Passing off opinions as fact

In the Wall street Journal on March 27, 2007 there was an article on page C12 called Microsoft's Brighter Vista. The point of the article is that while Vista is not selling well now, it may sell better in the future. The sub-title is “Soft Start for the System May Yield to Strength Ahead As Chip Glut Pares PC Costs”.

The starts out saying that Vista sales have been slow because Windows XP works well enough and hardly anyone will upgrade an existing computer from XP to Vista. Fine. But then regarding the “improvements” in Windows Vista the article says:

“Those that are important, such as easier searching and stronger security, do justify using Vista on a new PC….”

This is a matter of opinion all the way around, yet it is presented as fact. Whose to say which "improvements" are important and which are not? Who's to say what justifies Vista on a new PC? There is no one right answer and no consensus amongst us computer nerds. A non-technical business person, no doubt the standard WSJ reader, comes away with the wrong impression.

Also, changes in Vista from Windows XP are referred to as “improvements”. Is this a press release or an investment article? Sounds like a press release. Anyone who has used a computer knows that not all changes are improvements. Whether a change is an improvement is a matter of opinion. Again, opinion being offered as fact.

And speaking of facts that may not be facts, the article says that “20 million copies of Vista have been sold since the January launch”. I have seen this number disputed by someone more familiar with the details than I. However, whether the number is in dispute or not, since it comes from Microsoft, which has an obvious motivation to paint a rosy picture, it should be taken with a grain of salt. Yet, the authors state this number as fact without mentioning the source of the 20 million number.

The article predicts a wave of PC buying due to lower prices and that these sales will boost Vista since “most PCs now come with it loaded…”.

This gives the wrong impression. Pretty much all personal computers marketed to consumers come with Vista (think Kool-AID). However, Windows XP is alive and well in computers marketed to businesses. They still buy XP because of reasons explained below and they have the clout to get what they want. After all, no one would turn down an order for thousands of Windows XP computers.

The reason they say "most" and not "all" PCs come with Vista is that anyone can buy a new PC with Windows XP pre-installed, a fact that I fear too-few people know. In my opinion (note: this is not a fact) opting for XP instead of Vista is the right way to go (more below). If nothing else, it's the path of least resistance. And there are other choices in new computers besides XP and Vista: the Mac and Linux.

Since the point of the article is that Vista sales may take off, the reasons not to get Vista on a new computer are omitted. There are many such reasons:

• Software incompatibly
• Hardware incompatibility
• Inevitable bugs in new software
• The learning curve

Heck, just two days after this article appeared, Walter Mossberg answered a reader question in the same paper that started with: “I have just bought a new Dell Vista computer. None of my backup software now works”. Join the crowd guy. In his response, Mossberg complained about the lack of Vista-compatible drivers.

---

The choice of OS on a new computer brings up an interesting point. Since XP has been around for so long, will it be this generations QWERTY keyboard? That is, will it be a good enough, usable standard that everyone is familiar with, so much so that changing to something else, even something marginally better, just isn’t worth it? We’ll see.

---

The authors, Robert Cyran and Edward Chancellor don’t work for the Journal itself, they work for breakingviews.com an organization that claims on its website to offer “punchy, relevant, timely opinion to the world's financial elite.”

One of the credited authors has a background covering the pharmaceutical industry and a degree in economics. The other specializes in finance and investment. Perhaps not the best backgrounds for offering opinions on the pros/cons of a computer operating system.

Don't Forget a PS/2 Port

Keyboards and mice used to connect to computers via a PS/2 port. Its round and resembles an S-Video port. Now, most keyboards and mice connect to a computer using USB ports. The problem with USB ports is that you need a working copy of Windows to use them.

If Windows won't start up, us computer nerds often run diagnostic utilities, many of which are DOS based and run from a bootable CD disc. I just had to run the Sea Tools hard disk diagnostic program from Seagate on a computer with hard disk problems. But I couldn't. The DOS based utility would not recognize a USB keyboard and the computer had no PS/2 port to plug in a different keyboard.

The morale of the story: when buying a desktop computer, be sure to get at least one PS/2 port. If the computer is termed "legacy free" this is a bad thing, not a good thing.

