O2 router attack shows danger of staying logged in

Concerned about web security? One thing that may prove more valuable than any amount of supposed security software (anti-virus and the like) is the simple good practice of logging out of web sites at the end of each session.

Here’s the reason. Let’s say you are logged into some site – could be Facebook, or Google, or the admin screen on your router, and you’ve left checked the option that says “keep me logged in”. Then you visit some other site. The vast majority of web pages today run JavaScript code in the background, and these scripts execute on your computer, not on the web server. What if one of those scripts sends a request to a site where you are logged in? The request comes from your computer, so it looks like you to the web site. If you are unlucky, the script will be able to perform any action you could perform, but without your awareness – such as changing your password, or reading confidential information.

For this hack to work, a couple of things need to have gone wrong:

1. You are running a malicious script. This implies that the site you are visiting has been hacked, or has a vulnerability such as forum software which allows users to post content that might trigger a script. Even a link to an image in a forum post might be sufficient.

2. The site where you are logged in doesn’t make any additional checks on the source of the script. Although it is running on your computer, the HTTP request generally includes referrer data, revealing the URL of the page from which the script came. By checking this value, the site can figure out that there is something wrong. Another idea is to have unpredictable URLs for sensitive data.

Still, you’ll notice that neither of these things are under your control, whereas generally the option to log out of a site is under your control. Even that might not always be true – a developer could code a site without an option to log out – but that is unusual.

The O2 attack referenced above exploits this flaw to get into your router admin, if you are running an O2-supplied broadband router. It is a huge vulnerability, since if the router is re-configured a wide range of further attacks are possible. One example is DNS poisoning, where familiar URLs might take you to malicious destinations. It could also disable firewall protection and redirect external requests to one of your home or small business PCs – very nasty.

Here’s a couple of things that will improve security:

1. Don’t use the broadband supplier’s equipment, if it is not entirely under your control. Use your own; turn off universal pnp, change the admin password, don’t stay logged into the admin.

2. Don’t stay logged into any site which matters. Even sites which don’t appear to matter can be a security risk, if they expose passwords or security questions that you use elsewhere, for example. Personally I always log out of Facebook, Google and Twitter, for example, even though sites like these should be aware of the risks and be coded appropriately – they mostly are, but mistakes happen.

Unfortunately many sites encourage you to stay logged in, because it reduces the friction of using the site. Still, there are compromises which work. I notice with Amazon for example, that it uses cookies to give you personalized information even when not logged in, but displays password prompts with boring regularity for actions that spend money – though Amazon also advises you to log out completely if using a public or shared computer.

Why you probably don’t want to buy Microsoft SBS 2008 Premium CALs

I’ve been trying to figure out licensing for Microsoft’s Small Business Server 2008. It’s somewhat perplexing. There are two editions, Standard and Premium, but you can apparently use Standard CALs with the Premium SBS. The Premium edition offers two extra features over the Standard:

1. A second server license for Windows Server 2008.

2. SQL Server 2008 Standard Edition.

So what’s the difference between Standard and Premium CALs? First of all, price. A pack of 5 standard CALs is $385 full retail, while 5 Premium CALs is $945 – that’s 245% more, real money.

But what else? You would have thought that a Premium CAL would be needed to access Premium SBS, but this is not the case. The Pricing page says:

Microsoft offers several flexible licensing options to allow for complete scalability of your cost in relation to your usage, including various CAL quantities to suit your specific needs as well as the ability to purchase SBS 2008 CAL Suite for Premium Users or Devices for only those users or devices accessing the “premium” features.

OK, so what are the “premium” features? Does this mean anyone accessing the second server? Apparently not. The Licensing FAQ says:

The Windows Small Business Server 2008 CAL Suite for Premium Users or Devices should be purchased for only those users or devices accessing the SQL Server 2008 Standard for Small Business shipped as part of Windows Small Business Server 2008 Premium server software.

Now we are getting there. It seems that the “premium features” boil down to just one feature: SQL Server 2008 Standard.

It’s also worth bearing in mind that SBS 2008 can be used by a maximum of 75 users; and that Microsoft offers a free version of SQL Server 2008 called Express which is limited to using a single processor, 1GB RAM and 4GB maximum database size.

