Archive for the ‘Software Development’ Category

Do the Anti-malware Companies really want to stop the malware?

Tuesday, July 8th, 2008

Sadly, I will have to say that with ONE exception it is a no.

A simple test of their products that only one company passed.

I went looking for any home version of their products that would run on any operating system other than windows. After all, while the Macs, GNU-Linux, openBSD, freeBSD, netBSD, pcBSD, desktopBSD, Solaris, HP/UX, Aix … based systems cannot get damaged by the windows viruses, the people using them do send files to people using windows. Those files can contain malware that the sender doesn’t know about. How could they know? It is next to impossible to find anti-malware software for home desktops on these systems, the most likely source of infected files being transmitted to people on the vulnerable windows.

There are two options for anti-virus for home users of these operating systems.

1) ClamAV, which unfortunately, according to the latest testing results I know of, is only 43% effective.

2) AVG from Grisoft. They do have their proprietary, sale version only, software available for windows, macos and linux. They do have the avgfree for windows, but not for the other operating systems.

How did I run my little test? I contacted those AV companies that want people to contact them. [ no sign-up for membership / registration of product required to contact them, which is why Symantec / Norton weren't contacted. ]
McAfee never responded.

Comodo never responded.

AVG did, since I couldn’t find anything but windows links before contacting them.

Kaspersky did, when I complained they sent me a trial version link for windows and I don’t have windows. :D [ but Kaspersky's Linux version is the over-priced Corporate version, not a home system product so it's not actually one to be included as for home users. ]

Trend Micro: no way to contact them via their website.

Since most of the AV companies have shown they want you to be at risk, if you are using windows, give your support to the one company that has shown they want to actually stop the malware completely. If you are running a Mac or Linux system, support responsible software companies that really do show they want to do the job right: the companies with all versions of their product available for more operating systems than windows.

Browser and Website Insecurity

Tuesday, May 27th, 2008

Are you concerned about default browser security settings?
You should be, since malicious code can be on ANY website you visit.

The sad truth is that very few websites are written with security of YOUR confidential information in mind. How can we tell this? It is actually easy.
Check the lower right hand corner of your browser window: is the padlock symbol locked, or open?
Odds are, it is open. That means that the website is not using the Secure Socket Layer to create an encrypted tunnel for all information passing between your computer and the server hosting the website. This enables anyone who has a packet sniffer to capture the entire data stream. Those intent on criminal activities have packet sniffers and actively look for information that should be kept confidential, like your user name and password. It is well known that 99% of people online use the same username and password for everything, so anyone with ill intent who gets such can then start accessing things like bank accounts, credit card accounts, etcetera.

What makes this lack of use of ssl in websites worse is the fact that EVERY browser ships with a list of trusted Certificate Authorities. Though, really, how well can you trust the word of a company that is only saying what they have BEEN PAID to say? After all, if a person is out to rip you off, they will rip you off, no matter what the Certificate Authority says about them, and that Certificate Authority is not responsible for your loss. I personally delete the list of Certificate Authorities from my browsers, since it is the person or company whose website I am visiting that I trust, or not. It does NOT matter which CA has issued the certificate for the ssl connection; they have nothing to do with the business you are contemplating purchasing from.

The second issue is that EVERY browser is BY DEFAULT enabling things that weaken website security, and expose YOU, the end user / site visitor, to having confidential information stolen. I am referring to the use of FLASH, Javascript and Activex on websites. Though Activex is only functional if you are using a Windows based computer, the huge market share Microsoft has means that it is an issue for most people. Client-side scripting exposes application logic to malicious people, making it easier for them to CRACK the website and gain illegal access to information stored on it. We can’t forget, all three of these technologies have the ability to write to the hard drive, which means they can save malicious code on your system. Activex is worse though: it is a SYSTEM level technology on Windows, which means it has System Administrator access. That is total access. The second half of this issue is that after they have written the website script to run on the client’s system, the majority of website developers DO NOT bother to verify the information being submitted on the server before they process it. This means that embedded malicious code is executed by the server, possibly causing an exploit of the server in the process.

In essence, if any website that wants you to submit ANY information is not using ssl, then you should not submit any information to that website. If your BROWSER does not pop up a window about not knowing the Certificate Authority, then the people who wrote and configured the browser are TRYING to cause you harm.

That brings up the final point: message boxes or message bars. The two most popular browsers have both implemented the use of message bars across the top of the browser window. The silly thing is, that bar goes away in a few seconds, and is easily missed by the person using the computer. While message boxes get clicked away without being looked at, they still have a 50% effectiveness, while message bars can only have at most 25% effectiveness. So Microsoft’s Internet Explorer and Mozilla’s Firefox are BOTH trying to hide critical warnings from their users when they use the message bar instead of a message box.

