Digital Choke Daynotes

 Sunday, January 2, 2005       mail    link   the story

New Year. But the same pleasurable Sunday. Start with church meetings, then home for family get-together and dinner.

Stacy is getting ready to go back to college (BYU-Idaho, in Rexburg). I'll be taking her to the airport tomorrow morning. It's been really nice to have her here for the holidays. Even though she spent some time at her sister's house, this place will be much quieter when she leaves.

Last day of my little holiday vacation tomorrow. After taking Stacy to the airport, I'll be doing some shopping for son Jason's birthday, which is tomorrow. There were a few things from his Christmas list that may be useful as ideas. Jason gets a bit busy on weekends with his music; you'll find some of his stuff on his web site (Manimatronic Records). All of it is original, and most is done on his computers. Quite good, even if I am a bit biased. And his yearly Christmas album from his "Yuletide Wranglers" is always a pleasure to get and listen to.

So, the new year starts. Should be interesting.

 Monday, January 3, 2005       mail    link   the story

Wandered over to Paul Thurnott's "Supersite for Windows", and read an article on "Giant AntiSpyware" from Giant Software Company. That's the company that Microsoft bought last month in order to put forth a Microsoft-branded anti-spyware program. MS has been working with this product for quite a while.

Mr. Thurnott indicates that Microsoft will be announcing details about their new product on Thursday (Jan 6), with beta availability by the end of January. No pricing details, but he thinks that it ought to be free, although he suspects that they will continue the yearly subscription fee model. He really likes the program, claiming that it is better than "Spybot Search and Destroy" and "Ad-Aware". His review is here. There are also some other interesting reports on that site, such as interviews with the XP SP2 team, and an analysis of the upcoming "Windows XP - Starter Edition".

Stacy's safe in Idaho, where it is lightly snowing. A nice but cold day today (not as cold as in John Dominik's neighborhood), with just some light rain. Lots of snow in the mountains, though. You regular readers (yes, you three in the back) might recall that our extended family has a cabin in the Sierra Nevada mountains in Strawberry, CA. It's at the 6000 foot level. Two weeks ago, there was no snow on the ground. Today's pictures (from a cabin neighbor's web camera) show a snow depth approaching 3 feet.

And then I looked at the extended weather forecast for my home here in Rocklin, CA, elevation about 300 feet. I note that it says "snow showers" for tomorrow and Wednesday (next week). That's a bit unusual for my neighborhood. I can hardly wait for the commute when I return to work tomorrow.

And, watching the news tonight, with video of former presidents Bush and Clinton along with the current president. Did you notice that Mr. Clinton was wearing a blue tie, while George the younger was wearing a red tie? The elder Mr. Bush had a grey tie. Not sure what that means. Got any ideas?

 Wednesday, January 5, 2005       mail    link   the story

Busy day at work, but nothing exciting. Just the usual stuff. Cold outside, but no snow. Looks like weather.com screwed up. Big storm forecast for this weekend, though. Lots of rain, and several feet of snow in the mountains.

Thinking of doing a work-related 'blog' for all the network admin types. There is some interest in this. Will probably use "Team Blogging" at Blogger. It will be a private area, but it may prove interesting and useful. The network admin types are spread throughout the City and the various departments, and there is sometimes difficulties in sharing information. We'll see how the participation goes after the initial startup.

This evening, I did a "Citizenship in the Community" class. Probably one of my favorites, since there is a lot of interesting history in this area. I kept it pretty fast-paced, and they all paid attention. I gave them some homework, and then we'll try to finish it up next week.

 Thursday, January 6, 2005       mail    link   the story

I worked a bit with the command line version of the GPG open source PGP encryption program. We have a need for that at work to sign and encrypt a file that is sent to an outside vendor. The folks in the computer operations area want to script the process, so a Windows interface won't work. (Although the Windows version of the commercial PGP program would be easier. And it can be integrated with our email system, allowing for a fairly easy process to sign, encrypt, and email the file.)

I also worked a bit with Blogger. Although it is easy to set up a blog there (and free), a publicly viewable blog is probably not a good idea. If the project is to continue, we'll have to set up something internally. Not sure what that will be, or how high it is on the priority list.

 Friday, January 7, 2005       mail    link   the story

First stop this morning was the doctor's office. We changed health plans at the beginning of the year, so it was time to get acquainted with the new doctor. I get to do the 'overnight fasting' blood test, which I'll probably do next week. And he set up a referral with a cardiologist so that we can discuss my atrial fibrillation problem. It's being managed fairly well with the Rythmol I've been on for a while. Haven't had any fibrillation episodes, but have had a few 'skip-a-beat' periods. Mostly it's been OK.

Then off to work, where I played with the "cheat sheet" I'm writing about the GPG encryption program. I've got all the basics down, but needed to test out the commands.

