ISSUE 16.7.0 • 2019-02-25

Help: customersupport@askwoody.com

In this issue

TOP STORY

By Woody Leonhard

Finding unbiased help for tech topics is difficult; finding worthwhile free help is even harder.

As an AskWoody Plus member — which, because you received this newsletter, you are — you can benefit from some of the best tech help in the business. But to access it, you must first sign up.

Every week, following the publication of an AskWoody Plus newsletter or an online post, I’m inundated with tech questions: How do I fix this? Why doesn’t that work? Where do I get something-or-another? Is my system really borked? They’re all great questions — and they deserve great answers.

I could spend about 30 hours a day, every day of the week, answering these important questions. But that isn’t the best solution for you — or for me. Moreover, answering tech questions scales: if you have a question, there’s at least a 100.1 percent chance that somebody else has the same question. There’s also a 90+ percent chance that there’s a good answer.

So, where do you get great help? The answer, of course, is the AskWoody Lounge — the forum companion to the AskWoody Plus newsletter.

My acquisition of Windows Secrets revealed many surprises. For example, I was astounded that, as of late last year, only a tiny fraction of Windows Secrets Newsletter subscribers participated in the Windows Secrets Lounge. Fewer than five percent had signed in to the forum and asked (or answered!) questions. That’s a pity, because the Windows Secrets Lounge had hundreds of experts who gladly — and freely — gave out great one-on-one advice to people with problems. People like you. People like me.

As an AskWoody Plus subscriber, you probably know we’re in the process of moving the Windows Secrets Lounge — with more than a million posts — over to AskWoody.com. I want to preserve that wealth of knowledge and make it easily accessible to even more folks seeking answers to their computing problems.

Yes, you can use the AskWoody Lounge without signing in or even being registered. And yes, we welcome anonymous posts, and we allow anybody to scan the available information, any time. But you’ll get a lot more out of the Lounge if you have a proper AskWoody account.

If you’re reading this newsletter, you should already be registered on AskWoody.com. But unless you’ve gone through some easy steps, you’re likely stuck with a username that’s also your email address. And that’s a problem: it means, among other things, less privacy. Any spider that crawls the Web will be able to scarf up your email address and associate it with your posts — or anything else on the page, for that matter.

All of us at AskWoody take your privacy very seriously. So, stop watching YouTube cat videos and sign up for a proper AskWoody account — again, it’s quick and easy.

Here’s how to confirm your AskWoody.com account:

• Step 1: Go to AskWoody.com.
• Step 2a: In the upper-right corner, enter your username and password. (If you’ve used your email address for the username, jump to step 4.)
• Step 2b: If you know your username, and if it isn’t an email address, but you’ve forgotten your password, click the Lost Password link and follow the WordPress password-reset routine. (We’ll be improving the default system shortly, but for now that’s what we’ve got.)
• Step 3: If you’re signed in, great! Skip the rest of the steps. On the other hand, if you received a WordPress sign-in error message, try the WordPress password-reset routine.

  If you don’t get a response (its get password routine is notorious for not giving any feedback — just dumping you back at the sign-in screen), shoot me an email at customersupport@askwoody.com. I’ll manually reset everything so you can set up a new account. And yes, your current AskWoody Plus subscription will carry forward.

• Step 4: Don’t know your username? Have a username that’s an email address? Can’t get the %$#@! thing to work? You didn’t do anything wrong — trust me! We’re battling dueling databases, and they’re not completely in sync. Send me and email at customersupport@askwoody.com, and I’ll get you straightened out.

The Lounge moderators and I are working hard to find people who sign in with an email address and manage to post on the Lounge. If you’ve done that, my hat’s off to you: it’s not easy, but it can be done.

In the short term, using an email address as a username might work well enough, but you’ll still have to accept the privacy problems. In the long term, though, you’re going to want a “proper” AskWoody account. It’ll give you access to all Plus Membership benefits. A “proper” AskWoody account will make it easier to renew and to post on the AskWoody Lounge. And it’s absolutely free.

Don’t be bashful! Sign in and sound off.

We have 40 MVPs who are waiting to help. They’re all volunteers, all highly experienced, and all dedicated to getting you the right answers — right away. We have hundreds of additional contributors who are focused on getting out useful tech information.

No, they don’t always agree. That’s good! You’ll see different approaches to solving the problems that dog us all. (They’re an independent group and not afraid to speak out.)

