Secure Windows 2000 and Me (because MS won’t)

Downed servers give readers error messages

Temporary interruptions at two services used by the Windows Secrets Newsletter caused inconveniences for some of our subscribers since our last issue. These problems seem to have been solved, fortunately — but they still burn us up.

Readers who attempted to upgrade their subscriptions from the free version of the newsletter to the paid version, or who tried to view past paid issues, may have seen error messages during the periods of these interruptions. We apologize for the errors and urge anyone who was affected to try again.

The first of the two outages occurred when a hacker directed a distributed denial-of-service (DDoS) attack against Authorize.net. This company handles credit-card authorizations for more than 100,000 businesses, including WindowsSecrets.com.

According to a front-page article published in Computerworld on Sept. 27, an extortionist demanded a “substantial amount of money” from Authorize.net, which is reportedly the largest online credit-card processing gateway in the U.S. When the service rejected the ultimatum, “large-scale” DDoS attacks began on Sept. 15.

The intermittent floods of Internet packets were sent from hacker-controlled “zombie PCs.” These overloads stopped Authorize.net from approving transactions for hours at a time. (Ironically, we described the growing power of these “bot networks” in our Sept. 23 newsletter, before we knew of the attacks on Authorize.net.) Thankfully, the service succeeded in defeating the assault by installing antiflood technologies to filter out the malicious packets, the company said in a statement. Its authorization process has since returned to normal.

No credit-card records were ever at risk, because the attack wasn’t a break-in but merely prevented customers from reaching Authorize.net. During the times when the zombie floods were at their peak, though, our readers who tried to make credit-card payments to get the paid version of the newsletter could not.

The second outage affected the newsletter’s e-mail broadcast service, ActionMessage.com.

An unexpected interruption of Internet connectivity — which was equipment-related, not hacker-related — knocked ActionMessage.com offline for parts of Sept. 28 and 29. During this period, our readers could not access past paid issues of the newsletter, because the service maintains a part of the login routine for those issues. The outage has been completely corrected. 

Our commitment to our readers’ security
Because the Internet is not a very secure place, we decided from the beginning of this newsletter that we would never store or retain credit-card numbers, e-mail addresses, or other sensitive subscriber data on the servers of WindowsSecrets.com (formerly BriansBuzz.com).

Instead, this information is maintained for us on third-party, industrial-strength servers operated by professionals who have developed multiple layers of protection against hacking. (Because of these measures, not even we can find out the full credit-card numbers of our paid subscribers, but that’s a level of security we gladly chose.)

Our service providers, like all Web sites, may experience interruptions of connectivity. But we’ve done our utmost to make sure that our subscribers’ personal information will remain well-guarded and private.

The fact that Authorize.net was able to successfully deflect a massive bot attack — whereas several well-known antispam organizations were forced last year to cease operations because they couldn’t keep their servers up in the face of hacker/spammer DDoS assaults — gives us confidence in our choices.

We also believe in the “full disclosure” school of Internet security thinking. When an outage of service occurs, we feel our readers should know about it and the fact that the problem has been corrected. That’s why we’re using this space to describe the facts to you, rather than keeping quiet.

The attacks on Authorize.net make us more convinced than ever of the stand we took on the State of the Computing Industry in the Sept. 23 newsletter.

That article said: “Our industry’s 600-pound gorillas may not be able to come together and agree on the solutions we need to restore basic safety and reliability to our computing lives. But if we don’t at least demand that they do so, we’ll watch the Internet slide further and further down the rat hole it’s already in.”

If anything else happens on the Internet that might inconvenience our readers, you have our commitment that we’ll dig it out and let you know. —Brian Livingston, Editor

Secure Windows 2000 and Me (because MS won't)

For the past year and more, Microsoft’s coders worked to develop Windows XP Service Pack 2 (SP2). This long, drawn-out effort turned what was previously a minor collection of bug fixes and security updates into a major Windows upgrade.

The Windows client team worked so long and so hard on XP SP2, in fact, that the company ended up delaying the next major release of Windows, codenamed Longhorn.

It also completely ignored approximately 300 million Windows users who are still running Windows 2000, 9x, and Millennium Edition (Me).

Now, with XP SP2 shipped and out the door, users of systems other than XP might well assume that they’ve got some good news coming. Surely Microsoft plans on releasing SP2-style upgrades for Windows 2000, 9x, and Me, right?

