Companies that sell antivirus or anti-spyware packages often sound like they’re using scare tactics to sell their wares. Selling based on fear is a common tactic, i.e. “buy a Foo Corp home alarm system or your family will be massacred!” This tactic is used to boost sales in many product lines. Thing is, it’s not always unwarranted fear. People do break into houses, residents are occasionally murdered in their beds (though not nearly as often as alarm companies want you to believe), and, yes, antivirus software does help keep the bad guys out.

Maybe no example of the need for such software is as clear as a recent one involving a family accused of peddling child porn via their PC. The one I’m referring to “involved Michael Fiola, a former investigator with the Massachusetts agency that oversees workers’ compensation. In 2007, Fiola’s bosses became suspicious after the Internet bill for his state-issued laptop showed that he used 4 1/2 times more data than his colleagues. A technician found child porn in the PC folder that stores images viewed online.”

Needless to say, Fiola was fired and prosecuted for these perceived offenses. He and his wife spent their life savings — about $250,000 — defending themselves against the charges. Eventually they had the system inspected by a computer forensics specialist. The scan “revealed the laptop was severely infected. It was programmed to visit as many as 40 child porn sites per minute — an inhuman feat. While Fiola and his wife were out to dinner one night, someone logged on to the computer and porn flowed in for an hour and a half.” [italics mine]

After a long fight, and using the forensics report as evidence, Fiola was finally exonerated. But the money is gone, along with his and his wife’s health. What’s worse is that “about 20 million of the estimated 1 billion Internet-connected PCs worldwide are infected with viruses that could give hackers full control, according to security software maker F-Secure Corp.”

Is your PC on that list? Could you suddenly find yourself at the receiving end of legal action? If you’re at all worried about this, and you should be, go buy (and maintain!) a good antivirus/anti-spyware/firewall package for your machines.

One of the big advantages of the Internet as a whole is that, to some degree, it puts the sum total of human knowledge at anyone’s fingertips. Rather than sifting through masses of paper and dusty books, you can run a search query from the right archive and probably will find what you want in short order.

I’m reminded of the Harvard professor who used to hand the same assignment to his freshman students every year. He knew which references they’d require, where they’d to look, and how long it should take to complete the work. The exercise was designed to teach them how to do research, use the libraries, and deal with source material.

In 1995 or so, he came to us and demanded that the university cut off student access to this “Internet” thing. Why? Because he’d given the assignment to his students again, and they’d finished it in a day. He was astounded, and asked how they’d done it. Guess what the answer was?

This said, there are dangers to having everything available only in digital form, like the big Google Books project. What if the scanned books include errors? What if certain “inconvenient” works (maybe controversial or little-known resources) aren’t made available? What happens if the main Google data center gets hit by an asteroid? Or, what if Google simply loses interest in the project sometime in the future? They’ve done it before, and could easily do so again.

Personally, I like books. Real, paper books. I hate reading long documents online, and usually print them out (the “paperless society” is a huge myth, incidentally). I like digging through huge libraries, since I never know what I’ll find next to the book I was looking at originally. Sure, this experience can be duplicated to some degree in a digital format. And yes, electronic documents make it easier for multiple people to read certain material simultaneously. But for me it’s just not the same.

Central data storage, whether of books, government documents, or medical records, is a good thing. But it shouldn’t be the only option. Decentralization means less disruption in cases of a major data center outage or other disaster. And keeping all ones’ eggs, or books, in a single basket is just asking for trouble.

The subject of Net Neutrality has been discuss among both lawmakers and technophiles over the last few years. If you’ve been living under a rock, the basic idea is this: ISPs should not be allowed to use “biasing” or other means to manipulate, block, or otherwise affect user traffic. Under the strict definition of “neutrality,” an ISP would not be permitted to, for instance, provide slower service to customers when they request a URL from a company with which the ISP didn’t have a special agreement.

If you think this sort of thing doesn’t happen, just look at search results from various online phone directories. Look up “auto repair” or some other service in your town. You’ll probably see certain businesses (those that have paid the directory service) show up first, while others are pushed to the bottom of the list if they appear at all. Some ISPs want to apply the same sort of rules to overall user network traffic. If Net Neutrality becomes a reality, they’ll be prohibited from engaging in these practices.

