Cloud computing puts your health data at risk

Say 'hi' to award-winning writer Stuart Johnston

By Brian Livingston

We’ve added to Windows Secrets a new full-time writer who’s dedicated to bringing you new insights into the challenges of running Microsoft software.

Stuart J. Johnston is a technology reporter who’s covered the motley crew that is the computer industry for more than 20 years — and you’ll now find his revelations in Windows Secrets every week.

Stuart has won more awards than I can shake a stick at. As the Northwest bureau chief for InfoWorld magazine starting in 1988, he broke stories such as the Microsoft/IBM “divorce.” In 1993, he won the Computer Press Association’s award for Best News Story for his coverage of Microsoft’s recall of MS-DOS 6.0 and its replacement with version 6.2.

Most recently, Stuart won a gold award from the Association of Business Press Editors for his article on the fire hazards of laptop batteries, which was published in the November 2006 issue of PC World magazine.

Stuart will continue to write each month the widely read “Bugs & Fixes” column in PC World, which he’s contributed to that magazine for the past eight years. Interestingly, he took over that feature from Scott Spanbauer, who now reviews programs in our Best Software column twice a month. (Scott alternates writing that column with Ian “Gizmo” Richards, our senior editor.)

We plucked Stuart from InternetNews.com, where until recently he was posting stories on breaking developments in the computer world. Prior to that, he was writing for such outlets as InformationWeek, the MIT Technology Review, JavaPro, .NET magazine, Enterprise Developer, and many others. (Stuart uses his middle initial, “J.,” to distinguish himself from Stuart C. Johnston, a venture capitalist involved with many high-tech companies.)

As our new associate editor, Stuart joins Scott Dunn, who’s writing a series of reviews to update our site’s “software sidebar.” (See my July 24 article.) Scott tackles the subject of password managers today, with more reviews to follow in future weeks.

If you have a tip for Stuart or any of our writers, they’re eager to hear ’em. Send in your tricks and workarounds, using the Windows Secrets contact page. Thanks!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

Cloud computing puts your health data at risk

By Stuart J. Johnston The advent of “in the cloud” medical records services, such as Microsoft HealthVault and Google Health, promises an explosion in the storage of personal health-care information online. But these services pose sticky privacy questions — unless you know how to protect your personal medical records.

A promise of safer personal health data

Your private health information is migrating wholesale onto the public network with the advent of online health-care records stored in massive data centers around the world.

While the services aim to make it easier for consumers to access and manage their personal health information, the ready availability of this data also makes it much easier and less expensive for insurers to put your medical history under the microscope.

Surprised? You shouldn’t be. You voluntarily grant access to that sensitive information every time you sign a waiver so that your health insurer can decide whether to pay for a doctor’s visit, a prescription, or an expensive medical test.

What’s more, most of the gathering and collating of this information is legal. In fact, the number of companies that have access to this information runs into the millions, say privacy advocates.

As recently as last year, only 1% to 3% of U.S. consumers had electronic versions of their health records, according to market research firm Health Industry Insights, an IDC company.

That is about to change.

The fact that two of the biggest players in the emerging world of cloud computing services — Microsoft and Google — are jumping into that arena with both feet will likely accelerate the shift to online medical records.

Microsoft kicked off the beta test of its HealthVault service almost a year ago, while Google announced its Google Health service last February and launched a beta in May. While both services are still in beta, each company has partnered with large health-care providers for pilot tests: Microsoft with Kaiser Permanente and Google with the Cleveland Clinic.

Private health data goes public by mistake

Part of consumers’ reticence to sign up for electronic personal health-care records — with or without services “in the cloud” — has to do with a handful of recent high-profile data breaches. In April, the largest health insurer in the U.S., WellPoint, disclosed that records on as many as 130,000 of its customers had leaked out and become publicly available over the Internet.

