Someone Else

Why Firewalls Suck

Of course they don't really suck, but I needed a snappy tagline to make you read this article. But what does suck is people who assign strange magical powers to firewalls, with the result that you end up less secure with one than you were without. 

Ok, quick quiz.

Who remembers Nimda and / or Code Red? I bet a lot of you still do. They both got enough attention in the news. Who thinks that if only their firewall was setup differently they could have stopped them from doing the damage they did?

I don't know how many of you think that's the case now but at the time a lot of people certainly believed it.

The belief a firewall could have stopped code red is an example of someone not understanding what a firewall can and cannot do. Other common problems are with misconfigured firewalls, which happens all too often where people don't understand how they work, or are being pressured to fix something in a hurry. This is still the problem with firewalls, years after they were first introduced, years after i wrote my first draft of this article, people are still unsure about what a firewall can and cannot reasonably be expected to do, and they're still allowing people who don't know what they're doing to set them up. This is why firewalls suck; not because they do a bad job, but because many of the people using them don't understand what the firewall can do for them, and what they still have to do for themselves.

So what can a firewall do?

Firewalls are generally used as gateways to a network, and as gateways they can inspect incoming and outgoing traffic and either block its passage or allow it to pass depending on certain rules. These rules are usually pretty simple, but can be built up to do some complex things by using combinations of different rules.

So a firewall sitting in front of a Windows based network will probably be set to block all traffic on Windows -specific OS ports in order to stop people examining your network shares (this is the most important function a home firewall performs). It essentially blocks all traffic on a certain port from entering your network. On a Unix network it will probably be configured to be pretty hot on blocking up the RPC ports, and so on.

The firewall hopefully also looks at e-mail traffic and blocks all of that except traffic that is to or from your authorised e-mail server, and probably has very similar rules for web server traffic, FTP traffic, etc. It might do some preliminary checking for those services where it can sensibly do so, e.g. it might do a reverse DNS lookup of incoming mail and discard any that fails that test. Many firewalls these days perform this kind of traffic analysis, the days when you could stick a simple NAT box in front of a network and pretend it's a real firewall seem to be gone. Thank goodness.

Of course all this assumes that the firewall always works correctly - e.g. never has a breakdown or security issue of its own; and also that the people who set it up know what they are doing and never ever make a mistake, which isn't realistic no matter how good you are. Firewalls are like every other bit of computing kit and will do exactly what you tell them to do. The important word is 'exactly'. A firewall doesn't know the difference between what you tell it to do and what you meant to tell it to do.

The reason I'm labouring this point is because human error is one of the biggest reasons firewalls don't work the way they are expected to. This point means that you need to hire good people and train them properly to get the best out of a firewall - training doesn't have to mean an all expenses paid trip to a 4 week course held in a five star hotel in Aruba, maybe just getting some good manuals and giving your staff the time to read them will be enough. If you can't afford the firewall plus the training to use it, then you can't afford the firewall at all. Simple. If more people realised this was the case when it came to any service facing the Internet, I am certain that the number of security incidents would drop dramatically.

What a firewall can't do.

So now we know what a firewall can do, lets take a look at what it can't do.

Firewalls can't protect against attacks that don't go through the firewall. Sounds simple, so why do we keep hearing about security being breached by avoiding the corporate firewall in some company? Surely people must understand this by now?

Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. As well they ought to be, but too many think this is their only threat vector. We call these companies 'victims'.

Unfortunately for those concerned, an Ipod or USB memory stick, a rewritable CD or even a pen and paper can all be used to steal data or bring malware onto your network (ok maybe not the pen and paper here!). Far too many people think in terms of "I've got to buy this, some of these, and maybe this and then I'm secure". That approach might work in the short term but will get found out sooner or later.

You don't buy "security" like buying groceries. You need to understand the business, how it works, what are the threats to the business and how security is about people not gadgets. Don't think of tools such as firewalls in terms of "What can I block", instead think "What is the core of this company? How could it be stolen or copied or otherwise attacked, and how can I protect it?"