It follows that small businesses only need Premium CALs if they are running a SQL Server 2008 application that is beyond the capabilities of Express, and even then only for those users who access that application.

SBS 2008 Premium Edition comes with 5 Premium CALs and costs $1899 full retail, vs $1089 full retail for the Standard Edition. Real-world prices are likely to be less.

My conclusion is that Premium Edition plus Standard CALs is good value if you can make use of the second server, whereas Premium Edition with Premium CALs (beyond the bundled 5) is poor value for the majority of small businesses, who simply do not need those SQL CALs.

Microsoft could make this much clearer by striking out all the references to “Premium features” in its publicity for SBS 2008, and replacing it with “SQL Server 2008 Standard” – unless it is hoping to sell Premium CALs to customers who do not need them.

Microsoft’s confusing web sites

Scott Barnes draws attention to this study which compares the usability of the Apple vs the Microsoft web sites.

Some things are bad for so long that you stop complaining about them. This is one of them. Let’s acknowledge though that there are mitigating factors:

  • Microsoft is a huge organisation, has a vast number of products, and creating a coherent web presence that covers everything is a monumental task.
  • The goals and technical abilities of visitors to Microsoft’s web properties vary enormously.
  • Staying up-to-date is a challenge.

Against that though, Microsoft is in the IT business and supplies both web design and web server technology; it regularly talks up the importance of “user experience” and must be aware that potential users will judge to some extent by what they find.

I use “web sites” in the plural because there are many Microsoft web sites. Perhaps there should be one; but as the referenced study observes, there are numerous different designs. There are different domains too, such as Silverlight.net, ASP.Net and so on.

Take my experience this morning for example. My question: how many processors are supported by Windows Small Business Server 2008? My Google search got me to here, an overview showing the two editions, Standard and Premium. I clicked Compare Features and got to here, which says I have to visit the Server 2008 web site to find out more about the “Server 2008 product technologies”. I click the link, and now I am looking at info on Server 2008 R2 – only I know already that SBS is based on the original Server 2008, not the R2 version. It’s not clear where to go next, other than back to Google.

Some general observations, after clicking around various SBS sites (I had some other questions too):

  • It’s hard to get past the marketing blather to clear information
  • Too many links lead to menu pages with further links – sometimes it feels like an endless loop
  • I found lots of information in the future tense, clearly prepared before launch and not updated
  • Regionalisation is poor. You can start on the UK site but end up with pricing and availability information applicable only to the US
  • There’s a Technet site as well as a general site and the differentiation is not clear. I suppose the general site is meant to be more business/marketing focused, but there’s plenty of overlap
  • In general pages are too busy with each one offering a splurge of choices
  • Some things are just inherently confusing – like the CAL policy, which has four different types of CAL (user and device in combination with standard and premium) that can be mixed and matched: you can use standard CALs with SBS Premium if they are not used with “Premium features”. Whoever dreamt that up has never worked in a small business.

Clearly this is not a simple problem to solve. At the same time, it is hard to understand why it is so bad. It is a large company problem: maybe too much bureaucracy, conflicting kingdoms, little budget following initial launch, everyone knows it is a problem but nobody knows who should be fixing it, that kind of thing.

Incidentally, I think the processor limit is actually the same in SBS 2008 Standard as in Server 2008 Standard R2, and this chart shows it to be 4 sockets. In other words, you can have up to four physical processors and still benefit from multiple cores. Probably.

Why the EU should not worry about Oracle and MySQL

The European Commission is examining Oracle’s acquisition of Sun and has concerns about the implications for MySQL:

Competition Commissioner Neelie Kroes said: “The Commission has to examine very carefully the effects on competition in Europe when the world’s leading proprietary database company proposes to take over the world’s leading open source database company. In particular, the Commission has an obligation to ensure that customers would not face reduced choice or higher prices as a result of this takeover. Databases are a key element of company IT systems. In the current economic context, all companies are looking for cost-effective IT solutions, and systems based on open-source software are increasingly emerging as viable alternatives to proprietary solutions. The Commission has to ensure that such alternatives would continue to be available”.

The most remarkable thing about this investigation is that it exists. One of the supposed benefits of open source is that, come what may, your product cannot be abandoned at the whim of some commercial giant; you have the code, and as long as a viable community of users and developers exists, its future is in your hands. So why is the EU worried?

