Recently a friend forwarded a question posed by one of his own acquaintances, to wit: “what are your thoughts on antivirus protection (etc) for a regular ole homeowner on DSL? Any particular ones you think are better than others?” That’s a pretty good question, and it’s important since there are many misconceptions about this subject. Here’s a basic rundown.

Many antivirus packages are available these days. Symantec, Zone Alarm, McAfee, and AVG (a free option) come to mind as popular options, and all are pretty good. The main thing to remember is that simple virus protection in email isn’t enough: you also need to lock down your browser and manage your PC’s network access. Malware authors now know more people run email scanners to catch viruses before they’re delivered to a user’s inbox, so they’re trying other delivery methods. They’ll attempt to connect to open but unused network ports on your PC. They’ll put spyware on websites in the hope you click on an interesting looking button (whole bogus websites are being set up to trap unwary web-surfers). None of these are covered by a “traditional” antivirus package.

I’ve been using the Zone Alarm suite for several years. While it’s brought some annoyances to the party (occasionally raising alarms when visiting well-known eBay URLs, for instance) it’s been very stable and consumes few system resources. I discarded Norton in 2006 because it had become too intrusive, and had a vicious memory leak they refused to acknowledge. Your mileage may vary. AVG is excellent as well. I’ve never used F-Prot, so I can’t comment on it.

Whichever package you buy, remember that you have to (a) run it, and (b) keep it up to date. A few years back a family member had a machine covered in viruses because she’d bought and installed a package, but never activated it. She thought having it installed was enough, and didn’t know you needed a subscription in order to obtain new virus signatures.

As an aside, I also recommend discarding Internet Explorer and Outlook in favor of, well, any other option. Firefox and Thunderbird are generally better in terms of security, and are less open to attack by script-kiddie hacks. You can get add-ons like NoScript and Ad Block Plus for Firefox, which extend its security features, for free. I also find Thunderbird is pretty good at catching potential spam and routing it to a junk folder.

Migrating to non-Microsoft solutions might take a bit of effort, but you’ll be less exposed to threats and the software just generally works better. All IMO, of course.

One of the consequences of the Internet revolution is social networking sites like Facebook and MySpace, where users can share huge amounts of (often highly personal) data. Unlike old-style “personal web sites” where users were in complete control of their own content, social networking sites are hosted by third parties who deal with things like backups, archiving of data, and so forth. One of the most obvious questions about such sites is: do you still own the data after you’ve posted it, or does it become the property of the site?

In general, the first question is answered by the Terms of Service (ToS) agreement you probably ignored when you signed up for the site. Most social networking sites state pretty explicitly that users continue to own data they’ve posted and don’t surrender any rights by making the information public. Thus it was interesting last week when a storm of outrage erupted over Facebook’s recent change to its ToS agreement.

The problem appears to have been the legalese phrasing of the new terms, which seemed to indicate that Facebook was taking ownership of any data posted to the site. As you can imagine, users took serious exception to this and apparently bombarded the site with complaints. No one apparently noticed the change (does anyone ever read ToS agreements that are more than 10 words long?) until a blog called The Consumerist broke the story with a posting entitled “Facebook’s New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’”

Needless to say, Facebook has since backtracked on its position and is reverting to its older (and apparently less legalese-infected) ToS.

Personally, I doubt the company ever intended to claim ownership of user data. Given today’s intellectual property rights debates, attempting to do so probably would have driven away a huge percentage of its user base. And just why would any company want to assert ownership over users’ vacation photos, personal musings, and diary entries? What would be the point?

This said, it might be a good idea to read those ToS agreements before signing up blindly for access to any site. Unless you do, you’ve no idea what rights you might be signing away.

In a move that’s sure to please business travelers everywhere, several airlines have started offering in-flight Internet access for laptops, PDAs, and other devices. It’s about time. There was no real technological barrier to this type of access, but nonetheless it’s taken years to appear. I suspect it’ll give early-adopter airlines like Delta a temporary competitive advantage over other companies that are lagging behind.

Access, which is provided through a service called Gogo Inflight Internet service from Aircell LLC, is managed like any other cafe-style provider. Users pay a flat fee of $12.95 for flights over 3 hours, or $9.95 for shorter hops. Delta just started the service this week and provides it on a limited number of flights, but “says that the service will be offered on five more flights by the end of the month and that it will be available on as many as 300 planes by the end of 2009.” American and Virgin America have been offering it for a few months now. Other carriers have deployment plans over the next year or so.