Surprisingly enough, lots of companies that are terrified of Internet connections have no coherent policy about people taking data away on laptops. Just ask MI5, or Ernst & Young, or Fidelity Investments if having even a single laptop go missing is any kind of problem.

It's silly to build a 6-foot thick steel door when you live in a straw hut, but we do it in IT all the time. Even as you're reading this people are out there right now buying expensive firewalls and neglecting the numerous other back-doors into their network. For a any security gadget or tool to work, it must be a part of a consistent overall security system. Your firewall isn't your security policy, it's simply the method by which you enforce that policy on traffic travelling via the route you place the firewall upon..

Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with very sensitive systems shouldn't rely on a firewall to protect that information, they shouldn't be hooking these systems to the Internet (or even their normal LAN) in the first place. Separation of systems is a well known security concept and it galls me to see companies that should know better get caught out like that.

The firewall configuration must reflect your user community's legitimate needs. If your firewall makes it impossible for people to do their jobs then either you'll get fired, your company will go bankrupt, or your users will have to try and work out how to sneak past your firewall, and as a by-product of simply having to do their jobs they will be exposing your network to risks. I'm going to take a wild guess that none of the possible outcomes above are what you were aiming for when you installed a firewall.

Another thing a firewall can't really protect you against is physical intrusion or social engineering. Can someone walk into your office and walk out again with a laptop simply by looking as if they belong there? Users who reveal sensitive information over the telephone are good targets for social engineering: an attacker may be able to break into your network by completely bypassing your firewall if he can find a "helpful" employee inside who can be fooled into giving access to the system.

Firewalls use rules as I've already said. These rules are simple cook-book type filters that the user sets up and configures. The firewall analyses traffic and either passes or blocks traffic depending on what the rules say.

The first problem should therefore be obvious: If you don't setup a rule to deal with an explicit situation then what happens when it occurs? Of course any sensible person would configure their firewall so that it blocked everything except the one or two things they wanted to allow - in fact with most firewalls I've seen this is the default behaviour and you have to work hard at screwing it up. But none the less plenty of people screw it up. Don't ask me how but they do.

Secondly, a firewall can't know about human factors. If it sees a request to upload files to your FTP server it can't be expected to know that the person who owns the account being used for the upload is actually in Aruba on a 4 week course, without access to the Internet, but they dropped their wallet in the airport departure lounge and it had a note inside with your webserver FTP username and password. It also can't know that what is being uploaded is actually the makings of a porn website instead of your usual corporate image.

It also can't examine content of requests it forwards for intent - at least not reliably and efficiently. It might block the ports needed to protect your webserver against someone trying to telnet into it but when it comes to "proper" web traffic it doesn't know the difference between the legitimate GET sequence for loading your index page and the GET sequence that this week's brand new Internet worm du jour uses to scan for vulnerable webservers. To the firewall this looks like legitimate traffic - it was told to allow HTTP traffic to be directed to the webserver, and it can see legitimate HTTP traffic so it forwards it. It has no reliable way of knowing the intent of that traffic.

Firewalls don't suck, it's just the way we use them.

Too often people talk about firewalls as a magic bullet. They want to put a firewall in front of their insecure network and hope it makes the problems all go away. Now obviously, a firewall is a useful piece of equipment and I would say that everyone with a permanent Internet connection should consider one, whether it's the home user with a cable or ADSL connection, or the major business with 300 servers connected to the Internet.

But we need to be clear about what they can and cannot do. They are a valuable protective layer between your network and the outside world when used properly, but they are no substitute for a proper security plan with all the parts of your network setup to be as secure as possible.

To go back to code red and Nimda, which is where I started, those people who just used a firewall and thought they were secure instead of bothering to secure their systems properly found themselves victims of these worms because a firewall does not protect against that kind of attack. What would have protected them would have been a comprehensive patching program that was implemented as part of an overall security policy including the firewall.

A network is only as secure as its weakest point, and that's not the firewall, it's the fool who thinks that a firewall is all he needs.

[yes this is a rewrite / update of an article from the old site]

Firespy proves that just changing your browser isn't enough.