To summarise, EVERY web browser is being sent out configured to ENABLE harm on their users from having a list of “Trusted” Certificate Authorities as well as from having client side scripting technologies enabled by default. Microsoft’s Internet Explorer and Mozilla’s Firefox being worse, in that they PURPOSELY try to hide critical security messages from you with those message bars. YOU, the END USER, need to start complaining to those responsible for these CRIMINAL acts if you really want to stop your confidential information from being exposed.

While I am slamming people for not using ssl on websites, I’ll accept the comments coming, from my own lack of ssl use here, with only this comment on the subject:

You do not have to submit any information to this website to read it, and if in reading it you start thinking about what you can do to protect your information better, then it is worth it. I chose not to enable ssl because there is no requirement for ANY visitor to give me ANY information anywhere, unless they choose to make a comment. Then they need to give a user name, password and email address, yet after reading this post, I doubt anyone will do so lightly.

Proprietary Software Houses Support for Linux

Tuesday, April 8th, 2008

Why is this not happening?
Well, let’s see, right now they have 2 separate code bases for their applications, one for Windows and one for Macos. They do not want to add a third code base.

I can understand that, I wouldn’t want to have three times the workload to have my application run on three operating systems.

There is yet another issue though, and it’s one that would slip by most people.
It is that most Linux distributions have customized the FHS (Filesystem Hierarchy Standard), making it harder for anyone to develop a distribution agnostic application than it should be.
Some distros implement the /srv folder tree, some don’t. Most implement the /media folder, which is confusing to MS people, since such a folder means to them STORE MEDIA FILES, LIKE AUDIO, IMAGES AND VIDEO HERE, not storage media.

Maybe the Free Software Foundation should pull their heads out of THEIR asses and look at how the FHS drives software companies away from supporting GNU-Linux with its completely confusing use of folder names and dismal lack of detailed specifications for such items as codec storage. I have been discussing the location of video codecs on Mandriva 2008 64 bit with Mandriva; they have zero documentation on such information, and what little response I get from the forum admins ignores the reality of the compiled-in-paths-not-existing insanity.
[ they keep telling me to use a path that does not exist, so would not be in the applications path data, the applications do not have the path option in the settings dialogues and refuse to tell me EXACTLY where they store codecs by default.]

But the first point, multiple code bases and huge amounts of labour to support multiple operating systems: that is an entirely reasonable issue, until you look at one simple point:
There are no fewer than 3 widget sets that are cross platform.
1. Qt [ http://trolltech.com ]
2. GTK [ http://www.gtk.org ]
3. wxWidgets [ http://www.wxwidgets.org ]

Each of the three widget sets has its own unique drawbacks and benefits.

One of the biggest benefits to using GTK is its license:
Licensed under the GNU LGPL 2.1 allowing development of both free and proprietary software with GTK+ without any license fees or royalties.

The drawback is that anyone using Windows would have to get and install the gtk libraries to use the applications requiring it.

Qt is the widget set used for the KDE often mentioned for Linux. It also happens to be the widget set used as the foundation for Delphi widgets originally. It is available under the GNU GPL for non-MS-Windows systems, and as a commercial license version for MS Windows systems. That commercial license is also available for the non-Windows systems.

Both of the above have the next issue in common, the original issue: a code base is required for each OS to be supported. They do not have tools that will handle creating the OS-specific code needed for your application.
[ the windows IDE will only handle Windows code etc. ]

wxWidgets gets rid of the multiple code base problem. It is lacking in a few things, like a single IDE for all operating systems. It seems no-one has yet written a good IDE using wxWidgets ;) and made it available for all operating systems. Code::Blocks is a wxWidgets based IDE, and is available for most operating systems, yet getting it to run on linux is a pain in the butt.
[ those distro centric customisations I mentioned above ]

With the single code base, all-OS support of wxWidgets, there is one other issue: the widget set is bloated. They have their system create operating system specific calls for every OS you choose to enable support for in the project code. Fortunately, the compiled binaries are stripped of code for other operating systems, so the “bloat” only exists in the source code and widget set. Since wxWidgets will use MFC widgets in a windows executable, Cocoa in an OSX executable, and GTK or Qt in every other OS executable, the bloat never hits the end user product.

Ahh, just checked the other possible issue for wxWidgets, which is the license issue. Here is what wxWidgets says:

wxWidgets is currently licensed under the “wxWindows Licence” pending approval of the “wxWidgets Licence” which will be identical apart from the name.

The wxWindows Licence is essentially the L-GPL (Library General Public Licence), with an exception stating that derived works in binary form may be distributed on the user’s own terms. This is a solution that satisfies those who wish to produce GPL’ed software using wxWidgets, and also those producing proprietary software.