WSJ article on running Windows on a Mac

This is a review of an article that appeared in the Wall Street Journal on March 20, 2007 called Apple Opens Doors by Running Windows by Nick Wingfield (only available to wsj.com subscribers). The subtitle is: Ability to handle Microsoft operating system may help macs make some inroads.

---

The article says that you need to buy a copy of Windows to use on a Mac. However, it does not say which version(s) of Windows. There are many versions of Windows as we all know, except apparently the author, who repeatedly refers to "Windows" as if it were a single thing without different versions/editions.

To fill in the blank, the Parallels virtual machine lets you run pretty much all versions of Windows on the Mac, even Vista. In fact, it also supports many versions of Linux and even other Operating Systems such as OS/2. The Boot Camp feature from Apple is very different. It only supports Windows XP Home and Professional. No Media Center edition. No Vista. In fact, it only supports the SP2 versions of XP. And, it only supports the more expensive "full" version of Windows XP, not the cheaper "upgrade version". As of March 23, 2007 CompUSA was selling the upgrade version of XP Home for $100 and the full version for $200. The upgrade version of XP Pro was $200, the full version was $300.

The article refers to VMware as new "virtualization" software and refers to Virtual PC as older "emulation" software. They are, in fact, both virtualization software and compete directly. Not to be too nerdy, but they both do emulation.

The article says both Parallels and VMware on Macs take advantage of Intel chips to make it easier to run Windows. A little of this is true, but it gives the wrong impression.

First, from the user point of view, the process of running Windows is the same whether the software takes advantage of Intel chips or not. There are new features in Intel processors specifically designed for virtual machine software. And giving hardware assistance to virtualization software is also done by new processors from AMD. If you have one of these new processors, and a version of virtualization software that is capable of exploiting the new features, then your virtual machines will run faster. What is made "easier" is the programming job of VMware and Parallels as the processor can now do some of the work the software used to have to do.

Omissions

OK, we're running both Windows and the Mac OS on the same computer. Can they share files?

What about the copy of Windows you run on the Mac? Does it have to be a new copy? Can you take the existing copy on an existing computer and run that on the Mac? If this interests you, read about the transporter feature of Parallels.

The terms Host Operating System and Guest Operating System are not used, let alone defined. They are necessary terms when discussion virtualization software.

What about Linux? Articles on Macs and Windows never mention Linux. Likewise, articles on Linux and Windows never mention Macs. Readers need some perspective.

Windows on a Mac was possible way back, before the switch by Apple to Intel processors. The company that actually developed what is now known as Virtual PC was Connectix. Microsoft bought them out and wasn't very interested in software that ran on Apple computers.

Done With D-Link

I will never buy another D-Link product again. Neither will any of my clients. They have been added to my Axis of Avoidance.

I say this based on an experience with an external USB WiFi network adapter, model DWL-G120. In brief:

On the first computer I tried it on, the adapter wouldn't even install. The first response from D-Link tech support was typically useless. I expected that. On the second computer, the software crashed while being installed. Still, on this machine at least, I did get Windows to recognize the adapter and Device Manager to say it was functional. But, it wouldn't connect to any WiFi network.

Then it turns out the adapter does not support WPA encryption despite the fact that the retailer (NewEgg) and D-Link both say that WPA is supported. I'm returning it to NewEgg based on this mis-representation.

Registering the adapter was also miserable. The online registration application doesn't work well, the questions they ask are extremely personal (like how much money do you make and what are your hobbies) and the registration web page is specifically designed to trick you into giving permission for them to spam you.

And uninstalling the D-Link software on the second machine was also a problem.

At my computergripes.com site, I've documented all the details about my DWL-G120 experience. But, in a nutshell, avoid D-Link.

More bad advice from Walter Mossberg

In the March 8, 2007 Mossberg Mailbox column in the Wall Street Journal, a reader asked how he could make sure that no one could piggyback on his WiFi wireless connection. Walter's response was:

"Turn on the password feature in your router, and don't tell anyone the password. You'll usually find the password setting in the installation software that came with the router."

Not quite.

When discussing wireless routers, there are two passwords. I can just imagine the poor reader of the newspaper changing the wrong password and thinking he is safe. False security is worse than no security.

The first password is needed to login to the router itself. Routers have internal websites that you use to make configuration changes, and access to the internal website requires a userid and password. This password has nothing to do with WiFi wireless signals/connections.