Harry Waldron blogs about the Formspy / Firespy spyware trojan, which is also described by Sophos and McAfee. It's interesting because it's a bit of spyware that abuses the Firefox web browser, and as such could catch people who think they're safe because they don't run IE unaware.

Actually, this is a good old school email distributed hack.It doesn't abuse a security hole in your email client, or hack your browser in order to infect you. It relies on fooling you into downloading and running a file.Harry hopes that it won't be serious because it requires people to download and run the attachment from an email and we all should know better than that, but I'm not so sure. Still it isn't every day you see me actually hoping to be proved wrong!

So if changing your browser isn't enough to keep you safe, what do you need to do? Why drive safely of course. While car analogies often end up being quite tortured in computing articles, I'm going to break out my old stand-by and compare virus scanners and the like to seatbelts and airbags, and stretch it to compare applications to the cars themselves.

Some cars are safer than others, that is true. But no matter how safe a car is by design, no matter how good quality the seatbelts are, how well the airbags do in tests, it never becomes a good idea to intentionally drive into walls at high speed, instead you drive safely and regard these things as insurance for the day it all goes wrong.

As it is with software. You can change from one browser to another or one email client to another in the pursuit of safety (we'll save the discussion about whether or not this is worthwhile for later), and you can install the best virus scanners you can find or even switch to a platform that claims not to need AV scanners, but you still need to 'drive' safely or you'll come unstuck sooner or later.

Browser and Platform Support.

Well it's good to see that I'm getting hits all over the spectrum of OSes and browsers. (CP/M tho?). This just underlines the importance of testing your website in more than one browser, if not whole other OS.

Honest mistakes and coding problems are one thing by the way. It happens. I'm sure my site here doesn't render perfectly in every browser (though I test it in IE, Firefox, Camino and Safari to name just a few) but like most people I at least try. I still see sites that actually announce that they only work in one or two browsers as if it is something to be proud of. Why would you cut off part of your potential readership on purpose?

Lets make this clear. I pretty much use just Firefox, Camino and Safari, in that order. If you operate a store or a service that requires me to shut down my Mac, walk over to the PC, boot up and login with IE (or Vice-Versa) then I won't bother, I'll just go to your rival that actually understands customer service.

Operating Systems (Top 10)   -
Operating Systems Hits Percent Windows 79722 75 % Unknown 14375 13.5 % Macintosh 9338 8.7 % Linux 2685 2.5 % Symbian OS 22 0 % FreeBSD 14 0 % CPM 8 0 % OS/2 7 0 % Sun Solaris 7 0 %

 

Browsers (Top 10)   -
Browsers Grabber Hits Percent MS Internet Explorer No 40876 38.4 % Firefox No 38865 36.6 % Unknown ? 15396 14.5 % Safari No 5038 4.7 % Opera No 2854 2.6 % Mozilla No 1859 1.7 % Camino No 838 0.7 % Netscape No 173 0.1 % Konqueror No 83 0 % Links No 68 0 %   Others   128 0.1 %

Australian CERT manager doesn't like desktop AV?

AV Scanners don't work?

ZDNet Australia reports that Graham Ingram, director of the Australian CERT, delivered a talk at a Messagelabs seminar where he (according to ZDNet anyway) claimed that desktop AV "does not work".

"At the point we see it as a CERT, which is very early on -- the most popular brands of antivirus on the market … have an 80 percent miss rate. That is not a detection rate that is a miss rate."

"So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in," said Ingram. (quotes extracted from the ZDNet article.)

Of course, when you dig a little deeper, what he's talking about is heuristic scanning of new viruses, not the overall effectiveness of desktop scanners in general, so we need to look at this a little closer. 

What is Heuristic Scanning?

A typical virus scanner has at least two operation modes, first is what we usually term "signature based scanning", which scans for known viruses by comparing the contents of the file being scanned to a unique signature pattern that corresponds to a particular virus (Its a bit more complex than this, I'm keeping it simple). This represents most of the detection work done by a modern AV scanner. That is, most of the viruses received by a computer are already known.