So, other than the lack of a good, CROSS PLATFORM, IDE for working with wxWidgets, there is no reason not to use it for software development of cross platform applications.

What about Java for cross platform development?
Well, only if you are stupid is that an option.
I installed Sun’s Java to attend a webinar, it IMMEDIATELY caused a 50% reduction in system performance.
[ I removed Java, it's not acceptable to have that happen, specially on a dual core 2.4GHz 64 bit system. ]
Java is bloated in its design, and EVERY Java application is bloated because of the language failings.

A missed question..

Tuesday, April 8th, 2008

In his security blog entry “Bolted-on security features aren’t secure”, Chad Perrin missed one of the important implications of my own blog post “Microsoft breaking the law again?”

If Microsoft uses the capability of sending data from any windows system to themselves, without notification to the end user and without authorization by the end user, for the WGA/MGA program, where else are they using it?
Are they not most likely also using it to collect information they have no legal right to?

How many companies have had windows send Microsoft their client lists or accounting databases in this manner?

I don’t really care if the WGA/MGA program collects and sends data to Microsoft, since I don’t use windows, or any other MS products; the problem of it being possible, and the high probability that MS has used that elsewhere, is the biggest issue. The issues Chad raises are all excellent ones, and ones that should be addressed by anyone looking at replacing any software; maybe they will help to push people into moving away from MS based software.

[ Architects being the only industry screwed over and forced to use windows based software, since Autodesk is screwing them by only having the ubiquitous Autocad run on windows, even worse, it uses the .net framework, making it a guarantee that it will never run on anything but windows. ]

I’ve known Chad for a few years now, originally as apotheon on CNET’s TechRepublic. While we have our disagreements on some things, I generally find his opinion to be worth listening to.

Microsoft Breaking the law again?

Tuesday, April 8th, 2008

Get yourself your handy hex editor, like the one that comes with MS Visual Basic.

Fire it up and open the file open dialog.

Browse to the windows\system32 folder.

Select the LegitCheckControl.DLL in there.

Open it up.

Reading the partial English in the right column, look for the LegitCheckWWd.

Read from there to where it displays SupressWarning.

That one section of the file logs in as administrator, if you are not, turns off warnings, collects data from your computer, sends that data to Microsoft, then turns warnings back on and logs off as administrator.

I could put all 4832 html pages of the file up and let you browse through them to find it, but it would be meaningless, since I could have inserted that into what I post. Find it in the file on Your LEGIT version of Windows with MS Office installed.

Then decide, is Microsoft committing the same criminal act they were penalized for by the US Courts with the Windows 98 Update issue of sending information to themselves when you ran windows update in windows 98?

The insanity of hardware is cheap

Tuesday, April 8th, 2008

Yes, this is an insane concept for developers to have.
It is used by developers that fit into one of two groups:

1) INCOMPETENT
2) LAZY

They are either incapable of writing good code, which is why they say hardware is cheap, or they are too lazy to write good code, so they say hardware is cheap.

The reality is, why would anyone, or any company, want to buy your software, if it means they will have to buy new computer(s) to run it?
They wouldn’t.

The hardware is cheap concept is the absolute worst one any software developer could hold. Since Java is designed around this model, anyone advocating the use of Java is saying they buy into the hardware is cheap model, so they are either lazy or incompetent. Either way, their software is not ready for use, not until they wipe the concept that hardware is cheap out of their minds.

Standards Compliancy in Website Design / Development

Tuesday, April 8th, 2008

I know, this subject has been covered in depth on many blogs, and on many other sites, but as long as sites are not being written to be standards compliant, it won’t die out.

Most business websites are “designed” to answer the following 5 points, with no consideration of website standards.

1. How do we increase revenue?
2. How do we reduce expenses?
3. How do we bring in more customers?
4. How do we get more business out of each existing customer?
5. How do we increase shareholder value?

To answer them, pointing out the benefits of standards compliant websites:

1. How do we increase revenue?

A well written standards compliant website is accessible by everyone, even those who have to use assistive technologies like screen readers. A.J.A.X. and most “Web 2.0” technologies don’t play nice with these technologies.

2. How do we reduce expenses?

A standards compliant website doesn’t have that huge data transfer bill hitting you every month, they tend to use far less data transfer than non-compliant websites. They also play nice with search engine robots, allowing the website to be indexed properly, improving the effectiveness of your SEO and advertising [ Google keywords etc ] for your website, making a lower expense on the advertising feasible.

3. How do we bring in more customers?

Quit driving people away from your business and website with a site that is not accessible.

