Scobleizer Weblog

Sunday, August 22, 2004

Dylan Greene, a couple of his friends (Dennis Cheng and David Ross), and I went to the new Seattle Public Library this afternoon.

It was my first time. This is a stunning library. If you come to town you must visit. I don't even know where to start. The architecture. The information technologies support (Wifi everywhere). The color schemes. The art. The book handling system.

2200 people donated money to build it -- I saw quite a few Microsoft names on the wall. Job well done!

9:30:17 PM

This LiveJournal site (siqi's house of vanity), which details a Chinese cop killing a kidnapper (with photos of everything), is getting a bit of traffic.

How is our culture changing? It'd be a rare day for media to run these photos 10 years ago and you'd never see the kind of comments that follow.

In Jim McNay's photojournalism class (back 14 years ago) he taught us to "capture the moment." I don't remember seeing a better example of capturing the moment than these pictures. I don't know who the photographer was, but these photos are emotional and stunning.

Don't look if you're queasy about violence or death.

George Carlin's famous words are used a lot by commenters underneath. Beware. The new journalism isn't nice. Very in your face.

9:22:23 PM

Phil Ringnalda takes me to task over my comments about blog comments. Agreed -- comments are important to me and while I was lashing out yesterday I went a little overboard. By the way, just fixed my link to Browse Happy to reflect that that was done by Web Standards org, not Mozilla's org.

I'm working with UserLand on this 'cause I don't want to move my blog and like Radio.

9:09:31 PM

Olivier Travers asks webloggers to stop calling Ludicorp's Organizr a Web app because it uses Flash as its display technology.

Hmm. That's why I call these things Internet-connected apps. At Microsoft we go even further and call non-browser apps "SmartClients." Outlook, for instance, hooks up to Exchange over the Internet and can display Web pages (or, even RSS feeds) but it's not a Web app.

Now, this is all a bit pedantic, I'm sure, and the only ones who care are the geeks. Normal people who see something running inside a Web browser like Firefox or IE call those things Websites. For instance, Pogo.com uses Flash extensively in the games they present there. Only the most pedantic among us don't call that a Website or Web app.

Maybe we need a new lingo? Personally whenever I'm thinking of using new technology I think of "reach" vs. "richness."

For instance, a .NET app is very "rich" but can mostly only run on Windows (I'll have a demo of what I mean up soon since I interviewed the WinForms team and they showed me a killer clone of Outlook that they built in 50 lines of code).

But for my weblog I stay with "reach" technologies (good old W3C-compliant HTML). Why? Because I want you to be able to read my weblog on any browser on any device. I've had people come up to me and show me my blog running on Treos, PocketPCs, Tablet PCs, and various cell phones.

So, maybe we need a "rich vs. reach" meter so you can pick the right technology for the job. Flash is now on quite a wide variety of devices (I've heard market share numbers of more than 90%, depending on how you measure it), so Flash is pretty darn close to HTML today in the reach department.

Translation: doesn't matter what you call it. Organizr is cool.

1:58:32 PM

Tim Anderson: SP2 debate exposes deeper problems.

ZDNet's David Berlind: SP2's new firewall: better than nothing, but not good enough.

Security is an interesting issue. How much security is good enough?

Let's get out of the computer world. Let's talk about heirloom jewelry. My wife, Maryam, has a bit of jewelry. Does she store it here in the house? No. Why not? It's not secure enough. Where does she store it? In a safe deposit box in a bank. Let's talk about a bank's security and how many layers it has.

1) The jewelry is stored in a safe deposit box with a lock.
2) There's a camera on the box area, so if something goes missing they can verify what happened later.
3) Each box is alarmed. So, if you try to break into someone else's box, an alarm will cry out.
4) The safe deposit boxes are stored inside the bank vault. Three feet of concrete and steel with a very sophisticated lock on the door.
5) Video cameras on the vault door to verify who goes in and out.
6) The vault is behind a counter and you aren't allowed to go near it unless an employee lets you in.
7) The vault is in a building that's designed to be difficult to break into. Alarms. Heavy duty doors. Lighting that makes it easy to see in.

I'm sure there are more layers too that I'm not even aware of. But, let's not dwell on this. The point is that there are multiple layers of security all to protect my wife's jewelry. Let's say any one of these layers failed. Her jewelry would still be safe. It would take multiple failures for a criminal to be able to steal her jewelry.

So, what's my point? Well, when it comes to computer security you should have multiple layers as well. If you have multiple layers of security, then any one layer -- even if it's not well designed -- will prove sufficient in keeping criminals away from the digital equivalent of your jewelry.

If you visit www.microsoft.com/protect you'll see the layers that Microsoft is recommending. For me, I go further. Here's what I'm doing now.

1) Install Windows XP Service Pack 2. This update has many protections against attacks (recompiled code, closed APIs, firewall on by default, all known patches, etc).

2) Get a good anti-virus program. Visit www.microsoft.com/protect for some suggestions, including a Computer Associates one that's free for the first 12 months. Why is this important? It'll protect your system from all the known viruses, worms, and trojan horses.

3) Get a good two-way firewall on every machine. The Sygate Personal Firewall is free and is good. Zone Alarm is another popular choice. Why don't I just use the firewall that's included in XPSP2? Because it is only a one-way firewall. Sygate's watches activity going on from both inside your computer as well as out on the Internet. What if your company already has a firewall? That's not enough. You need one on every machine now because if someone takes a laptop outside of your network, gets infected, then comes back in, they'll infect you too. In fact, I use two firewalls now, even at work (one software that runs on all my machines, and one that hooks to the network before I even hook a machine to it). XPSP2's firewall is definitely better than not having a firewall at all, but for some people like me it's not enough.

4) Get a hardware-based firewall or NAT at the point of network entry. Why? Because many of us attach unpatched computers while installing, or want to play networked games, or have other reasons for turning off our software firewalls (some software won't work through firewalls). Plus, even if you don't turn them off, it provides one more barrier that hackers have to go through. Again, it's about layers of security and not needing to rely on any one security device.

5) Turn on automatic updating. Visit www.microsoft.com/protect so you'll always have the latest security patches. Why do that? Because software evolves. We learn about mistakes we made in our code. We find new ways to keep criminals out. If you aren't running the absolute latest software, you're vulnerable (and this is true if you're on Linux or the Macintosh too).

6) Run the latest email and Web clients. Outlook 2003 and the latest Outlook Express, for instance, have another level of security against running exe's (you can't even run them if emailed in the latest versions, but if you used earlier versions they didn't have those protections). If you are running Firefox or Netscape, they regularly fix vulnerabilities in their products too. Always run the latest. That's the safest.

7) Visit www.microsoft.com/security regularly for the latest information on security threats. That's the official place where Microsoft will communicate about security threats and/or the latest updates.

8) Run at least one good anti-spyware program like Adaware or Webroot's Spy Sweeper or Spyware Blaster. That'll make sure that no spyware sneaks onto your system. With XPSP2 I've found that spyware is far less likely to get onto your system, but I've already found one site that has some spyware that gets past XPSP2. So, you'll need to still check, particularly if you visit "high risk" sites (sites that aren't known to you, for instance, or adult sites which are famous for putting spyware on your systems).

9) If you visit high-risk Websites, turn off ActiveX and scripting in your browser. (I turn off scripting even on Firefox when I'm visiting high-risk sites -- you all can guess what I'm talking about here. It's just too risky.) In Internet Explorer, just visit Tools/Internet Options. Click on the security tab. Then move the security slider to "high." That'll disable both ActiveX and scripting.

10) Don't run in administrator mode. I'm slowly moving my machines to not running in administrator mode. That way if something does get through all the protection it can't do as much damage. Out of all the steps here, this one is the hardest to do, though, because a lot of things don't work on Windows if you're not running as administrator.

11) Keep an install partition on each of your machines. I put a backup version of my Windows XP install CD on the second partition so that if all else fails and my machine is taken down, I can quickly repair the system and get back up with nothing more than a boot floppy that any machine can produce (since my install bits are on the second partition I don't need to do anything fancy to get back up).

Update: Chris Coulter says that an even better thing to do is to get a second hard drive and put an image of the first drive on the second (he recommends Norton Ghost). If something happens to the first drive, you can build a new image off of the second drive and be back up and running within minutes.

12) Don't allow anonymous users on your wireless network. Why not? Because if they have been infected then you'll have invited them behind several layers of your security. Plus, a criminal could use your line to send spam or infect other people. Do you really want to help those people out?

13) Use better passwords. Come on, I know some of you aren't using good passwords. For instance, I knew one person who'd just use "password" as his password. That meant his machine could be broken into very quickly (never use a single word as a password -- hackers have dictionary cracking tools that can break such passwords). Read Robert Hensing's advice. He's a security expert here at Microsoft and works in support and explains a good way to choose passwords that are hard to break.

14) Back up your data regularly. It's amazing how few people back up their stuff. Hard drives die. Things happen. If you have backups, you'll be OK even if your machine gets wiped by something. Personally most people don't need to do it very often. I back up once a month. Why? I'm willing to lose a month's worth of stuff. (Most of my important stuff is in Outlook and that's backed up automatically by the company I work for).

Anyway, my whole thing is to treat your computers like you treat valuable jewelry. Put up multiple security barriers. This is true, by the way, whether you are on a Mac or Linux too. All the above except for loading XPSP2 apply to you too. Just because the criminals aren't attacking your systems right now doesn't mean they won't in the future. That's like saying "well, if I hide my jewelry in a box at the North Pole the criminals aren't going to take the time to go there." That might be true, but is that really a good way to approach the world?
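A checklist like this is only useful if the layers are actually switched on, so here is a read-only audit of four of them (layers 2, 3, 5 and 10). It is an added example, not part of the original post; it assumes a current Windows release with PowerShell 5.1 or later, since none of these cmdlets exist on XP SP2, and the helper name `New-Check` is hypothetical.

```powershell
# Added example: audits a few checklist layers. It changes nothing on the system.
# Assumption: Windows 10/11 or Server 2016+, PowerShell 5.1+ (not XP SP2).

function New-Check($Layer, $Ok, $Detail) {   # hypothetical helper for one result row
    [pscustomobject]@{ Layer = $Layer; OK = [bool]$Ok; Detail = $Detail }
}
$checks = @()

# Layer 3: host firewall on this machine, checked per network profile.
# ActiveStore reports the effective settings after Group Policy is merged in.
foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $checks += New-Check "Firewall ($($p.Name))" ($p.Enabled -eq 'True') `
        "inbound=$($p.DefaultInboundAction) outbound=$($p.DefaultOutboundAction)"
}

# Layer 2: anti-virus. Get-MpComputerStatus only knows about Microsoft Defender,
# so a third-party product has to be checked in its own console.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $checks += New-Check 'Anti-virus (Defender)' `
        ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
        "signature age: $($mp.AntivirusSignatureAge) day(s)"
} catch {
    $checks += New-Check 'Anti-virus (Defender)' $false 'Defender status unavailable'
}

# Layer 5: automatic updates. The service must not be disabled and the
# NoAutoUpdate policy value must not be set to 1.
$au  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
           -ErrorAction SilentlyContinue
$svc = Get-Service -Name wuauserv
$checks += New-Check 'Automatic updates' `
    (($svc.StartType -ne 'Disabled') -and ($au.NoAutoUpdate -ne 1)) `
    "wuauserv start type: $($svc.StartType)"

# Layer 10: day-to-day work should not happen in an elevated session.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$checks += New-Check 'Not running as administrator' (-not $elevated) `
    "user=$($id.Name) elevated=$elevated"

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.OK })
"{0} of {1} audited layers need attention" -f $failed.Count, $checks.Count
```

Run it from a normal, non-elevated prompt; the layer 10 row reports the session it runs in, so an elevated prompt will always flag it.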

What do you think? How many layers of security do you have? How many do you need?

You might not need all the above, by the way. At home I don't have an alarm. I don't have video cameras. I don't have a vault with three feet of concrete between me and any potential criminal.

So, the 14 security layers I use for my computers might be overkill for you. Which layers above do you choose not to have and why?

12:38:45 AM



© Copyright 2005
Robert Scoble
rscoble@microsoft.com
My cell phone: 425-205-1921
Are you with the press?
Last updated:
5/11/2005; 12:56:39 AM.

Robert Scoble works at Microsoft (title: technical evangelist). Everything here, though, is his personal opinion and is not read or approved before it is posted. No warranties or other guarantees will be offered as to the quality of the opinions or anything else offered here.