Happily, it seems the FCC might actually be ready to act. In a speech this week, the chairman proposed two new rules that would help ensure ISPs can’t bias traffic unfairly. Under the proposed rules, “carriers should not be allowed to favor certain types of content or applications over others and that they could not degrade traffic of Internet companies that offer services similar to those of the carriers.”

This is good news for users. The Internet was founded on the principle that information should be available equally to everyone. Today’s advertisers already push that envelope by offering location-based ads, biasing in favor of certain companies, and search-engine manipulation techniques that push certain results to the top of result lists. But advertisers aren’t common carriers — ISPs (and telecommunications companies in general) are. Common carriers aren’t supposed to examine, manipulate, or block traffic. ISPs demanded this status in the ’90s to protect them from being subpoenaed for aiding and abetting criminals who might use their services. They shouldn’t be allowed to change the rules now in order to improve their bottom line.

I usually like John Dvorak’s articles on PC Magazine. He’s been around the industry for years and is generally very level-headed. But recently he let loose a very odd commentary in which he said the idea of Net Neutrality (i.e. the concept that ISPs should not be able to “bias” access to one portion of the net or another, based on preferencing and other tricks) is “crap.” I can’t disagree more with this one, though I sort of understand where he’s coming from.

On several occasions in the past, various ISPs have either planned or tried to implement schemes in which they attempted to control, or at least manipulate, how users accessed various online resources. As John says, Net Neutrality “became a concern when a CEO of an ISP began to make noise about Google screwing his company over somehow, and how his company might have to charge Google to even come on the network. The fact is, this guy, who will remain nameless, was an idiot. OK?” But those scenarios are very plausible, and I think they’re predictable, unless Federal rules are established to prohibit them.

Think of it this way: let’s say you’re a Comcast customer, and you try to visit Google’s site…but maybe Comcast doesn’t have an agreement with Google, so your request gets routed to a different search engine altogether. Or you try to visit Amazon.com, only to find your requests being handled very slowly because Amazon hasn’t paid your ISP for “preferred” access to their network. Given the way telecommunications companies are trying to squeeze pennies out of consumers, I think it’s only a matter of time before someone tries this.

John seems to think it won’t happen, or that consumers will vote with their feet by moving to other ISPs who have “fair” access algorithms (this despite the fact that, in many areas today, consumers have no choice but to use one local provider).

He also throws out some serious straw man arguments by asking whether Net Neutrality is “really more important than the pressing issues of poor rural Internet access, DNS attacks, spam, bots, snooping, and virus writers?” I’m sorry, but those topics have nothing to do with fair network access or limiting ISPs from making “most favored nation” style treaties with various online retailers or other sites.

Net Neutrality may be a somewhat ill-defined concept at present, but that doesn’t mean it’s unimportant or a “crap” issue. And John should know better.

Microsoft has been barraging the market with ads for its new “Bing” search service. As anyone who hasn’t been living under a rock probably knows, Redmond is trying to steal thunder from Google and Yahoo in the lucrative search market.

As such, they’re billing Bing as a “decision engine” that can, among other things, help you figure out when the best time is to buy plane tickets and find the best deals on various other retail products. But after all that hype, not to mention millions in development and promotional costs, they’ve gained less than 1 percent in the marketplace. Was that gain worth the cost?

The other big question is how long the increase will last. In politics, candidates can expect what’s known as a “post-convention bounce” following their party’s national convention — their approval and expected-vote numbers jump a few percent. This is mainly due to all the convention hype, media coverage, and other hullabaloo. Is Bing’s .9 percent rise a similar phenomenon? Is it solely due to the media barrage and users testing the waters to see if they like the product? Or will it translate into real, long term gains? We’ll find out in a few months, once more people try it out.

Hype is a fine thing, and can help get any new venture off the ground. The real test comes when the hype wears off, the advertising budget shrinks, and customers get a serious taste of the product. Some people show up just for the novelty of the experience or product. Others, who are far more important from a business standpoint, actually decide they like it and come back for repeat business.

The proof in Bing’s pudding is whether those repeat customers start coming back. If they do, Google and Yahoo will lose some market share (along with other, small search engines like Ask). If not…if the numbers drop back to their pre-Bing level over time, then the service is yet another bust for Redmond. I expect we’ll know for certain by the end of 2009. If it fails, expect yet another offering with a different spin in a year or two. This market is too important to Microsoft…they won’t just walk away.

