[Previous entry: "Good Tuesday Morning!"] [Main Index] [Next entry: ""]

03/11/2004 Archived Entry: "Bulletproof computing: web and email"

Several items on top today. First, humor: those who have been following the SCO/IBM/Linux flap will enjoy this week's installment of the Bastard Operator From Hell. (I particularly like the analogy between SCO's products and excrement.)

In the You Heard It Here Beforehand department, it seems that everyone's predictions of the problems with computerized voting have materialized in California. We may never learn what went wrong; the absence of a paper trail means that no one will ever know how bad the miscount was. (The tipoff was districts reporting more votes than registered voters.)

Webmasters should read this item from SecurityFocus courtesy of The Register. I wasn't aware of Google's advanced search capabilities and how they can be used to reveal security flaws on web sites. I'll post more on this later, after I've finished the current thread.

Which brings me to the fourth line of defense for your personal PC: secure email and web software.

I've said it before. I've said it again. I tell you three times: Do not use MS Internet Explorer, MS Outlook, or MS Outlook Express! These products are so riddled with vulnerabilities and design flaws that they are notorious.

(This week's security advisory for Outlook and Office XP is merely rated "serious"; it allows an attacker to run "unwanted code" on -- i.e., take over -- your computer. So what does Microsoft consider a "critical" flaw -- a risk of death?)

Windows users, here's a tip: you don't have to use the web browser and email client that came with your operating system. You can download something else. You can even download several. (I used to have three browsers and two email clients on my old Windows box. Jargon guide: in this context, a "client" is a program that runs on your computer. It talks to a "server" which serves up web pages or email messages or whatever.)

So, at the risk of repeating myself, here are a few suggestions.

Web browser. My favorite, for its attention to security and its speed, is Opera. Opera gives more options than any other browser I've seen to control cookies, pop-ups, and how the broswer identifies you. It was also the only browser to handle the URL spoofing bug by issuing a warning telling you that the site you were about to visit may not be the site you expect. A nice attention to detail, and well-written code.

Second choice and coming up fast is Mozilla (or Netscape). The Mozilla team is busy adding most of the security features of Opera, and it actually has a few features that I prefer (like the ability to easily change font size in a displayed page). My main gripe with Mozilla is that it's slow, and tends to freeze momentarily while fetching pages from the web. But for security it's excellent. (Netscape is essentially a rebranded Mozilla these days.)

Both of these are available for Windows and Linux. There are others.

One more important tip for Windows users: disable ActiveX scripting. ActiveX is yet another example of Microsoft's complete fecklessness where security is concerned; it's almost as if someone said "let's make something like Java, but without any of the security features."

(Not that Java implementations are flawless, despite the attention to security in its design. You might want to disable Java too, although we leave it enabled and have had no security problems. Dump Microsoft's bungled Java engine and install the one from Sun Microsystems instead. My biggest gripe with Java is that most Java web pages use huge Java files, which take forever to load on our dial-up connection.)

Email client. For Windows my favorite is Eudora. It has all of the security features I describe below. As I recall, the latest versions even warn you if you attempt to open an executable attachment.

For Linux my first choice is Mozilla Mail. This is almost as capable as Eudora, and has all the important security features. Usually you'll get this as part of the package when you install the Mozilla web browser, but I hear that you can now get Mail and Browser separately. This would be my second choice for Windows.

I don't yet have a second choice for Linux. I would expect the Opera mail client to be excellent, but the way they've implemented mail folders and labelling is not to my taste, so I've never used it. Other popular programs are Evolution, Balsa, and Sylpheed, but I have no experience with them.

As another choice for Windows, Andrew Grygus of Automation Access recommends PMMail. I haven't tried it, but I respect his opinion.

If you're going to try one of these alternate choices, look for the following features... and if you're using one of my suggested email clients, enable these features:

• Limit attachment size. On my computer, any attachment larger than 39K is not automatically downloaded. This blocks most older viruses (but new ones are getting in under this limit).
  
• Display the full file names of attachments. I can always see when an attachment ends in ".exe" or ".scr" or any of the other virus tip-offs.
  
• Display email in ASCII text. This helps protect me from spoofed URLs in emails. It also makes a lot of spam display as a blank page.
  
• Don't download images in email. This also protects me from a lot of spam. More importantly, it prevents the spammers from knowing that I've received their message! Even loading the image is enough to tell them who you are. That's why this is an important feature.
  
• Disable scripting languages in email. I can't think of any valid reason why someone should send me Javascript in an email... but there are lots of reasons spammers would want to do this. I suppose the folks who write email software feel compelled to offer me this as an option, but I always turn it OFF.

brad