Users get the same access they’d find at Starbucks or in a hotel — text messaging, standard Internet access, and the ability to connect to corporate VPNs. This means all those hours passengers formerly spent operating in disconnected mode can now be more productive, which is both good and bad depending on your point of view. No more “I couldn’t connect to the server because I was in the air” excuses will be accepted by in-the-know bosses, I suspect.

Some things you still can’t do. For instance, “cell phone and Voice over Internet Protocol (VoIP) services, such as Skype, are not available due to FAA restrictions.” I can, to some degree, understand prohibiting cell service and would hate it if 95% of my fellow passengers spent the entire flight yapping on their CrackBerries, but why VoIP? It’s just another service running over the net, after all. Why prohibit it?

For myself, I’ll be happy if I can watch movies on Hulu during a long and boring flight. But I suspect I’ll have to bring my own popcorn.

Many of us use public machines, whether in Internet cafes, schools, or other locations. Few think about the danger involved, and I’d bet most users just presume the systems are kept fastidiously clean of malware. Sadly, that’s not always the case. A recent study conducted on 300 machines located in wire-transfer shops in the LA area found 60% were infected with malware of various types.

That’s just bad. Here you have machines that are used daily by people conducting financial transactions of all types, and over half are infested with viruses that include (of all things) keyloggers. That means that criminals in various locations are receiving personally identifying information from hundreds, if not thousands of unsuspecting users every business day. An audit of these machines found that “some infected machines held troves of private data, from Social Security numbers to credit card numbers to tax documents.” Is it any wonder that identity theft is on the rise, given this pathetic situation?

According to a representative of the wire transfer agencies that run these shops, “most transactions are for less than $300, which makes the hassle of intercepting a transfer and forging an ID and getting someone in place to steal the delivery potentially more costly than the crime is worth.” It’s still a problem, and $300 is a lot of money for most people. The amount isn’t really the issue, though. If SSN and credit card numbers, not to mention tax information, is being stolen, it means criminals have enough information to steal an individual’s identity. That spells a whole lot more trouble than $300, if someone decides to act on that information.

The lesson is clear: don’t trust any public machine, since you have no idea how well it’s maintained or protected. Assume the worst, i.e. that the last user probably surfed to unsafe locations and the machine is filled with malware. Don’t enter private data, since a keylogger could be waiting to snare your password or other sensitive information.

Some public machines are well maintained and can be reloaded at will using a known good OS image that’s free of viruses, but you should presume otherwise unless you’re certain you’re the first user since the last rebuild.

For years the Open Source community has derided Microsoft, and especially Internet Explorer, as being overly bug-ridden and thus prone to infection by malware. Now, with the rapid rise in Firefox’s popularity, the shoe is on the other foot.

Recently the “Greasemonkey” malware attack, which targets Firefox explicitly, made the news on Slashdot. It’s a clever hack, since it’s both a technical and a social engineering attack. Technically it uses Firefox’s built-in extension capability, and conducts its attack by installing itself “in Firefox’s add-ons folder, registering itself as ‘Greasemonkey,’ the well-known collection of scripts that add functionality to Web pages rendered by Firefox.”

The purpose behind the malware is obvious: it sits there behind the scenes, looking for users to visit login pages at a variety of financial institutions, including banks and even PayPal. When it sees activity directed at one of the known institutions, it records the user’s login ID and password. These are then sent to a server in (where else) Russia. The rest you can guess.

How do you get it? The usual vectors apply. “Trojan infection can occur via drive-by download or download duping.” The software has already been identified and classified, so expect to see it in antivirus/anti-malware signature updates in the near future.

This is, to my knowledge, the first time Firefox has been targeted this explicitly. It also shows that the absence of malware targeting Open Source applications might be related more closely to market share than their allegedly higher built-in security. This means Open Source users should start taking more care when installing extensions and plugins. Be sure you know who’s providing them, that they’re legitimate copies, and don’t automatically say “OK” when one asks to install itself. The safest bet is to obtain plugins and extensions directly from Mozilla’s servers, not from third parties.