Data breaches, a term few people had ever heard of before half a decade ago, are now fairly common. Over the years we’ve seen numerous news stories, many of which read like a Who’s Who list of major retail companies. TJX, Marshalls, several large grocery chains, and others have been the subject of data breaches that compromised millions of credit card numbers.

Now it turns out that allegedly, many of these were orchestrated by one guy in the States, with the cooperation of two unnamed Russians whose whereabouts are unknown. Over about a three year period, this three-man mob is alleged to have hijacked numerous large sites through various means. They are said to have cased the systems by exploring websites, after which they exploited vulnerabilities in order to grab credit card data.

Then they sold this data to users all over the world, who then made fraudulent purchases. This is massive, and it’s unbelievable that all these incidents were perpetrated by such a small group. In the past, a “heist” of this magnitude would usually require a large gang. Now it’s just a matter of a couple of guys sitting in Internet cafes or their homes, poking around until they find something worth compromising.

The worst of it is that so many major sites were open to apparently easy penetration. But I’m not surprised since I’ve seen some very badly designed sites, and I’m sure that behind some of those ultra-slick user interfaces there lurks horrendously insecure code that’s just waiting to be broken. Today, many corporations hire UI designers, not seasoned developers, and seem to use lots of automated source code generation systems when creating their websites. I doubt that many actually perform serious penetration testing, or hire vendors who care enough to include serious security in their software.

Companies generally want slick, well-received sites they can produce quickly and maintain easily. Sadly, design using this paradigm doesn’t always translate to good security. Hackers love it, though. 130 million compromised identities and $400 million in damages say it all.

Tweeting on the popular social networking site Twitter came to an unexpected halt on Thursday, when unknown hackers launched a massive DDoS (Distributed Denial of Service) attack that crippled the popular service for several hours. Facebook was also affected, but not as severely. Twitter’s rapid growth in popularity over the last year probably was a factor in the attack. On the Internet, visibility usually translates to vulnerability.

Details are still sketchy, but some suggest that the attack was launched from one of several well known, massive illegal botnets scattered around the globe. These are composed of millions of infected “zombie” PCs running botnet client software — and in most cases, the owners of these compromised machines are probably unaware they’re being used to conduct criminal activities. Some indications are that the attack was political in nature. According to an initial analysis, it “may have been related to the ongoing political conflict between Russia and Georgia.” The attack “started with hackers using a botnet to send a flurry of spam e-mail messages that contained links to pages on Twitter, Facebook and other sites written by a single pro-Abkhazia activist.”

The question is which side the hackers were on. As one researcher noted, “it’s hard to immediately tell whether it was a case of hackers trying to punish the sites for publishing views they disagree with, or if they were directing traffic to the sites out of sympathy for the activist’s message.”

While I’m not one to point fingers, I will suggest that anyone who found frustration in this event might want to consider their own possible role in it. Anyone who’s running an unpatched, unprotected system lacking current antivirus/anti-malware software and a decent firewall could be the not-so-proud owner of a zombie PC. Thus, your own machine may have been participating in the DDoS attack even as you were complaining about Twitter’s unavailability.

Patch your systems. Protect them properly. Spend the $50 for a decent malware detection tool and signature subscription. Otherwise, you might be helping take down the very sites you enjoy using. Think about it.

Finally, after a year or more of wrangling and corporate soul-searching, Yahoo and Microsoft have inked a deal. Given, it’s not a done deal yet since it has to pass government anti-trust scrutiny. But the final outcome, if it’s approved, will probably be a major change in the search landscape.

Search has been around since the early days of the Web. Once sites started proliferating, various people established “link lists” and published them on their own home pages. The lists grew. Other people started asking to be included, in order to increase the visibility of their own site (which, at that point, was probably little more than a personal page and maybe some research papers they’d written). Then it all mushroomed once someone wrote the first web crawler (spider). This is just software that starts at a given page, finds embedded links on that page, then follows them. It feeds its results into a database, and voila! the search engine was born.

Over the years, search companies have sometimes relied on outside vendors to manage their actual search function. This is due to the serious increase in volume and the number of sites that need indexing; it’s difficult, if not impossible, to index everything on the web by yourself. In fact Yahoo outsourced some of their work in this area to these geeky Google guys back in 2000, and to Inktomi later on. Lot of good either did them. Most people just moved off to Google and didn’t come back.