The issue I suppose is that while Oracle cannot remove code from the community, it would have it in its power to disrupt MySQL – in fact, that is happening already. It could refuse to invest in further development, and encourage customers with support agreements to move to the latest Oracle solution instead. I am not saying that is likely; I have no idea what Oracle plans, and it already owns Innobase, which supplies the most widely-used transactional engine for MySQL, without obvious adverse affects.

Still, it is important to think clearly about the case. I’ve just been talking to Simon Cattlin at Ingres, who is using the opportunity to mention that worried MySQL customers are making enquiries at his company. He also argues that the EU’s intervention proves the increasing importance of open source technology.

That latter point is true; but there is some doublethink going on here. There are two sides to MySQL. On one side it’s powering a zillion mostly non-critical web applications for free, while on the other it is a serious business contender covered by support contracts. It is all the free users that make it “the world’s leading open source database company”, not the relatively small number of commercial licensees; and it was Sun’s failure to shift users from one to the other that accounted (among other things) for its decline.

So which of these groups is the EU concerned about? If it’s the free users, I don’t think it should worry too much. The existing product works, the community will maintain it, and forks are already appearing, not least MariaDB from a company started by MySQL creator Monty Widenius.

On the other hand, if it is the Enterprise users, I don’t think the EU should worry either, because it is not a big enough deal to warrant anti-competitive concerns. Cattlin told me that Ingres actually had higher revenue that MySQL at the time of the Sun takeover.

It makes no sense to conflate the free and commercial users into one, and use the number of free users to justify action which mainly concerns the commercial users.

That said, it’s true that having an open source product owned and mainly developed by a commercial company is always somewhat uncomfortable. One of the reasons the Apache web server succeeds is because it belongs to an independent foundation. There is rarely a clean separation between what is commercial and what is open source though: the money has to come from somewhere, and entities like Apache and Eclipse survive on staff and funds contributed by profit-making companies.

Technorati Tags: ,,,,,

Logitech Squeezebox Radio has social features, unsocial price

Logitech has announced the Squeezebox Radio, similar in concept to the Squeezebox Boom which I reviewed earlier this year, but smaller, cheaper, and with a colour screen. It’s set to go on sale soon at $199.00.


The Squeezebox Radio has a trendy new feature: Facebook integration:

Say you just discovered a new track listening to Pandora® on your Squeezebox Radio. Now you can tell your friends about it instantly. You can display your Facebook page right on the screen; and send music recommendations to your Facebook friends the moment you hear that amazing new track.

There’s no remote included as standard, but a $50 accessory pack will provide both a remote and a rechargeable battery, for portable use (but don’t go too far, because it depends on a wi-fi connection).

I am a big fan of the Squeezebox system, though it is not the easiest thing to explain in a few words. It’s interesting that Logitech is choosing to emphasise the internet radio aspect – handy for UK listeners threatened with the loss of FM – rather than the networked music player using a local server that is the original Squeezebox concept. I’ve used Squeezebox in conjunction with a Napster all-you-can-eat subscription, and the combination works very well indeed. Logitech needs to support Spotify, which has faster start-up and more mindshare than Napster. It’s a logical move for both companies. Facebook support on the other hand I can live without.

The snag with selling this as a radio is that it looks very expensive for what it is. $199 for a radio with Facebook support? The high price together with the complexity of setting up SqueezeCenter (if you do) is what holds the system back.

Logitech Squeezebox Radio on Amazon.com (Black)

Logitech Squeezebox Radio on Amazon.com (Red)

Technorati Tags: ,,

10 Mac alternatives to Windows utilities

I’ve been spending an extended time on the Mac in order to explore Snow Leopard. As far as possible, I’ve done all my work on the Mac since its release. The trial will be over soon … but in the meantime I’m sharing notes on some of the utilities I used for tasks I normally do on Windows, in no particular order.

1 Capturing screenshots

On Windows I press PrintScreen or Alt-PrintScreen (for the current window), then paste into an ancient copy of Paint Shop Pro 5.0 for trimming and re-sizing. No, it’s not PhotoShop, but it loads in a blink.