Many in the security community have surmised that the number of such incidents will increase as applications like Firefox, Thunderbird, and others grow in popularity. Until now, their small user base (in comparison with IE and Outlook) has left them as low value targets. That day may be ending. As these applications rise above the noise level and into the limelight, they’ll be just as heavily targeted as built-in programs like Outlook.

Fame has its price.

With the US presidential elections just around the corner, many of us are scrambling for information that will help us choose who to vote for. The candidates themselves certainly aren’t providing unbiased information (they’re politicians, after all). The major news media seem incapable of researching stories clearly, and are more concerned with “scooping” the competition than with presenting accurate reports.

So where should we turn? Why, the Internet of course!

That’s not to say every site is unbiased. Far from it. Various PACs (Political Action Committees) run sites that present little more than their own biased view of a given topic. Trusting a PAC site, whether it’s MoveOn or the PNAC group, are just pushing their own agenda. Asking one of these groups for unbiased information is like asking Philip Morris whether cigarettes are dangerous.

However, it’s also not that hard to find independent sites that present both sides of a given argument. One of the best is probably FactCheck.org, which analyzes political claims and presents the reality behind the hype. You can also check up on what Congress is doing at FedSpending.org, which monitors what all those folk are up to and how they’re using your hard-earned tax dollars.

For even more Congressional information, check OpenCongress.org. It keeps track of the progress of bills through the various houses and reports on voting, committees, and other events.

If you’re an election watcher like me, a site like PolitiFact might tickle your fancy. It rates various claims on its patented “Truth-o-Meter” and provides graphic detail about who’s fibbing and who isn’t. It also tracks claims made by outside organizations, which is very handy. Needless to say,the gauge swings wildly depending on which organization is involved!

Campaign finance information can be found at the fabled OpenSecrets.org site, where Congressional spending habits and other data are maintained. Here you can also find out who’s getting money from whom, how much they make, what their tax forms look like, and other interesting things.

Be informed. Find your own information, learn what’s going on in the political world, and make rational decisions based on that information. The Internet isn’t perfect by any means, but it puts a lot of good data at your fingertips.

Associated Press is reporting a recent incident involving a badly executed case of automatic web document tagging that caused considerable embarrassment for Yahoo. What happened is that the phrase “underage girls” was accidentally tagged as a term by Yahoo’s much-ballyhooed “Shortcuts” application. It guided users to photos of scantily clad and potentially under 18 women, causing justifiable consternation across the Net.

The problem is the practice of “automatic tagging” of documents, which has become popular due to the massive volume of content that’s added to various sites every day. These tagging engines “leverage a combination of algorithmic and editorial processes to identify current, relevant and popular terms,” then tag these terms in newly added documents.

The term “underage girls” has since been added to Yahoo’s list of “phrases we should never, ever use when tagging documents,” but the incident shows how out of control this could be in the wrong hands. Since tagging is based on “relevant and popular terms,” how hard would it be for some hacker to design a method to artificially boost some popular phrase?

The other hard question is how the phrase “underage girls” made it into the list of popular terms in the first place. These things are based on frequency of search queries on Yahoo itself…which probably means a lot of users are typing in this phrase. Is it really true that the Internet’s biggest audience is surfing for online porn? And illicit porn at that? I doubt it, but there are certainly hard core groups who could artificially inflate the relative importance of a given phrase.

This is the problem with automating data management. Exceptions to rules or other unintended consequences (in programming we generally call them “side effects”) can be hard to predict. Sometimes you just can’t plan for all possible cases, which means we’ll probably see even more embarrassing gaffes like this one over time. What will the next one be?

Many of us are concerned about privacy on the Internet, and are often justifiably worried about who might be snooping into our web histories. Thus I was intrigued when I discovered XeroBank, which purports to be a privacy protection system that totally anonymizes your activity.

According to their site, XeroBank “protects your identity, internet connection, files, and emails from eavesdropping, theft, and loss.” They provide data storage, encryption, and access to their “onion” networks located in Canada and the Netherlands. The “onion” (which may be a form of Tor network, but I don’t know the details) is a means of creating anonymous channels on the Internet to prevent traffic from being traced.

The software can be installed on a USB drive, so you can access your account via any online computer. Also, your account is Swiss-bank style anonymous, with payments through Dalpay in Iceland, so not even Xerobank knows who you are. This means you can walk into any Internet cafe and surf without worrying whether their security is sufficient to cover your tracks from snoopers and identity thieves. It sounds ideal for traveling users.