Now this latest deal will put Yahoo in Microsoft’s tender little hands in terms of search experience and management. It also puts most of Yahoo’s assets under Microsoft’s control. Redmond wants blood. Blood in the form of biting off a big hunk of Yahoo’s user base that might help it compete with Google in terms of market share. It might work. It really might. The problem is, Microsoft has never had a successful search product. Their online ventures have never really panned out all that well (witness Windows Live). They’re better in the traditional boxed software market space.

So, will the new alliance bring in more search users? Will the presence of Microsoft drive off die-hard Yahoo users (probably into Google’s arms), thus destroying the whole objective of the deal? Or will it actually work…can the new alliance offer some product that will both work properly and lure users away from Google? I doubt the latter will happen. Bing has some cool features, but Google has been doing this a long time and is probably already ahead of the Bing curve. If they’re not, give them six months. Tops.

One thing’s for sure. The game just changed, and might get exciting again for a while. Will we see Yahoo go belly-up after making a deal with the devil? Will Microsoft be driven from the market completely, in favor of any other search engine on the planet? Can their service even deliver at high volume, i.e. millions of searches per minute? Let’s wait and see.

Over the July 4th weekend, a major DDoS (Distributed Denial of Service) attack was launched against numerous US and South Korean government websites. In some cases, the attack was severe enough to take whole agencies (like the US Department of Transportation) offline completely. The size, complexity, and duration of the attack, which lasted for several days, indicates massive organization and a high level of planning.

Is this the first case of full-blown cyber warfare conducted by a government, or a well planned deception intended to lay blame on that government?

According to various news reports issued on July 8th, US and Korean officials are hinting that North Korea might be to blame for the attack. Apparently various IP addresses have been traced back to the North Korean address space, but such reports must be treated with caution since “while Internet addresses have been traced to North Korea, that does not necessarily mean the attack involved the Pyongyang government.”

As we all know, botnets and virus distribution centers can be run through a number of proxy addresses designed to hide a malefactor’s true location. A virus might look like it’s originating in Russia, but the malware’s authors and distributors may simply be hijacking machines far from their actual location in order to confuse authorities. Thus, the DDoS attack may have been launched by nearly anyone. It will take time to find out exactly where it originated, who launched it, and why.

In the meantime, government officials in both nations should take a serious look at security precautions in all affected agencies. If nothing else, this attack showed that security planning is spotty at best. Some agencies (the Pentagon, for example) barely noticed the attack, while the DoT was taken completely offline for several days — apparently due to a lack of planning and appropriate response measures.

It sounds like the US government needs a security ‘hit squad’ it can send to various agencies in order to measure their level of attack protection and response. These resources are too critical to everyday life to leave them unprotected, or managed by people who are unaware of the magnitude of threat present in today’s worldwide networks.

I knew a new release of Firefox was due on the virtual shelves sometime soon, but it came as a shock today when I ran across an announcement for version 3.5’s impending release. This is really good news, and initial reviews indicate it’s a worthwhile upgrade for several reasons.

First, there’s performance. The current claim is that 3.5 is “eight times faster at JavaScript performance than Firefox 3.0.” That’s critical, since JavaScript is the core of AJAX and other Web 2.0 features. The faster it runs, the better. Then there’s “integrated support for Ogg Theora video.” More internal support for various video formats translates to less need for external viewers, and a lower hassle factor when visiting various websites.

Many of the other new features are security related. One of the coolest is private browsing, which is already available in Chrome. Some may consider it a hassle because all cookies and other private data are discarded when you close a session, but that’s the price you pay for better privacy management. It’s also easier to leave your house, car, and desk unlocked…but it’s a whole lot less secure, too. This is also a bonus if you’re using Firefox on a public machine, since it (probably) means you don’t need to flush the cache and other data before logging off.

You can also tell 3.5 to “forget” any particular site on its history list. Very handy if you’ve a need to visit a site once and don’t want it showing up in the history list for weeks afterward…or if you’re banking from a work PC and don’t want your boss to see the visited URL.

Maybe the least useful new feature is the “location finder” that can, sometimes at least, pinpoint your location using your PC’s IP address and any nearby WiFi networks. It’s an interesting toy, but it can be inaccurate (one user reported that Firefox’s estimate of his location was off by 1000 miles) and is a possible security issue.

In all, Firefox 3.5 looks like a nice new release. Anything that boasts better performance and security is all right by me, especially if it’s a free product and Open Source. I’ll be downloading my copy soon.