So I fired up vmWare and set up a fresh virtual installation of Windows XP with the SP2 patch. I let the installation trundle along for a while until it was done. A pretty easy installation; just had to answer a few questions along the way. When all was installed, I downloaded a fresh copy of GPG into that partition, un-zipped the file with the integrated Windows unzipper, and then opened up a command prompt. I typed in the various commands to make a couple of public/private key pairs, and encrypt a file. A few minor edits of the cheat sheet, and that project is about done. All that is needed is to package my cheat sheet, the "quick start" guide, and the GPG zip file, and I can send it off to the project team member so they can try it out. I might even post it here.

In security news, I notice two things from the folks at Securnia. One is that they have raised the threat level for the IE "Help" vulnerability, which does occur in WinXP/SP2. And the other is that there is a less critical vuln found in Firefox (version 1.0). That prompted this message that I sent off to Dr. Pournelle, who has a few (!) more readers than me.

Using an alternative browser (Firefox,etc) instead of Internet Explorer does not mean that you are immune to exploits. A new vulnerability to Firefox version 1.0 was announced on Jan 4, 05 by Securnia (they keep track of all the bugs in all programs). (Link is here.) Securnia rates this as "Less Critical" (a rating level of 2 out of 5, with 5 highest).

"Secunia Research has discovered a vulnerability in Mozilla / Mozilla Firefox, which can be exploited by malicious people to spoof the source displayed in the Download Dialog box."

And their recommendation is "Do not follow download links from untrusted sources."

If you look at the vuln list for Firefox 1.0 (here), you will see that even Firefox has four vulns, dating back to Aug 30, 2004. That is five months ago. (A five-month-old bug in Windows will cause a great hue and cry among open-source advocates, who claim that open source is better since bugs get fixed faster.)

The point here is that *no* software is immune to bugs, and users have to be careful in all cases. And that even 'open source' software has problems fixing things in a timely manner. (Note to those readying a 'flame' response -- the number or severity of the other Firefox vulns is not the point I am trying to make.)

A separate report from Securnia on the Firefox vuln is here. Note the timeline of this bug (I changed the dates to a non-European format):

24/Nov/2004 - Vulnerability reported to vendor.
  20/Dec/2004 - The vendor published a public Bugzilla report regarding this vulnerability.
  04/Jan/2005 - Public disclosure.

All the open source fanatics are saying that the Firefox vuln is not a big deal. But there seems to be a bit of 'spin' on this. If the same vuln was in Windows/IE, you'd see a lot of gleeful posts about IE being such a security risk. But a vuln in Firefox is "not a big deal". The 'evil empire' is bad in anything they do, while the open source gang can do no wrong.

I'm not saying that there aren't problems in IE. There are vulns, and there is an active exploit for the IE "Help" window bug. (See the Securina report here, which includes a benign demonstration.) And it does take a bit longer for MS to release a patch for vulns; they do a lot of testing of vuln fixes before they release things. This quote from a Microsoft spokesperson, found in a story here about the vuln on the cNet site.

"It's important to note that security response requires a balance between time and testing, and Microsoft will only release an update that is as well engineered and thoroughly tested as possible--whether that is a day, week, month or longer," a Microsoft representative said. "In security response, an incomplete security update can be worse than no patch at all if it only serves to alert malicious hackers to a new issue."

So, I repeat myself (I do that a lot):

The point here is that *no* software is immune to bugs, and users have to be careful in all cases.

Enough of that (for now).

I stopped by Lowe's on the way home tonight to pick up a few things for a minor project here. And then a stop at the Circuit City next door. I've mentioned the need to upgrade the office computer. The current plan is to get a new hard drive, install it as the C drive, then move programs and data over to it. I saw that they had a 200GB Western Digital drive on sale for $149, with $70 in rebates and discounts. That looks like a good deal, so I may get that with some leftover Christmas present money.

I also looked at scanners. We've got a lot of pictures that should be scanned and stored on CDs. Some of them are getting old (as I am) and starting to fade (as I am). So I'm thinking that would be a good project. Not sure which scanner to get; they had HP and Epson's there. More research is needed on that subject.

Tomorrow morning, I'm helping the Church Boy Scout group pick up Christmas trees as a fund raiser. So I grabbed the big Ford F-250 from my mother-in-law to help out with the transport of the trees to the recycler. The plan is that I drive, and the boys will handle the tree-loading job. The truck has a super cab, so there will be room for them inside, with lots of room for the trees.

The only worry is the weather. Big storm blew in today. Lots of rain forecast for here, and lots of snow for the mountains. They are forecasting 5-8 feet of new snow up there. As I write this, I-80 is closed in both directions due to the snow. Which means that the top story on the news tonight will be the storm. There will be the new news kid up in the mountains (Blue Canyon, at 5,000 feet), the almost-new reporter somewhere down in Sacramento in the rain, and the main weather person (safely in the studio) showing off all the Doppler pictures. Those news guys really get excited about weather, which is a big ratings draw.

And that's enough for tonight. Stay warm, well, and safe.