Archive for July, 2007

Virtual Security?

Tuesday, July 31st, 2007

As if Internet users don’t have enough to worry about already, virtual worlds like Second Life have introduced yet another dimension into the world of privacy and security. If you haven’t experienced a virtual world yet, they involve the creation of an online identity generally known as an “avatar.” Once created, you use this identity to move through the world just as you would through the real one. Your avatar can interact with other inhabitants, hold chats in real time, manipulate objects within the world, and even hold a job or get married.

Money, of course, is a factor in these worlds. Linden Labs, owner of the Second Life universe, has set up “Linden Dollars” (generally known as “Lindens”) as its currency of preference. There’s even an online money exchange that allows you to buy and sell Lindens at a flexible rate (generally around US$1 for every 280-300 Lindens). It’s this linkage between the real and virtual worlds that mandates some level of concern, since anyone who’s a paid member of Second Life must provide Linden Labs with a credit or debit account against which to bill membership and money exchange fees (you can also open a free account, but this means you can’t own virtual land or participate in certain activities).

Scams abound, but Linden Labs deploys its own security force to keep tabs on problematic users who attempt to swindle others. One popular scam involves the creation of an in-world variant of the pyramid scheme. Swindlers place small objects in public locations; these are programmed to attempt to take money from unwary users who pick up or otherwise touch the objects (often the items are labeled “touch me to make money”). Users can report these incidents to the Linden security force, which will then take action against the offending inhabitant.

Some people are also making money in the real world via a Second Life business. It’s claimed several have made millions (that’s in US dollars) by buying and selling parcels of virtual land within the game. Others are opening shops online to advertise their real world businesses. I know one user who displays copies of her artwork at an online gallery, and allows customers to buy copies or even the original via a Second Life transaction. The real piece of art is then shipped to the buyer via traditional shipping methods. Art imitates life, so does virtual art imitate virtual life?

IBM, Dell Computer, Sears, and other large corporations are creating stores and meeting centers within Second Life and other virtual worlds in an attempt to capitalize on their popularity. You can view online representations of items, then be redirected to the company’s real Web store when you decide to purchase one. Some companies have invested millions (again, that’s in US dollars) in such a virtual presence.

Second Life isn’t “World of Warcraft,” where reality and fantasy are clearly delineated. It’s a concept that blurs the line between the two worlds; thus it’s also necessary to recognize that security is a concern. Like any online experience, you shouldn’t reveal any personally identifying information without being absolutely certain who might see it. Typing your phone number into an online chat might result in it being seen by thousands of people from all across the globe. You should never reveal your password to anyone, especially if they represent themselves as Linden Labs personnel - the terms of service clearly state they will never ask for this information. The same applies to credit card or banking information. It’s a virtual world, but thieves live there too. And they also exist outside the game.

Is RSS Infecting Your Machine?

Friday, July 27th, 2007

RSS and Atom are technologies that allow users to subscribe to update notifications on Web sites; when an update occurs, the subscriber is notified of the availability of new content. They’re handy tools that largely eliminate the need to repeatedly visit a given site in order to check for new articles or other changes. However, it’s now known that both protocols can also be used to deliver malware and viruses to user PCs, thus opening a new door in the war against hackers and data thieves. According to an article on ITSecurity, “feeds can also be used by hackers to surreptitiously transfer viruses, Trojan horses, worms and various other types of malware. That’s because feed suppliers often scoop up content automatically without giving thought to the code’s safety. As a result, data - both good and bad - is transferred directly to subscribers’ computers.”

The problem here is that many RSS based sites pull content from multiple sources, aggregating it into a single presentation for their users. This means that bad code, whether defective HTML or JavaScript, or a surreptitiously installed virus resident on one of the many feeder nodes, could be inadvertently pulled into the RSS distribution. Anyone who receives the feed could therefore receive the malware right along with it. And since virus scanners don’t monitor this avenue of attack, the malware can slip right through.

As the article notes, this isn’t a reason to abandon RSS and Atom; they’re good technologies, and are widely adopted because they work so well. However, the situation warrants a two-pronged approach involving both users and feed providers. The former (that’s you, probably) should make sure to install the latest browser updates or separate RSS/Atom readers. More developers are providing quarantine and other services to help ensure bad data isn’t delivered via their reader products, and newer releases are more likely to include such safeguards. For instance, IE7 and Vista are likely to catch defective content and consign it to the “restricted zone,” thus diminishing its potential impact on a given PC.

The other side of the coin is that sites providing RSS feeds need to take steps to ensure the safety and overall “cleanliness” of the data they’re pushing to subscribers. Rather than blindly accepting updates from outside sites, or even from their own internal content sources, they need to install scanners and filters that verify the accuracy and safety of the HTML and other code they’re about to publish to subscribers. This is apparently already happening, which is good news since a bad feed could potentially infect millions of machines in a matter of hours. This type of “push” technology (which also includes software management systems used by businesses to send software updates and new utilities to corporate PCs) can be fairly hazardous in this regard - unless the source is fully vetted and verified before being published, it’s possible to forcibly infect many machines in a very short period of time. Just imagine what would happen if an administrator accidentally pushed an infected application to every employee at a large company.
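Filtering of the kind the post asks feed providers to install, as an added example (not the article’s code and not any vendor’s product). It assumes an RSS 2.0 feed whose item descriptions carry HTML, uses only the Python standard library, and the sample feed is constructed:

```python
"""Sanitise aggregated RSS item HTML before republishing it to subscribers.

Added example; not code from the original post or from any feed product.
It assumes the provider republishes the HTML in upstream <description>
elements and applies an allow-list: a few harmless tags and attributes
survive, while script blocks, event-handler attributes and javascript:
URLs are dropped and logged so the provider can see what each source sent.
"""
import xml.etree.ElementTree as ET   # for untrusted feeds in production use defusedxml instead
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}                                   # never carry a closing tag
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a scheme
    # ("jav\tascript:"), so strip them before checking the prefix.
    v = "".join(ch for ch in value.strip().lower() if ch.isprintable() and not ch.isspace())
    return v.startswith(SAFE_SCHEMES) or v.startswith("/")


class _Sanitizer(HTMLParser):
    """Rebuilds an HTML fragment from scratch, keeping only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # > 0 while inside a dropped element such as <script>
        self.dropped = []        # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append("tag:" + tag)
            if tag in DROP_WITH_CONTENT:
                self.skip_depth = 1          # drop the element's contents as well
            return                           # other unknown tags: keep the text, lose the tag
        kept = []
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")   # catches every on* handler and style=
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"url:{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape so text cannot reopen markup


def sanitize_html(fragment: str):
    """Return (clean_fragment, dropped_items) for one HTML fragment."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def sanitize_feed(rss_xml: str):
    """Clean every <item> in an RSS 2.0 feed; returns (clean_xml, {item title: dropped items})."""
    root = ET.fromstring(rss_xml)
    report = {}
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        desc = item.find("description")
        if desc is not None and desc.text:
            desc.text, dropped = sanitize_html(desc.text)
            if dropped:
                report[title] = dropped
        link = item.find("link")
        if link is not None and link.text and not _safe_url(link.text):
            report.setdefault(title, []).append("url:link")
            link.text = ""
    return ET.tostring(root, encoding="unicode"), report


# Constructed sample feed: one clean item, one carrying the kind of content the post warns about.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Aggregated news</title>
<item><title>Clean story</title><link>http://example.com/a</link>
<description><![CDATA[<p>Plain <b>bold</b> text and <a href="http://example.com/more">a link</a>.</p>]]></description></item>
<item><title>Tainted story</title><link>http://example.com/b</link>
<description><![CDATA[<p onmouseover="alert(1)">Hi</p><script>location='http://example.com/x'</script><a href="jav&#x09;ascript:alert(1)">click</a><img src="http://example.com/i.png" onerror="alert(1)">]]></description></item>
</channel></rss>"""
```

Calling `sanitize_feed(SAMPLE_FEED)` leaves the clean item untouched and returns the tainted item as plain `<p>Hi</p><a>click</a><img src=...>`, with the removed script, handler and javascript: link listed in the report.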

Email Security

Thursday, July 26th, 2007

How many of you know that electronic mail is not an appropriate medium for the transmission of sensitive or personally identifying data? Please raise your hands.

It’s true. Currently, only a very small percentage of electronic mail is delivered in a secure manner, whether it’s sent across the Internet or within a corporate firewall. SMTP, the protocol used to deliver nearly all Internet mail, transmits in a basic, unencrypted ASCII format that allows it to be read during transmission by anyone with a packet sniffer, or who knows where to look on the receiving server. Even proprietary mail systems don’t use encryption by default, so mail sent within an organization is still exposed and readable by anyone who knows how to do so. In these cases, it’s most often the mail administrator who (often illegally and against corporate policy) is found to be reading other employees’ mail messages.

Another problem is that some companies take backups of their mail spool directories (the location where in-flight and undelivered mail is stored) for security and auditing purposes. Some companies actually flag in-transit messages for later review by security or audit personnel; this is legal because all data transmitted via corporate systems is the property of the corporation. What this also means is that all messages are available for later reading by anyone who can access the tape or other backup device, as Oliver North and other Federal officials discovered during the 1980s when their memos were brought into evidence during the Iran-Contra scandal. Other companies specifically refuse to back up the same directory tree because they don’t want to be held responsible for maintaining copies of old corporate messages.

In the case of ISPs, it’s generally a catch-as-catch-can situation. Any mail administrator at any ISP could theoretically read mail traversing his or her servers. This is a clear privacy violation, but I suspect it happens more frequently than most users, not to mention ISPs, would like to guess.

What it all boils down to is: don’t send anything via email that you wouldn’t want someone other than the recipient to read. This means avoiding personally sensitive data such as Social Security and other non-public ID numbers, credit card and bank account data, medical information, access codes, passwords, and lots of other information. If someone ever asks you to mail them your password, refuse. If someone alleging to be a representative of a company with whom you’re doing business asks for your credit card number and expiration date via mail, say no. Insist on the use of a more secure transmission method, such as an SSL (Secure Sockets Layer) browser form or even the telephone.
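A gateway-side check for the kinds of data the post says never to send by email, as an added example that is not part of the original post. The outbound-mail hook, the SSN and Luhn rules and the masking format are assumptions, and the sample message is constructed with the standard library so the base64 transfer encoding is real:

```python
"""Outbound-mail check for the data the post says never to send by e-mail.

Added example, not code from the original post. It assumes a mail gateway
can hand each outgoing message to a filter before delivery; the filter walks
the MIME parts with the standard library (decoding base64 or quoted-printable
bodies first), then flags Social Security numbers, Luhn-valid card numbers
and password hand-overs, reporting masked values only.
"""
import re
from email import message_from_string
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PASSWORD_RE = re.compile(r"\b(password|passwd|passphrase)\s*(?:is|:|=)\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; weeds out order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def text_parts(msg: Message):
    """Yield the decoded text of every text/plain and text/html body part."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)            # undoes the transfer encoding
        yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def scan_message(raw: str):
    """Return a list of (kind, masked_value) findings for one RFC 822 message."""
    findings = []
    for text in text_parts(message_from_string(raw)):
        for m in SSN_RE.finditer(text):
            findings.append(("ssn", "***-**-" + m.group()[-4:]))
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
        for m in PASSWORD_RE.finditer(text):
            findings.append(("password", m.group(1)))        # keyword only, never the secret
    return findings


def build_sample_message() -> str:
    """Constructed multipart message; the HTML part travels base64-encoded on the wire."""
    msg = MIMEMultipart("alternative")
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "billing@example.net", "account details"
    plain = ("Hi, my SSN is 123-45-6789 and my card is 4111 1111 1111 1111.\n"
             "Order number 1234 5678 9012 3456 is unrelated. Password: s3cret!\n")
    msg.attach(MIMEText(plain, "plain"))
    msg.attach(MIMEText("<p>card 4111111111111111</p>", "html", "utf-8"))   # utf-8 => base64 CTE
    return msg.as_string()
```

`scan_message(build_sample_message())` reports the SSN, the card number from both the plain and the base64 HTML part, and the password hand-over, while the 16-digit order number fails the Luhn check and is left alone.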

A more secure transmission channel for email is available via the use of available encryption technologies, but only a small percentage of Internet mail is transmitted while in an encrypted format. We’ll discuss encryption methods in more detail tomorrow.

Overclocking

Wednesday, July 25th, 2007

For years, PC geeks and gamers of all types have played with CPU clock settings in the hope of teasing extra performance out of their machines. This practice, known as “overclocking,” is also a fast way to void the warranty on a machine and it’s not generally supported by manufacturers. If you return a dead machine under warranty, and it’s determined that it failed due to overclocking, the warranty won’t be honored (this also holds true for bare processors purchased through the parts market). The main problem is that the CPU’s clock rating is based on its heat dissipation capabilities; if you overclock, the CPU emits more heat and can literally cook itself pretty quickly. Most people who play with this tweak make use of high velocity CPU fans, special thermal transfer material to speed heat dissipation, and even liquid cooling systems that have become popular in the last few years.

I once read an article by some guys who overclocked a 66 MHz Pentium I machine to something approaching 250 MHz before it finally died from overheating. During their final tests they had the motherboard in a freezer, surrounded by chilled bottles of alcohol. This incident shows the lengths to which some aficionados of the practice will go to test the limits.

The lack of manufacturer support for overclocking made a recent PC World article all the more startling, since it revealed that Dell and some other companies are now selling factory overclocked machines targeted at the gamer market. Testing showed they ran at up to a 6.5% faster rate than non-overclocked machines, which is a respectable performance gain if you’re trying to tease out a bit of extra speed. Some games, especially high-end ones, put more stress on a system than nearly any other application (pure graphics rendering is probably even more stressful). Even a small performance boost can make a previously unplayable game much more enjoyable. As I’ve discussed in earlier articles, CPU speed isn’t the only measure of performance in terms of game play (memory, disk speed, and video card capabilities are also big factors) but every little bit helps.

These machines aren’t cheap: even the least expensive tested for this article weighed in at $3399. Given that you can now buy a decent desktop box for $500-750, gaming machines sell at premium prices. What they offer is the best possible combination of overall performance, upgradeability, and storage. The better machines include high end ventilation systems (necessary to ensure heat is extracted from the case as efficiently as possible) as well as extra drive bays and beefy power supplies. And, of course, most gaming PCs also offer internal lighting systems that bathe components in red, blue, or white light. I’ve never figured out the cachet of lighting systems, but many users really seem to enjoy them. If you’ve just spent $3000 or more on a PC in order to play games, I suppose you should expect something flashy. A gold plated case might be a nice touch.

Fame and Fortune On the Web

Tuesday, July 24th, 2007

While it’s somewhat far afield from our standard set of topics, I happened across an article today that proves how important and all-encompassing the Internet has become as a vehicle for entrepreneurs and other ambitious individuals. We’ve all heard about success stories involving people with some technical skill and a penchant for innovation, like the Finnish Star Trek enthusiasts who wrote, developed, and produced a full-length feature film with near studio quality animation sequences. All the graphics and rendering work was done on their own PCs, with stunning results that gathered worldwide attention. Then there were the Spiridellis brothers, who founded JibJab and attracted everyone’s attention with their online parodies and cartoons.

The latest story involves a voice-over artist who, upon moving to Los Angeles, was unable to find enough work to make a living. In desperation, he adapted some old 1980s “He-Man” cartoons to produce mashups featuring his voice talents. He then uploaded these to YouTube [just search for "The Skeletor Show" - you know you want to] and waited. They caught fire, and as a result he was offered numerous contracts. For at least the time being, he’s making a tidy living because of the Web. The article notes that the Internet is quickly becoming the place to be for people who desire fame, whether fleeting or long term. “It is easier than ever to get discovered. Web sites trying to develop into entertainment hubs are hungry for people to write, shoot or star in new content, so its representatives scan for talent in the piles of homemade videos on MySpace, YouTube, Revver and personal blogs.” So would a modern-day Marilyn Monroe need to sit down at a soda fountain at exactly the right time in order to be discovered, or could she simply post some videos on YouTube and wait for offers to roll in?

On a more serious note, it’s been noted that the current crop of presidential candidates are making a concerted effort to use the Web as an integral part of their campaign efforts. Not only did several candidates announce their candidacies online first, but their overall Web presence has become a major factor in the early portions of the race. A recent debate featured questions posed via YouTube, and was an effort to move away from the heavily scripted, rehearsed format of more traditional exchanges. Candidates have also established presences in Second Life. The virtual campaign headquarters for Obama, Clinton, and other contenders feature virtual stickers and T-shirts that supporters can wear and distribute, as well as appeals for campaign contributions and volunteer work. While the Howard Dean campaign in 2004 used flash mobs and loosely organized groups of technically competent enthusiasts, the upcoming presidential race will make a concerted, professional use of online resources to reach voters who might otherwise be unaware of various events.

The Internet is transforming our lives on a daily basis. We work, conduct business, meet friends and family, book vacations, and look for work using online resources. Reality TV shows use the ‘Net to allow viewers to cast votes for their favorite candidates, and at some point we’ll probably be able to vote in real elections online as well. No longer is it necessary to establish a massive, bricks and mortar presence or fly to a major city in order to be noticed. The Web is the great leveler, and provides the potential for anyone to have at least fifteen minutes of fame.

Free is Good

Monday, July 23rd, 2007

I still encounter people who are of the opinion that free software must either be spyware, a corporate plot to hook users before insisting on payment, or (the funniest response) total junk. I’ve heard people say, verbatim, “if it’s free, it can’t be any good.”

Nothing could be further from the truth. While some free software is pretty pathetic, and probably an attempt by a novice developer to score a major reputation by releasing an old-school project, a large percentage is actually of excellent quality and very reliable. Remember that Linux is free, and was initially developed by Linus Torvalds and others with no corporate backing and no formal planning. Much of UNIX was developed by people who contributed their efforts to the overall OS. This process continues today, and many Windows developers also release excellent free applications.

You can find free software all over the Internet, but some repositories are more reliable and safer than others. For instance, CNET maintains an excellent site (now happily renamed back to its original moniker of www.download.com after several changes between the late 1990s and today) that’s chock full of applications ranging from system utilities to media and graphics goodies. There’s also Sourceforge, where you can find cutting edge applications as well as highly respected and well known free tools. You can also find free and trial versions of commercial software at sites such as these.

In another vein, PC World just published its list of 20 Fantastic Open Source Downloads, which discusses and rates each one while providing a link to its home page.

The nice thing is that official sites like CNET’s pre-test and screen new products to make sure they contain no malware and are sufficiently reliable before permitting users to download them. This makes the products found at these sites much safer than something you might find on a no-name Web server where a developer is advertising the “next killer application” for free. Given the propensity for today’s hackers and scam artists to use free downloads as spyware vectors, you need to be careful about what you install. Don’t blindly grab free utilities from any old site.

Many people ask why anyone would spend time and considerable labor to develop a great piece of code, only to offer it for free. The thing is, this is how many great applications have been developed in the past and it’s not uncommon for good developers to create new products simply because they’re passionate about what they do. I used to write and release lots of system utilities for the VAX/VMS operating system, because I knew other people who did the same thing. We shared our work, we helped each other isolate bugs and improve our code, and everyone benefited from the practice.

The short answer to the conundrum of free software is this: many people are motivated by intangible rewards, and aren’t concerned with being paid for everything they create. If you look around the ‘Net, you’ll also find sites filled with information on everything from automotive history to zoology. Many were created, and are maintained by, enthusiasts who receive no salary or other compensation for their efforts. Why, then, should it be so surprising that people also write software and give it away for free?

Confessions of A Spam King

Friday, July 20th, 2007

If you’ve always wondered why anyone would make a career from sending spam, you need only look at the life of a self-confessed “spam king” who recently retired after a half dozen years, citing an inability to “get a life” because of the type of work he did.

The individual, known as “SpammerX” though his real first name may be Ed, dropped out of school at age 17 and started sending spam for companies advertising the usual range of products one finds in such messages (everything from prescription drugs to sexual aids). Using a range of fake, disposable domain names and lists of email addresses purchased from who knows where, he started offering his services and soon found a lucrative market. According to an interview published by Infoworld, he “would ‘rent’ time on those computers from another group of hackers that specialized in creating botnets.”

“Ed’s” income was derived from clicks generated by the emails he sent, which included the typical links or images that are designed to entice users to visit the site of the retailer for whom he was advertising. He was able to see which email addresses were generating clicks by visiting a merchant site that provided appropriate statistics, and became troubled when “he noticed that the same people were buying different drugs each month. ‘These were addicts,’ he said.” But it’s hard to sympathize with his sudden realization when he also admitted that “He sent spam to recovering gambling addicts enticing them to gambling Web sites. He used e-mail addresses of people known to have bought antianxiety medication or antidepressants and targeted them with pharmaceutical spam.”

The spammer was paid via PayPal, E-Gold, or other online accounts and, by his own admission, made $480,000 during his last year in operation. He said that on occasion he’d see profits of $10,000-15,000 per week (yes, that’s “week”) and often withdrew money from his accounts in order to store stacks of $20 bills in boxes at his home. He’s now published a book on his activities, which is of interest to law enforcement officials who are trying to find ways to stop spam.

You only have to look at the profits derived by this individual if you’re wondering why spam is still so popular, and is in fact growing in severity. I find it unsurprising that people apparently avail themselves of products advertised in this manner; far too many of our fellow citizens are indeed that gullible (or desperate, in the case of drug addicts). It’s reprehensible that spammers intentionally target vulnerable groups, but in some ways it’s not all that different from any other form of targeted advertising. However the biggest problem, as verified by the spammer himself, is that “‘the product is always counterfeit to some degree. If you’re lucky, sometimes it’s a diluted version of the real thing,’ he said. Viagra is cut with amphetamines, and homemade pills are common from sketchy labs in countries such as China, India, and Fiji.”

Shady advertising practices, botnets, and defective products. Such is the nature of the underground online marketplace.

A New Phase in the War

Thursday, July 19th, 2007

Yesterday, a new hack hit several corporate and government users in an attempt to steal private data, as reported on Yahoo’s technology news site. The methodology and overall strategy used by the infiltrators involved e-mail containing links to infected Web sites which then attempted to install malware on employee PCs within selected organizations. The bait: “seducing employees with fake job-listings on advertisements and e-mail” according to the article. This strategy fits well with the latest hacking techniques, which blend social engineering (enticing people with job listings in this case) with extremely subtle technical attacks that make use of the tendency for users to log in as Administrators while performing normal work.

Probably the most frightening aspect of this incident is that the malware wasn’t flagged by security scanners and anti-spyware software; instead it was able to slip past the defenses set up by all these organizations. This is worrisome, because it shows that botnet operators and other thieves have yet again increased the sophistication of their attacks. If such sophistication is becoming commonplace, security firms will have a difficult time keeping up with new attack vectors. It may take much longer for certain malware infestations to become apparent, and the chance of serious data loss due to theft increases the longer such software goes undetected and remains installed on infected PCs.

One problem noted in the Yahoo article is that some companies still take a loose stance regarding programs that are permitted to run inside their networks. Rather than allowing only an explicit list of known, safe applications to run on managed PCs, these companies instead attempt to exclude only those already known to be malicious. This is an effort to strike a balance between usability and security, but it may lean too far toward usability. The problem is that it’s nearly impossible to keep up with the list of illicit programs since more appear each day; it’s far easier and safer to generate a finite list of known, trusted programs. An analogy in the real world might involve access to a secure building. Which is safer: excluding people who are known to have criminal records, or permitting access only to a list of those whose credentials have already been screened and verified? The answer is obvious. The problem is that the latter is more of a management nightmare for I.T. departments, so looser controls are far more common.

Another comment in this article worries me even more. It’s that “hackers use security tools to help them determine whether their malware will be able to get past corporate and government defenses. For example, a Web site called virustotal.com lets users upload files to see if they are safe. Hackers use it to see if their malware will make it past security systems.” This probably means the hackers are also running McAfee, Symantec, ZoneAlarm, and other detection systems on their development networks in order to check new virus and malware applications against the most common security suites, and that they’re aware of any weaknesses inherent in all these packages. This is yet another reason to use layered defenses when setting up your security architecture: if one defense doesn’t catch the malware, another one might.

Microsoft’s DRM Nightmare

Wednesday, July 18th, 2007

For the second time in at least a year, someone has managed to crack Microsoft’s Digital Rights Management (DRM) encoding under Media Player. The crack, announced on several news services as well as the Doom9 Web site, allows users to strip the rights management bits from media files managed by Microsoft’s DRM scheme. This applies also to the Zune portable device (their answer to the iPod), so right now it appears much of this content is free for the taking.

This isn’t surprising, since users have long despised DRM as an overly restrictive paradigm forced upon the market by music companies desperate to control the distribution of music and video. The funny thing about it is that, while the Internet has exacerbated the problem by making copying much simpler and more efficient than ever before, the problem of alleged piracy has existed since portable recording devices became available to the masses. People have long recorded songs and other programming directly from the radio (companies even sold combination tuner/amplifier/tape recorder devices specifically configured to permit such recording). After cassette tape players became common, the creation of “mixed tapes” composed of favorite songs by various artists became a popular pastime. The advent of the VCR meant we could also record and store programming for later viewing and archival purposes.

Such practices were winked at by the legal system, not to mention the music companies, as long as recording was conducted for the explicit purpose of personal use. Indeed, “fair use” laws stated this was perfectly legal. However, if you started selling copies of recorded music or TV programming (AKA “bootleg copies”) then you could be fined and jailed.

Then CD recorders arrived, along with the MP3 format and the Internet. Suddenly, it became possible to store and record high quality copies of songs and, eventually, video. File sharing services like the original Napster became massively popular, and music companies saw their revenues decline steeply. The correlation between the two phenomena is still debatable and highly circumstantial, somewhat like the mythical link between rain and washing your car. It may well be true that file sharing services damaged the bottom line of RIAA member companies who cried foul. It may also simply be the case that musical tastes were changing, or that more users became enamored of independent bands than of mass-marketed commercial groups. In any case, DRM became the clarion call of companies demanding the re-establishment of their profit margins.

And after the pain, the lawsuits, and the massive amount of software development that accompanied the creation of DRM, it may be on its way to the scrap heap. An article on Yahoo’s site notes that “the music industry has in any case been slowly moving away from the use of DRM, which many users see as overly restrictive. In April, Apple - proprietor of the iTunes music store - and EMI announced that they would henceforth be making music tracks available without copy protection, for a price.” This crack, along with the Sony rootkit faux pas of 2006 (in which hidden DRM software played havoc with users’ computers, causing massive damage in some cases), may be the death knell for the DRM scheme. Apple, iTunes, and other services have shown that users are perfectly willing to pay for downloadable music. With luck, the RIAA and other groups have seen the writing on the wall and will consign DRM to the dustbin, along with DivX and other ill-conceived protection schemes.

The Vista Report

Tuesday, July 17th, 2007

Now that six months have elapsed since Microsoft Vista’s initial release, pundits and reviewers are offering “report cards” regarding its acceptance rate, stability, and overall performance. One such report was highlighted in an article on Yahoo; the basic conclusion at this point is that the OS is relatively successful, but with lots of caveats.

The biggest problem, apparently, is that Vista changed many prior Windows behaviors and device interfaces. As a result, many people with older peripherals (everything from printers to scanners and modems) are out of luck. Their old drivers won’t work under Vista, and some companies are opting to abandon these old devices rather than issuing new driver releases that’ll correct Vista-related problems. At least one tech-savvy early adopter circumvented this problem by running a copy of XP in a VMware virtual machine. Another abandoned Vista altogether and “upgraded” back to XP.

Another major complaint involves the UAC, or user account control. Some users grew tired of the UAC’s constant barrage of warnings, so they disabled it only to find Vista now offered a new barrage of warnings about the hazard of disabling the UAC. It’s this type of overly intrusive “nanny” behavior that turns users off to new features.

Sales of the new OS have been steady, but aren’t meeting the levels set by prior releases such as Windows 98. Some reviewers think this is due to a combination of low enthusiasm (because no other major technical event accompanied the release) and consumer wariness over the hazards of immediately adopting what’s essentially a major new OS. Vista “interacts differently with programs and peripherals than previous versions of Windows” and thus it’s a more hazardous upgrade than, say, the change from Windows 2000 to XP. Major companies can’t afford to spend time installing a new OS only to find it’s incompatible with major portions of their installed application and hardware base, so they’re watching and waiting. An old rule in I.T. management states that “point 0” releases, like 2.0, 3.0 and so forth, are inherently less stable since they involve major new components and options. Many I.T. managers automatically ignore such releases, and wait for the first “minor” or “point 1” version to appear before rolling the new application or OS into their upgrade schedule.

Another factor in the slow adoption rate may involve the cyclical nature of major I.T. hardware purchases. Many companies choose to buy new machines in bulk in order to receive lower pricing while installing a crop of identical machines throughout their enterprise. Commonality of hardware translates to lower total cost of ownership since fewer hardware variants make management simpler. It’s possible Vista’s introduction occurred during the low end of a purchasing cycle, though I’ve no data to support this.

Eventually, Microsoft will release a service pack that’ll address the more serious issues, and new hardware purchases will include pre-installed copies of Vista. Adoption will pick up as a result, and eventually more of the installed XP base will move to Vista. As an alternative, more users may choose to adopt Linux instead. Software vendors are offering more applications for this UNIX variant, which is making it more appealing to both home and business users. I hope to make XP the last version of Windows I own, in fact. More users may adopt similar plans, but only time will tell.