Defensive Computing

Chances are, there is a copy of Java on any computer you walk up to. According to Sun Microsystems, the company behind Java, it has been installed on more than 800 million computers. There are versions of Java for many operating systems, including Windows, OS X, Linux, and Solaris, just to name a few. You can see if Java is installed on a computer by visiting Javatester.org.

If there is a copy of Java on a computer you own or maintain, it may be old. JavaTester.org not only reports the installed version but gives you some idea of how old that version is, by listing the most recent versions and when they were released.

Multiple versions of Java can, and often do, coexist on a single computer. This is because installing newer versions of Java has never removed older versions. Windows users will see any old versions in the usual Add/Remove Programs list in the Control Panel.

Do you need Java at all? Maybe, maybe not.

Many people use Java without realizing it. I recently wrote about the Secunia Online Software Inspector, a great online service for reporting old, dangerously buggy software that's installed on Windows computers. It requires Java. If you have a Box.net account and use their drag-and-drop multiple file uploader, you're using Java.

Installing

What follows are step-by-step instructions for installing the latest versions of Java on a Windows computer.

Sun, the company behind Java, just released a new version known as Java 6 Update 10 (among other names). As I noted previously, there's no compelling reason to install this latest version, in fact, a case can be made that the prior version, Java 6 Update 7, is the better way to go. The steps involved in installing either version are the same.

The Java plug-in fails to automatically install in Firefox

In theory, the first time you try to use a Web page that requires Java it should be automatically installed. In reality, this rarely works. I just tested it under Windows XP with Firefox versions 2 and 3 and with Internet Explorer versions 6 and 7. Not once did Java auto-install (see above).

No matter, the manual installation is fairly simple. And unlike Flash, Windows users only have to install Java once.

Technically, what you download is the Java Runtime Environment (JRE). The latest JRE version is always available at www.java.com/en/download/manual.jsp. Go for the "offline" version. The prior Java version (Java 6 Update 7) is available at java.sun.com/products/archive/j2se/6u7/index.html. Click on the "Download JRE" link at the bottom of the page.

For both versions, when you run the downloaded EXE file, the installation starts with the usual license agreement.

Starting the installation of Java

Then you may be given the chance to download additional software. When I installed Java 6 Update 7, there was no additional software. But when I installed the latest version, it defaulted to also installing the Yahoo Toolbar for Firefox. No one needs the Yahoo Toolbar, so I suggest not installing it. Defensive computing means installing only the software you really need. The less software installed, the less of a bug magnet your computer is.

Additional software, unrelated to Java, may be an option.

As the software is being installed, you'll see a standard progress bar.

Java is being installed.

When it's all done, this too is clearly shown.

Java has been installed.

Old Versions

What to do with older versions of Java that may be on your computer is debatable.

My preference is to delete old software, so that malicious software can't exploit any known bugs. Others may argue to let sleeping dogs lie because there may be some software that specifically requires an old version of Java. I'll take that chance. In the worst case, you can always download an old version of Java at java.sun.com/products/archive/.

On Windows, Java uninstalls in the normal, standard manner.

This latest version of Java (6 Update 10) is going to complicate things in the future. Newer versions of Java 6 may install themselves over this version or they may not. Java can now be installed in two ways: patch-in-place and static.

If your copy of Java 6 Update 10 is "patch-in-place" then a newer version of Java 6 will remove Update 10 when it's installed. However, if your copy of Java 6 Update 10 is "static," then newer versions of Java 6 will not replace Update 10.

Either way, newer versions of Java 6 will not remove versions of Java 6 prior to Update 10. Also, when Sun gets up to Java version 7 Update 1, that will not remove any copies of Java 6 that may exist.

I don't make these decisions, I only report them.

See a summary of all my Defensive Computing postings.

Sun Microsystems released a new version of Java for Windows, Linux and Solaris a few days ago. Should you rush out to install it? Probably not.

