Saturday, August 18, 2007

Technically Reading

Here are a number of interesting "technical" posts I've come across these past two weeks.

Might be something here for the security-minded or the Windows support providers.

Internet Explorer 7 Security Guide

Microsoft whitepaper: IE7 Security Guide

Overview

Internet Explorer 7 offers users more protection than previous versions of the browser through a combination of new features and more secure default settings. In keeping with the need to balance security and usability, the default values for these new features and settings have been configured to offer the best choice for a broad range of users.

This white paper examines some of these new features and settings that you can modify to provide a more "locked down" security configuration. This paper does not provide a complete review of all settings, nor is the guidance in it specifically equivalent to the Enhanced Server Configuration for Windows Server® 2003. The settings and features this paper discusses offer additional security guidance for the broadest impact on most users and administrators.

This paper discusses both the Windows Vista® and Windows® XP versions of Internet Explorer. Administrators and system owners can use the guidance in this paper to tighten security settings in the browser to meet their specific needs. The document is structured to provide a description and review of the settings and features the paper discusses. Microsoft recommendations for enhancing the default security settings in some common deployment scenarios are also provided.

We haven't deployed IE 7 yet as the "standard" browser version yet in our enterprise environment. Too many intranet pages and resources were coded for IE6 in mind and still haven't been fully updated for IE 7 compatibility.

Inside the Windows File Compression Machine

Mark Russinovich ran into a failure attempting to use Windows (XP/Vista) Explorer's built in file compression tool.

It kept giving him a "File not found or no read permission" error.

Not a good thing to do to the All Things Windows Guru.

So he fired up his Sysinternals tools and went to work.

Mark's Blog : The Case of the Failed File Compression

His blog entry provides a fascinating look at just how the Windows file compression tools work behind the curtains.

In the end, he found that the process wasn't really that well optimized in Vista and updated his post with the tantalizing comment that the compression engine has been updated in Vista SP1.

While I personally rarely use the built-in file compression tool in XP/Vista, it is nice to have when servicing a workstation in the field where we don't normally install 3rd party compression tools on our workstations, and I might not have my handy USB drive of utilities with me (say during a remote pc session).

The third-party compression utilities I prefer are all freeware and listed below:

Rogue Domain Name Servers

I've been a big fan of OpenDNS to ensure that my DNS resolutions are fast, accurate, safe, and dependable.

I even hard-coded the OpenDNS server's addresses into our home router.

So I didn't sweat when I read this post over at TrendMicro's TrendLabs warning of some rouge DNS servers that are used by DNS-changing Trojan activity.

Rogue Domain Name System Servers

If you don't know how to check your DNS settings for your Windows PC's it's probably good to know and check periodically.  Obviously, if your primary DNS services are provided by your network group, you might be safer, but it's always a good thing to check the local workstations just to be sure as any values manually entered will override the default networks ones set by system administrators.

Using Fake Software Awards to generate traffic

Ohhh what a dirty scam.

If you are a regular downloader of software from the Internet, you have probably noticed little award "badges" from time to time saying how great a software application must be.

It's a slick psychological tool that may lead someone to download and evaluate a product they might not otherwise have done.

So  blogger and software developer Andy Brice put out a product (simple text file with an exe file association name) and generated 16 awards for this bit of uselessware.

The software awards scam - Successful Software blog

His fantastic post then goes on to examine the seamier-side of software download sites and award badge baiting.

It's great reading for anyone who regularly downloads software from software download sites and the pitfalls they face.

I have a handful of "trusted" download pile sites and I tend to stick with just those.

PaperGhost Exposes FireFox page-view blocking

I choose to use FireFox as my preferred browser for many reasons, it is customizable, it is fast, and it is secure for my browsing habits.

So imagine browsing to a website in Firefox and instead of seeing your expected page, getting a toss-up page saying that because you are using FireFox, and because it supports Ad Blocking tools, you are a bad content stealing, ad-view income thieving, copyright infringing, and sub-percentile web-browser using scumbag.

The SpywareGuide Greynets Blog: Trading Security For Advert Clicks

Hmmmm.  Me-thinks I smell dead crabs on the beach under a hot Texas summer sun.

As Paperghost summarizes:

Yes, we have a right to say what we do and don't want on our PC. And yes, the guy behind this idea does have a right to block you from his website if you don't want to see his adverts.

But wow, it's still stupid and decreasing your web traffic for the sake of a few clicks on random adverts. This says to me that the only thing on the site the creator thinks is worthwhile are the adverts themselves. If they'd rather keep you away from their actual content to keep their precious adverts intact, what does that say about the worth of the material on their homepage in any case?

You're probably better off without them.

Mind you, this does have obvious bad-guy potential. How long will it be before we see someone create a bunch of exploit sites, slap their "no FireFox" code on it and instruct you to come back with a Browser they know they can hijack using x, y or z exploits?

How long, indeed?

Say it with URL Style

I've always had a difficult time explaining the elements of a URL (uniform resource locator) address to end-users.  The URL is the web-address commonly typed into a browser bar to navigate to a webpage or embedded in a hyperlink.

Matt Cutts does a great job breaking the elements down in a clear and easy to understand way.

Talk like a Googler: parts of a url

Great read and even touches on static versus dynamic URL's.  And as usual, the comments are filled with great added material on the discussion.

--Claus

No comments: