Nine must-have freeware apps rise to the top
In this issue
- INTRODUCTION: Microsoft exec loses his cool on Vista upgrades
- TOP STORY: Nine must-have freeware apps rise to the top
- KNOWN ISSUES: Keep malvertisements from infecting your PC
- WACKY WEB WEEK: A new twist on table manners
- WOODY'S WINDOWS: How Firefox 3 blocks bad sites better
- PERIMETER SCAN: Detect zombie PCs by sniffing your network
- PATCH WATCH: Finally, here comes XP Service Pack 3
Microsoft exec loses his cool on Vista upgrades
By Brian Livingston
Scott Dunn was the first journalist to reveal on Apr. 3, 2008, that Vista Service Pack 1 allows its “upgrade edition” to be clean-installed just like its “full edition.”
This is a feature that hasn’t changed in Vista since I described it back on Feb. 1, 2007. The fact that the trick still exists in SP1 — more than one year later — is strong evidence that at least some high Microsoft officials wanted it left in.
I added details in an Apr. 10, 2008, column. I reported that Microsoft Knowledge Base article 930985, which says Vista itself is a “compliant version” for a clean install, has recommended the procedure since March 2007 with no indication that this is a violation of any end-user license agreement (EULA).
Both Scott and I quoted Microsoft spokespersons who stated that clean-installing the upgrade edition of Vista without having previously purchased a licensed copy of Windows 2000, XP, or 2003 violated Vista’s EULA. Unfortunately, only low-level PR representatives had responded to Scott’s requests for comment, and Microsoft prohibits these reps from being identified by name.
Finally, a Microsoft executive made an on-the-record comment about Vista’s clean-install trick, and it was a doozy. An article by Jason Mick in Daily Tech reported on Apr. 16 that Eric Ligman, senior manager for Microsoft Partners, had offered on his blog a “raving retort”:
- “Just because something will install does not make it legal. For example, a pirated piece of software will (usually) physically install; however, running pirated software is 100% illegal (and who knows what else it will install on or do to your computer). If you don’t believe me, try calling 888-NO-PIRACY and letting them know that you are running pirated software throughout your company.”
Wow, that’s harsh. Let us be clear what piracy means: hackers who mass-produce Windows and distribute it with no payment to Microsoft. Neither Scott nor I have ever advocated piracy.
The clean-install trick requires that an end user pay for a licensed, retail copy of Windows Vista — not a free, hacker copy. One comment posted by Matthew P. on Eric’s blog provides a perfect example of a legitimate reason to use the clean-install method:
- “I bought Vista. The ‘loophole’ in question was the only way I could get Vista to install. When I (down)graded to Vista, it was completely unstable and many things didn’t work. Rather than reloading my ghosted XP and trying for a third time, I went ahead and used this workaround. I have a legal, purchased OEM Windows XP Home that had only ever been run on this machine.”
Some Microsoft executives would say that Matthew had violated the Vista EULA because XP was not running when the Vista upgrade was installed, as is normally required. Do I think that what Matthew did is piracy? Of course not. (My response to Eric’s comments was reported by Channel Web and Daily Tech, among others.)
Stretching the term “piracy” to besmirch individuals who’ve paid for a retail copy of Vista — and are doing what the Knowledge Base recommends to solve a problem — renders the word meaningless. Implying that the Business Software Alliance, which operates 888-NO-PIRACY, would harass people who happened to install a paid-up copy of Vista in a certain way borders on hysteria.
I’d guess that about 99% of Windows Secrets readers have at some point purchased a legitimate copy of Windows 2000, XP, or 2003. These people are unquestionably entitled to purchase and use the upgrade edition of Vista. But buying a retail package of Vista would be a silly way to try to save money.
Scott has reported several times — most recently on May 24, 2007 — that Microsoft sells so-called OEM versions of Vista for much less than retail copies. His article demonstrated that individuals who are building a single PC can clearly buy OEM software under Microsoft’s current rules. In an article on Apr. 26, 2007, Scott showed that OEM full editions of Vista cost about one-fourth less than retail upgrade editions.
It’s ridiculous to label as “pirates” people who buy Vista at the retail price and then use a built-in feature as recommended by the Knowledge Base. The whole controversy was best put into perspective by Lance Ulanoff, editor-in-chief of PC Magazine, who wrote a response to the flap on Apr. 17:
- “Looking at the comments, it’s obvious that [Microsoft reseller] partners are dealing with a wave of rejection. It’s not all about price, either. They can’t seem to get current customers to upgrade to Microsoft’s latest OS, and some of them do not have much faith in Vista, anyway:
” ‘I think the real issue is, why bother installing Vista at all? What does it give me over XP? You stripped most of the features out that we were looking forward to before RTM, so this isn’t much more than a slower, prettier XP. Meh. I’ll be waiting for Windows 7. Hopefully, Microsoft gets that right,’ remarked one in a blog comment.
“This is from someone who’s supposed to be out in the field representing Microsoft’s products.”
Let me restate the obvious. If you work for a corporation, you’ll get the best price for Windows by buying it through Microsoft’s volume-licensing program. If you’re an individual, you’ll get the best price through Microsoft’s one-unit OEM sales program (which includes no support, as Scott explained).
Vista’s upgrade trick is not a way to “steal” the operating system. The series of dialog boxes we’ve described was programmed in by Microsoft developers because there are legitimate cases in which a clean install is best for security and stability.
The disconnect between Vista developers, who included the trick, and Redmond’s top executives, who rail against its use, is newsworthy. Furthermore, this is an important feature of Vista that legitimate Windows users have a right to know about. It’s our job as journalists to report the facts and let you decide for yourself.
At this point, I’d like to call on Eric Ligman and other Microsoft execs to calm down and give us some assurances. Promise us that the clean-install method will still work when you release Vista Service Pack 2 and all future upgrades to Vista. The trick has a valid reason to be in there. The developers who work for your company put it in there for that purpose. Your developers aren’t supporting piracy. They’re trying to make your products usable, whatever situation a user may run into.
Former PC World editor joins Windows Secrets
The roster of printed magazines continues to shrink, while the world of online publications keeps growing and growing.
There’s evidence of that close to home, as Windows Secrets has attracted a top editor who, until recently, was producing the dead-trees version of PC World magazine.
I have nothing against print publications, mind you. I myself was a contributing editor of PC World for two years, writing a monthly column in the ’90s. It’s just that the action in publishing today has moved online.
Dennis O’Reilly (left) has agreed to become the technical editor of Windows Secrets, effective immediately. He’s already working with me to sharpen our writing on Windows. He’ll soon begin sending you his insights via our Known Issues column and elsewhere on our site.
Dennis edited PC World from early 2000 through December 2007, ending with the title of senior associate editor. In that capacity, he oversaw the magazine’s general reporting and its award-winning Here’s How section. Among other chores, he edited a monthly column in that section that’s been written for years by our associate editor, Scott Dunn.
Financial pressures have been widely reported as causing staff reductions at PC World, but Dennis left voluntarily to better express his creativity online. CNET, the influential tech site, earlier this year gave him an office-tips blog entitled Workers’ Edge, where Dennis posts as often as he can. Windows Secrets will keep him busy the rest of the time.
Prior to PC World, Dennis was a senior editor of Ziff Davis’s Computer Select subscription service from 1985 to early 2000. (He is no relation to Tim O’Reilly, the founder of O’Reilly Media, which produces books and conferences.)
We’re all proud that someone with Dennis’s experience will be polishing our work, and I hope you’ll enjoy his writing, too.
Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
Nine must-have freeware apps rise to the top
By Scott Dunn
The “best freeware” lists published by Web sites and magazines frequently trumpet dozens of programs, but the results reflect the subjective opinions of just one or two testers. To find the best of the best, I compared roundups of “great” freeware conducted recently by four reputable publications to find the programs that were endorsed by at least three of the reviews.
Only a few freebies win multiple accolades
Nearly any free program can impress one or two people, but an application has to be truly worthwhile to pass muster when tested by several different independent organizations.
To reduce the subjectivity of a single software review, I selected the repeat winners from the most recent (or recently updated) “best freeware” lists posted by these sources:
- “25 Free Downloads You Need Now” from the May 2008 issue of Computer Shopper.
- “101 Fantastic Freebies” from the May 2008 issue of PC World.
- “The Best Free Software” from the March 2008 issue of PC Magazine.
- “46 Best-ever Freeware Utilities,” and “The Extended List — 71 Additional Best-ever Freebies” updated in April and March, respectively, by Gizmo’s Tech Support Alert site. (Note that the extended list is available only to the service’s paid subscribers.)
Security apps and system tools get multiple nods
Despite the hundreds of products covered by the four lists, the overlap is surprisingly small. Only nine products were endorsed by at least three of the publications. I haven’t tested these programs, but Windows Secrets editors are very familiar with them and can state without equivocation that they do indeed belong on this list.
I limited my selection to downloadable software and excluded the best-reviewed online services, which I’ll cover in a future column.
Here’s the consensus of the freeware reviewers:
Avira AntiVir Personal
You’ll probably never see the freeware version of an antivirus program outrank its commercial counterpart in a software roundup, but Avira’s AntiVir gives other fee-based antivirus apps a run for their money. The program receives high marks for its malware detection rates and its ability to take on rootkit viruses. The main disadvantage cited by reviewers is that the free version of AntiVir doesn’t scan incoming e-mail. However, the program does scan e-mail attachments after you’ve saved them, and it detects malware if you open an infected e-mail.
Comodo Firewall Pro
More thorough than the firewalls built into Windows XP and Vista, Comodo comes with a long whitelist of safe sites, which you can add to as you surf. Reviewers call it “tough” and “robust” in protecting your system, but they add that the product is a little complicated for novices, so do your homework before you tweak Comodo’s settings. (In his Apr. 17 column, Mark Joseph Edwards describes the high marks Comodo received in independent tests of personal firewalls.)
TrueCrypt
When it comes to protecting your data from prying eyes, TrueCrypt gets the nod from multiple reviewers. This open-source program can create encrypted files that appear as disk drives in Windows Explorer and other file managers. TrueCrypt also lets you encrypt an entire drive (such as a USB flash drive), a drive partition, and — for extra safety — hidden drive volumes.
Figure 1: Keep your files safe by using the free TrueCrypt utility.
CCleaner
Of the hundreds of products on the lists I examined, only Piriform’s CCleaner was recommended by all four of the freeware roundups. CCleaner scrubs your system by removing temp files, cookies, browsing history, recent-document lists, log files in the Recycle Bin, and a lot of other digital detritus. The utility can also be used to uninstall applications and scan for orphaned and unused Registry entries.
Lightning for Thunderbird
The Mozilla Foundation’s free Thunderbird e-mail program is great, but it lacks Microsoft Outlook’s calendar and to-do list. The solution is Lightning, a plug-in from Mozilla that combines the foundation’s Sunbird calendar program with Thunderbird’s e-mail features. (If you don’t use Thunderbird, Sunbird can be downloaded as a free, standalone tool.)
Foxit Reader
If you’re one of the many people who consider the Adobe Reader PDF viewer too slow and bloated, consider Foxit Reader. Reviewers found it to be much faster than Reader, and they note that Foxit provides more options for viewing, printing, and annotating PDFs. You can even use Foxit to fill out PDF forms.
Audacity
You don’t need to spend your hard-earned money on a commercial audio program to record or edit music or other sounds for use in a presentation or on a Web site. Audacity is an open-source audio editor that supports .mp3, .wav, and other popular audio formats.
Wavosaur
Audacity isn’t the only free sound editor that got the nod from multiple reviewers. Wavosaur also made the cut, and the program has at least one advantage over Audacity: it’s a single executable file, which makes the audio utility easy to run from a USB flash drive. Don’t let Wavosaur’s small size fool you, though; the program has an impressive array of audio-editing features. Note that you may need to download the free Lame Encoder .dll file to allow the program to export to the .mp3 format.
Figure 2: The free Wavosaur sound-editing utility lets you convert audio files to and from various formats.
Pidgin
It’s a royal pain to have to open a different chat application every time you want to keep in touch with someone who uses AIM, Yahoo! Messenger, Windows Live Messenger, or another messaging network. With Pidgin, you can keep all the other chat apps on the shelf. This open-source IM client (formerly called “Gaim”) lets you communicate with users of all the above and a dozen other chat networks.
The ‘best’ is what’s best for you
You may be dismayed that your favorite free program doesn’t appear on this best-of-the-best list. That doesn’t mean it’s not widely valued — some reviewers may simply have wearied of repeatedly mentioning such old freebie standbys as Mozilla’s Firefox browser, the IrfanView graphics viewer, and the WinAmp music player.
Still, the fact that the nine programs on this list are top-rated by several major publications suggests that one or more of them will be useful to you, too.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.
Keep malvertisements from infecting your PC
By Scott Dunn
Some of the Flash ads that crowd your browser are serving up more than just another annoying sales pitch.
Windows Secrets readers suggest simple and free methods for protecting yourself against an onslaught of malware-toting advertisements.
Pull the plug on animations bearing malware
They’re hard to miss: those ubiquitous Web ads bounce and glow and gambol across nearly every page your browser opens. As I reported in last week’s column, a new breed of Flash ads is appearing on sites large and small. These “malvertisements” can infect your PC with viruses or spyware if you simply view the page they’re loaded into. No clicking required.
Protecting yourself against these attack ads entails updating your Flash Player and deactivating Flash and other active Web content on sites you don’t trust. Unfortunately, knowing which sites to trust is nearly impossible.
Reader Elaine Allison writes to point out that even Microsoft-sponsored sites have had problems serving up malvertisements:
- “Microsoft [MSN] Web sites were infected about 18 months ago. [The company] denied it at first, of course (and probably still would). JudyC, manager at the Community Feedback MSN help group, informed MSN about these dodgy ads, and it’s funny how they were all removed very quickly from the group’s pages (without [MSN] acknowledging that the ads were infected).
“Judy had to remove the malware from a number of members’ computers by her sheer determination and expertise. (Community Feedback [was] started by MSN and is now run by [more] knowledgeable members.)”
Turn Flash on and off with IE7Pro
A number of readers offered a recommendation first sent in by Dave:
- “I find that the IE7Pro add-on for Internet Explorer 7 is very valuable for Flash blocking and is useful in several other ways as well. Thanks for all the great info.”
Thanks, Dave. Although installing IE7Pro requires you to restart Internet Explorer 7 when it’s first installed, you can turn Flash animations on and off thereafter without launching a new instance of the browser. Moreover, the program lets you selectively unblock individual Flash animations on a single Web page.
This free add-on for IE 7 adds a number of other useful features to the browser, including tab management, spell checking, and crash recovery.
If you don’t want to create separate profiles for Firefox, Mark Henn has an easier solution:
- “One potential solution you left out: install two browsers. I use Firefox with Flashblock because I can’t stand the annoying adverts that use constant motion and gaudy colors to get your attention. My Firefox sessions are quiet. There are times, however, that I have to have flash in order to view some sort of content. For that, I open up IE.”
Thanks, Mark. Naturally, you can use any combination of two browsers, as long as at least one of them has Flash turned off or a flash blocker installed.
Get the latest Flash Player version
When it comes to removing an old version of the Flash Player, Rick Austin has some advice:
- “As a fan of Secunia’s Software Inspector, I frequently have been notified to install the latest up-to-date version of the Flash Player and get rid of the old one. But I have found that getting rid of the old version as you describe doesn’t work. The only way I know to do it is as follows:
Step 1. Download the Adobe Uninstaller found on Adobe’s Web Players page and save it for future use. (It only needs to be downloaded one time, because it is not version-sensitive.)
Step 2. Create a desktop shortcut linking back to the same Web Player page.
Step 3. Close the browser.
Step 4. Run the “Uninstaller.”
Step 5. Click the link to the Web Players page to open your browser, and then run the appropriate installer.
Step 6. Run Secunia to confirm.
Step 7. Rejoice!
“This works every time for me.”
Thanks, Rick. Some users may also need to uninstall other applications that come with Flash components — such as older versions of Adobe Photoshop Elements — and then upgrade to newer versions.
Readers Elaine, Dave, Mark, and Rick will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Scott Dunn is associate editor of WindowsSecrets.com.
A new twist on table manners
Mothers spend years teaching their children to keep their elbows off the table, chew their food with their mouths closed, and avoid slurping their drinks.
Some children take to these lessons more eagerly than others. Clearly, the man in this sexually charged, 30-second commercial still has some manners to learn. Luckily for him, his friend is more than tolerant of his behavior. (Warning: your mother may not approve of you viewing this ad.) Play the video
How Firefox 3 blocks bad sites better
By Woody Leonhard
With the release of Firefox 3 imminent, your ability to identify and block “bad” Web sites automatically is about to take a giant leap forward. A fascinating new feature in the browser adds near-real-time — and anonymous — checking to stop phishing and other malicious sites in their tracks.
Browser malware-prevention techniques are flawed
Dangerous Web sites come and go faster than a decaying photon. Whether they’re phishing sites that lure you into divulging personal information by masquerading as someone you trust, or malware sites that dump a myriad of offensive and damaging programs on your PC, it’s tough to stay one step ahead of them.
The challenge facing the people who devise phish- and malware-fighting strategies lies in identifying “bad” sites quickly and accurately without jeopardizing your privacy or overloading your system. My column of Sept. 28, 2006, describes the antiphishing options built into Internet Explorer 7 and Firefox 2.
In a nutshell, you have three choices with these browsers, all of which have faults:
- Turn off antiphishing protection. Both Internet Explorer 7 and Firefox 2 let you deactivate their antiphishing filters completely. I recommend this approach only for those who adhere to the “ready, fire, aim” school of safe surfing.
- Turn on real-time filtering. The real-time filters in IE 7 and Firefox 2 check each site you visit against a blacklist of bad sites maintained in a centralized database. Firefox 2 uses a database maintained by Google, while IE 7 checks with Mother Microsoft. In both cases, the company maintaining the database can (and probably does) keep a complete record of every site you visit. The trackers claim that users can’t be identified based on these Web histories, but who knows? Scary any way you look at it.
- Use Firefox’s locally stored blacklist. You can choose to let Firefox 2 place a blacklist of offensive sites directly onto your computer. When you try to go to a new site, Firefox checks the URL against this blacklist and blocks you from opening any that it finds. Unfortunately, there are many inefficiencies in the way Firefox maintains the blacklist. Also, IE 7’s real-time filtering appears to do a better job of blocking bad sites than Firefox 2’s resident blacklist.
There are other bits and pieces of phishing and malware protection floating around in IE 7 and Firefox 2. For example, IE 7 makes a noble attempt at identifying phishing sites based solely on their content — a method known as heuristic analysis.
Unfortunately, the cretins behind phishing and malware know enough to check whether their sites are flagged by IE 7 (and Firefox 2) prior to posting them. That puts a big dent in this technique’s effectiveness.
Firefox 3’s blacklists update faster
The improved phishing and malware protection built into Firefox 3 relies exclusively on a collection of blacklists maintained on your computer rather than on a single, central database. If you venture to a site that appears on one of the local blacklists, Firefox 3 does a quick double-check online to make sure the site is still blacklisted. If it is, the browser raises a virtual red flag, as shown in Figure 1.
Figure 1: Firefox raises the Attack Site alarm.
Other than that, there’s no reporting to Firefox’s server. Even if you wanted to give the Mozilla Foundation a permanent trail of all the sites you’ve visited, you can’t.
Firefox 3’s automatic blacklist updates occur about every 30 minutes. The browser’s new approach is much more efficient and fault-tolerant than Firefox 2’s routines. For example, Firefox 3 ensures that the most recent offenders are posted on your machine first. That way, if you’re offline for a while, Firefox 3 gets the latest (and likely most active) sites nailed down quickly.
Many other technical improvements in the browser are described in a document on the Google Code site called the Client Specification for the Google Safe Browsing v2 Protocol. If you’d like to try out the browser’s new malware protection yourself, Firefox 3 Beta 5 is now available for download.
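The lookup flow described above, as an added example that is not Mozilla or Google code: a local prefix list is consulted first, and the online double-check happens only on a local hit. It is a simplification of the Safe Browsing v2 design (the real client canonicalizes each URL into several host/path expressions and handles incremental list updates); here each URL becomes one expression, and a fake full-hash server stands in for Google so that what the server learns can be inspected.

```python
"""Model of the Firefox 3 lookup: local 4-byte prefix list, online
double-check only when the local list matches. Added example, simplified
from Safe Browsing v2; not browser or Google code."""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # v2 stores 4-byte SHA-256 prefixes, not full URLs


def expression(url: str) -> str:
    """Reduce a URL to the lowercase host/path form the list is keyed on
    (the real client derives several such expressions; this keeps one)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.lower() + (parts.path or "/")


def full_hash(url: str) -> bytes:
    return hashlib.sha256(expression(url).encode()).digest()


def prefix(url: str) -> bytes:
    return full_hash(url)[:PREFIX_LEN]


class FakeFullHashServer:
    """Stands in for the full-hash endpoint; records every query so the
    privacy property (the server sees prefixes, never URLs) can be checked."""

    def __init__(self, currently_bad_urls):
        self.bad = {full_hash(u) for u in currently_bad_urls}
        self.queries = []

    def lookup(self, pfx: bytes):
        self.queries.append(pfx)
        return [h for h in self.bad if h.startswith(pfx)]


class LocalBlacklist:
    """The on-disk list Firefox refreshes about every 30 minutes."""

    def __init__(self, listed_urls, server: FakeFullHashServer):
        self.prefixes = {prefix(u) for u in listed_urls}
        self.server = server

    def is_blocked(self, url: str) -> bool:
        pfx = prefix(url)
        if pfx not in self.prefixes:
            return False  # clean site: nothing leaves the machine
        # Local hit: fetch the full hashes behind this prefix, compare
        # locally. A site de-listed since the last update is let through,
        # which is the "still blacklisted" check the column describes.
        return full_hash(url) in self.server.lookup(pfx)


def demo():
    """Constructed lists: one site still listed, one de-listed since the
    local copy was downloaded, one never listed."""
    server = FakeFullHashServer(["attack.example/drop"])
    local = LocalBlacklist(["attack.example/drop", "cleaned.example/"], server)
    results = {
        "attack": local.is_blocked("http://attack.example/drop"),
        "cleaned": local.is_blocked("http://cleaned.example/"),
        "good": local.is_blocked("http://good.example/"),
    }
    return results, len(server.queries)
```

Only the two locally matched sites produce a server query; the clean site never touches the network.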
Firefox security relies on Google payments
Most people don’t realize it, but the Mozilla Foundation — the organization behind Firefox — makes tens of millions of dollars every year from Google. A large percentage of the money that pays for Mozilla’s 90-plus employees comes from Google’s coffers, due to Firefox’s promotion of the Google Toolbar.
This isn’t necessarily a bad thing, though it provides Firefox’s developers with a built-in incentive to use Google technologies rather than alternatives from the search king’s rivals. On the plus side, this cozy relationship gives the Firefox programmers plenty of experience working with Google technology. Case in point: the new Firefox 3 antiphishing and antiattackware blacklists, which are created and maintained by Google.
If Google flags a URL as a phishing site or dings a site for harboring malware, the Google determination drives the way Firefox behaves (see below for an example of this).
Another organization in the Firefox 3 mix is a nonprofit called StopBadware.org, which bills itself as an electronic “Neighborhood Watch” and clearinghouse for information about bad sites. StopBadware.org started as a joint effort of Harvard and Oxford universities. Its funding is provided by Lenovo, Sun, and — you guessed it — Google.
If Firefox flags a site as off-limits and you’re curious to see why the site has been relegated to the Google blacklist, enter its name in the StopBadware.org search page and take a look at the reason given for blocking the site.
In my experience, StopBadware.org almost always reports merely that the site has been blocked because Google blocked it. There’s a bit of buck-passing in those reports, and the buck stops with Google. StopBadware.org claims that it performs its own independent reviews on some sites, but the lion’s share of reported offenders come straight from Google’s bad-guy roster.
StopBadware helps restore your site’s good name
While most of the user-level reports from StopBadware.org simply echo Google, in my experience the site and the organization have helped save my bacon. If you have your own Web site, take note.
In my column on Mar. 6, 2008, I wrote about an iFrame exploit that infected my personal site earlier this year. Google notified me by e-mail about the infection and immediately started blocking the site. A notice stating “This site may harm your computer” appeared whenever my site was listed on Google search-result pages, and people were prevented from clicking through to the site from the results.
I fixed the iFrame problem within hours of receiving the notice. Then I applied to Google, via its Webmaster Tools site, to have the blockade lifted. I waited a day. Then a week. Still, my squeaky-clean site remained blocked. Finally, after three weeks with no response, I repeated the Webmaster Tools procedure, requesting again that the block be lifted. No joy in Mudville.
Adding insult to injury, when I started beta-testing Firefox 3, the new browser picked up Google’s blockade and tossed a red flag on the screen each time I tried to go to my own site. Humiliating.
A good five weeks after I cleaned up the site, I learned about StopBadware.org. Using the site’s “Flagged by Google?” page, I applied anew for relief. Within 48 hours, I received a message from StopBadware.org, stating that the block on my site was being reconsidered. Shortly thereafter, I got another message telling me that Google had lifted the block. Perhaps most amazingly, within 20 minutes Firefox 3 stopped throwing up the red flags.
Impressive, eh?
Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Detect zombie PCs by sniffing your network
By Ryan Russell
If one of the PCs on your network were infected with a botnet, how would you know? Identify the interloper by using the free Wireshark network monitor, which also helps you troubleshoot e-mail and other programs that fail to establish or maintain a network connection.
Scan your network for noisy botnet interlopers
The Internet is plagued by botnets. These armies of compromised computers do the bidding of nefarious masters — sending spam, instigating distributed denial of service (DDoS) attacks, and searching out other PCs to victimize. Fortunately, it’s pretty easy to detect whether your system has been recruited into a botnet army.
If you suspect you may have a “zombie” PC, run the free Wireshark network monitor, which I described in an Apr. 3 column as a tool for capturing network traffic and filtering out the noise. Since bot programs are pretty noisy, you won’t have any trouble spotting them with Wireshark.
Start by shutting down (or filtering) all programs that are authorized to phone home via the Internet, such as e-mail and other network-connected applications. Then let Wireshark monitor your computer for a while as the machine remains idle. Any subsequent connections made from the computer must be unauthorized. (My earlier column provides step-by-step instructions for using Wireshark.)
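The idle-host triage just described, applied to a packet summary as an added example (not code from the column or from Wireshark): traffic the PC did not initiate, LAN and broadcast chatter, and the NetBIOS noise are dropped, and whatever remains is reported along with how regularly it recurs. The CSV has the shape `tshark -T fields -E separator=,` produces for frame.time_relative, ip.src, ip.dst, the protocol column and the destination port; the host address, subnet and sample lines are constructed.

```python
"""Triage of an idle PC's capture: what did it send that it had no reason
to send? Added example; the capture lines and addresses are constructed."""
import csv
import ipaddress
from io import StringIO

LOCAL_HOST = "192.168.1.10"                     # the idle PC (constructed)
LAN = ipaddress.ip_network("192.168.1.0/24")    # its own subnet (constructed)
NETBIOS_PORTS = {137, 138, 139}                 # the NetBIOS noise to filter

SAMPLE_CSV = """\
0.000,192.168.1.10,192.168.1.255,NBNS,137
0.512,192.168.1.10,192.168.1.1,DNS,53
1.003,192.168.1.10,203.0.113.7,TCP,6667
1.250,192.168.1.1,192.168.1.10,DNS,53
31.004,192.168.1.10,203.0.113.7,TCP,6667
61.010,192.168.1.10,203.0.113.7,TCP,6667
62.000,192.168.1.10,224.0.0.251,MDNS,5353
"""


def is_local_chatter(dst: str) -> bool:
    """Broadcast, multicast and same-subnet traffic: expected from an idle box."""
    ip = ipaddress.ip_address(dst)
    return ip in LAN or ip.is_multicast or ip.is_loopback


def suspicious_flows(capture_csv: str, local_host: str = LOCAL_HOST):
    """Map (dst, proto, dport) -> [timestamps] for outbound traffic that an
    idle machine should not be generating once known programs are closed."""
    flows = {}
    for t, src, dst, proto, dport in csv.reader(StringIO(capture_csv)):
        if src != local_host or is_local_chatter(dst):
            continue                      # not initiated here, or LAN noise
        if int(dport) in NETBIOS_PORTS:
            continue                      # NetBIOS, as in the column
        flows.setdefault((dst, proto, int(dport)), []).append(float(t))
    return flows


def beacon_interval(times):
    """Median gap between connections to one destination; a steady gap is
    the phone-home rhythm a bot tends to show."""
    if len(times) < 3:
        return None
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2]


def report(capture_csv: str):
    """One row per leftover destination: address, protocol, port, count, gap."""
    return [(dst, proto, port, len(ts), beacon_interval(ts))
            for (dst, proto, port), ts in suspicious_flows(capture_csv).items()]
```

On the constructed capture the only survivor is a connection to an outside host on port 6667 repeating every 30 seconds, which is exactly the kind of line worth saving the capture for.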
A network-security study I helped conduct in 2004 relied extensively on network monitoring, not only as post-infection forensics but also to detect when the victim became infected in the first place.
The monitoring process was relatively easy in the study’s test situation; the target computers didn’t have any extraneous software installed, and they weren’t being used on a day-to-day basis. The second we detected one of them initiating a connection to the Internet, we knew it had been infected (after we filtered out a little NetBIOS noise, of course).
The chances of a typical Windows Secrets reader having an infected machine are slim. This botnet-detection technique is most useful as a tool in your belt for when you’re visiting relatives and they ask you why their computer has slowed to a crawl. Still, running Wireshark once or twice a year reduces a PC’s risk of infection.
If you detect some weird network behavior, I’d like to hear about it. I may ask you to send me your packet capture, so please remember to save it. However, if Wireshark unearths something troubling and you want to research it on your own, check out TCPView, a great network-monitoring tool from Microsoft (previously SysInternals). I’ll be covering TCPView in a future column.
You’re welcome to send me questions about any other topic, too, via the Windows Secrets contact page. (Several readers encouraged me to go into more detail on Wireshark, for example.)
Track down other network glitches
Even if you don’t have a bot problem, you might occasionally encounter a network program that stalls for some other reason. Last week, one of my co-workers installed an internal Internet Relay Chat (IRC) server. (The IRC chat protocol has been in use for many years and predates instant messaging.)
Once all the techies in our office were informed of this new toy, productivity dropped to zero for the rest of the afternoon. Most of us were practicing our ’leet-speak (short for “elite speak”). But others were writing IRC bots, a friendly and harmless kind of bot, to perform silly functions.
After downloading a Perl module to speak IRC and writing a sample bot program, I found that I couldn’t get my bot creation to log in and show up in the channel. Wireshark to the rescue! I used the program to perform a “follow TCP stream” action on my bot’s connection. Wireshark detected a bunch of chatter between the IRC server and the client that a typical IRC client won’t show the user.
The chatter included an error message stating there was no Message of the Day (MOTD). Aha! I saw in my bot’s code that the trigger allowing it to join a channel was located at the end of the MOTD. Code changed, problem solved.
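The bug described above, as an added example that is not the author’s Perl bot: a minimal parser for the server side of the exchange that “follow TCP stream” shows, and a join trigger that accepts both the end-of-MOTD reply and the no-MOTD error. It is written in Python rather than Perl; the numerics (376 RPL_ENDOFMOTD, 422 ERR_NOMOTD) are from RFC 2812, and the server name, nick, channel and captured lines are constructed.

```python
"""Work out from the server's replies when an IRC bot may JOIN.

Added example, written in Python rather than the column's Perl module and not
the author's bot. It parses the server side of the exchange that Wireshark's
"follow TCP stream" shows, and fixes the bug the column describes: the bot
waited for the end-of-MOTD reply (numeric 376) before joining, but a server
with no MOTD sends ERR_NOMOTD (422) instead, so the bot never joined. Numerics
are from RFC 2812; server name, nick and channel are made up.
"""
from typing import List, NamedTuple, Optional, Set

RPL_ENDOFMOTD = "376"   # "End of MOTD command"
ERR_NOMOTD = "422"      # "MOTD File is missing"


class IrcMessage(NamedTuple):
    prefix: Optional[str]
    command: str
    params: List[str]


def parse_line(line: str) -> IrcMessage:
    """Split one line into [':' prefix] command params [':' trailing] (RFC 2812 s2.3)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0], params)


def bot_responses(server_lines: List[str], channel: str, ready_codes: Set[str]) -> List[str]:
    """Replay the server's lines and return what the bot would send back.

    ready_codes are the numerics the bot treats as "registration finished, safe
    to JOIN". The column's bot effectively used {RPL_ENDOFMOTD}; the fix is to
    include ERR_NOMOTD as well.
    """
    sent: List[str] = []
    joined = False
    for raw in server_lines:
        msg = parse_line(raw)
        if msg.command == "PING":
            # Servers drop clients that do not answer PING; echo the token back.
            sent.append(f"PONG :{msg.params[-1]}")
        elif msg.command in ready_codes and not joined:
            sent.append(f"JOIN {channel}")
            joined = True
    return sent


# Constructed server->client stream from a server with no MOTD configured.
NO_MOTD_STREAM = [
    ":irc.example.test 001 mybot :Welcome to the Internet Relay Network mybot!bot@192.168.1.20",
    ":irc.example.test 002 mybot :Your host is irc.example.test",
    ":irc.example.test 422 mybot :MOTD File is missing",
    "PING :irc.example.test",
]

# The same server once a MOTD exists: the happy path the original bot expected.
MOTD_STREAM = [
    ":irc.example.test 001 mybot :Welcome to the Internet Relay Network mybot!bot@192.168.1.20",
    ":irc.example.test 375 mybot :- irc.example.test Message of the day -",
    ":irc.example.test 372 mybot :- Lab IRC. Be nice.",
    ":irc.example.test 376 mybot :End of MOTD command",
]

BUGGY_TRIGGER = {RPL_ENDOFMOTD}
FIXED_TRIGGER = {RPL_ENDOFMOTD, ERR_NOMOTD}

if __name__ == "__main__":
    print("buggy, no MOTD:", bot_responses(NO_MOTD_STREAM, "#lab", BUGGY_TRIGGER))
    print("fixed, no MOTD:", bot_responses(NO_MOTD_STREAM, "#lab", FIXED_TRIGGER))
```

With the buggy trigger the bot answers the server’s PING but never sends JOIN on the no-MOTD server, which is exactly the “connected but never shows up in the channel” symptom; with the fixed trigger it joins on both servers. The PONG handling is there because an unanswered PING is the other common reason a bot silently drops off.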
Your network problem is likely more serious than the IRC bot error, though. The chatter-analysis technique works equally well with POP mail clients, for example. The next time you’re unable to download your e-mail, break out Wireshark to find out what’s going on behind the scenes. In fact, you may want to run the scan before you encounter a network problem, so you know what a clean channel looks like.
Find out more about Wireshark
I’ve focused on how a network-monitoring tool can be used for security and maintenance, but there is a ton of functionality in Wireshark that I haven’t covered here. In fact, it would take a whole book to make a dent in all the ways the program could be used.
I haven’t written such a book myself, but my publisher Syngress got some knowledgeable guys to do just that. I checked with the company to see whether it had a sample chapter or similar information it could share with Windows Secrets readers. Turns out it does. Here’s the Filters chapter (PDF) from Syngress’s Wireshark & Ethereal Network Protocol Analyzer Toolkit, which I’ve obtained permission for you to download. (More info about the book: United States / Canada / Elsewhere.)
The filters chapter covers the subject in much more depth than I was able to in two Windows Secrets columns. I haven’t read the whole book, but a couple of reviewers whose opinions I respect have given it four stars on Amazon.
There is at least one other book on Wireshark, entitled Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. (Find out more about the book here: United States / Canada / Elsewhere.)
Some useful sites for more information are the Firewall Forensics FAQ, the Internet Assigned Numbers Authority’s ports list, the Wireshark mailing lists, and Daryl’s TCP/IP primer.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Finally, here comes XP Service Pack 3
By Susan Bradley
On the heels of Vista Service Pack 1 comes the update that far more Windows users have been anticipating. Unfortunately, XP Service Pack 3 is an unremarkable update for everyone except network admins, who will appreciate the additional control over wired and wireless connections offered by SP3’s Network Access Protection.
Installs made easy, networks kept safe
After three and a half long years of waiting, XP Service Pack 3 will be available for download via Microsoft Update next week. That’s good news for anyone who installs Windows XP on new PCs; you won’t have to load the dozens of patches separately, as was required in the past.
In my testing, XP SP3 is a stable — in fact, quite boring — update, with just one noteworthy advance. For organizations running the Network Policy Server on Windows Server 2008, the new Network Access Protection client lets them quarantine Vista and XP workstations. Microsoft’s Network Access Protection blog has many posts regarding this technology’s ability to add workstation health checks to your network.
One issue relating to XP SP3 that I’m still investigating involves the Media Center Edition of Windows XP. Because Windows Media Center Edition (MCE) was not designed to be used on a network, that version of the OS could be installed only in a workgroup, not in a domain.
Among the small businesses I work with, owners often bought the MCE version of XP without realizing that it couldn’t be used in a domain. There’s an unsupported way to add PCs running MCE to a domain, however. It’s called the “banana hack,” and I first blogged about it in late 2005.
When I test domain-resident MCE systems with XP SP3 installed, though, the machines lose their network connectivity. At this time, it’s uncertain whether the banana hack will be updated to allow PCs running MCE (and patched with SP3) to join a domain.
In fairness, the hack is not endorsed by Microsoft, so those who rely on it have only themselves to blame for their predicament. Still, it’s an honest mistake, since it isn’t obvious that MCE can’t be installed on domains. The good news is that Vista Ultimate includes all MCE features and does support domains.
Intel chipset woes keep Vista SP1 from auto-updating
If you’ve been waiting for Vista Service Pack 1 to be included in an automatic Windows update, you may receive the patch starting next week. However, if you have a PC like my sister’s Dell laptop, your wait might not be over so soon.
I couldn’t get the service pack to download on the machine, even though I scanned for the service pack manually and attempted to update the notebook’s Sigma audio drivers. (Sigma is one of the manufacturers whose drivers are said to block the service pack, as reported in Microsoft Knowledge Base article 948187.)
My sister may be facing even more hardware brick walls in her attempts to install Vista SP1. As reported by Redmond Developer News, an update for Intel graphics chipset drivers must be installed on your system for it to be offered Vista SP1. The impacted chipsets are the Intel G31, G33, G35, Q33, Q35, G965, Q965, Q963, 946GZ, 945G, and 945GZ Express for desktops, and the GM965, 945GT, 945GM, 945GMS, and 940GML Express for mobile PCs.
The driver update can be downloaded from Intel.
I may just give up and download the full service pack to my sister’s notebook manually. It just goes to show you that, even with a name-brand laptop, Vista SP1 can be elusive.
A big thumbs-up for the Excel 2003 update
Many people have asked me if I’m ready to recommend that they install Access 2003 Service Pack 3. I’m not quite comfortable giving you the “go” sign for that update yet.
However, I have good news for anyone who was hit by the glitch affecting custom macros that copy data from Excel 2003 into Word 2003. After installing Office 2003 SP3, they lost the ability to use this link macro. KB 951405 describes a release that fixes this issue. Simply request the hotfix via that article and apply it to your systems.
If you’re waiting for my verdict on Access 2003 SP3, note that I’ll report in my next column on lingering issues related to that service pack.
Office validation patch lands with a belly flop
As I wrote last week’s column, I visited the Microsoft Update site to confirm that the patches I described were available. I was surprised to be offered the Office Genuine Advantage patch. I was even more surprised when Windows Secrets contributing editor Woody Leonhard told me that the test run of this update was intended for release only in Chile, Spain, Turkey, and Italy. I live in California. That’s not even close.
When Office Genuine Advantage appeared along with my Windows Server updates, I knew something was wrong. The Windows Server Update Services (WSUS) blog confirmed in a recent post that the Office validation update wasn’t supposed to be offered to me.
It’s events like this that make me recommend that you set Windows Update to the “download but do not install” option rather than the automatic download/install setting. You still need to patch the OS regularly, but it’s key that you do so deliberately, and only after you’ve reviewed and approved all of the updates.
Did Apple clean up its Safari-download act?
Technology pundits must have complained loudly enough for the folks in Cupertino to take notice. Apple has changed the way the iTunes update offers to install the company’s Safari browser. The installer no longer appears to be offering you an update to Safari; now Apple makes it very clear that Safari is new to your PC.
I’d be happier still if the company went one step further and didn’t check the box next to the Safari listing by default. Incidents.org’s Joel Esler asserts in a blog post from last week that Apple is far from the only company at fault for these annoying updating practices. Still, I’ve had it up to here with all installers that try to foist on me Google Desktop, OpenOffice.org, or any other program I didn’t specifically ask for.
Note to Apple: uncheck the box, don’t bundle anything, and just let me update the software — and only the software — that I downloaded. I don’t think that’s too much to ask.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2023 AskWoody LLC, All rights reserved.