First a bit of level-setting. Version numbers are an ongoing annoyance with Java, and this latest go-round is no different. The new release is identified with six names:

• 1.6.0_10 (from the Java runtime)
• Update 10 of Java Standard Edition 6
• Java (TM) 6 Update 10 (in the Add or Remove Programs thingy in the Control Panel)
• Java SE 6u10
• 6.0.100.33 (by the Secunia scanner)
• 1.6.0_10-b33 (a property of the java.exe file)

New software typically has both new features and bug fixes, but this release of Java only has new features. Sun's release notes say "this feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 7. Users who have Java SE 6 Update 7 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

From what I've read, this appears to be a pretty big release. There are many new features including some affecting the core of the product. New features inevitably mean new bugs, thus the safer approach is wait. Anyone currently running the previous version of Java (1.6.0_7) is therefore best off doing nothing. To see which version, if any, you have installed simply visit Javatester.org.

If, however, you have an older version of Java installed, then you should update it to 1.6.0_7 (a.k.a. Java 6 Update 7). You can download the older version of Java at java.sun.com/products/archive/j2se/6u7/index.html. Click on the "Download JRE" link.*

If and when the time comes that you need one of the new Java features, that's the time to upgrade. Chances are, that by that time, the new features may have had a bug or two fixed.

One exception, is anyone using Google's Chrome browser, which requires the latest version (1.6.0_10) of Java.

Mac users don't have a decision, there is no new release of Java for OS X. For whatever reason, Sun--the company that developed Java--does not supply it for Macs. But Apple does, and Apple is always behind the curve in terms of new releases.

To take a step back, do you need Java at all? If for nothing else, Java is required for the Secunia Online Software Inspector, which I wrote about two days ago.

*Here is an alternate link directly to the EXE file for Windows users. This should download file jre-6u7-windows-i586-p.exe, which is about 15MB. Surprisingly, CNET's own Download.com is a bit behind on Java releases.

See a summary of all my Defensive Computing postings.

I previously pointed out a couple of Asus Netbooks selling for less than $300. Now, one of the HP Mini-Note series has joined the elite group of really cheap Netbooks.

Liliputing, a Web site dedicated to Netbooks, reported Saturday that the HP 2133 Mini-Note just fell in price to $299 at Amazon.com.

This the bottom-of-line machine from HP's initial Netbook foray back in April.

Originally, HP sold it for $500.
On September 24, it was $432, after a rebate.
On October 20, it sold for $380.
A couple of days later, it was $330.
Now, October 25, it's $299.

The machine runs Suse Linux, has 512MB of RAM, a 4GB solid state disk and a keyboard that everyone says is great. (I have not used it myself.) The screen is 8.9 inches and runs at a higher resolution than other Netbooks. Thus, if you don't have the eyes of a hawk, this isn't the computer for you. I've read elsewhere that it gets fairly hot.

Interestingly, HP was the only company to offer Vista on a Netbook and reviews said it was slow, as you might expect, especially considering HP includes a VIA C7-M processor.

HP's cheapest Vista-based model comes with the same screen and keyboard, 1GB of RAM, and a 120GB hard disk. According to Amazon, pricing started at $630. At the end of September is was $530, after a rebate. Now, it sells sells for $404 at Amazon.

This is not meant to be a recommendation, just an observation on the pricing.

Secunia's Online Software Inspector (OSI) is a great free service, one that all Windows users should avail themselves of regularly. OSI is an online scan of a Windows computer (Macs and Linux are not supported) that looks for software with known security flaws. Any computer that gets a clean bill of health from OSI is better defended than one that doesn't.

As I write this, only 7,019 scans have been run in the last 24 hours. More Windows users need to be made aware of the scanner, and I hope this posting does so. That said, OSI isn't perfect.

Defining The Problem

A screenshot illustrating a portion of the OSI report is shown below. The easy-to-understand green check vs. red X indicates that Flash versions 9 and 10 are considered safe, whereas Flash version 7 is not. This illustrates a design choice made by Secunia that I disagree with.

Software with known bugs is given a green check if the vendor has not yet released a patch for the bug(s).