Heuristic scanning is slightly different. It examines the code within a file for virus like behaviour, using a variety of different techniques and traps to understand what a snippet of code is attempting to do. If that bit of code does too many virus like things then it is flagged as potentially being a virus.

This is difficult to do on the desktop because it can be time consuming, and is a very complex job to perform adequately, and users are very sensitive to delays in their system. If you were making a desktop virus scanner would you write a heuristic system that tested every possible condition with each file, but slowed the system down so much doing it that users just turned off the heuristic scanning? Or would you just do a few of the common tests that you can perform quickly, and call it good enough?

It is much easier to do heuristic scanning at the boundary, e.g. on an internet or email gateway scanner, where you can typically delay a file and take as long as you need to scan it. People might notice a second of delay per file on their desktop but you can keep an emailed file back for testing for a good 10 or 15 minutes, which is near enough to eternity with the performance of modern computers.

So does this mean my virus scanner works or not?

It works as well as it ever did. If you've purchased a decent product then the signature based scanner will do a great job of detecting known viruses. The heuristic scanner may not hold up its end as well on a desktop machine, but any effort here is better than none at all.

So is heuristic scanning a waste of time? 

It's less effective on the desktop certainly, compared to how a good server based system can work. it's funny to see someone attacking heuristics in general at a Messagelabs seminar when they make a very big deal of their Skeptic Heuristic Engine being part of their email product, which makes me think that the report is a little distorted.

It's important to look at why Ingram believes heuristics are ineffective, and to consider what this really means.

"I am not suggesting that there is a difference in the quality of the antivirus products themselves. What is happening is that the bad guys, the criminals, are testing their malicious code against the antivirus products to make sure they are undetectable. This is not a representation of the software," said Ingram.

Ah. So the products aren't ineffective because they don't work. They're ineffective because virus writers have access to them and are worried enough about them to take the time to work around them. That's very different.

If virus writers are having to test their viruses and refactor them prior to release then the AV apps are making the cost of developing new malware more expensive. Maybe not as good as stopping all new viruses dead but a fairly realistic goal that is still worth getting out of bed for.

This isn't an entirely new thing either. It's been known for a while that spammers are among some of the most prolific users of spamassassin and the like. Same thing here, should we be sad that spammers can get around the current spam filters, or happy that they have to spend the extra dev time/costs doing so?

[disclosure: I'm security manager for an organisation who uses Messagelabs]

Sorry about the outage this morning...

I've been upgrading this site to the newest beta of Community Server 2.1.

 Feature-wise I'm quite impressed, but I have to say it was a bit of a chore performing the upgrade. I'm not sure at the moment if the problems were due to the nature of beta software, or due to some issues with my particular site (or probably, both) but I think we got there in the end. You may find one or two features not quite behaving at the moment and one or two other features that either didn't work before or which worked but sucked now behaving better.

Softricity now part of Microsoft.

Over in his blog, Alessandro Perilli notes that possibly the worst kept secret in the virtualization rumour mill is now official. We all knew it was happening. We all knew it would be announced soon, but now it's actually a done deal. Microsoft have acquired Softricity.

So what now? Alessandro suggests that Microsoft may be looking to wrap this up into a "Microsoft Live" product for app streaming. Certainly this would fit nicely into a subscription model for those apps, wouldn't it?

I personally wonder if we'll see this applied more as a deployment tool. You've got some nice features here to make deployment very painless, to apply a limited level of sandboxing, and to make it easy for someone who works in more than one place to take their applications with them without needing to carry an entire computer around.

Official press release

It's the content, stupid

Robert Scoble talks about the 11 rules to survive being a Web 2.0 "Dot Bomb".

Robert mentions how this reminds him to watch out for his own new business (Brave move btw Rob, a long way from being a Netmeeting MVP or living in the Microsoft 'comfort zone'  for sure).

One of the things that I miss in Robert's new venture and which I see in the article he referenced, is that you need to have the right content for your podcast, blog or even your business. Imagine a business plan where someone says something like this:

1. I'm bored
2. Get Venture Capital
3. Design Website
4. {Something Magic Happens Here}
5. Buy my own island and either retire or become a paraody of a James Bond villan.

