Manly’s Blog

Things that pour out of my head when I’m not looking..

Archive for June, 2004

Are you safe? (Think again)

10th June 2004

I have been thinking a lot lately about the situation with computer trojans, hacks, exploits and various viruses that are running around in the wild.

It amazes me that people take so few precautions with the computer systems that control their livelihood or their sensitive personal data. Even people that I have worked with who were outstanding in their own right (but not so literate when it came to computers) took no precautions with their own computer systems.

I just don’t understand it.

Microsoft is of course not blameless. In the effort to make computers more accessible to the masses they have spawned a world full of wizards, automatic configurations and openness that only fosters exploitation.

I have said for years that Microsoft should ship their operating systems in a hardened state. The user should then have to RTFM or hire someone knowledgeable in the field if they wish to open up their system more (i.e. run a web server, mail server, or other software on their PC or connect directly to the Internet without the firewall turned on). Only with Windows XP Service Pack 2 will they finally turn on the built-in firewall by default. It only took them 10 years to accomplish this.

Most people who have lost personal information or had their computer taken over by a virus or trojan horse spam mailer will tell you that they would much rather have to deal with a locked down system than lose their data.

I just can’t understand why it took this long for the “lock down” idea to sink in. What’s the point of using a computer if at some random time in the future you stand the chance of losing your data?

Oh, I know, most are thinking “wow, this has never happened to me and probably never will”.

Trust me – I have come across literally dozens of people who have lost their data or had to rebuild their operating system from scratch because they were not properly protected from threats.

I recently read a paper (with specific examples and statistics) that reported on how long it takes a stock Windows XP installation (without SP1 and ALL hotfixes) to become infected with Sasser (or other trojan/virus) when directly connected to the Internet.

Guess what. It took no more than 20 MINUTES. That’s right – anywhere from 6 seconds to 20 minutes. This means that if you don’t turn on the Internet Connection Firewall or have your machine set-up behind a cable modem/dsl router you are TOAST. You can’t possibly get the machine patched with all of the necessary hotfixes before it becomes infected.

Another thing. Most people know better than to open e-mail attachments from people they don’t know. Unfortunately most of the new (and effective) viruses will come from someone you DO know. Once your friends get infected the virus sends mail to everyone in their address book. So what does that mean? It means that before you open an attachment you must verify that the sender intended to send you this attachment. If you don’t and open the attachment containing a virus then you are SOL.

Let me go into another thing that really drives me nuts (oh great, another).

SPAM.

You’ve got to ask yourself why spam is so prevalent. How did spammers gain the ability to send so many billions of messages to unsuspecting e-mail recipients every day? Isn’t it possible to simply block all of those nasty spam sending e-mail servers out there?

One answer: the SPAM trojan horse program.

There are literally millions of PC’s connected to the Internet that are not properly protected against attack. All it took was a few well engineered trojan horse programs and guess what. You have those millions of unprotected PC’s now sending billions of SPAM e-mails every day.

How does this happen?

Simple.

You place your PC on the Internet in an unprotected state (defined by not having the built-in firewall turned on or not having a cable/dsl router in front of your PC). You haven’t quite kept up with all of the patches that Microsoft has issued. It takes a mere 10 minutes (no exaggeration here guys) for your PC to be exploited. A program is installed on your PC without your knowledge. Now your PC is ready to participate in the sending of unsolicited e-mails.

There are dozens of IRC chat rooms from which spammers can control these networks of robot (called zombies in techno speak) computers. The spammer issues a command in a chat (IRC) channel and then the zombies run off and spam you and me.

These networks of zombies (called botnets in techno speak) are even sold and traded on a daily basis.
This is how 80% of all SPAM is originated. Trust me folks. It’s a fact.

Now do you see why I rant and rave about protecting yourself? I don’t want you sending me any more SPAM!

So what is this diatribe leading up to?

It leads to my next thought:

Systems Engineers and Software Developers should be required to pass stringent certification and educational pre-requisites.

Certified IT professionals should also be paid at least as much as doctors/lawyers.

That’s right, I said it. I firmly believe that certified and degreed systems engineers and developers should command that kind of compensation. Along with the compensation comes responsibility for the reliability and security of their implementations. Despite what most people think, there is a code of ethics for lawyers and doctors. It should be no different for certified IT professionals.

Note that I said certified AND degreed. This means that the average Joe high school graduate that knows how to assemble a PC isn’t eligible. In fact, most of the people I graduated with at SMU would be out of luck. I mean to say that there should be an extremely strict certification (I.E. BAR exam anyone?) that information technology professionals should have to pass to become certified as experts in their field.

Don’t even bring up MCSE, MCDBA, MCSD or any of the Microsoft certifications. They are a complete joke. Any certification that can be passed after taking a 1 week bootcamp is not worth the paper it’s printed on. The only certification that is close to what I am talking about is Cisco CCIE (no, not CCNA).

These certified individuals should be required to attend continuing education to retain their certifications.
They should have to re-test if they fail to do so.

Strict certification along with software that is by default “locked down” will save everyone a ton of grief when it comes to computer problems.