Secunia describes its assorted scanners as focusing "...solely on detection and assessment of missing security patches and end-of-life programs." An unpatched bug is not missing a security patch, so it's green-lighted.

This may be what large organizations need to know, but I think home users should be warned of known buggy software, patch or no patch. For example, if the Adobe Reader has a known bug, we can decide to use the Foxit PDF Reader in the meantime.

Flash version 9 is currently in this state; version 10 fixes a number of bugs. I recently blogged about installing Flash version 10 and warned that version 9 should be replaced. This resulted in an e-mail exchange with Thomas Kristensen, Secunia's CTO.

In his own words:

The OSI and the PSI reports missing security updates for supported software. Flash 9 is still supported and no security related update has been released yet, thus we don't report any missing update for Flash 9. Flash 10 is not a security update for Flash 9, since Flash 9 still is supported.

The interesting perspective here is whether Adobe is using the security issue in Flash 9 to promote Flash 10.

The real problem here is not the OSI and PSI results, the real problem is that Adobe hasn't released an update for Flash 9 (or announced "end of life" for Flash 9).

PSI refers to the Secunia Personal Software Inspector, a free Windows application from Secunia. PSI runs on Windows XP, Vista, 2003, and 2000. The big advantage of PSI is that it scans for 7,000 applications whereas the online scan only evaluates 70. At CNET's Download.com, the editor's review gave PSI five stars (out of five).

Running a scan

The online scan is a Java applet and thus requires that Java be installed. Specifically, it requires Java version 1.6.x. You can test the state of Java on your computer at my javatester.org Web site. If Java is not installed, you can download the latest version at www.java.com/en/download/manual.jsp. I prefer to use the "offline" installation which is just over 15 megabytes.

When the Secunia Java applet loads into your computer, you are asked whether to trust it. This is normal, and you need to trust it to run the scan. The question is issued by the Java runtime environment because Java, by default, does not allow applets to see the local file system. Because it's a Java applet, you can run the scan from any Web browser.

The OSI page has a red "Start Scanner" button at the bottom of the page that doesn't start the scanner. Instead it loads the Java applet and offers a choice as to the type of scan.

A default scan looks for software in the default location for each product. A "thorough system inspection" (enabled by a check box) looks everywhere. Anyone using portable software, needs to run a thorough scan. A default scan is faster and may be a good starting point the first time you use the service. However, I recommend the thorough scan. Inquiring minds want to know.

Scan results

The first thing you'll notice (see below) when the scan completes is the report on missing bug fixes to Windows itself.

Secunia did not reinvent Windows Update; instead, it calls the Windows Update software and reports the results. You see this in the system requirements which include the "Latest version of Microsoft Windows Update."

What it doesn't explicitly mention is that the underlying Windows service (called "Automatic Updates" in XP and 2000, and "Windows Update" in Vista) needs to be running. Every time I run the scan on one of my computers I get the error shown below.

This is because I keep the underlying service disabled, only enabling it once a month to install patches.

I mention this because it brings up another questionable design decision by Secunia. If it can't communicate with the Windows Update software, it nonetheless gives Windows a green check. I think a question mark would better reflect the situation.

E-mailed notifications

When the scan completes, you're prompted to subscribe to Secunia's OSI reminder service, which notifies you by e-mail of significant changes to OSI.

I've been on the list for a while and get maybe one or two notifications a week. The latest one (shown below in a slightly edited format) would have come in very handy Thursday as a warning about the latest critical bug in Windows.

Hi,
Secunia has updated the Secunia Online Software Inspector (OSI) with new rules for detecting insecure software. Run the Secunia OSI to make sure that your system is up-to-date:
What is New:
1) Inspection rules have been updated to detect a special out-of-band security patch from Microsoft.
You have received this email because you have subscribed to the Secunia OSI Reminder Service.

Each e-mail includes a link to remove yourself from the list.

Despite my nit-picking, Secunia is offering a great service to Windows users.

See a summary of all my Defensive Computing postings.

