<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>MBs Windows Security</title>
	
	<link>http://xato.com</link>
	<description>Mark Burnetts Windows Security</description>
	<pubDate>Wed, 01 Apr 2009 21:09:35 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<geo:lat>41.165551</geo:lat><geo:long>-111.967503</geo:long><creativeCommons:license>http://creativecommons.org/licenses/by-nc-nd/2.0/</creativeCommons:license><image><link>http://creativecommons.org/licenses/by-nc-nd/2.0/</link><url>http://creativecommons.org/images/public/somerights20.gif</url><title>Some Rights Reserved</title></image><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/mbwin" type="application/rss+xml" /><feedburner:emailServiceId>mbwin</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>It’s 2009, how secure are you now?</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/rDYMEm8A3Mw/its-2009-how-secure-are-you-now</link>
		<comments>http://xato.com/windows-security/its-2009-how-secure-are-you-now#comments</comments>
		<pubDate>Wed, 01 Apr 2009 21:09:35 +0000</pubDate>
		<dc:creator>Administrator</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.com/?p=202</guid>
		<description>A month ago I downloaded a well-known shareware application from a download web site&amp;#8211;a site that has been around long enough for me to recognize the name. I wanted to test the download speeds on a freshly installed Windows 2008 server in my data center and multi-threaded download managers are a good way to load [...]</description>
			<content:encoded><![CDATA[<p>A month ago I downloaded a well-known shareware application from a download web site&#8211;a site that has been around long enough for me to recognize the name. I wanted to test the download speeds on a freshly installed Windows 2008 server in my data center and multi-threaded download managers are a good way to load up your bandwidth pipe. I double-clicked on the installer, saw my mouse turn to an hourglass, and then disappear. I saw the hard drive lights flicker a few times, and then nothing else happened. </p>
<p>I knew right away something wasn&#8217;t right and that was quickly confirmed when I realized I couldn&#8217;t launch Task Manager or Regedit: I was infected with malware. A trojan to be more specific. </p>
<p>In the last ten years I have been infected once or twice before&#8211;usually by something minor like spyware attached to a game my kids downloaded&#8211;but I had never had anything major like this. Bringing up a command prompt, I quickly fought the infection with my arsenal of cmdlines I had gathered over the years. But once I thought I had the thing completely gone, it once again would appear in my task lists and runonce entries. </p>
<p>It didn&#8217;t take long for me to realize that it was using WMI events to keep itself alive on my system. Because these types of infections are difficult to detect and even more difficult to remove, I went after the file system, removing any binaries related to the trojan. Using timestamps and several SysInternals tools, I was able to eliminate all of the infected files, although the trojan was still active&#8211;albeit neutered&#8211;on my system. </p>
<p>I spent two days working on the server and ultimately ended up with a system that would blue screen before loading Windows. I finally just gave up and reinstalled the system to a fresh state. What bothered me most wasn&#8217;t the time I had wasted fighting this trojan, it was the fact that it had beat me. In fact, it beat me using the very same tactics I myself had developed and used over the years. </p>
<p>But as I got to thinking, I realized that what really bothered me is that this was a fully patched server running Windows 2008 behind two firewalls. And I was downloading a trusted application from a web site I recognized. And most of all, it bothered me that this is 2009 and I still got infected.</p>
<p>A decade ago I remember telling my clients that it would take ten years for the tech industry to get caught up with security. There was simply too much stuff to fix and not enough talent to fix it. Well that ten years has come and I wonder how those clients are doing now. The daily security headlines nowadays really aren&#8217;t much different than they were in 1999. Some new worm threatens the Internet infrastructure. Some .gov or .mil was hacked, probably by The Chinese, and it turns out you can still get hacked no matter how many initials you have after your signature and no matter how many standards you comply with.</p>
<p>It’s 2009 and I am still forced to use ancient, unencrypted protocols like FTP, Telnet, and SNMP. And even where public key encryption is commonplace, like with SSL encrypted protocols, I still find myself faced with things like having to decide whether I should trust a self-signed certificate or not. </p>
<p>Then there’s e-mail. Not only is it unencrypted, but it is unauthenticated and also subject to tampering. Nevertheless, I finally stopped installing PGP on all my computers because no one ever sends me PGP-encrypted e-mails and no one is ever able to read the ones I send encrypted.  And this is 2009. </p>
<p>Even though it’s 2009, so many are still fooled by those fake e-mails from their banks. And even though spam filters work pretty well at protecting us from seeing our spam, there are still thousands of spam messages that end up on my servers every day. </p>
<p>And when I send an e-mail, there’s no guarantee that only the recipient will receive my message. There’s no guarantee that others can’t read or even modify my message. </p>
<p>Ten years ago we knew exactly what it would take to fix our security problems. We got the firewalls down pretty good. Code is generally more secure now. And most of us are good at keeping our systems up-to-date with patches. </p>
<p>But we still don’t have widely-adopted solutions for authentication, encryption, and data integrity. We still have weak passwords and our mothers still have the same maiden names. And most people are simply too underequipped or undermotivated to combat the skills of the malware developers. </p>
<p>That means that despite all our advances in security technology, the best ways to hack someone are the same as they have always been—through a malicious e-mail attachment, or some infected download, or simply guessing someone’s password. </p>
<p>This is a serious problem, a problem that will take a decade to fix. </p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/its-2009-how-secure-are-you-now/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/its-2009-how-secure-are-you-now</feedburner:origLink></item>
		<item>
		<title>A CAPTCHA Nightmare</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/a0A7nxF0R8c/a-captcha-nightmare</link>
		<comments>http://xato.com/windows-security/a-captcha-nightmare#comments</comments>
		<pubDate>Wed, 07 May 2008 17:23:33 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/05/07/a-captcha-nightmare/</guid>
		<description>What distinguishes an effective CAPTCHA from a poor CAPTCHA is the ability to make things hard on non-humans without making things hard on humans. Most of the CAPTCHAS I see out there fail in one of those two features.
But while I thought I had seen the worst CAPTCHAs ever, I stumbled across RapidShare&amp;#8217;s new CAPTCHA. [...]</description>
			<content:encoded><![CDATA[<p>What distinguishes an effective CAPTCHA from a poor CAPTCHA is the ability to make things hard on non-humans without making things hard on humans. Most of the CAPTCHAS I see out there fail in one of those two features.</p>
<p>But while I thought I had seen the worst CAPTCHAs ever, I stumbled across RapidShare&#8217;s new CAPTCHA. Now in the past I have actually praised their CAPTCHA because it was so user-friendly. It wasn&#8217;t case-sensitive and when there were ambiguous characters (number 0 vs letter o), it always seemed to work.</p>
<p>Obviously the CAPTCHA was flawed and a number of people wrote some bots and other tools to bypass it. RapidShare felt a need to tighten things up a bit so they came up with the Cat CAPTCHA:</p>
<p><a href="http://xato.com/wp-content/xup/captcha1.jpg" title="Cat CAPTCHA"><img src="http://xato.com/wp-content/xup/captcha1.jpg" alt="Cat CAPTCHA" /></a></p>
<p>Now it is important to note that if you are not a RapidShare member you often have to wait to be able to download a file. In this case I had to wait three minutes before I even got to the point where I could enter the CAPTCHA.  Already thinking this was an annoying CAPTCHA I also grabbed a screen shot.</p>
<p>Now if you look closely, it says to enter all <em>letters </em>having the image of a cat. Looking at the image, I saw both numbers and letters so, while it made me pause and think more than most CAPTCHAs would, I figured the answer was <em>NTPS</em>. The caption says there are four letters, the text box limits your input to four characters, everything was all caps, and so I figured I was all set.</p>
<p>It turned out that <em>NTPS</em> wasn&#8217;t the correct answer and it put me back into the queue to wait another three minutes. After the timer finished counting down, RapidShare presented me with another CAPTCHA to solve:</p>
<p><a href="http://xato.com/wp-content/xup/captcha2.jpg" title="RapidShare CAPTCHA"><img src="http://xato.com/wp-content/xup/captcha2.jpg" alt="RapidShare CAPTCHA" /></a></p>
<p>This CAPTCHA was all letters and they all had little cats on them so this seemed easier, but as I started typing I remembered that the text input box only allowed four characters. So which four are the answer? I tried the first four but that didn&#8217;t work.</p>
<p>Thinking it might be a browser issue, I tried different browsers, but quickly discovered that after three failures it locks you out. And it doesn&#8217;t do this based on a cookie, it&#8217;s based on your IP address! Being behind a NAT&#8217;d connection I guess I just locked out my entire ISP from using RapidShare.</p>
<p>At this point I did some searching and found out that I am just one of hundreds of people blogging about this.</p>
<p>It turns out that I wasn&#8217;t being too careful because what RapidShare doesn&#8217;t tell you is that some of those images on the letters are actually dogs, not cats. I must be a bot.</p>
<p>Looking (very) close I finally determined that the correct answer to the CAPTCHA above would have been NERW. Geez, they could at least start showing the CAPTCHA during the countdown so you can get started working on it.</p>
<p>This CAPTCHA fails in so many ways it is amazing:</p>
<ol>
<li>They rely too much on their description, which pretty much eliminates anyone who doesn&#8217;t speak that language.</li>
<li>They lock you out by IP address.</li>
<li>If you have to squint or enlarge the picture to figure out the CAPTCHA then something is probably wrong. Try entering this thing on your iPhone outside in the sun.</li>
<li>If someone needs to post on <a href="http://answers.yahoo.com/question/index?qid=20080420051135AAAThg9" title="Rapidshare.com captcha code?">Yahoo! Answers</a> to figure out your CAPTCHA then something is probably wrong.</li>
<li>If a Yahoo! search for &#8220;rapidshare captcha&#8221; returns 79,500 results, then something is probably wrong.</li>
</ol>
<p><a href="http://rapidshare.com/news.html" title="RapidShare CAPTCHA">RapidShare&#8217;s response</a> to the issue is this:</p>
<blockquote><p> &#8220;As every free user should have noticed, we are experimenting once again with the CAPTCHA system. The reason is that RapidShare is popular enough for people to create tools to download from RapidShare as a free user as if they were a premium user. This has a negative impact for our paying premium users, since they expect a fast download.&#8221;</p></blockquote>
<p>In the meantime they are probably losing a lot of visitors and completely destroying the already fragile user experience with CAPTCHAs.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/a-captcha-nightmare/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/a-captcha-nightmare</feedburner:origLink></item>
		<item>
		<title>So many Windows to break</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/WoNz-62gGSE/so-many-windows-to-break</link>
		<comments>http://xato.com/windows-security/so-many-windows-to-break#comments</comments>
		<pubDate>Tue, 08 Apr 2008 21:29:30 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/04/08/so-many-windows-to-break/</guid>
		<description>I just finished writing patch reports for Windows systems I must support for my clients or for my own business. After you put together all the Vistas, XP&amp;#8217;s, 2000&amp;#8217;s, 2003&amp;#8217;s, SP&amp;#8217;s, R2&amp;#8217;s, x64&amp;#8217;s, and IE6 and 7&amp;#8217;s, the list of patches that need testing is quite long. And confusing.
Fortunately I don&amp;#8217;t have to support any [...]</description>
			<content:encoded><![CDATA[<p>I just finished writing patch reports for Windows systems I must support for my clients or for my own business. After you put together all the Vistas, XP&#8217;s, 2000&#8217;s, 2003&#8217;s, SP&#8217;s, R2&#8217;s, x64&#8217;s, and IE6 and 7&#8217;s, the list of patches that need testing is quite long. And confusing.<br />
Fortunately I don&#8217;t have to support any Itanium systems. Nor do I have to deal with XP Media Center, XP Tablet, Small Business Server, Home-editions, or non-English versions. So there are people much worse off than me. I do, however, have to deal with patching Office XP, 2003 and 2007.</p>
<p>And it seems that very soon we will have to address <a href="http://www.news.com/8301-13860_3-9911470-56.html" title="Windows 7">Windows 7</a>, which could come as soon as next year, and Microsoft has extended the availability of <a href="http://www.microsoft.com/presspass/features/2008/apr08/04-03xpeos.mspx" title="XP Home for ULPC's">XP Home for ultra-low-cost PC&#8217;s</a> up to June 2010, so those XP patches could still be around for quite some time.</p>
<p>Nevertheless, I imagine that my headache is nothing compared to what Microsoft has to deal with getting ready for Patch Tuesday. While Microsoft has made tremendous progress in patch management over the last five years, this obviously is an area with lots of room for improvement.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/so-many-windows-to-break/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/so-many-windows-to-break</feedburner:origLink></item>
		<item>
		<title>10 Ways to add to my paranoia</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/Fobq9OBFzTE/10-ways-to-add-to-my-paranoia</link>
		<comments>http://xato.com/windows-security/10-ways-to-add-to-my-paranoia#comments</comments>
		<pubDate>Fri, 22 Feb 2008 19:00:20 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/02/22/10-ways-to-add-to-my-paranoia/</guid>
		<description>A couple of years ago I wrote an article at SecurityFocus.com about my security paranoia, which ended up in a lot of people thinking I went way too far and perhaps needed some mental help. In the article I wrote that instead of the word paranoia, I prefer meticulous precaution.
With astronomical growth in spyware and [...]</description>
			<content:encoded><![CDATA[<p>A couple of years ago I wrote an article at <a href="http://www.securityfocus.com/columnists/320" target="_blank" title="Security for the Paranoid">SecurityFocus.com</a> about my security paranoia, which ended up in a <a href="http://it.slashdot.org/article.pl?sid=05/04/27/1721238" target="_blank" title="Slashdot">lot of people</a> thinking I went way too far and perhaps needed some mental help. In the article I wrote that instead of the word <em>paranoia</em>, I prefer <span class="body"><em>meticulous precaution.</em></span></p>
<p>With <a href="http://www.darkreading.com/document.asp?doc_id=143424&amp;print=true" title="spyware growth" target="_blank">astronomical growth in spyware</a> and an increase in <a href="http://www.eweek.com/c/a/Security/Malware-Poisoning-Results-for-Innocent-Searches/" title="Google Poisoning" target="_blank">search engine poisoning</a>, how is my meticulous precaution doing? Well, it&#8217;s just plain paranoia now.</p>
<p>So in addition to all the well-known best practices and the stuff I mentioned a couple years ago, here are some additional precautions I feel compelled to take:</p>
<p>1. I have an isolated virtual machine always open that I use just for e-mail and instant messaging. This machine is a member of my domain because I need to move stuff in and out of there so often, but firewall rules and other precautions limit its exposure. Plus I never browse the web from this machine.</p>
<p>2. I have another virtual machine always open for general web browsing and downloading. In this VM I have IE7, Firefox, Netscape, Opera, and Safari installed, as well as all the file downloaders, proxies, filters, and anything else cool I find. The browser security settings themselves are moderately secure, but relaxed enough for good web compatibility. This is where I do all my web 2.0 stuff.</p>
<p>3. I have another extremely isolated and extremely hardened virtual machine for more adventurous web browsing and other risky internet stuff. Just IE7 and Firefox here but lots of scanners, blockers, filters, and just about every security-related add-in I can find. I usually keep scripts, active content, and even images turned off in the browsers. Oh yeah, and this VM isn’t even on my physical machine here, it’s at my <a href="http://rapidpipe.com" target="_blank" title="Colocation Data Center">data center</a> and I connect to it via Terminal Services.</p>
<p>4. And of course I have a separate virtual machine on standby (suspended) for all my financial stuff. There are also a few other VM’s I keep on standby for other dedicated and potentially sensitive tasks. All these virtual machines mean I need 4GB RAM and 3 monitors to get any work done.</p>
<p>5. Speaking of financial stuff, whenever I create a new financial account, I set up a new e-mail alias just for that account. In the case of PayPal, I created the account under that unique e-mail address but I added several other e-mail aliases that I can give out to people when they pay me so I never have to reveal my secret login address. When I get an e-mail from PayPal to any address but the secret one, my Outlook rules will automatically discard it. And speaking of PayPal, I highly recommend spending five bucks to get a <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside" title="PayPal Security Key">security key</a> for your account.</p>
<p>6. I also use secret e-mail addresses for handling sensitive information. The fact that GMail keeps every e-mail forever is kind of scary, especially since it is a web-based app that could so easily fall prey to cross-site scripting or similar attacks. This is especially a problem because so many web sites insist on sending you a plaintext e-mail with the account information you just barely set.</p>
<p>So I have an incoming mail filter on my GMail account that looks for words like “password” and “login information,” automatically forwards them on to another non-public e-mail address, and then deletes GMail&#8217;s archive copy. If you use Gmail, do a search for “password” and see what it comes up with. In case you were wondering, yes, I do need a spreadsheet to keep track of all my e-mail accounts.</p>
<p>7. I frequently exit out of and then re-open my web browsers, which are set to clear cache, history, and cookies upon exiting. I don’t want some cross-site scripting attack stealing any session cookies. And I never log out from a sensitive web site, I always exit the browser.</p>
<p>8. Occasionally I use the snapshots feature of VMware to roll back the OS partition of my most sensitive machines. It’s my version of a <a href="http://en.wikipedia.org/wiki/Crazy_Ivan" title="Crazy Ivan">Crazy Ivan</a>.</p>
<p>9. And most importantly, I back up frequently so I have no problem wiping a machine and starting from scratch if I suspect a malware infection or security breach.</p>
<p>10. Ok, well I&#8217;m withholding number 10 because I&#8217;m just too paranoid to tell you about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/10-ways-to-add-to-my-paranoia/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/10-ways-to-add-to-my-paranoia</feedburner:origLink></item>
		<item>
		<title>There’s always a good analogy in an old lady driving down the road dragging a mattress</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/2mTeH93KSVw/theres-always-a-good-analogy-in-an-old-lady-driving-down-the-road-dragging-a-mattress</link>
		<comments>http://xato.com/windows-security/theres-always-a-good-analogy-in-an-old-lady-driving-down-the-road-dragging-a-mattress#comments</comments>
		<pubDate>Thu, 14 Feb 2008 06:25:48 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/02/13/theres-always-a-good-analogy-in-an-old-lady-driving-down-the-road-dragging-a-mattress/</guid>
		<description>Today I was driving on the freeway and couldn’t avoid driving over a flattened cardboard box. I looked in my rearview mirror waiting for it to fly out behind me but it never did. Great, I was driving down the freeway with a box stuck to my car.
It reminds me of one day—and this is [...]</description>
			<content:encoded><![CDATA[<p>Today I was driving on the freeway and couldn’t avoid driving over a flattened cardboard box. I looked in my rearview mirror waiting for it to fly out behind me but it never did. Great, I was driving down the freeway with a box stuck to my car.<span id="more-196"></span></p>
<p>It reminds me of one day—and this is a true story—when I was a teenager. A friend and I were driving and we came up behind a woman driving really slow on a street where we couldn’t pass. We were stuck behind her.</p>
<p>We both stared at the woman’s head for a minute because something was definitely strange. We then realized that what we thought was her head was actually just her hair in a big head-shaped ball. Right below that, barely peering over the dashboard was this old woman’s real head.</p>
<p>Needless to say, that really got us laughing. Oh yeah and she had left her turn blinker on.</p>
<p>So here we are driving slowly behind this very short old woman with her hair so big it looks like a second head, with her blinker on. Then there’s us following behind in the next car laughing so hard we start making snorting sounds.</p>
<p>Then something incredible happens. A truck pulled in front of her that was loaded with a bunch of furniture and as it sped up a mattress caught the wind and flew up into the air, flipped a few times, then landed flat in the middle of the road.</p>
<p>We sat there and watched as the short-old-big-hair-blinking lady drove right over the mattress and it stuck underneath her car! So now she’s driving with her blinker on, barely looking over the dashboard, with this big hair head thing and a mattress dragging underneath her car. At this point we were laughing so hard we could barely breathe. You know, those laughs where you start laughing a really high-pitched laugh that sounds so uncool when you’re a teenager but you can’t stop anyway.</p>
<p>Then the smoke started.</p>
<p>Big hair, blinker, old lady who can barely see over the dashboard dragging a mattress under her car with a plume of smoke behind her.</p>
<p>And that’s exactly what I thought of when the cardboard stuck to my car on the freeway today.</p>
<p>Of course, I immediately saw a security analogy in that. I have a client that has a glaring (although hidden) weakness in their product that I have wanted them to fix for quite some time now but it would require such a great effort and they have become so desensitized to it that it has become one of their lowest priorities.</p>
<p>And even though I do my best to secure everything else in the product and mitigate the impact of exploiting this weakness I still know that all it would take is for one clever person to find it to totally embarrass this company.</p>
<p>So many times we justify and minimize the impact of our own security flaws. We get so used to them that we don’t even see them anymore. And since we don’t see them we somehow think that no one else would see them either.</p>
<p>But they do. And before we know it, we are the old lady driving down the street with our blinkers on and dragging a smoking mattress. The problem stems from the fact that sometimes we can barely see over the dashboard ourselves.</p>
<p>Eventually she made a right turn (even though her blinker indicated a left turn), which freed the mattress and it spun across the road and on to the shoulder, smashing into a wall, still smoking and torn to pieces. We drove on, making those sounds you make as you wind down from a really, really good laugh.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/theres-always-a-good-analogy-in-an-old-lady-driving-down-the-road-dragging-a-mattress/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/theres-always-a-good-analogy-in-an-old-lady-driving-down-the-road-dragging-a-mattress</feedburner:origLink></item>
		<item>
		<title>Why I miss hacking</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/MyWkp7YzCds/why-i-miss-hacking</link>
		<comments>http://xato.com/windows-security/why-i-miss-hacking#comments</comments>
		<pubDate>Thu, 07 Feb 2008 17:58:56 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/02/07/why-i-miss-hacking/</guid>
		<description>I have a problem with my two-year old: he keeps getting out of his bedroom. This morning it was 4am and he was climbing over me and my wife, patting us on our heads.
It’s not like we haven’t tried containing him. It started when he wouldn’t go down for naps. As a quick fix I [...]</description>
			<content:encoded><![CDATA[<p>I have a problem with my two-year old: he keeps getting out of his bedroom. This morning it was 4am and he was climbing over me and my wife, patting us on our heads.</p>
<p>It’s not like we haven’t tried containing him. It started when he wouldn’t go down for naps. As a quick fix I just hooked a bungee cord from his door to the closet door in the hall, which really didn’t work and was probably kind of dangerous.<span id="more-195"></span></p>
<p>Next, we bought one of those child-proof doorknob covers. He was quite mad when we first put it on. But after about twenty minutes of silence he came walking out of his room—extremely proud of himself, I might add.</p>
<p>So I pulled out the doorknob and reversed it so the lock was on the outside. After a few days of him crying himself to sleep next to his door, we were sure we had him beat. We thought we were so clever.</p>
<p>Until one day his crying suddenly stopped and we heard the unmistakable creak of his door opening. This two-year old figured out that if he rattled the doorknob enough, the lock would eventually edge its way into the open position. Now he can do it in less than a minute.</p>
<p>People wonder why I have so much security on my home computers. <em>That’s </em>why. I have bred a small group of hackers here.</p>
<p>Some say hacking is something you learn. I say you are born with it. For as long as I can remember I have always tried to hack something in one form or another. I’m not talking about hacking in the sense of theft or greed; I am talking about the thrill of the challenge. It’s no different from the thrill I felt when I first solved a Rubik’s Cube when I was eleven. It’s no different than when I went W at the barrow in <a href="http://www.csd.uwo.ca/Infocom/" title="Zork">Zork I</a>.</p>
<p>Hacking just came naturally to me. Yeah I was a hacker and I was good at it. Not because I wanted to hurt anyone, I just loved the adventure. It made me good at what I do now, at least at first.</p>
<p>It has been years since I hacked anything, at least without getting paid to do it. Now I spend all my time securing things. While many of my friends are still hacking legally now as pen-testers, I have always argued that pen-testing is pointless because no matter how people get in, the method of securing your systems will always be the same. Why not just save the money and skip right ahead to the lockdown?</p>
<p>While this has saved my clients plenty of money over the years, I wonder if I myself am beginning to suffer from skipping the pen-test stage. When you secure things you look at thousands of entry points and you narrow them down to just a few. It’s easy to feel secure once you have done that. But when you are a hacker you start with nothing and discover those few remaining entry points. That difference in perspective is so significant that you can never truly know how to secure something until you have gone through the process of breaking it.</p>
<p>More and more I find myself making compromises that I never would have made when I started. I find myself minimizing the impact of minor flaws in a system. I no longer get angry when I see people make dumb mistakes on their servers because I know I would have exploited that as a hacker. I think I am forgetting all that now.</p>
<p>About a week ago my oldest son told me I should start being a hacker again. I suspect he said that because he wanted to brag about it to his friends. I laughed it off but I have to admit it was a lot like offering a drink to an alcoholic who thought he was recovered.</p>
<p>All these years of not hacking have definitely warped my perspective. I need to dig out all my old scripts and try them out on a real network. I need to see what I can pull off with just a few scraps of information on the target dug up from Google. I need to see how far I can really go on a fully patched server. I need to experience once again what it takes to evade detection.</p>
<p>Ok, most of all, I just miss hacking.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/why-i-miss-hacking/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/why-i-miss-hacking</feedburner:origLink></item>
		<item>
		<title>Mandatory Integrity Control</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/gPM7hY2IXZk/93</link>
		<comments>http://xato.com/windows-security/93#comments</comments>
		<pubDate>Wed, 06 Feb 2008 23:59:31 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/02/06/93/</guid>
		<description>I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on previous work by others, in particular the Biba model.
There are several traditional access control models we use in computer security. Windows enforces access control using the [...]</description>
			<content:encoded><![CDATA[<p class="MsoNormal">I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on previous work by others, in particular the Biba model.<span id="more-194"></span></p>
<p class="MsoNormal">There are several traditional access control models we use in computer security. Windows enforces access control using the <em>Discretionary Access Control </em>(DAC) model. In the NTFS file system, DAC allows and restricts access to files solely based on user identity. The system grants a user, or group of users, access to a file based on ownership. The owner decides, at his or her discretion, how to further assign access permission to that file. Discretionary Access Control is a system completely based on who is trying to access a file.</p>
<p class="MsoNormal"><em>Mandatory Access Control</em> (MAC), on the other hand, is an access control model that focuses more on the content of the file itself. MAC classifies all files based on a level of sensitivity or classification and only allows access to users with appropriate clearance, no matter what other controls may be in place that might permit them access. Therefore, users may only access a document with a Top Secret classification if they have that level of clearance, even if you place that file in the user’s directory. Furthermore, users with the appropriate level of clearance to access a file still cannot grant access to others with a lower level. Mandatory Access Control focuses on what the file contains.</p>
<p class="MsoNormal">Mandatory Integrity Control is similar to Mandatory Access Control but focuses more on the trustworthiness of files based on where the files came from. MIC provides a barrier between trusted and untrusted processes, files, and other system resources.</p>
<p class="MsoNormal">MIC works by assigning integrity levels to everything and preventing low integrity users and processes from writing to higher integrity file and Registry locations.</p>
<p class="MsoNormal">Anything you can secure in Windows also has an integrity level. Anything that doesn’t specifically have an integrity level assignment will receive an integrity level of medium. Furthermore, Windows also assigns integrity levels to users. Normal users will have an integrity level of medium and administrators have an integrity level of high.</p>
<p class="MsoNormal">When users launch programs, those programs normally launch with the same integrity level of the user, so when medium-integrity users launch programs, those programs will run at a medium integrity level.</p>
<p class="MsoNormal">On Windows Vista, Internet Explorer 7 is broken down into three different processes that run at different integrity levels so that it can use the lowest integrity level it can get away with for any particular task. By default, IE uses a mode called LP IE that always runs with low integrity. There is also an IEUser process that handles running IE with a medium integrity level. Finally, the Application Information service allows the launching of high-integrity instances to handle admin-level tasks.</p>
<p class="MsoNormal"><strong>Low Integrity</strong></p>
<p class="MsoNormal">Internet Explorer by default will run with low integrity and can only access a limited portion of the file system. By default, most files on the system have a medium integrity level so Internet Explorer cannot access any of those locations. The low-integrity directories that IE can write to are the low integrity cache, temp, cookies, and history directories that Internet Explorer uses for web browsing. Any web site in your Internet zone will always run with low integrity.</p>
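<p>As an added example (not code from the original post), the following PowerShell script checks the labels described above on a live machine: it reads the mandatory label that <code>icacls</code> reports for a path, falls back to the implicit Medium level when no label is set, and reads the current token's integrity level from <code>whoami /groups</code>. It assumes Windows Vista or later with <code>icacls.exe</code> and <code>whoami.exe</code> available; the function names are my own.</p>

```powershell
# Added example, not code from the original post. Assumes Windows Vista or later
# with icacls.exe and whoami.exe on the PATH; no third-party modules are used.

function Get-MandatoryLabel {
    # Reports the integrity label icacls shows for a file or directory.
    # Objects without an explicit label are treated by Windows as Medium,
    # which is why the fallback below reports Medium with Explicit = $false.
    param([Parameter(Mandatory = $true)][string]$Path)

    $aclText = & icacls.exe $Path 2>&1 | Out-String
    $match = [regex]::Match($aclText,
        'Mandatory Label\\(\w+) Mandatory Level:((?:\([^)]*\))+)')

    if ($match.Success) {
        [pscustomobject]@{
            Path     = $Path
            Level    = $match.Groups[1].Value   # Low, Medium, High, ...
            Policy   = $match.Groups[2].Value   # e.g. (OI)(CI)(NW): no-write-up, inherited by children
            Explicit = $true
        }
    } else {
        # No explicit label: Windows evaluates the object as Medium with no-write-up.
        [pscustomobject]@{ Path = $Path; Level = 'Medium'; Policy = '(NW)'; Explicit = $false }
    }
}

function Get-TokenIntegrityLevel {
    # whoami /groups lists the current token's integrity SID as
    # "Mandatory Label\<Level> Mandatory Level".
    $groupsText = & whoami.exe /groups | Out-String
    $match = [regex]::Match($groupsText, 'Mandatory Label\\(\w+) Mandatory Level')
    if ($match.Success) { $match.Groups[1].Value } else { 'Unknown' }
}

# LocalLow is the per-user folder Windows labels Low so that low-integrity
# processes (Protected Mode IE among them) have somewhere they are allowed to write.
Get-MandatoryLabel -Path (Join-Path $env:USERPROFILE 'AppData\LocalLow')

# The profile root normally carries no explicit label, so it falls back to Medium:
# a low-integrity process is denied write access there, which is the barrier the post describes.
Get-MandatoryLabel -Path $env:USERPROFILE

"Current token integrity level: $(Get-TokenIntegrityLevel)"
```

<p>Run it from a normal and from an elevated prompt to see the token report Medium and High respectively while the folder labels stay the same.</p>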
<p class="MsoNormal"><strong>Medium Integrity</strong></p>
<p class="MsoNormal">Internet Explorer uses a medium integrity level for all web sites that are in your trusted zone. If you are browsing to a web site in the Internet zone and wish to open a site that is in your Trusted zone, IE will prompt you to open a new window for that web site. It does this because the site in the Trusted zone will run with a medium integrity level and it needs to create a new process with the appropriate integrity level. In other words, you cannot have Trusted sites and Internet sites open in the same browser instance.</p>
<p class="MsoNormal">The core concept of UAC is that there is usually a prompt when you switch between tasks of different integrity levels. The idea is that no matter what kind of future attacks hackers might think of, the user will at least see a prompt before anything bad can happen.</p>
<p class="MsoNormal">When a browser instance is running with low integrity it can automatically save files, such as cookies or temporary internet files, without prompting the user. This is because it only saves the files to low-integrity locations. This way, if a future browser exploit allows a malicious web site to download and run a file, it will not be able to do any damage because the file will be marked as low integrity.</p>
<p class="MsoNormal">However, if you wish to download a file from a web site in the Internet zone and save it to your desktop or other medium-integrity location, IE will always prompt you before allowing the download. It does this because in order to save the file to a medium-integrity location, it needs to run as a medium-integrity process. Because it is switching from one integrity context to another, it will require user interaction.</p>
<p class="MsoNormal">It is important to be aware that when you approve the download of files from the Internet and save them to your disk, those files will be marked as medium-integrity files. That means they can run with the same privileges as the current user. IE7 protected mode doesn’t replace the need to be smart about what you download and install on your computer.</p>
<p class="MsoNormal"><strong>High Integrity</strong></p>
<p class="MsoNormal">Sometimes you need administrative-level rights to install ActiveX components or IE add-ins. To do this, IE will spawn a new high-integrity process. This process can handle any installation issues but will always ask for approval before performing any administrative task.</p>
<p class="MsoNormal">Mandatory integrity control is still a new concept in Windows and it is obvious it hasn&#8217;t been fully integrated into the security model. However, it certainly is a step in the right direction.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/93/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/93</feedburner:origLink></item>
		<item>
		<title>Superbowl commercials, a broken window, and a virus</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/KOGggM0C7Uk/superbowl-commercials-a-broken-window-and-a-virus</link>
		<comments>http://xato.com/windows-security/superbowl-commercials-a-broken-window-and-a-virus#comments</comments>
		<pubDate>Tue, 05 Feb 2008 04:30:03 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/02/04/superbowl-commercials-a-broken-window-and-a-virus/</guid>
		<description>This morning, after being startled by two of my sons arguing over who had the longest turn playing Guitar Hero, and still not quite ready to get out of bed, I grabbed the remote control and started up the DVR recording of the Super Bowl. As my eyes were still trying to focus, I sped [...]</description>
			<content:encoded><![CDATA[<p class="MsoNormal">This morning, after being startled by two of my sons arguing over who had the longest turn playing Guitar Hero, and still not quite ready to get out of bed, I grabbed the remote control and started up the DVR recording of the Super Bowl. As my eyes were still trying to focus, I sped forward to the first commercial break then hit play.<span id="more-193"></span></p>
<p class="MsoNormal">It’s not just that I’m not a big football fan; I’m also too impatient to sit through three hours of <em>anything</em>. That&#8217;s what&#8217;s so great about commercials. Say it in 30 seconds and you&#8217;re done. But I was barely through the first Budweiser commercial when I heard our front door slam. My wife walked in the room, threw the car keys at me and told <em>me </em>to go get the car unstuck out of the snow. Oh, and the back window is broken too.</p>
<p class="MsoNormal">After weeks of heavy snowstorms here in Utah, getting up and digging out the car has been a pretty regular occurrence. Last night we got about 10cm, so I tromped through the snow out to the car. Sure enough, there it was stuck in a snow bank at the end of our driveway with a tree branch going through the back window.</p>
<p class="MsoNormal">“Great,” I thought, “I’m going to have to get out of my pajamas for this one.”</p>
<p class="MsoNormal">Now to most people getting out of pajamas is probably a normal thing but when you have worked out of your home for ten years I might as well be putting on a tuxedo.</p>
<p class="MsoNormal">Yeah, so what, I sit around all day in my pajamas. In my house everyone is used to it. When I tell my wife I need more work clothes, she asks me if I want flannel or fleece.</p>
<p class="MsoNormal">My kids really have no concept of what a real job is. All they know is that I secure things and I write things, and that somehow involves sitting at a computer all day in your pajamas. Of course, they don’t quite understand the distinction between work time on the computer and play time on the computer so that adds to the confusion.</p>
<p class="MsoNormal">Parent-Teacher conferences are always fun because my kids always have creative ways of explaining what their father does for a living. “So, I hear you’re a hacker?” a teacher once asked me with some concern. “I understand your work involves playing video games all night?” another one asked, somewhat confused.</p>
<p class="MsoNormal">So I got out of my pajamas and into some real clothes to dig the car out, and then drop it off at the glass repair shop.</p>
<p class="MsoNormal">The whole point of all this is that after getting back from the repair shop I sat down at my computer.</p>
<p class="MsoNormal">To my shock there was a virus warning. That virus scanner that has sat there, along with all the others over the years doing nothing, actually reported that I had a virus.</p>
<p class="MsoNormal">I haven’t had a virus in years—people like me aren’t supposed to get viruses.</p>
<p class="MsoNormal">I always do everything right plus a lot of other things that most people wouldn’t even think of. But there it was, with a big red warning icon: <em>Found 1 infected files</em>. I was shocked. Were the shoemaker’s children actually shoeless? Where did I fail? What is the world coming to? Ok, a broken window I can put up with, but a VIRUS?!</p>
<p class="MsoNormal">At this point I had had enough. I just gave up, got back into my pajamas, lay in my bed, then hit play on the DVR that was still paused at the Budweiser commercial.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/superbowl-commercials-a-broken-window-and-a-virus/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/superbowl-commercials-a-broken-window-and-a-virus</feedburner:origLink></item>
		<item>
		<title>Vista SP1 and Windows Server 2008 RTM</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/VVtUyK1V7SY/vista-sp1-and-windows-server-2008-rtm</link>
		<comments>http://xato.com/windows-security/vista-sp1-and-windows-server-2008-rtm#comments</comments>
		<pubDate>Tue, 05 Feb 2008 04:25:17 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/02/04/vista-sp1-and-windows-server-2008-rtm/</guid>
		<description>For those of you who have been waiting for SP1 before you move to Vista, that time has come:
http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx</description>
			<content:encoded><![CDATA[<p>For those of you who have been waiting for SP1 before you move to Vista, that time has come:</p>
<p><a href="http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx" title="Vista SP1">http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx</a></p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/vista-sp1-and-windows-server-2008-rtm/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/vista-sp1-and-windows-server-2008-rtm</feedburner:origLink></item>
		<item>
		<title>IT Security Through Sibling Rivalry</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/bTezujBobvg/it-security-through-sibling-rivalry</link>
		<comments>http://xato.com/windows-security/it-security-through-sibling-rivalry#comments</comments>
		<pubDate>Wed, 23 Jan 2008 17:44:10 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/01/23/it-security-through-sibling-rivalry/</guid>
		<description>Some of you who know me know I have four kids—all boys. Now when you have four brothers growing up together under the same roof there is a lot of competition. In some families this competition would be with sports or academic achievement. In my house the competition is who has the best password.
Of course [...]</description>
			<content:encoded><![CDATA[<p class="MsoNormal" style="margin-left: 0in">Some of you who know me know I have four kids—all boys. Now when you have four brothers growing up together under the same roof there is a lot of competition. In some families this competition would be with sports or academic achievement. In my house the competition is who has the best password.<span id="more-191"></span></p>
<p class="MsoNormal" style="margin-left: 0in">Of course it’s not too hard to see that I am to blame for this. I spent the good part of a year writing a book on passwords. I spent a number of years developing <a href="http://xato.net/bl/2007/01/30/pafwert-smarter-passwords/" title="password generator">Pafwert</a>, a unique passphrase generator. I collect passwords every day. I always talk about passwords. And of course, there are those times when every PC in the house is running slow because they are either cracking away at passwords or generating rainbow tables.</p>
<p class="MsoNormal" style="margin-left: 0in">And not to mention that when they arrive at <em>that age</em>, they get that father-and-son <em>talk</em>. Not the sex one, the one about never sharing your passwords with others.</p>
<p class="MsoNormal" style="margin-left: 0in">So coming up with passwords is a fun thing around here. Maybe not for my wife—who only has long passwords because the domain policy forces it—but for the boys a great password is a matter of pride. The only problem is you can’t ever tell it to anyone. To emphasize that point I even keep the administrator password secret from my boys until they come of age and get the <em>talk</em>, at which point they also get to know the secret admin password they have coveted for so many years. It’s a rite-of-passage thing around our house—kind of an IT Bar Mitzvah.</p>
<p class="MsoNormal" style="margin-left: 0in">But the thing is they respect passwords now. When their friends come over and want to use a locked PC, my kids don’t just tell them the password, they have them move aside and enter it for them.</p>
<p class="MsoNormal" style="margin-left: 0in">The nice thing about this sibling password rivalry is that there is always this pressure to have a better password. Forget being teased about your first girlfriend, around here you get teased if you haven’t changed your password in the last couple months.</p>
<p class="MsoNormal" style="margin-left: 0in">Of course my influence on them won&#8217;t last forever. My oldest boy is almost sixteen and will soon want to trade in his RSA SecurID for the type of key you start a car with. And perhaps he&#8217;ll start using weak passwords because that&#8217;s what all the cool kids do.</p>
<p class="MsoNormal" style="margin-left: 0in">But at least I still have my youngest son, who is just over two. He still has at least another 6 months before his first password, but I know that time will come fast. Before I know it I will be sitting down with him, giving the <em>talk:</em> son, don’t ever share your password with others.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/it-security-through-sibling-rivalry/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/it-security-through-sibling-rivalry</feedburner:origLink></item>
		<item>
		<title>New Tool: Delete files in use and Windows protected files</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/rU__Ob7RUro/x-out</link>
		<comments>http://xato.com/windows-security/x-out#comments</comments>
		<pubDate>Sat, 05 Jan 2008 23:04:44 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/01/05/new-tool-delete-files-in-use-and-windows-protected-files/</guid>
		<description>I thought I would share a tool I had developed a while back as part of my Windows lockdown procedure. Deleting files that are in use and particularly WFP-protected files can be a pain and the methods vary with each version of Windows.
X-Out is a simple utility that makes the process more consistent by deleting [...]</description>
			<content:encoded><![CDATA[<p>I thought I would share a tool I had developed a while back as part of my Windows lockdown procedure. Deleting files that are in use and particularly WFP-protected files can be a pain and the methods vary with each version of Windows.</p>
<p>X-Out is a simple utility that makes the process more consistent by deleting files using a native application that runs very early in the Windows boot process (the same place where autochk runs). At this point there are no file permissions or applications to get in the way. Even Windows won&#8217;t stop you from deleting the files you want.</p>
<p>When Windows starts, it will see that those files are not there and therefore will not configure WFP to monitor those files.</p>
<p>You can <a href="/files/x-out.zip" title="Delete Windows protected files">download X-Out here.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/x-out/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/x-out</feedburner:origLink></item>
		<item>
		<title>Making sense of Microsoft malware protection</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/enZV8bZTrq4/making-sense-of-microsoft-malware-protection</link>
		<comments>http://xato.com/windows-security/making-sense-of-microsoft-malware-protection#comments</comments>
		<pubDate>Thu, 03 Jan 2008 21:55:12 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/01/03/making-sense-of-microsoft-malware-protection/</guid>
		<description>In case you haven’t noticed, in the last few years Microsoft has released a number of different client protection tools. First it was Windows Defender, then OneCare, and now we are seeing a big push on the Forefront product line. In fact, there are a number of tools that provide overlapping client protection.
Here’s a breakdown [...]</description>
			<content:encoded><![CDATA[<p class="MsoNormal">In case you haven’t noticed, in the last few years Microsoft has released a number of different client protection tools. First it was Windows Defender, then OneCare, and now we are seeing a big push on the Forefront product line. In fact, there are a number of tools that provide overlapping client protection.<span id="more-189"></span></p>
<p class="MsoNormal">Here’s a breakdown of Microsoft’s client protection offerings in an attempt to help you understand what might be best for you:</p>
<p class="MsoNormal"><a href="http://www.microsoft.com/security/malwareremove/default.mspx" title="Malicious Software Removal Tool">Malicious Software Removal Tool</a></p>
<p class="MsoNormal">The free Malicious Software Removal Tool cleans up computers infected with the most common or most active malware threats. Microsoft updates the tool with each monthly patch cycle, so you must always download the latest version. The tool simply cleans up common malware that might already be on your system.</p>
<p class="MsoNormal">The tool does not provide malware protection, only addresses the most prevalent threats, and does not scale well and therefore is not a great long-term security solution. It does, however, provide a quick cleanup that might be necessary in some cases.</p>
<p class="MsoNormal"><a href="http://onecare.live.com/site/en-us/default.htm" title="OneCare Safety Scanner">OneCare Safety Scanner</a></p>
<p class="MsoNormal">The OneCare Safety Scanner is a free online tool that scans for and removes viruses and spyware and then performs a few system checks. These system checks include a disk cleanup, defragmentation check, and registry cleanup. The tool also performs a port scan on your system to check for open ports.</p>
<p class="MsoNormal">The OneCare Safety Scanner is a quick and easy solution for inexperienced consumers and it&#8217;s a great place to send your neighbors who call you asking for help getting rid of some malware.</p>
<p class="MsoNormal"><a href="http://www.microsoft.com/windows/products/winfamily/ie/default.mspx" title="Internet Explorer 7">Internet Explorer 7</a></p>
<p class="MsoNormal">Internet Explorer 7 provides better overall security than previous versions of IE and has several new security features. IE7 includes a phishing filter to warn of potential phishing attempts, better spyware protection, and a pop-up blocker.</p>
<p class="MsoNormal"><a href="http://www.microsoft.com/athome/security/spyware/software/default.mspx" title="Windows Defender">Windows Defender</a></p>
<p class="MsoNormal">Windows Defender&#8211;now included as part of Windows Vista&#8211;provides spyware protection and cleanup. Although it works well for consumers and business users, it does not provide any centralized management.</p>
<p class="MsoNormal"><a href="http://onecare.live.com/standard/en-us/default.htm" title="Windows Live OneCare">Windows Live OneCare</a></p>
<p class="MsoNormal">Windows Live OneCare is a combination software and paid online service that provides virus, spyware, and phishing protection. It keeps your hard drive defragmented and clean from unnecessary files, cleans the registry, and makes sure you always have the latest patches from Microsoft installed. It also provides regular backups of your important files to a second location, such as another hard drive or a CD-ROM.</p>
<p class="MsoNormal">Windows Live OneCare tries to run continuously and quietly so it is a great solution for consumers.</p>
<p class="MsoNormal"><a href="http://www.microsoft.com/forefront/default.mspx" title="Forefront Client Security">Forefront Client Security</a></p>
<p class="MsoNormal">Microsoft Forefront Client Security is the most comprehensive, most configurable, and most manageable client security product. If you manage more than a dozen systems, you would definitely benefit from the centralized management and control features that Forefront provides. You can control Forefront Client Security settings through Group Policy and it integrates well with <a href="http://technet.microsoft.com/en-us/wsus/default.aspx" title="Windows Server Update Services">WSUS</a> for distributing signature updates to client systems.</p>
<p class="MsoNormal">So what does this all mean? Well this is how I would break it down:</p>
<ul>
<li>If you are a consumer, visit the <a href="http://onecare.live.com/site/en-us/default.htm" title="OneCare Safety Scanner">OneCare Safety Scanner</a> site periodically and do a scan. If using XP or Windows 2003, install Windows Defender and IE7. Keep up-to-date with Automatic Updates.</li>
<li>If you are a consumer and don&#8217;t mind spending some extra money, go with the full OneCare service.</li>
<li>Small organizations with limited IT support should have users visit the <a href="http://onecare.live.com/site/en-us/default.htm" title="OneCare Safety Scanner">OneCare Safety Scanner</a> site periodically and do a scan. If using XP or Windows 2003, install Windows Defender and IE7. Keep up-to-date with Automatic Updates.</li>
<li>Larger organizations should use Forefront Client Security, Windows Defender, and IE7. Use <a href="http://technet.microsoft.com/en-us/wsus/default.aspx" title="Windows Server Update Services">WSUS</a> or another patch management product to keep systems up-to-date.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/making-sense-of-microsoft-malware-protection/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/making-sense-of-microsoft-malware-protection</feedburner:origLink></item>
		<item>
		<title>Recanting my complaint of Vista’s Start Menu</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/FXm0C4sQskg/recanting-my-compaint-of-vistas-start-menu</link>
		<comments>http://xato.com/windows-security/recanting-my-compaint-of-vistas-start-menu#comments</comments>
		<pubDate>Wed, 02 Jan 2008 18:18:03 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2008/01/02/recanting-my-compaint-of-vistas-start-menu/</guid>
		<description>In my last post I vented out some Vista complaints I had. One of those was how Microsoft changes the Start Menu with every version of Windows. In fact, after writing that I did a personal protest and changed the properties of the Start Menu to use the Classic Start Menu, which is the same [...]</description>
			<content:encoded><![CDATA[<p>In my <a href="http://xato.net/bl/2007/12/31/the-vista-bugs-that-bug-me-the-most/" title="Vista complaints">last post</a> I vented some Vista complaints I had. One of those was how Microsoft changes the Start Menu with every version of Windows. In fact, after writing that I did a personal protest and changed the properties of the Start Menu to use the Classic Start Menu, which is the same one we had with Windows 2000. I was very pleased with what I had done.<span id="more-188"></span></p>
<p>But I quickly realized how much I actually use the new Start Menu&#8217;s search feature. In fact I use it so much that I switched back and now I officially recant my complaint on Vista&#8217;s Start Menu based on that feature alone.</p>
<p>This is why it is so cool: not only can you search for stuff on your Start Menu, you can directly launch stuff from there. For example, type <em>calc</em> and press Enter and the Windows Calculator comes up.</p>
<p>Even better, you don&#8217;t have to type the whole thing, just enough for it to be unique. In the case of Calculator, just the letter C is enough.</p>
<p>Even better, the search box automatically gets focus when you open the Start Menu, so you can just start typing.</p>
<p>Even better, since most keyboards nowadays have a Start button that brings up the Start Menu and gives it focus, you can hit that button while in any application and do a search without ever moving your hands from the keyboard.</p>
<p>So if I want to open MS Word, I can hit the Start button, type the letter W, hit Enter and Word launches. Three keystrokes to access most of my applications. I&#8217;d say that&#8217;s worth a recant.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/recanting-my-compaint-of-vistas-start-menu/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/recanting-my-compaint-of-vistas-start-menu</feedburner:origLink></item>
		<item>
		<title>The Vista bugs that bug me the most</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/qB52nJViJ_A/the-vista-bugs-that-bug-me-the-most</link>
		<comments>http://xato.com/windows-security/the-vista-bugs-that-bug-me-the-most#comments</comments>
		<pubDate>Mon, 31 Dec 2007 19:51:24 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2007/12/31/the-vista-bugs-that-bug-me-the-most/</guid>
		<description>Vista has had some pretty bad press this year, some people blame Microsoft for initially overhyping but eventually poorly marketing the OS, some blame the &amp;#8220;I&amp;#8217;m a Mac&amp;#8221; commercials, and some blame the security features. As for me, I just find it to be too rough around the edges.
While I am often tempted to ditch [...]</description>
			<content:encoded><![CDATA[<p class="MsoNormal">Vista has had some pretty bad press this year: some people blame Microsoft for initially overhyping but eventually poorly marketing the OS, some blame the &#8220;I&#8217;m a Mac&#8221; commercials, and some blame the security features. As for me, I just find it to be too rough around the edges.<span id="more-187"></span></p>
<p class="MsoNormal">While I am often tempted to ditch it and go back to Windows 2003 or XP, I keep holding out for SP1 and some much-needed improvements.</p>
<p class="MsoNormal">Here are some things&#8211;ok maybe not officially bugs&#8211;that annoy me most about Vista:</p>
<p class="MsoNormal"><strong>1. Not responding white-out mode. </strong>If a program does not respond after a few clicks, that application&#8217;s window takes on a whitish tint and remains so until it responds. While the white-out concept is nice because I can work on something else until I notice the other application&#8217;s window return to normal, it seems like it happens way too much. Way, way too much.</p>
<p class="MsoNormal"><strong>2. Computing how long it will take. </strong>What really annoys me is when I go to delete a file and a screen pops up saying Windows is computing how long it will take to delete the file. Frankly I don&#8217;t care how long it will take to delete a file, just delete it.</p>
<p class="MsoNormal"><strong>3. Finding a solution.</strong> When a program crashes, Vista first wants you to wait while it checks for a solution before it lets you move on, which can be really annoying with things like games that change video modes. The fact is that the program crashed and finding a solution won&#8217;t make it uncrash. So just let the thing finish crashing and <em>then</em> go find a solution.</p>
<p class="MsoNormal"><strong>4. Double warnings.</strong> It is annoying when you perform a privileged operation and Vista pops up a message box saying that what you are about to do will require authorization and once you clear the box you are then prompted for authorization. If they just went ahead and asked for authorization we&#8217;d get it; there&#8217;s no need to warn us beforehand.</p>
<p class="MsoNormal"><strong>5. Too many message boxes.</strong> Seems like I am clicking OK much more than I ever did in previous versions of Windows.</p>
<p class="MsoNormal"><strong>6. Stop trying to be smart. </strong>I hate it when Vista sees that there are MP3s in a folder, tries to be smart, and changes the Explorer columns to show custom MP3 file info. The problem is that often there are other files in that folder, and I would actually prefer each folder to be consistent, so I wish it would stop thinking it knows what I want better than I do.</p>
<p class="MsoNormal"><strong>7. Try being a little smarter.</strong> Another thing I find annoying is the box that comes up after some install programs run, where the Program Compatibility Assistant wants to know if an install failed or succeeded. Ok, maybe I don&#8217;t fully understand the value this adds, but it is irritating that whenever I cancel a setup program or a setup fails, Vista wants to know if it installed correctly. The problem is that the dialog box doesn&#8217;t give any clear guidance or description about what it will do differently if I tell it to try to reinstall, and although there is a cancel button the dialog box doesn&#8217;t have an option to just ignore that particular program. And what will it do differently if I say it didn’t install correctly? I just always hit cancel because that seems safe. This feature definitely could be smarter.</p>
<p class="MsoNormal"><strong>8. Even more confusing ACL dialog box.</strong> *sigh*</p>
<p class="MsoNormal"><strong>9. Hidden network adaptor properties.</strong> Why is Microsoft so determined to hide the network adaptor properties from us? And what happened to the option to show an icon on the system tray for each network adaptor?</p>
<p class="MsoNormal"><strong>10. The Start Menu.</strong> Ok, it’s really not so bad in itself, it’s just that Microsoft feels like they need to keep changing it. Is the first thing Microsoft does with each version of Windows to decide how they will change the Start Menu? It’s never been that great, but familiarity is a part of usability too.</p>
<p class="MsoNormal">Ok, well if I thought about it, sure I could come up with a hundred things I like about Vista, but those things aren&#8217;t screaming at me every day like the white windows and the message boxes and the confusing user interfaces.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/the-vista-bugs-that-bug-me-the-most/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/the-vista-bugs-that-bug-me-the-most</feedburner:origLink></item>
		<item>
		<title>Fun with open proxies</title>
		<link>http://feedproxy.google.com/~r/mbwin/~3/8Q45DJwXYBo/fun-with-open-proxies</link>
		<comments>http://xato.com/windows-security/fun-with-open-proxies#comments</comments>
		<pubDate>Thu, 27 Dec 2007 03:34:01 +0000</pubDate>
		<dc:creator>mb</dc:creator>
		
		<category><![CDATA[Windows Security]]></category>

		<guid isPermaLink="false">http://xato.net/bl/2007/12/26/fun-with-open-proxies/</guid>
		<description>I was recently playing around with web proxies at my data center lab and got an idea to open up a couple anonymous proxies to see how long it would take for someone to start exploiting them. I fired up two anonymous proxies&amp;#8211;using 3APA3A&amp;#8217;s very cool and very tiny 3proxy tool&amp;#8211;on adjacent IP addresses, each [...]</description>
			<content:encoded><![CDATA[<p>I was recently playing around with web proxies at my data center lab and got an idea to open up a couple anonymous proxies to see how long it would take for someone to start exploiting them. I fired up two anonymous proxies&#8211;using 3APA3A&#8217;s very cool and very tiny <a href="http://3proxy.ru/" title="3proxy proxy server">3proxy </a>tool&#8211;on adjacent IP addresses, each listening on port 8080.<span id="more-186"></span></p>
<p>Then, I went to several well-known web sites where you can upload a list of proxies to test them. On each site I uploaded just one of my proxy addresses. The other I kept secret.</p>
<p>I opened up the proxy logs for the address I checked and, as I expected, there were several requests testing to see if the proxy was open. I then added a rule on my router so I could monitor that traffic. As soon as I created the rule I saw that I was getting 1mb/s of traffic to the proxy&#8217;s port. Surprised, I went back to the proxy logs and they were already 100mb on disk. The other proxy I had kept secret had no traffic.</p>
<p>Within five minutes the proxy was averaging 3mb/s and I noticed checks from several companies that provide paid proxy services. Apparently they use free proxies as part of their services. Within fifteen minutes it was doing a steady 6mb/s and my proxy server had transferred over a gigabit of data! Sure I had expected people to use the proxy but I had never expected 6mb/s of use so quickly.</p>
<p>In that fifteen minutes there were 75 source IP addresses, many of them other open proxies, TOR exit points, or compromised servers. Those IP addresses hit 9,359 target hosts. Who were the targets? Just about anyone and everyone.</p>
<p>Most of the traffic consisted of probes for exploitable CGI scripts, mostly the kind that would allow user-generated content such as guestbooks, unauthenticated forums, or comment forms for blogs. The content wasn&#8217;t quite what I had expected but I really wasn&#8217;t too surprised.</p>
<p>Oh yeah, I also had <a href="http://www.oxid.it/cain.html" title="Cain &amp; Abel Password Recovery Tool">Cain &amp; Abel</a> running and I collected over 500 passwords from HTTP authentication attempts.</p>
<p>After fifteen minutes, I killed the proxy with all the traffic but kept the other one up. After several weeks there was still minimal traffic on the private proxy. However, several times that month I fired up the other proxy and within a few minutes it was right back up to 5-6mb/s.</p>
<p>So why did I find this so interesting?</p>
<p>1. If you get a proxy server IP address that has been on a public web site for more than 5 minutes it is probably already being hammered to death.</p>
<p>2. Online proxy checkers, along with other proxy-related tools, no doubt are there to collect or publish lists of open proxy servers. Many others seem to automatically harvest those lists.</p>
<p>3. Running an open proxy is an excellent glimpse into the workings of the evil side of the internet. No doubt there are many <em>organizations</em> that set up open proxies just to monitor those who would use them. If a proxy is still good after 24 hours I&#8217;d say chances are it&#8217;s there on purpose.</p>
<p>4. If you are evil and want to eat up someone&#8217;s bandwidth, sneak a few proxies onto their network, check them using online tools, then watch the traffic start flowing.</p>
<p>5. On your own network you should probably monitor the most common proxy ports for surges in traffic. In fact, a simple rule would be to watch inbound traffic to TCP ports 80 (excluding your web servers), 81, 1080, 3128, 6588, 8000, and 8080 where traffic exceeds 1-2mb/s.</p>
]]></content:encoded>
			<wfw:commentRss>http://xato.com/windows-security/fun-with-open-proxies/feed</wfw:commentRss>
		<feedburner:origLink>http://xato.com/windows-security/fun-with-open-proxies</feedburner:origLink></item>
	</channel>
</rss>