This is what most dot-com business ventures used to look like. Most dot-com 2.0 ventures look much the same except the "something magic" is considered to be part of the website design as well as the product ("Look, it updates on screen without loading the page again... oooh magic!")

Now I admit that some web 2.0 sites are interesting, and that some blogs and interesting and that some podcasts are memorable but here is the big secret.

They're memorable because their content is memorable.

Got that? My blog site here isn't good (or if you prefer, "crap") because it's a blog, or because it's a blog built on Community Server 2.0 (oh yeah, 2.1 beta 1 is looking good btw guys). It's good, or bad, or whatever you like because of my writing. Because of the people who post occasionally in my forums. Because of the comments, as few as they are. The content.

I don't buy books from Amazon because I admire their e-commerce backend, I buy because they have the books I want at a good price. Just about every point in the 11 suggestions can be related to this single point; start a business to fill a need.

Understand how that business will make money.
Understand what a realistic goal is, and then set about reaching it.
Understand that if you have to spend 3 weeks explaining to me that your idea is cool and that I'm an idiot for not accepting that, then it might just be that your idea isn't that good.

The biggest example of this last one is in the book BooHoo, where the people behind Boo.com explain how it was everyone's fault but theirs that they built a web ordering system that would be sluggish on a LAN connection and were then astonished to find that people on a dial up pay-per-minute connection couldn't use it.

In fact, I think that book should be required reading for anyone starting an online business. Just think of the time it would save you if you're a venture capitalist;
VC: "Have you read Boo Hoo?
Online Business: "Er... yeah sure"
VC: "{Quick question about something in Boo Hoo}"
OB: "{dismal failure to answer the question properly}"
VC: "OK. Thanks for that, some interesting thoughts. Door's to your left."

You're either selling something that people want enough to actually pay for, or you're not. And if you're not, I hope you didn't spend too much money on that new office.

Common questions about Computer Processors

A number of discussions about processors quickly show the same questions appearing over and over again. This post is designed to help those people who understand why a computer needs a processor (aka CPU), and that different processors exist and which one you choose can make a big difference to performance.

This article isn't meant to be an in-depth review of any particular processor technologies, but rather a quick examination of the common issues and questions that seem to arise when considering and comparing modern processors. As such, the article will gloss over technical details and arguements about a technology in favour of explaining overall concepts.

Is clock speed a useful measure of processor speed anyway?

Clock Speed was, until recently, the only real measure of speed that you ever saw used to describe processors. People used to talk knowingly about Megahertz and Gigahertz, and how they knew a higher number was better.

This is certainly no longer the case, and even when it was true, it was still less useful than many people seem to think.

Let's start with what "Clock Speed" actually means. Clock Speed can be defined as the basic speed at which a computer component such as the CPU takes to perform a basic operation, measured in Hertz (MegaHertz, GigaHertz...). When used as a speed measurement of a computer, the "clock speed" being talked about will be that of the CPU.

The problem with using clock speed to measure processor performance is that different processors can perform a different amount of work in the same clock "tick" or cycle. For example, lets say that processor A runs at 4 Mhz, and processor B runs at 1 Mhz. Each processor executes one processor instruction with every clock tick, so Processor A executes 4 times the amount of instructions as Processor B in a second. Now lets look at those instructions. If we want to multiply two numbers together, processor A needs to perform 10 instructions to complete this operation but Processor B needs only to complete 2 instructions to perform the same task. Which CPU will give you the answer first?

As you see above, comparing CPU performance by clock speed works well only when comparing two CPUs which are identical in every aspect except for clock speed. For comparing two different processors, e.g. an Intel Pentium 4 with an Intel Core Duo or with an AMD Athlon 64, measuring the clock speed only tells us what the clock speed of each processor is. It tells us nothing about how each processor performs in comparison to the others.

Performance in the real world can be even harder to understand, if comparing processors by clock speed. Other important aspects of a processor are the bus speed (the speed the CPU talks to the memory and other components on the motherboard, usually different to the internal clock speed of the processor) and the amount and speed of the cache memory available to the processor.