To be fair, so-called cloud services aren’t at fault, at least not so far. Microsoft, Google, and other companies that put your medical records online are adamant that their security is top-of-the-line. Their services are intended to give consumers greater, not less, control over who sees what by giving consumers personal ownership of their information, according to the services.

“[As a consumer], I control release of that information,” Grad Conn, senior director of the Microsoft Health Solutions group, told me in describing HealthVault. A Google spokesperson expressed virtually the same assurance about Google Health. Neither company is disclosing how many users it has signed up thus far.

Indeed, consumers’ control of their health data is not the core problem. It’s what happens to your information after its initial release that worries privacy advocates — and with good reason. Once the data leaves the safe harbor of a secure cloud service, it’s fair game for companies in several different industries.

Take, for example, prescription records.

“All 51,000 pharmacies in the U.S. are wired for data mining. Selling prescription records is a multibillion-dollar-a-year industry,” states an FAQ published by Patient Privacy Rights, a major consumer-health and privacy-rights organization.

This data mining of prescription records can cost consumers big-time.

For instance, a July article in Business Week cited the case of a Louisiana couple denied health insurance because the wife took two medications that set off red flags for a prospective insurer.

Ironically, both were for “off-label” uses — that is, they were prescribed not for the maladies that the drugs were originally designed to treat. The woman’s doctor prescribed an antidepressant to help her sleep due to symptoms of menopause and a hypertension drug to reduce swelling in her ankles.Although clinically she was neither depressed nor had high blood pressure, the couple’s application for health insurance was denied, the article stated.

Or take the case of supermarket customers who use so-called “affinity” cards to obtain discounts at their favorite grocery. Data showing that a customer regularly buys cigarettes might be obtained by an insurer or employer and combined with a health record where the customer claimed to be a nonsmoker.

“It’s interesting how they can tie all of that [information] together,” Lynne Dunbrack, program director at Health Industry Insights, told Windows Secrets.

Consumer privacy may get lost in the clouds

Cloud computing is the latest buzz phrase for putting the massive processing power and storage capacity needed to provide ubiquitous computing out on servers located on the public network, or “in the cloud.” Microsoft, Google, and many other online companies have embraced the idea.

Most observers — including privacy advocates — state that the move to store our health records in the cloud is inevitable. In fact, there are many benefits to consumers for having that information available virtually instantly. For example, if you were in a different city and needed to be rushed to the emergency room, your health history would be immediately available to the physicians on call.

Or, Dunbrack added, having access to a patient’s commplete prescription information can help displaced persons stay alive in a hurricane-ravaged area, for example.

In fact, a survey conducted last spring for the Markle Foundation found that, of nearly 1,600 respondents, four out of five see electronic health records as useful, but many indicated that protecting the confidentiality of that information is crucial. “Nearly half called specific privacy practices ‘critical’ in their decision to try one out,” a foundation statement said.

The downside is that storing health records online makes it easier for insurers to calculate the odds that you will be more expensive to insure than the next person. That’s the rub, say privacy advocates.

Wait, you say. Isn’t there a law that keeps your data from being misused? Yes and no.

It’s called the Health Insurance Portability and Accountability Act, or HIPAA. Moreover, there are many exceptions to the law. Additionally, both Microsoft and Google claim their health services are not subject to HIPAA regulation, since they don’t offer health-care services themselves.

Pam Dixon, executive director of the World Privacy Forum, says HIPAA is far from perfect but better than no protection at all. “Before HIPAA, it really was much worse,” she said. However, she agrees that “secondary use” of patient data has become an industry unto itself — a genie that will be difficult or even impossible to get back into the bottle due to the billions of dollars that can be made from it.

“Right now, disclosure of health information is out of control,” Dixon said, adding ruefully, “Technology is not going to go backwards.”

How to safeguard your health-care records

So, what can you do to protect yourself? Patient Privacy Rights offers these recommendations and questions to ponder as you navigate the sometimes-perilous world of electronic health records:

• Don’t even think about using a personal health record (PHR) that’s offered by an employer or insurer. These are the last companies with which you want to share all your personal health and daily activities.