If you use a Windows computer connected to a network, a newly discovered bug makes it possible for a bad guy to wreak havoc on the computer without your doing anything. The most vulnerable versions of Windows are XP, 2000 and Server 2003. Vista and Server 2008 are also vulnerable, but not as badly. Microsoft considers the bug important enough to issue the patch immediately rather than waiting for their normal once-a-month patch Tuesday.

Susan Bradley, writing for the Windows Secrets newsletter recommends immediately installing the just-issued patch. Then she offers some unusual advice, suggesting people first restart their computers "to verify that your machine is bootable." Can't hurt. Then she says to install the patch and reboot again. Her article also includes direct links to the patch for each version of Windows. If, for some reason, you can't run Windows/Microsoft Update you can manually download the patch and install it.

A standard of Defensive Computing is that the less software installed and running the better. This particular bug is with a part of Windows known as the Server service. If you are not sharing files and/or printers on a local area network, then you don't need to have the server service running, bug or no bug.

Making a Windows service not run all the time is called disabling and/or stopping. Stopping refers to the instance of the service currently running. Disabling means preventing it from ever starting again. Microsoft describes how to both stop and disable the Server service in Security Bulletin MS08-067. They also suggest doing the same to the Computer Browser service.

Anyone not sharing files and/or printers on a network should also turn off File and Printer Sharing for Microsoft Networks (the Windows XP name) on all network definitions. For example, on a laptop with both wired Ethernet networking and wireless Wi-Fi networking, File and Printer Sharing should be turned off in both network definitions.

If the Server and Computer Browser services are disabled, then some people might consider the last point (and the next) overkill. I think they are a good idea because it means two mistakes would have to be made to enable file and printer sharing as opposed to only one mistake.

Build a better fence around your Windows computer.

For still more safety, look into how your firewall is configured to ensure that it does not allow incoming traffic on TCP port 139 or 445. Again, this is for someone not sharing files and printers. Firewall configuration varies widely, but if you are using the Windows firewall in XP, the exception for this is called "File and Printer sharing."

Firewalls are the first line of defense against this type of problem. With that in mind, you may want to review the series of postings I did recently on adding a second router to a LAN to provide additional firewall protection to your most important computers. See A second router protects adults from kids.

See a summary of all my Defensive Computing postings.

The New York Times published an article today about making off-site (a.k.a online) backups that contained some debatable advice.

The point I most disagree with is this: "As long as your credit card keeps working, there's no need to think about the backups unless disaster strikes." The problem with this advice is that if something is automated too much, it can break without your knowing it.

The classic example of this was the magazine Business 2.0 (which has since ceased publication). After they deployed an automated backup system, they ignored it. At some point the backup system broke, but no one noticed. Only when their main computer system failed and they needed the backups did they learn that the backup system had stopped working long before.

Do you leave your house and simply close the door, confident that it locks behind you? What if something jams the latch? What if that button that prevents the lock from engaging was pushed in? Isn't it worth taking the extra few seconds to try to open the door after closing it just to ensure that it's really locked?

It's the same with automated backups. If your files are important, it's worth a little time to ensure that the backups are actually being made. Then too, you should test recovering a file or two, just to be sure that you still can. It's the computer equivalent of a fire drill.

Need Software?

The article also said, "The idea is simple. The user installs some software..." Installing software is not necessary for making off-site backups. It may not even be a good approach.

For one thing, installing any software is risky. Backup software that needs to know every time a file is modified has to both run all the time and be intimately wedded to the operating system. Both raise the level of risk.

The requirement to use software from the backup storage company may also limit the computers from which you can make backups or perform restores. Some backup companies charge by the number of computers being backed up, and they use their software to enforce this. Even if you choose a company that charges solely by the gigabyte, if they offer Windows software and you later buy a Mac or a Linux-based Netbook, you may not be able to back up files from your new computer.

Some backup services offer a Web page front end. If you know your user ID and password you can walk up to any Internet-connected computer in the world and either upload or download files from the backup service. There's a lot to be said for that. I just purchased a Netbook computer and used such a service for making my initial backups. No software needed.