You don’t have to subscribe to the paid AskWoody Plus Newsletter in order to use the Lounge. You can register, post, interact with the rest of the 15,000+ members without spending a sou. The tab is picked up by donors with gold ribbons next to their pictures.

What’s the hitch? There isn’t any. I set AskWoody up as a way to say thanks to the people who helped me get started — and to connect to the folks who buy my books. AskWoody is something of a throwback to a kinder, gentler age of computing. And we’ll stay that way.

One request: Please be patient. AskWoody.com and the newsletter are a work in progress, and for now, I’m handling all customer support personally. At times it’s overwhelming. That said, don’t hesitate to contact me at cutomersupport@askwoody.com for subscription help — and swing over to the Lounge for your tech-help needs.

Eponymous factotum Woody Leonhard writes lots of books about Windows and Office, creates the Woody on Windows columns for Computerworld, and raises copious red flags in sporadic AskWoody Plus Alerts.

On Security

By Susan Bradley

Microsoft keeps pushing out updated Spectre and Meltdown patches.

But do we need them? You might improve your PC’s speed by turning off the protections for these hardware-based vulnerabilities.

Just when I thought I’d identified all updates for my Win10 1803 system — and proved that I really can control Win10 patching — out comes another update I didn’t know would be automatically installed on my machine. To all you Win7 folks: Feel free to say, “I told you so!”

As regular Patch Watch readers know, I keep a Win10 test-bed system that’s set to Semi-Annual (Targeted) — which means I let Windows Update install patches when it likes, and not on my schedule. (You might also recall that the system is still running Version 1803 because I have Apple iCloud installed, blocking the upgrade to Version 1809 until mid-month.)

Recently, I noticed that Windows Update had installed KB 4100347, an Intel Microcode update designed to help protect against attacks targeting the Spectre and Meltdown vulnerabilities found in modern chip sets. This threat impacts nearly every modern computer, many smartphones, and some tablets. But I’m not convinced we’ll see this form of attack on standalone computers.

I’ll say more about this later; but first, here’s a bit of background on these types of attacks.

Security researchers discovered Spectre and Meltdown in mid-2017, but (as is common practice) kept relatively silent about their findings. (Reportedly, Intel and AMD insist that these vulnerabilities are not flaws — more info.) But by early January 2018, the cat was out of the bag — the discovery generated huge media attention, mostly due to the sheer scope of the threat.

In the ensuing months, researchers found numerous variations of Spectre and Meltdown, some more severe than others. GitHub posted a list with short descriptions, summarized below.

Spectre is listed in the National Vulnerability Database as Common Vulnerabilities and Exposures(CVE)-2017-5715, CVE-2017-5753, CVE-2018-3639, and CVE-2018-3665. Variants include SpectreNG, SpectreRSB, and Spectre Prime.

Meltdown builds on Spectre and is listed as CVE-2017-5754 and CVE-2018-3640, with variants called Meltdown Prime and Total Meltdown.

The two flaws triggered warnings by vendors that both software and hardware (BIOS) patches were needed to prevent attacks. But the early round of software fixes proved buggy. Fortunately, we’re now well past the problems created by those early releases.

Further research revealed additional variants of the two primary vulnerabilities.

For example, Foreshadow (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) includes L1-terminal faults and cache overruns.

BranchScope (CVE-2018-9056) targets the Branch Prediction Units that handle speculation when encountering branching instructions (such as conditionals).

TLBleed (no CVE) allows attacks via poorly written software. To work, an attack requires a processor that feeds multiple execution threads to a single processing core — such as Intel’s Hype- Threading and AMD’s Simultaneous Multi-Threading (SMT). GitHub states, “Processor vendors view the fault as a problem with obsolete third-party development libraries that are not thread-safe. As a result, no CVE has been issued.”

PortSmash (CVE-2018-5407) is “particularly effective against cryptographic functions where entropy can be observed or stealthily mirrored.”

NetSpectre (no CVE) attacks systems, without running local code, by flooding systems with network traffic. But such an attack would be extremely slow, so this isn’t considered a real threat.

To be effective, many of these hardware-based attacks require time to gather information about targeted systems. Most malicious hackers will use faster methods, such as bogus Office macros or email phishing.

As it turns out, servers might be more vulnerable than workstations. Although anti-Spectre/Meltdown software is running on most personal computers without user intervention, on servers the protections aren’t enabled by default. (The exception is Server 2019.)