I bet you are thinking “I guess Manly would be one of the certified ones – this just benefits him”. Not necessarily. I haven’t passed this test because there isn’t one. If there were I would surely make an effort to become certified (and I am confident that I could pass it – but with a lot of study). The point is that as we rely on information technology more and more we should know without a doubt that the systems are secure and reliable. We have neither at this point in time.

Can you imagine a time when you are completely reliant on your home PC for everything from lighting/security/HVAC control to banking and investments? Ahh, who cares if someone has the ability to take control of your PC or log your keystrokes. What could that hurt? (SARCASM).

I am sure that none of this will come to pass but with all of the talk of terrorism and post 9/11 security you would think that this would be more important. After all, the best way to hurt 260 million Americans is to take away their confidence in their security and make them worry about the stability of the future. How secure would you feel if you knew that the system that houses all of your confidential information is easily compromised? What if you knew that your bank wasn’t taking the appropriate precautions with your information? How about that web site that you entered your credit card info into?

All of this would require some form of licensing. Lawyers and Doctors command high compensation (and generally high levels of trust) because they are protected by their licensing system. Sure, you can practice your own medicine or enter the court room as “pro se” but everyone knows that it’s not a good idea. It is also frowned upon by judges and hospitals (actually, all hospitals prohibit unlicensed physicians from practicing medicine on their premises).

Of course you can’t force businesses to use only licensed IT professionals. On the other hand, as soon as Fortune 500 companies start to require licensing other businesses will soon follow. Large organizations generally set the standard for all others.

This is surely an extreme version of a possible future (or impossible as it may be). There are definitely less extreme (and less effective) variations on this theme. Each scenario would present its own mix of benefits and associated problems.

Let me know what you think.

On another note: How cool is it that Spaceship One achieved spaceflight (they made it to 62 miles). Isn’t it ironic that they achieved this for 20 million dollars? Don’t most of NASA’s programs run into the billions?

Hmm… there may be a lesson here folks. As if we didn’t know that the U.S. government is inefficient (and mostly inept).

Here’s a link to the report on the spaceflight:

http://www.space.com/missionlaunches/SS1_touchdown_040621.html

Manly

P.S. Wouldn’t you know it. Not long after I post this blog there is an article on MSNBC about personal computers that are infected with SPAM trojans. The gist of the article is that Comcast is considering cutting off Internet access to those PC’s that are sending tons of spam each day (without the owner’s knowledge).

See this link:

www.msnbc.com

Update (6/25/04):

Another article on CNN describes a new Internet attack on web servers that causes them to serve up pages that contain code that will exploit a security hole in your browser and then install a SPAM trojan on your machine. All the user needs to do is go to a web site hosted on a compromised server and they will be infected by the spam trojan. Sigh.

I would run Windows Update today before I ran around browsing all over the net if I were you. Those that are running all of the latest hotfixes appear to be ok as it exploits MS04-013 (MHTML).

Update (6/25/04):

You are not completely protected even if you have the latest patches for Internet Explorer.
This exploit uses two unpatched holes in IE.

See the following article for more info.


My First Entry

3rd June 2004

Well, since I have a million thoughts going around in my head (is it hollow or something?) I thought I would try and organize some of them here. Usually I would shy away from something that is so “hip” or “cool” or recently picked up by the mainstream but I just couldn’t resist the urge to drive at least a few people crazy with my opinions.

This first post will be more of a “what’s going on with me” type of thing than a rant or other musing that I may come up with. I will post something more interesting soon :)

I have been reading a blog by Mavericks owner Mark Cuban that is really interesting. I am not a huge basketball fan (so anything he writes on Basketball I skip) but he has some very interesting things to say on other topics (movies, T.V., business, the market, etc).

It would be worth your while to take a look at his site just once.

http://www.blogmaverick.com

So, what’s been going on with me?

I have been working a good deal. Our company is taking off and it just seems like we have more and more work to do the more successful we become. My father would tell me “that’s just the way it is when you own your own business”. Add another thing to the long list of things that the parents have been right about. It’s exciting and daunting at the same time. I am a natural worry-wart so it just gives me more time to work when I can’t sleep from worrying about everything. Now that’s what I call a vicious cycle. So, if any personal friends want to get ahold of me you can call me until 2AM most nights :)

I am currently training for a bike ride called Hotter than Hell in Wichita Falls, TX. We are going to try and ride 100 miles in the nice Texas heat in August (thank God it’s not next month). So far we are doing rides of at least 20-40 miles and training a couple of times per week or more. It’s not RAGBRAI but it will be fun just the same. Wish me luck cause I’ll need it!

The site is: Hotter than Hell 100

I have been working on a few projects as well.

1) DLP T.V./High Definition DirecTV Tivo:

I must say, Hidef is the way to go. I got sick and tired of looking at my old 4:3 Sony rear projection T.V. so I went out and laid down a significant wad of cash for a new Samsung 50″ DLP T.V. Man, that hurt.

Wouldn’t you know it, the minute I get the T.V. I have an incredible itch to go out and get the new HD DirecTivo. That REALLY hurt.

