Archive for March, 2008

Bizarre Image Spam Targets Epileptics

Monday, March 31st, 2008

In a truly odd and somewhat sick incident, the Epilepsy Foundation was forced to shut down its online forum last week after unknown hackers exploited some “lax” JavaScript code and installed flashing images that can cause seizures in some epileptics. Certain sequences of images flashed at a certain pace can trigger pain, headaches, and other effects in epilepsy sufferers. The attackers must have known this, but the motive behind the attack is unclear.

Whoever perpetrated this attack “used JavaScript to redirect people to another site that hosted the graphic” according to an article on SecurityFocus. There was apparently no effort or desire on the part of the attackers (or, more accurately, vandals) to compromise private data or install malware on users’ PCs. The sole purpose of the vandalism seems to have been the effect it had on epileptics who viewed the images.

What kind of person gets off on this type of malicious activity? It seems to be the type of puerile shenanigans that teenage boys might indulge in simply to establish street cred or geek points in hacker circles. This type of defacement falls into the same category as nuking a Web site in order to replace all the HTML with “hackers were here” banners. If the guys who did this weren’t hiding behind a PC monitor, they’d be out torturing a cat or burning the wings off flies. The word “sociopath” fits nicely.

While no one yet knows who was behind the defacement, it’s my sincere hope they’re caught and jailed for assault. That’s what this was, after all. If someone’s actions are performed with an intent to cause harm to others, it constitutes assault. The epileptics who viewed these images experienced seizures, headaches, and other symptoms. That’s bodily harm. It makes no difference whether the attacker wielded a knife or a PC keyboard; the result is the same. The punishment should match the crime.

Picking an OS

Thursday, March 27th, 2008

Today, users probably have a better selection of good operating systems to choose from than ever before. MacOS has a dedicated following, and is extremely user friendly. Windows is king of the hill in terms of overall market penetration and application availability. Ubuntu and other Linux derivatives are extremely cost effective and can run easily on nearly any available hardware (even older machines that won’t support any of the other options).

Thing is, many factors are involved when choosing an OS. It’s not just about price or features. The use that’ll be made of the machine is another factor that’s often overlooked. If you’re just planning to hit the Web and send mail, any OS will do. They all provide web browsers, can connect to any ISP via the standard TCP/IP suite, and have mail clients available to suit anyone’s taste.

Graphics people often gravitate toward the Mac, because it’s long been the darling of artists and designers. Many high-end photo-enhancement and other heavy graphics packages were available for the Mac before they were ported to Windows. If you’re a photographer, you’ve probably noticed that lots of high-end editing and photo manipulation software is available from B&H Photo Video, 47th Street Photo, and other retailers. There’s a reason for that.

Windows is, well, Windows. Everyone knows it, and most games are Windows based so it’s what gamers tend to use. You can find support anywhere, and software of nearly any type is available. Developers of Microsoft-centric software are, of course, forever enslaved to this OS. Visual Studio runs only on Windows. Things like C# and ASP were developed for Windows and probably will never be used elsewhere since free alternatives are available.

Linux is the rebel base for the disaffected users of the world who are tired of everyone else’s proprietary solution. Want free software? Linux is king, since thousands of applications can be downloaded and built for free on any Linux (or UNIX) environment. Many also work on Windows and Mac but got their start under UNIX. Linux, especially non-commercial distributions, is also wicked cheap or free (for that matter, a Red Hat 5 Workstation license is $80 including a year of online support). It might be a bit too geeky for some users, though this has improved dramatically in recent releases.

Pick your poison. In my experience, the OS that someone used first is probably the one they’ll favor over all others. That’s fine, but remember there’s more than one way to perform any task. One OS isn’t necessarily better than the other: it’s just more suited for a given application.

Comcast Backs Down

Thursday, March 27th, 2008

In a stunning reversal of earlier policies, Comcast announced today that it will stop “interfering” with users of file-sharing software by sending TCP/IP reset packets to throttle bandwidth consumption. The announcement came after they apparently held talks with representatives from BitTorrent (maker of a popular file-sharing application).

External pressure from other groups certainly had an effect. According to the article, “consumer and ‘Net Neutrality’ advocates have been equally vigorous in their attacks on the company, saying that by secretly blocking some connections between file-sharing computers, Comcast made itself a judge and gatekeeper for the Internet.” This also sets a precedent, since other providers have been experimenting with similar bandwidth-throttling techniques. I suspect, but obviously can’t prove, that Comcast received additional pressure from media companies that were worried about the effect of throttling on their own business models.

BitTorrent spokesmen agreed that “service providers have to manage their networks somehow, especially during peak times.” If they didn’t, parts of the Internet would slow to a crawl. Discriminating against file-sharing and streaming video users was the wrong way to go about this task. If consumption in a given area requires throttling of some type, it should affect all types of traffic and all users equally.

In fact, most underlying (on the wire) network protocols do this automatically. Ethernet networks use contention-based backoff algorithms to manage consumption. If two systems try to send packets simultaneously, one backs off for a random period before trying again. Only one machine on a given network segment can use the wire at any given time. Since Ethernet and its successors (Gigabit Ethernet, etc.) are largely responsible for local sections of the global Internet, there’s already a built-in system to limit bandwidth consumption.

I suspect the larger problem involves the rapid growth of online media resources in comparison with expansion of network infrastructure. I’d bet the amount of data traversing the net is growing faster than providers can expand their networks, so they’re desperate for solutions that’ll slow the pace somewhat.

Maybe media companies should pay up; they could help providers expand their networks in order to support large-scale streaming media applications. Hey, it’s just an idea.

Is Your ISP Limiting Your Data?

Wednesday, March 26th, 2008

There’s been more fallout following the revelation last autumn that Comcast was using TCP/IP reset packets to limit the throughput of file sharing users and some streaming video. A company in California has created a plug-in that allows users of its file-sharing application to tell if their ISP is using the packet-reset trick to limit their bandwidth. They’ve also instituted a petition to the FCC to force broadband ISPs to stop limiting access for file-sharing applications, and are encouraging users to testify.

This all makes a huge amount of sense. For nearly half a decade, media companies have been working on pushing more content to the Web. Big networks like NBC and CBS have created sites where users can stream in complete, unedited copies of “vintage” TV shows, as well as recent series like Lost and The Office. Movie companies are releasing increasingly popular trailers of upcoming attractions, like the new Indiana Jones movie due in May. All this could be jeopardized if ISPs are allowed to limit bandwidth for high volume users.

The new plug-in from Vuze at least allows users to tell if their ISP is using the TCP/IP reset trick. It won’t help with other, more subtle means of limiting bandwidth and isn’t useful for people who don’t use the Vuze application, but it’s a start. I suspect it’ll inspire other companies to create standalone applications that’ll help users better determine how their ISP is behaving.
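The reset-packet trick described in this post and in the Comcast post above is detectable from the receiving end, because a forged RST arrives from a middlebox rather than from the peer. The following is an added example, not the Vuze plug-in’s code and not a description of its method; it applies two heuristics of my own choosing (a RST whose IP TTL differs from the TTL the same sender’s other packets arrive with, and a sender that keeps transmitting after “its” RST) to a constructed capture of two BitTorrent-style connections.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Packet is one TCP segment from a capture, reduced to the fields the
// heuristics need. The capture below is constructed for this example.
type Packet struct {
	Index int    // position in the capture
	Src   string // "ip:port"
	Dst   string // "ip:port"
	Flags string // e.g. "SYN", "SYN|ACK", "PSH|ACK", "RST"
	TTL   int    // IP time-to-live as received
}

// DetectInjectedResets flags RST segments that look forged by a middlebox
// rather than sent by the endpoint they claim to come from. Two heuristics
// (assumptions of this example, not a published detection method):
//  1. the RST's TTL differs from the TTL this sender's other packets arrive
//     with by more than ttlTolerance hops, so it took a different path;
//  2. the supposed sender keeps transmitting on the connection after the
//     RST, which a host that had really aborted would not do.
// The result maps a packet index to the reasons it was flagged.
func DetectInjectedResets(pkts []Packet, ttlTolerance int) map[int][]string {
	baseline := make(map[string]int)     // direction -> TTL of first non-RST packet
	pendingRST := make(map[string][]int) // direction -> RSTs awaiting follow-up traffic
	findings := make(map[int][]string)

	for _, p := range pkts {
		dir := p.Src + ">" + p.Dst
		if strings.Contains(p.Flags, "RST") {
			if base, ok := baseline[dir]; ok && abs(base-p.TTL) > ttlTolerance {
				findings[p.Index] = append(findings[p.Index],
					fmt.Sprintf("TTL %d, but this sender's earlier packets arrived with TTL %d", p.TTL, base))
			}
			pendingRST[dir] = append(pendingRST[dir], p.Index)
			continue
		}
		if _, ok := baseline[dir]; !ok {
			baseline[dir] = p.TTL
		}
		for _, idx := range pendingRST[dir] {
			findings[idx] = append(findings[idx], "sender kept transmitting after this reset")
		}
		delete(pendingRST, dir)
	}
	return findings
}

func abs(n int) int {
	if n < 0 {
		return -n
	}
	return n
}

// SampleCapture returns a constructed capture: one peer-to-peer connection
// that receives a forged reset in each direction and then carries on, and
// one connection that the remote end genuinely resets.
func SampleCapture() []Packet {
	a, b := "10.0.0.5:51234", "203.0.113.7:6881"
	c, d := "10.0.0.5:51240", "198.51.100.9:6881"
	return []Packet{
		{1, a, b, "SYN", 64},
		{2, b, a, "SYN|ACK", 52},
		{3, a, b, "ACK", 64},
		{4, b, a, "PSH|ACK", 52},
		{5, b, a, "RST", 58},     // forged: wrong TTL, and b keeps talking afterwards
		{6, a, b, "RST", 70},     // forged: wrong TTL for packets from a
		{7, b, a, "PSH|ACK", 52}, // b is clearly still alive
		{8, c, d, "SYN", 64},
		{9, d, c, "SYN|ACK", 49},
		{10, d, c, "RST", 49}, // genuine reset: same TTL as d's other packets
	}
}

func main() {
	findings := DetectInjectedResets(SampleCapture(), 2)
	var idxs []int
	for idx := range findings {
		idxs = append(idxs, idx)
	}
	sort.Ints(idxs)
	for _, idx := range idxs {
		fmt.Printf("packet %d suspected injected RST:\n", idx)
		for _, r := range findings[idx] {
			fmt.Println("  -", r)
		}
	}
}
```

On the constructed capture, packets 5 and 6 are flagged and the genuine reset in packet 10 is not. The TTL tolerance exists because routes do change occasionally; a difference of one or two hops is noise, a difference of six is a different origin.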

The fact that Vuze has challenged the FCC to do something about the problem is also a good thing. If ISPs are allowed to get away with limiting bandwidth, they’ll probably also start charging differential prices for “high volume” data consumers. Such schemes have been discussed, and I previously reported on at least one ISP that’s implemented it as a “test.”

For a while, consumers have benefited from a price war that’s driven access costs down. If providers discover they can jack up monthly fees or charge by the packet, those low prices will vanish quicker than a politician’s promises after election day. Don’t let that happen. Get involved. Write your representatives, petition the FCC, and don’t let big corporations hold your data hostage in order to bloat their already obscene profit margins.

Yet Another Data Breach

Wednesday, March 26th, 2008

Yesterday the National Institutes of Health announced that a laptop used by one of its researchers had been stolen from the user’s car trunk. Naturally, the device contained (in contravention of government directives, not to mention common sense) unencrypted data about 2500 individuals who were enrolled in a medical study at the Institute.

Why are we not surprised?

We’ve heard about a number of similar cases over the last few years. Probably the worst was the TJX breach from 2007, which involved millions of customers and the infiltration of the company’s network by persons unknown. That little problem has cost the company millions in lost goodwill, not to mention the price of ID theft protection for the involved customers.

However, the TJX case was somehow more acceptable from a technical standpoint, since it involved a malicious act by hackers. In the NIH case, not to mention the VA breach and similar cases, the culprit was simple stupidity. How obvious should it be that you shouldn’t be carrying personally identifying data for thousands of people around on an unsecured device?

Today you can buy software that’ll encrypt entire hard drives. Solutions like PGP and other file-encryption options would provide a measure of protection, and they’ve been around for years. The mere visibility of data theft incidents in the press should tell people they need to encrypt sensitive data. So why aren’t they doing it?

The problem, I suspect, involves a measure of fear. People already have too many passwords to keep track of. There might be a perception that losing the password used to encrypt data means there’s no way to recover it. This is an accurate perception if passwords are mismanaged (hint: keep a copy in a locked safe somewhere). But it’s no excuse when the privacy of thousands of people is at stake.

There’s also the laziness factor to consider. If you encrypt on a file-by-file basis, you’re stuck decrypting each file before you use it. Then it has to be re-encrypted after you’re done making changes. But this isn’t necessary for whole-disk encryption schemes.

Anyone who stores sensitive data on a mobile device should use whole-disk encryption. No excuse is good enough to avoid this simple fact.

Faking It For The Numbers

Monday, March 24th, 2008

One of the problems with today’s World Wide Web is that it’s become overly commercialized. Whereas the Internet of the 1990s was mostly about information sharing, today’s Web is largely about commerce. Everyone’s selling, everyone’s looking for ways to increase their site’s traffic in order to build market share and make money.

Thus it’s not surprising to learn that some software rating companies are apparently giving out “awards” solely for the purpose of generating “buzz.” They’re rating freeware and shareware packages without ever actually testing them, apparently in the hope that this will result in more traffic for their own sites. The guy who created some fake shareware that did absolutely nothing at all theorizes that “software sites award their top rating to everything submitted, in hopes that the software authors will boast of the awards on their own sites and link back to the aggregator sites — thus, raising the aggregator site’s rankings in search engines.”

In other words, these sites are automatically generating ratings in order to increase their own visibility on the Web. Most people don’t know this, but search engines generally return high traffic sites at the top of search results. If you search for a given term or phrase, a site with heavier traffic ratings for that search term will be at the top of the list. This means some companies will do nearly anything to make it to that position.

It’s a lot like the old days of phone books, when companies would pick names like “AAAAA Auto Body” in order to ensure they appeared at the very front of the book. Why? Because most people simply pick the first result from a list. Generally, they don’t bother to look more closely before picking up the phone or clicking on a link.

Keep this in mind when searching on Google or other search engine sites. The site at the top of the list may not be the best choice. More than likely, it’s the one whose owners have been most successful at faking their way to the top.

Securing Email

Thursday, March 20th, 2008

Rule number one: email is not secure. If you’ve been sending credit card details or other private data over email, just stop. You’re endangering your financial health. Without encryption, everything you send across the wire is visible and readable by anyone who runs a packet sniffer.

You should also be concerned about the origins of mail messages purporting to be from friends or business associates, since it’s pretty darned easy to forge mail with valid-looking “from” headers. Spammers do it millions of times every day. This is nothing new, since anyone can forge your signature on a piece of paper, put it in an envelope with your return address on it, and pop it into the mail. Stuff like this has been happening since people started writing to one another.

Happily, there are solutions to this problem. You can digitally sign your mail using a certificate obtained from Thawte or Comodo (the latter also provides a highly rated and completely free firewall application, incidentally). Once you obtain the certificate, you configure your email client to use it (usually by importing the certificate). Then you can digitally sign any messages you send. This allows recipients to verify the messages really did come from you (presuming you’ve kept control of your private key). This at least makes mail more valid as a communications tool. You don’t have to worry that every message might be a forgery.

The next step, of course, is encryption. It adds a new wrinkle, since you have to give the recipients of any messages you send a copy of your public key. Without this, they can’t decrypt the messages you send. Think of it as sending someone a letter written in code, but forgetting to give them instructions on how to decode the contents. This means you need to give your public (not private!) key to friends, family, and business associates. You can send it via email, but this probably isn’t the most secure method since someone could theoretically steal it while it’s in transit.

Some people actually host “key exchange parties” where friends exchange public keys, either on diskette (old school!) or maybe via thumb drive. It’s a good excuse to get together and have a beer, and the advantage is that you’re also handing over the keys in person. Security involves numerous components, and one of them is authentication. Receiving a key from someone in person is a form of authentication, since you (hopefully) know them by sight and can be sure they’re who they claim to be.
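To make the three pieces above concrete (signing with your own key, encrypting mail, and comparing a key fingerprint in person), here is an added example in Go using only the standard library. It is not code from any mail client or certificate authority: it stands in for an S/MIME certificate with a bare RSA key pair, and the names Alice and Bob and the message text are constructed. Note which key is used at each step, since that is the part people get backwards: a signature is made with the sender’s private key and checked with the sender’s public key, while a message is sealed with the recipient’s public key and opened with the recipient’s private key. The fingerprint is what two people at a key exchange party read to each other to confirm the key they received is genuine.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
)

// Identity is one correspondent's key pair. The private half stays with its
// owner; the public half is what changes hands at a key exchange party.
type Identity struct {
	Name string
	priv *rsa.PrivateKey
}

// NewIdentity generates a fresh 2048-bit RSA key pair. A certificate from a CA
// would wrap this same public key together with the owner's name; omitted here.
func NewIdentity(name string) (*Identity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, priv: priv}, nil
}

// Public returns the shareable half of the key pair.
func (id *Identity) Public() *rsa.PublicKey { return &id.priv.PublicKey }

// Fingerprint digests the public key (SHA-256 over its DER encoding) into the
// short colon-separated string two people compare in person or over the phone.
func Fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	h := hex.EncodeToString(sum[:])
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":"), nil
}

// Sign signs msg with the sender's private key (RSA-PSS over SHA-256).
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, id.priv, crypto.SHA256, digest[:], nil)
}

// Verify checks sig over msg against the public key of the claimed sender.
// It reports false for a signature made with a different key or a message
// altered after signing.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Encrypt seals msg with the recipient's public key, so only the holder of
// the matching private key can read it. Real mail encrypts a random symmetric
// key this way and the body with that key; the direct RSA-OAEP call here is
// for illustration and limits msg to a couple of hundred bytes.
func Encrypt(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// Decrypt opens a message with the recipient's own private key.
func (id *Identity) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.priv, ct, nil)
}

func main() {
	alice, _ := NewIdentity("Alice")
	bob, _ := NewIdentity("Bob")
	fp, _ := Fingerprint(alice.Public())
	fmt.Println("Alice's fingerprint (compare in person):", fp)

	msg := []byte("Lunch Friday? -- Alice") // constructed message
	sig, _ := alice.Sign(msg)
	fmt.Println("Bob verifies Alice's signature:", Verify(alice.Public(), msg, sig))
	fmt.Println("Same signature on altered text:", Verify(alice.Public(), []byte("Lunch Monday? -- Alice"), sig))

	ct, _ := Encrypt(bob.Public(), msg) // Alice seals the note with Bob's public key
	pt, _ := bob.Decrypt(ct)
	fmt.Printf("Bob reads: %q\n", pt)
	_, err := alice.Decrypt(ct)
	fmt.Println("Alice cannot open mail sealed for Bob:", err != nil)
}
```

The fingerprint check is the step that gives the key exchange party its value: a public key sent by email could be swapped in transit, but an attacker cannot make a substituted key produce the same fingerprint the owner reads out face to face.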

This may all sound overly paranoid, but it’s a good idea if you use email for more than casual messaging.

IBM Boosts “Unified” Devices

Thursday, March 20th, 2008

A while back I talked about the probability that, over time, cell phones and PDAs will vanish as they morph into multipurpose devices. Why carry a phone, PDA, laptop, and who knows how many other devices when you can do it all with one pocket-sized unit? Of course, anyone who likes wearing a “Bat utility belt” or admires Techno Bill is more than welcome to continue wearing such an array of paraphernalia. Have fun at airport security.

The whole “unified” device idea got a boost recently, when an IBM VP said that traditional desktop devices, phones, and other “unitasker” (thanks, Alton Brown) bits of equipment are destined for the technological dustbin. He predicted that “laptops with voice and video embedded will become all that workers need to support their business needs.” This is good news for road warriors who spend way too much time in airport lounges, Starbucks shops, and cheap hotels. Been there, done that, have the T-shirt to prove it.

To make this happen, though, we need “unified communications infrastructure and interoperability” standards. All devices will need to speak the same language and use the same protocol (Microsoft, take note) before discrete-use equipment will fall by the wayside. The IBM speaker likened this to the ubiquity of TCP/IP, which is the de facto standard for networking technology today. Other, earlier protocols have largely died off, or become subsumed into the TCP/IP world (think of tunneling various protocols, like Appletalk and NETBIOS, over TCP-based networks).

The change will probably take a decade or more, but eventually things will settle out. Some protocol will become the TCP/IP of the audio/video world, supplanting all others. It’ll be like the VHS vs. Betamax wars of the 1980s or the Blu-Ray vs HD DVD conflict of the last few years. Hopefully this time the better technology will win.

Beware Fake Antivirus/Antispam Apps

Wednesday, March 19th, 2008

Our old friends at the so-called Russian Business Network have been hard at work, apparently. According to a blog by security consultant Dancho Danchev, the RBN (a shadowy group of IT providers who offer services to spammers, hackers, phishers, and other denizens of the underworld) is also offering fake malware scanners.

The RBN offers “bullet proof” hosting to its customers, who apparently enjoy offering cute little applications that allege to be malware scanners. Actually they’re malware masquerading as a scanner, and Dancho’s blog entry provides a short list of known variants.

Effectively the RBN sells services to known cyber-criminals. It holds several blocks of IP addresses in the space allocated to Chinese networks (which most ISPs attempt to block). If you’re running any sort of firewall, and you’d have to be stupid not to be running one these days, you should add the known RBN netblocks to your filtering list. Obviously they can change at any time, but at least you can block the known list.

There’s another article about the RBN at the Washington Post that describes their activities in more detail. It notes that “groups operating through the company’s computers are thought to be responsible for about half of last year’s incidents of ‘phishing’ — ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites.”

These are not nice people, and you shouldn’t feel bad about blocking access to their networks. They’re known to operate a huge (possibly in the millions of machines) network of zombie PCs that send spam and perform other tasks. At least some of their activities are coordinated from within the US, so I really hope law enforcement services are actively pursuing the perpetrators.

The IP address blocks currently owned by the RBN are contained in the article, so feel free to add them to your list of blocked IP ranges. It’s just a good idea.
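Adding netblocks to a firewall is one half of the job; the other is checking whether anything on your network has already been talking to them. The following added example (mine, not from the post or any linked article) loads a CIDR list and scans netfilter-style firewall log lines for source addresses inside it. The netblocks are placeholders from the RFC 5737 documentation ranges, standing in for the ranges published in the article the post refers to, and the log lines are constructed; a malformed entry in the list is rejected outright so that a typo cannot quietly disable a rule, and a log line with no parsable source address is counted as skipped rather than assumed clean.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// LoadBlocklist parses CIDR strings into prefixes, rejecting malformed
// entries rather than silently dropping them.
func LoadBlocklist(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(strings.TrimSpace(c))
		if err != nil {
			return nil, fmt.Errorf("bad netblock %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// MatchBlock returns the first prefix containing addr, if any.
func MatchBlock(blocks []netip.Prefix, addr netip.Addr) (netip.Prefix, bool) {
	for _, p := range blocks {
		if p.Contains(addr) {
			return p, true
		}
	}
	return netip.Prefix{}, false
}

// Hit records one log line whose source address fell inside a blocked range.
type Hit struct {
	Line  string
	Src   netip.Addr
	Block netip.Prefix
}

// ScanLog checks the SRC= field of netfilter-style log lines against the
// list. Lines without a parsable SRC= field are counted in skipped.
func ScanLog(blocks []netip.Prefix, lines []string) (hits []Hit, skipped int) {
	for _, line := range lines {
		src, ok := srcField(line)
		if !ok {
			skipped++
			continue
		}
		if p, found := MatchBlock(blocks, src); found {
			hits = append(hits, Hit{Line: line, Src: src, Block: p})
		}
	}
	return hits, skipped
}

// srcField extracts the address from a "SRC=a.b.c.d" token.
func srcField(line string) (netip.Addr, bool) {
	for _, f := range strings.Fields(line) {
		if strings.HasPrefix(f, "SRC=") {
			a, err := netip.ParseAddr(strings.TrimPrefix(f, "SRC="))
			return a, err == nil
		}
	}
	return netip.Addr{}, false
}

// PlaceholderBlocklist uses RFC 5737 documentation ranges; substitute the
// netblocks published in the article referenced in the post.
var PlaceholderBlocklist = []string{"192.0.2.0/24", "198.51.100.0/24", "203.0.113.128/25"}

// SampleLog holds constructed lines in the format the Linux netfilter LOG
// target writes to syslog.
var SampleLog = []string{
	"Mar 19 10:02:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=10.0.0.8 PROTO=TCP DPT=443",
	"Mar 19 10:02:13 gw kernel: IN=eth0 OUT= SRC=10.0.0.12 DST=10.0.0.8 PROTO=TCP DPT=22",
	"Mar 19 10:02:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.8 PROTO=TCP DPT=80",
	"Mar 19 10:02:16 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=10.0.0.8 PROTO=TCP DPT=80",
	"Mar 19 10:02:17 gw kernel: IN=eth0 OUT= SRC=not-an-address DST=10.0.0.8 PROTO=TCP DPT=80",
}

func main() {
	blocks, err := LoadBlocklist(PlaceholderBlocklist)
	if err != nil {
		fmt.Println("blocklist error:", err)
		return
	}
	hits, skipped := ScanLog(blocks, SampleLog)
	for _, h := range hits {
		fmt.Printf("%s matched %s: %s\n", h.Src, h.Block, h.Line)
	}
	fmt.Printf("%d hits, %d unparsable lines\n", len(hits), skipped)
}
```

On the sample log, 192.0.2.45 and 203.0.113.200 are reported; 203.0.113.7 is not, because the placeholder list blocks only the upper half of that /24. The masked prefix is what gets reported, so an entry written as 203.0.113.130/25 and one written as 203.0.113.128/25 produce the same block in the output.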

Go Green For Real Savings

Tuesday, March 18th, 2008

“Green” is the new trend in an increasingly energy conscious world, and it really is a good idea. Even if you don’t accept that global warming is being caused by humans, saving energy (most of which is, of course, still derived from fossil fuels) makes good economic sense. It’s no surprise that “green” PCs are starting to appear in larger numbers on today’s market.

Before you scoff at the idea, remember that buying more energy efficient toys puts money in your pocket over the long run. Even if an Energy Star device costs slightly more up front, you’ll probably save that and more over the device’s lifetime. The guys at PC Magazine just ran an article that shows how this works.

Figure it this way: if your PC is up and running all the time, it’s using (given a 250 watt power supply) about as much juice as 4 standard light bulbs. That makes the electric meter spin faster for not one, but two reasons. First, there’s the PC’s direct power consumption. Then, there’s the added cost (at least during warmer months) of removing the excess heat from your house. In other words, running a PC puts more load on your air conditioning system, if you have one. In the winter the extra heat takes some load off your furnace, so there’s a bit of a trade-off involved.

With electricity costing “an average of 10.9 cents per kilowatt-hour (according to the U.S. Energy Information Administration), even when a PC is using just 400W, it will expend over $300 in energy each year.” Cut that consumption to 200W, and you save $150 in the first year alone. That’s not an insignificant amount of cash. The more “green” appliances you use, the more you save.

There’s another good reason to cut your PC’s appetite. Heat accelerates aging in mechanical and electronic components (there’s a reason your car’s engine needs coolant). Cool running machinery generally lasts longer and is more reliable. The hotter your PC’s case is, the more likely it is to suffer a “catastrophic failure” sometime during its life. How are your backups?

No matter what you think about global warming, going green isn’t a bad idea. Maybe you can buy a new machine a few months sooner with all the money you’ll save.