To the best of my knowledge, there are no active attacks using Spectre, Meltdown, or their variants. Moreover, the protective software can have a significant performance impact on some older workstations. If you have a machine that seemed to become sluggish sometime after January 2018, consider disabling any installed Spectre/Meltdown protections and see whether your system performs better.

There are several ways to test and then disable these protections on your computer. First and easiest is to download the InSpectre tool and run it under an admin account. As shown in Figure 1, the app displays a short summary and gives you the option to disable Spectre/Meltdown protections. Try benchmarking your computer before and after.

Figure 1. The extremely simple InSpectre tool shows your current level of protection and estimated performance impact.

You can also disable Spectre/Meltdown protections by editing the Registry. From an admin-level command line, enter the following commands:

• reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
• reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Now reboot your computer to have the disable settings take effect.

Back in early 2018, the public revelations about Spectre and Meltdown — and their huge potential threat — seemed to cause widespread panic in the computing industry. But you rarely hear about them now.

Still, a year later, the significant threats from Spectre/Meltdown remain. Intel and AMD are reportedly working on new, Spectre/Meltdown-proof chip sets, but that doesn’t help the millions of computers in use today. And, according to a Google report, Spectre/Meltdown might never be fixed.

But again, I’m convinced that cloud and web-hosting servers will be the primary recipients of these hardware-based attacks. When targeting workstations, malicious hackers will more likely stick to tried-and-true methods such as phishing and the bogus emails that arrive in our mailboxes every day.

Still, there may come a time when I’ll recommend enabling or re-enabling these protections on workstations.

Patching is always a balancing act between security and system stability/performance. On our personal systems, we need to keep in mind that the bad guys aren’t usually out to specifically target any one of us — they’re looking for the easy targets among us all.

So take a bit of time to consider your Spectre and Meltdown risk and whether it’s greater than the problems of sometimes buggy updates. That trade-off isn’t the same for everyone.

Susan Bradley was for many years the Windows Secrets Patch Watch diva. In real life she's a Microsoft Security MVP and IT wrangler at a California accounting firm, where she manages a fleet of servers, virtual machines, workstations, iPhones, and other digital devices. She also does forensic investigations of computer systems for the firm.

Best Utilities

By Deanna McElveen

For those who routinely dig into the depths of Windows, the Local Group Policy Editor is one of the go-to tools.

Unfortunately, it’s not available on the millions of Home Edition machines. That’s right, no gpedit.msc (more info) — it’s only in Windows Pro and Enterprise. Apparently Microsoft, in its infinite wisdom, decided Mom didn’t need it.

We frequently run into this problem when working on clients’ computers. There are kludgy ways around this, such as carving out bits and pieces of the tool from Pro editions. But it’s a pain and — according to your Microsoft software license — a big no-no. (You did read your ULA — didn’t you?)

Talented developer Ben Nordick has a better solution: Policy Plus is a local group-policy editor for all Windows editions. (For this article, we’re focusing on its use with Home editions.) As with any good utility, the program is portable, so it can live on, and run from, a flash drive.

To get a copy, jump over to our OlderGeeks download page. Oddly, the apps’ version number (1.0.0.0) doesn’t seem to change — though the app is regularly updated. For example, the Win10 1809 ADMX file-download links were recently added, but Policy still has the same 1.0 version number. Hmmm?

To use the app, open it in an administrator account and accept the User Account Control challenge. Figure 1 shows Policy Plus running on Win10 Home. Look familiar?

Figure 1. Policy Plus looks and works like Windows’ classic Group Policy Editor.

As you dig into Policy Plus on a Home Edition PC, you’ll notice that it’s missing some administrative templates. Under the app’s Help tab, you can click Acquire ADMX files to download the latest .ADMX templated files (more info; see Figure 2).

Figure 2. Use the Acquire ADMX files option to download administrative templates.

Here are a couple of important things to know when using Policy Plus on Home Editions:

• In the Windows gpedit (on Pro and Enterprise systems), the RefreshPolicyEx function applies changes in real time. That’s not the case with Policy Plus; you’ll need to sign off and sign back in to Windows for most changes to take effect.
• Although Policy Plus allows the creation and editing of policies of each user, those settings are ignored on Windows Home. Instead, you must edit the settings for individual users in the Registry User hives, as shown in Figures 3 and 4. (For a quick refresher on the Registry structure and hives, see this PCinsider article.)

  

  Figure 3. To edit specific user policies in Win10 Home, start by clicking File/Open Policy Resources.