Wrong. Despite the fact that these non-XP products are in widespread use — and the fact that Microsoft has pledged to provide Windows 2000 corporate users with so-called “mainstream support” for that product through June 2005 — the company is, in fact, leaving at least half of its Windows installed base hanging. As has been reported elsewhere, Microsoft announced last month that it won’t release SP2-style fixes for non-XP veresions of Windows or Internet Explorer.

Rather than supporting Windows 2000, 9x, and Me customers with the relevant security updates, Microsoft is instead supplying those users only with some self-serving advice: If you want your system to be as secure as possible, buy XP and install XP SP2.

While we agree that XP SP2 is a much-needed upgrade that significantly raises the bar for PC security, it’s not a panacea. We understand that many Windows users have some very good reasons to stick with their existing Windows versions.

So instead of hanging you out to dry, as Microsoft is, we want you to know what you can do now to give your 2000/9x/Me system the kinds of protection XP users get by installing SP2.

Then we’ll take it a step further in this issue and give you the information you need to address some issues that even SP2 doesn’t address.

The cost of upgrading vs. the cost of not upgrading

Before we get into the details, here’s some basic advice: Many of the upgrades we’re going to suggest below will require you to spend some money. This may mean that it’s possible for you to spend about as much money securing Windows 2000, 9x, or Me as it would cost you to simply purchase the XP upgrade.

But things are often far more complex than a first glance would suggest. For example, upgrading to XP often brings secondary costs, such as upgrading RAM or other hardware. You also may need to buy new versions of application software or find alternative software if your legacy applications don’t run well under XP.

Finally, you should understand that Windows 2000, 9x, and Me may never be able to take advantage of some of the low-level changes that Microsoft made to XP with Service Pack 2. Only Microsoft has the resources to retroactively re-design entire subsystems of Windows.

Now that we’ve said all that, here we go to give your Windows 2000/9x/Me systems as much SP2-style security as possible.

Step 1: Help Windows help itself

First, ensure that your system is up-to-date. That means visiting Windows Update and downloading all of the latest security updates and any optional updates you want for your particular Windows version. (Larger companies should use a patch-management service, which is beyond the scope of this article.)

For Windows 2000, this includes Service Pack 4 and countless other critical updates. Windows Update also provides other software updates that add security fixes. This includes patches that close security weaknesses present in DirectX 9.0 and the Windows Media Player 9 Series. Make sure you download these and any other relevant fixes for your systems.

Next, if you’re an individual user supporting a single PC or your own small network, ensure that your systems are kept up-to-date by enabling Automatic Updates. (As mentioned above, companies with many PCs should enable the desired auto-update features of their patch-management solution.)

Windows’ Automatic Updates feature, to be sure, is somewhat controversial. Many people are concerned that Microsoft might use it to covertly install unwanted software on their systems.

After the nasty malware attacks that have occurred in the past year, however, our advice is to give in to Automatic Updates unless you’ve got a good reason not to.

As Paul noted recently in a speech to a roomful of system administrators, it’s better to let Microsoft install some software on your system than to allow some hacker from eastern Europe.

Step 2: Emulate major XP SP2 features

Once your system is up to date with Microsoft’s released patches, it’s time to turn to those features in XP SP2 that we can emulate in previous Windows versions:

• Emulate the Windows Firewall. Windows XP SP2 ships with Windows Firewall, a personal firewall program that provides protection against network-based attacks.

  Windows Firewall has one major failing that third-party firewalls do a much better job of addressing. Because Windows Firewall protects only against incoming attacks, it cannot help you if you unknowingly install a malicious software program that attempts to “phone home.”

  We recommend Zone Labs’ ZoneAlarm, which offers a free version. This firewall is more full-featured than Windows Firewall, and does support two-way (inbound and outbound) protection. Heck, even SP2 users should grab a copy (and turn off Windows Firewall as soon as ZoneAlarm is running).

• Duplicate Internet Explorer 6’s pop-up blocking. One of the nicest features in SP2 is the new, pop-up blocking feature in Internet Explorer. This finally eliminates those annoying pop-up ads that often blot your screen while you’re browsing the Web.

  You don’t need SP2 to block pop-ups, though. Both Google and MSN offer free toolbars that block pop-ups. An even better choice is to simply use a more secure and full-featured browser, namely Mozilla Firefox. Oh, and that’s free too.