Then too, some backup services can be used with portable software. In the Windows world, the term "portable" refers to software than can be run without being installed. Typically, portable software is thought of in terms of running the software from a USB flash drive, but the software can also run from the C disk. I personally use the free, portable WinSCP program offered at PortableApps.com with a paid backup service.

WebDAV is yet another option for accessing off-site backups without installing software. WebDAV is a protocol that, in Windows, lets you view remote files much like Windows Explorer lets you view local files. WebDAV support is available in all current operating systems.

In Windows XP, WebDAV is a "Network place." The procedure to add a remote network place is simple, all you need to know is the name of the remote computer, and a user ID/password. An existing network place can be made into a desktop icon, providing simple, easy access to remote files.

Where Are Your Off-site Files Stored?

Anyone serious about off-site backups needs to consider where, physically, their remote files reside.

The article touched on this and reported that Intronis stores files in Toronto and New Jersey, iBackup stores customer files at two of the company's four centers in California, and iDrive uses only one data center.

Off-site backups are best stored as far away from you as possible. Another time zone is a good rule of thumb.

If your off-site backups are your only backups (not advisable but better than nothing), then you should only consider a company that keeps redundant copies of your files in multiple locations. Here too, the farther apart the better.

Amazon's S3 service stores files in multiple data centers in the U.S. For an extra fee, you can also have your files stored in Europe. When you sign up with rsync.net, you get to choose whether you want your files stored in San Diego, Denver, or Zurich, Switzerland. Here too, for an extra fee they will store your files in two locations.

Mozy

I can't discuss off-site backups without mentioning Mozy. Last summer I wrote two postings (here and here) about Mozy that anyone considering the service should read.

In brief, you need to be aware that if you accidentally delete a file from your computer, Mozy will delete their backup of that file. Such is the nature of a service that offers unlimited storage space for a fixed price. Any such provider is motivated to minimize the amount of data they store.

Another optimization they use is to copy only the portions of your files that have changed, rather than the entire file. This is complicated, and I think simple is best, especially when it comes to backups.

See a summary of all my Defensive Computing postings.

Frank Hayes, writing in Computerworld, does a great job recounting how an Excel to PDF conversion resulted in Barclays Capital making a multi-million dollar mistake in their offering to buy part of Lehman Brothers. In and of itself, it's an interesting story, but Hayes concludes with this advice for using technology:

Keep it simple.
Don't make assumptions.
And never, ever trust tech more than you really have to.

Agreed.

See a summary of all my Defensive Computing postings.

My What is a Netbook posting briefly mentioned some low end models both because those are the ones that interest me and because that's where I think the future of Netbooks lie. While many Netbooks sell for over $500, it's debatable whether any laptop computer priced over $500 can be considered a Netbook.

Brad Linder at Liliputing just compiled a list of low end Netbooks called 13 netbooks for $399 or less.

One thing missing from his brief descriptions is whether the screens have a matt or glossy finish. To me this is a big deal, I much prefer matt.

One minor nit to pick. The cheapest Acer Aspire One with Windows XP is $350 at Newegg. Brad links to it at Amazon which charges $379.

Anyone buying a Netbook has a big initial decision, Linux or Windows XP? My thoughts on that soon.

See a summary of all my Defensive Computing postings.

I just got a Lenovo S10 Netbook computer and couldn't have been more enthusiastic about kicking the tires. As I've written before, I think Netbooks will be very big, and this was to be my first.

So this posting should have been a first look. I should be offering my opinion on whether the keyboard is too small, what it's like to use Windows XP on such a small screen, and how hot the thing gets. But I didn't get that far.

After a delay in getting the machine the box arrived all beat up. Not unusual, of course, but computers are normally so well packaged that it doesn't matter. Not this time.

My first impression was that the box had been opened in transit; two sides weren't sealed at all. As you can see below, a golf ball easily fit in the open sides of the box.

The golf ball points up three problems:

• Something could have fallen out or been purposely removed during shipping.
• The cardboard was thin, closer to a manila envelope than something protective.
• It didn't appear that the box had been vandalized, rather two sides were never sealed in the first place.