4. How do we get more business out of each customer?

The short answer: better customer service as well as a better customer experience when they are making a purchase from you. A standards compliant website is easy to use, accessible by all, and isn’t cluttered with extraneous cruft. [ yahoo.com is cluttered, google.com isn't; look at both as the interface for doing a web search and you will find google has done it right. ]

5. How do we increase shareholder value?

When the sales / service revenues are increasing, then the shareholder value increases along with it. If a company website is designed and developed to be accessible, secure and look good, then your internet site expenses are giving a very large return on investment; it can get as high as 3000% [ yes, three thousand ].

An additional point to remember, if a company cannot be bothered to meet the standards for website design and development, why would anyone trust them to meet the standards for their products? I would never trust a building contractor that has a non standards compliant website. I would never trust any company that can’t meet standards that apply in ALL aspects of their business operation. A non compliant website says to people that the company doesn’t meet any standards they are supposed to in any fashion whatsoever. [ Microsoft® is an excellent example, not one Microsoft® product meets the ISO standards set out for software. ]

Impact of Open Source Software

Tuesday, April 8th, 2008

We have all heard the term “Open Source” and most of us have used at least one open source program, but what is the real impact of open source software?

According to the European Union’s Enterprise and Industry report it is quite substantial ( see http://ec.europa.eu/enterprise/ict/studies/publications.htm for the Economic Impact Final Report, downloadable from there; I have also made it available at http://jaqui-greenlees.net/files/2006-11-20-flossimpact.pdf, to save the EU the data transfer ). This report, while an in depth study, is focussed solely on the economic impact and ignores several key areas, while only lightly covering others.

The impact of Free / Libre Open Source Software on innovation and improvement in software is mentioned, but they don’t really cover some of the more significant events recently, mostly because the report was finalized before the events occurred. One of the most significant was the release of Microsoft’s ® Internet Explorer 7 ®. The new features included in this product are a direct response to the success of the open source browser Mozilla Firefox. MS ® also included support for the open source gecko rendering engine that Firefox uses, for both its speed and its ability to handle Standards Compliant website scripts, which IE ® is known for failing miserably at.

The most important area that the EU report doesn’t really cover is the social impact that open source software has. Open Source Software has a huge social impact, for the simple reason of it is a community effort to develop open source software. The social and political borders that have limited “community” style interactions in the past were destroyed in the open source community. It doesn’t matter where someone comes from in the world, what their education is, what their political stand is, or religion.* What matters is who you are and what you can contribute. As Linus Torvalds has always said: “Show me the code”, his recent actions in submitting patches to the GNOME project to address some of the problems he commented on with GNOME are an example of this attitude. When he was asked for input on how to fix GNOME he just gave them “the code” to fix them, living up to the words he has used for years.

The open source community is comfortable with using collaboration tools online, and working with people from all over the world, the number of languages supported by open source software would not be as great as it is without the efforts of people who know these languages in translating the documentation, allowing for software coded right to display messages, menus and content in the end user’s language of choice.

Free / Libre Open Source Software is one half of the driving forces in the Global Community that has started ending the threat of another World War. Will anyone be willing to go to war with another country when the people in those countries are regularly in collaboration online? Or in communication? A few short years ago it would have been unusual to find yourself in a discussion with someone on the other side of the planet about their local legal system, or the social scene in their town. Now, it’s common.

What? You don’t think Free / Libre Open Source Software had anything to do with that? Sorry, it did. F.L.O.S.S. is still the driving power of the internet, which is the other half of the equation in the Global Community.

Oh, no, Microsoft ® did not invent the internet, it was around in two different incarnations before Microsoft ® even started selling DOS. Microsoft ® did make it more popular when they integrated IE ® with Windows 95 ® making it far simpler for the average person to get online.

Instead of spending 90% of your time online doing the social web thing and blogging, use your preferred search engine and research the history of the internet and open source software: 60% of what Microsoft ® has done in the last 10 years is battle to keep up with open source software. A battle they are doomed to lose; not even Microsoft ® can afford to pay 20 million programmers to be at work 24 hours a day, seven days a week, which is a rough estimate of the number of people actively volunteering their time and effort to an open source project at any given time.

* the religious wars over vi/emacs, gnome/kde, linux/*bsd, grub/lilo excepted ;)

SQL Injection Exploit

Tuesday, April 8th, 2008

This exploit is caused by one thing and one thing only: the script author’s screwup.
Any website script that does not, by default, treat all site visitor input as dangerous is vulnerable to such an attack.

The only thing that can be done is to use scripts that do not pass SQL from within a user’s post to the database engine. They should instead mark such input as code or a quote and put it into the database as text in the “comment” section of the table, so that when the page displays, the user’s attempt to exploit the database engine by injecting SQL is shown in the post rather than actually being processed by the database engine. This, along with server logs, can be used as evidence in a court of law of the user’s attempted criminal activity. It also will very quickly stop others from attempting the same thing, as they can see that the attempt will fail and be publicly displayed as such.