Secure that public wi-fi with a low-tier, no-cost home VPN

If you spend any time at all using unencrypted wi-fi networks at hotels and coffee shops, you need a VPN. Public connections are fine for reading news headlines and checking sports scores, but cannot be considered safe for e-mail, online banking, making purchases, or anything that involves a username and a password. A VPN, which encrypts that traffic from prying eyes, is the only way to make them safe.

Here’s how to set up a VPN that’s good enough for personal use. All you need is a home Internet connection, a computer at home, and the laptop you take on the road.

Of course corporations can set up VPNs that are much faster and much more robust, but this is something you can set up in a couple of hours on a weekend afternoon without spending anything.

Removing the Windows XP Repair scareware

Windows XP Repair is a fake system optimization and repair tool. It takes over the computer almost completely, and it’s a pain to remove. Worse yet, there’s at least one version floating around right now that no standard antivirus/antimalware tool I threw at it recognized.

Here’s how I removed it for someone.

A firewall to defeat Android location tracking

That didn’t take long. If you want more control over Android location tracking, Whispermonitor is for you.

Basically, any time an application tries to hit the Internet, it tells you where it’s going and on what port, and you can allow it once, always, or until reboot. Or deny it entirely.

How to clean viruses off other people’s systems safely

What should you do when someone hands you a computer, tells you they think it has a virus, and asks you to clean it?

Proceed carefully, that’s what. You don’t want to infect your other computers with whatever it has.

To get it gone safely and effectively, you really need two things: an antivirus live CD, and a spare router.

Fixing my b0rken WordPress installation

A little over a week ago, WordPress started acting weird. First, it just got dog slow. Then my site stats page started freezing until I scrolled down and then back up again. Then I started seeing a WordPress.com logon screen on my site stats page. I had to look that account up. Thank goodness for Gmail. Then my Akismet spam filter quit working. Then my stats page stopped working entirely.

I lived with it for a couple of days. I figured maybe WordPress and Akismet had changed something. Or maybe my Linux distribution had. And maybe some update messed things up, and some other update would come along and fix it. No such luck.

Buffer overflows explained

Buffer overflows are a common topic on a Security+ exam. The textbook explanation of them is confusing, perhaps even wrong. I’ve never seen buffer overflows explained well.

So I’m going to give a simplified example and explanation of a buffer overflow, similar to the one I gave to the instructor, and then to the class.

Why Firefox will probably always have mixed acceptance in corporate environments

I saw an article in Information Week today about Firefox in the enterprise.

The fanboys on both sides took offense, of course.

I’m a longtime Firefox user and an IT professional, but yet I agree with the premise that Firefox will always have trouble in that environment.

The biggest reason is inside the firewall, in the corporate intranet. Some commenters complained about lazy in-house design, but that’s not the whole story. Many web-based enterprise applications are designed for Internet Explorer and only Internet Explorer. One app that I support takes it a step further, and only works with IE 5.5 or IE 6. That’s going to be a problem when the order comes down to deploy IE 7. The product is discontinued, so at that point we’ll have to either migrate to something else, or have people connect to a terminal server so they can run IE 6.

I have another web-based application I support (but if I ever change jobs I’ll deny ever hearing about it) that works with IE 7, but if and only if an administrator logs on and manually registers some ActiveX controls. That product is called Microsoft Project Server 2003 Web Access.

Yes, you read that right. Even Microsoft can’t properly support its own web browsers.

Any corporate web-based app that uses ActiveX will never run on Firefox. Those that check for a specific IE version might run on a hacked version of Firefox, but if you ever have any problems, you’re on your own. Corporate suits don’t like that.

And since computers and applications tend to live almost forever once they’re deployed, IE’s stranglehold on those environments may not be measured in years. We may be talking a decade, or even more.

I’ll submit the refrigerator-sized VAX systems I walk past nearly every day in the server room as evidence of the longevity of some systems. The computers themselves may not be quite 20 years old, but the applications they’re running are at least that old.

Firefox also tends to go against corporate culture in other ways. One of the first questions a corporate suit will ask is who they can sue if it breaks. Never mind that if a Microsoft product breaks, they probably waived all legal rights as part of the EULA. The guys in corner offices who wear ties know more about that than anyone who works on computers. A wave of the hand makes that problem go away.

Yeah, right. But don’t bother trying to tell them that.

A second problem is that many IT decisions are made, or approved, by people who admire Bill Gates’ wealth. Since Bill Gates became the world’s richest man by selling computer software, his computer software must be the best, period, end of story.

Many of the books decision-makers read perpetuate this belief. One example is the highly popular and influential book Naked Economics by Charles Wheelan. In many circles, this book is a must-read. I have to admit I’m getting as much out of this $11 book as I got out of my college economics class, if not more. But Wheelan trots Gates out again and again as a master visionary, a master programmer, and lots of other things that he clearly isn’t. The examples serve to make Wheelan’s point, which is the most important thing, but they also perpetuate the myth that Bill Gates is the greatest computer scientist and visionary of all time, when the fact is he’s an astute and ruthless businessman who happened to find himself in the computer industry. His track record as a programmer and visionary isn’t all that great.

But because of this myth, spread largely outside of the computer industry proper, many influential people will insist on using the Microsoft product any time there’s a choice. They’re not interested in WordPerfect or Quicken or Dreamweaver or Firefox or any other product not made by Microsoft, as long as Microsoft makes something that competes with it.

The Millionaire Mind by Thomas Stanley explains this mentality somewhat. When a person’s job is to make money, they don’t want to do product research and they don’t want to take chances. When they buy tires, a dishwasher, or a refrigerator, they walk into the store and buy the most expensive one, because the most expensive one must be the best. They don’t want to spend time doing market research because they could spend that time making money. And they want something they believe won’t break, because time spent dealing with broken stuff is time they can’t spend making money.

Basically, any time spent discussing or researching a purchase is time that can’t be spent making money. So in the mind of a bean-counter or an executive type, it’s much cheaper in the long run to just choose the Microsoft product and forget about it.

The logic is completely faulty–it’s an excellent example of a red herring logical fallacy, as Bill Gates’ wealth has nothing to do with the quality of his competitors’ products–but arguing that point isn’t likely to get you anywhere. Even if the decision maker is wrong, the time spent arguing about it is probably worth more than the potential savings by going with a different product.

At home, none of this matters. And at home, I’ll keep using Firefox. I’ve been using Firefox since 2002 when it was an obscure project called Phoenix, so I think you can call me a longtime fan.

Firefox made remarkable progress from 2002 to now, while IE has gone from IE 6 to IE 7 in the same timeframe.

But in the corporate world, very little of that matters. Incumbency has its advantages. Some companies will embrace it because of its many advantages. In other companies, users will sneak it in the door, the same way they snuck in PCs in the 1980s and 1990s while the mainframe-centric IT staff wasn’t looking. But in the majority of companies, it’s likely to stay shut out, perhaps because something important requires IE, but if not, the mere absence of Microsoft’s name on the product will be enough to keep it out of some doors.

I don’t expect to ever have Firefox on my PC at my current job. It’s my employer’s loss, but it’s not my decision.

Improve your Internet connection speed by adjusting your MTU

Way back when the majority of people used 56K modems to access the Internet and I was writing my book on system performance, a favorite computer enthusiast’s tweak was the MTU.

Don’t make the mistake I made though, and assume MTU adjustments are just for people with modems. They aren’t. I just adjusted the MTU on two of my Windows boxes and the speed improvement was dramatic.
I’ve had to adjust the MTU on my Web server to deal with a weird connectivity issue some people were having, but it never occurred to me that my workstations would benefit from a similar adjustment.

Figuring out the optimal MTU and then digging out the place to make the change can be a difficult process. It’s much faster and easier to use a utility that does the job for you. Visit TinyApps, one of my all-time favorite web sites, and scroll down to “Other Network Tools.” There you’ll find TCP Optimizer. It’s a 400K download so it’ll go pretty fast. You’ll be able to download it and run it much faster than you’d be able to read about the process.

I like this tool because it’s small and you can just download and run it, without installing it or anything. When you’re done with it, you can keep it in case you think you might ever need it again, or you can just delete it and not have any leftover mung clogging up your PC.

The default settings for Windows assume an Ethernet connection, but they don’t take any overhead into account. If you have DSL and your ISP uses PPPoE authentication (which most do), that takes overhead. If you’re using a router to firewall your network and share your cable or DSL connection between multiple PCs (which you should do), that takes overhead.

That’s what makes a tool like this nice. It eliminates the trial and error. You run it, make the changes it says, and then you have a faster Internet connection. And it’s one more thing you can do when you think you need a faster computer. In this case, having the faster computer probably wouldn’t have made much difference at all.
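The trial and error mentioned above amounts to finding the largest ping payload that crosses the connection with the don't-fragment flag set. The sketch below is an added example, not code from the original post or from TCP Optimizer; the function names, the placeholder host and the simulated 1492-byte PPPoE link are assumptions made for illustration.

```python
import platform
import subprocess

IP_HEADER = 20    # IPv4 header without options, in bytes
ICMP_HEADER = 8   # ICMP echo header, in bytes
TCP_HEADER = 20   # TCP header without options, in bytes


def ping_probe(host):
    """Return probe(payload) -> bool that sends one ping with don't-fragment set."""
    if platform.system() == "Windows":
        def build(n):
            return ["ping", "-f", "-l", str(n), "-n", "1", "-w", "2000", host]
    else:  # Linux iputils ping
        def build(n):
            return ["ping", "-M", "do", "-s", str(n), "-c", "1", "-W", "2", host]

    def probe(payload):
        try:
            out = subprocess.run(build(payload), capture_output=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            return False
        # An echo reply line carries "TTL=" (Windows) or "ttl=" (Linux).
        return b"ttl=" in out.stdout.lower()
    return probe


def simulated_link(mtu):
    """Constructed stand-in for a real path: passes packets of up to `mtu` bytes."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= mtu


def largest_unfragmented_payload(probe, low, high):
    """Binary search for the largest payload in [low, high] that gets through.

    Assumes that if a payload of n bytes passes, every smaller one passes too.
    Returns None when even the smallest payload gets no reply.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2   # round up so the loop always makes progress
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe, ceiling=1500):
    """MTU of the path: largest unfragmented ping payload plus both headers."""
    overhead = IP_HEADER + ICMP_HEADER
    payload = largest_unfragmented_payload(probe, 0, ceiling - overhead)
    return None if payload is None else payload + overhead


def tcp_mss(mtu):
    """Largest TCP segment payload that fits in one packet of `mtu` bytes."""
    return mtu - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    # Constructed example: an Ethernet path carrying PPPoE (8 bytes of overhead).
    mtu = path_mtu(simulated_link(1500 - 8))
    print("path MTU:", mtu, "TCP MSS:", tcp_mss(mtu))
    # Against a real host (placeholder name): path_mtu(ping_probe("example.com"))
```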

The best way to optimize your firewall: Use hardware

Let’s get back to talking about utility replacements. We last talked about antivirus programs, but what about the other component of what’s commonly now called a “security suite,” the firewall?

The answer is, don’t use firewall software if at all possible–which means every man, woman and child who has a cable or DSL connection. Use a separate device.

There are several good reasons for this. First, there’s the fundamental problem with running your security on the same system you’re trying to protect. If your firewall software goes haywire and crashes, you run the risk of being unprotected. It’s much safer to rely on an external device that doesn’t have an Intel or AMD processor in it and isn’t running Windows. So when someone tries to send a Windows exploit or virus to it, it bounces off because the device just doesn’t understand.

The second reason is price. A plain no-frills cable/DSL router/firewall costs about $20 at Newegg today. The unit I generally recommend is the Linksys WRT54G, which sells for about $50 new or as little as $25 used and adds wireless capability. That’s about the same as the retail price of a software firewall anyway, and it gives you better protection without robbing your system of performance.

A cheaper alternative, which was what I used to do when these devices cost $200, was to take an obsolete PC, put in a couple of cheap network cards, and run Freesco on it. It will run on any PC with a 386 processor or better (I recommend a Pentium with PCI slots for ease of setup). A 100 MHz Pentium is more than powerful enough and if you don’t already have an obsolete PC to run it on, you probably won’t have to ask around very long before finding one for a very low price or free. Today I prefer a Linksys-type box though, since they take less space, consume less electricity, generate less heat and noise, and take less time to set up.

Performance is the third reason. Two years ago I was working at a large broadband ISP that will remain nameless. It provides a “high speed security suite” as part of the subscription price. The system requirements for this suite are ridiculous–the suite itself needs anywhere from 128 to 192 megabytes of RAM all to itself to function. Basically, if you have a PC with 256 megs of RAM (which is what a fair number of PCs out there still have), loading this security suite on it will bring it to its knees. But if your firewall is running on a separate device, 256 megs of RAM is a comfortable amount of memory to run Windows XP or 2000 and basic applications.

Reliability is the fourth reason. Every high-speed security suite I’ve ever dealt with, be it a freebie provided by your ISP, or an off-the-shelf suite, hooks itself into winsock.dll. Three of the last four computer problems I’ve fixed have been related to this problem, and the symptoms are difficult to diagnose unless you’ve seen the problem before. Basically the computer loses any and all ability to do any networking, but when you call tech support, enough things work that tech support will probably tell you to reload your operating system. Unfortunately, the WinSockFix utility doesn’t seem to be well-known at ISPs.

If messing around with your Winsock isn’t bad enough, the security suite my former employer provided was overly paranoid about piracy. If you did any number of things, including but not limited to trying to install it on a second PC without getting a second key from the ISP, it would disable itself and not necessarily warn the user that it had left the PC unprotected. It was my job, when I was working there, to go through all of the disabled accounts by hand. It wasn’t an automated process. So if the security suite decided to go jump off a cliff sometime on Friday after I’d pulled the current report, it would be sometime on Monday before I would even be aware of the problem. Given that it usually takes about 20 minutes for some exploit to find an unprotected Windows box sitting on the Internet, that 48-72 hour window that you could be sitting unprotected is anything but ideal.

Things may have changed since I left that employer in November 2005, but if it’s my PC, I’m not willing to risk it. I’d much rather spend $20-$50 on a cable/DSL router to give myself firewall protection that I know I can just set up once and then ignore for a few years and won’t cause my PC to constantly fall behind on the upgrade treadmill.

And finally, the fifth reason to use a hardware firewall is apathy. Software firewalls tend to throw a lot of popups at the user, warning the user that this or that is trying to access the Internet, or come in, or whatever. Most users are likely to do one of two things: either allow everything or deny everything. The result is either a PC on which nothing works, or whose firewall is full of so many holes there might as well not be one. It’s much better to have a hardware firewall that just does its job. If you’re worried about unauthorized applications hitting the Internet, that’s the job of antivirus and antispyware software, not the firewall.

Replace your Antivirus software with this freebie and regain your performance

Antivirus software is the worst culprit in PC slowdowns. I am not alone in this belief. I don’t suggest going without (not completely) but it’s certainly possible to save lots of money, eliminate subscriptions, eliminate most of the overhead, and still practice (relatively) safe computing while running Windows.

Use Clamwin, the Windows version of ClamAV, and don’t engage in risky behavior (more on that later).

Clamwin is free, GPL software, meaning you never have to pay for or renew it. It lacks a realtime scanner, which is the main resource hog for PCs. This may leave you vulnerable to infections, but think about where the majority of infections come from: E-mail, downloads, and drive-by installations. Clamwin comes with hooks into Outlook to scan e-mail attachments for you, and Clamglue is a plugin for Firefox that automatically scans all downloaded files. Of course you’re using Firefox, right? Using a non-Internet Explorer browser is the most effective way to prevent drive-by installations. I don’t use IE on my personal PCs for anything other than running Windows update.

Realtime protection made lots of sense when the main distribution point for viruses was infected floppies, but those days are long gone. This approach protects you against modern viruses without making your multi-gigahertz computer run like a Pentium-75.

I do suggest periodically scanning your system, something that even antivirus packages with realtime protection do. It makes you wonder how much confidence they have in that resource-hogging realtime protection, doesn’t it? Weekly scans are usually adequate; daily scans are better if you suspect some users of your computer engage in risky behavior.

Risky computer behavior

The last virus that ever hit any computer I was using was LoveLetter, which was way back in May 2000. The only reason I got that one was because I had a client who got infected and she just happened to have me in her address book. I don’t know the last time I got a virus before that.

It’s not because I’m lucky, it’s because I’m careful. There are lots of things I don’t do with my computers.

I stay off filesharing networks. Not everything on your favorite MP3-sharing site is what it claims to be, and there are people who believe that if you’re downloading music without paying them for it, they are entirely justified in doing anything they want to you, such as infecting you with a computer virus.

I don’t open e-mail attachments from strangers, or unexpected e-mail attachments from people I know. For that matter, if I don’t recognize the sender of an e-mail message, I probably won’t open it at all, attachment or no attachment.

I don’t run Internet Explorer if I can possibly avoid it. Internet Explorer’s tight integration into the operating system makes it far too easy for people to run software on your computer if you so much as visit a web page. Google tries to identify web pages that might be trying to do this, but a safer option is to use a different web browser that doesn’t understand ActiveX and doesn’t have ties into your underlying operating system.

I don’t install a lot of software downloaded from the Internet. A good rule is not to install any “free” software whatsoever unless it’s licensed under the GNU GPL or another similar open-source license. If you don’t know what that means, learn. Open source means the computer code behind the program is freely available and outside programmers can examine it. If a program distributed that way does anything malicious, someone’s going to figure it out really fast. If I’m going to download and install something that isn’t open source, I only do so when somebody I trust (be it a trusted colleague, a magazine columnist, etc.) recommends it.

I don’t rely on software firewalls. I have a separate cable/DSL router that acts as a firewall and sits between my computers and the Internet. So when the random virus comes around looking for a computer to infect, my firewall doesn’t even speak their language (it doesn’t run Windows and doesn’t have an Intel or AMD processor inside), so the potential infection just bounces right off.

Use a web-based e-mail service instead of a program like Outlook or Outlook Express if you can. If you use something like Yahoo Mail or Hotmail, that company’s servers scan your incoming and outgoing e-mail for viruses, so if someone sends a virus to your Yahoo account, you won’t get it. Does your ISP scan your e-mail for you? If you don’t know, you probably should consider getting your e-mail from someone else. Your antivirus should catch it, of course, but it never hurts to have someone else looking out for you too.

If you avoid these practices, you can join me in throwing out your commercial, for-pay antivirus software and reclaim a lot of computer performance too.