So now I am poor but I have a kick ass T.V. and Tivo! Yay for me (not).
So, during this whole process I am thinking, hey – I need to get ALL of the local channels in HD. So, I go out and buy a $100 HD antenna for the roof. I get up there, mount it where the old oval dish used to be (The DirecTV installer put in my new oval 3 LNB dish the prior week).

A few days later the HD DirecTivo arrives. I get it set-up just in time to witness 24 in HD. NICE.
Once that was over I go about setting the thing up to my liking. Lo and behold I can’t receive 3 local over the air HD channels. CRAP!

I consider going up to the roof to re-orient the HD antenna. Of course, it is only pointed in the “approximate” direction and could probably use some adjusting. Being the generally sneaky person that I am I think to myself “I wonder if the antenna in the attic will get HD”. Once I connect the attic antenna to the right wire in the home-run box in the garage I get ALL over the air HD’s in the 85-90% range! That just figures. I buy an antenna and the one I already have but have never in my life used works a ton better. UGH.

Anyways, I highly recommend the Samsung DLP TV and/or HD DirecTivo to anyone considering something like this. It completely rocks.

2) Hacking the DirecTivo (HDVR2 – Series 2):

I already had 3 Tivos when I ordered the HD DirecTivo. So, I gave one away (loaned) to a guy here at work. When the HD Tivo came in I gave my oldest DirecTivo to another guy here at work. So now I only have 2. Both virgin, never messed with DirecTivo’s. I simply can’t resist. I buy a hard drive and bracket online and a USB ethernet adapter and go to town on the standard definition DirecTivo. 45 Minutes later it’s done. I have a 157 hour networked DirecTivo. Full web interface, 1 hour live buffer, no more calling in over the phone line and the ability to grab any show from it and place it on VCD, SVCD or DVD. I highly recommend this to anyone who wants more storage from their Tivo. If you are interested in something like this I could literally help you do it over the phone if you have a little computer knowledge.

Mind you this is not my first experience with “hacking” Tivo’s. Every Tivo I have owned has been modified in similar fashion. I am a little wary of opening up the $1000 HD DirecTivo at this point but I will definitely add another 300 GB drive to it soon (that would give it the ability to record 80 hours of HD content and 400 hours of SD material).

I made a DVD of 5 episodes of American Hotrod so that I could test the software, etc. It works really well.

3) My own Phone PBX (VOIP, etc):

I have been wanting to get a new phone switch for the office here in Dallas but I hate to just trash the one we have. The biggest problem I have with our current phone switch is that it is difficult to configure and just doesn’t QUITE cut the mustard when compared to what we used to have at Vertaport (EIC). It’s a PC based phone switch.

I have been researching going back to EIC but that will cost us around 4K. Too much.

So, I start researching cheap or open source solutions. I stumbled across an open source PBX called Asterisk ( http://www.asterisk.org ). I also found a place that sells the hardware (analog line cards, VOIP phones) for cheap ( http://www.digitnetworks.com ). I ordered their startup package (1 line analog card plus a cheap-o VOIP phone). It should come in this week, just in time for my usual Sunday afternoon geek-out time.

Now I know that most might not know what VOIP is but it’s basically a telephone that doesn’t require a landline like normal phones do. It requires a TCP/IP connection instead. So, instead of having the phone wire and the ethernet wire (for phone,computer) you just have one (the ethernet wire).

How is this better? Well, it allows you to take your phone anywhere you want that has an Internet connection and receive phone calls. I.E. I could come home for Christmas and receive the phone calls that come into my house at Mom and Dad’s. Not that I would do this but it would work well for my company since we have people that don’t live in Dallas.

You can also use VOIP for long distance calling. Companies offer extremely cheap rate plans for long distance based on the fact that it is FAR cheaper to run calls over the Internet than it is to pay MA Bell (baby bells) for the same service. I am not really worried too much about the cost. I am more into the fact that I could build the machine myself, install and configure Linux and compile Asterisk and then have a fully functional phone switch/VOIP gateway for FREE other than hardware.

I have been RIPPED OFF for years by phone switch providers, etc. I remember when I worked for Vertaport during the .com boom we were looking at a lucent phone switch. They wanted 500K for a DAMN PHONE SYSTEM! Are you kidding me? That’s insane. It’s time to try and build one myself. You watch, I will build one that has more features than the one that Lucent was trying to sell me (but less capacity of course). It’s also very interesting to me :)

4) Women:

I know someone would ask me about what the woman situation is with me right now. I would consider myself in-between women at the moment (although I am not putting in a lot of effort right now). I go through stages it seems. Sometimes it’s a priority to date, etc and sometimes I am totally pre-occupied with other things (imagine that). I think I am in the latter stage at the moment. That will probably change soon :)

Well, that’s about all the time I have to write. My fingers are about to fall off anyways. Excuse inappropriate grammar or spelling errors. I tend to write as I think instead of writing like I am in college working on a term paper.

I must give a shout out to all the Grundy people that may read this. The older I get the more I think we had a great experience growing up in such a safe, small, intimate setting.

Anyways, LATER.

MANLY