• Don’t simply rely on a “HIPAA-compliant” PHR. HIPAA has more loopholes than the tax law; millions of businesses can legally access your information without your consent.

• How do you authorize access to the information? If gaining access requires nothing more than having someone guess your password, say “no, thanks.”

• Does the PHR provider have the right under its “agreements” to take, sell, or share your information?

• What security does the PHR provide?

Finally, a little personal advice: hold off signing up for any electronic health-records system for the time being. So few people have joined to date that there are bound to be problems to work out, not to mention the potential for identity theft. Let somebody else play the role of pioneer.

Stuart Johnston is associate editor of WindowsSecrets.com. He’s written about technology for InfoWorld, Computerworld, InformationWeek, and InternetNews.com.

Password managers keep your login data handy

By Scott Dunn From shopping and banking sites to network- and remote-access logins, we’re inundated with requests to create and remember a plethora of passwords. Fortunately, plenty of free tools help us store and organize our passwords in a single, secure location.

Login aids can be more hindrance than help

If you counted the number of times you were prompted to enter a login ID and password in the course of a working day, you could be approaching double digits by your afternoon break.

Firefox, Internet Explorer, and other browsers offer to remember passwords for the sites you visit. However, your passwords are not always secure when stored in a browser — though Firefox is a safer bet, since you can encrypt its passwords with a master password.

Furthermore, you might need a tool that saves passwords for other programs, not just Web sites. If you’re like me, relying on your memory is perilous, and writing your passwords on a piece of paper — even one you keep in your wallet or some other relatively secure location — is dangerous. That’s where password-management utilities come in.

Password managers are small databases designed to help you manage the deluge of passwords needed to navigate your computer, network, and Internet needs. With the exception of RoboForm’s browser toolbar, most of these programs have a similar interface and features, including but not limited to the following:

• A main window showing a list of your account names, passwords, URLs, and so forth

• Automatic password generation and optional password-expiration settings

• An option for attaching notes to any name and password entry

• The ability to copy a name and password to the clipboard without opening the dialog for each entry

• A means of launching a URL from the password manager

• A feature for clearing the clipboard and encrypting the password database

• The ability to print the database

The most cumbersome thing about password managers is that you have to cycle through multiple windows to use them. In most cases, the scenario goes like this:

Step 1. Select your account in the password manager window and copy the account name.

Step 2. Switch to your browser (or other application window) and paste in your name.

Step 3. Switch back to the password manager window and copy the account password.

Step 4. Switch to the browser yet again to paste in the password.

KeePass, Access Manager, 4uonly, and other programs simplify this process only slightly by letting you drag and drop the information between windows. However, you still have to switch between windows repeatedly.

There are so many password managers available that I had to limit my selection to those that offer a free version and also include a wealth of features. Not all of the programs claim to run under Vista, but they all worked fine in that operating system during my tests, with the exception of Password Corral’s online help.

#1: SIBER SYSTEMS ROBOFORM

Top choice specializes in Web access

RoboForm takes a unique approach to password management, using as its main interface a toolbar that attaches to your Internet Explorer or Firefox browser. The program monitors your Web surfing and offers to save any name and password information you enter at a site. (You can also enter your Web IDs and passwords manually.)

Once the information is in the program, logging into a site is a simple matter of choosing a button or pop-up menu option from the toolbar to fill and submit the form. It’s slick and easy, and it certainly beats the two-window shuffle required by other password managers.

To save even more clicks, place bookmarks to login pages in RoboForm’s pop-up menu, which lets you navigate to the page and log in with a single click.

RoboForm doesn’t just automate your logins. The program is also a great way to save such personal information as your name, address, phone numbers, and credit card numbers for automatically filling out online forms. Like your passwords, this information is encrypted and accessible from a master password, which is cached in memory so you need enter it only once per session.

As with the other programs I tested, RoboForm lets you organize its “passcards” (what it calls each database record) into groups, if desired. You can also create multiple profiles for other purposes or other users.

