Previously, I wrote about using a second router to provide additional protection to high-value computers--specifically, to protect computers used by adults from those used by children on a shared Local Area Network (LAN).
That article was mostly conceptual; this one covers the nitty-gritty technical details.
First, the good news. Adding a second router has no effect on the first router and no effect on the untrusted (kids) computers. Each is blissfully ignorant of the following changes.
In describing the steps, the existing/first router will be referred to as the kids router since the untrusted kids computers connect to it. The new, second router will be referred to as the adults router since its job is to protect the computers used by adults.
For the sake of simplicity, I'll start with wired Ethernet connections and assume, as is usually the case, that the kids router is handing out private IP addresses* in the range 192.168.1.x using DHCP. The steps below apply regardless of the operating system employed on any particular computer.
Here's what needs to be done:
- The high-value (adults) computers are unplugged from the kids router and plugged into the LAN ports of the adults router.
- The WAN port of the adults router is plugged into a LAN port on the kids router. WAN stands for Wide Area Network, and refers to the Internet. From the perspective of the adults router, the kids router is the Internet. On some routers, the Ethernet WAN port is a different color from the LAN ports, but not always.
- What the adults router thinks is its public IP address is really a private IP address (192.168.1.x) used by the kids router. This is configured in the adults router using the type of Internet connection option. The easiest thing is to set the adults router to DHCP or dynamic. It can, alternatively, be configured for a static IP address, but this requires a knowledge of the private IP address range used by the kids computers and router. Also, if the configuration of the kids router were ever to change in the future, the static IP address may no longer be valid and thus knock the adults computers offline.
- On the WAN/Internet side, the default gateway and the primary DNS server for the adults router is the kids router (probably 192.168.1.1). If you opted for dynamic in the prior step, this should happen automatically, after rebooting the adults router. If you opted for a static IP address, you'll have to set this manually.
- On the LAN side, the adults router can use DHCP to hand out IP addresses in any private address range other than that used by the kids router. For example, it could use 192.168.2.x or 192.168.8.x. To make things as obvious as possible, however, I suggest configuring the adults router to issue IP addresses in the 10.x.x.x range with the default subnet mask of 255.0.0.0. Along with this, set the LAN side IP address of the adults router to 10.0.0.1.
- Each adults computer needs to use an IP address in the 10.x.x.x range. Most likely the computer(s) will already be configured to get an IP address using DHCP, in which case nothing needs to be changed. If, however, one was using a static IP address, a new one probably needs to be assigned, one that is outside the DHCP range handed out by the adults router.
Once this is done, an adults computer, which used to have a TCP/IP default gateway of 192.168.1.1, will now have a default gateway of 10.0.0.1. Likewise, the DNS server and DHCP server for an adults computer will now also be 10.0.0.1.
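The checks an administrator would run on this plan, as an added example that is not part of the original post: it uses Python's standard ipaddress module, takes the network ranges from the steps above, and treats the host addresses and the DHCP pool as constructed placeholders. It also shows why a computer on 192.168.1.x and one on 10.x.x.x do not address each other directly.

```python
# Added example, not from the original post: sanity-check the two-router
# addressing plan with Python's standard ipaddress module. Network values
# follow the post (kids LAN 192.168.1.0/24, adults LAN 10.0.0.0/8); the
# host addresses and the DHCP pool are constructed placeholders.
import ipaddress

KIDS_LAN = ipaddress.ip_network("192.168.1.0/24")
KIDS_ROUTER = ipaddress.ip_address("192.168.1.1")      # gateway + DNS for the adults router
ADULTS_LAN = ipaddress.ip_network("10.0.0.0/8")        # netmask 255.0.0.0 as in the post
ADULTS_ROUTER_LAN = ipaddress.ip_address("10.0.0.1")   # gateway + DNS for the adults computers
# Range the adults router hands out by DHCP (constructed; read it from your own router).
ADULTS_DHCP_POOL = (ipaddress.ip_address("10.0.0.100"), ipaddress.ip_address("10.0.0.199"))


def check_plan(adults_wan_ip, adults_hosts, static_hosts=()):
    """Return a list of problems; an empty list means the plan is consistent.

    adults_wan_ip: address the adults router holds on its WAN port (from the
                   kids router's DHCP, or set by hand).
    adults_hosts:  addresses of the adults computers on the adults LAN.
    static_hosts:  the subset of adults_hosts that were assigned by hand.
    """
    problems = []
    wan = ipaddress.ip_address(adults_wan_ip)
    static = {ipaddress.ip_address(s) for s in static_hosts}

    # The adults router's "public" side must sit on the kids LAN, next to its gateway.
    if wan not in KIDS_LAN:
        problems.append(f"WAN address {wan} is not on the kids LAN {KIDS_LAN}")
    elif wan == KIDS_ROUTER:
        problems.append(f"WAN address {wan} collides with the kids router")

    # The two LANs must not overlap, otherwise the adults router cannot tell
    # "local" traffic from traffic that should go out through the kids router.
    if KIDS_LAN.overlaps(ADULTS_LAN):
        problems.append("kids and adults LANs overlap")

    for h in adults_hosts:
        host = ipaddress.ip_address(h)
        if host not in ADULTS_LAN:
            problems.append(f"{host} is off the adults LAN, so gateway {ADULTS_ROUTER_LAN} is unreachable")
            continue
        if host == ADULTS_ROUTER_LAN:
            problems.append(f"{host} collides with the adults router")
        # A hand-assigned address inside the DHCP pool invites a duplicate-address clash.
        if host in static and ADULTS_DHCP_POOL[0] <= host <= ADULTS_DHCP_POOL[1]:
            problems.append(f"static address {host} lies inside the DHCP pool")
    return problems


def same_subnet(a, b, netmask="255.255.255.0"):
    """True when host a would address host b directly under the given netmask.

    Hosts in different subnets can only reach each other through a router,
    which is why a 192.168.1.x kids machine and a 10.x.x.x adults machine
    do not see each other as neighbours.
    """
    network_of_a = ipaddress.ip_network(f"{a}/{netmask}", strict=False)
    return ipaddress.ip_address(b) in network_of_a


if __name__ == "__main__":
    print(check_plan("192.168.1.50", ["10.0.0.100", "10.0.0.5"], static_hosts=["10.0.0.5"]))
    print(same_subnet("192.168.1.2", "192.168.1.77"), same_subnet("192.168.1.2", "10.0.0.100"))
```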
Not to switch subjects, but elsewhere I've written that I'm a big fan of OpenDNS. Any computer can be manually set up for OpenDNS, but another approach is to configure the router to use the OpenDNS servers and the router will then pass along this setting to computers that connect to it with DHCP.
More about living with this setup, and about Wi-Fi, next time.
*For more on public vs. private IP address, see What does your IP address say about you?
See also How to check if a computer is using OpenDNS
See a summary of all my Defensive Computing postings.
All web browsers have bugs, but when simply viewing a web page can infect your computer with malicious software, the speed with which bugs are found and fixed is critical. It may be the most important yardstick by which to measure any web browser.
For Windows users, the choice between Firefox and Internet Explorer isn't a contest at all. Microsoft is slow in fixing IE bugs, being locked into a once a month cycle. Not Firefox.
Mozilla released version 3.02 of Firefox on Tuesday. It had a bug. Happens all the time. What doesn't happen all the time is that the bug was fixed quickly and version 3.03 of Firefox was released on Friday.
Anyone interested in Defensive Computing doesn't want their bug fixes idling at the gate waiting for the one day a month when they are set free.
See a summary of all my Defensive Computing postings.
Everyone knows that Mac is safer than Windows because almost all malicious software targets Windows. But every rule has exceptions, and in this case, the exception has been Java.
Java is unusual in that any company can write a Java runtime environment for any operating system. Microsoft, at one point, provided one for Windows, but those days are long gone. ThinkPad laptops still come with a Java runtime developed by IBM. Netscape used to ship its own Java runtime as part of the Navigator Web browser. Today, most Windows users get their Java runtime from Sun Microsystems, the company that originally developed the language.
For whatever reason, Sun does not provide a Java runtime for Macs; instead, this is left to Apple.* And Apple has a history of being slow to fix bugs in Java, trailing Sun by many months.
All this is background to the fact that this week Apple released a large number of bug fixes for Java on Mac OS X 10.5 (Leopard) and OS X 10.4 (Tiger).
Mac users can go to my Javatester.org Web site to see the version of Java being used by their web browser. Anyone using multiple web browsers needs to check the Java version in each browser separately.
Apple supports three versions/editions/families of Java:
- The oldest family is 1.4.2 and the latest version there is now 1.4.2_18. (The prior buggy version was 1.4.2_16.)
- Next is the 1.5.0 family where the latest go-round is 1.5.0_16. (The prior buggy version was 1.5.0_13.)
- The latest and greatest version of Java for Macs is 1.6.0 and the latest version here is 1.6.0_07. (The prior buggy version was 1.6.0_05.)
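An added example, not from the original post, that parses a version string of the kind Javatester.org reports (such as 1.5.0_13) and compares it against the fixed updates listed above; the family and update numbers come from the post, and the browser names in the usage are placeholders.

```python
# Added example, not from the original post: check whether a Java version
# string of the kind a browser reports (for example "1.5.0_13") is at or above
# the fixed update for its family, using the three families listed above.
import re

# Family -> earliest update that carries the fixes, as given in the post.
FIXED_UPDATE = {"1.4.2": 18, "1.5.0": 16, "1.6.0": 7}

# Accepts "1.6.0_07", "1.6.0_07-b06" or a bare "1.6.0"; any build suffix is ignored.
_VERSION = re.compile(r"^(\d+\.\d+\.\d+)(?:_(\d+))?(?:-[\w.]+)?$")


def parse_version(text):
    """Split '1.6.0_07' into ('1.6.0', 7). A version with no update counts as 0.

    Update numbers compare numerically, so '1.4.2_18' > '1.4.2_9' even though
    the strings would sort the other way.
    """
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    family, update = match.group(1), match.group(2)
    return family, int(update) if update else 0


def status(text):
    """'up to date', 'needs update', or 'unknown family' for one reported version."""
    family, update = parse_version(text)
    if family not in FIXED_UPDATE:
        return "unknown family"
    return "up to date" if update >= FIXED_UPDATE[family] else "needs update"


def browsers_needing_update(reports):
    """reports maps browser name -> the version it uses. Each browser is checked
    separately, since the post notes that browsers on one Mac may use different Javas."""
    return {browser: version for browser, version in reports.items()
            if status(version) == "needs update"}


if __name__ == "__main__":
    # Browser names and versions below are constructed for illustration.
    print(browsers_needing_update({"Safari": "1.6.0_07", "Firefox": "1.5.0_13"}))
```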
*Sun points users to developer.apple.com/java/, a page that hasn't been updated to reflect the latest releases.
See a summary of all my Defensive Computing postings.
If you live in a home where parents/adults have one or more computers, children have their own computer(s), and everyone shares a single Internet connection, then you should consider a second router.
While the main function of a router is to let multiple computers share a single broadband connection to the outside world, it is also invaluable in offering firewall protection. Firewalls that run on your computer have their place, but you are much safer with the additional protection offered by the firewall in a standard, ordinary, consumer-grade router. Previously, I suggested that even someone with only one computer get a router, just for the firewall protection.
Last week, Leo Notenboom, of Ask-Leo.com, wrote about using a second router to protect adults from children sharing the same Local Area Network (LAN) at home (see How do I protect myself from my children?).
Leo targets Windows users, and I take it as a given that no mix of defensive software offers perfect protection on a Windows machine. That said, the networking scheme he discusses is applicable and sensible regardless of the operating system running on any single computer. If you are an adult, sharing a network with children, and the health and well-being of your computer is important to you, then investing in a second router makes sense.
The basic idea that Leo suggests is to put the adult computers in their own LAN, protected by the second router from the LAN segment with the children's computers. Everyone still shares the single Internet connection.
In addition to the firewall, the NAT feature in a router also offers protection. For example, if the kids use private IP addresses* such as 192.168.1.x then the adults can use private IP addresses in the range 192.168.8.x. Assuming everyone uses the default subnet mask of 255.255.255.0 (a topic for another day) then the adult computers and the kids' computers can't directly talk to each other.
This networking scheme does not eliminate the need for firewall software in each individual computer.
This approach may also apply to a small business if certain computers do work that is judged to be much more important than others. Here too, the small expense of a second router offers additional protection to the most important computers. Taking this even further, it is not at all unreasonable for a small business to ban an important computer from ever touching the Internet.
Finally, anyone installing a new router should read my earlier posting Defending your router, and your identity, with a password change.
Update. September 27, 2008. For more on this subject, see my follow-up Using a second router: A techie how-to
*For more on public vs. private IP address, see What does your IP address say about you?
See a summary of all my Defensive Computing postings.
On the Internet, no one knows you're a dog. That, of course, was the caption to the classic cartoon from The New Yorker magazine. This anonymity comes into play even when instant messaging with someone you know. All the responses from your friends' computer may not actually be coming from your friend. Some may be inserted by malicious software running on your friend's computer.
As Randy Abrams, director of technical education for ESET, the company that produces the NOD32 antivirus program, put it last month:
"Instant messaging is a very successful means for the bad guys to get their software onto your computer...If a virus infects your friend's computer's instant messaging program then it can "type" anything into the chat windows and it will look like your friend said it. It can provide a link for you to click that may lead you to malicious software."
Abrams offers two defensive steps.
If you get sent a link to a Web site, verify with your friend that they really sent the link. This isn't a perfect defense, as the malware may respond rather than your friend, but it's better than blindly trusting. For users of Windows Live Messenger, he also suggests a configuration change that will prevent the program from downloading many types of malicious software.
As I noted before, skepticism is your best defense on the Internet.
See a summary of all my Defensive Computing postings.
Previously I suggested not letting children receive email from Gmail because they hide the source IP address making it easier for bad guys to hide. In contrast, the free webmail services from Yahoo and Hotmail do not hide the source IP address.
In response, Google pointed me to an item at the Gmail help center called Harassment from a Gmail user. Below is what Google has to say regarding harassing emails from a Gmail user.
"... if you feel that you are in danger, we suggest contacting your local authorities.
Because message headers and senders can be spoofed using a variety of means, we're unable to take action on any user without further verification. In accordance with state and federal law, it is Google's policy only to provide information about a specific Gmail user pursuant to a valid third party subpoena or other appropriate legal process.
We apologize for any inconvenience, and we're sorry that you're receiving such messages."
Google won't take complaints directly from harassment victims and they omit contact information for law enforcement agencies. Not particularly comforting.
Judge for yourself, but I think this validates my prior suggestion not to let children receive email from Gmail users. The source IP address cannot directly identify someone (for more about this see What does your IP address say about you?), but victims of harassment are far better off with it than without it.
See a summary of all my Defensive Computing postings.
When it comes to the question of whether an IP address is personal or not, Google seems to swing both ways.
In February, Google software engineer Alma Whitten wrote Are IP addresses personal? on the Google Public Policy blog. In the posting she said "... in most cases, an IP address without additional information cannot [identify you]."
But someone commenting on the posting pointed out that Gmail goes out of its way to hide the IP address of the sender of a Gmail-originated message. The item User IP addresses from the Gmail help says:
"Protecting our users' privacy is something we take very seriously. Personal information, including someone's exact location, can be gathered from someone's IP address, so Gmail doesn't reveal this information in outgoing mail headers. This prevents recipients from being able to track our users, or uncover what may be potentially sensitive personal information."
I verified this by examining the headers of a Gmail-originated message. The source IP address was 74.125.46.31 which, according to ip-adress.com is Google in Mountain View, California. In other places the email header identified the source computer as yw-out-2324.google.com. Nothing pointed to the actual IP address of the sender.
As someone pointed out, this anonymity makes Gmail a haven for bad guys. Anyone interested in sending threatening email messages or perhaps inappropriate messages to children, can hide behind Gmail.
If I was the parent of a small child, I wouldn't want them to receive any email from Gmail. Period.
Earthlink, my ISP, does let their customers define spam filters that can reject all messages from a domain such as gmail.com or google.com.
Yahoo Mail does not hide the originating IP address.
Someone I know in New York City recently said they were going on a trip to Switzerland. After a few days, they sent a Yahoo email message claiming to be from Switzerland. I had no reason to doubt them, but just for fun, I looked into the email header, got the source IP address and ran it through the services I wrote about last time. Sure enough, the message came from Switzerland.
I didn't test if Hotmail hides the true source IP address. If and when I do, I'll update this posting.
Update. September 16, 2008: According to Leo Notenboom, Hotmail is inconsistent when it comes to including the source IP address; sometimes it does, sometimes it doesn't. He was nice enough to test it again today (thanks Leo) and reported that the true source IP address did appear in the email header of a message that originated from Hotmail.
Update. September 16, 2008: For more on this topic, see Harassment from a Gmail user.
See a summary of all my Defensive Computing postings.
Last week Google announced that they were protecting user privacy (their words not mine) by modifying IP addresses in their activity logs after 9 months. Fellow CNET blogger Chris Soghoian felt this was a sham because it ignored cookies, but it brings up an interesting point, just what does your IP address say about you? Or, in other words, does your IP address point to you?
In some ways, an IP address does identify you or else there would be no need for Google to "anonymize IP addresses" in order to "address regulatory concerns" (again, their words not mine).
What's an IP address?
Every computer on a network has a unique number. On networks such as the Internet that use the TCP/IP protocol stack (which is most networks nowadays), the unique number is called an IP address. When computers on a TCP/IP network talk to each other, they address themselves by IP address.
To techies, IP addresses are 32-bit binary numbers, but to normal people they consist of four decimal numbers, each between zero and 255, separated by periods. As I write this, the IP address for the cnet.com website is 216.239.122.102. For more on IP addresses see my posting OpenDNS provides added safety for free from December of last year.
In the old days, individual computers on the Internet were directly addressable by their IP address, but now it is much more common for a router to have an IP address and for the router to act as the front man for a bunch of computers on a Local Area Network.
In this scenario, the only thing that directly connects to the outside world is the router; each individual computer on the LAN goes through the router to get to the Internet. Thus, a single IP address, assigned to the router, is shared by many computers. And that means there is no way for the outside world to identify one computer on the LAN from another. The outside world only communicates with the router.
Some people gladly share their wireless network with their neighbors. If a bad guy gets on to your wireless network and does something illegal, law enforcement may knock on your door. To the outside world, the bad guy seems to be you. All the computers on the LAN have the same public IP address, that of the router.
This brings up two points:
- Yes, law enforcement officials can trace your IP address back to your exact physical address
- What IP addresses are being used on the LAN?
To answer the second question, there are three groups of IP addresses that have been reserved for internal use only. That is, the TCP/IP rules state that these IP addresses will never be used on the public Internet. They are referred to as private IP addresses.
The most common private IP group starts with 192.168.x.x. So, for example, there can be millions of computers accessing the Internet, each using an IP address of 192.168.1.2. But, because each resides on a different Local Area Network there are no conflicts. Another group of private IP addresses starts with 10.x.x.x and the third starts with 172.x.x.x.
Your operating system deals with private IP addresses as does your router. When data moves between a Local Area Network and the Internet, the router serves as a translator between the IP addressing scheme on the inside (LAN) and the outside (Internet).* On a Windows computer, the command "ipconfig" will display the private IP address.
View From The Outside
Since all communication on the Internet (or any TCP/IP based network) is from an IP address to an IP address, every website that you visit knows the public IP address of your router. None of them know the private IP address of your computer.
Many websites will display your public IP address. My favorite is www.ipchicken.com (see above) because it also displays the name of your computer (purposely omitted from the screen shot). I find the computer name very handy for identifying the Internet Service Provider (ISP) connecting the computer to the Internet. Some sample computer names are shown below; the numbers in the name are typically the public IP address:
- adsl-99-99-99-99.sip.asm.bellsouth.net
- c-99-99-99-99.hsd1.nj.comcast.net
- ppp-99-99-99-99.dsl.hstntx.swbell.net
- user-99xxxxx.cable.mindspring.com
- 99-99-99-99.static.reno.nv.charter.com
- static-99-99-99-99-primus-india.net
- adsl-99-99-99-99.dsl.sfldmi.sbcglobal.net
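An added example, not from the original post, that tells the private blocks from public addresses and pulls out the dotted quad an ISP embeds in names like those above; the 99-99-99-99 names are the post's own placeholders, and 216.239.122.102 is the cnet.com address quoted earlier.

```python
# Added example, not from the original post: classify an address as private or
# public using the three reserved blocks the post describes, and extract the
# dotted quad that ISPs commonly embed in reverse-DNS names like the samples
# above. The sample names reuse the post's 99-99-99-99 placeholders.
import ipaddress
import re

# RFC 1918 private blocks. The post writes the third as 172.x.x.x; strictly it
# runs from 172.16.0.0 to 172.31.255.255, which is what the /12 encodes.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify(addr):
    """'private (<block>)' for an RFC 1918 address, otherwise 'public'."""
    ip = ipaddress.ip_address(addr)
    for block in PRIVATE_BLOCKS:
        if ip in block:
            return f"private ({block})"
    return "public"


# A dotted quad hidden in a hostname, written either 99-99-99-99 or 99.99.99.99.
_EMBEDDED = re.compile(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")


def embedded_ip(hostname):
    """Return the IP address spelled out in a reverse-DNS name, or None."""
    for match in _EMBEDDED.finditer(hostname):
        candidate = ".".join(match.groups())
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # a run of digits over 255 that only looked like an address
    return None


def isp_domain(hostname):
    """Last two labels of the name, which usually identify the ISP (comcast.net, bellsouth.net)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def name_matches_ip(hostname, public_ip):
    """True when the address embedded in the name is the address a site reported."""
    return embedded_ip(hostname) == str(ipaddress.ip_address(public_ip))


if __name__ == "__main__":
    for name in ("adsl-99-99-99-99.sip.asm.bellsouth.net", "user-99xxxxx.cable.mindspring.com"):
        print(name, "->", embedded_ip(name), isp_domain(name))
    print(classify("192.168.1.2"), classify("216.239.122.102"))
```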
Where Is An IP Address
Just as websites know your public IP address, so too, you know theirs.
Previously, I wrote about Flagfox, a Firefox extension that takes the public IP address of the website you are visiting, looks it up in a table to learn the country it is in and displays the flag for the country. This can be useful in ensuring you are actually at the website you think you are.
There are a number of websites that, given an IP address, will tell you not only the country, but also the city where that IP address resides. I have found them to be hit or miss when it comes to pinpointing the city, but they always seem to be accurate in identifying the country and the ISP.
- Geotool is the service used by Flagfox.
- The good stuff at ip-adress.com requires your clicking on the small text at the bottom of the page.
- The other sites auto-detect your current IP address, but at IP2Location you have to provide the IP address.
- Geobytes seems to be least accurate, but in fairness, I haven't done detailed testing.
Currently I am in New York City. Geobytes says I am in Newburgh, New York and IP2Location says I am in Atlanta, Georgia. Geotool and ip-adress.com got it right.
This may be the best that normal people can do in terms of tracking an IP address to a physical location, but your ISP certainly knows where you are. Your public IP address is one that is assigned, technically, to your ISP rather than to you. Only your ISP knows which of their assigned IP addresses they assigned to you and when you were using it. Businesses often have a permanent IP address while consumers can get a different IP address every day.
The good news is that ISPs keep this information to themselves, normally. In some circumstances, however, they will tell law enforcement agencies the exact physical location associated with an IP address.
This cuts both ways. If, for example, a fellow customer of your ISP did something horribly bad and illegal last week while using IP address 1.2.3.4 (for example) then when law enforcement officials see that you have that address today, they won't think you're the bad guy. Your ISP would know that IP address 1.2.3.4 was given out to someone else last week.
Note again that nothing points to an individual computer on the LAN. Even your ISP is only aware of your router. And speaking of your router, be sure to change the default password.
For more about tracing an IP address see The Myth and the Truth of the IP Address Tracing by Leo Notenboom.
Update: September 16, 2008. For more on the issue of whether IP addresses are personal or not, see my next posting Don't let children receive email messages from Gmail.
*If you have a single computer directly connected to the Internet without a router, then the IP address the operating system knows about is the public IP address.
See a summary of all my Defensive Computing postings.
The September 11th edition of the Windows Secrets newsletter included a couple of stories about Windows XP SP3, trying to answer the questions of when and whether to install it. Back in April, when Service Pack 3 was released, I advised against rushing into it. But it's been almost five months; is it safe to go into the SP3 water?
According to Scott Dunn, who wrote the lead article, you don't need to install Service Pack 3 for another year and a half. He says "... overall support for SP2 expires in early 2010, [so] you'll need to have SP3 installed by that date if you want general support for XP."
I view the SP3 issue as a risk vs. reward decision and the reward still seems small compared to the risk. But there can be a Defensive Computing advantage to not installing SP3 that has nothing to do with avoiding potential problems.
The risk of SP3 causing a problem, while persistent, decreases daily as more software, people and hardware get acquainted with it. You can get a sense of the risk involved by reviewing the Microsoft Knowledge Base article Steps to take before you install Windows XP Service Pack 3. As for reward, in one of the articles Scott Dunn tries to make a case for the upside of SP3. I wasn't impressed.
A New Reason To Wait
But this assumes you're dealing with a normally functioning copy of Windows XP. Installing SP3 can be a great ace in the hole to have when dealing with a problematic or infected copy of Windows XP. I learned this the hard way working on a couple of computers for clients. In each case the near-total refresh of Windows that SP3 provides proved invaluable.
One computer had been sent to the hardware manufacturer for repair and when it was returned, it was forgotten about, since it was old and just serving as a backup. But, when it became important again, it needed 99 bug fixes. Downloading the patches went fine, but only seconds after the installation process started, it ended with a useless error message and no error code.
Suspecting that the install logic for 99 concurrent patches might not have been well-tested, I tried installing just one patch and it worked fine. Then I removed a few that I suspected might be problematic but the remaining 90 failed to install. A random clump of 5 patches installed cleanly, but I wasn't going to sit around installing a couple patches at a time.
Service Pack 3 to the rescue. It downloaded and installed just fine.
Another computer was blue-screening at startup, just after the Windows desktop was displayed. By the time I got it, things had improved: only a background process was crashing, and Windows itself remained up. But as soon as I clicked OK to the warning about a serious failure, it failed again. The Microsoft online crash debugger reported that the offending driver was for the WiFi network adapter. But updating the driver didn't fix the problem. In fact, the new driver had a new name but the crashes kept occurring in the old driver according to Microsoft.
There were dozens of available Minidumps, but I didn't feel like tracking down and installing the software to read and format the dumps. Much of the information in the dump is over my head anyway.
Here again, Service Pack 3 came to my rescue. Since it was installed, no more crashes.
SP3 is like doing a repair install of Windows, only better. It's a nice fallback option to have when things go wrong.
What To Do?
There is no one right answer for when to install Service Pack 3. Me, I'm hanging back for now. But one thing every techie can agree on is the need for a disk image backup before installing any service pack.
If you haven't installed SP3 yet, then be aware that Microsoft offers free technical support for installing it until April 14, 2009. Depending on where you live, you may be able to speak to someone from Microsoft on the phone, use an online chat or communicate with them by email.
And take a look at the Windows Secrets newsletter. I find it worthwhile.
Updated September 12, 2008: Re-wrote introductory paragraphs to make things clearer.
See a summary of all my Defensive Computing postings.
On the Internet people lie to you all the time. Back in April, I wrote that the most important aspect of Defensive Computing may very well be skepticism.
For the second time in the last few days, I received a phony e-mail message purporting to be from the package delivery company UPS. A skeptical person would have deleted the message, and good thing too, because odds are that anti-malware software on a Windows* computer would not have protected the trusting or inexperienced user that believed the scam.
The first thing to be skeptical of is the From address. Never trust the From address in an e-mail message; it is easily forged. Digging into the e-mail headers showed that the message, shown below, actually came from a computer at IP address 121.139.93.144.
Civilians (meaning someone not involved in law enforcement) cannot reliably trace an IP address to a city, let alone an exact address. However, tracing it to a country is, I believe, reliable: the message came from Korea.**
Subject: Problems with delivery
Unfortunately we were not able to deliver postal package you sent on September the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office
Thank you for your attention!
Your United Postal Service
http://www.ups.com
The attached file, ups_invoice.zip contained a single file, ups_invoice.exe.
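An added example, not from this post or the earlier Gmail post, that does the header digging both postings describe in Python: it walks the Received: lines from newest to oldest and reports the oldest hop that recorded a public address. Both header sets are constructed; the Gmail relay values (74.125.46.31, yw-out-2324.google.com) and the 121.139.93.144 address are the ones quoted on the page, while example.net, the servage.net relay name, the 192.0.2.10 address and the timestamps are placeholders.

```python
# Added example, not from the original posts: walk the Received: headers of a
# message and report the oldest hop that recorded a public address, which is
# the "source IP" both posts dig out by hand. Header sets below are
# constructed; only the Gmail relay values and 121.139.93.144 come from the page.
import ipaddress
import re

# Gmail's own first hop ("Received: by ...") records no sender address, so the
# oldest address-bearing hop is Google's relay, exactly as the post observed.
GMAIL_HEADERS = """\
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.31])
    by mail.example.net (Postfix) with ESMTP id PLACEHOLDER
    for <you@example.net>; Tue, 9 Sep 2008 10:00:00 -0400
Received: by yw-out-2324.google.com with SMTP id PLACEHOLDER
    for <you@example.net>; Tue, 9 Sep 2008 07:00:00 -0700 (PDT)
From: a friend <someone@gmail.com>
Subject: hello from my trip
"""

# The phony UPS message: the post names only the domain servage.net, so the
# relay hostname is a placeholder and 192.0.2.10 is a documentation-range address.
UPS_HEADERS = """\
Received: from mail.example.net ([127.0.0.1])
    by localhost with LMTP id PLACEHOLDER; Thu, 11 Sep 2008 09:00:00 -0400
Received: from smtp-placeholder.servage.net (smtp-placeholder.servage.net [192.0.2.10])
    by mail.example.net with ESMTP id PLACEHOLDER; Thu, 11 Sep 2008 08:59:00 -0400
Received: from unknown (HELO ups.com) ([121.139.93.144])
    by smtp-placeholder.servage.net with SMTP; Thu, 11 Sep 2008 08:58:00 -0400
From: "United Postal Service" <placeholder@ups.com>
Subject: Problems with delivery
"""

_FROM = re.compile(r"^received:\s+from\s+(\S+)", re.IGNORECASE)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Hops on these ranges are the receiving side's own LAN or loopback, not a sender.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def unfold(raw):
    """Join continuation lines (those starting with whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """(claimed name, recorded ip) for each Received: header, newest first.
    Either field is None when the relay did not record it."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        name = _FROM.match(line)
        ip = _IP.search(line)
        hops.append((name.group(1) if name else None, ip.group(1) if ip else None))
    return hops


def apparent_source(raw):
    """IP of the oldest hop that recorded a non-internal address, or None.
    The From: line and HELO names are ignored; they are the sender's claims."""
    for _name, ip in reversed(received_hops(raw)):
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in _INTERNAL):
            continue
        return ip
    return None


if __name__ == "__main__":
    print("Gmail message appears to come from", apparent_source(GMAIL_HEADERS))
    print("UPS message appears to come from", apparent_source(UPS_HEADERS))
```

The address this returns is where the message entered the public mail system, which for Gmail is Google's relay rather than the sender's own connection.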
The interesting thing here is the constant struggle of anti-malware companies to keep up with the latest malicious software.
I sent the EXE file to VirusTotal and they had already seen it. Of the 36 anti-malware products they scanned it with, only 14 (39 percent) correctly flagged ups_invoice.exe as something to avoid. Among the free anti-malware programs, Avira's AntiVir correctly flagged it as bad, but Avast and AVG did not. McAfee missed it, as did NOD32, Panda, PC Tools, Sunbelt and Trend Micro.
Yes, this message was amateurish and a number of things give it away as phony. However, the next one may not be so obvious and anti-malware software will always be imperfect. Thus, skepticism may be your best defense.
Update September 12, 2008: Two more of these came today. Neither even bothered hiding the EXE file inside a zip file. I sent one of them to VirusTotal and, again, they had seen it before, this time about 20 hours prior to my uploading it. Initially, 17 out of 37 anti-malware products (46%) detected it as suspicious. When I requested VirusTotal to scan it again, 17 out of 36 products (47%) detected it as malicious. Beats me what happened to that missing anti-malware product.
*As is the norm, Mac and Linux users would have been protected as the malicious software was Windows based.
**The message initially passed through an e-mail server run by servage.net, which was probably innocent in all this.
See a summary of all my Defensive Computing postings.