  

  Figure 4. The next step is to create a User hive.

Note that you can’t change settings for the currently active (signed-in) account.

Warning! We realize that our readers’ skills range from übertechs to geeks in training. But we must remind everyone that making changes with either Windows’ gpedit or Policy Plus can really mess up your system. If you don’t know the consequences of changing a setting, don’t change it! If you don’t know what something does, don’t use it.

Unless, of course, you’re working on your fully backed-up tinker machine — then, by all means, experiment! (Cloned virtual machines make excellent platforms for experimenting and testing. You can break them without incurring any long-term or costly damage.)

Note: A few “block-everything-so-we-don’t-miss-any-viruses” anti-malware programs might flag Policy Plus. It’s perfectly safe and clean. Click here for its VirusTotal results.

Deanna and Randy McElveen are celebrating 20 years in the computer business, seven years running OlderGeeks.com and 26 years of putting up with each other. Their computer store is in a small town in the Missouri Ozarks. Believing that happy customers are always the best advertisement, they hope to do it for another 20 years.

SECURITY ALERT

By Tracey Capen

This morning, my wife received a frantic call.

The caller — we’ll call her Jane — had returned to her home minutes before her Airbnb guest’s checkout time. And it was immediately apparent that something was wrong. For instance, the front and back doors were open. We advised her to immediately call the cops — and to not enter the house by herself.

Jane and her boyfriend (who was off skiing) were not new to Airbnb; they’d rented their house numerous times, whenever they ventured out of town. But this time, they ended up with nightmare guests.

While John and Jane were gone for the weekend, the “guests” had a grand time poking through the house and packing up things they wanted to take with them. That included such mundane items as cookbooks, inexpensive jewelry, and clothes. Guns locked in a safe? No problem, the thieves simply walked off with the entire safe.

This was no snatch-and-run operation. The “guests” slept in all the beds, left dirty dishes, cleaned out the refrigerator, and moved things around to suit their comfort. They obviously had a good time.

Jane’s situation seemed a bit ironic, because my wife and I experienced the flip side this past Thanksgiving. At the time, we decided to get out of the cold Northwest and visit family in Central California. And to be good guests, we decided to rent a house in the area for a few days.

In our attempt to book a suitable home, we were nearly scammed. We found a place on Craigslist that fit our needs (e.g., dog-friendly) and contacted the host. But the more we communicated with him, the more suspicious we became. Just as we were about to send a check, we did a bit of investigating — and decided it had to be a scam.

Apparently, it’s common for someone to steal home photos from real-estate sites and use them to make bogus rental offers online. We actually found the identical images on (as I recall) Zillow. This experience, added to past events, confirmed my feeling that you can’t trust anything on Craigslist. (Don’t even get me started about bogus employment offers.)

Back to Jane’s episode. She and her boyfriend made a few basic mistakes — or became a bit complacent because there had been no problems with their previous rentals. First and foremost was putting away, and thoroughly securing, important items. For example, the loss of work identity cards and passports is a serious problem that can be easily prevented.

They should also have followed a few basic host rules to prevent loss. A Western Safe site has a short list of tips.

At this point, Jane doesn’t know whether the official guest was the thief, or the guest’s profile was stolen, or she was the victim of phishing. Airbnb requires documentation from guests to confirm their identity, but there are lots of posts by members that their accounts appear to have been hacked.

In similar cases, Airbnb has stated that the problem is phishing: a hacker sends an email that looks just like it came from Airbnb, and the host replies with detailed information — such as the code number for the key box.

That technique might have been used against Jane and her boyfriend; they received a confirmation notice for the weekend rental, though neither could remember offering the house for that period of time. (We’re talking about a young, busy, professional couple that might have too many irons in the fire.)

Before becoming a host, take a serious inventory of your home security. A simple cabinet lock might keep legitimate guests from poking around in your personal things, but it wouldn’t slow down guests like Jane’s. Get a safe and use it. Put strong locks on off-limits rooms.

From both my experience and Jane’s, the key anti-fraud tool is communication. Via emails or phone, both host and guest can ask questions about the other. A Guesty page offers tips for screening potential guests. But it works the other way, too. When checking out a host, ask questions a visitor might request. For example, what’s fun to do in the area? What are some good restaurants? A scammer will usually not have suitable answers.

As with all things on the Internet, the sharing economy has some serious hazards. Be prepared.

Tracey Capen is the editor in chief of the AskWoody Plus Newsletter.