03/11/2004 Archived Entry: "Bulletproof computing: web and email"

Several items on top today. First, humor: those who have been following the SCO/IBM/Linux flap will enjoy this week's installment of the Bastard Operator From Hell. (I particularly like the analogy between SCO's products and excrement.)

In the You Heard It Here Beforehand department, it seems that everyone's predictions of the problems with computerized voting have materialized in California. We may never learn what went wrong; the absence of a paper trail means that no one will ever know how bad the miscount was. (The tipoff was districts reporting more votes than registered voters.)

Webmasters should read this item from SecurityFocus courtesy of The Register. I wasn't aware of Google's advanced search capabilities and how they can be used to reveal security flaws on web sites. I'll post more on this later, after I've finished the current thread.

Which brings me to the fourth line of defense for your personal PC: secure email and web software.

I've said it before. I've said it again. I tell you three times: Do not use MS Internet Explorer, MS Outlook, or MS Outlook Express! These products are so riddled with vulnerabilities and design flaws that they are notorious.

(This week's security advisory for Outlook and Office XP is merely rated "serious"; it allows an attacker to run "unwanted code" on -- i.e., take over -- your computer. So what does Microsoft consider a "critical" flaw -- a risk of death?)

Windows users, here's a tip: you don't have to use the web browser and email client that came with your operating system. You can download something else. You can even download several. (I used to have three browsers and two email clients on my old Windows box. Jargon guide: in this context, a "client" is a program that runs on your computer. It talks to a "server" which serves up web pages or email messages or whatever.)

So, at the risk of repeating myself, here are a few suggestions.

Web browser. My favorite, for its attention to security and its speed, is Opera. Opera gives more options than any other browser I've seen to control cookies, pop-ups, and how the browser identifies you. It was also the only browser to handle the URL spoofing bug by issuing a warning telling you that the site you were about to visit may not be the site you expect. A nice attention to detail, and well-written code.

Second choice and coming up fast is Mozilla (or Netscape). The Mozilla team is busy adding most of the security features of Opera, and it actually has a few features that I prefer (like the ability to easily change font size in a displayed page). My main gripe with Mozilla is that it's slow, and tends to freeze momentarily while fetching pages from the web. But for security it's excellent. (Netscape is essentially a rebranded Mozilla these days.)

Both of these are available for Windows and Linux. There are others.

One more important tip for Windows users: disable ActiveX scripting. ActiveX is yet another example of Microsoft's complete fecklessness where security is concerned; it's almost as if someone said "let's make something like Java, but without any of the security features."

(Not that Java implementations are flawless, despite the attention to security in its design. You might want to disable Java too, although we leave it enabled and have had no security problems. Dump Microsoft's bungled Java engine and install the one from Sun Microsystems instead. My biggest gripe with Java is that most Java web pages use huge Java files, which take forever to load on our dial-up connection.)

Email client. For Windows my favorite is Eudora. It has all of the security features I describe below. As I recall, the latest versions even warn you if you attempt to open an executable attachment.

For Linux my first choice is Mozilla Mail. This is almost as capable as Eudora, and has all the important security features. Usually you'll get this as part of the package when you install the Mozilla web browser, but I hear that you can now get Mail and Browser separately. This would be my second choice for Windows.

I don't yet have a second choice for Linux. I would expect the Opera mail client to be excellent, but the way they've implemented mail folders and labelling is not to my taste, so I've never used it. Other popular programs are Evolution, Balsa, and Sylpheed, but I have no experience with them.

As another choice for Windows, Andrew Grygus of Automation Access recommends PMMail. I haven't tried it, but I respect his opinion.

If you're going to try one of these alternate choices, look for the following features... and if you're using one of my suggested email clients, enable these features:

Remember, most of your defenses can be circumvented if someone sends you an email and you blithely or unwittingly click on the attachment. An email program that places obstacles in this path -- e.g. by requiring you to confirm a download -- is a Good Thing. So is an email program that gives you crucial information -- e.g. the real file type -- about those attachments.
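The "real file type" point is the one a mail client can check mechanically, because the attachment's name and its declared MIME type are both chosen by the sender, while the first bytes of the content are not. The script below is an added illustration written for this entry, not code from the post or from any of the mail clients it names: it parses a message with Python's standard `email` library, looks up each attachment's leading bytes in a small magic-number table (the `MZ`, `PK`, `%PDF`, PNG and GIF signatures are real; the table is deliberately short), and flags executable extensions, double extensions, and disagreement between sniffed and declared types. The sample message it builds, its addresses, and the flag names are all constructed for the example.

```python
"""Report what an e-mail attachment really is, rather than what its name says."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes -> what the content actually is. Real signatures; short table
# for illustration only (constructed for this example, not exhaustive).
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"GIF8", "gif"),
]

# MIME types a sender could honestly declare for each sniffed kind.
EXPECTED_MIME = {
    "windows-executable": {"application/x-msdownload", "application/octet-stream"},
    "zip-archive": {"application/zip", "application/x-zip-compressed"},
    "pdf": {"application/pdf"},
    "png": {"image/png"},
    "gif": {"image/gif"},
}

# Extensions Windows will run directly on a double-click.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf"}


def sniff(content: bytes) -> str:
    """Classify content by its first bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(part) -> dict:
    """Compare one attachment's name and declared type with its real content."""
    name = part.get_filename() or "(unnamed)"
    declared = part.get_content_type()
    content = part.get_payload(decode=True) or b""
    real = sniff(content)
    exts = name.lower().split(".")[1:]      # "invoice.pdf.exe" -> ["pdf", "exe"]
    last_ext = exts[-1] if exts else ""
    flags = []
    if last_ext in EXECUTABLE_EXTS:
        flags.append("executable-extension")
        if len(exts) > 1:
            flags.append("double-extension")   # document-looking name, runnable file
    if real == "windows-executable":
        flags.append("executable-content")     # regardless of what the name says
    if real in EXPECTED_MIME and declared not in EXPECTED_MIME[real]:
        flags.append("content-mismatch")       # declared type contradicts the bytes
    return {"filename": name, "declared": declared, "sniffed": real,
            "size": len(content), "flags": flags}


def inspect_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and inspect every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [inspect_attachment(p) for p in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed test message: one honest attachment and two dishonest ones."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"     # constructed addresses
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    # Genuine PDF: only the header matters to the sniffer.
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    # PE header behind a document-looking double extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    # PE header whose name and declared type both claim it is an image.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="image", subtype="png", filename="photo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for report in inspect_message(build_sample()):
        status = ", ".join(report["flags"]) or "ok"
        print(f"{report['filename']:18} declared={report['declared']:26} "
              f"real={report['sniffed']:18} {status}")
```

Run stand-alone it prints one line per attachment; the honest PDF comes out clean, the double-extension file is flagged three ways, and the "PNG" is flagged as executable content that contradicts its declared type. A mail client that showed its user exactly this row before allowing a download would be doing the job the paragraph above asks for.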
