
Blog


08/22/2009

Presentation on PC Security

Recently, I’ve been a guest presenter for “Doc’s Place Live”, hosted by my longtime friend Dave Dockery. “Doc’s Place Live” meets at the Tampa Bay Computer Society’s resource center in Largo, Florida every Friday morning from 10am to 12noon (Eastern time). Using their audio/video equipment, the presentation is streamed live for those who can’t be there in person. We’ve had some troubles with the live streaming on occasion, but this past presentation went very well and there is a recording available for on-demand viewing.

 
Doc's Place Live - Charles Oppermann presenting on PC Security

I have to admit, that the actual talk wasn’t as much about security as it was about how software – good and bad – gets on to our machines without us knowing, or inadvertently consenting to software we don’t want. I used an example of a simple Flash Video Player that also installs the Yahoo! Toolbar by default. While this particular installation program offers users the choice not to install the Yahoo! Toolbar, many don’t offer choices, or make it difficult to figure out what exactly is being put on your computer.

What’s insidious about this is that months later, when the computer starts to slow down from the weight of such programs, people have no idea what happened. “I never installed anything from Yahoo!,” a user might protest, and they would be correct. Some other installation program did, with no affiliation with Yahoo!. The toolbar is not a virus, nor is it spyware, and no anti-virus tools will flag it or protect the machine from software the user most likely does not want. After all, the user did consent to having it installed, probably without reading the End-User License Agreement or carefully reviewing the options the setup program offers.

This is why I promote a concept of “active management” of your computer. Get familiar with the Windows tools that show you what is installed, and what is running. Learn how to uninstall programs you do not use or need. Most of the time you don’t need additional software; what’s built into Windows will work just fine. Too often, I hear of people saying “I downloaded this program to help me speed up my machine,” and my pat reply is “the cure for too much software is not more software.”

If your computer is running slowly, or you are having unexplained problems, go clean it up yourself – go to the Control Panel, choose “Programs” (Add/Remove Programs in Windows XP) and start uninstalling the applications you don’t use. Don’t worry – if you find you really need one, you can reinstall it later.

Another tip is to keep your desktop clean. Many applications (including some from Microsoft) put shortcuts to their programs or websites on the desktop in an effort to ensure you’ll see them. We get accustomed to these icons and over time, our desktop is filled with stuff. You can safely delete all the shortcuts on your desktop. That’s part of actively managing our computers and knowing what’s on them.

Finally, I showed two tools that help users understand what’s currently loaded and what’s automatically loaded. The first is Task Manager, and it’s a built in tool that you can access by right-clicking on the task bar and choosing “Start Task Manager.” You could also press CTRL+Shift+ESC to activate it.

The other tool is Autoruns, part of the Sysinternals tool kit, now distributed by Microsoft. This tool displays all the programs and components that are launched automatically, often without any indication to the user. I recommend turning on two options in this program. First, turn on “Verify Code Signatures” to check which programs have a digital signature. Second, turn on “Hide Signed Microsoft Entries” to prevent the display of the many internal pieces of Windows that need to be launched. By turning this on, you’ll only be presented with software that you’ve added that is not considered part of the base Windows operating system.

Map to TBCS Resource Center
While there are checkboxes next to each entry, I strongly recommend that you use this tool to identify the software first, and then go to the Programs control panel to uninstall software.
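
As an added example (not part of the original post, and not how Autoruns itself works internally), the following read-only PowerShell script approximates the two Autoruns options described above for the registry Run keys only. The helper name `Get-ExecutablePath` is hypothetical, and treating a valid signature whose subject contains `O=Microsoft Corporation` as a "signed Microsoft entry" is an assumption made for this example.

```powershell
# Added example: list auto-start entries from the Run keys, verify each target's
# Authenticode signature, and hide entries validly signed by Microsoft.
# It only reads; removal should still be done through the Programs control panel.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
# Limitation: for hosts such as rundll32.exe it returns the host, not the DLL
# named in the arguments, and bare file names without a path are not resolved.
function Get-ExecutablePath {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($expanded -match '^"([^"]+)"')       { return $Matches[1] }  # "C:\Program Files\x\y.exe" /arg
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }  # unquoted path containing spaces
    return ($expanded -split '\s+')[0]                                # fall back to the first token
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }        # skip the key's unnamed default value
        $command = [string]$item.GetValue($name)
        $path    = Get-ExecutablePath $command

        # "Verify Code Signatures": check the file's Authenticode signature.
        $sig = $null
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
        }

        [pscustomobject]@{
            Location = $key
            Name     = $name
            Path     = $path
            Status   = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# "Hide Signed Microsoft Entries" (assumption: subject match on a valid signature).
$entries |
    Where-Object { -not ($_.Status -eq 'Valid' -and $_.Signer -match 'O=Microsoft Corporation') } |
    Sort-Object Location, Name |
    Format-Table -AutoSize -Wrap
```

Entries that remain with a status of `NotSigned`, `HashMismatch` or `FileNotFound` are the ones worth identifying first.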

Watch the presentation for more details and please send me your feedback and suggestions for future presentations.

Next week, Friday August 28, we’ll be presenting on Internet Search Tips and Tricks, showing how to make the most of your searches online. Join us at the TBCS Resource Center in person at 10am.

Follow us on Twitter: @UserGroupDoc and @ChuckOp.

08/20/2009

Embedding Video in Email

Was asked this question from a Tampa Bay Computer Society member:

“How do you embed a video in an email? Not a simple link to the video, but the actual video with an arrow to start it right there and then in the body of the email.”

Summary: Don’t do it.  Email messages should not impose the will of the author on the reader.  Here are some random thoughts:

  • Would have to use hand-crafted HTML and MIME
  • Would have to construct the HTML to include an <object> tag
  • The object tag would reference a specific media player. If that media player is not available on the machine, errors occur
  • There is no way to package the player with the message (would be a massive security hole)
  • Would only work on Windows machines
  • Would likely not work with web email readers such as Hotmail, Gmail, etcetera
  • Is possible, if not probable, that most Windows email clients will block such a message as being potentially unsafe
  • Would be rude to the user as their preferred media application might not be invoked

I'm a fan of “inline disposition” which is something I worked on in the late 90's for Microsoft Exchange 2000 Unified Messaging features, but cut from the product before release. In this case however, with a user wanting to create the message, there are too many ways to screw it up.

The salient question is: why is the normal route – attaching a video file – not sufficient?


    05/17/2009

    Some musings about The Pirate Bay trial

    I commented on digg.com about this. 

    Article simply quotes a defense lawyer (lord knows they ain't biased - NOT) and doesn't contain anything specific.

    This is Law 101 - if you can't argue the merits of a case, throw every allegation of bias you can think up. The case is on appeal already, which means that the conduct of the judge and decisions of a legal nature will be considered. At least in American law, an appeal does not mean a re-evaluation of evidence or verdict. Only whether or not the correct legal procedure was followed.

    Swedish law doesn't use juries like American law, but this wasn't just one person deciding the case - there are three other lay judges.

    I guess I'm not like everyone else in thinking that TPB is completely innocent. They profited from illegal activity. Even their lawyers concede that illegal activity was occurring, their focus was showing that the owners and operators of TPB weren't responsible for the actions of others. I get that, but come on.

    If I own an apartment building and some tenants are using it to deal drugs, I can be held liable, particularly if I was aware of the activity. There is no doubt that TPB owners and operators were aware of the massive violations of copyright law being enabled by their site. As such, being found guilty of accessory to breach copyright law was appropriate.

    We can all agree that copyright law needs serious overhaul, but it's the law at the moment and lots of people are breaking it. These 4 guys are taking it on the chin for the hundreds of thousands of real pirates.

    Here's a tip for the defense lawyers: Go easy throwing out allegations of bias when defending something with "Pirate" in the title.
    03/27/2009

    Show all devices in Device Manager

    The Windows registry keeps track of all hardware devices that have been installed on the machine.  By default, the Device Manager only displays the hardware devices that are currently connected to the machine.  Hardware that is not currently connected, such as a USB device or a FireWire hard disk, is not shown.  Over time, a lot of devices can be registered, particularly if you connect the same device to different USB ports.

    By using an environment variable, you can have the Device Manager display all the hardware that has been installed on the machine.  Set the "devmgr_show_nonpresent_devices" environment variable to "1" using the System Properties dialog.  Alternatively, just type set devmgr_show_nonpresent_devices=1 at a command prompt; a variable set this way applies only to programs started from that same prompt, so launch Device Manager from it.

    Then using Device Manager, make sure the "Show hidden devices" option is set on the view menu.  Normally when "Show hidden devices" is set, only non-PnP devices are shown.  With the environment variable set, Device Manager also shows disconnected hardware using a semi-transparent icon.  You can then uninstall the device and all the associated drivers.

    An easy way to load Device Manager is to type devmgmt.msc at the Run dialog or command prompt.  A quick way to get to System Properties is to press Win+Break.

    [This posting is originally from my blog at http://weblogs.asp.net/chuckop/.  I’m trying to move the more useful postings over to my current blog host.]

    02/27/2007

    Talking about Fast Resume, 6 years later

    Good, technical discussion on what's going on behind the scenes on your laptop computer when you resume from standby.  Includes tips on how to get the resume time down to about 1-2 seconds.

    Quote

    Fast Resume, 6 years later
    01/06/2007

    Networked Emoticon Device

    Recently I toured the Microsoft Home of the Future, which has been a 10+ year project to showcase technologies and their application in the home.  It would take dozens of posts to cover all the cool things, but one thing that was particularly interesting was a hanging mobile that had several illuminated balloons.  It looks like any other decorative hanging light, but occasionally a balloon would discreetly change color.

    Our tour guide explained that each balloon represented a particular family member and that the display can indicate many things, an upcoming birthday or anniversary, or a waiting message.  I thought about the possibility that it could indicate distress - like if your child hasn't checked in or if the black box in Mom's new SUV recorded airbag deployment.  Things like that.

    Well, industrial designer Mauricio Melo has come up with a Networked Emoticon Device that can display the mood of one person.  If you are at work, you can press each icon to update your mood and a paired device at home or your girlfriend's apartment will update to reflect your current status.

    Now that there is nifty technology to display such things, all we need is some equally nifty software to automatically detect your mood...

    Link to Mauricio Melo Design . Interactive

    12/09/2006

    Doc's Kindness Cafe

    My dear friend and hetero-soulmate-4-life David Dockery has finally joined the 21st century and started blogging.  In typical fashion, one of his first posts is on Global Orgasm Day, December 22, 2006.  Nice of Doc to share the love.

    Doc's Kindness Cafe

    AlphaGrip AG-5 Handheld Keyboard Review at ExtremeTech

    Interesting keyboard that looks and feels like a gaming controller.

    Link to AlphaGrip AG-5 Handheld Keyboard Review at ExtremeTech

    The majority of alpha characters are on the backside, manipulated by your fingers using bi-directional buttons.  Your thumbs control various shift states and a trackball or joystick on the front.

    Having been to many conferences dealing with technology and people with disabilities, I've seen many strange looking keyboards designed for people with various physical limitations.  A co-worker has one where there are two "wells" of keys so that your fingers don't have to move as far.  Looks weird, but works great for him.

    I'm typing this posting on my Toshiba Tecra M4 laptop, and while the keyboard has reasonably sized keys, it's a straight keyboard and can be hard on my wrists - particularly the left wrist, which rests on the plastic case right above the hard drive - which usually operates at a temperature of 115-127 degrees Fahrenheit!  Ouch!

    I greatly prefer curved, or "natural" keyboards, that Microsoft popularized nearly 10 years ago.  My current favorite is the Natural Ergonomic Keyboard 4000 that I use at home and work.

    Of course, I'm still waiting for the curved version of the Das Keyboard.

    12/04/2006

    Experiences with Motorola Q

    A friend asked me about my thoughts on the Motorola Q phone that uses Windows Mobile 5. Figured others may want to see it as well.

    Pros:

    • Thin and light. Fits into shirt pocket easily.
    • Bright, large screen.
    • Love the thumbwheel on the side, UI is optimized for scroll up/down and press for Enter. There is another side button just below for Escape/Back. Can do many things with just your right thumb.
    • Keyboard is sensible and very usable.
    • Built in Camera is acceptable, and even does videos (although I need a method to convert video from its format into MPEG, AVI or WMV).
    • Bluetooth reception/experience better than my previous PPC, the Samsung i730
    • The included hard-plastic belt clip/screen cover is robust and quite sufficient, no need for a fancy leather model
    • If you get it, install the Windows Live Local Mobile client, very cool maps, directions, traffic and searching

    Cons:

    • If you talk a lot, I think the default battery would likely not last an entire day. I have a charger at work, home and in the car, so it's not a big problem, but I haven't gone traveling with it yet. There is a longer life battery available, but I don't know if it adds weight and cost.
    • The IT imposed device lockout is a real pain. You have to press Unlock first, then press the ALT key twice (to turn on the number pad), put in your PIN and then hit Enter. You can answer calls and use the built-in speech recognition,
    • Occasionally, the phone will think I've hit the button on my Jabra Bluetooth headset and prompt me for a speech command, even though I haven't touched it. Haven't figured that out yet. I am planning on replacing it with the Voice Command bits at some point.
    09/28/2006

    Blogging from Word 2007

    This is a test post that I created from Microsoft Word 2007. While I like Windows Live Writer, it doesn't have the in-line grammar and spell checking that Word has. When I'm writing to a very large audience, I like the idea of having a safety net that looks over my grammar. In the past, I could just write in Word and copy and paste into the blog, but that's a two-step process.

    It looks like Word 2007 has a Blog Post ribbon that allows me to edit existing posts, and can handle multiple blog accounts. Woo hoo!

    09/21/2006

    InterSpeech 2006

    I'm in Pittsburgh this week, attending the InterSpeech 2006 conference.  Actually, I shouldn't say I'm attending it; I'm just staffing the Microsoft booth, giving demonstrations of Windows Speech Recognition.  This is an academic conference, mainly for speech scientists and researchers to present their published papers.  For example, one of the poster sessions is entitled "A Novel Framework of Text-Independent Speaker Verification Based on Utterance Transform and Iterative Cohort Modeling" which has Microsoft's own Zhengyou Zhang as one of the authors.  The poster sessions remind me of some early science fair projects because each is posted on a wall, with the research data and conclusions neatly shown.

    Since Microsoft Research is one of the sponsors, they get a booth in which to demonstrate technology and products.  A week ago, the Speech Research Group asked my group, Speech Components, if one of the program managers could come out and give demonstrations.  I volunteered.  The demos went well, and for the most part were trouble-free.  I chose to use the Release Candidate 1 of Windows Vista for the demo machines, because I didn't want to risk problems with an unknown, random build.  There was a small issue with the audio gain on the microphone that would set the gain at the maximum after the computer resumed from standby, or the USB headset was unplugged and plugged back in.  The gain is supposed to be set at 15, so when it went to 100, recognition accuracy would plummet, but not too badly.

    Usually, it was difficult at times to show the correction dialog, used when some phrase was dictated incorrectly.  Even when there were hundreds of people milling about the vendor booths, and the ambient noise level very high, the system did very well.

    The most frequent comment was similar to "this is amazing".

    I'm writing this Thursday night from my hotel room in Pittsburgh, in response to a friend who remarked that I don't update my blog often enough.  Hope you're happy, A!

    08/08/2006

    Windows Vista Speech Recognition Demo

    The other week was disastrous with the comically poor Windows Vista Speech Recognition demonstration at Microsoft’s Financial Analysts Meeting (MSN Video, Google Video, YouTube).  The full video is here, with the speech demo starting at 39 minutes in. 
     
    Many things went wrong and we’re all kicking ourselves over it.  One of my direct responsibilities is working with the audio team on a number of issues between SAPI and the audio sub-system.  I’m particularly irked that someone made the excuse of “ambient noise.”  The actual technical problem was discussed by Larry Osterman, the lead developer on the Windows Digital Media Audio team.
     
    While I was angry for the first day or so, I knew our technology was so much better than was demonstrated and I was actually happy for all the attention Windows Speech Recognition was getting.  Today at the SpeechTEK conference in New York City, Rob Chambers gave a flawless, 8 minute demo that had 100% accuracy.
     
    I don’t know if there will be video available of this demo, certainly when things go as expected it won’t be as popular.
     
    Additional blogs on the demo:
     
    08/01/2006

    Photosynth from Microsoft Live Labs

    Photosynth takes collections of photographs and stitches them together three-dimensionally and allows seamless viewing of spaces.  When combined with collections of photographs from other people (such as the nearly 2,000 pictures of Times Square hosted on Flickr), you can experience a near-virtual reality tour.
     
    This is one of the things I love about working here.
     
    Check out the Photosynth site for more information (RSS here), but at the very least, check out the short demo video.
    05/04/2006

    Hi, I'm a Windows Tablet PC

    I like the new Apple ads that poke fun at Microsoft Windows.  I also like the new iPod/iTunes ads (but I don't spend all my time in a cubicle).   Apple does one thing really well and that's marketing.  Building brand loyalty is another.
     
    While I think the Apple ads are cute and probably effective, I can’t get the image of the Asian woman (“the latest digital camera from Japan”), pulling a photograph out from behind her as if her butt printed it.  I nearly laughed out loud when the PC asks “Do you speak her language?” and the Mac answers, “Oh of course, everything just works with a Mac.”  Sure, see if any of the peripherals you own have Mac drivers available.  Many do, but many do not.  What do you think is more likely – the latest gizmos supporting just Mac or just Windows?
     
    The ad about the PC freezing repeatedly was well done and strikes a familiar tone.  Of course, having been around computers a long time, I know that Macs freeze up quite a bit and until very recently, were much less robust than Windows.
     
    Finally, the ad referencing Walt Mossberg’s quote of “the finest PC on the market at any price”  could be interpreted as a nod to the outrageously overpriced hardware.  But I was curious and found the full article here.  This is the paragraph with the quote:
    "The combination of the new, improved hardware, plus Front Row, makes the iMac G5 the best consumer desktop you can buy this holiday season, period. For mainstream consumers doing typical tasks -- Web surfing, email, office productivity, photos, music, home videos, etc. -- it's the finest desktop PC on the market, at any price. Hard-core game players, stock-market day traders, serious video producers and some other niche users should look for other computers. But, for most people, the new iMac G5 is the best choice.”
    Mind you, this in reference to a computer with a 17” monitor that costs $1,299.  You’d be hard pressed to find a Windows Media Center machine costing more.  Mossberg was co-author of the article and given the qualifications of the quote above, is rather wimpy.  Note that he’s talking more about the hardware ability of the machine, not the software.
     
    Nonetheless, I respect Mossberg.  He and I had some interaction nearly 10 years ago when he asked that the focus rectangle be removed from Internet Explorer 3.0 when activating links.  He felt that it left a cluttered screen and didn’t understand the needs of people who don’t use a mouse.  Which explains his attraction to the Macintosh, I guess.
     
    Along those same lines, Incremental Blogger had this counterpoint to the Mac ads, showing how much cooler a Windows Tablet PC can be than a Mac.  Having used a Tablet PC for a few months now, I really enjoy it.  Windows Vista is improving the experience remarkably as well.  Here’s a sample of the spoof:
    Tablet PC:   I understand. It depends on what tools you have. It's not your fault. You can still be proud of who you are.
    Mac:            I am.
    Tablet PC (Trying to be positive) You know, you can always dual boot to Windows if you feel left out.
    04/14/2006

    Microsoft Speech Server Newsletter for April 2006

    Available here:
     
    Topics covered in this issue:
    • Introducing Microsoft Speech Server 2007 Beta
    • Using Speech For Search
    • How do I set TTS volume and speed?
     
    03/26/2006

    Where I Work

    Here's a link to an overhead image of the building I work in currently.

    01/31/2006

    Mitnick Says Open Source Is An Easier Hack

    Kevin Mitnick, the computer 'hacker' who was jailed for computer piracy in the late 1990's said "Open source would be easier [to hack], It's less work," in an interview published by TECTONIC.

    This is something I've been saying for years, and is supported by the higher number of security vulnerabilities in Linux vs. Windows.  To me, it's obvious - if you have the road map in front of you, you can poke around for security holes or use automated tools to look for buffer overruns and other insecure coding practices.

    “On the face of it, open source software is more secure,” says Mitnick. “A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?”

    For 2005, the United States Computer Emergency Readiness Team (CERT) reported 812 vulnerabilities for Windows and 2,328 for Unix operating systems, including Linux.  Many of the problems with Unix/Linux range from the mundane to the very serious, but because Windows is so much more common, the Windows problems generate much more attention and problems.  Few security holes in Linux have self-propagating exploits, because it's simply not worth the time for the benefit.

    To me, this is evidence that the open source model doesn't scale.  Imagine if, magically, all the Windows machines became Linux machines and vice-versa. Now with millions of potential victims you'd have the incentive to hack Linux and create exploits to spam computers and install adware, etc.

    By having the source code in hand, it would be easier to find the holes to exploit.  Currently, the open source community fixes the problems, but testing of such fixes is ad-hoc.  While a patch works for the configuration of the shop where it was created, it may not work in all the possible cases.  Open source advocates often point to the quick availability of patches for security problems and they contrast that with the relative slowness of the availability of fixes from Microsoft.  But that doesn't take into account testing of the fix.  Microsoft cannot afford to just send out a patch without testing it on a wide variety of machines that are using Windows.

    I'm not anti-open source, in fact, like most developers, I like to have the code in front of me when working with something complex.  Rather, I disagree with those who state that open source software is inherently more secure and promotes faster resolution.  Rather, it's my opinion that open source software is easier to exploit, contains more coding errors initially, doesn't have a scalable testing infrastructure and is harder to update the general user population.

    TECTONIC: OSS is an easier hack: Mitnick
    01/27/2006

    Q&A on Microsoft Security Issues

    Slashdot has an excellent Q&A on security issues facing Microsoft and what the company is doing about it. They are answered in a no-nonsense manner by VP of Security Mike Nash.  Here are the questions to help you decide to read the full article.  In some cases, I've re-worded the question title for clarity.

    1. What has changed?
    2. Security vs. User-friendliness
    3. What are the Top Priorities for Security in 2006?
    4. Outside Influences on Security
    5. What is the basic approach to Microsoft security?
    6. Why DRM?  Also, why not decouple IE?
    7. Do you ever spend time with "average users?"
    8. Windows updates to unregistered machines?
    9. MSFT employee here - [very insightful!]
    10. Why no AES in SSL?
    11. Do Vista users still need to be administrators?
    12. Is OpenBSD a good example?
    13. Differences between Microsoft and other employers

    Slashdot | MS Security VP Mike Nash Replies