(Read this article on the Celeron 300a for a classic example of how bus speed and cache make a big difference to a processor).

OK. We get it already. Robert doesn't like Clock Speed as a way of comparing CPU speeds. So what should we do instead?

Benchmark! A Benchmark is a standard set of tests run in a controlled manner that compares how two well two different objects complete the same task. There are several "standard" benchmarks available to test either systems as a whole or to test components (e.g. the video card or the processor) directly. Pick a standard benchmark that roughly emulates the sort of work you do and which can be used on your target systems / components, run it on each benchmarked item several times and use the average of those runs to determine how well the item performs.

What do terms like 'dual core' mean? What's the difference between dual core and dual processor?

A Processor Core is the part of a CPU that actually does the work of carrying out the instructions your programs send to it. A Dual Core processor is a processor chip that contains two of these cores, effectively two CPUs on a single chip. A detailed discussion of Dual Core chips can be found here.

The much older technology of Dual Processor systems have two seperate processor chips installed on the computer motherboard.

Whichever system you use, the two cores operate together to share out the system's processing workload, by noting where tasks are broken down into seperate 'threads', and each one executing it's share of these threads side by side.

From the point of view of the operating system and application programs, Dual Processor and Dual Core systems work much the same way, but electronically they work very differently. As ever, each kind of system has its own advantages and disadvantages.

(To save my fingers a lot of typing and your eyes a lot of reading, please consider the terms "dual core" and "multi-core" to be interchangable with "dual processor" and "multi-processor" for the remainder of this article.)

So, is a 2Ghz Dual Core processor like having two 2Ghz processors, or like one 4Ghz processor?

A 2Ghz Dual Core processor is effectively two 2Ghz processors. It absolutely does not work like one 4Ghz processor. This goes back to the issue of threads I touch upon briefly above, with multiple cores being able to execute multiple threads side by side. This means that a computer can do more things at once, not that it can do one thing faster.

How come, then, that some benchmarks show a single program being executed faster with multiple cores than with one?

This happens for two reasons.
Firstly, many modern programs are multi-threaded, which means their main jobs are split into several different threads in order to allow them to make efficient use of modern computer systems.

Secondly, even a single-threaded application can run slightly faster on a dual core machine, because it can effectively have nearly free reign over one processor while the other tasks on the system make use of the other processor.

What about Hyperthreading?

Hyperthreading is an interesting technology from Intel that creates "logical" processors on top of the real processors, and hence appears to the OS and applications as a multi-processor system.

The idea is that often, not all the parts of a processor core are in use at the same time, and by creating logical processors on top of the physical one, you can do more work by making fuller use of the processor abilities, by allowing threads that do not need to use the same resources in the core to process through the processor at the same time.

There is considerable debate about how well logical processors can emulate real ones. Overall "real world" performance depends very much on what applications you run and whether or not your OS is Hyperthreading aware.

AMD have recently proposed a kind of "reverse hyperthreading" which allows dual-core systems to combine cores to run one single thread between them and effectively try to function as one processor. I guess one day they'll make a liar out of me and my earlier statement about how to consider dual core chips!

What about 64 bits? Everyone was talking about that and now they're talking about dual cores. Are we not bothering with 64 bit any more?

64-bit processors and multi-core processors address different needs. And, of course, many modern processors manage to combine both features quite happily.

Multi-Core processors allow a computer's work capacity to "scale outwards", to take on more work at once.

64-Bit processors allow a computer's work capacity to "scale upwards", to work faster and more importantly to work with larger memory address spaces.

So if I'm building or buying a fast computer, the most important thing is the fastest possible processor?

Nope. The most important thing is understanding how the system will be used and designing a good "balanced" system for that need. Essentially a computer system working on a task can be thought of as like a production line in a factory, and all the steps in the line need to be kept full of just the right amount of material in order for the line as a whole to be working at optimal performance.