By the way, this password should be changed when a new router is installed because all the bad guys know the default passwords. I have an earlier posting on this blog about how important it is to change this router password.

The password that prevents someone from piggybacking on your wireless connection is referred to in all the technical literature as a "key". If the reader looks around the internal router website or the router documentation for a "password", he won't find this. All references to "passwords" refer to the first password, not to the key.

Not to get too technical, but this "key" relates to an encryption standard, either WEP (bad) or WPA (good) or WPA2 (good). And there are good keys and bad ones, an important concept omitted from the response.

So, which password was Mr. Mossberg referring to? Did he have the right concept and use the wrong term, or did he have the wrong concept and use the correct term? Beats me. The PC industry is too new to have a concept of malpractice, but if the shoe fits...

---

Update: On March 15, 2007 Mr. Mossberg issued a clarification. See Securing a Wireless Network. Certainly a step in the right direction, but...

Quoting: "To enable the encryption key, use the router's setup software to turn on security".

There are multiple mistakes in this sentence.

You enable encryption, you do not enable the encryption key. Encryption is the lock, without the lock, having a combination does nothing.

This ignores the fact that the older type of encryption, WEP, has multiple keys/passwords. Only the newer type (WPA) has a single key/password.

Once the router is working, there is no need to use its setup software. Instead you log in to the internal website in the router to make changes.

You don't "turn on security". What he meant to say was you turn on one of the three types of encryption. Routers have multiple types of security, a point he makes later. Mac address filtering, for example, is a security feature having nothing to do with encryption. So too, disabling remote administration, turning off UPnP and not broadcasting the SSID.

Quoting again: "On newer models, the strongest security system is called WPA..."

WPA is not a security system, it is an encryption system (see above). And, the strongest system is actually WPA2, not WPA.

There is a big omission here: for WPA and WPA2, the length of the key/password is critical. Short is bad, long is good. To encourage long keys/passwords you sometimes see references to a "pass phrase". This means the key/password can be an entire sentence. And it should be. A very long key/password is not an ongoing typing annoyance because it only has to be entered once on each computer that want to access the WiFi network. If your WPA key/password is "dog" or "rose" you have no defense at all from a determined bad guy.

And, WPA is not a single thing. There are multiple types of WPA and the people Mr. Mossberg claims to write for need to be told this. Simply put, home users want WPA-PSK. This is also called WPA Pre-Shared Key and WPA Personal. They do not want WPA with a RADIUS server.

Finally, anyone serious about WiFi security should turn off the WiFi network when not in use. There is an option in the router to turn off the radio transmitter that is the wireless network. No hacker can break into a network that doesn't exist.

Mr. Mossberg is loose or sloppy with words/terminology. When nerds are talking amongst themselves, they can be sloppy with terminology because they all understand anyway. But when writing for a non-technical audience, it is important to be very precise when describing something technical because they don't know the ropes.

And there is no excuse for making technical mistakes, something the editors at the Journal share the blame for. Apparently no one reviews his work.

Axis of Avoidance

The world of politics has an "Axis of Evil." While no computer company is evil in the George Bush sense of the word, there are companies that are consistently bad news. Let me suggest an IT Axis of Avoidance:

• Microsoft
• Dell
• Symantec
• Sony
• America OnLine
• D-Link

The less you have to deal with these companies, the better off you will be.

Windows Vista - Ask the right question

Ask not if you are ready for Windows Vista.
Ask if Vista is ready for your applications.

Home routers can be dangerous. VERY dangerous.

Most home users with a broadband connection have a router that sits between the cable or DSL modem and their computer(s). If that is you, read this carefully.

On second thought (thanks Leo) everyone should read this posting because the simple question of whether there is a router in your home/office sitting between you and the Internet is not the trivial question it used to be. Way back, broadband modems (cable and DSL) were separate pieces of hardware from routers. No more. So even if there is a single box between your computer(s) and the outside world, it may very well be both the modem and the router.

NOTE: This problem does not affect you if you have a single computer directly connected to a broadband modem that is only a modem and not also a router. Good luck figuring this out. It also does not effect dial-up users. It is very likely to apply to small businesses (large businesses probably have qualified techies configuring their routers). Both wired and wireless WiFi connections are equally vulnerable.

Just by looking at a web page, you can lose your life savings.

