For Your Information - Information, Technology, Society
Issue #2, November 15, 2002
It turned out that several items related to security and virus protection came up in the past couple of weeks, so I collected several of the more interesting things in one mailing and am sending them out together. There's also an interesting new game -- written by the United States Army -- that bears consideration. Finally, a client of mine is looking for funding; help me if you can.
As you can tell, the "writing bug" bit me this week :). Let me know if you like/don't like/don't care about this kind of mailing.
If you are interested in internet security, read on.
You may recall that President Bush scheduled the release of a National Strategy to Secure Cyberspace back in September, but it was delayed because government reviewers believed that more public comment was required. That draft is available online at http://www.whitehouse.gov/pcipb/; get a copy, review it, and send your feedback to firstname.lastname@example.org. NOTE: Feedback is due by November 18, 2002.
Some of the key points that may interest you are (and of which you may already be aware):
-- The draft recommends that a "Cyberspace Network Operations Center" (Cyberspace NOC) be established to "...share information and ensure coordination to support the health and reliability of Internet operations in the US... [it] would be managed by a private board ...[and] cooperate with the Federal government." In the classical sense, a NOC is an operating center where all the relevant infrastructure components can be managed by the responsible parties (such as your ISP). Such an operating center is a good news/bad news situation: it can control everything under its purview, but can also provide a single point of attack/failure.
-- There are several recommendations that privacy is a major consideration throughout these efforts, recognizing the strong commentary that was received when this Strategy was first publicly reviewed earlier this year. For example, Recommendation R4-36 states that: "The Executive branch should consult regularly with privacy advocates ... to facilitate consideration of privacy and civil liberties concerns ... and to achieve solutions that protect privacy." This is a good beginning, although we still need to continue our vigilance with regard to the balance between privacy and security.
-- As always, the individual user is identified as a key participant in this whole effort. The increase in "always-on" internet connections such as DSL or cable have increased the level of risk, since many of the computers thus connected are completely unprotected. We recommend that you purchase and install a hardware firewall in you have such a connection. We installed the Netopia product several years ago, and there are now many more options.
-- Interestingly, none of the recommendations directly address the issue of product development and increased consideration of security issues during development. This is indirectly addressed through R&D and best practices recommendations. The recommendations are more directly addressed to IT departments and functions rather than the product development industry.
Whether you agree or disagree with the points raised in the document, it deserves some review and comment. It has broad scope and has the potential to have an impact on privacy and product development, in addition to its hoped-for impact on internet security.
I've had two people send me emails this week urging me to check my computer for the "virus" file, jdbgmgr.exe. Both people told me that after being advised to check their system, they found the "virus" and safely deleted it. Too bad for them; this virus warning is a hoax -- the file jdbgmgr.exe is a normal part of the windows operating system and should be left alone. When they delete this file, they're deleting the Java Debug Registrar module, which may be used by certain developers. You can restore this module using instructions at Microsoft's website: http://support.microsoft.com/default.aspx?scid=KB;en-us;322993&.
If you want to check out possible virus hoaxes in the future, go to: http://www.vmyths.com
It has excellent descriptions of many hoaxes that have appeared over the years. I use this site regularly to check warnings from helpful friends who think they've solved the virus war.
Best approach: If you haven't done so already, install a good virus protection program on your computer. I've used Norton Anti-Virus for years (http://www.symantec.com/nav/nav_9xnt/). There are several others, but I don't have recent first-hand experience with them. Whichever one you get, make sure you keep it updated using the virus subscription. See the "Security Tips" section later in this email.
Here's an interesting twist on email Spam -- a ploy to get you to unknowingly agree to the use of your address book to Spam your friends and associates.
Here's how it works. You receive an email inviting you to click on an embedded link to receive the greeting card that was sent to you by a friend (we've probably all gotten these kinds of emails; I've received my share of legitimate birthday cards, usually from www.bluemountain.com which appears to be just fine). In this case, however, when you click on the graphic saying that you have received an email card, you are directed to the friendlygreetings.com site, and then the fun begins. (You might have missed the fine print that said that you might have to download a viewer to view some of the cards). Anyway, once you get to the site, you are asked to sign a EULA (End User License Agreement) that looks innocuous; you know the kind: "I agree that this information is copyrighted and can't be copied...."
In this EULA, however, you are actually agreeing to allow email to be sent to people from your own address book: you have legally given away your rights and allowed your address book to be used to Spam other people! According to MSNBC news reports (link below), this technique was used to collect email addresses to build a database for a spammer to send out unsolicited emails.
Since this was covered in the news, this site has been taken down, but it does highlight a new technique available to folks who want to surreptitiously collect your email address and/or obtain your 'permission' to use other information on your system.
The result: don't accept any online agreement without reading the fine print, particularly if it's a site that you don't know well.
For the MSNBC news report, see: http://www.sophos.com/virusinfo/articles/greetings/html
For another description of this technique, see: http://www.truthorfiction.com/rumors/e-card.htm
While I would expect that most of you have already secured your systems, it's worth repeating a quick list of some DOs and DON'Ts.
-- DO install and run an anti-virus program such as Norton Anti-Virus.
-- DO keep your anti-virus program up-to-date with (at least) twice monthly updates. These can usually be done automatically with options available in the anti-virus program.
-- DO configure your email system and anti-virus program to automatically scan emails (I scan both incoming and outgoing emails just to make sure). If you can't configure your system in this fashion, investigate an upgrade so that you can.
-- DON'T open emails from people you don't know... you never can tell what payload it's packing.
