Do the Anti-malware Companies really want to stop the malware?

July 8th, 2008

Sadly, I will have to say that with ONE exception it is a no.

A simple test of their products that only one company passed.

I went looking for any home version of their products that would run on any operating system other than windows. After all, while the Macs, GNU-Linux, openBSD, freeBSD, netBSD, pcBSD, desktopBSD, Solaris, HP/UX, Aix … based systems cannot get damaged by the windows viruses, the people using them do send files to people using windows. Those files can contain malware that the sender doesn’t know about. How could they know? It is next to impossible to find anti-malware software for home desktops, the most likely source for infected files to be transmitted to people on the vulnerable windows.

The options for Anti-virus for home users of these operating systems are two.

1) clam av, which unfortunately according to the latest testing results I know of, is only 43% effective.

2) AVG from Grisoft. They do have their proprietary, sale version only, software available for windows, macos and linux. They do have the avgfree for windows, but not for the other operating systems.

How did I run my little test? I contacted those AV companies that want people to contact them. [ no sign-up for membership / registration of product required to contact them, which is why Symantec / Norton weren't contacted. ]

McAfee never responded.

Comodo never responded.

AVG did, since I couldn’t find anything but windows links before contacting them.

Kaspersky did, when I complained they sent me a trial version link for windows and I don’t have windows. :D [ but Kaspersky's Linux version is the over-priced Corporate version, not a home system product so it's not actually one to be included as for home users. ]

Trend Micro, no way to contact them via their website.

Since most of the AV companies have shown they want you to be at risk, if you are using windows, give your support to the one company that has shown they want to actually stop the malware completely. If you are running a Mac or Linux system, support responsible software companies that really do show they want to do the job right. The companies with all versions of their product available for more operating systems than windows.

Browser and Website Insecurity

May 27th, 2008

Are you concerned about default browser security settings?
You should be, since malicious code can be on ANY website you visit.

The sad truth is that very few websites are written with security of YOUR confidential information in mind. How can we tell this? It is actually easy.
Check the lower right hand corner of your browser window, is the padlock symbol locked, or open?
Odds are, it is open. That means that the website is not using the Secure Sockets Layer to create an encrypted tunnel for all information passing between your computer and the server hosting the website. This enables anyone who has a packet sniffer to capture the entire data stream. Those intent on criminal activities have packet sniffers and actively look for information that should be kept confidential, like your user name and password. It is well known that 99% of people online use the same username and password for everything, so anyone with ill intent who gets such can then start accessing things like bank accounts, credit card accounts, etcetera.

What makes this lack of use of ssl in websites worse is the fact that EVERY browser ships with a list of trusted Certificate Authorities. Though, really, how well can you trust the word of a company that is only saying what they have BEEN PAID to say? After all, if a person is out to rip you off, they will rip you off, no matter what the Certificate Authority says about them, and that Certificate Authority is not responsible for your loss. I personally delete the list of Certificate Authorities from my browsers, since it is the person or company whose website I am visiting that I trust, or not. It does NOT matter which CA has issued the certificate for the ssl connection, they have nothing to do with the business you are contemplating purchasing from.

The second issue is that EVERY browser is BY DEFAULT enabling things that weaken website security, and expose YOU, the end user / site visitor to having confidential information stolen. I am referring to the use of FLASH, Javascript and Activex on websites. Though Activex is only functional if you are using a Windows based computer, the huge market share Microsoft has means that it is an issue for most people. Client-side scripting exposes application logic to malicious people, making it easier for them to CRACK the website and gain illegal access to information stored on it. We can’t forget, all three of these technologies have the ability to write to the hard drive, which means they can save malicious code on your system. Activex is worse though, it is a SYSTEM level technology on Windows, which means it has System Administrator access. That is total access. The second half of this issue is that after they have written the website script to run on the client’s system, the majority of website developers DO NOT bother to verify the information being submitted on the server before they process it. This means that malicious code embedded is executed by the server, possibly causing an exploit of the server in the process.

In essence, if any website that wants you to submit ANY information is not using ssl, then you should not submit any information to that website. If your BROWSER does not pop up a window about not knowing the Certificate Authority, then the people who wrote and configured the browser are TRYING to cause you harm.

That brings up the final point, message boxes or message bars. The two most popular browsers have both implemented the use of message bars across the top of the browser window. The silly thing is, that bar goes away in a few seconds, and is easily missed by the person using the computer. While message boxes get clicked away without being looked at, they still have a 50% effectiveness, while message bars can only have at most 25% effectiveness. So Microsoft’s Internet Explorer and Mozilla’s Firefox are BOTH trying to hide critical warnings from their users when they use the message bar instead of a message box.

To summarise, EVERY web browser is being sent out configured to ENABLE harm on their users from having a list of “Trusted” Certificate Authorities as well as from having client side scripting technologies enabled by default. Microsoft’s Internet Explorer and Mozilla’s Firefox being worse, in that they PURPOSELY try to hide critical security messages from you with those message bars. YOU, the END USER, need to start complaining to those responsible for these CRIMINAL acts if you really want to stop your confidential information from being exposed.

While I am slamming people for not using ssl on websites, I’ll accept the comments coming, from my own lack of ssl use here, with only this comment on the subject:

You do not have to submit any information to this website to read it, and if in reading it you start thinking about what you can do to protect your information better, then it is worth it. I chose not to enable ssl because there is no requirement for ANY visitor to give me ANY information anywhere, unless they choose to make a comment. Then they need to give a user name, password and email address, yet after reading this post, I doubt anyone will do so lightly.

Free Credit Reports …. Really?

May 14th, 2008

I have not looked at the Free Credit Report services offered in different countries, but the one I just saw for here in Canada is just plain wrong.

freecreditreportsincanada

A website offering this service to us Canadians. They REQUIRE that you give them your credit card information… well, ok, that will help to get credit rating. Hold it a second, the page to put the information about the credit card is on the HTTP protocol, not the secured HTTPS.

The Lawyer that owns the site obviously is a shady one. She is PROMOTING both Credit Card Fraud and Identity Theft.

Well, I blasted them directly calling them stupid thieves for not using ssl for handling credit card details.

Then I reported them to the Local RCMP Headquarters, for Montreal Quebec.

It’s only “free” for 7 days anyways, after that they charge you 29.95 a month. And the only way to avoid this recurring charge is to PHONE THEM, within that 7 day period.

so it isn’t free even if they don’t cost you EVERYTHING by their lack of security.

I bet that if you look at the other services you will find many, if not all, of these issues are there as well.

bunch of criminals they are.

here, the whois search results for the domain:

http://www.whois.net/whois_new.cgi?d=freecreditreportsincanada&tld=ca

Personal news update

April 8th, 2008

I have been busy for the last while, in getting everything set up to run my own web hosting business.

The url for this company is http://runic-hosting.com

because of server configuration changes for this new venture, I had to re-publish the entire history of the blog.

all trackbacks to specific entries have been broken because of this. :(

the change, and re-organization of the site also cost all the comments on posts. :(

Proprietary Software Houses Support for Linux

April 8th, 2008

Why is this not happening?
Well, let’s see, right now they have 2 separate code bases for their applications, one for Windows and one for Macos. They do not want to add a third code base.

I can understand that, I wouldn’t want to have three times the workload to have my application run on three operating systems.

There is yet another issue though, and it’s one that would slip by most people.
It is that most Linux distributions have customized the FHS, making it harder for anyone to develop a distribution agnostic application than it should be.
Some distros implement the /srv folder tree. Some don’t. Most implement the /media folder, which is confusing to MS people, since such a folder means to them STORE MEDIA FILES, LIKE AUDIO, IMAGES AND VIDEO HERE not storage media.

Maybe the Free Software Foundation should pull their heads out of THEIR asses and look at how the FHS drives software companies away from supporting GNU-Linux with its completely confusing use of folder names and dismal lack of detailed specifications for such items as codec storage. I have been discussing the location of video codecs on Mandriva 2008 64 bit with Mandriva, they have zero documentation on such information, and what little response I get from the forum admins ignores the reality of compiled in paths not existing insanity.
[ they keep telling me to use a path that does not exist, so would not be in the applications path data, the applications do not have the path option in the settings dialogues and refuse to tell me EXACTLY where they store codecs by default.]

But, the first point, multiple code bases and huge amounts of labour to support multiple operating systems. That is an entirely reasonable issue, until you look at one simple point:
There are no less than 3 widget sets that are cross platform.
1. Q.T. [ http://trolltech.com ]
2. G.T.K. [ http://www.gtk.org ]
3. WxWidgets. [ http://www.wxwidgets.org ]

Each of the three widget sets has its own unique drawbacks and benefits.

One of the biggest benefits to using GTK is its License:
Licensed under the GNU LGPL 2.1 allowing development of both free and proprietary software with GTK+ without any license fees or royalties.

The drawback is that anyone using Windows would have to get and install the gtk libraries to use the applications requiring it.

QT is the widget set used for the KDE often mentioned for Linux. It also happens to be the widget set used as the foundation for Delphi widgets originally. It is available under the GNU-GPL for non MS Windows systems, and a commercial license version for MS Windows systems. That Commercial License is also available for the non Windows systems.

Both of the above have the next issue in common, the original issue, a code base for each os to be supported required. They do not have tools that will handle creating the os specific code needed for your application.
[ the windows IDE will only handle Windows code etc. ]

WxWidgets gets rid of the multiple code base problem. It’s lacking in a few things, like a single IDE for all operating systems. It seems no-one has yet written a good IDE using WxWidgets ;) and made it available for all operating systems. Code::Blocks is a wxwidgets based IDE, and is available for most operating systems, yet getting it to run on linux is a pain in the butt.
[ those distro centric customisations I mentioned above ]

With the single code base all os support of WxWidgets, there is one other issue, the widget set is bloated. They have their system create operating system specific calls for every os you choose to enable support for in the project code. Fortunately, the compiled binaries are stripped of code for other operating systems, so the “bloat” only exists in the source code and widget set. Since WxWidgets will use MFC widgets in a windows executable, Cocoa in OSX executable, GTK or QT in every other OS executable, the bloat never hits the end user product.

Ahh, just checked the other possible issue for WxWidgets, which is License issue. Here is what WxWidgets says:

wxWidgets is currently licensed under the “wxWindows Licence” pending approval of the “wxWidgets Licence” which will be identical apart from the name.

The wxWindows Licence is essentially the L-GPL (Library General Public Licence), with an exception stating that derived works in binary form may be distributed on the user’s own terms. This is a solution that satisfies those who wish to produce GPL’ed software using wxWidgets, and also those producing proprietary software.

So, other than the lack of a good, CROSS PLATFORM, IDE for working with WxWidgets, there is no reason not to use them for software development of cross platform applications.

What about Java for cross platform development?
Well, only if you are stupid is that an option.
I installed Sun’s Java to attend a webinar, it IMMEDIATELY caused a 50% reduction in system performance.
[ I removed Java, it's not acceptable to have that happen, specially on a dual core 2.4GHz 64 bit system. ]
Java is bloated in its design, and EVERY Java application is bloated because of the language failings.

A missed question..

April 8th, 2008

In his security blog entry Bolted-on security features aren’t secure Chad Perrin missed one of the important implications of my own blog post: Microsoft breaking the law again?

If Microsoft uses the capability of sending data from any windows system to themselves without notification to the end user, without authorization by the end user, for the WGA/MGA program, where else are they using it?
Are they not most likely also using it to collect information they have no legal right to?

How many companies has Microsoft had windows send them client lists or accounting databases from in this manner?

I don’t really care if the WGA/MGA program collects and sends data to Microsoft, since I don’t use windows, or any other MS products, the problem of it being possible and the high probability that MS has used that elsewhere is what is the biggest issue. The issues Chad raises are all excellent ones, and ones that should be addressed by anyone looking at replacing any software, maybe they will help to push people into moving away from MS based software.

[ Architects being the only industry screwed over and forced to use windows based software, since Autodesk is screwing them by only having the ubiquitous Autocad run on windows, even worse, it uses the .net framework, making it a guarantee that it will never run on anything but windows. ]

I’ve known Chad for a few years now, originally as apotheon on CNET’s TechRepublic. While we have our disagreements on some things, I generally find his opinion to be worth listening to.

Microsoft Breaking the law again?

April 8th, 2008

get yourself your handy hex editor, like the one that comes with MS Visual Basic.

fire it up and open the file open dialog.

browse to the windows\system32 folder

select the LegitCheckControl.DLL in there.

open it up.

reading the partial english in the right column, look for the LegitCheckWWd

read from there to where it displays SupressWarning.

That one section of the file logs in as administrator, if you are not, turns off warnings, collects data from your computer, sends that data to Microsoft, then turns warnings back on and logs off as administrator.

I could put all 4832 html pages of the file up and let you browse through them to find it, but it would be meaningless, since I could have inserted that into what I post. find it in the file on Your LEGIT version of Windows with MS Office installed.

Then decide, is Microsoft committing the same criminal act they were penalized for by the US Courts with the Windows 98 Update issue of sending information to themselves when you ran windows update in windows 98?
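The manual search in the steps above can also be scripted, as an added example that is not part of the original post or any Microsoft tooling: the Python below pulls printable ASCII and UTF-16LE strings out of a binary and returns the ones lying between the two markers named in the steps. The byte string is a constructed stand-in, not contents of the real DLL, and the function names are assumptions.

```python
import re

MIN_LEN = 4  # shortest run treated as a string (assumed threshold)

# Windows binaries commonly hold text both as ASCII and as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed sample bytes; only the two marker names come from the post.
SAMPLE = (
    b"\x01\x02" + b"LegitCheckWWd" + b"\x00\x00"
    + "ExampleSetting".encode("utf-16-le") + b"\x00\x00\x07"
    + b"ExampleValue" + b"\x00"
    + b"SupressWarning" + b"\x00"
    + b"AfterSection" + b"\x00"
)


def extract_strings(data):
    """Return (offset, text) for every printable run, in file order."""
    found = [(m.start(), m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(data)]
    return sorted(found)


def strings_between(data, start_marker, end_marker):
    """Strings from the first containing start_marker through the next
    containing end_marker; empty list if either marker is not reached."""
    section, inside = [], False
    for offset, text in extract_strings(data):
        if not inside and start_marker in text:
            inside = True
        if inside:
            section.append((offset, text))
            if end_marker in text:
                return section
    return []


if __name__ == "__main__":
    # For a real file, read it in binary mode instead of using SAMPLE,
    # e.g. data = open(path, "rb").read() with path chosen by the reader.
    for offset, text in strings_between(SAMPLE, "LegitCheckWWd", "SupressWarning"):
        print(f"{offset:#010x}  {text}")
```

The output is only the text embedded in that region, with file offsets that can be compared against the hex editor view.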

A Thought about Proprietary Software

April 8th, 2008

I can only see one reason that proprietary software companies, like Microsoft, Adobe, Corel and Autodesk do not release the source code for their products. Nope, it’s not as they say, to protect their intellectual property, it’s because they must have something to hide. After all, if they didn’t have anything to hide, like MALWARE embedded into their product(s) they would release the source code.

The recent Court decision supporting the claim of the busybox developers against a proprietary software company shows that intellectual property is protected when the software in question is open source, which kind of ruins the claim that keeping it proprietary is to protect intellectual property.

http://www.theinquirer.net/gb/inquirer/news/2007/10/31/monsoon-settles-busybox

http://www.softwarefreedom.org/news/2007/oct/30/busybox-monsoon-settlement/

GNU-GPL Version 3 says G.N.O.M.E., Samba are in violation.

April 8th, 2008

Since Richard Stallman and the FSF are so dead set against proprietary technology in an open source package, that would mean that Samba and G.N.O.M.E. violate the GNU-GPL V3 because of the anti-drm stance.
http://www.infoworld.com/article/06/01/23/74618_04OPopenent_1.html
http://www.theregister.co.uk/2006/04/15/lessig_stallman_drm/
http://www.gnu.org/philosophy/can-you-trust.html

Samba duplicates a PROPRIETARY protocol. [ Microsoft's smb protocol ]

G.N.O.M.E. requires this proprietary protocol to function.

Didn’t I hear somewhere that Richard Stallman actually uses the G.N.O.M.E. Desktop Environment?
I guess he will have to remove his preferred ui to be in accordance with the GNU-GPL Version 3.

I guess that RHEL, Fedora-core, Centos, Ubuntu, … will have to be completely rebuilt to remove this GNU-GPL V3 violating software.

I am not promoting the use of proprietary technology, I myself do not use any software that is not open source, nor do I use any that requires any proprietary technology where I have the option. My wireless NIC has binary roms for it, though the drivers are GNU-GPL code. [ Ralink's open source drivers on serialmonkey.com ]

I guess NDISwrapper, wine, crossover office will have to be removed, they promote the use of proprietary technologies, in direct violation of Richard Stallman’s stand on proprietary technology on Linux*.

I personally will continue to develop open source software, and use the CCD Copywrite as it is less restrictive than the GNU-GPL in end use, while still requiring open source software to remain open source.
[ http://ccd.apotheon.org/ ]

UPDATE: December 21, 2007:

Microsoft and the Samba development group have reached an agreement where MS gives the documentation for the smb protocol to the Samba group, so this issue is now dead and buried.

The news article:

http://www.networkworld.com/news/2007/122007-microsoft-samba-windows.html?page=1

* Linux being the name of the kernel itself, GNU-Linux being the name of the operating system commonly misnamed Linux.

The insanity of hardware is cheap

April 8th, 2008

Yes, this is an insane concept for developers to have.
It is used by developers that fit into one of two groups:

1) INCOMPETENT
2) LAZY

They are either incapable of writing good code, which is why they say hardware is cheap, or they are too lazy to write good code, so they say hardware is cheap.

The reality is, why would anyone, or any company, want to buy your software, if it means they will have to buy new computer(s) to run it?
They wouldn’t.

The hardware is cheap concept is the absolute worst one any software developer could hold. Since Java is designed around this model, anyone advocating the use of Java is saying they buy into the hardware is cheap model, so they are either lazy or incompetent. Either way, their software is not ready for use, not until they wipe the concept that hardware is cheap out of their minds.