For the Mac I use Ctrl-Command-Shift-3 (whole screen) or Ctrl-Command-Shift-4 (selectable area) which adds a screenshot to the clipboard. Then I use the latest Preview, which has a File – New from Clipboard option. I love Preview – it has tools for further trimming and resizing, and when you save it shows the file size as you select different formats. Since I often want to minimise the size for a web page, it’s ideal.

2 Secure file transfer

I avoid FTP for security reasons, so on Windows I normally use WinSCP for secure file transfer.

On the Mac I use Fugu, and of the two I prefer it.

3 Word processing

On Windows I use Microsoft Word. On the Mac I mainly use NeoOffice, which actually felt a bit nicer than its parent, OpenOffice. I also spent some time with Word 2008 (good for compatibility, but slow) and Apple’s Pages from iWork 09. One nice feature of Pages, for journalism, is the stats window that shows the word count as you type.

4 Web browsing

I used Safari, in order to get the most complete Apple experience. I’m getting to like the Top Sites feature, though it’s hardly essential, especially the way it shows at a glance which pages have changed.

5 Sound editing

On Windows I use Audacity. On the Mac I use … Audacity, though for some reason I found it slightly less smooth.

6 Playing FLAC

Apple is still stubbornly refusing to support FLAC in iTunes or Quicktime. My solution was Songbird, a great alternative, which supports FLAC straight out of the box, or rather download.

For converting to FLAC I used MacFLAC, though I found it less than robust. I missed dbPowerAmp (Windows).

7 Remote desktop

I find Remote Desktop invaluable for managing servers. On the Mac I used the official Remote Desktop client, which worked well though it falls slightly short of the Windows version (perhaps this is a policy!).

8 Twitter

I use Twhirl on both Mac and Windows, an Adobe AIR application. One oddity (getting picky): the font spacing is slightly better on Windows. In the word Blog, for example, there is too much space between the B and the l, but only on the Mac.

9 Email

I never thought I’d say I missed Outlook, but I did. The thing is, after much experimentation I’ve found a permutation that works really well on Windows: 64-bit Windows and Outlook 2007 SP2 in online mode (only for a desktop, of course).

On the Mac I use Mail, but I’ve found it less than satisfactory even though I run Exchange 2007 with all the required configuration.

10 Blog authoring

On Windows I use Live Writer, which is superb.

On the Mac I write posts (like this one) in the WordPress online editor. I don’t like it as much, but it does the job.

11 Bridge

Now this one is a problem :-). I find JackBridge ideal for those moments when I need a break from work. It won this year’s World Champion computer bridge contest.

The Mac is not so well served, but I have trialled Bridge Baron and found it not bad at all.

Docx on a Mac: still rough without Microsoft Word

I’ve been living on a Mac recently, while thoroughly investigating the new Snow Leopard. One of the questions that interests me: how difficult is it to use a Mac in a Windows-centric environment? Once facet of this is Microsoft’s latest document formats, introduced with Office 2007: docx, xlsx and pptx. What if you get sent one of these, and don’t have Mac Office 2008 installed?

I downloaded a document on Azure blob storage from Microsoft – a random example. I opened it in four different applications: Apple’s TextEdit, which comes with docx support built-in; Microsoft Word 2008; Pages from Apple’s iWork 09, and NeoOffice, the Mac-specific port of OpenOffice. In the image below, Word is on the left, TextEdit on the right, and NeoOffice in the foreground.

Word 2008 opened it perfectly, as far as I could tell.

TextEdit crashed on the first attempt. On the second attempt it loaded, preserving the text but losing most of the formatting. Not a bad result, considering the scope of the application.

Pages was the best of the three non-Microsoft applications. It gave me a warning about paragraph borders being lost, but did not mention that the diagrams were messed up (Pages is on the right):

Image corruption in Pages with docx

NeoOffice made a fair stab at the formatting, but included some extraneous characters (you can spot these at top left in the screen grab) and omitted the pictures completely.

As a final test, I used Word’s Save As feature to convert the document to plain old .doc. This opened fine in Pages and in NeoOffice, though I have to say TextEdit gave a mixed result: the formatting was better, but the hyperlinked table of contents came out worse in .doc than in .docx.

Conclusion: don’t send .docx to Mac users unless you are sure that they have the latest Microsoft Word.