Unlike the other applications I tested, you can’t attach custom notes to each item or account in RoboForm. However, the program’s “Safenotes” feature lets you enter secure data for any purpose, such as ATM passwords.

Siber Systems also makes a version called RoboForm2Go that runs from a USB memory stick or flash drive. When you insert the device into a computer’s USB slot, the RoboForm data is available to you. Removing it leaves no trace of your passwords.

For some, the biggest downside to RoboForm is its Web focus. The program is designed to work with Web forms and logins, not network passwords or encrypted folders (although you can always store that info in its Safenotes feature).

The free version of RoboForm limits you to ten passcards and two identities.

#2: KEEPASS PASSWORD SAFE

The open-source option for password management

For fans of open-source software, KeePass Password Safe is certified by the Open Source Initiative and has all the features I mentioned above plus a few extras. For example, KeePass supports keyfiles, a type of file that acts as a key or password and that you can put on a separate USB flash drive for safe-keeping. The program’s search feature helps you find entries in its database. (Access Manager also offers this feature.)

You can even install KeePass on a USB flash drive and carry it with you wherever you go.

KeePass attempts to solve the window-shuffle problem by providing Auto-Type, a simple scripting system that lets you fill in and submit login data with a single keyboard shortcut. However, I was unable to get Auto-Type to work, and the explanation in the program’s help system was no help in this regard.

As a security precaution, KeePass automatically clears the Clipboard ten seconds after you have used it to copy a name or password.

Several tools, including Access Manager and Password Corral, let you organize your passwords by creating custom groups. KeePass provides several built-in groups to start with and forces you to keep your passwords in at least one of these, even if it’s the top “General” level.

This isn’t a big deal most of the time, but if the group becomes deselected in the tree pane on the left, you won’t see any of your password info in the right pane. And this is annoyingly easy to do if you happen to click anywhere in the left pane to activate the window. To work around this, I put all my data into one group and then dragged the divider until the left pane almost disappeared.

Because the product is open-source, you don’t have to worry about paying an upgrade fee to get more features. And you can download and install a number of third-party plug-ins to enhance it.

Despite its shortcomings, KeePass’s many features make it the best freeware password manager I tested.

#3: CITI-SOFTWARE LTD ACCESS MANAGER

These extra features are worth paying for

Like RoboForm, Access Manager 2 comes in a free and paid version. The program’s main window requires that you select an account name before you see the database record listing the password and any other info you’ve entered for it. This is the only password manager I looked at with this requirement.

For each account, you can enter not only a URL but also the name of a file, folder, or program that must be unlocked with a password. You can also open such an item from the Access Manager window.

To get data out of your database and into your login screen, Access Manager offers the option to have the password copied to the clipboard while you drag the account name. That way, you switch windows only once: drag to the name field, and then paste in the password field.

However, Access Manager’s more unique features are found only in the $25 version — including the ability to run the program from a USB flash drive, use an onscreen keyboard to foil keyloggers, or delete files securely, just to name a few examples.

Access Manager is a solid product with strong appeal for those who use passwords for more than just Web sites. Still, you’ll need to pay if you want to use the program in a commercial setting or if you need more advanced password-management features.

#4: CYGNUS PRODUCTIONS PASSWORD CORRAL

A plain-Jane password-management freebie

Password Corral is a typical freeware password manager, but unlike most such tools, the program doesn’t hide your passwords in the main window with the usual asterisks in place of the actual characters. There’s a button you can click to hide (scramble) or unhide the information in the main window, but doing so also hides the user name and URL.

Password Corral is the only password manager I tested that doesn’t let you drag and drop names and passwords into the appropriate files.

Also, the program isn’t intended for Vista: you can’t open its help system in the newest version of Windows. Otherwise, Password Corral runs fine on Vista PCs.