• Improve on the Security Center. From a user’s point of view, the integrated security front-end called the Security Center is SP2’s most visible feature. From here, you can manage features like Windows Firewall, Automatic Updates, and third party anti-virus packages.

  There’s no third party tool that directly emulates this software. But various security companies, including McAfee and Symantec, do offer Internet security packages that bundle a number of security-oriented products together and offer a single front-end to manage them all.

  McAfee’s most full-featured offering is called Internet Security Suite ($50 for the download version). It includes McAfee VirusScan, Personal Firewall Plus, SpamKiller, Privacy Service, Identity Protection, Spyware/Adware Protection, and Add & Pop- up Blocker.

  McAfee offers other bundles, too, so check out their Web site for the one that makes the most sense for you.

  Symantec’s offering is called Norton Internet Security 2005 ($70 for download or CD version). This package offers Norton AntiVirus, Personal Firewall, Privacy Control, AntiSpam, and Parental Control.

Step 3: Go the extra mile

OK, so you’ve installed a reasonable approximation of the security features in Windows XP SP2. Now what?

The next step is to go beyond the security fixes Microsoft offers in XP SP2. This advice applies to all Windows users, including those who are running XP.

• Hardware router/firewall/switch. In this age of always-on broadband connections, it doesn’t make sense to attach an unprotected PC to the Internet, Hackers are constantly running port scans of every possible IP address looking for machines to attack.

  Even if you own only one PC, spend the money to purchase a hardware router. This will typically include a hardware firewall, wireless capabilities to support Wi-Fi units, and a 4- to 8-port switch for connecting PCs into a local area network via Ethernet. The wireless access point can be disabled if you don’t have any wireless-capable devices.

  Such routers are available from a variety of manufacturers, including Linksys, Netgear, D-Link, and many others. They provide a physical layer of security between your PC(s) and your Internet connection, hiding them from detection. Prices and features vary, but you should be able to find a decent router for $50 to $100.

• Antispyware/antiadware. Spyware and adware are fairly recent plagues that were born on the Internet and are typically delivered via the Web. There are a couple of things you can do to minimize your risk.

  First, stop using IE, which has security weaknesses that allow Web sites to silently install software on your PC. (XP SP2 changes this situation, but some security holes still remain.) Instead, use the aforementioned Firefox, which never supported dangerous, IE-only technologies such as ActiveX.

  Second, various third-party applications search for and remove spyware. Ohe of the best is Lavasoft Ad-Aware (http://www.lavasoftusa.com/), which offers a free version. Ad-Aware Plus ($26.95), however, includes real-time monitoring, which we consider a must-have feature.

• Antivirus and antispam. If the Web is the number one electronic attack vector these days, e-mail is surely number two. You need good anti-virus and anti-spam packages. XP SP2 offers no antivirus or antiispam features at all, so this step is important for all Windows users.

  For anti-virus, we recommend Norton AntiVirus or McAfee VirusScan. (Both products are also part of the respective security suites described above).

  Antispam programs are a bit more complicated. You must ensure that any solution you choose will work with the type of e-mail server you’re using.

  Most antispam packages work fine with POP3 accounts, which allow you to download e-mail from a distant server. Few, however, are able to handle Web- or IMAP-based e-mail. Some antispam solutions, furthermore, support only certain e-mail clients.

  Finally, some e-mail applications now support decent Bayesian-based spam filtering capabilities on their own. This can often dramatically lower unwanted email, particularly after a period of time in which you “train” the software to recognize the kinds of spam and nonspam messages you receive.

  For all of the above reasons, it’s hard to pick a clear antispam winner that’s best for everyone. A good place to look is PC World, which reviewed anti-spam applications in its June 2004 issue.

Step 4: Read up on securing Windows 98, Me, and NT

For even more steps you can take to secure non-XP versions of Windows, you should read “The Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.” This guide includes 1.3 MB of .pdf, .txt, and .reg files that Microsoft posted for downloading as a 970 KB .zip file on Sept. 10. (The text refers to Windows 98, 98SE, and Me as “Windows 98,” so the document can in fact be helpful to users of all these Windows versions. Windows 2000, for whatever reason, is not discussed.)

Microsoft takes a somewhat insulting tone in the guide, stating at one point: “Newer versions of Windows offer significantly increased security.” This ignores that fact that many hacker attacks became possible only because of new, poorly-tested features that first appeared in Windows XP.

