedback Program showed that around 75% of computers have only one user account, which defaults to the Administrator account. In the past many software developers assumed that they would have full access to modify the system. The E7 blog admits that even some developers at Microsoft made those assumptions as well. This made running Windows XP as a limited user incredibly difficult.

With Vista and UAC, developers had to take a hard look at the programs that required Administrator rights and whether they could (or should) change them to not require elevation.  If they did require elevated privileges the secure desktop popped up and the user had to explicitly allow it.

We also found that there were many cases in previous versions of Windows where we had lumped things together when instead only part of the task really should have required the user to be an administrator.  For example, in Windows XP you had to be an administrator in order to change the time or the time zone of the system. The reason that time functions are usually restricted is that you can do some pretty sneaky things if you can change the system time — like trick system logs or backdate emails.  But as it turns out, changing the time zone of the machine so that a business traveler based on the West Coast goes to their meetings at the right time when they are visiting New York really doesn’t need to be protected — so in Windows Vista, we split that out and now allow a standard user to change the time zone.

Excerpt from Windows Vista Blog

Vista has been incredibly effective in reducing the number of programs that require full administrator privileges, and this is only improving as time passes.

However, the implementation of UAC in Vista is far from perfect. While you want to warn users against doing things that are dangerous (installing untrusted software or messing with the registry or Device Manager), the frequency of prompts runs the risk of the user ignoring them and always approving. The darkened screen of the secure desktop is somewhat alarming and unfriendly to users. Also, in Vista even an administrator is not “really” an administrator. They run as a standard user unless they need to approve an action. This upsets experienced users who know what they are doing and want full control over their computer. Still, an improved version of UAC is a really important addition to the future Windows 7.

External Links:

Engineering Windows 7 Blog
http://blogs.msdn.com/e7/archive/2008/10/08/user-account-control.aspx

Windows Vista Blog
http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

September 27, 2008

3 Reasons why your next computer should run Vista

By Jin Nan Goto

On June 30, 2008 Microsoft ended retail sales of the venerable Windows XP. There are still loopholes through which people are able to get computers with XP. Downgrades, for instance. The question is, when you buy a new computer, which operating system should it run: XP or Vista? The truth is that they both can do many of the same things equally well and there is no pressing reason to upgrade existing machines. Still, when the time comes to buy a new computer, here are 3 reasons why Vista is a better buy.

Reason 1. Vista is more secure than XP

UAC (User Account Control) is a misunderstood aspect of Vista. The user is generally the weakest link in a computer’s security. UAC limits what the user can do to modify the system and will prompt them for a password if a change to the system needs to be made. Microsoft’s competitors Apple OS X both have similar features. An argument can be made that Vista’s implementation is too strict. While the pop-ups of UAC are annoying, they protect users from themselves, and Vista is more secure because of it.

There are other smaller security features in Vista that are worth mentioning. For users of Vista Business and Ultimate, there is BitLocker drive encryption to protect your data. There is also better protection of memory such as ASLR (Address Space Layout Randomization), which randomizes where Windows system files are loaded in memory to make buffer overflows harder to exploit.

Reason 2. Better Hardware Support

When Vista was released it was plagued by incompatibilities, both hardware and software. For some of the incompatible software and hardware, the vendors have not yet released fixes (and likely never will). This is especially true for older hardware and software. However, many of the problems with incompatibility have been fixed and all recent hardware supports Vista. Generally, most hardware and software should work with Vista and will continue to support Vista in the future. A year and a half after Vista’s release, compatibility is where it should be. Here is a Microsoft website with compatibility information about Vista.

http://www.microsoft.com/windows/compatibility/

There is an exception: if you have a mission-critical device or piece of software that you know is not compatible with Vista, then of course XP is the way to go. If the VPN client that you rely on to communicate with your office does not run on Vista, then you need to stay with XP.

Reason 3. Vista is more convenient

I have had Vista since it was released and I have never had to run the disk defragmenter.  Vista automatically schedules the defragmenter to run every week.  That is just plain convenient  because I won’t have to deal with a sluggish computer if I forget to defrag.

Networking in Vista is also significantly improved.  It is much easier and simpler to set up tasks like printer sharing in Vista than it was in XP.

Then there is Vista’s instant search box which is built into the start menu.  Just type the first few letters of the file or program and it finds it for you.  Every time I use a computer running XP I always miss the feature a lot.

Filed under: Opinion

July 20, 2008

Disabling Startup Programs In Windows Vista Using Windows Defender

I recently installed Adobe Photoshop Elements onto my computer to assist with things like graphics and screenshots for my site. However, along with Photoshop, Adobe also downloaded a little program called Adobe Photo Downloader. It’s a relatively harmless bit of software meant to assist with downloading photos from a digital camera. Still, it’s something I don’t use, and I don’t want programs I don’t use to be running in the background and taking up resources.

I’m going to show how to disable startup programs using Windows Defender. Previously, with Windows XP, you would do this by running a Windows utility called msconfig.exe (msconfig is still present in Vista and you can run it by typing “msconfig” in the search bar built into your start menu).

Step 1. Open up Windows Defender

You can find Windows Defender by opening the control panel and clicking on “Security”. Windows Defender is one of the options in the next screen. Or you could simply type in “Defender” or “Windows Defender” in Vista’s start menu search.

Step 2. Open up Software Explorer

Windows Defender’s main purpose is to be an antispyware program, so this screen is mostly related to that. Click on “Tools”.

Select “Software Explorer”.  From here you will be able to manage the startup programs.

Step 3. Show for all users

If you are running as a limited user you will not be able to make any changes to the startup programs. So in order to disable startup programs you will need to push the “Show for all users” button. This will trigger a UAC prompt. This will also apply the setting to all other accounts. Often you will need to push the button as an administrator (because, as we all know, running as an admin on Vista is not really running as an admin).

Step 4. Disable Programs

Go down the list and disable all the programs you don’t want to run at startup.  Be sure that “Startup Programs” is the selected category.

Filed under: How-to