#5: DILLOBITS SOFTWARE 4UONLY

Basic password management with one big flaw

Like Password Corral, 4uonly takes a basic approach to password management, though it does let you drag and drop names and passwords, just as in other password managers.

The program does offer one time-saving feature: it protects your password database by tying it to your Windows account. So as long as you’re logged into Windows, you don’t have to supply 4uonly with a master password. However, you can still assign one in case you are logged in under other credentials.

Unlike the other products I reviewed, 4uonly doesn’t give you the option to organize your passwords into groups to help manage a large number of accounts.

More disturbingly, I noticed the status bar sometimes stated, “The clipboard is empty,” even when my password was still on the clipboard. The program’s command to clear the clipboard resolved this, but the misleading message is a serious security bug.

That’s the only big problem with 4uonly, but why bother using this program when there are safer alternatives you can get for free?

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

It beats (ahem) ice-cold showers

By Katy Abby Internet dating services have become overwhelmingly popular in our technologically savvy age. We are constantly inundated with advertisements featuring happy, loving couples who allegedly met online. If you believe the hype, everyone seems to be finding the love of their life via the Internet … everyone except Erik Weiner. This hilarious rap rehashes Erik’s failed attempts to find love on the Web — or even a date — as well as the activity he’s driven to when the Internet just doesn’t seem to hold a love connection for him. (Warning: adult language.) It’s all right, Erik, we’ve all been there. Play the video

Find the backup technique that works for you

By Ian “Gizmo” Richards There are so many backup options available that it’s difficult to decide which is the best. Of course, you have to figure out which files you need to back up before you can determine the best method for doing so.

Are you backing up all the files you need to?

When people think of “backup,” most of them focus on their Word docs, spreadsheets, e-mail, and other application files. These are certainly important, but there are a lot of other vital files on your PC.

Your bookmarks, browsing history, and saved passwords are examples of such files — not to mention the key settings in your application programs, such as the account information for your e-mail and FTP clients. The list goes on and on.

The best way to identify your backup needs is to imagine that you’ve bought a brand-new PC. Ask yourself: “What information would I need to move to that PC so I could work efficiently?”

This is not a theoretical exercise; if your current PC gets stolen or fails catastrophically, you’ll find yourself in this exact position.

As soon as you start documenting your backup needs, you’ll discover that some of the data you need to back up is not held in Windows’ default file-storage locations (such as My Documents in XP and Documents in Vista) but rather in system files such as the Registry and the more arcane user folders.

Worse still, you may not even be able to identify where your data is held. Ask the average Windows user where e-mail files are stored and you will most likely get a blank look. Advanced users face the same problem; I once spent an hour looking for my FTP account settings, only to finally discover that they were stashed in the Registry.

The fact that your vital data may be located in many and various locations on your PC lies at the heart of why backup is not a simple task. This is also critical in determining the best backup solution for your system.

Backup option #1: Stick with local storage

Backing up your PC data files to another hard drive or to a CD or DVD is by far the most widely used approach.

Normally, this is done using a specialty data-backup program such as Genie Backup Manager, NTI BackupNow, Handy Backup, Cobian Backup, or any one of dozens of similar commercial or freeware programs. File backup can also be accomplished by using a file-synchronization program such as Microsoft’s free SyncToy or Always Sync from Usov Labs.

Until recently, most folks backed up their files to optical media, but external USB hard drives and flash drives are now so cheap that they are fast replacing CDs and DVDs as the backup medium of choice for PC users.

Here are some of the advantages of local backup:

• It’s conceptually simple. You identify which files are important and back them up automatically to another drive on your PC.

• There is a wide choice of backup software available, including a number of free products.

• It’s convenient, as everything takes place on your own PC under your control.

• It’s fast, because backup and recovery take place at your system’s high data-transfer rates.

• It’s cheap. Both the software and the backup media cost very little.

Here are some disadvantages of the local approach:

• It can be difficult to identify where on your PC the data you want to backup is located. The best backup software, such as Genie Backup Manager, can help in this regard by automatically locating some hidden files, such as e-mail archives and bookmarks, but the problem remains.