For example, the recently-revealed JPEG Processing vulnerability — which can infect a PC with a virus when a victim merely displays a .jpeg image file in Internet Explorer, Microsoft Outlook, Microsoft Office, and some other programs — affects only Windows XP, Office XP, and later versions. Windows 2000, 98, Me, and NT are immune. (Microsoft released a patch for the problem on Sept. 14. We described this security hole and its fix in the Sept. 23 issue of the Windows Secrets Newsletter.)

If you can ignore the marketing hype in Microsoft’s threat mitigation guide, however, the text does provide numerous technical tips that go beyond what we can cover in this article. The chapter on “Hardening Windows 98,” for instance, describes changes to the Msdos.sys file that can make the boot sequence of a PC more secure.

The 9-chapter document, in addition to being available as a downloadable set of files, is also posted as a series of linked Web pages at Microsoft’s site. More info

Step 5: Be realistic

As you work to secure whatever Windows version(s) you may use, remember that what you’re doing is likely just a stop-gap measure.

Windows 2000 and Windows Me may run fine today and do what you need them to do. But these systems have already reached the end of what Microsoft calls their “availability life cycles” and will soon no longer be supported by Microsoft. (To be honest, they’re barely supported today.)

It’s important for you to understand that, under Microsoft’s current support policies, we’re quickly approaching the point of no return with these systems. It’s essential for you to bolster these versions of Windows as much as possible with the best possible digital defenses. But don’t expect a lot of help from the executives in Redmond.

To send us more information about this, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Buckle up: JPEG attacks are in the wild

In the Sept. 23 issue of the Windows Secrets Newsletter, we warned you about the so-called GDI+/JPEG Processing flaw. This security hole allows a vicim’s PC to be infected by merely viewing a hacked JPEG file in Windows XP, Microsoft Office XP/2003, and numerous other Microsoft products (and third-party products that rely on Microsoft programming libraries). That issue provides numerous hyperlinks to help you download the several patches you need for different versions of MS software.

This week, industrious hackers have already exploited the flaw. There are at least three known attacks making the rounds. Here’s what you need to look out for.

1. The proof of concept.
First, hackers posted to security mailing lists at least one proof-of-concept hack to show that the vulnerability could, in fact, be exploited. The proof of concept we’ve seen involves a command-line interface, meaning this technique is not likely to be used as-is as the basis for a successful worm or virus attack. But the techniques it employs could certainly be used to create a more sophisticated attack.

2. The AOL Instant Messenger attack
The second attack we’re aware of is, indeed, more sophisticated. Using AOL Instant Messenger (AIM), hackers have discovered a powerful new way to spread a virus using one of the world’s most popular instant messaging systems.

Here’s how it works. If you’re an AIM user, you might see an IM chat window appear with the text “Check out my profile, click GET INFO!” or “hi you. Look at my new profile. click on GET INFO!”

The messages appear to come from random AIM members with mixes of alphanumeric characters for names. The GET INFO text, in both cases, is a link to a Web site that contains an infected JPEG file, which in turn installs the virus.

Once planted on your system, the virus sends an instant message to every user in your AIM Buddy List, attempting to get them to visit the same site. It also creates a backdoor on your system so hackers can later remotely control your PC.

To date, no damage has been caused by this attack, but that could obviously change. A good article on the progress of this technique was posted on Sept. 29 by InfoWorld.com. More info

3. The e-mail attack
The third type of attack that’s been reported is e-mail-based. The authoritative SANS Internet Storm Center, which has noted these reports, unfortunately has almost no information to share about these attacks at this time. But clearly these first, halting reports are just the tip of the iceberg of what’s coming.

Sadly, a tool that Microsoft released recently to help fend off JPEG flaw attacks is woefully inadequate for that task. Helping you overcome this is the subject of the following article. 

Replace Microsoft’s weak GDI scanning tool

Last week, Microsoft issued a new software tool designed to help you detect whether your computers have any vulnerable copies of the GDI Plus system library file (gdiplus.dll) on your system. This graphics device interface library has been used by numerous Microsoft developers and other companies’ developers to render JPEG image files, but the library routines wrongly execute commands in “hacked” JPEG files.

Windows XP and 2003 users can find this tool by visiting Windows Update. Users of Windows 2000 can access a version for their systems on the Microsoft Security Web site.

The file is a tiny download in either case, but is notable mostly for being particularly useless.

