
Posts tagged: driver

My Old New PC

By , May 21, 2007 18:10

Some of you looking at that title might wonder what I’ve been sniffing (packets I tell you!!, Packets!!). In fact this was an article I created on Sept 26, 2006 and never actually posted!

That’s correct. I typed this article up back then and never published it. I decided that I could honestly publish this now, and I could also show you guys some of the pictures I took at the time of building this rig. In early September of last year I finally had all my material for building my two new PCs in place. The DVR was cheap, running in at about $500.00 including all the cabling, keyboards and other miscellaneous stuff that adds up considerably. Total system costs break down like so: Existing parts used: video card. Cost: $0. New parts for PC: motherboard, CPU, hard disk, power supply, RAM, case. Cost: $388. Reallocated parts for PC: illuminated keyboard, 50 foot VGA cable, wireless mouse, extended power supply cable. Cost: $112. Even though I didn’t actually buy either the keyboard or mouse at this time (I already had them), I included their costs since they were now at home in this system.

Ok, I didn’t say I’d talk about the cheap system I threw together; I’ll get to the actual story from last September.

Well this is a little bit older technology, but still on a very high end.

For this Gaming System I’ve hand picked the parts due to their excellent quality, warranty, and durability. To say nothing of offering the best features and designs to be found anywhere.

The start of our system begins with our case: a Cooler Master CM-Stacker 830. This is a phenomenal case for a gaming rig. However its greatness is also its curse. This case alone weighs as much as my fully assembled DVR rig, and I’m adding a lot of weight to this. Total should come in around 45~55 lbs completed. Thank god this case features a pair of handholds at the top of the case.

I could get into more and more detail about the case and its features but instead I’ll discuss them as I use and work with them. There are many. Primary ones are the many locations for fans, the front jack plate on top of the front of the case and the additional (duplicate) jacks on top with the power/reset buttons and HD activity light. Another is the airflow that this case allows by not having really solid walls. The black mesh is an open grill much like is found in many rack mount components. The other major feature this case offers is its size. It sits 22 inches high and 25 inches long! That’s 56cm and 64cm for the rest of the planet. This case will support an ATX motherboard in two orientations, or a BTX motherboard.

Our motherboard is an ASUS A8N32-SLI Deluxe powered with an AMD Athlon FX-60 Dual Core CPU. We are using an ATX in normal configuration due to the heat pipes our motherboard features. This is a very important determination of the setup in our case and we will follow the instructions as directed by ASUS.


This is an awesome combination which should give us incredible gaming performance. However in order to not bottleneck the CPU any more than required, we chose the recommended and expensive RAM, Twin 1GB’s matched with the lowest latency we can get for this motherboard. Using unmatched ram is not recommended and we would much prefer to add another 2GB but….unless we are using a x64 compliant OS (not XP or less) it will not work. We could run Redhat or Fedora with 4GB but even this is not that easy to accomplish. We will run Vista on this box so hopefully we can eventually accomplish this.

After we have the RAM installed it’s time to mount the motherboard to the motherboard tray on the case. This makes working on this system very easy since we do not have to work with the entire case while loading the motherboard, etc. This prevents scratching the aluminum case unnecessarily.

All this makes a great computer except for the true power horse behind any decent gaming system…the video card, or in our case the Dual Video Cards. My choice was the extraordinary eVGA Nvidia 7900 GTX times two! These awesome babies are black with silver heat pipes, just a perfect match for our black/silver system. They are HUGE! Each card fills two expansion slots (of course each only using ONE PCI-Ex16 slot) and each requires its own power supply connection! These babies are going to get the electricity meter running.

Given the large size I decided to dry run the video cards to see how they would fit and how much they may interfere with the cabling I still need to do. I discovered these huge cards would be very troublesome in a smaller case, even a slightly smaller one, but not for me! Still the biggest problem is denying me access to any of the ports on the motherboard for the front panel connections primarily as well as thinking about using any other expansion slot in the case…it ain’t happening!

Another problem with the eVGA cards is the double slot tabs. My case seemed to have very tight slots to attempt to insert this card while using two of them at the same time. What a patience test! One I was able to stretch out enough to get the card to seat nearly perfect, the second one annoyed me so much I cut the tabs off the video card. My first custom modification ;)

Routing the front panel cables was a bit more challenging as they needed to either lie flat on the motherboard or route around the twin video cards. Since I didn’t want to use any of the additional back plate connections since room is at a premium with the eVGA’s, I got the connections in as best I could. The case offers a routing rack on both sides of the power supply/water cooler shelf, but I chose the one in the middle between the motherboard and the drive bays. This allowed all the wiring to be routed through and tied up except where it was not possible (one PCI-E power cable just wouldn’t reach until it was allowed more direct access), or it was impractical (the ATX 12v connector just made sense to use the other routing since it was closer and hid the cable).

The Enermax Liberty Power Supply Unit is one of the nicest PSU’s I’ve bought without a lot of frivolous features. Ok, there were two which I’ll disclose afterwards, but I don’t want to detract from the nice features of this supply. This 750watt badboy has only built-in cables for the motherboard connections, of which we used all of them except the extra 12v motherboard connector since we are not using an advanced ATX or a BTX motherboard.

The supply itself is enclosed in a black mesh grill aluminum and has round cloth cables on most of the lengths. It features a selection of cables to add which consist of: 2 PCI-E cables; 2 Molex and 2 pSATA connections; and two more Molex and pSATA with Floppy connections also. All the cables come in a Velcro wrap storage bag for convenient and safe storage. I used all but one. Additionally it comes with a key tag necklace for what reason I’m not certain, other than you can wear it. But don’t try to attach the power supply to it. It’s a tad heavy for this necklace, but it’s great for thumb drives and other light weight items.

After getting this all in place, like requiring a mounting plate to be removed to install the PSU, I’m now ready to start installing the drives. 4 SATA2 Seagate 7200.10 300GB hard drives go into the original 4-in-3 module. This is going to be converted into a RAID 0+1 array equaling roughly 610GB of storage in a mirrored striped array. Formatting this puppy will take most of the afternoon.

I’m adding a 5th Seagate on the second SATA controller and installing the 6th Seagate in the external enclosure I purchased so it can be removed and plugged in quite simply. I will have roughly 1.3TB of storage on this box once it’s complete. Plus another 610GB for mirroring on the RAID0+1 array equals nearly 2 TB or Terabytes of disk space.

The case handles a total of 9 120mm fans and only comes with one. Ultimately I’m going to have 6-8 fans. The rear fan was replaced with a white w/Blue LED fan. A chassis ceiling fan was installed of the same type and a third was installed on the lower left cage in the access door. Four fans will fill this space ultimately. Ensuring all the front panel connections are done prior to installing the video cards is important and routing the power cables also is done roughly. Technically we could boot this machine but first we want to check a few things and ensure we don’t need to access anything on the motherboard. We still have a matrix LCD display to install, yes in the case.

To top off the drives we add a Silver NEC DVD 16x burner that supports dual layer disks. This will become our workhorse drive but with all the storage space we’ll put Nero to work building virtual DVDROM’s. Below the burner we install our Matrix LCD display. This unit is red in difference to our silver/black/blue theme simply to give the appearance of an eye (ok now you’ll have to sniff or smoke something to get that image in your brain…). We still have room to add another 4 drives if we acquire another 4 in 3 module, which to date we cannot get. Bad CoolerMaster rep’s…BAD! But realistically we have no capability to run them unless I make them IDE…uh no. However it would allow me to split the 4 drives in the one into two modules and greatly improve airflow between the drives. However my drives run currently a nice 32 degrees so I’ve nothing to worry about at this time.

With the eVGA video cards installed, now the system looks very menacing and promising. We decide that it’s time to exchange the Molex connectors with the UV reactive ones I purchased. The Molex extractor tool is very handy, even though the task is not a highly rewarding one. I’m simply not using any of them except for the DVD Burner. The other two are attached to fans at the moment and will probably route to the matrix display. Two connectors you will probably never see will glow. Wow…

The time of trial now comes as we are ready to power up the system for the first time. Booting the system the first time was flawless, as everything came to life after powering the system. I quickly went into the BIOS to make a few changes and then rebooted to get the RAID and SATA controllers working. This proved to be a greater challenge. After a few driver upgrades and reconfiguring we got the drives set up; unfortunately our external SATA drive is missing the correct cable, which we will have to get at a later date.

Originally, I had planned to install Vista beta RC1 on this for the time being, later upgrading to the release version of Vista Ultimate 64bit, but none of my tricks could get the OS to see my SATA drives. I did have to install a floppy drive and have the drivers for the SATA I wished to boot from ready to go during OS setup. But otherwise nothing else needed to be modified from my setup to get this up and running.

Vista was not as accommodating. It simply hung during several phases of the install, but popping the DVD out of the drive usually moved it to the next step. This was not foolproof and was ultimately dumped as a choice and I installed XP SP1a instead. I may upgrade this to SP2, but that will have to be decided later. For now I want to get all the drives working and formatted, drivers installed, and get testing this box out. [Author’s Note: At this point I have the PC playing with several OS’s using various external SATA drives and Firewire drives, and I’ve now acquired my Vista Ultimate 64bit I’m going to reattempt this.]

So fan totals: Power Supply = 1 120mm; CPU = 1 80cm; Motherboard = 0; Video Card = 1/each = 2 80cm’s; Chassis has 1 in 4-3 mod, 1 rear, 1 top, 1 side, all 120mm. Total is 8. At this configuration motherboard is running at about 49 C. When we add the 3 other fans this should decrease the temps by about 4-6 degrees. [Author’s Note: After getting another 3 fans to fill the side grill up with fans the temperature is now running at 44 idle and 46 peak. The CPU also never peaks over 61 and typically is running around 50] The real beauty is how quiet this whole thing runs at. It’s much quieter than many of my other systems.

All the drivers installed ok, and we installed most of the bonus software that came with the hardware, even the time limited stuff, like Norton Internet Security. Most of this we toasted including the buggy Forceware Firewall that comes with the product. Many other programs had issues with it.

Today the system still runs great. We have also acquired a pair of Viewsonic VX922 monitors to serve as our dual-monitor setup when not playing games, and they perform very well when we reduce the output to one display for SLI mode. We have had many games installed and many framerates peaking over 140FPS. Even games like Oblivion we run constantly achieving over 40FPS even with all the graphics on the highest settings using a display mode of 1280 by 1024. Yes, we do enjoy the games and the performance of these games on this rig. Now we are planning our next build…something to store an incredible amount of files on.


Should you consider a Brother product for your Home office?

By , July 14, 2006 12:40

No. 


Why do I think so?  

Simple. When it comes to using technology a term that is used a great deal is ‘ROI’ or Return on Investment. Another term that is used is ‘TCO’ or Total Cost of Ownership. These variables account for costs associated with normal use and regularly maintaining equipment, what it costs to keep running, how much IT resources it requires, etc. Since the Brother MFC 420 is a printer, copier, scanner and fax machine all in one nice simple package, I figure it’s far too complex of a system for the folks at Brother to make work nicely all together within a reasonable ROI. I understand it’s designed for the SOHO market but when you’re a one person operation 4 hours downtime trying to scan a document can really affect your ability to get anything else done.

 


It does work, when it works and works well.

 

In fairness, once you get the software installed and setup it works fine.  But if I reboot the PC or shut off the MFC unit, then for some strange reason my PC keeps losing ability to do ONE thing (scanning typically but printing and faxing also have been affected), forcing a COMPLETE reinstall of all the software again.  Sure it tells you to be selective, but for the most part it’s either an all or nothing install (fonts and the control center can be left out but everything else MUST be installed/reinstalled or you will have issues). 

 

In the six months we have used this product we have reinstalled the software nine (9) times. You have to research the uninstallation doc from their support web site prior to reinstalling, otherwise you will end up with duplicate drivers. It took me three installations to determine that having 3 printers, 3 scanners, and 3 fax drivers was not appropriate, forcing a proper cleanup and reinstallation.

 

After our sixth installation (which broke when we rebuilt our LAN) we decided to rebuild the box from scratch for other reasons, but one on the list was to ensure a clean installation of all the MFC drivers, and then did our seventh install.  This was the longest lasting installation to date (3 weeks).  We then attempted our eighth install to fix the scanner which died, which did not solve the issue, then tech support sent us links to new software from Brother and performed our ninth install which so far is still working.

 

Get Tech Support on the phone, we have a problem.

 

During these phases we have had to waste even more hours sitting on hold waiting for tech support. The queues are very slow, and then when you get someone ‘they’ only want to spend 10 minutes with you, and then get you off the phone. Considering you or I can wait 30 minutes or more on hold to talk to them, I find this very disrespectful.

 

10:30 Attempted to scan from PC.  Device not found.  Prints ok.  Try to manually scan directly from the device, will not perform any action with scanning.

 

11:00 Reinstall of software (8th), still not working.

 

11:18 Called tech support in queue.

 

11:45 Tech support advises they will send me an email pointing towards the uninstallation doc and the new driver software.

 

12:30 No email received, Second Call.  Got into arguing match about receipt of email.  Very unprofessional of Brother to argue whether or not MY email works.  I built my MTA/MUA AND bind, so I know it works.  I get over 200 emails a day on my work account. 

 

1:30  After a Third Call I finally get tech support to provide me with a link to the uninstall doc.  DNS issues with ISP caused issues connecting to site, probably delivery or routing of email also, but resolved.

 

2:00 Finally received a link from tech support for the new software via email.

 

2:15 Finished removing software, noting errors and variants and other inconsistencies with the wording of the uninstallation document.

 

2:35 Rebooted and reinstalled software, confirmed all components working.

 

2:40  Finally scanned my document. 

 

Total time from start to finish:  4.17 Hours.  

 

@ $90.00/per hour (which is our labor rate for administration costing calculations) this means that scanning a one page document cost our company $375.30 labour dollars. This affected two people.

 

Factoring in the cost of using IT resources to install and uninstall, IT time @120.00/per hour for the removal and reinstallation adds another 1.50 hours for an amount of $180.00. This affected one more additional person.

 

Total cost was $555.30 to scan one page. Not including the cost of equipment or ink, paper, toner, etc. We would assume that it should take ONE person roughly 10 minutes total or 0.17 hours at $90 or a cost of $15.30. This is a difference of $540.00. Yes, our admin rates are quite high but we do pay our employees well.

 

Looking at our history over the last six months this particular product keeps overrunning our operational costs. We are certainly seeking a better solution, and will probably seek out Canon’s solutions. Granted this product is not an enterprise class product, but given that there are at most 5 people using our network at any given moment, it would be fair for me to say it is not effective even in this environment. Perhaps if you only have it connected to one PC via USB the MFC device works far better, but we did buy this on the basis we could connect via our network switch.

 

I do not understand why Brother cannot do this correctly; this isn’t their first time in this arena (Multi-function products). But suffice to say, IF you never turn off the MFC unit, and IF you never reboot any of the PC’s that this product has its software installed on, it works great! It’s a wonderful product once it’s working 100%. Too bad it never stays that way. Of course it also never completely breaks either.

 

What was even more disrespectful of Brother was that they didn’t ‘care’ about fixing their documentation nor about hearing my advice on how to improve this. Well if any Brother executives read this article, please review my walkthrough below. Some of it may be petty to intelligent thinking people, but I hazard who qualifies as such, and would rather make the document dummy-proof for all people, not just the smart ones. Saves tech support calls. Maybe then you can get a decrease in calls to tech support and reduce your hold times for people with bigger problems. In my instance yesterday I had to call them THREE times, use over FOUR HOURS of time to get two WEB LINKS. How inefficient is that? I asked them to give me the links over the phone and got the excuse the ‘link is too big’. I guess they’ve never heard of tinyurl. When I mentioned using this, they said ‘we can’t do that’. This is technical support huh? Pity.

 

When we brought the product into our environment we decided to connect it to our print server.  This is really just a simple PC running XP that has all the printers connected to it.  Most requests to print get sent to a custom spooler I wrote which then allows you to come over to the machine and forward the job to the appropriate printer. 

 

The first time I decided to use a network connection as this allowed me more flexibility with the other printers I own to still allow me to receive a fax on the MFC, and print on one of the lasers without building a queue for the jobs. So I noticed it supported DHCP and decided that would be the way to go. For a while (holidays) the unit was not going to be used so we turned off the MFC. Upon powering on again, none of the software would talk to the printer. Why? Because it now had a new IP address, thanks to DHCP. I had to reinstall the software to get it working again. However, reinstalling without a ‘complete clean’ uninstall of the product’s software PRIOR to reinstallation will cause you the next issue: duplicate drivers. Yes, now the system registers FAX#2, and SCANNER#2, and PRINTER#2 since you have now installed the product twice. A third time causes serious malfunctions and instability of the machine which I believe to be due to the fact that you’re only permitted to install this software on two machines. So now we incurred additional calls from staff indicating their documents are not printing due to selecting the ‘older’ driver vs. the ‘newer driver’.

 

Now if you have a couple hours to kill, you can call the technical support line for help.   They can provide you with a link that I have supplied here to remove the software.  

Understanding it is another issue, so let me explain with a walkthrough of the document:

 

Note: this document is quoted in italic, regular text is my comment.

  1. Unplug the printer cable.

 

This term is very ambiguous. A traditional ‘printer cable’ is a parallel cable that connects a parallel port on a PC to the same port on the printer. This product HAS NO parallel port. It DOES provide a USB and Network interface for connecting the product to a PC/Network. Why doesn’t it explain:

  1. Open the MFC by lifting the cover from the right hand side, and lock the hinge in place.
  2. Once open, disconnect either the USB cable and/or Cat5 Networking cable.  Ensure there is no cable connecting the MFC to the Computer or any Networking Equipment.

 

  1. Click on START , CONTROL PANEL , ADD & REMOVE PROGRAMS , and remove the following programs: MFL Pro .


 

The actual program as listed is ‘Brother MFL Pro‘. Since the add/remove software application lists all the selections alphabetically this would be important for finding the proper install file for the MFC, rather than looking for something that doesn’t actually exist [anymore | in this case | due to new setup], whatever is applicable.

 

  1. Click on START , SETTINGS and PRINTERS & FAXES and delete the Brother driver & the PC-Fax driver.


 

Well, after a fully successful removal of the software at STEP 2, I discovered that there was nothing to do here.

 

  1. In the “Printers & Faxes” window, you will click on File and Server Properties .

 

Yes.

 

  1. Click on the “Drivers” tab.

 

Yes they could have combined this step, but it’s more clear as two.

 

  1. Select the “BrotherMFC-xxxx” driver or any other Brother driver, then click REMOVE .

 

Ok.  Um, there is nothing here.  Three steps wasted.  In fairness perhaps this ‘could have been here’ so checking is preferable regardless of the result.

 

  1. From “My Computer”, click on Tools and Folder Options , and then click on View . Put a check mark on “Show hidden files and folders” and uncheck “Hide extensions for known file types” and then click on OK .


 

This has already been done, but confirmed regardless.  Another potential wasted step.  Granted many people may not have this option previously set and will require it for proper performing of the next two steps.  Again in fairness, this is a well documented step.

 

    Then double click on your C:\ drive and then delete the Brother folder and also delete the Brother folder in C:\Programs Files.

 

Done.  However if you installed the MFC solution say to drive D: instead of C: you would find that the brother software ineffectively installs in C: in two locations additionally also in D: as directed.  So in this case you would have to search for THREE folders named ‘brother’ (C:\, C:\Program Files, D:\Program Files) and remove them.  Very unclear wording of this requirement.

 

  1. From the C:\ drive double click on the “Windows” folder and the “INF” folder.

 

Ok

 


  1. Search for OEM files that are related to Brother and delete those files. To see if it’s related to Brother, you double click on the first OEM files on the list (For example: OEM1.inf). If the OEM file is related to Brother then close that window and delete that file. And delete the PNF file that follows it with the same number (For example: OEM1.PNF). If the file is NOT related to Brother then don’t delete that file , just close that window and continue with the other OEM files. You have to go through all the OEM files to make sure nothing is left from the Brother software.


 

Unfortunately this is very vague.  Let me give you an example.

 

I currently have 1469 objects in this particular directory.  Of these 21 meet the criteria as selected above.  I know since I wiped this hard disk and reinstalled windows XP sp2, that only TWICE have I installed this, so perhaps the setup uses many of these, or perhaps it uses a select number.  Either way I have no further information to differentiate these files from the ‘related to Brother’ ones.  So which do I delete?  INF files tend to be fairly important and I certainly don’t want to determine them all.

 

I simply ignored this step as I was not about to inspect 21 items to determine which is which.  Why don’t they log this in an installation logfile, then review that to determine which OEM files to remove?  Makes sense doesn’t it?  Too bad Brother didn’t think so.
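The check this step asks for can be done without opening each file by hand. The Python below is an added example, not part of Brother's document or of the original post: it reads every oemN.inf in a folder, resolves the Provider and [Manufacturer] names through [Strings], and reports which files name Brother together with the matching .PNF. The sample folder, file contents and vendor strings are constructed for illustration, and the script only reports; it deletes nothing.

```python
import re
import tempfile
from pathlib import Path

OEM_INF = re.compile(r"oem(\d+)\.inf", re.IGNORECASE)


def read_inf_text(path):
    """Decode an INF file: honour a UTF-16 or UTF-8 BOM, else assume ANSI."""
    raw = path.read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw[:3] == b"\xef\xbb\xbf":
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("cp1252", errors="replace")


def parse_sections(text):
    """Return {section (lower-cased): {key: value}}, ignoring ';' comments."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # crude: also cuts a ';' inside quotes
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().strip('"')] = value.strip().strip('"')
    return sections


def inf_vendor_names(path):
    """Provider and [Manufacturer] names, with %token% resolved via [Strings]."""
    sections = parse_sections(read_inf_text(path))
    strings = {k.lower(): v for k, v in sections.get("strings", {}).items()}

    def expand(value):
        return re.sub(r"%([^%]+)%",
                      lambda m: strings.get(m.group(1).lower(), m.group(0)), value)

    names = {expand(k) for k in sections.get("manufacturer", {})}
    for key, value in sections.get("version", {}).items():
        if key.lower() == "provider":
            names.add(expand(value))
    return names


def find_vendor_infs(inf_dir, vendor="brother"):
    """Report (inf, companion pnf or None, matched names); nothing is deleted."""
    entries = {p.name.lower(): p for p in Path(inf_dir).iterdir() if p.is_file()}
    hits = []
    for name, path in entries.items():
        m = OEM_INF.fullmatch(name)
        if not m:
            continue  # only third-party oemN.inf files are in scope
        matched = sorted(n for n in inf_vendor_names(path)
                         if vendor.lower() in n.lower())
        if matched:
            pnf = entries.get("oem%s.pnf" % m.group(1))
            hits.append((int(m.group(1)), path.name,
                         pnf.name if pnf else None, matched))
    return [hit[1:] for hit in sorted(hits)]


def build_sample_dir():
    """Constructed stand-in for the Windows INF folder; every file is made up."""
    d = Path(tempfile.mkdtemp())
    (d / "oem0.inf").write_bytes(
        b'[Version]\r\nProvider=%Mfg%\r\n[Strings]\r\nMfg="Constructed Audio Co."\r\n')
    (d / "oem1.inf").write_bytes(  # UTF-16 with BOM, vendor only visible via [Strings]
        ('[Version]\r\nProvider=%BRO%\r\n[Manufacturer]\r\n%BRO%=BrModels\r\n'
         '[Strings]\r\nBRO="Brother"\r\n').encode("utf-16"))
    (d / "oem1.PNF").write_bytes(b"\x00constructed precompiled INF")
    (d / "oem2.inf").write_bytes(  # provider differs, manufacturer entry names Brother
        b'[Version]\r\nProvider="Constructed Vendor"\r\n'
        b'[Manufacturer]\r\n"Brother"=BrModels\r\n')
    (d / "oem3.inf").write_bytes(  # the name appears only in a comment: not a match
        b'; installed next to the Brother software\r\n'
        b'[Version]\r\nProvider="Constructed Scanner Co."\r\n')
    (d / "brprint.inf").write_bytes(b'[Version]\r\nProvider="Brother"\r\n')  # not oemN
    return d


if __name__ == "__main__":
    for inf, pnf, names in find_vendor_infs(build_sample_dir()):
        print(inf, pnf or "(no .PNF found)", names)
```

Matching on the resolved Provider and [Manufacturer] fields rather than on any occurrence of the word keeps a file that only mentions Brother in a comment off the list.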

 

  1. Also in the Windows folder, look for the TWAIN folder and the Twain_32 folder. You will double click on those folders and delete any folder that begins with brmf.

 

Only Twain_32 for me, I simply tossed the entire directory.

 

  1. Then open the “Registry” window by clicking on START , Run and type regedit and click OK .

 

Yes.

 

  1. From the left column, open the folder called HKEY_LOCAL_MACHINE , then the SOFTWARE Folder.

 

Yes.

 

  1. From the SOFTWARE folder, delete the Brother Key.

 

Yes.

 

  1. Restart the Computer.

 

But once you do STEP 2 it wants to reboot.  So, if you’re not careful, after doing STEP 2, you may reboot at this point, and then have to finish the remaining steps THEN REBOOT a second time.

 

I guess I could have mentioned this above eh? ;)

 

Here is the link to the actual document, I hope it works, it gave me a ton of difficulty :)

 

Document stored at <http://welcome.solutions.brother.com/BSC/public/us/ca/en/faq/faq/000000/002000/000040/faq002040_000.html?reg=us&c=ca&lang=en&prod=mfc210c_all&Cat=15>

 

 

To buy or not to buy, that is the question.

 

So, after all this you hope that you can now do a ‘clean’ reinstallation of the software without multiple drivers appearing all over.  It’s too bad Brother doesn’t care about the quality of its documentation, only that it’s accurate enough that you can go to it.  If they had clarified a couple of the terms they misused in the first place, this may have alleviated a great deal of confusion, but I leave that determination to you.  The manual is even worse reading and tends also to misinform you about the proper steps to fix or troubleshoot installations or broken installations.

 

Some people like very accurate information, others like very generalized information.  Some vary depending on the circumstance.  In any event it’s difficult to get the CORRECT information without some interpretation. 

 

If I was to review this product for its actual performance it would get very good marks.  It goes through ink in ridiculous quantities but name a printer these days that doesn’t.

 

However the constant breaking of various components forcing uninstall/reinstalls is very annoying.  Further discussion with Brother indicates this is very abnormal, but I have no way to compare this, except with my other 3 printers, none of which are Brother products and none of which have EVER had this problem.  Of course only one of them also uses a network connection (HP); the rest are either USB or parallel.  The other parallel is also connected to the network but it uses a custom driver to link the printer to the network over this cable.

At this point I don’t think we are going to continue with this product; if a part fails again, that just may be the time we retire the unit.  Let’s hope it was a simple buggy driver product and we have gotten past this and will never have this occur again.

 

P.S.  If you have any stories yourself on this product line I’d be glad to hear your input. 


Windows Vista Beta Impressions

By , June 14, 2006 14:43

As I’m sure you’re aware Microsoft was rumored to be releasing Vista this year, but instead decided to delay its release.  We won’t be able to purchase Vista until 2007 now, but until next summer Microsoft has given everyone the opportunity to try Vista in beta test until it’s released.  I don’t think Microsoft has ever before offered a new OS release under a completely open beta.

Downloading Vista is truly an easy thing, but as anyone who has used windows before, the real challenges occur during the installation and continue into the setup, and do not stop once you are logged in.

There are some nice cleanups and improvements over XP, but I’m afraid that I certainly understand why this product was delayed and certainly why there are still lots of unhappy MVP’s and users.

I have some feedback and initial impressions of the Vista product which I will discuss in future blogs but right now I want to give everyone the information about acquiring and installing Vista.

Keep in mind, getting Vista and installing it isn’t any more difficult than any other OS installer or previous versions of Windows, unless you introduce limitations.  Vista really wants to use a powerful machine, and will seriously take advantage of newer hardware.  That certainly doesn’t mean you have to upgrade or even buy a new PC for Vista, though it may not be a bad idea.  The time you will run into problems is when you have a box that barely ran XP, and you decide to upgrade/install Vista on this.  That would probably be a bad idea.  If you meet the minimum specifications you should be fine.  If you meet or exceed the recommended specifications you should be able to see and use a very powerful OS.

To start, the first thing to do is get the software and the license.

The first thing to do is to go to Microsoft’s Vista web page and download the ISO file.  This is a large roughly 3GB file so be prepared to spend some time downloading this, and ensure you have enough free space available.  A high speed connection wouldn’t hurt either.  During the initial week of release the download servers were simply overwhelmed and many of the servers and additional processes simply broke.  At the time of writing this, you should have little difficulty as I’m sure the initial demand has dropped.

I have a fairly decent cable connection and had the ISO in less than one hour.  I didn’t really time it, I went out for lunch and when I came back I was ready to burn this to a DVD.  An ISO now needs to be burned to the DVD.  Any DVD Burning software that supports ISO images should be effective at making the Vista Installation DVD, in our case we used Nero Burning ROM which is one of the more common and feature rich software for removable media.  Nero was able to quickly create our Installation disk which we booted in our machine for installation.

Yes, a 3GB ISO is not going to fit on a CD, so DVD was the only option, which leads to qualification #1: you must have a DVD Burner to create the Installation Disk, and the machine you’re installing to must have a DVD ROM drive.  I have heard of some folks attempting to break this into a multi-CD format but I couldn’t be bothered to attempt this.  However this did limit a couple of installation candidates for me, and I wanted to be able to install this on a couple of different setups, so I decided to go the VMWare route for most of my installations rather than move DVD ROMs around constantly.

Ok, so you got the ISO downloaded, now just like a real Installation you need a product key which Microsoft provides you.  When you normally acquire the ISO it will step you through the process to getting a product key, but at the time I acquired it, this was broken.  Later I was able to go back and get one (actually two ) so this was only some confusion on my part trying to decide what I did wrong. 

You will need a Windows Live account (also known as Passport) and this is easy to setup and then allows you to go to the download beta section and then it will present you with both the download link and the product key for you to use.  The really nice thing about this is that the beta is good for one year roughly and this is exceptional.  I do believe microsoft wants as much possible feedback from the community prior to finalizing and releasing this product.  If so this may be the most demanding OS released in history and additionally one of the more supported and user-backed OS’s ever.   I say this because many linux distro’s and Apple are moving into Microsofts markets and taking advantage of the fact that many folks understand the value they get with non-microsoft OS’s and software.  However many users still require (or think they require) Windows in order to use their PC’s.  By offering Vista as a free beta for a full year you allow the users to grow accustomed to the OS, and when they do release it sales should be immediate.  Just like a game company releasing demo’s, this allows them to guage the market, demographic, potential share, potential growth projections based on beta reaction and feedback, etc.

So to say this was simply an ability for Microsoft to release Vista at no cost to ensure quick adoption of the OS would not be entirely incorrect.  I’m sure there were other reasons, some would say security issues, but I don’t think they would delay because of security issues, unless it was a core/fundamental process in one of the new features.  Other reasons may be because key features still don’t work as well as they should.  Regardless once you have your own copy installed you can decide this for yourself.

If you boot your computer from the Vista disk you quickly see a familiar looking setup environment.  One of the main differences is that awful blue background is gone and replaced with a nice web-like white background that loads an image.  Since I chose to use VMWare to install Vista with for my first couple of tests, I decided to install it on a fresh machine and had considerable problems.  This was apparently more of an issue with VMWare, and following the helpful hints on their support forums enabled me to finally get past this.  I only ever had this error with Vista.  No other OS, including Windows varieties, had this issue.

I did not attempt this for real, but the idea crossed my mind, and that was to simply mount the install disk vs. burn and run from a DVD-ROM.  This is not recommended. 

The questionnaire was easier than XP in that it allowed you to get the installer running faster with less questions, the disk setup also is more friendly which allows you to pick which disk, and how to set it up and format it prior to you running the OS installer.  The default admin account is still created and the installer will ask you to create a user for your use (or more if you require, however I would not use this method for anything other than home-based/test installation).  For most users this will be enough to get everything working. 

The installer runs and about 45 minutes later (or more) it starts rebooting and initializing the desktop. This is the time to be patient and allow the installer to do its several reboots to get all the hardware initialized and working.  Hopefully you won’t have any issues with this, as I was using VMWare I had no difficulty installing the basic driver set, and when I added specific drivers for video card I was able to quickly find them online and install them.  The only downside to this I had was the numerous reboots before everything was ready to use.  I counted 14 reboots.

The really nice feature of the login screen is that a key set of features for accessibility are moved here so that when you login, you can choose the features you want to use; otherwise once you login these features are no longer directly available.  I welcomed this change: since Windows 95 these features have been left as simple tools that any user can enable at any time, and they tend to cause operational issues that confuse users later.   Sticking these features at the login screen allows most users who never use these features to ignore them and move into the desktop with less ability to enable these ‘while using’ the system, whereas those users who depend on these features are able to set them before login so they can quickly take advantage of them.

Now you login and the desktop loads and you are greeted with a familiar desktop with some interesting changes.  The icons on the desktop have increased and they are much bigger.  You can even make them bigger than the default install.  I could not comprehend this.  I have used software in the past to make these smaller, and I would have jumped for joy to have discovered a ‘shrink’ or ‘smaller’ option for the desktop icons.  Nope.  Regular, huge and really huge only.  The start button has some nice changes which can be easily configured by right clicking on the taskbar and selecting properties.  The system properties have also taken over the traditional display properties when you right click on the desktop background.  This allows you to make the numerous changes as before, plus additional system property changes. This should make moving around the control panel looking for that setting much less likely in Vista.  For the most part the desktop changes are not revolutionary, simply evolutionary, but still not utilizing all the ideas that have been developed into other desktop UI’s over the last ten years.  Of course now the Vista desktop actually takes advantage of transparency in the desktop that has actually been around since Windows 2000.  They’ve also added some nice features that take advantage of better utilization of older features.

From here you get to see the ‘Welcome Center’ which is a glorified control panel and allows the user to quickly get to nearly any setting for the system they might be interested in.  Microsoft Update along with the Security Center run immediately, putting the checks into protecting your system from hackers and malware, and Microsoft Defender is running along with the Microsoft Firewall also.  Essentially the next thing is to install an Anti-Virus product, and the Security Center takes you to the one Vista-ready product (Trend Micro) but the product is not available for download.  The page indicates that the beta is running and only good until the end of the year; one could decide whether to try this Vista-ready product now, wait for another, or try installing a current stable product and test it on the beta.

Next…New features highlighted and discussed.


Report on Cyber Crime

By , March 1, 2006 10:15

…for lack of a better title.

Or for those more whimsical:

 

Cyber Crime Enforcement – Strengths and Weaknesses.

 

Definition of Cyber-Crime:

 

“a criminal offence involving a computer as the object of the crime, or the tool used to commit a material component of the offence.” 1

 

The police define two ‘types’ of cyber-crime: one where the computer is the ‘TOOL’ (like a pry bar or similar implement, the computer is used to assist in the crime); the second where the computer is the ‘object’ of desire (identity theft, cyber-stalking, unauthorized intrusion, etc.), just as with a house, a business or other property when damage occurs.

Looking at these definitions I would say that pretty much summarizes the capacity of the computer in most of what we see in today’s crime reports. The problem with these definitions is their subjectiveness to the way we use computers ‘at the moment’, and more importantly how they are legally allowed to be used. When the ‘use’ of computers changes so does how we look at them.  They do lack clarity for other types of crime and newer challenges to cyber-crime.

 

 


Let me give you a quick example. In the 50′s to 70′s computing was centralized, and it was foreseen in the end of this era (mid 80′s) that no-one would need to have a computer and that all data would fit into large data storage area’s and archives. Today we foresee huge growth in data mining and farming as well as private sector compliance with current legislation to see that SAN (storage area networks) deployment will be the largest growth sector in the computing industry through 2010. This means we need more stuff to store our data in.

 

In between time (mid 80′s to 2000) we decentralized. Yes, the birth and adolescence of the PC made everyone aware that we all could become data collectors, and in some cases it made more sense to be (for instance letters, emails, game saves, etc.) your own data collector because during this time your ability to store data improved vastly.  In the early years of the PC, both memory and hard disks were very expensive. Only rich and foolish people used hard disks in the beginning of PC computing. Later the technology became more reliable, and the costs dropped to small levels that average consumers could buy them [average?...The first hard disks would take a 2000 system and double the price in some cases simply for 10 or 20 megabytes of storage. It was not cheap, but much less than the price tag of 45,000+ (at the time) for a multi-disk array. Over the years getting more and more data storage became the result of filling more hard disks. Today having a terabyte or two of storage is not unrealistic.

 

However I believe the PC industry is realizing the limitations of this decentralization, and is falling into the pit of 'convergence' and is truly seeing itself in everything around us, and as well our data needs are being reconsidered. Yes, why couldn't we have a computer whose sole task is to display art? Sure we have paintings and statues but why not have a computer do that for us? I'm sure it would be cheaper, and if someone stole it, we'd restore a backup from somewhere else.  But we don't need to store World of Warcraft on this same box, do we?  Does it make sense to?

 

What this means is that we now will use computers not as the Swiss army knives we've grown to use them as over the years (if in doubt ask the average non-techie what they are going to use the computer for) but as specific tools for the job, just like a hammer or drill. This computer will watch our perimeter, this one will handle the email and news, this one will be the general browser, this will be the 'office' pc('s), this one will be a file server, this will be a media server, etc. Since my computer that shows my art doesn't actually contain any data nor store anything, it just needs an Ethernet connection to update its changes, and to turn off when I stop paying the bill. So that's why there is a LAN port waay up there.

 

So yes, how police view 'computer crime' or cyber-crime, will have a direct impact on how we use our computers, and what actually constitutes a crime against or using one.

 

Encarta Dictionary has one subjective definition of 'crime':

 

"a shameful, unwise, or regrettable act"

 

Some people feel that way after buying (or selling) a stock. That doesn't make it a crime. Some people feel that way after other non-criminal acts. This is why it's important to understand what is a crime, and is it really criminal to me. I'm sure the computer is no exception to an area people work or play around where the regular crime vs. legal use comes into play.

 

Everyone knows racing cars on the street are illegal, but people do it everyday. Most get away with it because of the tolerance in society towards it. So if we were a racer, we'd probably allow this to occur, but if someone tried stealing a set of hub caps off a fellow racer we'd probably do something to stop that, even report them for theft at an illegal race gathering ;) Or, how about panhandling and begging or the worst, squeegee-kids who ask for money cleaning your windshield. We may even report them to the police, but all they do is scare them off temporarily. There is nothing else to do that is 'worthy' here, unless one of them gets killed in front of a dumpster. So here goes a crime that we tolerate and ignore for the most part.

 

Another example is kids. Kids ponder these items every day (well we used to I'm not sure about today's kids so much).

 

We'd know that Mrs. Abbot down the street will call our folks and the police if anyone wanders into her yard and tries to get apples from her trees, but the kids do it anyways, because she has the best apples (forbidden fruit anyone?). The police never charge anyone, they simply warn the kids not to bother the lady or her apples. We agree with our halos spit-polished, and our fingers crossed behind our backs.

 

Trespassing is against the law, and the police could easily charge these kids (us) with this crime, however it's unlikely we'd be convicted as it could be defended that there is no signage to indicate 'normal activity' may be deemed trespassing.

 

Yes you do not need permission to enter someone's yard if you are there for a purpose. (Again, once you commit a crime on the property you now void yourself of that right) , so until we get that apple we are ok. Since we are familiar to the property owner, the owner should make a clear statement as to whether we are welcome or not. By doing nothing the law states that this is permission. Now if you are fearful for your life calling 911 and reporting it as such is appropriate, but we'll assume most women are not afraid of a group of 6 year olds[?].

 

Also there are no locks applied to the gates further indicating ‘authorized use only’. Yes bypassing a lock is referred to as ‘breaking’, and then ‘entering’ the property, so is a criminal offense (unless the lock is a safety hazard). Imagine if she had only gotten a big noisy dog.

 

So what am I going on about apples and six year olds for? Well this is a good example of where ‘practically, or technically’ we have a law being broken and a clearly definable AND chargeable instance that occurs, yet it probably never will be seen in a court of law since ‘reality’ would not deem this worthy or ‘worth’ the effort of laying charges, going to court, etc. But comparing this to cyber-crime and you can see where the same ideas in a computer or network could be highly suspect and may very well lead to a criminal charge. Sure Mrs. Abbot tried, but the law didn’t see any damages. ABC Corporation on the other hand will look rather unfavorably towards unauthorized use of company resources, or in the case of this text, it should take a very serious look at this. This isn’t just apples.

 

‘Classification’ of crime. This is where you’ll see no lack of correlation between ‘brick and mortar’ types of crime and cyber-crime.

 

When it comes to the Internet, every second, hundreds if not thousands of crimes occur on computers, and this statistic is growing rapidly, however many of these are just like our apples and six year olds example, they are not worthy of reporting or even taking seriously because of any array of reasons. I’ll call these ‘false-crimes’, just like we saw the ignored-crime above. They may or may not be crimes, but we won’t take them seriously as crimes by themselves.

 

Namely, but not exclusively, some of the false-crimes are:

 

Portscans. Most jurisdictions define this as annoying, and not criminal, but its role in a real cyber-crime cannot be ignored.

 

Vulnerability detection. These also may or may not apply to your computer, most aren’t so these tend to be forgotten also. Again, in a real cyber-crime you cannot ignore this.

 

Atypical Network activity. This is the kind of stuff you typically see, but you’re seeing it in a new or different light in this case. Is it bad software, a broken NIC, vulnerability scans on a PC? Who knows.

 

IPS false positives. Yes, badly tuned instruments of protection can start causing grief all the way down the chain of command. This can lead from wasted diagnosis to improper enforcement to unnecessary weekend rebuilds of computers and/or networks.

 

Misdiagnosis. Yes, you thought World War 8 broke out in the server room, but it was a random test from an authorized pen-tester you hired last week. You wasted all day before recalling that fact, maybe even wasted some other folks’ time too. It’s a funny thing to think, but it does happen. Well maybe you did some ground work for that report the pen-tester will hand in next week, if you’re lucky.

 

Now, on the other hand you may have something more serious. We’ll call it a ‘true-crime’, not to be misread as an actual crime but just to differentiate it from a ‘false-crime’, which also may or may not be a crime. T-crime = we believe this is a crime we should deal with; F-crime = we don’t believe this is a crime we should deal with.

 

Some of the examples that could be used as a ‘true-crime’ reason, but then again this is subjective to the person or corporation.

 

 

Intrusion. Access gained by an intruder. Intruder defined as someone without authorized access.

 

Break in. A vulnerability has been used, and an open door left behind for the attacker. This could be reused but unfound for some time, so it’s not a true cross with a property break in, where open doors are usually detected immediately and fixed.

Of course we can monitor connections and see if the break in reoccurs.

 

Data theft. Due to intrusion and/or break in and/or by authorized access, data is taken without permission and removed and/or copied to other medium.

 

Data loss. Due to some reason, data is lost to the company, typically from permanent loss of tape archives. This has been mislabeled as a crime, when in most cases it’s been seen that careless handling and usage of archives is typically the problem. If better tracking and control methods were integrated, the losses would not occur. Now if a company has decent procedures, and they are neglectfully not followed, would that be a criminal offense?

 

Forensic costs. Costs associated with recovery of data or systems. Sometimes misused as cleanup and other costs (replacement of hardware, appropriation of licenses, etc.) which should be avoided. (i.e. ‘You probably needed that firewall BEFORE the intrusion also’)

 

Unauthorized access. Someone (or thing) using the system without authorization to do so.

 

Use of unauthorized hardware/software. This is one that nearly everyone who works for a company will fall victim to. Some companies are not that concerned, others can be very concerned. But connecting or installing anything to a company owned ‘network’ and/or ‘infrastructure systems or subsystems’ can also be considered criminal. Typically you just lose your bonus for the year ;)

 

Unprivileged use of systems. Another area of growing concern (thanks in part to effective management of group policy) is how much use is being done with privileges that the user should not have. Or worse, someone from outside your company has found an open door, and simply walked in.

 

Unauthorized installation or removal of hardware/software. Here again is a fuzzy area that may or may not be a problem in some corporations, where it should be very concerning. If you are adding or removing hardware for ‘any’ reason, it should be documented. If you audit the hardware on your boxes (for licenses, product fitness, etc) then this simply should not be allowed. If it is then it’s clear that you deem this inappropriate behavior and can follow up as necessary. If not, then what? What if you don’t document or audit your hardware? It may sound silly to some but what if someone ‘adds’ hardware to your network? This could be the cause of bigger issues like intrusion, theft of bandwidth, theft of storage.

 

Theft of hardware/software. A traditional crime with a high tech face. Hardware theft is pretty obvious, ranging from petty to grand larceny. Software theft can be more insidious, ranging from ‘borrowing’ licensed goods, to taking exact copies from backups restored to different systems, to copying licenses for use elsewhere. In some cases this is done to commit further cyber-crimes (using stolen hardware for cyber-stalking, or breaking into other systems, using credentials stored in hardware to access systems, replacing licenses; there was even a case of a NOC being robbed and the property used by a competitor to start up, etc.)

 

Cyber-stalking. This is a newer and older type of crime rolled into one term. The traditional stalking in relation to computers is still performed but in some cases with the use of tools freely available to anyone. From debt tracking, to credit checks, to phone lists, memberships, etc. tracking down someone on the internet is not that hard if you can find the resources and they allow you to use their systems. Lots of this stuff is supposed to be ‘access restricted’ but I’ve seen cases where if your visa card works, it’s ok for us to allow you usage. Newer stalking is less direct, but just as personal where someone goes to every site and or IM network you are in and continuously sends you messages either decent or otherwise, whether you want them or not. Sometimes this gets confused with addictive personality behavior, but it can get really out of hand, such as when someone flames you everywhere you go.

 

Theft of Bandwidth/Storage. This used to mean after access, someone used your bandwidth or storage for their nefarious purposes, but not so much anymore. Nowadays it can mean using someone’s web site too much. How silly is that?

 

Misc. Harassment or Abuse of person(s). This covers more normal usage used inappropriately. Such as sending a legit email to simply harass someone.

 

And the list grows on and on. This is by no means a complete list, nor an accurate definition of each type. Nearly every law enforcement office in Canada had its own definitions, and only two used the Canadian Police College definition of cyber-crime.

 

How you view these types of behavior vs. the type of incidents that are ‘typical’ on a daily basis depends on what you do with your systems, but there is little correlation between the problems ‘in your yard’ vs. ‘the worthy’ ones.

 

So we can see that the technical reality of cyber-crime and the actual concern of the legal system are not equal. This is why in the past when definitions were less meaningful most institutions would not bother law enforcement with their ‘internal’ problems. However as organized crime gains larger and larger access to today’s public systems, the protection of these systems should grow systemically. They do not.

 

This is why it will become misleading to gauge our ability based on public protection. One needs to understand and know how to identify acceptable use and how to identify unacceptable use; determining to what degree that use is classified for punishment is then critical. This will allow persons or corporations to take appropriate action with issues rather than respond either too seriously or too leniently.

 

Today though, a growing number of (corporate) citizens are feeling that law enforcement needs to take a larger role and become the gatekeepers so to speak. This is the wrong approach. People, and more importantly corporations, need to address their own ‘law enforcement’ approach with their systems, and understand that they have a great role in the society that organization has created for itself. Understanding how to track and report, and ultimately deal with its own ‘law breakers’, will go a long way to assisting the public at large with understanding what it is dealing with. Is it a CEO who is viewing child porn and needs to be sent to therapy to straighten out (as well as taken out of a pivotal role, since the company needs a stable person at the helm), or is it a saboteur who is slowly stealing resources to slow down some project’s completion, or is it a mole stealing data from the warehouse?

 

 

StatsCan does not look at all the types or classifications of cyber-crime the same, (and I should say nor should they) they state:

In addition to cyber-crime, there is also computer-supported crime which covers the use of computers by criminals for communication and document or data storage. This type of crime is not included in the definition of cyber-crime used in this report.

The terms computer crime, computer-related crime, high-tech crime, cyber-crime and Internet crime are often used interchangeably when police and other information sources are discussed.

 

One of the more important pieces of legislation our government has passed is Bill C-15A. This bill is specific in regard to child pornography.

 

Bill C15A – Legislation to better protect children from sexual exploitation:


Creates a new offence that targets criminals who use the Internet to lure and exploit children for sexual purposes;

Makes it a crime to transmit, make available, export and intentionally access child pornography on the Internet;

Allows judges to order the forfeiture of any materials or equipment used in the commission of a child pornography offence;

Enhances the ability of judges to keep known sex offenders away from children by making prohibition orders, long-term offender designations and one-year peace bonds available for offences relating to child pornography and the Internet; and,

Amends the child sex tourism law enacted in 1997 to simplify the process to prosecute Canadians who sexually assault children in other countries.

Source: Department of Justice Canada: 2002

 

Just as interesting is when we look at the NIBRS report of 2000:

Three classification categories arise, against person, against property and against society.

 

We do not differentiate between these categories but they may be worthwhile in a criminal case. Simply put it is a case against a noun, and we will defend against the noun. Our English prof would be so proud.

 

We see that the computer is never the victim in a sexual crime (whew!) so it doesn’t generate any stats towards this, but in a murder it did! Hasn’t everyone wanted to kill a computer now and then?

 

We can also see how there is no civil definition over some of our classifications. For instance, we are not concerned about murder as that is not a cyber crime, but hold on you say. Let’s pretend you contacted an assassin in secret over an encrypted session on the internet? Now we would want to see legit access (??) to gain information discussed in that session. This is where one would traditionally wiretap the session and gather the information this way. I do not see this as a cyber-crime.

 

Ok, how about this one. Thanks to the Internet and eBay, we now have widespread Internet fraud. Well, there were those 419 schemes, aka Nigerian email scams. It’s amazing how well these work. Anyways, Internet fraud is now as common as regular fraud:

 

 

 

Amazing that business fraud is at the bottom of this chart, or is it? Not bad for the first year.

 

Well maybe most businesses accept responsibility for being shafted and don’t look at everyone as a thief. Then again maybe most do, but they are just nicer to them ;)

I still think that this type of fraud will always be underreported regardless of reason. ID theft however I think is becoming a bigger issue, and at this stage it was not being diagnosed correctly by most seeing the reports.

 

 

But we can see that since these are two widespread uses of cyber-crime, people highly want these controlled. Here industry has shown it cannot or will not police itself even though both actions are clearly against most industries’ ‘acceptable use’ policies or similar papers.

 

Now let’s keep in mind, most XXX web sites forbid the use of child pornography, and will terminate anyone’s account associated with allowing minors to access the material or sharing content consisting of minors.

 

They make good money legitimately, so why would they screw around with child porn or people associated with it? So where are the problems? Instant Messaging, and web cams. These two areas have allowed kids to become unwitting porn stars (or in some cases wittingly) or be stalked by sexual predators seeking minors.

 

eBay has a lot of processes involved in making sure that the auctioneers and the buyers are on the up and up as well. They have created some of the keener ideas at self-policing, such as feedback, that keep the place from completely going to hell. Yes it appears peer pressure is still the most effective, but then there are a few who seem to have no conscience.

 

Yes, regardless of even the FBI getting them, some think they have a right to defraud you. It’s truly sad but a fact that about 3-5% of all online auctions end in fraud. For the record eBay has one of the lowest ratios in the business (and they dominate it!), but this also means they have the lion’s share of the numbers.

 

I heard of one guy selling stuff he really didn’t have to get enough money to leave town. Yep, he was using a friend’s computer and account. Nice friend.

 

Well the reality of most fraud is it occurs randomly, and it’s hard to know just when someone is going to do so.

 

But is auction fraud ‘really’ cyber-crime? Isn’t this the same good old fashioned fraud just using eBay instead of the back alley? Some say that the fact that you can do this over the Internet gives one a bigger audience, better tools, faster response, easier hiding out, and makes it easier to pull off, but still it’s the same old crime.

 

Nowadays encountering direct forgeries of goods is becoming a huge problem. You hear about the popular new X Doll, and you find a site selling them for pennies each. You buy a lot, and then resell them. They look like the goods and everything’s fine, except they were not made by the real manufacturer of X Doll. But you, me, the buyer, the seller, most are not going to notice the difference. Besides, imitators and knock off producers also are not new, they are just becoming much larger players thanks to on-line auctions and the demand for CHEAP and LOW PRICED goods. More importantly a global economy is to blame. Good luck changing that one, but is that a cyber-crime or just a victim?

 

Auction fraud for instance is a huge and growing crime area, yet law enforcement does nothing about it unless it’s very large and very serious. We cannot ignore crime because it’s small, this just lets everyone think that no one cares and that simply isn’t true. But if we spend all our time worrying about pedophiles and rapists who stalk MSN chat, then we will never stop the bigger and more important crimes against society as a whole.

 

So, there are many crimes being performed either more effectively and/or more successfully due to the advantages of computers and the Internet, but so are many law enforcement organizations.

 

Many are now building and/or using databases for tracking incidents and outcomes. Many are utilizing other databases in the country and internationally to compare and analyze which is allowing many more law enforcement organizations to be wiser when crime moves from jurisdiction to jurisdiction. This in the past allowed many criminals to simply disappear when a new country would know nothing of an individual, or they may even be illegally hiding there (with or without knowledge of the local law enforcement) and still to be deemed at large in their home country.

 

Today systems are being built and implemented to allow law enforcement to track the movement of people at places like airports, shipyards, train stations, bus depots, and car rental outfits. Some are still many years from implementation, and others may already be in place. Some car rental agencies have cameras built into the dashes of their cars that record everything the driver does, like smoking or not wearing a seatbelt, or the driver being recorded speeding at a particular time.

In some places in the UK they can track your movements across town via camera. But I digress, some other time I’ll discuss this.

I for one would like to see a better definition of cyber-crime at all levels of the law, and to clearly remove crimes that are ‘traditional’ but simply use computers as a tool. We are clearly ignoring other, much more important types of crimes that are completely missing law enforcement’s radar, either due to lack of interest in upholding the law or lack of ability to properly enforce it; both need to be reviewed and improved.

Cyberspace is a vast and expanding universe that invades all levels of life; as such, integrating laws into this universe is essential to its well-being. However some may see policing and laws as interfering with the regular day-to-day use and detracting from its purpose. Truthfully we need to understand what is a ‘traditional’ crime, how technology modifies those crimes, and how technology creates new crimes.

 

For instance, how would we deal with cyber-stalking using Web 2.0? Food for thought.

 


 

1 This definition is offered at the Canadian Police College, where Canadian police officers undergo training in computer crime investigative techniques.

 

(Source: Report on Cyber-Crime. Statistics Canada Catalogue no. 85-558)


Secure By Design

By , February 27, 2006 11:54

To be quite frank, no language is secure; no language was built from a security perspective.

So….

Many people these days seem to get it in their head that there are secure designs in the world, and I digress, no there isn’t. Nobody thinks deeply about security except those with a great deal to lose, and they pay very heavily for it.

Your bank is not really that secure.  Your data is not really secure.  Your personal government files are not secure.  Your home is not secure.  Your business is not secure, your car is (phht a joke!) not secure.  What does this tell you?

Well what did September 11, 2001 tell you?  What did Hurricane Katrina tell you?  

I think it’s telling us, that no ‘system’ or ‘process’ is secure by design.  Security is something we thought about afterwards, generally speaking when someone else quite distinctly shows you the insecurity.

When it comes to software, we cannot think that ‘security’ is job #1.  We’d be lucky if they even considered it in a fleeting moment, let alone design with it in mind.

So why would we think anything we do on computers or online, is secure?  It isn’t,  it’s even worse.  Online banking/payment systems are not secure, our Media players are not secure, our email and IM is not secure, our web browsing is not secure, nothing in our software is secure… 

…unless we want it secure. 

So if we want to think about secure design, what should we use as a language, and are there any languages we should avoid? Well, a ton of FUD is being generated towards PHP, like it’s the first language to have a high degree of problems. Probably Microsoft detractors trying to suck people disillusioned by PHP into thinking that Visual Studio will be the holy grail for secure programming. Only a total idiot could have that type of an epiphany. Anyways, my thoughts on this subject have been heightened by a recent thread on Bugtraq by a group you’d think knew what they were talking about. But it shows that it’s all opinion with little fact. I question some of this and downright disagree with vast sums of it.

Let me quote:

> —–Original Message—–
> From: Thomas M. Payerle
> Sent: Thursday, February 23, 2006 1:38 PM
> To: Christine Kronberg
> Cc: Gadi Evron; bugtraq@securityfocus.com
> Subject: Re: PHP as a secure language? PHP worms? [was: Re:
> new linux malware]
>
> >> 1. PHP is the “serious” or at least open-source/Linux/security
> >> freak’s choice for web development. Mine as well (although as many
> >> still say, Perl does a better job).
> While PHP is extremely popular, especially in open-source and
> Linux communities, I am not sure it qualifies as the defacto
> choice of “serious” web developers.

What language is ranked the ‘defacto choice of “serious” web developers’? 

When I talk to them I typically hear three answers: JavaScript, PHP, and ASP. When I look on Google to see if there are any trends out there I find most ‘serious’ web developers typically use PHP and a lot of the design houses use ASP.

For developers in general (app, web, etc.)

Which programming languages are currently in use at your company for development?

  • C – 32%
  • C++ – 54%
  • C# – 72%
  • Delphi – 7%
  • Java – 66%
  • JavaScript – 50%
  • PHP – 16%
  • Perl – 34%
  • Python – 8%
  • Ruby – 1%
  • TCL – 6%
  • Unix shell scripts – 42%
  • Visual Basic – 62%
  • Other interpreted languages – 33%

Pasted from <ComputerWorld>

According to this I would rank PHP as #3.

JavaScript, Perl, then PHP, followed by Python and TCL.

ASP didn’t even qualify (probably a chunk of that ‘other’).

So what about web developers specifically? Do they simply use Dreamweaver and frown on the rest? It’s really up in the air. A lot of choices out there. Let’s pick a couple examples.

The US General Accounting Office (GAO) decided that PHP was the choice over Java for such reasons as (gasp) security!

Infoworld

Then there is this guy who thinks the sky is falling.

Nut Case Against PHP

May as well say Windows is a growing target for trojans and worms. How about Mountains are a growing target for rain? Taxi drivers are a growing target for passengers? Runways are a growing target for airplanes (literally!)? See how unfounded this type of comment is? JavaScript has so many holes in it, they cannot realistically be patched, so the best solution is restricting what sites can use JavaScript, again another solution that has never worked, but at least allows us the whitelist-approach to the solution.

So it’s fairly obvious that something with a HUGE penetration into the server market, where cost is nil and developers are abundant around the world, is to be considered a ‘growing target’ for something!! If peanut butter became the next language and was used by a growing group, guess what? It too will experience this type of exploitation, it’s part of life. It’s what we as people do.

Anyways, let’s get back to our Bugtraq discussion.

> And I did not think it was as popular in the security
> community (when I occasionally scan one of the reports on the
> frequent PHP based applications that grace this list, I
> thought exploit code is as often as not given in
> Perl:)

Ridiculous and nonsensical comment.  Perl is typically used because it’s easier to write PoC or exploits in.  I personally prefer Python.

Remember, we are here because nobody thinks about the ‘right’ way, just the fast or simple way. What difference does the PoC source make?

> >> 2. Developing secure applications in PHP is difficult, as one of
> >> PHP’s creators said recently – even to him after years of trying.
> The number of PHP applications getting reported on bugtraq
> would seem to support this, although likely also contributed
> to the fact that it is popular, and perhaps that it is (or at
> least has the reputation of being) of being easy to program,
> leading to programs written by people without understanding
> of security implications.

Again, just like any other language or ‘code base’, when we learn from our mistakes we explore new avenues and do not necessarily like what we see. PHP was at the least designed to do only a trifling amount of what it has turned into. It went from being a very simple ‘scripting home pages language’ to a very ‘sophisticated server side language’ in the course of a few years. In that very short time frame a LOT has been learned about writing secure code in PHP, and the next generation of stuff will be leaps and bounds better; however, a LOT of old code (some no longer supported) needs to be fixed, and the fact that the community is working to fix it is king.

But that doesn’t mean that the ‘need’ for secure code is present in all cases. A good example of this is ACID, for the longest time the only front end for the popular IDS called Snort, used by security analysts to gather information. Simply said, it is one of the worst-written apps in PHP probably ever “from a security perspective”. My analysis would be to chuck the whole thing out and rebuild, something a lot of people are currently doing and/or considering, or at the least are aware of the reality.

But in fairness to the author, he did not design it ‘for secureness’; he designed it to view insecure data. He did not think the average ‘user’ would ‘need it’ secure. Again, if the need for something in the software is not perceived, why would you waste time designing it?

The latest push has been into BASE development, which has improved but is still nothing secure or even remotely close. This team still is trying to grasp rewriting the application. I personally think this was written this way for a reason, but I digress.

These were developed BY SECURITY PROFESSIONALS yet even they failed to account for writing secure code. What does this tell you? I know what it tells me: that nobody understands secure code in the first place, so how can they write it? Do people today still think that BASE needs to be written securely? Back to our discussion:

> >> 3. Staying on top of new PHP vulnerabilities has become impossible,
> >> popping around everywhere.
> While I concede I am less than happy about the frequency with
> which patched versions of php come out, and most versions
> include some security related patches, I do not think it is
> impossible.  Furthermore, most of the “security”
> patches have been rather localized, and affect only a small
> number of functions and often only in rather specific
> circumstances, and with some knowledge of the PHP
> applications running on your system you can often leap frog
> over some of the versions.

I’m not quite following this statement, but it would certainly be the one I mostly agree with. Most patches are good at fixing the issue with the function. Typically it has to do with no longer trusting some data source, and voilà, it’s more secure. But it’s similar to patching C functions also. Or Perl, or JavaScript, so why is PHP being singled out?

If you understand the C code, you can fix the problems when they are pointed out to you. It seems silly to say, but it’s true. But what is the likelihood of the developer being able to see the problems in his own code? I think it’s stupid to comment on, but people are inherently egotistical, and programmers even more so. When it comes to being honest with themselves and seeing their flaws for what they are, we seem to emit a hormone that allows our senses to ignore our own and home in on other people’s. So, it’s quite unlikely the average developer is going to notice his or her own security flaws. They will require someone less in tune with their code, or who picks up their hormone.

> Most bugtraq messages with PHP in the subject appear to be
> holes in specific applications, usually due to programming
> errors on the part of the application author.  This does not
> mean the language is inherently insecure; although it may
> indicate that it is difficult to write secure PHP code.  It
> could also mean that PHP is easy enough to program that a lot
> of people without knowledge of how to program securely are
> writing PHP code.

Again, I don’t understand how you would define a secure vs. insecure authoring language. It’s difficult to write secure C code. It’s difficult to write ANY code if you’re not familiar with it, let alone expert with it. So…back to reality…

No language is secure to start with, so your choice is either defined by:

  • Application
  • Usage
  • Availability
  • Cost

 

Even if ‘Secure’ was in there, how would you measure it?

Some people never grasp this. 

Then what comes along…I see this fellow has figured this out:

 

On 22/02/06, Kevin Waterson wrote:
> This one time, at band camp, Gadi Evron wrote:
>
> > 3. Staying on top of new PHP vulnerabilities has become impossible,
> > popping around everywhere.
>
> What vulnerabilities in PHP?
> Are implying the fault is within the language itself?

I think Gadi meant vulnerabilities in PHP applications; though the language doesn’t make it particularly easy to write secure code.

> This is akin to saying C has vulnerabilities because some script kiddie
> wrote a poor application.

Like this ?

“We can give you advice on how to write good cryptographic code. Avoid any programming language that allows buffer overflows. Specifically: don’t use C or C++” — Practical Cryptography, Schneier and Ferguson, (p149 in my copy).

It’s a point of view that has something to be said for it. You *can* write secure code in C and PHP, but it takes a lot of care and most programmers don’t take that care. I’ve been told privately that one penetration tester could gain system privileges on the majority of webservers he checked; that used to surprise me, but doesn’t any longer. I don’t know whether that’s a ‘vulnerability’, ‘disadvantage’ or ‘feature’ of PHP and other scripting languages.

cheers,
Jamie

Jamie Riden

Agreed. That doesn’t surprise me anymore either. Why aren’t we surprised by this? Simple. We understand that servers are built with money, and nobody wants to spend more money than they have to. LAMP (Linux, Apache, MySQL, PHP) is a very common web server setup and can be rolled out quickly, easily, and cheaply. They need little maintenance, and if they aren’t harmed by the users or the guests, then they can stay running for a long time. If they get infected or hacked, or whatever, they dump the site, and recreate it somewhere else. If they need to, they can revert back to an old backup of the site once a particular hole is patched.

Why worry about secure software? “It doesn’t exist”.

I think this is the mentality that needs to be changed now.

When people think about security in their applications they realize that 100% success isn’t going to happen, and that maybe all they can truly offer is 10% or maybe 20% towards that goal. So they give up or don’t bother. I hazard that adding that portion will allow us all to get closer and maybe allow the next person to see how to achieve the next 10%.

PHP 5 is showing its progress at dealing with security, but like most good apps, it also relies heavily on the developer to use the tools properly. PHP has always been a hacker-friendly language, and there are not a lot of low level design tools to assist in this. In this regard it allows poorly written apps to be built, but then so does any other language.

We have to judge it on its accomplishments with secure design inherent to the language.

But we shouldn’t think any particular language is “out to get us”. And this highlights the importance of not relying on any ONE language thinking its solutions are the best. If that was the case we’d never have matured past FORTRAN. Maple is so much better to use.

Recently Visual Studio 9 was being released and as I uncovered from the opinionated source ‘eweek’, Peter Coffee mentions about this new developer tool:

I get a queasy feeling, though, from a combination of comments by Visual Studio Team System Lead Program Manager Jeff Beehler, who told us all on his blog last week that (i) “we’ve been fixing tons of bugs” and (ii) “we’re only fixing the most critical of issues to help prevent regressions.”

Does that give anyone else a sense of “uh-oh”? There’s plenty of room for debate about the precise behavior of bug discovery rates as the number of remaining defects in code shrinks down, but I don’t know of any model that estimates a sharp and sudden cutoff between “tons of bugs” and “good to go.”

 

Pasted from <http://www.eweek.com/article2/0,1895,1914426,00.asp>

So, yes, in order to reduce costs (regressions) Microsoft will concentrate on the critical issues. No statement that they will fix them, just concentrate efforts towards them.

I too am skeptical about the cutoff point and where that occurs.  But that won’t change the fact that (i) it will happen and (ii) there will be issues and (iii) there will be supporters and defectors as a result. 

Oh I almost forgot, (iv) a holy war.

I’d normally start this paragraph out with ‘in conclusion’ or some such official closing remark, but is this really concluded?  Not by a long shot.
