22 January 2006

Life as a Linux/Unix admin in a Windows world - PT1 The experience

This article is not meant, in any way, shape, or form, to put down Windows admins. Every group has bad eggs, and this is just me writing up my experience with the "bad eggs." Please keep in mind that Part 2 of this article will go through my experiences with good Windows admins, as well as bad. Not all Windows admins are morons, just like not all Linux/Unix admins are l337.


I have been a professional Linux/Unix admin for about 7 years now. I actually started off as a junior admin at a Linux company. The experience there taught me a lot, but also got me spoiled. You were made fun of if you used Windows.

At that company, every desktop in the building was running some distro of Linux. The one exception was an Exchange server the development team used while writing an email client for Linux and Solaris that would communicate 100% with Exchange (yes, before Evolution did it, and before Exchange 2000).

So basically I never had to argue about Linux/Unix stability, ease of use, etc.

I left the junior admin job to be a full-time admin at a web development company. The company was awesome, everyone was super nice, and to this day I say it was the best job; however, it did have its rough areas.

Most of our projects were PHP, Java or ASP, so we ran apps like Tomcat, WebSphere and Oracle Application Server (basically a souped-up Apache with Java built in).

I got hired to take care of all Unix/Linux machines, but little did I know that I was the only Linux/Unix admin among 5 Windows admins... yes, count 'em, 5!

My First Incident with a Windows admin
Our Windows admin always gave me a hard time about Linux. He always told me it was less stable and much harder to work with.

To prove my point, I challenged him to an up-time contest. So he set up his own DNS Server to be a slave to the Master DNS I had just set up using Linux.

After about 120 days I get a call from our Windows admin bragging that my Linux DNS server went down. I was in shock. How the heck did this server go down? I had to have a look.

I went to the KVM switch to bring up my server. When the screen came up, there was a Windows login prompt.

I was in disbelief. I actually checked all the connections to make sure they were correct.

Come to find out, my clearly labeled LNXDNS-server01 had been the victim of a Win2k Server install by the same admin I had challenged to the uptime contest.
He felt really bad when I asked if that was his way of trying to beat me in the uptime contest.

If you're curious, the contest was a blowout. The Windows machine got a virus and failed around day 140. My Linux server went more than 400 days before I had to disconnect it when the company moved to a new location.

Actually, the first incident wasn't too bad. It was funny, more than anything.

More Issues
[Before I begin this section, I'd like to stress that my jobs have always been great because of the people I work with.]

One of the ongoing issues was working with the 7 people in charge of the technical team. All of them were cool in their own way, but only one understood Unix/Linux. It was actually a little worse with him, because he knew only the basics, from having been a Unix administrator many years ago.

Let's go into some of those issues:

Now, this exact item can be a pain in the ass if you're not running a commercial Unix or Linux. I am a firm believer in FreeBSD and some of the free Linuxes. However, they do not have commercial support, and this caused a lot of unneeded panic. This is how I handled the situation:

Boss: Do our CVS, FTP, PHP/Apache servers have support?
Me: No, they are running a very stable OS called FreeBSD, and they are backed up on a daily basis using a custom Perl script I wrote that sends the backups to our fileserver via FTP.
Boss: That's good, but why don't we have support contracts on these?
Me: Uh, not to sound harsh, but my job is to support these machines, correct?
Boss: Yes, but still...
Me: Well, here's the thing: FreeBSD doesn't have official commercial support. You can hire someone to do this, but you're basically going to get someone like me (with more or less knowledge) and pay a lot more money.
Boss: OK, I see now. I am sorry about the misunderstanding; I am so used to having support on our Windows machines that it seemed odd.

Now, this boss was very cool and very open-minded. The great thing is that this made him think. We had 5 Windows admins, and we paid for every OS ($1000+) and also paid for the top-level support contracts with Microsoft.

Now think about that. What the hell is the point of a Windows Admin with all that support? You would think that we could hire a person with basic Windows knowledge to take care of these machines and call support when needed. Or we could have the guys we already have, and not pay for the support. The Windows world is a very confusing place. I know my boss was thinking hard about these things after that conversation.

Virus Scanners

I have had this conversation with every boss except the ex-Unix Admin boss. The conversation usually went like this:
Boss: Windows Admin-A tells me we don't have a virus scanner running on any of our Linux or Unix machines. I need you to find out how much this will cost us, and give us an estimate on the time it will take.
Me: There is a reason why we don't run a virus scanner: it's not needed.
Boss: Why is that? (Keep in mind the Windows admin did this knowing we didn't need it; I think he thought it was funny.)
Me: Well, none of the Linux machines are fileservers or email servers.
Boss: So? They are still exposed to the outside world. We have Windows machines that aren't email or fileservers, and they need and have virus scanners.
Me: That's true, but Apache, Oracle, WebSphere etc. are not as easily exploited as IIS or any other Windows service. Viruses just don't exist in the Unix/Linux world like they do in Windows. When a Linux/Unix machine is exposed to the world, I do my job by locking it down and turning off easily exploited services like telnet, talkd, FTP, DNS etc. The only thing we have to worry about is rootkits, and I have plenty of measures to stop them and to alert me if we catch one.
Boss: How much did that cost us, and what is the software called?
Me: All of the software was free. I use chkrootkit and Tripwire.
Boss: Uh, OK. Sounds good. (Has a confused look on his face.)

These situations were not too bad, but they become annoying. It really makes you want to beat your head against the wall when your boss, who happens to run the technical side of the company, asks questions like this. Man, I need to get into management somehow.

Getting excluded because you're a threat
The incident I'm about to write about could have been avoided if I had been involved at the start. Anyway, this is a combination of issues with other admins, and power.

It all started when we got a new client, and I mean a big client. The client was to buy all the hardware, software and support as suggested by us. Now, the project is 100% Linux, so you would think they would bring in the Linux Admin to help make the decision right? Well, they didn't. The current "manager" I had, was put in charge of the group. Sort of the head administrator.

Anyway, the sales guys brought him in (they didn't know the difference between OSes and admins) and asked him to help. Usually when this happens we all have a meeting and discuss it; not this time.

The first thing that went wrong was that the sales people brought in experts, who brought in their own experts. The project was an Oracle/Oracle application design. We needed a production environment, patch, dev, test, standby and failover! IBM came in and brought their friends VMware along. In the end, my manager came out with 3 machines, 3 copies of VMware ESX, and 5 copies of Red Hat AS 2.0.

Had I been consulted, the company could have saved about $15,000 (yes, that's right) and ended up with the correct hardware/software combination of 3 machines, 1 copy of VMware, and 3 copies of Red Hat AS 2.0.

So I can let that slide as not my problem. However it was a problem when the manager laid out what we are going to do:

Machine one (PROD): Install VMware ESX and install 1 virtual OS. (Yeah, I know, what's the point of running VMware with only one OS?)
Machine two: Install VMware ESX and install 4 OSes (patch, dev, test and failover). Not too bad, but I don't like failover set up this way.
Machine three: Install VMware ESX and install 1 OS. (Again, the point of VMware is?)

I questioned this, and he basically gave me a hard time, saying it was the best way and that I had no clue what I was talking about because I had never used VMware ESX. OK, whatever. I went around him. His boss pretty much ignored me too.

Now the kicker: Production is running one virtual OS, and needs the Oracle database and the Oracle application running on it at once. According to my boss, the best way to do this is to cripple the OS by putting it on the second layer (layer one is VMware, layer two is the OS). Then, let's install 6 GB of RAM, but only allow the OS to access 3.5 GB.

Now, you newbies out there may not know this, but x86 hardware has limits, and VMware has them too, so each process is limited to 3.5 GB of RAM (VMware treats each OS as a process); thus we get limited use of the RAM.

As you can guess, when we went live we saw a huge performance problem. We ended up installing another OS and splitting the DB and application. This helped out a lot, but it could have been avoided from the start if we just hadn't run VMware on it.

We could have had one machine running both the apps and the DB, taking full advantage of 6 GB of RAM and running at full speed, unvirtualized. But we were stuck with the setup. We couldn't destroy VMware and just go full Red Hat, because uptime for this client was important. Luckily the split was easy to do with VMware.

The fact that we bought 4 licenses of Red Hat for 1 machine is pathetic. Think about this: when you buy Red Hat you're paying for a license for one machine. So 1 license should work. Oh well, again not my problem.

In the end, the client turned out to be OK, and the boss, the manager and I ended up leaving. My boss never saw me as a threat; he was just doing the wrong job. He should have been managing another team. My manager, however, was very threatened by me. He would get new projects and never let me in on any of it. He would exclude me from meetings and all kinds of stuff.

So watch your back. If your company runs both Windows and Linux/Unix, and you know your way around both, be prepared for people to dislike you.

Oh no, I now have to take care of Windows too!
Just like every company back in those days, we had layoffs.

Everyone knew that I was a Unix/Linux Admin, but people later found out that I was capable of PHP coding and even Windows administration.

As we lost our PHP developers and our ASP deployment admins, I got stuck with the ASP deployment. Nothing too complicated in handling this stuff. However, 1 year later they laid off all the admins and decided that since I could administer both Windows and Linux, I would do both.

Being in charge of all machines has it perks and downsides. A big perk was that I had full control, and with this we (meaning me) decided it would be best to replace all Windows servers that could be replaced with Linux or FreeBSD.

I started small by moving our FTP servers over to BSD. Later, I converted all of our SourceSafe servers over to CVS. The developers loved me after converting to CVS! Our firewall was nothing complicated, so I moved this over too. Man, everything was Linux/Unix except our email. And there was no way I would get around this.

With all the perks mentioned above I must mention the downside... That Exchange 5.5 server was hell.

I knew nothing about it. Adding new accounts at first was a total pain in the butt. On top of that the storage area was running out of space, and people refused to delete email (small company, so they got away with it).

So, I did some searching one day and found that there was an Exchange log directory with over 15 GB of used space! OMG, WTF. These logs were old, I mean like 3+ years old.

So, like any Unix Admin I did some cleanup. I deleted half of the logs and thought everything was cool. 20 minutes later email is down, WTF. Apparently the logs, were not just logs but journaled data or something odd like that. Now that is weird.

Microsoft needs to learn to name things differently. Logs should be logs, and should be there just for history. 25 hours later (yes I worked 25 hours straight), after talking to MS morons for 7+ hours (keep in mind they charge for this) I got email back up with almost nothing lost. This was a huge nightmare.

First off, we had no backup server. We were running so low on money that we couldn't afford to fix the backups. Second, this email was important, we are talking 5 years of email for every employee. After this, I made sure to read up on any changes. I won't even go into the nightmare of me converting from Exchange 5.5 to 2000. Granted the machine after that is more stable, but it was hell converting.

People who get that you know your stuff
This can be good and bad. As a Unix/Linux Admin, people know that I am capable and will take advantage, especially the Windows admins.

Now, we had a situation where a file needed to be transferred via FTP from a Windows box to a Linux box. Well, apparently the Windows admin thought it would be better if a script was written on the Linux machine. So I had to write a script to go and get files, rename them, etc. I also had to do the opposite. No big deal, but as you can see the Windows admin sort of proved me right by basically saying it's easier to do this stuff on a Unix/Linux machine than it is on Windows. In fact, you can see the simple script I wrote in our forums.

I had this kind of stuff happen all the time, and I gladly did it. Why? Because it shows my co-workers that Unix/Linux is better, and that I am capable. So it's a win/win situation. It may suck to do the work, but you know what, that's my job, even if the other guy is lazy. I have been at my company for 5+ years now and lived through close to 5 rounds of layoffs; wonder why I am still here while all the other admins got laid off?

The a$$hole Winblows admins
I've only worked with one really bad Windows Admin, but most of them have done stupid shit that just pissed me off.

As a Linux/Unix admin you will be told frequently how the system you work with is old and outdated, complicated, and just plain stupid when compared to the great thing they call Windows. I have learned that you just have to nod and not argue with them, because it's pointless. For every proof you show them, they will come back with some BS MS FUD. You could be mean, and say the system is easy, it's just that you're so stupid you need to click shit to make a server run... but that wouldn't be good. So do like me, and just don't fight it. I have tried to fight it in the past and it was just pointless and got nowhere. Don't fight Windows fan-boys of any kind. And for the record, Linux fan-boys are just as bad as Windows fan-boys.

The Dumb-asses
OK, so a good Linux/Unix Admin will be jack of all trades when it comes to the computer world. Most will have some basic knowledge of just about everything. I want to explain a situation I ran into a few years back that made my jaw drop and got me so freaking frustrated.

We lost power, and I came in along with our Windows admin at the time to check in on two servers that didn't come up automatically: one Windows and one FreeBSD.

The Windows admin goes to his, and to his surprise the Windows machine is in a reboot loop: BIOS, OS start, reboot, BIOS, OS start, reboot, etc. Basically a file system error had occurred, which was fixed by booting into safe mode and running ScanDisk, I believe.

So we go to my machine and its hung at the BIOS level. I turn it off and turn it back on, same thing. Right after the memory count, and before the SCSI initialization it hard locks. Hrmm, that's weird. I show Windows Admin who laughs at me. This is how the conversation went:

Win Admin: Damn unstable Linux, if that thing was running Windows you would have been able to easily fix it.
Me: Huh? (Keep in mind, this guy has A+ certification, so he should know how a computer works.)
Win Admin: System won't even start to boot, Linux really bit the dust that time, ha ha.
Me: Hey smart guy, you are aware that it hasn't even tried to touch the Master Boot Sector?
Win Admin: Like I know that Linux crap, you don't have to worry about that crap in Windows.
Me: OMG (I start laughing).
Win Admin: What's so funny?
Me: Let me get this straight, you're A+ certified, correct?
I then went on to explain that the issue was not at the OS level but at the hardware level. And I also taught him what the master boot record was.

Now, not all Windows admins are this way, but in my experience most of them don't know half as much about OSes or hardware as your average Unix/Linux user. So keep this in mind. We are a rare breed in a dumbed-down world. Don't blame the Windows admins; blame MS for making crappy and un-open software so they can make money off of businesses (anyone and their dog could get MS certified).

07 January 2006

Behind the magic curtain

Next week Steve Jobs of Apple will grab media attention with another simple-looking stage show. Mike Evangelist tells the insider secrets of his gruelling preparation

Thursday January 5, 2006
The Guardian

If the chief executive of Cadbury-Schweppes speaks at a conference, or Nike's boss introduces a new kind of trainer, you might expect to see it covered in specialist magazines, then quickly forgotten. But on Tuesday a chief executive will stand up and announce something, and within minutes it will be scrutinised across the web and on stockbrokers' computers. It will be in newspapers. They'll talk about it for months.

That chief executive is Steve Jobs, and I know why that speech makes an impact. To a casual observer it is just a guy in a black shirt and jeans talking about some new technology products. But it is in fact an incredibly complex and sophisticated blend of sales pitch, product demonstration and corporate cheerleading, with a dash of religious revival thrown in for good measure. It represents weeks of work, precise orchestration and intense pressure for the scores of people who collectively make up the "man behind the curtain". I know, because I've been there, first as part of the preparation team and later on stage with Steve.

Objectively, Apple Computer is a mid-sized company with a tiny share of its primary market. Apple Macintoshes are only rarely seen in corporate environments, and most software companies don't even offer Apple-compatible versions of their products. To put it another way, Apple is just a bit larger than Cadbury-Schweppes and about the same size as Nike or Marks and Spencer in terms of annual sales.

Such comparisons come up short in trying to describe Apple's place in the world of business, because they leave out a key factor: Steve Jobs. That's something only one other company - the filmmaker Pixar - can claim. He's the closest thing to a rock star you will find in the world of business.

When Apple announces something new, people pay attention. This is due, in large measure, to Steve and the way he delivers Apple's messages. His preferred method of making major product announcements is at one of his public presentations, or "keynotes" as they are called inside the company.

Steve starts his preparation for a keynote weeks in advance, reviewing all the products and technologies he might include. Although development and release schedules are set far in advance, he still has to satisfy himself that the chosen products are keynote-ready. For software, this can be hard to decide: the engineering work is usually still underway, so he will make a preliminary determination based on seeing unfinished software. More than once this has caused some tense moments in rehearsal when programs haven't behaved.

Baptism of fire

My first experience of this preparation came in the runup to the Macworld Expo keynote of January 2001, which was to include new Macs able to burn DVDs - then an amazing capability. Steve wanted to show off the new software, iDVD, that could do it. As I was the product manager for Apple's DVD software, I had to organise everything that Steve would need.

The team and I spent hundreds of hours preparing for a segment that lasted about five minutes. Several weeks earlier Steve summoned me to demo the software, and highlight what I thought were its most interesting aspects. Of course he already knew most of this, but the process was still useful. He used the key points from these demos to mould his overall presentation and decide how much time each product would get.

Next, my team was given the task of locating movies, photos and music to be used when he created his sample DVD on stage. Most companies would just choose some clip art, or hire a video producer to make some simulated "home movies". Steve wanted material that looked great, yet was possible for an average person to achieve. So we called on everyone we knew at Apple to submit their best home movies and snapshots. Before long we had an amazing collection of fun, cool and heartwarming videos and photos. My team picked the best and confidently presented them to Steve. True to his reputation as a perfectionist, he hated most of them. We repeated that process several times. At the time I thought he was being unreasonable; but I had to admit that the material we ended up with was much better than what we had begun with.

Then came the process of the demo itself: what precise steps Steve should follow, whether the program should already be running on the computer, what sample movies to play, everything.

With the demo set, my role was to stand by in case of technical problems with the software, or if Steve wanted to change anything. This gave me the opportunity to observe what was going on around me. The big keynotes require a very large crew with separate teams for each major task. One prepares the room to seat several thousand people. Another group builds the stage with its motorised pedestals, risers, trap doors, and so forth. A third manages the stage lighting, audio and effects.

Yet another sets up and calibrates the state-of-the-art projection systems (complete with redundant backup systems), and a huge remote video truck parked outside has its own crew handling video feeds for the webcasts and playback of any video needed during the show. Then there are the people who set up all the computers used in the keynote, each with at least one backup that can be instantly brought online with the flick of a switch.

And of course there's the secrecy. The impact of Steve's presentations depends on surprise; so once the rehearsals begin, security people help keep the curious out and the secrets secret. It was fascinating to watch. No detail was overlooked: for example, while rehearsing the iDVD demo, Steve found that the DVD player's remote control didn't work from where he wanted to stand on the stage. The crew had to make a special repeater system to make it work.

So when Steve steps out on that stage, with its stark black-on-black colour scheme, and does his apparently simple demos, he brings the combined energy and talent of all those people and many more back in Cupertino, California, and channels it to the audience. It makes me think of a magnifying glass used to focus the power of the sun on one small spot until it bursts into flames.

Fast forward a year; much to my surprise I was asked to do a demo in the keynote. And then I really learned about demos. In mid-2001 I had been promoted to manage both the DVD products and Apple's professional video-editing software, Final Cut Pro, a new version of which was to be released in early 2002.

But Steve never does the demos of the pro software; he always relies on someone on the product team more familiar with its features and operation. The job fell to me. It turned out to be my lowest and highest point at Apple.

Steve usually rehearses on the two days before a keynote. On the first day he works on the segments he feels need the most attention. The product managers and engineering managers for each new product are in the room, waiting for their turn. This group also forms Steve's impromptu test audience: he'll often ask for their feedback. He spends a lot of time on his slides, personally writing and designing much of the content, with a little help from Apple's design team.

As each segment of the show is refined, Steve and his producer edit the slides live on a PowerBook so the revised slides can be used immediately. That day Steve was very methodical, going through every aspect of the show. He would test variations of content and flow, looking for the combinations with the most impact. When introducing a major new product, he also liked to show the TV commercial Apple would be using to promote it. Often these had been finished just minutes before rehearsals; Steve would sometimes preview alternate versions to gauge the team's reaction before deciding which to use.

Crunch time

On the day before showtime, things get much more structured, with at least one and sometimes two complete dress rehearsals. Any non-Apple presenters in the keynote take part on the second day (although they cannot be in the room while the secret parts - the unveiling of hot ticket hardware such as a new iPod or laptop - are being rehearsed.) Throughout it all Steve is extremely focused. While we were in that room, all his energy was directed at making this keynote the perfect embodiment of Apple's messages. Steve doesn't give up much of his personality even in rehearsals. He is strictly business, most of the time.

I had worked on my five-minute Final Cut Pro demo for weeks, selecting just the right sample material and honing (I thought) my delivery to a fine edge. My boss and his boss were there for moral support. Steve, as was his custom, sat in the audience. I was very nervous, and having Steve's laser-like attention concentrated on me didn't help. About a minute into the demo, Steve stopped me, saying impatiently, "you gotta get this together or we're going to have to pull this demo from the keynote."

I was devastated. I didn't even know how to respond, or if I should respond. Mercifully my boss and Phil Schiller (Apple's head of marketing, and a frequent keynote presenter) came to my rescue. Over the next few hours they worked with me to polish my demo. More importantly, Phil gave me some great advice: "Those 6,000 Mac fans out there in the hall aren't against you, they're the best friends you can have." The next day at final rehearsal, Steve watched me again. This time he gave it his nod of approval. It felt great; but the real work was yet to be done.

Next morning, as I sat in the front row waiting for my turn on the stage, the full weight of the event hit me. There were several thousand people in the room, and approximately 50,000 watching the webcast. It was the very definition of pressure. Steve started the segment that preceded mine, and my heart started pounding. I felt those hundred thousand eyes all about to be focused on me and feared I would crumble. I had done a bit of public speaking before, but nothing like this.

The assistant producer came over to me to guide me to the stairs at the side of the stage. I stood in the dark, watching Steve put up the slide that introduced me. Just then a wonderful thought hit me; in five minutes the whole thing would be over. If I could only keep going for five minutes I would be fine. I bounced up the stairs and on to the stage, and everything was suddenly OK. The demo worked perfectly, the audience seemed to love the product, and their applause was an incredible adrenaline rush.

When it was over I received many compliments on how well it went, including the one I prize the most, from Steve himself.

In the following months I was on stage for two more keynotes, and each time was incredibly grateful for the apparently harsh treatment Steve had dished out the first time. He forced me to work harder, and in the end I did a much better job than I would have otherwise. I believe it is one of the most important aspects of Steve Jobs's impact on Apple: he has little or no patience for anything but excellence from himself or others.

· Mike Evangelist left Apple in 2002 and is writing a book about his time there, provisionally called Jobs I've Known, live on his site,

05 January 2006

A Naive User's Guide to Running Windows More Securely

Like a lot of people who have worked in the business, I find myself in conversations about computer security with people who are having problems or know people who have problems. I wrote this to save me from explaining the same thing over and over again to different people, and to save them the trouble of having to make notes as we talked. It was meant to be something you could give to a 'naive user' and have them be able to read and follow it more or less unaided, and while not being a complete guide, at least be something that made them more secure than before they got it.

What is the danger?

That a machine will have 'malware' loaded onto it. This will then allow criminals to use it to send spam (often promoting pornography), hack other computers, make it dial up premium rate numbers, or steal information from it, including bank account numbers and passwords. In bad cases bank accounts can be stolen, in extreme cases identity theft is possible. The risks are mainly financial, but if a machine is captured by pornographers, they may also be legal. In the UK, for example, the existence of some kinds of material on a computer is going to be a strict liability offence. The onus is going to be on the holder to prove he/she was not the agent/owner, and it may not be easy.

How bad is it?

Bad and worsening. Here is one example. USA Today, in November 2004, set up 6 machines on the net and observed the results. In two weeks they attracted 306,000 attacks, and an XP SP1 machine was broken into in four minutes. The Denver Post did the same thing in February 2005, and attracted 45,000 attacks in a week. This is the risk from simply being connected. To it, you have to add user actions - unwittingly visiting fraudulent and malicious sites, receiving malicious emails or attachments. There have been 100,000+ Windows viruses, 2,500 Windows spyware releases, and some studies show 80% of home PCs may be infected with spyware broadly defined. The latest thing is Windows rootkits - essentially undetectable infections.

Who is at risk, and from whom?

Anyone connecting to the net with Windows 95, 98, ME, or XP with Service Pack 1 or lower. Broadband makes the risk much greater. Fully up to date versions of XP SP2 are much less at risk. People running Unix based systems (including MacOS and Linux flavours) are much less at risk. People running firewalls are also much less at risk.

Basically, connect Windows XP SP1, 98 or 95 to the net without a firewall, and the evidence is, you'll likely be hacked within an hour. You are almost certain to get infected if you (or your children) use music sharing software, or if you agree to download and install software as a condition for free access to some kinds of services. Downloading ring tones for mobiles is a common source of infection. Downloading bootleg software (so called warez) is another.

You can find out how secure your machine is to some kinds of attacks by going to Steve Gibson's Shields Up site: (go to the Shields Up section) to test the vulnerability of your firewall and system. Recommended. This tells you about liability to incoming attacks. Leak Test, from the same site, will tell you whether your firewall protects from outbound leakage.

The perpetrators are mostly criminals in it for profit. The days of the amateur teenage hacker in a suburban bedroom are over.

If I follow these recommendations am I safe?

No. You are safer. You are still running an Operating System with a proven record of security faults in a network environment. And this guide is not a complete account of the subject.

Are there alternatives to these recommendations?

Yes. Plan B is: go to a Unix based Operating System, like Linux or MacOS or one of the BSDs. Here are some thoughts on this one.

It helps because there has been far less malware. Probably under 50 real viruses for both MacOS and Linux, and even fewer for commercial Unix. Spyware is so far unknown (according to Webroot).

Linux or BSD will run on your existing machine side by side with Windows. It is also free, so this is the cheapest of the Plans B. However, don't try moving to Linux or a BSD without help. Your helper should agree to be available for support for six months after the installation. MacOS, which is similarly or maybe more secure, and also Unix based, one probably can do unaided. But you need a whole new computer for it, and new versions of your applications, so it gets expensive. The Mac Mini is worth considering if you are tempted.

The best bet in Linux/Unix for the end user is probably PCLinux, available free for download over the net as a single CD iso. Mepis is also very good. Either will come, free, with all the applications you are likely to need, including Office packages. Maybe fewer games than you would like. In BSDs, PCBSD and DesktopBSD are end-user oriented distributions. They are so far a lot less popular than the Linuxes.

How to safeguard Windows? Four rules go a long way.

Rule 1. Use a limited user account for normal work, and for connection to the net. Never connect from an account with administration privileges.

How to do this. Use the Users and Passwords control panel to create a new Administrator account. Reset your current account to limited user. Then only use the Administrator account to manage the system, install software etc, and then sign off. Never connect to the net when signed on as Administrator, except to do Windows Update. Enable privacy between user accounts, and have separate user accounts for everyone who uses the computer. Make a separate dedicated limited user account for shopping & banking.

Why this helps. Any attacks made on you while on the net will have the same privileges as the account you signed on with. (There have been some exceptions, but this is mostly true for up-to-date systems.) Administrator accounts can do anything at all to the system. Limited user accounts can do relatively little. Signing on as a limited user restricts the attacker's options. Microsoft's default on this is for you to sign on as administrator. It is as if, in a hotel, every guest key opened all guest rooms and the main safe, kitchen and boiler room as well. Change it.

Note 1: Windows 9x has only one account, so this won't work with 95 or 98 or ME. Either upgrade to XP, though it's not simple, or consider buying Anti-Executable from Faronics. Learn to use it to lock down your machine. Note that I have not used this package - the recommendation comes from the product specification, user guide, and testimonials. Also use ZoneAlarm (below) to disconnect from Broadband when not actively using it.

Note 2: Some older software, and all CD burning software, will have problems running as a limited user. Use the 'run as' function (right click on the program icon) to run them as Administrator.
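Rule 1 above describes the procedure through the XP control panel. As an added example, not part of the original guide, here is the same procedure scripted for a current Windows (10/11 or Server 2016 and later, which ship the Microsoft.PowerShell.LocalAccounts cmdlets). The account name LocalAdmin and the Demote switch are assumptions of this script; it must be run from an elevated prompt, and the demotion step is deliberately opt-in so that you verify you can sign in with the new administrator account before you lock yourself out of the old one.

```powershell
# Added example (not from the original guide): scripted version of Rule 1.
# Assumptions: Windows 10/11 or Server 2016+, elevated PowerShell session,
# account names below are placeholders you change to suit.
param(
    [string]$AdminName = 'LocalAdmin',   # assumed name for the new admin-only account
    [switch]$Demote                      # only pass this once the new account is verified
)

$dailyName = $env:USERNAME               # the account you use every day

# 1. Refuse to run unless elevated: changing group membership needs admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 2. Create the dedicated administrator account if it does not exist yet.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $AdminName" -AsSecureString
    New-LocalUser -Name $AdminName -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
    Write-Host "Created $AdminName. Sign in with it once, then rerun with -Demote."
}

# 3. Demote the everyday account to a limited (standard) user.
#    Every local account is already in 'Users', so only the removal matters.
if ($Demote) {
    $isAdmin = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $_.Name -like "*\$dailyName" }
    if ($isAdmin) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $dailyName
        Write-Host "$dailyName is now a limited user. Sign out for it to take effect."
    }
}

# 4. Show who is left in Administrators so the result can be checked.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

The two-pass design (create first, demote on a second run) is the safeguard a practitioner would insist on: the one account that can still administer the machine must be proven to work before the everyday account loses its rights. Note 2's 'run as' advice has the same shape in PowerShell: Start-Process with -Verb RunAs launches a single program elevated without signing the whole session on as Administrator.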

Rule 2. Connect to Broadband via an ADSL Router, never just an ADSL modem.

How to do this. Either ask your provider to supply Broadband with an ADSL Router, or buy a combined modem/router yourself (cheapest by mail order). Make sure you have the right PC ports to connect it up and that you get cables. If you have a choice, use an Ethernet connection, in preference to USB. Find out how to address the hardware firewall it will have in it, and set it to high protection if it isn't already.

Why this helps. If you just connect via a modem, your machine will be visible to hackers worldwide. If you use a Router, it will use a private address for your machine, and the only thing visible on the net will be the Router (a much harder target). If you set the hardware firewall to high, the router also will be invisible.
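The test of whether Rule 2 is actually in effect is the address on the PC's own network adapter: behind a router it is a private (RFC 1918) address that is not routable from the Internet, whereas a modem alone hands the PC a public address. The following is an added example, not part of the original guide, written for a current Windows (Get-NetIPAddress needs Windows 8 / Server 2012 or later); the function name and the decision to treat only the three RFC 1918 blocks as "private" are its own assumptions.

```powershell
# Added example (not from the original guide): report whether each IPv4
# address on this PC is private (behind a NAT router) or public (directly
# reachable from the Internet). Assumption: only 10/8, 172.16/12 and
# 192.168/16 count as private; carrier-grade NAT (100.64/10) is not handled.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $octets = @($Address.Split('.') | ForEach-Object { [int]$_ })
    if ($octets.Count -ne 4) { return $false }
    return (($octets[0] -eq 10) -or
            ($octets[0] -eq 172 -and $octets[1] -ge 16 -and $octets[1] -le 31) -or
            ($octets[0] -eq 192 -and $octets[1] -eq 168))
}

Get-NetIPAddress -AddressFamily IPv4 |
    # Skip loopback and the 169.254.x.x addresses Windows assigns when DHCP fails.
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and $_.IPAddress -notlike '169.254.*' } |
    ForEach-Object {
        $status = if (Test-PrivateIPv4 -Address $_.IPAddress) {
            'private address: behind a router'
        } else {
            'PUBLIC address: this PC is directly exposed'
        }
        '{0,-30} {1,-16} {2}' -f $_.InterfaceAlias, $_.IPAddress, $status
    }
```

A public address on the adapter means the router is either absent or bridged, and the PC, not the router, is what the scans described at the top of this page will find. A private address confirms the router is doing the address translation the rule relies on; it does not by itself confirm that the router's firewall is set to high, which still has to be checked in the router's own interface.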

Rule 3: Only use secure software.

This falls into three parts.

First, don't use the chronically insecure Microsoft Explorer and Outlook; get (free) Mozilla Firefox (Web) and Mozilla Thunderbird (Email). Also get the Firefox Spoofstick plugin and Adblock to guard against phishing. One or two UK banks require Explorer, and firewalls off. Avoid them. Use Mailwasher to screen and delete unwanted mail on the server.

Second, get the following:

ZoneAlarm is a free software firewall. You do need this as well as the router hardware firewall. Replace the weak XP built in firewall with it. Use it to disconnect from the net when inactive, and to control outbound traffic from applications.

AVG is a free anti-virus package (Kaspersky and McAfee are also very good, paid packages). Update at every connection.

AdAware & Spybot Search and Destroy are free anti-spyware packages. Get both, and update at least weekly. Microsoft's own anti-spyware package is free and highly rated. Webroot's Spysweeper is a paid, well regarded package, as is Pestpatrol. One anti spyware package is definitely not enough. Find all these by using Google, or on Tucows. Also, install SpywareBlaster for real time protection, but still sweep with the others weekly.

If you are going to use Anti-Executable, I wouldn't rely solely on these scans to clean up the system first; I would do a clean Windows reinstall, as explained later.

WinPatrol is also highly rated, and protects against some system parameter changes.

Third, keep Windows up to date using the Windows Update control. You'll have to sign on with an account with admin privileges. Check out the SANS Institute Internet Storm Center's 'Windows XP, Surviving the First Day' for instructions on doing this safely - find it using Google. This helps because security updates for Windows come out often, as more holes are discovered and exploited. The quicker you get them in, the shorter the time you are at risk.

One should also disable insecure Windows services, as Greene's book (below) explains. And never install anything when prompted to do so by a web site or email.

Rule 4: Keep as much personal information as possible off the machine, on paper.

Never have your browser remember passwords or logon information. Never keep NIS numbers, passport numbers, driver's licence numbers, bank account numbers or branch addresses on disk. Never use Quicken or MS Money to connect to your bank to download data. Never dispose of a PC with a hard drive in it: take out the drive first, and destroy hard drives before disposal.

If you have children, have a dedicated machine for gaming, music downloads, chat etc, keep no personal data whatever on it, and if you allow it to share the Broadband connection, firewall it off totally from the other machines. Consider using Anti-Executable or even DeepFreeze (also Faronics) on it. All this will be fairly technical, and will probably require professional help. It will be worth it.

Microsoft has just published the 'Shared Computer Toolkit' for making a machine safe for multiple users in a walkup environment. Professional help will probably be needed to install and use this, and it may be overkill for home users.


Thomas Greene's book 'Internet Security for the Home and Small Office', is essential reading if you ever use Windows on the net, dialup or broadband, to bank or shop. Get it (from Amazon). Clear, detailed (lots of screen shots) how-to on hardening Windows. It explains how to disable insecure Windows services, which is a must, but which is too big a topic for these pages. Steve Gibson's site, see previous page, is worth a visit. Secunia and SecurityFocus are very good but technical. has lots of good links and clear explanations.

How to know if your machine is infected, and what to do.

You'll know because of slowdowns, crashes or unpredictable behaviour, especially of Explorer or Outlook, or because scans with anti-virus or anti-spyware software tell you of infections. You may find lots of popups appearing, or find yourself on sites you have not clicked on. Your internet connection may be very active when you are not doing anything. Your ISP or other people may tell you your machine is sending spam. Trying to find out what is going on with Ctrl-Alt-Delete may no longer let you examine running processes.

Take this very seriously and do not bank or shop online until fixed.
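Two of the symptoms above, a connection that is busy while you are idle and reports that your machine is sending spam, can be turned into a concrete check of what the PC is actually talking to. The following is an added example, not part of the original guide: it reads netstat -ano output and flags established outbound connections to ports a home PC has no business using. The sample lines are constructed for illustration, and the list of suspect ports is this example's own assumption (direct SMTP delivery and IRC, the spam and bot-control channels of the period the page describes).

```powershell
# Added example (not from the original guide): flag outbound connections a
# home PC should not be making, from netstat -ano output. The port list is
# an assumption; extend it to taste. IPv4 lines only (IPv6 uses [addr]:port).
$suspectPorts = @{
    25   = 'SMTP: a home PC should not deliver mail directly (spam bot)'
    6667 = 'IRC: classic bot command-and-control channel'
    6668 = 'IRC: classic bot command-and-control channel'
}

function Find-SuspectConnections {
    param([Parameter(Mandatory)][string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        # Columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { continue }
        $remoteHost, $remotePort = $f[2] -split ':'
        if ($remoteHost -eq '127.0.0.1') { continue }
        $port = [int]$remotePort
        if (-not $suspectPorts.ContainsKey($port)) { continue }
        # Resolve the owning process; sample PIDs will not exist on your machine.
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '(no such process here)' }
        [pscustomobject]@{
            Remote  = $f[2]
            PID     = [int]$f[4]
            Process = $name
            Why     = $suspectPorts[$port]
        }
    }
}

# Constructed sample: one normal browser session, two connections that
# match the spam and bot-control patterns, and a listening socket to ignore.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49201     203.0.113.7:443        ESTABLISHED     1234
  TCP    192.168.1.10:49377     198.51.100.22:25       ESTABLISHED     2048
  TCP    192.168.1.10:49402     198.51.100.9:6667      ESTABLISHED     2048
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
'@ -split "`r?`n"

Find-SuspectConnections -NetstatLines $sample | Format-Table -AutoSize

# Against the live machine (elevated prompt, so that -o can show every PID):
# Find-SuspectConnections -NetstatLines (netstat -ano) | Format-Table -AutoSize
```

Run on the sample, the two lines from PID 2048 are reported and the HTTPS session and the listener are not. On a real machine a hit is a reason to go to the clean-reinstall advice below rather than to trust a scan: the page's point about rootkits is precisely that a compromised Windows may hide the owning process from Task Manager, so the process name this script prints can be blank or misleading on an infected host, while the connection in the router's logs or on another machine cannot be hidden the same way.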

What to do? It used to be a very simple matter: get and run anti-virus software and keep it up to date. No more. In the last year, it has become less and less possible to be sure of having cleaned a badly infected Windows OS that one has booted from. The only method reasonably certain to succeed nowadays is: back up your work files to removable storage, then format and partition the affected hard drives and reinstall Windows, harden it, and then copy back the work files and reinstall software. I would personally do this by buying a new hard drive (Seagate Barracuda) with an OEM copy of XP, and starting from scratch. I would do the data backup by booting from Knoppix or a similar Linux live CD.

Advice. Find a professional and say this is what you want done. If he tells you it is not necessary, and that simply running AdAware etc is enough, well, it may be. But there again, it may not be. The question is, how much do you want to bet?

I would demand (and pay for) a clean install...

Appendix: where does this problem come from?

If you are just trying to keep systems secure, this may seem a bit academic. But people do ask, so here is a very short account. First, to avoid being forced by anti-trust actions to give equal treatment to all browsers, Microsoft, during the 'browser wars', made Explorer part of the Operating System, and also linked Outlook to Explorer. This means it really cannot be removed. But it also means any vulnerability of Explorer or Outlook is a vulnerability of Windows. Second, it's the social culture of Windows use - in particular, the universal practice of signing on with Administrator privileges. This means any infection is automatically a system-wide infection. Third, it's to do with myriad vulnerabilities in the way Windows handles services. As an example, the recent WMF flaw enables graphics, regardless of browser, to carry malicious code. This is because of flaws in the way thumbnails and graphics rendering are done in Windows. RPC (Remote Procedure Calls) is another example.

Bottom line: it is not going to go away any time soon.


I've taken care over this, but it's a very brief guide to a very complicated and rapidly changing subject. I can't be responsible for any inaccuracies or any consequences of following these recommendations. Do not follow them blindly. Verify first, and then use them only as the basis for formulating your own security policy, and arriving at your own list of dos and don'ts.


02 January 2006

100 things we didn't know this time last year

Each week the Magazine picks out snippets from the news, and compiles them into 10 Things We Didn't Know This Time Last Week. Here's an end of year almanac.

1. The UK's first mobile phone call was made 20 years ago this year, when Ernie Wise rang the Vodafone head office, which was then above a curry shop in Newbury.

2. Mohammed is now one of the 20 most popular names for boys born in England and Wales.

3. While it's an offence to drop litter on the pavement, it's not an offence to throw it over someone's garden wall.

4. An average record shop needs to sell at least two copies of a CD per year to make it worth stocking, according to Wired magazine.

5. Nicole Kidman is scared of butterflies. "I jump out of planes, I could be covered in cockroaches, I do all sorts of things, but I just don't like the feel of butterflies' bodies," she says.

6. WD-40 dissolves cocaine - it has been used by a pub landlord to prevent drug-taking in his pub's toilets.

7. Baboons can tell the difference between English and French. Zoo keepers at Port Lympne wild animal park in Kent are having to learn French to communicate with the baboons which had been transferred from Paris zoo.

8. Devout Orthodox Jews are three times as likely to jaywalk as other people, according to an Israeli survey reported in the New Scientist. The researchers say it's possibly because religious people have less fear of death.

9. The energy used to build an average Victorian terrace house would be enough to send a car round the Earth five times, says English Heritage.

10. Humans can be born suffering from a rare condition known as "sirenomelia" or "mermaid syndrome", in which the legs are fused together to resemble the tail of a fish.

11. One in 10 Europeans is allegedly conceived in an Ikea bed.

12. Until the 1940s rhubarb was considered a vegetable. It became a fruit when US customs officials, baffled by the foreign food, decided it should be classified according to the way it was eaten.

13. Prince Charles broke with an 80-year tradition by giving Camilla Parker Bowles a wedding ring fashioned from Cornish gold, instead of the nugget of Welsh gold that has provided rings for all royal brides and grooms since 1923.

14. It's possible for a human to blow up balloons via the ear. A 55-year-old factory worker from China reportedly discovered 20 years ago that air leaked from his ears, and he can now inflate balloons and blow out candles.

15. Lionesses like their males to be deep brunettes.

16. The London borough of Westminster has an average of 20 pieces of chewing gum for every square metre of pavement.

17. Bosses at Madame Tussauds spent £10,000 separating the models of Brad Pitt and Jennifer Aniston when they separated. It was the first time the museum had two people's waxworks joined together.

18. If all the Smarties eaten in one year were laid end to end it would equal almost 63,380 miles, more than two-and-a-half times around the Earth's equator.

19. The = sign was invented by 16th Century Welsh mathematician Robert Recorde, who was fed up with writing "is equal to" in his equations. He chose the two lines because "noe 2 thynges can be moare equalle".

20. The Queen has never been on a computer, she told Bill Gates as she awarded him an honorary knighthood.

21. One person in four has had their identity stolen or knows someone who has.

22. The length of a man's fingers can reveal how physically aggressive he is, scientists say.

23. In America it's possible to subpoena a dog.

24. The 71m packets of biscuits sold annually by United Biscuits, owner of McVitie's, generate 127.8 tonnes of crumbs.

25. Nelson probably had a broad Norfolk accent.

26. One in four people does not know 192, the old number for directory inquiries in the UK, has been abolished.

27. Only in France and California are under 18s banned from using sunbeds.

28. The British buy the most compact discs in the world - an average of 3.2 per year, compared to 2.8 in the US and 2.1 in France.

29. When faced with danger, the octopus can wrap six of its legs around its head to disguise itself as a fallen coconut shell and escape by walking backwards on the other two legs, scientists discovered.

30. There are an estimated 1,000 people in the UK in a persistent vegetative state.

31. Train passengers in the UK waited a total of 11.5m minutes in 2004 for delayed services.

32. "Restaurant" is the most mis-spelled word in search engines.

33. Chelsea boss Jose Mourinho has only been in an English pub once, to buy his wife cigarettes.

34. The Little Britain wheelchair sketch with Lou and Andy was inspired by Lou Reed and Andy Warhol.

35. The name Lego came from two Danish words "leg godt", meaning "play well". It also means "I put together" in Latin.

36. The average employee spends 14 working days a year on personal e-mails, phone calls and web browsing, outside official breaks, according to employment analysts Captor.

37. Cyclist Lance Armstrong's heart is almost a third larger than the average man's.

38. Nasa boss Michael Griffin has seven university degrees: a bachelor's degree, a PhD, and five masters degrees.

39. Australians host barbecues at polling stations on general election days.

40. An average Briton will spend £1,537,380 during his or her lifetime, a survey from insurer Prudential suggests.

41. Tactically, the best Monopoly properties to buy are the orange ones: Vine Street, Marlborough Street and Bow Street.

42. Britain's smallest church, near Malmesbury, Wiltshire, opens just once a year. It measures 4m by 3.6m and has one pew.

43. The spiciness of sauces is measured in Scoville Units.

44. Rubber gloves could save you from lightning.

45. C3PO and R2D2 do not speak to each other off-camera because the actors don't get on.

46. Driving at 159mph - reached by the police driver cleared of speeding - it would take nearly a third of a mile to stop.

47. Liverpool has 42 cranes redeveloping the city centre.

48. A quarter of the world's clematis come from one Guernsey nursery, where production will top 4.5m plants this year alone.

49. Tim Henman has a tennis court at his new home in Oxfordshire which he has never used.

50. Only 36% of the world's newspapers are tabloid.

51. Parking wardens walk about 15 miles a day.

52. You're 10 times more likely to be bitten by a human than a rat.

53. It takes 75kg of raw materials to make a mobile phone.

54. Deep Throat is reportedly the most profitable film ever. It was made for $25,000 (£13,700) and has grossed more than $600m.

55. Antony Worrall-Thompson swam the English Channel in his youth.

56. The Pyruvate Scale measures pungency in onions and garlic. It's named after the acid in onions which makes cooks cry when cutting them.

57. The man who was the voice of one of the original Daleks, Roy Skelton, also did the voices for George and Zippy in Rainbow.

58. The average guest at a Buckingham Palace garden party scoffs 14 cakes, sandwiches, scones and ice-cream, according to royal accounts.

59. Oliver Twist is very popular in China, where its title is translated as Foggy City Orphan.

60. Newborn dolphins and killer whales don't sleep for a month, according to research carried out by University of California.

61. You can bet on your own death.

62. MPs use communal hairbrushes in the washrooms of the Houses of Parliament.

63. It takes less energy to import a tomato from Spain than to grow them in this country because of the artificial heat needed, according to Defra.

64. New York mayor Michael Bloomberg's home number is listed by directory inquiries.

65. Actor James Doohan, who played Scotty, had a hand in creating the Klingon language that was used in the movies, and which Shakespeare plays were subsequently translated into.

66. The hotter it is, the more difficult it is for aeroplanes to take off. Air passengers in Nevada, where temperatures have reached 120F, have been told they can't fly.

67. Giant squid eat each other - especially during sex.

68. The Very Hungry Caterpillar has sold one copy every minute since its 1969 publication.

69. First-born children are less creative but more stable, while last-born are more promiscuous, says US research.

70. Reebok, which is being bought by Adidas, traces its history back more than 100 years to Bolton.

71. Jimi Hendrix pretended to be gay to be discharged from the US Army.

72. A towel doesn't legally reserve a sun lounger - and there is nothing in German or Spanish law to stop other holidaymakers removing those left on vacant seats.

73. One in six children think that broccoli is a baby tree.

74. It takes a gallon of oil to make three fake fur coats.

75. Each successive monarch faces in a different direction on British coins.

76. The day when most suicides occurred in the UK between 1993 and 2002 was 1 January, 2000.

77. The only day in that time when no-one killed themselves was 16 March, 2001, the day Comic Relief viewers saw Jack Dee win Celebrity Big Brother.

78. One in 18 people has a third nipple.

79. The section of coast around Cleethorpes has the highest concentration of caravans in Europe.

80. Fifty-seven Bic Biros are sold every second - amounting to 100bn since 1950.

81. George Bernard Shaw named his shed after the UK capital so that when visitors called they could be told he was away in London.

82. Former Labour MP Oona King's aunt is agony aunt Miriam Stoppard.

83. Britain produces 700 regional cheeses, more even than France.

84. The actor who plays Mike Tucker in BBC Radio 4's The Archers is the father of the actor who plays Will Grundy.

85. Japanese knotweed can grow from a piece of root the size of pea. And it can flourish anew if disturbed after lying dormant for more than 20 years.

86. Hecklers are so-called because of militant textile workers in Dundee.

87. Pulling your foot out of quicksand takes a force equivalent to that needed to lift a medium-sized car.

88. A single "mother" spud from southern Peru gave rise to all the varieties of potato eaten today, scientists have learned.

89. Spanish Flu, the epidemic that killed 50 million people in 1918/9, was known as French Flu in Spain.

90. Ordinary - not avian - flu kills about 12,000 people in the UK every winter.

91. Croydon has more CCTV cameras than New York.

92. You are 176 times more likely to be murdered than to win the National Lottery.

93. Koalas have fingerprints exactly like humans (although obviously smaller).

94. Bill Gates does not have an iPod.

95. The first traffic cones were used in building Preston bypass in the late 1950s, replacing red lantern paraffin burners.

96. Britons buy about one million pumpkins for Halloween, 99% of which are used for lanterns rather than for eating.

97. The mother of stocky cricketer - and this year's Strictly Come Dancing champion - Darren Gough was a ballet dancer. She helped him with his pivots.

98. Nettles growing on land where bodies are buried will reach a foot higher than those growing elsewhere.

99. The Japanese word "chokuegambo" describes the wish that there were more designer-brand shops on a given street.

100. Musical instrument shops must pay an annual royalty to cover shoppers who perform a recognisable riff before they buy, thereby making a "public performance".