As the tool itself states, “The Microsoft GDI+ Detection Tool helps detect the presence of Microsoft products (other than Windows) that contain the GDI+ component. Microsoft customers can run this tool to help determine if a GDI+ security update is required. Microsoft recommends you visit the Office Update site to determine if your computer requires security updates for Office family products.”

If the GDI+ Detection tool finds any flawed copies of the file, it displays the following note: “The software tool has detected that you are running Microsoft software that may contain a security vulnerability. There are security updates available from Microsoft that fix this security vulnerability. Would you like to learn more about the security vulnerability as well as the necessary security updates that address it? (Note that if you click No this tool will not prompt you again.)”

If you select Yes, IE opens up and navigates to the aforementioned page on the Microsoft Security Web site. There are no links at all to automatically fix the flaw, which seems like a curious omission.

Other security firms are working on similar tools. For example, the SANS Internet Storm Center has created a tool called GDI Scan that actually pinpoints the location of each flawed file. (This works best on Windows 2000 and higher, but it also works on Windows 98 and Me, although with some spurious characters added to the report it generates).

Both GUI and command-line versions of the tool are available. The GUI version can paste its report to the Clipboard for easy conversion to a script for removal purposes. The output looks as follows (Note: the black and red colors shown below are in the original output):

Scanning Drive C: …
C:Program FilesCommon FilesMicrosoft SharedOFFICE11MSO.DLL
  Version: 11.0.6360.0
C:Program FilesCommon FilesMicrosoft SharedVGXvgx.dll
  Version: 6.0.2900.2180
C:Program FilesCommon FilesSonic Sharedgdiplus.dll
  Version: 5.1.3097.0 <-- vulnerable version
C:Program FilesDesktop Sidebargdiplus.dll
  Version: 5.1.3097.0 <-- vulnerable version
…

As you can see, vulnerable files are marked in red (the last line and the 3rd-to-last line). SANS’ GDI Scan goes one step further than Microsoft’s tool by at least identifying where the flawed files are on your system. However, you will still need to manually replace each flawed file in order to protect yourself.

We outlined that process in the last issue, but let’s review it here for the sake of completeness.

To get the patched version of gdiplus.dll, which is not vulnerable to the attack, download Microsoft’s Platform SDK Redistributable version of the GDI+ system library file. Run this file to extract gdiplus.dll. Make sure no applications are running, then rename the older, flawed versions of the gdiplus.dll files. Finally, replace the older versions with the newer one (version 5.1.3102.1360) in each location.

If you have a lot of flawed files on your system, you may want to create a batch file to do the renaming/replacing task. In this case, the output from SANS’ GDI Scan is invaluable. 

k RealPlayer flaw could lead to video-borne viruses

Also in the Sept. 23 issue, we recommended RealNetworks’ RealPlayer Music Store as the current champion of online music services.

This week, however, RealNetworks announced a fix for a critical vulnerability in various versions of the RealPlayer application, which is needed to access that service. We recommend that you download the latest version of RealPlayer 10.5 in order to protect yourself.

According to RealNetworks, the software flaw in its player could let hackers create a specially-encoded movie file that runs a program on your system when played back through RealPlayer. The flaw affects a wide range of RealPlayer versions on Windows, Linux, and Macintosh computers.

To fix the problem in Windows, launch RealPlayer and choose Tools, then Check For Update. The RealPlayer AutoUpdate utility will recommend that you download and install the latest version of RealPlayer 10.5. (Unfortunately, there is no patch-only version of the fix.)

More information about this flaw is available at the RealPlayer security site. More info

Multi-user management needed for homes and small businesses

The State of the Computing Industry was the lead story in the Sept. 23 issue of the Windows Secrets Newsletter. This piece claimed that Windows users were faced with overwhelming attacks and that the computing industry is in denial of how bad the problem is.

Multi-user management needed for homes and small businesses

Erik Schmith illustrates the problems with trying to manage multiple security suites in an environment where several people live or work together:

• “You recommend a hardware firewall, individual software firewall, an antivirus program, an antispam program, and an anti-adware program for all users. I wholeheartedly agree with that recommendation. But for average home users and small office users (and, for that matter, some larger users as well) it becomes difficult to implement and maintain these product suites, due to:

  • Price of buying individual products from different vendors
  • Lack of affordable multi-user licensing for home SB versions
  • Lack of interoperability between products from different vendors (though I’m seeing a small start to this, with products like Zone Alarm and Microsoft SP2 at least trying to monitor to see if other firewall or antivirus products are running
  • The lack of ability to control and monitor multiple licenses of the same product.