-- DON'T open emails from people you do know that look "strange"... it could be an automated virus attack from someone you know who didn't take adequate precautions.
-- DO install a (preferably hardware) firewall device if you have an "always on" internet connection. I have had a Netopia for several years (www.netopia.com), but today there are less expensive solutions available from Netgear (www.netgear.com), D-Link (www.dlink.com), and Linksys (www.linksys.com). Check out a November 2002 review of such products in PC Magazine (Part I: http://www.pcmag.com/article2/0,4149,654618,00.asp; Part II: http://www.pcmag.com/article2/0,4149,644364,00.asp).
-- DO read the fine print (often called a EULA or End-User License Agreement) to make sure that you aren't accidentally signing away your address book or your first-born.
-- DO check out virus claims that come from your friends so that you don't fall for a hoax... your friends are more likely wrong than right. (see http://www.vmyths.com for more information).
-- DO perform a regular scan of your hard drive with your anti-virus software just to make sure you're not infected.
-- DO review the available security updates for your operating system (Windows, Unix, Macintosh, etc.) and keep your system as up-to-date as you can. This is admittedly a challenging task, given the large number of security "holes" that appear and the potential complexities/dangers involved in updating your operating system.
My kids are playing it; maybe your kids are too?
It's a new 3D "first-person shooter" war game published by ... the United States Army. You can download this game for free from http://www.americasarmy.com, play the game on Army-run public servers, connect back to the site for support or chat, and -- the point of it, we presume -- link to the Army's recruiting site at http://www.goarmy.com. To actually play the game (which runs online only), you have to go through a simulated "boot camp".
My sons (18 and 22) have been playing computer games since they could hit the keys on my old Televideo terminal connected to an Onyx computer, and can certainly be called seasoned aficionados of computer games. We still have an old Vic20 stored somewhere down in the cellar. They got Doom when it first came out and were thrilled when we got DSL (so that they could have good "ping" values in the online multi-player games).
The game (called "America's Army: Operations") is an online, multi-player game with two opposing teams: one for offense and one for defense. There are various scenarios that define the terrain and the specific objectives. You may be at an Alaskan oil-pumping station and your job is to shut it down (offense) or keep that from happening (defense). Another scenario involves crossing a bridge that is littered with bombed-out vehicles and is heavily defended. You can play either offense or defense, but -- regardless of which you choose -- it appears to you as if you are a US Army soldier and the other side is a camouflaged, guerilla-like opposing force. Any other recruiting tactics are pretty subtle; the only other visible piece of information is the "goarmy.com" link that can take you from the game directly to the Army's recruiting website.
Elements of the game are quite detailed, down to the M-16 rifle's frequently jamming; this means that you have to go through an extra procedure to "clear" the weapon -- extra time which could, of course, result in your dying. Some weapons have detailed reloading procedures, such as the machine gun, which requires that you check to make sure that you open the firing chamber to make sure it is clear before you put in the new belt of ammunition.
I've seen them playing it quite a bit, recently, even though they complain that the code is unstable and the servers crash regularly. According to their practiced view, the code is only "so-so." However, they also proclaim it to be a pretty decent game in terms of its action and presentation, and it's fun to play, in spite of the stability problems.
In case they get tired of this game, there is a new one on the horizon called "America's Army: Soldiers".
According to my older son: "I might as well play it because I already paid for it with my taxes!"
I just hope that the Army's "real" software is more stable than the game.
Some of you may recall that we were looking for an expert in water purification through an earlier email. Well, we did find such an expert, and we worked on a preliminary assessment for the client.
That client has licensed or developed technology that is integral to water purification approaches using Iodine as the disinfectant medium. If you do a lot of camping, you may be familiar with Iodine treatment and the problems that it has posed in the past. Iodine does a great job of killing the harmful "bugs" in the water. The problem is that too much Iodine can lead to thyroid problems such as goiter. Because of this, the treatment has been useful only for short duration usage, because (until now) there has not been an effective method to completely remove the Iodine once it has completed the disinfection.
My client appears to have an answer to this problem: their patented method claims to remove effectively all of the Iodine following the disinfection process, resulting in clean water that can be drunk with no repercussions from excess Iodine. We have completed a preliminary due-diligence of the company and the process and believe it has merit; some independent testing has been done and appears to confirm their claims. The company had originally thought to pursue a retail model for their product, but have since modified their approach to an OEM/Intellectual Property model (similar to what Dolby Enterprises has pursued with its recording technology). The company is currently in negotiations with one Fortune 500 company regarding the use of this Iodine removal technology, and has preliminary contact with a second company that is internationally-based.
This technology can be used in what are called "pitcher" devices: small, low-flow devices which can process a pitcher full of water for drinking or cooking, and is suitable for 2nd and 3rd world markets where bottled water (at prices approaching $.50/gallon) is the only approach for the residents. A device equipped with this technology has the potential to compete economically with existing costs and approaches.
The company is looking for bridge funding in the amount of roughly $500,000 dollars so that they can be in a better position to complete their marketing and negotiations. Additional venture funding would also be pursued with an amenable investor. The company has currently exhausted the sources of funding with which they are familiar and have asked me to give their request a wider audience.
If you know of someone (Angel investor or Venture Capitalist) who might be interested in obtaining more information, please email or call me directly.
This is one of an occasional mailing to people I know and respect. Feel free to ignore what doesn't interest you. I'll give you my best opinion, but your mileage may vary.
Have a great day!
edp consulting, inc.
3373 Guido Street
Oakland, CA 94602