Find Your Friends with Flickr

Flickr unveiled a new feature recently that enables you to search through your address books in various email systems to find contacts that are also on Flickr. If you’ve used one of the many social networking sites, you’ll realise that this isn’t a new feature – most other social networking sites allow you to search your address books to find friends that are on the same service.

The difference is that Flickr have implemented the feature correctly.

Most other sites ask you to enter the username and password that you use to log in to the various email systems. Once you submit the form, the system logs into your email account and downloads all of your contacts through a process called ‘screen-scraping’. What ‘screen-scraping’ does isn’t really important; the important bit is that you’ve just trusted another web site with your email’s username and password. Most sites will include a message saying that your username and password won’t be saved and will only be used to grab your contact details. But what if they are lying…

The password for your email system is probably the most important password that you have. If someone has your email password, then they can access any personal information that you have stored in your inbox and there’s a good chance that they will be able to get ANY of your other online passwords that they like. For example, if you forget your password for an online service, you can usually go to that site, and click on the reset password button. This will either send your password to your email account, or send you an email with instructions on how to reset it. Imagine if I had your email account password, and I logged on to your account and secretly set up a forwarding address for emails to get sent to an anonymous email account I had set up. You wouldn’t know that your emails are being forwarded without delving into your email system’s options and checking the setting manually. Then I could go to any online site that I thought you might use, and reset your password so that I could log on as you.

Even worse, if you have an email account with Google, Microsoft or Yahoo!, then your email password is linked to all the other services that you use with them. So your Yahoo! Mail password is also used for Flickr and IM; your Gmail password is also used for Google Docs and Calendar; and your Windows Live ID is used with almost all of Microsoft’s online services.

So back to Flickr’s new feature, and how it’s been done correctly. Flickr gives you the option to search through your Yahoo!, Google, or Microsoft/Live contacts, but the difference is that Flickr don’t ask you for your email account password. Instead they use the various APIs that are available, which means that if you want to search through your Google contacts, you’re redirected to Google’s site where they handle the authentication, and then send back the contact information to Flickr. The same applies to Yahoo! and Microsoft – at no point does Flickr ask you for your password; you only need to supply your password to the site where you would normally log in anyway.
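The redirect flow described above, modelled end to end as an added example (not Flickr's, Google's, Yahoo!'s or Microsoft's code). MailProvider, PhotoSite, the scope names, the URLs and the account data are all constructed; the point is that the site ends up holding a revocable, contacts-only token and never sees the password.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class MailProvider:
    """Constructed stand-in for the email provider: the only party that sees the password."""

    def __init__(self):
        self._passwords = {"alice": "s3cret-mail-pw"}            # constructed account
        self._contacts = {"alice": ["bob@example.com", "carol@example.com"]}
        self.forwarding = {"alice": None}
        self._tokens = {}                                        # token -> (user, scope, expiry)

    def approve(self, auth_url, user, password):
        """User logs in on the provider's own site; returns the redirect URL with a scoped token."""
        if not secrets.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        q = parse_qs(urlparse(auth_url).query)
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user, q["scope"][0], time.time() + 600)
        return q["return_to"][0] + "?" + urlencode({"token": token, "state": q["state"][0]})

    def _check(self, token, needed_scope):
        user, scope, expiry = self._tokens.get(token, (None, None, 0))
        if user is None or time.time() > expiry:
            raise PermissionError("token invalid, expired or revoked")
        if scope != needed_scope:
            raise PermissionError(f"scope {scope!r} does not allow {needed_scope!r}")
        return user

    def get_contacts(self, token):
        return list(self._contacts[self._check(token, "contacts.read")])

    def set_forwarding(self, token, address):
        self.forwarding[self._check(token, "mail.settings")] = address

    def revoke(self, token):
        self._tokens.pop(token, None)


class PhotoSite:
    """Constructed stand-in for the site finding your friends; it holds a token only."""

    def __init__(self, provider):
        self.provider = provider
        self._state = None
        self.token = None

    def start(self):
        self._state = secrets.token_urlsafe(8)    # ties the return trip to this session
        return "https://mail.example/authorize?" + urlencode({
            "scope": "contacts.read",
            "return_to": "https://photos.example/callback",
            "state": self._state,
        })

    def callback(self, return_url):
        q = parse_qs(urlparse(return_url).query)
        if not self._state or q.get("state", [""])[0] != self._state:
            raise PermissionError("state mismatch: not the request this session started")
        self.token, self._state = q["token"][0], None
        return self.provider.get_contacts(self.token)


def demo():
    provider = MailProvider()
    site = PhotoSite(provider)
    auth_url = site.start()                                        # 1. site redirects the browser
    back = provider.approve(auth_url, "alice", "s3cret-mail-pw")   # 2. password goes to the provider only
    contacts = site.callback(back)                                 # 3. site gets a token, reads contacts
    try:                                                           # 4. the token cannot change mail settings
        provider.set_forwarding(site.token, "someone-else@example.net")
        settings_blocked = False
    except PermissionError:
        settings_blocked = True
    provider.revoke(site.token)                                    # 5. access withdrawn, password unchanged
    try:
        provider.get_contacts(site.token)
        revoked_blocked = False
    except PermissionError:
        revoked_blocked = True
    return contacts, settings_blocked, revoked_blocked, provider.forwarding["alice"]


if __name__ == "__main__":
    print(demo())
```

Compare this with handing over the password itself, which would allow every operation the provider offers, including the forwarding change, and could only be withdrawn by changing the password.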

So the point of this post is to not just congratulate Flickr on implementing this feature correctly, but also highlight to you how dangerous it can be to give out your email account password too freely.

Windows Server 2008 RTM

Microsoft have just announced that Windows Server 2008 has been released to manufacturing. I’m really looking forward to this product becoming publicly available and my own testing has been very positive so far.

I have to correct one point made in Microsoft’s blog announcement, which stated that Server Core doesn’t install a GUI. That is incorrect:

“With server core, you can even install a GUI-free server.”

When you set up a Server Core box, you still get a GUI, but you don’t have a shell. This isn’t just semantics, it’s a fundamental difference. A Linux or Unix server can be installed without a GUI – all you get is a terminal screen. However, Server Core still presents a graphical interface: you get windowed command prompts and can run several graphical tools and utilities, but you don’t get the Explorer shell or associated components.

Bill Gates CES Keynote

For the second year in a row I’ve made a big effort to watch Bill Gates’s keynote speech at CES, and for the second year in a row I’ve been disappointed. Granted, the video about his last day at Microsoft showed the lighter side to him, but there were no other highlights.

Surface computing is something that demos well but will probably never eventuate to anything. There may be Surface computers that provide interactive displays, but these will just be like touch-screen panels today. I can’t see it happening that you place your cellphone on the Surface and it automagically transfers images or music onto your device easily and seamlessly.

The same goes for the demo of Microsoft’s Sync technology which integrates your MP3 player or phone into your car’s entertainment system. It demos well but can you imagine a mother with screaming kids in the car, talking at her phone and saying, “Play Cars” and the song Cars magically starts playing? It will be more like, “Sorry your device was not recognised, please re-enter your car.” Or, “I’m sorry, did you say, ‘Play Fart?'”

The demo of Live services was the same – what a wonderful world it would be if all of my contacts were on Windows Live, and had Windows Mobile phones, and had a Live Space, and used Live Messenger, and kept their Live Calendar up to date? Then planning an event would be so easy…

I’m interested to see who does the main CES keynote next year – will it even be someone from Microsoft? Imagine if Steve Jobs opened CES – that would be interesting.

Microsoft bloggers with a sense of humour

I subscribe to lots of blogs written by Microsoft bloggers, and my favourites are from those who aren’t afraid to poke a little fun at themselves and their employer. Here’s a post from The Sean Blog making fun of the fact that when you right click a removable drive in Windows Vista, the kind “Safely remove” and the destructive “Format” commands are 1/8 inch apart. (image leeched below)

These are the bloggers that are helping Microsoft to gain more of a people-friendly reputation, rather than the monopolistic, evil empire that we all love to hate. If you’re a Microsoft blogger, please don’t just regurgitate press-releases and sales pitches – have the guts and sense of humour to poke a bit of fun at yourself sometimes. We’ll like you more for it.

[Image: Safe and destructive]

Safe computing for your home

On the TV1 Breakfast show this morning, Paul Henry was interviewing Peter Griffin about security software for home computers. In my previous field engineer roles, and my current role as "IT guy" for my extended family, I’ve got a lot of experience setting up and securing home computers as well as small business computers (ones that are not managed by a central server.) I’ve also had a lot of experience fixing computers that have been infected with viruses, trojans and other nasties.

So naturally I have strong opinions on the topic and I tend to disagree on some of the points that Peter was recommending. So here is my advice on securing a home computer running Windows. (See note at the end if you’re running a Mac or Linux.)

Note: This turned into a rather long article – I encourage you to read the whole post, but if you’re in a rush, at least read the summary at the bottom.

Operating System

Starting at the bottom of the stack, if you’re buying a new computer get Windows Vista. I have lots of gripes about Vista, but it is far more secure than Windows XP, and will be supported for the next 5 years. If you’ve already got a computer you should be running Windows XP with service pack 2. If you’re not running service pack 2 on Windows XP, your computer is vulnerable to attacks. If you’re running any operating system prior to Windows XP, such as Windows 2000, Windows ME, Windows 98, etc, your computer is extremely vulnerable and you should probably just upgrade to a new computer running Vista. (Again, see note at the end if you’re running a Mac or Linux.)

You can check your operating system and service pack version by clicking on Start, then Run, and typing: "winver" (without quotes) and pressing enter.

Automatic Updates

Now that we’ve decided on the operating system, you need to make sure that it is kept up to date. This is one of the most important parts of maintaining your computer. As soon as Microsoft release updates to the operating system, hackers start creating malware that targets the vulnerabilities. It’s effectively a race between you and the hackers, which is why I recommend always installing updates as soon as they are released – and rebooting once they are installed.

There is a fear that updates can break your computer if you install them straight away, and there have been some cases in the past where this has been true, but you are far more likely to be infected by a virus by not updating than you are to have a new update break your computer.

Windows makes it very easy to keep your computer up to date – just go to the Control Panel through the Start Menu, then find the Automatic Updates icon (or Windows Updates icon in Vista) and select "Automatic" which is labelled as the recommended option.

Most other software you install on your computer will also have some mechanism for keeping it up to date. Adobe (Acrobat Reader), Apple (Quicktime, iTunes), Sun (Java) all provide update mechanisms that usually use a scheduled task to check for updates. All of this software is also vulnerable to bugs and attacks so it’s important to let the software notify you when there is an update to install.

This is especially true of your Internet browser of choice. Whether you use Internet Explorer, Firefox, Safari, Opera, etc, it’s important to keep it up to date as this is the software that you use the most to interact with the Internet. My personal favourite is Firefox and this is the most secure browser to use in my opinion. Running Internet Explorer on Vista with User Account Control (UAC) enabled has the added benefit of running as a limited user so is also less vulnerable to attack.

Firewall

The single most important security software on a computer is the firewall – in fact, I can’t imagine ever running a home computer without a firewall. If you’re only going to take one piece of advice from this post, then make it the firewall.

If you have Windows XP or Windows Vista then you have a firewall built in, and you need to check that it’s turned on. Head back into the Control Panel, open the Windows Firewall icon, and turn it on. It’s that simple.

More advanced users running Windows XP should use a third party firewall such as Zone Alarm, as you have more granular control over what comes in and goes out. But for home users not needing to allow any inbound traffic, the Windows XP firewall is fine.

If you’re running Windows Vista, there’s no need to run any other firewall as the one provided by Vista is superb and has been greatly improved upon since Windows XP. Advanced users on Vista can tweak the firewall to their heart’s content by using the Windows Firewall MMC snap-in which you can get to through the Administrative Tools.

The benefit of using the Windows firewall instead of a third party firewall is that Microsoft have designed it to hook in to the networking aspects of your computer. So if you enable file and print sharing, then Windows will open the necessary firewall ports.

Antivirus Software

If you’ve followed the previous three steps, then you’re in pretty good shape already. You’re running a supported operating system, your computer software is patched and up to date, and you have a firewall protecting you from network attacks. However, this does not prevent you from downloading a virus from the Internet, or opening a virus-infected attachment from your emails.

This is where antivirus software comes in – it runs in the background on your computer, monitoring all of the activity going on, looking for viruses that it knows about and also looking out for any other suspicious behaviour.

There are lots of different antivirus products available today, some free, most of them not. I don’t recommend the free software to home users, as you have no guarantees that the software will be kept up to date. I also don’t recommend buying ‘suites’ of software – such as the ones from Symantec/Norton, or McAfee. These suites try to take over your whole computer with their own recommended settings, and you get showered with cryptic alerts, slow performance, and unreliable behaviour from your computer.

My current recommendation is to install Trend Micro Internet Security 2008. This is by far the best antivirus software I have used to date, for the following reasons:

  • It’s lightweight and won’t slow down your computer
  • It’s easy to use
  • It’s easy to configure
  • And you aren’t forced into using all of their settings

During installation of the software, you are asked if you want to install the firewall – I always say no, as I’m quite happy with either the Windows XP or Vista firewall. And once the software is installed, step through each section and turn it off – apart from real-time virus monitoring. All you want antivirus software to do, is to protect you against viruses – anything else will just get in your way and annoy you. If you’re using a desktop email client like Outlook, Outlook Express, Windows Mail, Thunderbird, etc, then you also need to select the antivirus option to scan your emails.

Antispyware Software

Antispyware software generally comes in two types – the basic editions require you to run a scan over your computer so that it can find all the nasties, and the more advanced editions run as a service on your computer like the antivirus software and constantly monitor your system. Most antivirus software products today have at least some basic antispyware functions that can be enabled.

If you’re running Windows Vista, then you already have Windows Defender installed and running and you need to do nothing else. Defender runs in the background monitoring your computer and updates to the software are delivered through Windows Updates.

If you’re running Windows XP, then you can download and install Windows Defender for free, which you can’t go wrong with. More advanced users may want to use several different versions of antispyware software at the same time, tweaking each one to suit their needs, but an average home user will be well protected with Windows Defender.

Phishing Filter

A phishing filter monitors the web sites you visit and looks out for sites that attempt to deceive you into thinking that you are visiting another site. A common example is a site that looks just like your Internet banking site but is actually a site created by hackers to encourage you to give up important financial information like your account names, passwords, pin numbers, etc.

Hackers craft web addresses that are long and confusing, so that it is hard to tell whether an address is valid or not. Phishing filters attempt to identify these dodgy addresses and warn you that the site is not legitimate.

Unfortunately, phishing filters are not yet as advanced as antivirus scanners and lots of dodgy sites don’t get picked up. This means you can’t rely solely on the phishing filter as a means of defence. But Internet Explorer 7 and Firefox 2 both have phishing filters built-in and should be enabled for an added layer of defence.
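A sketch of the kind of address checks a phishing filter can apply, added here as an example and not taken from Internet Explorer or Firefox. KNOWN_SITES, the rule set, the length threshold and the sample addresses are constructed; the last sample raises no warning at all, which is the gap described above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list: brand keyword -> the domain that brand really uses.
KNOWN_SITES = {"mybank": "mybank.example", "webmail": "webmail.example"}
MAX_LENGTH = 100   # assumed threshold for "long and confusing"


def warnings_for(url):
    """Return the list of warning labels raised by a web address."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no-host"]
    found = []
    # Text before '@' is a login name, not the site; the real host comes after it.
    if parts.username is not None:
        found.append("userinfo")
    # A bare IP address where a site name is expected.
    try:
        ipaddress.ip_address(host)
        found.append("ip-host")
    except ValueError:
        pass
    # Encoded international labels can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode")
    # Naive registered domain: the last two labels. A real filter would use
    # the Public Suffix List so that names such as example.co.nz work.
    site = ".".join(host.split(".")[-2:])
    for brand, domain in KNOWN_SITES.items():
        if brand in url.lower() and site != domain:
            found.append(f"brand-mismatch:{brand}")
    if len(url) > MAX_LENGTH:
        found.append("very-long")
    return found


# Constructed sample addresses (reserved example/test names and addresses only).
SAMPLES = [
    "https://www.mybank.example/login",
    "http://www.mybank.example@203.0.113.7/login",
    "http://www.mybank.example.secure-login.test/session",
    "https://account-verify.test/login",
]


def check_samples():
    return {url: warnings_for(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, labels in check_samples().items():
        print(url, "->", labels or "no warning")
```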

Common Sense and Dancing Pigs

The last layer of defence should be your common sense. Don’t rely purely on the security software on your computer to protect you. Don’t trust any attachment that is sent to you – even if it comes from someone you do know such as friends or family. Don’t forget that if a friend’s computer gets infected with a virus, there is a chance that the virus may email itself to that friend’s entire address book, making it look as if your friend sent you a joke email.

This is where the Dancing Pigs comes in. In computer security circles, dancing pigs refers to how users will always choose dancing pigs over computer security. Bruce Schneier explains the phenomenon as follows:

If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet — he’s going to choose dancing pigs over computer security any day. If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life’s savings, and impair your ability to have children," he’ll click OK without even reading it. Thirty seconds later he won’t even remember that the warning screen even existed.

If this sounds like something that you do on a daily basis – beware. But take heart in the fact that it’s not your own fault – software developers have made us ambivalent towards security messages over the years, as we get so damn many of them – most of which are safe to ignore, most of the time…

A classic example of this is Windows Vista’s new User Account Control (UAC) feature which is enabled by default on Microsoft’s new operating system. The theory behind this is that you are forced to run as a limited-rights user so that you aren’t able to do any accidental damage to your computer (like running dancing pigs applets.) This is a great idea, and is already implemented on both Macs and Linux, but the implementation of UAC was so poor, that from the first time you turn on your computer, you are bombarded with warning messages for even performing the most trivial of tasks. This forces you to become numb to the messages, and you just get into a routine of clicking "yes" for everything that pops up.

Microsoft won’t admit to UAC being a poor implementation, but they are changing the number of alerts you receive in service pack 1, which is going through testing at the moment. So they must be aware of the problem.

Backups

Although backups aren’t strictly related to computer security, ensuring that you have a good backup system could be priceless should your machine get so terribly broken from a virus that it can’t even boot up and needs to be reinstalled.

How many of you have your only copy of your digital photos sitting on the hard drive of your computers? Imagine how you would feel if that hard drive broke, or the contents got erased, or your computer got stolen.

I recommend a three-pronged approach to backing up your important data:

  • Keep your important data cleanly organised on your computer and set up a backup routine either manually or using software such as the built-in backup software in Windows.
  • Backup all your important files to a separate, external hard drive, or DVDs/CDs, or to another computer or server in your house.
  • Then create another backup of your important files offsite – i.e. not in your house or possibly even your neighbourhood.

The third step seems a bit over the top at first, but keeping a backup of your photos on DVDs is no good if your house burns down or gets flooded. The best way to back up your photos is to just upload them to a photo sharing site like Flickr – you get the added bonus of being able to show off your photos to friends and families. And if disaster ever strikes, your photos are preserved online and can be downloaded again in the future. For other important files, there are various online backup companies starting up but prices do vary so it’s worth shopping around.

In Summary

To summarise, here’s a check-list for safe computing:

  • Make sure you’re running a supported operating system. Windows Vista or Windows XP with service pack 2. Nothing earlier.
  • Make sure that your operating system is up to date with Windows Updates, and make sure that all other software is kept up to date too.
  • Use a firewall! The Windows built-in firewall is fine, only use a third party one if you know what you’re doing.
  • Use antivirus software – but don’t let it take over your whole system, this just causes more problems. Disable the bits you don’t want to run.
  • Use antispyware software – Windows Defender is good.
  • Use the phishing filter built into your browser, but don’t depend on it to be 100% accurate.
  • Use your common sense – treat all email attachments with caution.

Apart from purchasing antivirus software (Trend Micro Internet Security 2008 costs about $100), everything mentioned above is already built into your operating system or web browser and costs nothing extra to use.

Using a Mac or Linux

This post has focused on Windows only, but most of the same principles can be applied to either Macs or Linux computers. Historically there have been very few viruses found in the wild for either operating system, but as both Linux and Macs gain in popularity (as they are now) there will no doubt be more hackers targeting them. Don’t sit back and think that you’re secure just because you’re not running Windows.

Well done Mauricio and Geekzone

Mauricio has just completed the upgrade of the Geekzone site and it is now running on Windows Server 2008 (RC0, I’m assuming.) This is a good showcase for Microsoft as Geekzone is in the top 15 NZ sites for unique visitors, according to Mauricio. Microsoft have already moved 75% of their servers on to Windows Server 2008 which shows the confidence they have in the new version.

I’m genuinely excited about Server 2008, and every day I learn about new features that will benefit all sizes of organisations. Today, at the monthly Unplugged event at Microsoft in Wellington, Nathan showed off the new Group Policy Preferences which almost completely remove the need for login scripts. This is a feature that was acquired by Microsoft when they purchased Desktop Standard, so it’s nice to see it being released for free as part of the operating system.

I have the latest build and will be testing it out over the next week, including the newly-announced virtualisation role – now called Hyper-V. I’m also hoping to test out the Windows Essential Business Server product which was code-named ‘Centro’ (much cooler name) up until recently.

Update: Mauricio got a shout out on the Windows Server blog

Hot off the press – Centro gets official

This press release just popped up as I was about to sign off for the night, but I just had to get a quick mention out: "Integrated IT Designed for Midsized Businesses"

Microsoft have finally revealed some details about a new server bundle for "midsized" business called Windows Essential Business Server. This has been known as Centro in the invitation-only beta phase, which I had hoped to participate in, but was lacking three spare 64 bit servers to test on.

My previous understanding of Centro was that it would require three, 64 bit servers and would bundle several Microsoft server products into a unified, easy to manage, suite. It is effectively a step up from Small Business Server, which runs on a single server and is licensed up to 75 users.

The term "midsized" is relative, depending on the market, but in Microsoft’s terms this is up to 250 computers.

Windows Essential Business Server will bundle the following products and will provide a single Client Access License (CAL) to cover use of all included products:

  • Windows Server 2008
  • Exchange Server 2007
  • Forefront Security for Exchange
  • System Center Essentials
  • ISA Server (whatever the next version number is called – probably 2008)
  • SQL Server 2008

The press release doesn’t confirm whether three servers are still required or not, but looking at the components, you would want to run them on no less than three boxes. I’d imagine that the ISA server would act as the gateway box, running Forefront SMTP scanning and the Exchange Edge Transport role; then System Center Essentials and SQL Server 2008 would sit on another box, and the other Exchange roles would be on the third box. (All 64bit of course.)

Microsoft have also announced the usual list of partners that will be providing solutions specifically for Essential Business Server (EBS) such as HP, IBM, Intel on the hardware front, and Trend Micro, CA, and Citrix on the software front.

The private beta will be expanded into a more public beta in the new year, with a final release date set for the second half of 2008.

This is big news for NZ companies as I know of lots of companies that quickly grow out of an SBS solution but are still small enough to not be considered an Enterprise customer. Local Microsoft partners will be keen on this too, because if a customer is considering upgrading to Exchange 2007, then why not see if they would like the latest version of ISA to complement Exchange – and then you’re two thirds of the way to implementing EBS.

Still some questions that need to be answered…

  • How will the licensing work for customers that already have Server and Exchange CALs – will they be able to trade them in for EBS CALs?
  • How easily will EBS integrate into an existing environment? SBS needs to be its own root domain and can’t join into any existing domains, surely this wouldn’t be the case for EBS?
  • Will there be an upgrade path from SBS to EBS?
  • And will there be an upgrade path from EBS to the full version products if needed?

I’m looking forward to testing out the bits and pieces… anybody want to donate/lend me three 64bit servers??

Powershell 2.0 on the way

The PowerShell team have just released the first publicly available CTP of PowerShell 2.0. This hasn’t even reached beta stage yet, so there are bound to be lots of bugs and no doubt the product will change a lot prior to release.

Lots of new features, but the stand-out ones for me are:

  • Remote scripting – now you can run PowerShell scripts against remote computers, as long as they also have PowerShell installed.
  • Background jobs – you can run a PowerShell script and it will run in the background. This means that your cursor will return to the next line in the console and you can continue with other tasks. You can then query the progress of the background job at any time with another command.
  • Script cmdlets – cmdlets can be created using PowerShell scripts whereas in the current version you need to compile them as managed code, for example C# or VB.Net.
  • PowerShell GUI – there’s an early preview of a graphical PowerShell front end that gives you colour-coding syntax, as well as multiple tabs with multiple shells (up to eight.)

There’s also mention of improved hosting APIs but I’m not sure if that just applies to compiled applications being built on top of PowerShell. I’d like to be able to run PowerShell in HTAs in the same way that VBScript can currently be run.

I’ve been giving a lot of thought recently as to how PowerShell can be implemented in production, and some of these features will definitely make it more relevant – especially the ability to run PowerShell scripts against remote computers.

64 Bit Rant

I’ve been persevering with Vista 64 bit over the last few weeks, but I’m failing to see any benefit in sticking with it. Very few applications are native 64 bit and some applications just do not run at all.

Microsoft is probably the worst culprit – last year they released Exchange 2007 and forced all customers that wanted to use it to upgrade to 64 bit hardware and software. At about the same time as Exchange was released, Office 2007 and Vista were released too.

MS made a big deal about Vista 64 bit – just read the blurb on this page and you’ll think that 64 bit is the only way to go: http://www.microsoft.com/windows/products/windowsvista/editions/64bit.mspx. But there was no 64 bit version of Office 2007 released. Sure Office 2007 runs fine on 64 bit, but why wasn’t there a 64 bit edition?

And today Microsoft is making a big deal about the new upgrades to the Live suite of products, including a new unified installer that lets you install a bunch of Live applications at once, like the Google Pack. BUT NO 64 BIT SUPPORT! None of the applications will install if you’re stupid enough to be running a 64 bit operating system, you’re just greeted with a lovely error.

[Image: No 64 bit support]

So I’m running an operating system which Microsoft says, “… deliver premier performance, reliability, and security, providing you access to the next generation of PC innovations.” but I can’t install the latest updates to Microsoft’s own software. (end of rant)

When does my evaluation copy of Windows Server expire?

I’ve been using a lot of evaluation software at home recently to build up a virtual lab that I’ll use for testing and demos. I needed to know when my eval copies of Windows Server 2003 were due to expire but couldn’t figure it out without having to trawl through Google Groups first.

Turns out it was fairly simple, just run “winver” and it tells you the exact date and time that the copy is due to expire.

winver