  “For example, I use the latest version of Zonealarm Pro (I’ve bought a “2-license” version) and also Norton Antivirus 2004. I have three PCs set up at home. Neither product has any features to allow me to remotely monitor/configure the machines my wife and kids use with the other licensed installations on them.

  “Looking at the trial version of Norton Internet Security (again, multiple-license version), one sees the same thing. Though I’ve not looked at many products out there, the one popular one that I’ve seen try to handle this properly is Trend Micro.

  “There have to be many home users with multiple machines, and small business owners in the same situation, who cannot afford the corporate multi-user versions of some of these products, or who don’t have the needed server space/horsepower to run their Control Panel applets.

  “I think that the home/small-business user segment won’t ever start to be really protected until it’s affordable and easy to purchase, install, configure, and maintain a suite of these products that we are discussing on all home/small-business PCs with some centralized control ability.”

You must patch before connecting to the Internet

Robert Graham points out that the current instructions given to new PC users — “connect to the Internet, then download the latest Windows patches” — is all wrong:

• “Your recent issue (or a future one) might comment on the fact that a new system will become infected before it has time to download the updates to protect it.

  “On average, it only takes 16 minutes of online connectivity before infection.

  “The major retailers should provide a CD with the latest updates with any sale of a new PC. This way the CD updates can be installed before connecting to the Internet.

  “This is much cheaper for the industry than trying to preload updated software. Since the CD would only have the updates, there would be no issue of piracy to worry about.”

Since this isn’t the current practice, people who are buying new PCs should order the latest updates on CD-ROM directly from the software makers, whenever possible. Microsoft, for example, sells update CDs for Windows 2000 Service Pack 4 and Windows XP Service Pack 2 for little more than the cost of shipping. 

How 80% of PCs get infected

Joshua Liberman writes about his findings with users of new PCs:

• “We explain to every user that they need antivirus software, antispyware software, a software firewall (at least), and regular patches to Windows, MSIE/OE6, and Office, if they run it.

  “Better than 80 percent of these systems, when they come in for their free one-year checkup, are riddled with problems resulting from neglect in one or more of these areas.

  “The number one reason given for this oversight: I didn’t know.

  “Perhaps a license to surf is as necessary as a license to drive. After all, even an impressively bad driver can affect only a few dozen others, while a truly negligent high-speed connected Netizen can touch tens of thousands.” 

It took 25 years to suddenly become a disaster

Rod Sparks from the land down under puts the subject into the perspective of two decades of PC development:

• “Thank you for your last edition of Windows Secrets. I am very rarely moved to reply to anything, but your latest edition of your newsletter has ‘stirred the possum,’ as we say in Australia.

  “I am a long time Woody’s Watch reader and an IT consultant, and have been in the industry over twenty-five years.

  “Never have I seen the industry in so much of a critical mess. Whereas, at the beginning of the year, virus problems predominated, now two out of three PC problems we deal with are spyware/malware related. Your average user is being cleverly tricked into downloading this guff by some very clever pop-ups and Web hijacks.

  “I can remember the ‘Net when it was pretty much all truth and light — it really was a period of enlightenment. The best of the Web is still there, but it is being clouded by unscrupulous morons.

  “I agree with you that it is beholden on the 600-pound gorillas to improve our ‘Net through improved security and flawless programming (if such a beast exists!). But we also need to raise the public’s awareness of the perils of having an unprotected PC, educate them in identifying the symptoms of infection, and instruct them on the safe removal of infections. We need to keep PC security at the forefront of the public consciousness.

  “You’ve done this. Great article. Well done.”

Readers Schmith, Graham, Liberman, and Sparks will receive gift certificates for a book, CD, or DVD of their choice for sending us comments that we printed.

Wiggle while you work

Inventors at the MIT Media Lab have created Topobo (pictured at left), a construction kit consisting of what they call “dynamic biomorphic forms.” By snapping together various parts, you can create dogs, skeletons, or whatever you like, and then push and pull them in various ways. Your creations “remember” the motions they went through and repeat them over and over using tiny motors.

The creators are Amanda J. Parkes and Hayes Solos Raffle, the latter of whom has posted on the Web his master’s thesis on the subject. Visit the following link, then use the “Videos” link on that page to select from a variety of hilarious scenes of kids, adults, and these critters jumping and crawling about. More info