Effectively all your traffic — email and whatever else — goes through XeroBank’s network. “With XeroBank, your computer talks directly to our network in an unbreakable secret code. We then speak to the internet on your behalf, so nobody knows your identity.”

Could this be misused by real thieves, terrorists, or other evildoers? Sure it could, but so could any other technology that’s out there. Thieves also use cell phones, laptops, and other high tech gear. For some reason many people (including various governments) assume that anyone who’s trying to hide their tracks is up to no good. That’s a ridiculous attitude. Some people just don’t like having prying eyes searching through their browsing history or reading their email.

I own a shredder. It doesn’t mean I’m doing Watergate-style document shredding or hiding something illegal. I just want to keep people away from my personal information and financial data. It’s a good idea for so many reasons (most of them measured in dollars).

If you’re worried about Internet privacy, you might want to consider a system like XeroBank.

Recently I’ve decided I’m tired of commercial search engines. I know too much about the ways they manipulate results; the guys who pay them lots of cash appear at the top of the result set. What you get isn’t necessarily the best match for your search terms. Results are also manipulated by page authors, who use SEO (”search engine optimization”) techniques to skew results in favor of their pages. In other words, search engines are no longer the honest information brokers they once were.

Thus, I’m looking for other ways to find information on the Net. So far I haven’t located a magic bullet (I may end up writing one), but I did encounter a commercial product called Subject Search Spider (SSSpider). For $49, you get a product that completely bypasses the biased commercial search engines. Instead, it connects to other sites that run web crawlers of their own and retrieves results based your exact search terms. I like the sound of this.

According to the developers, the results you get from this product include “no adverts or ’sponsored links’, no irrelevant information, high performance and accuracy of search results which go down to the quotation level.” Now, I really like the sound of “no sponsored links” since, in my opinion, they’re the bane of commercial search engines. Sponsorship basically breaks down to “we don’t care if we’re relevant to what the user is searching for, we want our product displayed at the top of the result set.” It’s like having a salesperson in a book store try to sell you travel insurance…totally irrelevant to the reason you walked into the store in the first place.

Other nice features the product offers include Unicode and multi-language support, the ability to store favorite searches for later use, and what appears to be a pretty slick user interface. It’ll also search non-HTML documents like RTF, PDF, Excel, and Powerpoint. Most good search engines also handle these formats, as do many web crawlers themselves.

This appears to be a nice little product that should help users find what they’re after without sorting through loads of what is effectively junk. It’s the way search engines worked before they became overly commercialized.

If you’ve never heard of a “typo-squatter,” it’s a domain that was established solely for the purpose of catching users who mis-type the name of another domain. I happened across one several years back, when I mistyped a letter in “ebay” and ended up…well, somewhere I didn’t really intend. Just don’t try to guess.

These sites are problematic for a number of reasons. First and foremost, they’re often used to dispense spyware and other forms of malicious software. They can be dolled up to look like the “real” site, and some users won’t even suspect they’ve typed the wrong URL. You can imagine the consequences.

Second, they can be used for identity theft. The same rules apply. Someone mistypes the name of their bank, ends up on a typo-squatter site, and discloses their account information. Not a good situation overall, and I’ll bet incidents like these account for a fair number of ID theft problems.

Last (of the big three) there’s the problem of kids on the Web. If adults are bad spellers and typists, many kids are far worse. How hard would it be for someone to typo-squat on “barny.com” in the hope that kids looking for barney.com will stumble across it? What if the bogus site dispenses porn or some other inappropriate material? These are legitimate concerns.

Microsoft has a solution called Strider that’s designed to help intercept and avoid typos that will lead someone to an inappropriate site. It’s also supposed to help with the problem of 3rd-party redirection by an allegedly legitimate site to something the user didn’t intend.

And don’t feel bad about avoiding these sites, either. According to one source, the majority of typo-squatting sites are simply there to make money off syndicated advertising. They don’t sell anything real, and are just parked there to catch the unwary or spelling-deficient. “The typo domain makes its money from syndicated advertising such as Google’s AdSense program. The typo-squatter simply parks the domain and the only content on the site ends up being the ads served from a syndicated advertising program.”

Strider is a good idea. Hopefully it and programs like it will make some sort of dent in this problem.