• Onsite backup needs to be complemented with additional offsite copies to guard against fire, theft, and similar risks. Not all users are disciplined enough to create and maintain an offsite-backup regimen.

• Most data backup programs do not back up Windows itself, so if your OS fails, your backed-up data will not be accessible.

Backup option #2: Store your data online

With the ready availability of broadband Internet, it is now quite practical for you to back up your data to a remote server by using an online backup service such as Jungle Disk, Mozy, or Carbonite. I discussed these services in some detail in my Sept. 4 column.

These are some of online backup’s advantages:

• Your data is secure against fire, theft, and other local mishaps, because the backup copies are stored on a remote server.

• It’s convenient in that your backup data can be remotely accessed from any PC.

• It can be a cheap option for low-volume users, as some commercial services such as Mozy offer limited storage for free.

There are also some disadvantages to online backups:

• Backing up and recovering your data are much slower than with local backup solutions. For large, regularly updated files such as Outlook .pst files, this can be a real problem because the online copy may never be current.

• Security is a concern because your data is transmitted across the Internet. Worse still, your files are in the hands of a third party. Encrypting your files reduces these risks, but this remains an issue for sensitive data.

• Service continuity is a real concern. Several online backup companies have failed, causing their customers to lose all backups. This risk can be minimized by choosing a substantial and well-funded provider, but the danger cannot be eliminated.

• It can be relatively expensive, as most online backup services charge a recurring fee rather than a one-time payment.

Backup option #3: Use drive-imaging software

Drive imaging is a backup technique that involves taking a snapshot of your entire hard drive and storing this snapshot as a compressed file called an image file.

Unlike local file backup and online backup, this approach captures all the data on your computer, not just specific files. That means everything gets backed up, even your Windows configuration itself.

There are several excellent drive-imaging programs available, including Acronis True Image and Symantec’s Norton Ghost. A freeware alternative is Drive Image XML.

Among the advantages of disk imaging are these:

• Since you’re also backing up Windows, you can restore your entire system from the backup image if your PC gets corrupted or becomes unbootable.

• It’s simple. There’s no need to specify what is backed up, because everything is backed up.

• It’s convenient. Individual files stored in an image can usually be accessed or recovered by mounting the image file as a virtual disk drive. This takes less than a minute. Once mounted, all the files in the image are accessible just as though they were stored on a local drive.

There are also disadvantages to disk imaging:

• The image files are huge, typically 30% to 50% of the size of the drive being backed up. Files of this size are generally too large to be stored online or on removable media; they have to be stored on a hard drive.

• It’s slow. Creating and restoring large image files can take hours. This presents problems when backing up files that are frequently changed.

• Since this is a local backup method, a separate offsite copy is required to guard against such risks as theft and fire.

The backup method that works for me

Clearly, each backup method has its strengths and weaknesses. No single technique is ideal for all users.

In practice, I’ve found the best backup strategy for a given situation is often to use two or more different methods, each targeted at different kinds of data.

For example, online backup is ideal for small files and those that you want to access from more than one PC. On the other hand, local backup is well-suited to files that you update frequently. However, for backing up Windows, drive imaging is unbeatable.

Bearing this in mind, here’s what I do:

• Every hour, I use the online service Jungle Disk to automatically back up my working notes and several other frequently updated files. That’s not only for security, but also because I often need to access these files from another PC.

• Once a day, I back up my e-mail files, my Office documents, and my application settings to an external USB hard drive. This is automatically performed overnight using Genie Backup Manager.

• Once a week, I back up the same data to a second external hard drive that I store offsite for security. I also image my system drive weekly by creating a full backup copy of Windows using Acronis True Image. The image file is stored on the same hard drive I use for my daily backups. A second copy is kept with my offsite backup.

You can see that combining these three backup methods allows me to recover rapidly from just about any disaster without being excessively burdened by the backup process itself.