Fitting a upgraded packing machine at the end of a factory line will not increase that line's rate of production if the other parts of the factory line are already working at capacity, all that will happen is that the new packing machine at the end of the line will sit idle some of the time.

Installing the fastest processor you can find but fitting the computer with insufficient RAM or a very slow hard disk will constrain the processor and prevent it from reaching its full potential. The same applies of course to neglecting the processor in order to fit very fast RAM or hard disks.

If these lastest processors are so quick why doesn't my desktop seem to be any faster? It still takes about as long to load an application.

This is an example of the sort of contraints I talk about above. Starting a new application is likely to be disk and memory intensive as much as it will be processor intensive. We already passed the point at which a faster processor would help applications load faster, and we're now often constrained by the memory and disk systems loading the application.

I hate Comment Spam

So does the always angry and always amusing Mr Angry. In fact, after getting spammed he has complained about it, and says that Stormfront (The racist asshats who spammed his blog) are in fact a support group for a gay Jewish support group. Like Mr Angry, I'm going to underline the fact that I don't think "gay" is an insult, I just agree that being linked with a gay Jewish group would be the best way to piss off racist losers like Stormfront.

Still, I've got my own problems with comment spam. Unlike Stormfront the people trying to leave comment spam on my blog are either too stupid to understand how blogs work, or too stupid to understand how MY blog works, because they instead fill up my "contact me" link with comment spam so I get lots of idiotic emails. What a bunch of idiots.

It isn't all angry ranting about spammers over there by the way. Mr Angry has some good posts on How To Make IT Staff Less Angry (Part 1, Part 2) and how bad managers can make bad jobs worse.

More WGA madness

Well it seems people won't stop complaining about WGA no matter what. Wonder why that is. I would be really interested to break down the list of complainants to find out what portions are made up of the following groups

1. People who'll moan and whine about anything Microsoft do (sorry dudes I meant to write that as "M$" just for you, really I did, then I realised I was older than 15.). And probably use Linux anyway. If you're not actually a customer then you don't have a vote at this table, IMHO.
   
2. People who have been genuinely taken in by 3rd parties who have defrauded both them and Microsoft. I feel very sorry for these people, but their beef is with the people who have defrauded them, not with Microsoft.
   
3. People who have actually broken the EULA terms, intentionally or otherwise. Without getting into rights and wrongs of the EULA, I'm thinking this is the main target of this scheme. If you've broken the terms of the EULA then you've kinda got what you "deserved" (note the quotes before you flame me!). If you don't agree with the terms of the EULA then don't use the software. My suggestion that people buy an Apple Mac if they have no pressing need for Windows still stands.
4. Crackers and software Pirates. who are cracking the Microsoft anti-piracy stuff on purpose. You've kinda made your own bed there, haven't you? This group will continue cracking the software and probably won't be terribly bothered by WGA.
   
5. People who have been victimised by a bug in the WGA code that has falsely accused them of using counterfeit software. A group that is larger than Microsoft want to admit, at the moment. Lots of people in group #2 think they're part of group #5.
6. People who are unaffected by WGA per-se, but who are offended by the very concept. Who feel (rightly IMHO) that they're being treated as guilty until proven innocent every time WGA runs on their system. This is the largest group of complainers, I suspect, and the most dangerous one. Y'see, once customer goodwill has gone, it is very difficult to get it back.
   

The trouble with this software is that it increases the attack surface of Windows. You never improve security and reliability on a system by giving it yet more critical and delicate code to run.

Server Admins - what are you going to do when Microsoft want you to install WGA on your critical server infrastucture? CTOs - what are you going to do when your CEO calls you and asks why her laptop accuses her of being a thief halfway through a demo to some important clients?

A virus writer who wants to really hang a black-eye on Microsoft can go after the WGA subsystem and get double-bubble value for their attack... not only the machines they infect but also the consternation of all other Microsoft customers worried their computer will be taken out by the anti-piracy code being fooled with.

In a desperate attempt to justify their assault on paying customers, Microsoft have started to try and produce things like this 'WGA blog' and this WGA Forum. If WGA concerns you then be sure to visit them and leave constructive comments about how it makes you feel.