Let me explain. A malicious computer program can live inside a web page and run automatically when the page is viewed. This new type of malicious software will modify configuration settings in your router such that when you type in the name of your bank to go to its website, you will instead end up at the website of a bad guy imitating your bank. You enter the userid/password for your bank and the next day there is no money in your accounts.

Nothing is more dangerous than this on the Internet.

Every router has a website built into it that is used for configuring the dozens of options. To make configuration changes you log into this website with a userid/password (the router also has a default IP address that can be used to access its internal website) . For the malicious program to make changes to your router, it needs to know the userid/password. This is only possible if the default password was not changed when the router was installed. That is, if a good computer nerd installed the router you are safe. If your router is still using the default password, change it now!

How can the malicious program know the default userid/password for your router? How can it even know which router you have? It doesn't need to know your exact router model. There are only a handful of companies making the most popular routers. The default userid and password used by these companies is well known. All the program has to do is try them all. It's not a long list.

If you don't know the userid/password to log into your router, I can't stress how important it is to find out. In addition, you also need to know the internal IP address of the router so that you can access it with a web browser.

Let me re-state the problem to hopefully scare you into action. If you enter "www.citibank.com" into your web browser (or use a Favorite/Bookmark) then everyone knows you will go to Citibank's website. But, if you are the victim of this attack, it will not be true. You may end up at a website that looks exactly like Citibank's but is designed for the sole purpose of stealing your userid/password. Even worse, you may end up at the real bank website, but the bad guys could have set themselves up in between you and your bank. Thus, they see everything you enter and all seems perfectly normal because you are, in fact, actually dealing with your bank's website. Just not directly.
Not to pick on Citibank, they are just used as an example.

Computers on the Internet have a unique number assigned to them. They talk to each other using these numbers (us nerds call them IP addresses). Words and letters and names such as google.com or michaelhorowitz.com exist solely for the convenience of human beings. There is a huge system on the Internet called DNS that translates domain names into their corresponding numbers. Every time you ask for a website by name, your computer first contacts a DNS server machine to translate the name to the unique number. This happens so fast that you don't notice it.

The way this attack works is by changing the DNS server computers you use for translating names to numbers. Thus if www.citibank.com should translate to 1.2.3.4, the DNS computers of the bad guys would instead translate it to 88.55.11.99 (the numbers are just for illustration) which just so happens to be their identity theft website. Think of it as having a total stranger translating spoken languages. You can never be sure if the translation is accurate or not.

Adding to the danger of this attack is that it's undetectable. That is, anti-virus and anti-spyware software will not protect you. No files are put on your computer. In fact, no changes are made to your computer at all! Still worse, to review the settings in your router to see if anything has been changed, takes a computer nerd. Its too techie for normal people. As I said, this is as dangerous as dangerous gets.

Technically, this type of attack is known as pharming. Phishing refers to tricking a human being to go to the wrong website. Pharming involves tricking your computer to go to the wrong website.

The malicious program is written in a programming language called JavaScript. JavaScript programs live inside web pages and are executed by your web browser when you view a page. They are not executed by your operating system. This is not a Windows problem, it affects Macs and Linux too (any OS in fact).

You can disable JavaScript in your web browser, but it's not practical as so many web sites require it. You might however, consider using two web browsers and having JavaScript turned off in one of them and use this browser when visiting iffy websites. The Firefox browser has an optional NoScript extension that turns off JavaScript by default and then easily lets you enable it on a site by site basis. It's a very popular extension.

The following is a bit techie.

You can, and should, also protect your router by changing its IP address. This doesn't offer perfect protection, but does make it harder for the malicious software to find your router.

Another way to protect yourself is modifying the TCP/IP settings on your computer so that you don't get DNS services from your router. Let me explain:

Typically when your computer needs to translate a domain name to a number (IP address) it asks the router to do this and the router, in turn, talks to a dedicated DNS computer run by your ISP. A large organization may run their own DNS computers. The whole point here is that the bad guys can modify the router to talk to their DNS server.

Every ISP runs at least two dedicated DNS computers and they will be glad to provide their IP addresses (it's probably listed on the website of your ISP, this isn't a secret). My point here is to configure TCP/IP on your computer to talk directly to the DNS server of your ISP and avoid having the router acting as a middleman. Thus, even if the router is talking to a bad/compromised DNS server computer, you are not asking the router to do the DNS name-to-number translation.