Monday, July 31, 2006

Freedom Of Speech Is Not Exercised When You Mislead People

The Adam Walsh Child Protection and Safety Act of 2006 was passed into law this week by the US Congress. The law is aimed at protecting children from online predators and specifies how hyperlinks and domain names leading to sexual content should be presented. It prohibits "misleading" domain names and links. Yet so many people are complaining that this is taking away their freedom of speech. Since when is misleading people freedom of speech?

I have the right and the freedom to choose what I want to be associated with and what not. If you mislead me to view pictures I don’t want to be associated with, then you are taking away that freedom. If you are using freedom of speech to take away that freedom, how can you still call it freedom of speech? One right to freedom should not take away another. But this is exactly the problem we have with all these freedom rights. Criminals and predators are thriving on these rights and law-abiding citizens have to suffer because of them. Freedom and human rights only seem to be applicable to those people against whom we were supposed to be protected in the first place by these exact same rights.

People are more concerned about the fact that they no longer can use prank links, than the safety of our children on the web. I don’t think prank links to obscene and offensive content are funny at all. You are forcing junk down everybody’s throats. It is not only children who are at stake here, but adults who are sensitive to this material are also affected. This debate is heating up all over the world on blogs and forums. But the debates are doing the goal of this law no good. These discussions are filled with links to prank and indecent sites, with the excuse that they are used for illustrative purposes. I don’t understand why the owners of these blogs don’t moderate these comments, because they are only promoting these indecent websites by including their links in the posts.

If this law is enforced and applied correctly, the Internet will not only be a safer place for our children, but it will become a safer environment for every Internet user. We should also see a decline in spyware- and spam-related problems, because most pornographic websites install spyware on your computer and steal your e-mail address to spam you with junk e-mails. Just download a program like Spybot and have a look at the number of adult-related sites that are blocked by this program. The worst-case scenario is where your children click on these misleading links, get exposed to the harmful content on the site and have spyware installed on your home computer. These malicious programs periodically redirect users to indecent sites, so your children get exposed over and over again, and your computer becomes a host for several spyware programs and indirectly helps with the promotion of these sites. In the end you run the risk of unknowingly becoming an accomplice in child pornography, and all this because of a misleading link. This is not freedom of speech at all; it is an infringement of so many rights that it is impossible to list them all here. You would never like it if a stranger walked up to your children in the park, showed them pornographic pictures and planted a spying device on them, so why don’t you mind strangers on the Internet misleading not only your children but also everybody else?

Coenraad de Beer

Cyber Top Cops - The Cyber Security Specialists

Wednesday, July 26, 2006

Making The Move From Microsoft Internet Explorer To Mozilla Firefox

Internet Explorer is the preferred choice for 97% of my web site visitors. It was quite a surprise for me because since moving over to Mozilla Firefox a couple of years ago, I haven’t used any other browser for any of my browser needs, including the testing of my website. Was this maybe a costly mistake?

Mozilla Firefox was the solution to so many problems I encountered with Microsoft Internet Explorer. I had an effective browser that dealt with annoying pop-ups and spyware. The best of all was that it performed much better than its counterpart. On the security side you had a better solution than Internet Explorer. Firefox is the result of an open source project and as all of you know, the open source community provides solutions to the vulnerabilities of its software much faster than Microsoft does for Internet Explorer.

Firefox has dealt with various security issues long before Microsoft even discovered similar issues in their browser. There has also been a joke circulating among Firefox fans that there is only one thing that is more secure in Internet Explorer than in Firefox and that is a feature that has not been implemented yet in Internet Explorer. I’m not sure what the specific issue was that this joke referred to, but it is ironic that Firefox is still more secure while providing much more functionality than Internet Explorer and therefore has more possible areas for security holes.

After discovering that so many visitors to my site were Internet Explorer users, I immediately browsed my site with Internet Explorer to see if there were any critical issues I had to deal with. To my surprise I only found that certain images were not completely aligned in the same positions as they appeared in Firefox, but not so much that they looked out of place. To be honest, if you never saw the site with Firefox you would not have even known that the images were out of place. The reason for this misplacement was Internet Explorer’s lack of solid support for CSS (Cascading Style Sheets).

Another problem was my toolbar. All the buttons were glued together, while they are spaced apart from each other when you view the site with Mozilla Firefox. This was easily fixed, ironically with a specific CSS statement that Internet Explorer does not have support for. The last problem was the appearance of a button when you hover with your mouse over it. The last button of every toolbar was broken so that the hovering effect did not display correctly in Internet Explorer. Internet Explorer is so bug-ridden that you simply can’t have a work-around for every issue. The point I’m trying to make is that the site did not look too bad after all, if you keep in mind that it was only designed and tested with Mozilla Firefox.

Another interesting thing I discovered from my visitor statistics was that 95% used a screen resolution of 1024x768. I’m still designing on a 14” screen with an 800x600 resolution but always make sure that my site displays correctly on a 1024x768 resolution. I have made the mistake in the past of designing sites for an 800x600 resolution only, because I simply did not think about a higher resolution at that time. This was a very stupid mistake to make. I was chasing visitors away, unknowingly, because I was too reluctant to get myself a bigger screen that could handle a higher screen resolution.

This is maybe the most ironic part of my discoveries. People don’t mind spending money upgrading their screen in order to comply with the newest trend of screen resolutions, something that does nothing to enhance the security of your online activities, but when they get the opportunity to obtain a free browser that provides better security than their current browser, they simply refuse to make the move. I have seen Internet Explorer fix common HTML errors, like using two double quotes next to each other while there should have been only one. Firefox did not display the image referenced after these two double quotes and pointed this error out when you viewed the page source.

Internet Explorer ignored the second double quote and displayed the image as if there was no error at all. It did the cover-up work for the coding error, while Mozilla Firefox exposed it. Internet Explorer is therefore not the type of browser a web designer would use to validate his or her HTML code. You would rather prefer an alternative like Firefox, which tells you when you are making coding errors. But this even holds a threat for the normal user. Would you continue to trust a browser that attempts to correct a designer’s mistakes, or would you rather trust a browser that does not allow the faulty code to execute at all? Hackers are always on the lookout for common mistakes to exploit. You have a bigger chance to exploit faulty code than code that never got executed in the first place. After all, how confident are you that Internet Explorer will make the right choice when correcting HTML errors?

Mozilla Firefox has a much better track record, not only with security issues, but also various other features, many features that the current version of Internet Explorer does not provide for. Why should web developers waste hours of their precious time to make up for the shortcomings of a browser while they could have spent their lost time making their websites more solid, better and more entertaining to explore with a browser that really works? So next time when you get the opportunity to switch over to Mozilla Firefox, be clever, don’t hesitate, you will be making the right move if you decide to make the switch.

Coenraad de Beer

Friday, July 21, 2006

Smelling A Hoax A Mile Away By Using A Little Common Sense

It seems like people in general have a problem identifying hoaxes, because our mailboxes are littered with e-mail hoaxes and scams. Most of the time these e-mails come from friends, colleagues and family. But isn’t there a general rule of thumb that will help people to identify these e-mails? To be honest, no! But it may help if people start to use a little common sense.

It is amazing how quickly the world knew in September 2001 that America was under attack, but years after discovering that a specific e-mail is a hoax, people still don’t know about it. The main reason for this is that people don’t really take the time and effort to inform others about the hoax. Like I said, most of these e-mails come from friends and family, and it is not always that easy telling these people that it is a hoax: some may feel embarrassed and react negatively to your information, others will simply not believe you. And it is because of these stumbling blocks that these e-mails make an appearance every now and then.

I will demonstrate how to identify a hoax by using a very common example, the Zero Sector Virus hoax. This e-mail appeared years ago (it dates back to 2001) and is still in circulation, but only as new variants of the original one. The text printed in italics is an extract from the e-mail. Below each extract is an explanation of the common signs of a hoax that appear in the extract.

For a copy of the complete e-mail visit the following link:


This e-mail is intended to inform the receiver about a virus, but the main focus of this e-mail is the spreading of it. Normally the subject of an important e-mail tells you a little bit about the contents of the e-mail, but the writer of this e-mail was more concerned about the distribution of this e-mail than the information contained within. So this heading should already flash some warning lights.

“Be alert during the next few days: Don't open any message with an attached file called "Invitation", regardless of who sent it.”

The first sentence says it all. The next few days are a bit vague. There are no specific dates specified, so the next few days can be any “next few days”. Hoaxes always have generalization in mind, so that the e-mail appears applicable at the time when you read it.

“It's a virus that opens an Olympic Torch that "burns" the whole hard disk of your computer.”

There is only one strange thing about this sentence. Notice the two spaces between the words ‘whole’ and ‘hard’. It is common among creators of hoaxes that they never give attention to style, grammar or punctuation when compiling e-mails like this. So when you get an e-mail like this with lots of grammatical errors and typos, you can be certain that it is some kind of hoax or scam.

“This virus will come from someone who has your e-mail address; that's why you should send this e-mail to all your contacts. It's better to receive this message 25 times than to receive the virus”

The first sentence is total rubbish. Of course an e-mail virus comes from someone who has your e-mail address, but it does not mean that you have the e-mail address of everyone who has yours. Hoaxes and scams thrive on circulation; if there is no circulation, there is no possibility of spreading. The fact that it is better to receive the message 25 times than to receive the virus holds some truth. Hoaxes are like chain letters, they keep coming back to you and never stop until everyone decides to break the chain. Again you will notice that the sentence does not end with a full stop.

“DON'T open it and shut down your computer immediately .. This is the worst virus announced by CNN, it's been classified by Microsoft as the most destructive virus ever.”

This paragraph can easily be identified as a hoax by just confirming this on the websites of CNN and Microsoft. You will be surprised to find that there is no record of this on either or McAfee mentions this e-mail, but they also classify it as a hoax. It is strange that no virus name is mentioned in this e-mail; all viruses get a descriptive name to help people identify them, so what does it matter what Microsoft says if you don’t even know what virus they are talking about? Shut down your computer. Why? It won’t even help to shut it down even if it was infected with a virus. Shutting down your computer does not make the virus go away. An e-mail and its contents are completely harmless as long as you don’t open it, so there is no need to shut down your computer when you see this e-mail, simply delete it. E-mails can do harm if you use a preview pane, but if you never use a preview pane, it is totally harmless until you open it.

“The virus was discovered by McAfee yesterday, and there's no repair yet for this particular virus. It simply destroys the Zero Sector of the Hard Disk, where vital information is kept.”

No company in this world will ever confess that they can’t fix a problem that is related to their field of expertise. What confidence will you have in an anti-virus company if it only tells you about viruses but never fixes them? Again notice the use of time. Yesterday can be any day. Anti-virus companies normally give a specific date when they announce new viruses.

“Also:- Emails with pictures of Osama Bin-Laden hanged are being sent and the moment you open these emails your computer will crash and you will not be able to fix it! This e-mail is being distributed through countries around the globe, but mainly in the US and Israel. Don't be inconsiderate; send this warning to whomever you know. If you get an email along the lines of "Osama Bin Laden Captured" or "Osama Hanged" don't open the attachment.”


There is not much to say about this paragraph. It is added only to make the e-mail look legitimate, by giving the reader more information to consume. The original virus destroys sector zero of your hard disk and now they mention your computer will crash. There are no details about what happens when your computer crashes and there is no consistency about the symptoms of the virus so you can only assume that they are referring to another virus in this paragraph. Again no virus name is mentioned and the tone of this paragraph is almost like “Oh and by the way…” or “I almost forgot…” which shows you that the writer of this e-mail only had distribution of the e-mail in mind and mumbled a bunch of nonsense just to make it look interesting and have you send it to all your contacts. The first and last sentence of the e-mail is proof of this.

One last thing to mention is the fact that you can’t find the name of the party who created this e-mail. It is anonymous, but may fool the reader to believe that it comes from CNN, Microsoft or McAfee. Microsoft and CNN never announce security threats by e-mail and anti-virus companies only provide virus information to users who signed up for periodic e-mail announcements. These e-mails normally have the letterhead and logo of the specific anti-virus company.

People should be on the lookout for e-mails like this one and inform others about them, but most importantly, you need to break the chain! Keeping your silence about this will cause the problem of spam, hoaxes and scams to grow bigger and bigger. People may feel that some of these signs may not look that easy to identify, which is true, because you sometimes need some background information to be able to identify e-mails like this, but you should be able to identify other signs like the lack of specific dates and typos easily. You only need to use a little common sense.
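
The signs walked through above (vague timing, the plea to forward, big names with nothing to verify, hype, careless text) can be collected into a simple scoring check. This is an added example, not part of the original article; the patterns, the threshold of three signs, the W32/-style name check and the sample advisory are assumptions made for illustration, and the double space the article points out is restored by hand in the sample.

```python
import re

# One pattern per sign discussed in the article; all are illustrative assumptions.
RELATIVE_TIME = re.compile(r"\b(?:next few days|yesterday|today|tomorrow)\b", re.I)
CONCRETE_DATE = re.compile(
    r"\b(?:\d{1,2}\s+)?(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?"
    r"|july?|aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)"
    r"\.?\s+\d{1,4}\b|\b\d{4}-\d{2}-\d{2}\b", re.I)
FORWARD_PLEA = re.compile(
    r"\b(?:send|forward|pass)\b[^.!?]{0,40}"
    r"\b(?:all your contacts|everyone|everybody|whomever you know)\b", re.I)
AUTHORITY = re.compile(r"\b(?:CNN|Microsoft|McAfee)\b")
# Assumption: a genuine advisory carries a link or a vendor-style malware name.
VERIFIABLE = re.compile(r"https?://\S+|\b(?:W32|Win32|VBS)[./][\w.@-]+", re.I)
HYPE = re.compile(r"\b(?:worst virus|most destructive|no (?:repair|cure|fix))\b", re.I)
# Double spaces inside a sentence, or a stray " .." as in the quoted e-mail.
SLOPPY = re.compile(r"\S {2,}\S| \.\.(?!\.)")


def hoax_signs(text):
    """Return the names of the hoax signs found in text, in a fixed order."""
    signs = []
    if RELATIVE_TIME.search(text) and not CONCRETE_DATE.search(text):
        signs.append("vague_time")              # "yesterday" with no real date
    if FORWARD_PLEA.search(text):
        signs.append("forward_plea")            # chain-letter request
    if AUTHORITY.search(text) and not VERIFIABLE.search(text):
        signs.append("unverifiable_authority")  # big names, nothing to check
    if HYPE.search(text):
        signs.append("hype")
    if SLOPPY.search(text):
        signs.append("sloppy_text")
    return signs


def looks_like_hoax(text, threshold=3):
    """Flag a message once at least `threshold` signs are present."""
    return len(hoax_signs(text)) >= threshold


# Extracts as quoted in the article (double space after "whole" restored).
HOAX_TEXT = "\n".join([
    "Be alert during the next few days: Don't open any message with an "
    'attached file called "Invitation", regardless of who sent it.',
    'It\'s a virus that opens an Olympic Torch that "burns" the whole  hard '
    "disk of your computer.",
    "This virus will come from someone who has your e-mail address; that's "
    "why you should send this e-mail to all your contacts. It's better to "
    "receive this message 25 times than to receive the virus",
    "DON'T open it and shut down your computer immediately .. This is the "
    "worst virus announced by CNN, it's been classified by Microsoft as the "
    "most destructive virus ever.",
    "The virus was discovered by McAfee yesterday, and there's no repair yet "
    "for this particular virus.",
])

# Constructed counter-example: dated, named and linked (all values invented).
ADVISORY = ("Published 14 July 2006: a signature update for W32/Example.A, "
            "first reported to McAfee yesterday. "
            "Removal steps: https://vendor.example/advisory-123")

if __name__ == "__main__":
    print(hoax_signs(HOAX_TEXT), looks_like_hoax(HOAX_TEXT))
    print(hoax_signs(ADVISORY), looks_like_hoax(ADVISORY))
```

A score like this only sorts messages for a closer look; confirming on the vendor's own site, as the article does, remains the actual check.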

Coenraad de Beer

Thursday, July 13, 2006

Security Flaws, Hanging Them Against The Big Clock

Buffer overflows, insecure browsers, remote code execution, all common terms in the world of software security. We are surrounded by insecure applications and the big guns are not doing a thing about it. It seems like they are more profitable with insecure software applications than reliable and secure software. Everyone is fed up with the ignorance of giant software companies, but is that enough reason to go public with every security flaw you find in their software?

It won’t hurt when you go public with security flaws of a certain piece of software, if there are only three or four users of the software worldwide. But it becomes a problem if billions of people use the software.

Flashing a security flaw around for everyone to see puts more people at risk than would have been the case had you kept it quiet. Who are you actually doing a favour? The users? Prospective users? The software company? No, not one of them. You are making the job of hackers and people exploiting the flaws that much easier. In fact, you are doing their homework for them and you are feeding their sinister thoughts with sensitive information.

Many people feel they are giving software companies a blow by announcing flaws out in the open. You get the chance of getting even with the companies you hate the most. But does this really have a negative impact on the really big companies? Yes, I agree smaller companies will feel the blow much harder than the larger ones, but the big guns thrive on controversy because publicity is a free way of marketing your product. You may not impress everyone, but when the word gets out, your product’s name will be mentioned, that’s for sure. Just make sure you take some kind of action, just to make it look like you really care.

Companies like Microsoft and Google make huge mistakes with their products, but almost everyone seems to support them. It will take some huge flops to make people lose confidence in companies like these. This article is a good example. I’m not a huge supporter of Microsoft products. I prefer Open Source products because they are most of the time more secure and effective. But still Microsoft’s name gets mentioned. Google kept doing things right until all their fame and success went to their heads. Today they are disappointing thousands of search engine users, webmasters and advertisers, but people still use their products.

You may give companies a temporary blow by following the public route, but in the end you create new opportunities for them to make something good from something bad. Your efforts will be futile and you end up creating more problems for the software community than helping them.

Why do people think it is a good thing to go public with security flaws? It is because they think in terms of the open source community. The only way of getting an open source application fixed is by going public with the flaw. The open source community comes up with fixes to their applications in next to no time because there is such a huge pool of contributors to the community. Unfortunately you can’t follow this route with closed source applications. You are at the mercy of the software company to get the problem fixed. But you are not making things easier for them by starting a fire in the woods. They end up putting out fires instead of focusing on the root of the problem. This leads to patching the software until a new flaw appears. More patching is done until the next flaw and the process repeats itself over and over until you are stuck with a patched-up application, which still can’t battle the threat posed by security flaws. You can keep patching the software but below the patches lies the real nightmare.

Patches are the result of bad development in the first place and impatient users in the second place. I agree it is not the responsibility of the user to debug the software; you pay for the software so that the software company can pay their testers to do their job properly. So what is the bottom line here? Are the intentions of closed source users the same as open source users when they go public with security flaws? Undoubtedly no. Closed source users do it out of frustration with the software companies while open source users seek a solution to the threat a flaw poses.

What do I suggest you do next time you stumble across a security flaw? Keep it quiet for as long as possible and report it to the responsible software company. By doing this you will prevent an uncontrollable spread of exploits for this specific flaw. If the company is dedicated to fixing their software you will allow them more time to focus on the core of the problem. This will be beneficial for the end-user as well as the software company. It will make their software more secure, which will lead to greater support and consumer confidence in their product. Better consumer confidence leads to bigger profits and a responsible company uses these profits to make their product even better.

I agree that the picture I’m painting is one from a perfect unselfish world, but it will do no good to do the opposite either. Encourage people to switch to more secure applications and stop revealing each and every exploit of the less secure application.

Spend your time and energy to promote and enhance promising software instead of bad mouthing software that does not deserve the attention at all.

Coenraad de Beer