I suspect most folks will find a mix of backup methods is the best option. Indeed, several backup software vendors have recently extended their products to include multiple backup approaches. For example, recent versions of True Image offer individual file backup as well as whole drive imaging, while Genie Backup Manager now features data backup, drive imaging, and online storage.

Frankly, I’ve not found any of these all-in-one backup solutions as effective or convenient as using separate, specialized backup products. But the emergence of these omnibus approaches underscores the fact that there is no single perfect backup solution. Different situations require unique solutions.

Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.

Services let you offload your file downloads

By Mark Joseph Edwards New file-sharing sites are springing up faster than campaign promises, but which one is the best for your needs? The answer depends largely on how much disk space and bandwidth you require, as well as which special features you find most important in the six services I tested.

File-sharing sites make mega-uploads a breeze

There’s nothing new about file-sharing services. Among the increasingly crowded field are a few mainstays that have been around for years. There are also a few shining stars, though as you might suspect, no two services offer the same set of features. That can make it difficult to find the one that best meets your needs.

For example, you might use a file-sharing service to distribute software that you’ve developed or to share your photographs or audio and video recordings. Any file that would tax your own system to disseminate is a good candidate to drop onto a file-sharing site.

Just to be clear, these file-sharing sites are not synonymous with peer-to-peer networks. You use file-sharing services just as you would any other Web service: via your browser. You don’t need any additional software to upload and download the files, unlike BitTorrent and other peer-to-peer systems.

Although you might consider using the tested file-sharing sites for remote backup, the services are not really intended for that purpose. For one thing, your uploaded files might wind up in search results, because search engines often index these services’ download pages. You may or may not want your files to be discoverable, so keep this in mind when considering what to upload.

Of the file-sharing sites I reviewed, Megaupload is the clear choice. The company offers more storage and more features than the competition. MediaFire claims to offer unlimited storage, but I seriously doubt that the service can make good on that boast.

A downside of the free services is their varying policies on deleting your files. Some remove content you haven’t accessed within a specified period, while others delete things if you haven’t signed in for a while. These limitations are expressed in Table 1 as “time limit.”

Table 1: Feature comparison of file-sharing services.

*FileQube offers 500MB of storage only to people who register for a free account.

As the table indicates, the services vary considerably. Be sure to review each offering’s complete set of features before you sign up. Some file-sharing services provide bells and whistles that you might find advantageous, depending on your needs.

In rating the providers, I place a lot of weight on their Web interface, since that’s the primary method for using the services. Other considerations are price, upload methods, and storage-space allotments.

#1: MEGAUPLOAD

The best combination of storage and features

Megaupload is the king of file-sharing sites, providing more bandwidth and storage than the competition. The company also uses lots of interesting Flash tools for managing your uploads and downloads.

At first glance, the site looks a little confusing. After a few minutes of mousing over various icons, however, the gist of how to use the site becomes clear. The service’s premium version costs from U.S. $10 a month to $200 for a lifetime membership.

#2: FILEFACTORY

Up-and-comer makes media-sharing simple

File Factory provides a good set of file-sharing services whether you register for a free account or pay for its premium offerings. By registering, you get access to media widgets for sharing music, videos, and other files, plus a decent file-management interface for your uploads.

Paid accounts give you more storage and bandwidth, for prices ranging from $12 for two months to $90 for two years.

Keep on eye on these guys — they could become a formidable threat in the file-sharing arena.

#3: RAPIDSHARE

Popular file-sharing site limits your storage

The popular RapidShare service is a close third behind MegaUpload and File Factory in terms of overall features. Even though I see more links around the Internet to RapidShare than to any other file-sharing system, the service offers only half the maximum storage of my top choice, but it charges several dollars a month less.

The site’s interface presents its many functions simply and cleanly. Premium accounts get more storage and bandwidth for prices of $6.50 for three days and $77 for a year. (RapidShare prices its accounts in euros, so the price in U.S. dollars will fluctuate with the exchange rate.)

