Circuit Writer
Jim Scheef
June 19
Version 6.11 - July, 2009

Firefox and Windows .NET Framework 3.5

A very alert new DACS member tipped me off to a story about how Microsoft, using Windows Update, had installed a Firefox extension without telling anyone. And to add intrigue, the add-on cannot be removed! My initial reaction was that this rumor might not be true and could he point me to the source of this dastardly rumor. So where was his source? Was it Slashdot? What about Geek.com? Maybe eWeek Rumor Central with Spencer F. Katt? No! It turned out that his source was an article in that bastion of technological news and rumor, The Washington Post! As he was describing this little piece of software, I opened the Add-ons dialog in Firefox on my laptop to see if this “trojan” actually existed on my computer, and there it was, grayed-out Uninstall button and all! Naturally this applies only to Windows XP, Vista and Server 2003 and 2008. Don’t bother looking if you run Firefox on Linux or a Mac.

The Washington Post article turns out to be a blog by Brian Krebs called Security Fix; the May 29th post is entitled “Microsoft Update Quietly Installs Firefox Extension”. In it, Krebs just as quietly describes the “component” called the Microsoft .NET Framework Assistant 1.0. The controversy comes from the fact that Microsoft slipped this into a non-Microsoft product as part of a “critical update” with no fanfare and, using typical Microsoft logic, set it up so that the Uninstall button is inactive.

So what, exactly, is this mysterious bit of code? For that we turn to the Microsoft Knowledge Base and article KB963707, which describes an update to the original component. The add-on makes Firefox compatible with websites that use the .NET Framework 3.5 and the “ClickOnce” feature in that version of the Framework. If the add-on is not found in your Firefox, it is because you have not installed Service Pack 1 for version 3.5 of the .NET Framework, which is what delivered it. “ClickOnce” is the .NET deployment feature that lets a link on a web page download and launch an application on your computer. It is not an Internet Explorer bug as such, but it is exactly the kind of web-page-to-desktop hand-off that has made IE such a popular target, and the Assistant extends that capability, and that exposure, to Firefox.

If you do find the add-on on your computer and your reaction is “how dare they!” let me assure you that you invited Microsoft to install the component when you installed the .NET 3.5 Framework. In the end user license agreements for the Framework, Windows Update, and the truly diabolical Windows Genuine Advantage, you authorized Microsoft, in its infinite wisdom, to install updates without your permission. Since all versions of the .NET Framework are optional, Microsoft’s case is pretty strong. Yes, the descriptions for an individual patch in Windows Update are very brief, but even the most critical updates point to a Knowledge Base article that has more information. I even looked in the SP1 readme and still found no mention of Firefox. If your blood is still near the boiling point, look at Brad Abrams’ MSDN blog for an explanation, such as it is, for why the Uninstall button is grayed out.

Since many of us originally adopted Firefox as a way to avoid Microsoft-related vulnerabilities, how do we remove this affront to our sensibilities? The Washington Post blog references an article on the Annoyances.org website with instructions on how to remove the add-on by modifying the registry. If you would rather not go mucking in the registry, you will be surprised and pleased to learn that Microsoft has issued a fix for the fix that caused all this controversy. That’s what the Knowledge Base article mentioned above is all about. Read the KB article, as the add-on must be enabled when this new patch is installed. There are versions for both 32- and 64-bit Windows, so download the appropriate “bitness” and run the install. You will note there is never a mention of Firefox even though that is the purpose of the fix. When you restart Firefox, the Uninstall button will be enabled. For now, the mere fact that I can, if I want, click that Uninstall button is enough for me. I have the add-on enabled and have checked the option to ‘Prompt before running ClickOnce applications’. This way I’ll know if I ever encounter such an application even if it means that I must click twice. Whew! Potential disaster averted! Plus my add-on is now version 1.1, so how cool is that?
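If you want to see what Windows Update, or any other installer, has registered with Firefox behind your back, the PowerShell check below is an added example for this column; it is not part of the original text and not Microsoft’s or Mozilla’s code. Firefox reads machine-wide add-on registrations from the Mozilla\Firefox\Extensions keys in the registry, where each value name is an add-on ID and its data is the folder holding the add-on. That is also why the Uninstall button is grayed out: the add-on lives outside your profile, so Firefox has nothing it is willing to delete. Matching the folder path against “Microsoft.NET” to single out the Framework Assistant is an assumption about where the installer puts it, and the function names are invented for this example.

```powershell
# Added example for this column; not Microsoft's or Mozilla's code.
# Firefox loads "side-loaded" add-ons registered under these keys. Each value's
# NAME is the add-on ID and its DATA is the folder containing the add-on, so an
# installer (Windows Update in this case) can register an extension without ever
# touching your Firefox profile. That is also why the Uninstall button is grayed
# out: the files live outside the profile, where Firefox will not delete them.
$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',  # 32-bit Firefox on 64-bit Windows
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-SideLoadedFirefoxExtension {
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($id in $regKey.GetValueNames()) {
            $path = [string]$regKey.GetValue($id)
            [pscustomobject]@{
                Key        = $key
                Id         = $id
                Path       = $path
                PathExists = ($path -ne '' -and (Test-Path -LiteralPath $path))
                # Assumption: the Framework installer puts the Assistant under the
                # .NET Framework directory. Anything that does not match is some
                # other vendor's side-loaded add-on and deserves a look of its own.
                IsDotNetAssistant = ($path -match 'Microsoft\.NET')
            }
        }
    }
}

# Report everything registered outside the profile, and who put it there.
Get-SideLoadedFirefoxExtension | Format-Table -AutoSize

# The registry half of the Annoyances.org removal: deleting the value de-registers
# the add-on from Firefox. The files stay where Windows Update put them, and a later
# Framework update may register them again. -WhatIf only shows what would be removed;
# drop it (from an elevated prompt for the HKLM keys) once you are sure of the target.
function Remove-SideLoadedFirefoxExtension {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Id
    )
    Remove-ItemProperty -LiteralPath $Key -Name $Id -WhatIf
}

Get-SideLoadedFirefoxExtension |
    Where-Object IsDotNetAssistant |
    ForEach-Object { Remove-SideLoadedFirefoxExtension -Key $_.Key -Id $_.Id }
```

Anything the first command lists that you did not install yourself is worth a second look, whoever the vendor is. Because deleting the registry value only hides the add-on from Firefox and does nothing about the files, applying the KB963707 update, which makes the Uninstall button work, is the tidier route if all you want is the Assistant gone.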
Did They Lie to Us? Are they still?

Since I am so late in completing my column for this month, I’ll jump on an article on page 1 of today’s New York Times about “E-Mail Surveillance Renews Concerns in Congress”. This, plus an article from Wired Magazine, “FBI Use of Patriot Act Authority Increased Dramatically in 2008”, should be enough to remind us that a slow economy will not slow down the FBI or the NSA as they stomp on our civil liberties. The article on email surveillance is about NSA programs that apparently are still secret while the Wired article is about the FBI’s increasing use of “national security letters” that bypass the FISA court. When you see this, it is not surprising that the FBI’s use of FISA warrants was down last year. Please read these articles and then remind your Congresspeople that you want the truth about domestic surveillance. Before moving on I’ll point out a related, but more political, story about Judge Sotomayor and her possible leanings on this issue.

Another note on page 1 of today’s NYT touches on another aspect of government control of the Internet. Iran places more limits on what its citizens can find on the Internet than any other country – even more than China. Of course there’s North Korea where no one has a telephone, let alone a computer, so Internet control is less of an issue. Over the last few days, the U.S. State Department asked Twitter to delay scheduled maintenance of their world network. The downtime would have come at a critical time following the Iranian elections, and text messaging is a major means of political communication in Iran. The State Department request shows the level of tech savvy in the current administration and how something as modern as social networking can affect a country so deeply mired in the ancient and so resistant to change.

China Wants All PCs to Have an Internet Filter

Now we’re talking real control here. China announced last week that it would require all PCs sold in that country after July 1st to have a program similar to the filters used in some schools and public libraries. The official line is that the filter is to stop “unhealthy and vulgar” content such as pornography. Called Green Dam Youth Escort, the software could allow the government to record and log every Internet search and every website visited and, because it is installed on the local machine, it could report if the user tried to bypass government Internet limitations by using a proxy site. Such proxies have been used by people all over the world to achieve anonymity on the Internet – for good and bad. (See the Wikipedia article en.wikipedia.org/wiki/Proxy_server for more information.) Criticism of China’s edict both in and out of the country may have had some effect as there are now reports that China has said that use of the software would be optional and need not be preinstalled. We’ll see…

Less Doom and Gloom

If this column has you in new depths of depression, we will end this month with Microsoft Bing. Will Bing be the Microsoft Bob of search engines? Bing is billed as a “decision engine.” What does that mean? How is Bing different from the old Microsoft search engine, Live Search? All I can see so far is that Bing is very economical with colors. When using Bing in Firefox, the initial screen is multi-tone gray with small orange highlights. Microsoft must have spent thousands on focus groups to come up with that. Using IE6 the initial screen shows a picture with little hot spots that display hints about the picture when you roll the mouse over. I don’t have the energy at the moment to try Bing in Google Chrome. If you try it, let me know what you get. So far, a few sample searches seem to return the same results as Yahoo. Bing has a Wikipedia page, although I cannot fathom how it passes the relevance test.

May 30
Version 6.10 - June, 2009
The Healthcare System

As the news about coming changes to our nation’s healthcare system reaches a crescendo, I’ve been way too busy to listen. Even without listening I do know that the Obama administration plans to use information technology to bring needed savings. This means that providers will be installing electronic patient records systems. Would you be interested in learning about such systems? I don’t mean the big systems used at hospitals like what Ed Heere presented a couple of years ago, but rather the systems used by your personal physician and similar providers to store your test results and medical history. These are the systems that will save (or not) the billions of dollars needed to save the healthcare system and hence, our economy. Let me know at jscheef@dacs.org. If there is sufficient interest, I’ll find vendors and doctors to do a general meeting presentation.

Are you Confickered?

The Conficker worm may be the most successful malware released to date, or the biggest failure. So far it’s hard to tell as the April 1st doomsday has come and gone seemingly without consequence. Of course, that does not mean that it’s all over. The worm still infects millions of computers. Is your machine among them? The simplest test I have found is an “eye chart” prepared by a clever programmer at www.joestewart.org/cfeyechart.html. Take a look. If you don’t see what you are supposed to see, then check this eWeek article for some free tools to remove the worm.

Ultimate Zero-Day Attack

In an attack that will be hard to top for a long time to come, some almost too clever attackers pirated and infected a copy of the Windows 7 release candidate with malware and started to build a botnet from the installs. This may be the first case of infecting a version of Windows before it is released, in effect creating their own set of built-in vulnerabilities. Presumably the carrot for people dumb enough to install the hacked version was that the pirates had removed the expiration date from the release candidate, or at least claimed they had, and then seeded the RC on BitTorrent sites. Researchers at Damballa (damballa.com), an enterprise security firm that specializes in protection from botnets, were able to shut down the command-and-control server. Damballa estimated that 27,000 copies were installed in just a couple of weeks. Beyond the piracy angle, this incident points out the dangers in testing pre-release versions of operating systems. To date there are no third-party antivirus or malware detectors that support Windows 7, and detection was made even more difficult by the fact that the trojan was “pre-installed”: it was part of the image from the first boot, so there was never an install event or a later change for anyone to notice.

The theme is DMCA

Does the Digital Millennium Copyright Act affect you in your daily life? Not at all? Well hold on there, keyboard breath! Maybe you should reconsider that position. Ever want to copy a movie DVD to your hard drive so you can watch it on your iPhone or other device? Is the DVD you bought yours or not? Read this PCWorld article (tinyurl.com/q3ro5j) about why you should care about the DVD copying case now in Federal district court. The legal concept of Fair Use, part of copyright law from the very beginning, has been effectively eliminated for any electronic media or device by the DMCA.

Copyright law has become so lopsided that even free speech is affected. Google, owner of YouTube, has filed a detailed submission about how many takedown notices are bogus. The filing is in New Zealand where a draconian version of the DMCA is under consideration, but the statistics are the point. “In its submission, Google notes that more than half (57%) of the takedown notices it has received under the US Digital Millennium Copyright Act 1998, were sent by business targeting competitors and over one third (37%) of notices were not valid copyright claims.” A copyright holder can stifle speech on a website merely by making an accusation of infringement. This example of unintended consequences is not what Congress had in mind.

Take another example: wiki operator Sam Odio, who runs the site BluWiki.com as a hobby from his company OdioWorks. When some BluWiki users started a discussion about interfacing iPods and iPhones to software other than that available from Apple’s iTunes, Apple threatened legal action under the DMCA. OdioWorks took down the discussions but now, with support from the Electronic Frontier Foundation (eff.org), has filed suit against Apple to regain free speech. Read about this on the EFF website.

And finally, lest you think this only affects liberals, consider that the McCain presidential campaign complained to YouTube last October just before the election when the video site took down McCain campaign ads as a result of DMCA complaints from various news organizations. From the blog on the New York Times website: “The commercials incorporated snippets of television news broadcasts. Using provisions of the Digital Millennium Copyright Act, the news organizations demanded that the commercials be removed from YouTube because they violated the organizations’ copyrights.” Senator McCain voted for the DMCA, and opposes legislation to enforce network neutrality. The irony of it all! Oh, the irony!

Here are some additional articles related to the DMCA that I have not had time to write about:
Version 6.9 - May, 2009

This is another month where there is just too much stuff to write about and not nearly enough time to do it justice.

The Economy, Immigration and H-1B Visas

As you may recall, H-1B visas are awarded from a pool of applicants who apply through the U.S. Bureau of Citizenship and Immigration Services website. Last year when the lottery system was started, the entire allotment of 65,000 visas for applicants with undergraduate degrees was filled the first day. eWeek reports (tinyurl.com/cqvu4m) that this year only half of that allotment had been requested more than a week after the process opened on April 1st. Demand for the 20,000 slots for people with advanced degrees is faster, with almost all of those filled by the date of the article. The drop in demand is attributed to the economy. [Gosh, ya think?] Regardless of the numbers, do such guest workers depress salaries for engineering and computer science graduates in the U.S.? I suspect this debate will abate for the next year while the economy and the job market remain depressed. My question is why are we allowing any H-1B visas at all while we are in this recession? The New York Times published a series about immigration and one of the articles (tinyurl.com/d9fekm) offers positions on H-1Bs from six people including several academics. As you would expect, the opinions range to both extremes. Where everyone agrees is that the program is broken and must be revised. One of the essays is entitled “Training Your Own Replacement” and could be taken from the experiences of several DACS members. I urge you to read the article and another at eWeek Careers (tinyurl.com/dhau3k). The current H-1B program is bad for U.S. workers and actually even worse for the foreign-born guest workers who want to become permanent U.S. residents. Who wins? Well, the employers, of course; in many ways the program amounts to indentured servitude against which U.S. workers cannot compete.

Healthcare and Medical Records Systems

If there is one initiative of the Obama Administration that started during the campaign that has always made sense to me, it is the “reform of the healthcare industry”. However those five words are so all-encompassing that few can even agree on what they mean. Besides, that topic is way beyond the scope of this column even when I stretch things a bit. What does fit is medical records systems. President Obama’s budget and proposed programs count on large savings from new and expanded information technology in the healthcare industry. The first article to read is “Dossia Versus the Healthcare Monster” from CIO Insight Magazine. Dossia is a non-profit consortium organized by a group of large companies that intends to provide electronic records to the employees of the member companies. Whether you think having your health records in “the cloud” is a good idea or not, the system is already available to some Walmart employees. Other companies will follow if the pilot is successful. Personally I think the concept of having access to my medical records on the Web is a great idea. If the Dossia article leaves you thirsting for more, take a look at “Interoperability Comes to Healthcare” (tinyurl.com/cwss9g) and “Sun Software Key to Electronic Medical Records Network”, both from eWeek. The Dossia system sounds like competition for the Microsoft HealthVault. Launched in October, 2007, to some fanfare, I signed up for HealthVault as soon as I learned about it. Unfortunately I still have nothing in my “vault” – maybe someday… To learn about Microsoft HealthVault, I suggest that you use your favorite search engine and follow what looks interesting from there. There is a lot of information that explains the concept but nothing about the actual implementation.

Windows Desktop Search and Office 2007

Last, a short note about my personal computing. I finally upgraded to Office 2007. First I tried Outlook 2007 on another machine and it is great. I like the integration with OneNote 2007 so I decided to install them on my main computer. During the install I misunderstood the installation program and also installed the rest of Office Enterprise by mistake. Don’t laugh, it isn’t funny. Well, I’m starting to get used to the user interface in Word and Excel although the consumption of screen real estate is egregious and unnecessary. That ribbon menu makes Office 2007 impossible to use on a machine with restricted screen space like a netbook. Once I started using Outlook 2007 regularly, it kept telling me to install Windows Search 4.0. I have resisted any global search products out of fear of reduced performance, but I left my machine running overnight so the indexing process could complete at full speed. Now I wonder why I waited so long! It is amazing how quickly I can find things – like that column with the reference to HealthVault. I would have clicked and poked for some time to find that article, but Desktop Search found it as quickly as I could type (which is less than lightning, but way faster than poking). This new search (well, new to me) may be the best part of my Office experience.

March 19
Version 6.8 - April, 2009

Let’s skip right past the economy and look at something lurking in the shadows, ready to pounce at the worst possible moment.

Cyber War

Publishing deadlines often create strange interactions. A few months back a new (to me, at least) magazine began to appear in my mailbox. SC Magazine is oriented to computer security professionals but has articles of (relatively speaking) general interest as well as reviews of enterprise-level security products. One of their regular features is a summary of current threats and cyber criminal activity around the world. Today I noticed an item in the March issue saying that computers in Russia are believed to be the source of DDoS (distributed denial of service) attacks against what amounts to the entire country of Kyrgyzstan. Now why is this interesting? Because at about the same time that SC Magazine was writing that item, the New York Times was writing about how the Kyrgyzstan government would not renew the lease on “our” Air Force base located near their capital. Ordinarily no one would care, but this happens to be the main air base used to supply the war in Afghanistan. So, conspiracy theorists, rather than summarize the geopolitical implications, I jump right to the question: were these DDoS attacks set up by the Russian government to pressure Kyrgyzstan?

For some input, please read Rob Enderle’s blog on Dark Reading. Did a vindictive Vladimir Putin order the DDoS attacks? It’s hard for me to imagine a gang of bot herders attacking a central Asian country on their own. What would they gain? To keep you thinking on this, here’s a report from 2007 about China “probing” the Department of Defense. If cyber warfare is a real possibility, are we prepared?

Where is the cloud today?

Now that we’re all confident about the security of the Internet as part of our national infrastructure, let’s go back to the cloud for a final episode. In his article “In The Clouds -- Part 3”, John Patrick applies his Internet criteria to the cloud as it is available to real people today. After all, how a large corporation uses the cloud is nice, but how you and I can use it is what really matters. I will not try to summarize John’s article, but my hangup on adopting the cloud has always been the difficulty of integrating the pieces. This is becoming easier as many cloud services, like Zoho Apps and Google Docs, offer space for storing files. After all, what good are your files on iDrive if you must download them to a strange computer before you can edit the document you need? So iDrive is for backups and other places are for work in progress. I urge you to read John’s article. In fairness, he wrote it last December (just after his DACS presentation) so some things have changed. Google Docs is now better than what he describes and, on the other hand, some cloud companies have succumbed to the economy. There will be no dotcom boom to fuel cloud computing for the masses. If this is the future of computing, it must provide us value that we can afford with security and privacy. I agree with John that it is worth a look if only for the convenience of access to your computing environment from anywhere.

March 14
Version 6.7 - March, 2009
This month we take a short break from the cloud, although these items may seem so obscure that they appear cloudy nonetheless.

Apple and the DMCA

Apple has claimed that “jailbreaking” an iPhone infringes on their copyright of the iPhone software and thus violates the Digital Millennium Copyright Act. Jailbreaking is the term used to describe the process of unlocking (ok, call it hacking) an iPhone so that applications can be installed from sources other than the App Store and it can be used on a cell phone service other than AT&T. According to a story on CNET the Electronic Frontier Foundation has asked that the U.S. Copyright Office grant an exemption to iPhone owners who have unlocked their iPhones. EFF argues that jailbreaking an iPhone is a “fair use”, and the Copyright Office should grant an exemption because "the culture of tinkering (or hacking, if you prefer) is an important part of our innovation economy." Apple counters that few users actually jailbreak it themselves. They do so by downloading software tools created by other parties to make the modification.

Now I do not own an iPhone and I would like to get comments about this from those who do. It’s interesting because of the open software aspect. The article implies that many users jailbreak their iPhone solely to free it from the Apple App Store (or I read this into it). This opens the device to applications that have not gone through Apple’s vetting and may not exactly play by Apple’s rules. In other words, they explore new ways of doing things and… innovate. Isn’t innovation a key part of “Truth, Justice and The American Way”? A great example is OpenClip, which works around the iPhone SDK (software development kit) agreement to implement copy and paste between iPhone apps – something that I would have assumed was baked in from the beginning. Access to the UNIX that underlies the iPhone user interface is another good reason to jailbreak your iPhone or iPod Touch. All you command line gurus out there, wouldn’t a terminal window be cool on an iPhone? The alternative iPhone app source I found first is appleiphoneapps.com. There is no Apple logo and at the bottom of each page the copyright notice includes: “Not affiliated with Apple Inc.”

From the release of the original iPhone, Apple has battled to prevent hackers from unlocking any aspect of the iPhone. Since the iPhone license agreement allows Apple to update the iPhone software without the user’s express permission (you gave it when activating the phone), Apple has updated the OS (operating system) to block each new jailbreaking tool. With the opening of the App Store where users could legally install applications, Apple eased off this cat and mouse game. Now I read in Tom Yager’s InfoWorld column from 8/8/08 (ok, I’m not up to the minute on iPhone issues) that the 2.0.1 firmware update for iPhone, iPhone 3G, and iPod touch disables any alternative to Apple's App Store. Read the entire article for a good insight into the issue and a link to InfoWorld’s special report on iPhone issues.

Remember the EFF from the start of this section? Many times (dacs.org/archive/0402/presidents_message.htm) I have urged you to visit EFF.org or even become an EFF member to support them in protecting your digital rights. No matter your position on the iPhone, there are many other issues that matter, so now is the time to support the EFF.

Dr. Dobb’s no longer a print publication

Dr. Dobb’s Journal, perhaps the longest running computer magazine on the planet, ceased publication this past month as a separate printed publication. The web- and email-based editions will continue. What first began as a Xeroxed newsletter entitled Dr. Dobb's Journal of Tiny BASIC Calisthenics & Orthodontia (subtitled Running Light without Overbyte) has morphed several times over the years to become the highly respected DDJ now published in the U.S. by CMP Technology, which also publishes InformationWeek. Bob Albrecht of People’s Computer Company fame started DDJ in 1976 following a flood of requests for a publication about microcomputer software. Early content was from volunteer contributors including Steve Wozniak, Gary Kildall and Jef Raskin. Read about this on Wikipedia and, of course, on the DDJ Portal.

When Robots Attack

There is a new book out called Wired For War: The Robotics Revolution And Conflict In The 21st Century by P. W. Singer. It is not about robots like in the movie “I, Robot” but about the use of robotics on the battlefield of today. I found this in a Mitch Wagner column in InformationWeek, 2/16/09, and it is a topic ripe for discussion. For instance, there are now 7000 drone air systems in use by our military – from mere dozens just a few years ago. Initially ground-based robots were used for surveillance and rescue; but they are rapidly becoming deadly and the same goes for the much larger aircraft drones. Now I’m all for not getting our soldiers or pilots killed, but the video recorded by these drones (when do we start calling them droids?) is appearing on YouTube as entertainment set to music and that cannot be good. The current systems are the Model T’s of battlefield robots; there is little or no autonomy. Naturally that will change, but how long before “strong” artificial intelligence (AI) becomes a reality and robots really do become droids? The debate about stem cell research is loud and clear. However there are other issues that need to see the light of day, and before an army of autonomous droids is created to fight an army of clones. Are we headed toward Commander Data or his brother Lore? Isaac Asimov, where are you when we need you?

Another for the “I Told You So” department

You have got to read this article on Dark Reading. Our personal privacy and security should not be treated as a trade-off, because giving up one will likely reduce the other rather than what is intended. Case in point is the RFID chip in the new U.S. passport cards, the wallet-size alternative to the passport book introduced for the Department of Homeland Security’s land and sea border-crossing program. Unlike the short-range chip in the passport book, the card carries a long-range tag with no encryption on it, and a researcher has demonstrated a drive-by attack that can clone “a half-dozen passports within an hour”. Chris Paget is scheduled to demonstrate the technique at the February Shmoocon hacker conference in Washington, D.C. Paget developed the technique using “affordable” equipment and can read the cards from twenty feet away in a moving car. Read the article.

Books on Computer History