In a nutshell, the contents were not well protected in transit.

As I examined the box and turned it over, stuff was rattling inside. I've had more than my fair share of computers mailed to me, and never before did a box arrive with stuff rattling around inside.

I removed the 4-inch strip of tape that held the outside box closed and found the computer and a white box inside as shown below.

The white interior box was the source of the rattling. As you can see in the picture below, the battery and the AC adapter are together in the box and neither was covered. There was a plastic bag in the box, but it wasn't wrapped around anything.

That Lenovo would ship a battery in a plastic bag without cushioning is, to me, poor judgment--a corner that should not have been cut. That Lenovo would ship the battery without the plastic bag actually covering the thing is poor quality control.

Am I overreacting? After all, it's a $400 laptop. Perhaps, but lithium-ion batteries are a well-known fire hazard. In normal use I'm sure they are safe, but one mistake that you can make with a lithium-ion battery is banging it. According to PC Pitstop:

There are numerous conditions where these fires can occur in real life. Faulty battery packs (driving the recalls), faulty protection circuits inside the PC, exposure to excessive heat, and blunt force are some of the major ways that this could happen to you.

Shipping an unprotected, unwrapped battery right next to a hard object is risking "blunt force."

The Department of Transportation no longer allows lithium-ion batteries in checked baggage when flying. As for carry-on bags they say that "you may still carry any number of some types of lithium batteries, such as the ones used in cell phones and most laptop computers, provided you take measures to protect terminals." Why the different policies for checked vs. carry-on bags? "In the passenger compartment, flight crews can better monitor safety conditions to prevent an incident, and can access fire extinguishers, if an incident does happen."

To further illustrate the danger, the Department of Transportation offers these suggestions for flying with a loose lithium-ion battery:

• Place tape across the battery's contacts to isolate terminals. Isolating terminals prevents short-circuiting.
• If original packaging is not available, effectively insulate battery terminals by isolating spare batteries from contact with other batteries and metal. Place each battery in its own protective case, plastic bag, or package. Do not permit a loose battery to come in contact with metal objects, such as coins, keys, or jewelry.
• Take steps to prevent crushing, puncturing, or putting a high degree of pressure on the battery, as this can cause an internal short-circuit, resulting in overheating.

As for the S10 itself, I never removed the plastic covering the computer. It's going back.

As I was deciding whether to keep the computer or not, Lenovo e-mailed a receipt for the purchase. The receipt arrived a couple days after the computer arrived, and eight days after the initial order. There was a link in the e-mail message (www.lenovo.com/products/us/returns) for how to return a purchase, but it's broken. Instead of the return policy, the link results in "There were no items matching your search." This is on top of the shipping delay because UPS said there was no label on the box.

Lenovo ThinkPads have an excellent reputation, but an IdeaPad is not a ThinkPad. The S10, in particular, is a whole new product category, one for which there is no pre-existing reputation. So things boil down to confidence and Lenovo did not inspire confidence.

My next hassle is trying to convince Lenovo not to charge me the $60 restocking fee. If you're thinking of buying a Lenovo computer, be aware that machines sold on their Web site are subject to a 15 percent restocking fee. You may be better off at a local retailer with a more liberal return policy.

Update: Unboxing other Netbooks

• The Dell Mini 9 comes wrapped in heavy cardboard and seems to have the battery already inserted.
• The battery for the MSI Wind U90 ships in plastic bubble-wrap. The computer itself comes in box inside another box.
• The Acer Aspire One battery is wrapped in plastic and seems cushioned by cardboard to keep it from moving in transit (2 minutes, 10 seconds into video).
• Laptop magazine got a very early copy of the Lenovo S10 and unboxed it on video. First point they made was that it might not be the final retail boxing. Still, their battery, like mine, shipped naked.
• Brand Linder at Liliputing did an unboxing video of the Asus Eee PC 100H. It shipped as a box within a box and the battery was protected by plastic bubble-wrap.

See a summary of all my Defensive Computing postings.