#4: MEDIAFIRE

A promise of unlimited storage and bandwidth

As with most of the competition, MediaFire sports a clean and easy-to-use site, although it doesn’t indicate how long files are stored with paid accounts. The service claims to offer unlimited disk space and bandwidth, which certainly makes it unique. I have my doubts whenever a company makes such broad statements. How would MediaFire react if someone uploaded a terabyte of data, for example?

Paid accounts costs $7 per month; if you prepay for a year, you get two months for free, although the site doesn’t make it clear whether the two free months are included in the 12-month period or tacked onto the end.

#5: FILE QUBE

New service makes media publishing a snap

One of the newer entrants in the file-sharing market is File Qube, which adds some interesting wrinkles to the field. While the service’s storage allotments are lower than those of some bigger competitors, the site features a clean design and such cool extras as widgets for publishing media files on other sites.

Right now, File Qube isn’t offering any paid plans, although that might change. While you can use the service without signing up for an account, registering lifts the file-size and overall storage limits that are imposed on anonymous accounts.

#6: FILEDEN

Unusable interface cripples this service

FileDen’s Web interface is outright annoying due to the large, square Google ads at the top of every screen. The ads force you to scroll down to find the actual page content. Paid accounts remove the ads, but I’m guessing that most people will simply choose another service instead. Then again, maybe these ad-laden pages don’t bother you.

Of all the file-sharing services I looked at, FileDen is the only one that requires registration to use the service. Along with the free package, the company offers paid accounts at prices from $50 to $200 per year, depending on the features you require. Paid accounts get priority tech support, access to folder creation and management tools, and other features in addition to the ad-free interface.

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

Antivirus 2008/2009 is the scum of the earth

By Susan Bradley Fake security programs are taking advantage of user gullibility in order to hold people’s PCs for ransom. Windows XP users who are running with administrator rights are especially vulnerable to these drive-by downloads.

System-clogging antivirus scam hits home

Queries entered at Google and other Web search engines are returning links to sites that try to infect your system with the dreaded Antivirus 2008/2009 scam. This threat was reported by Windows Secrets associate editor Scott Dunn on Sept. 4 and described by the folks at the Internet Storm Center in a Sept. 15 bulletin.

My dad was one of the victims of this malware after he followed such a search link. These downloads purport to be free antivirus programs, yet in reality they offer no protection but demand payment for their removal.

While a visit to the malware-cleaning site Malwarebytes helped me get my dad’s PC back into shape, the incident points out how difficult it is to secure a Windows XP workstation when the user runs with full administrator rights.

Search engines do not cleanse their results, and antivirus programs are not stopping many of these rogue variants. They morph and change just enough to evade our virus protection.

It’s easier for me to protect the XP systems in my office because I can ensure that they are deployed without administrator rights. Doing the same for my dad’s PC is tougher.

This is yet another reminder that you have to be careful out there. Watch out for sites that try to trick you into downloading protection that is anything but.

MS08-052
Microsoft’s GDI+ patch is a bear to install

I won’t list all 25 of the Knowledge Base articles that describe the various patches for GDI+ in MS08-052, which Microsoft released last week and I described in my Sept. 11 column. I haven’t heard of any significant installation side-effects from these patches, but the sheer number of programs affected makes this set of patches unique.

On Sept. 12, the bulletin was updated to add Office Project 2002 Service Pack 2 to the list, and the many Office platform viewers are also vulnerable to this issue. If you use any of these apps, expect a patch to be offered up via Windows Updates.

In addition, SQL Server administrators who have installed Cumulative Update Package 9 for SQL Server 2005 SP2, 953752, don’t need the QFE update for SQL server 2005 SP2 in 954607.

Wording was added to the bulletin to clarify that this patch affects only SQL Server 2005 when SQL reporting services are installed. If the services are not installed, you don’t need the patch.

A blue day for Apple’s iTunes 8

When Apple first released iTunes 8, many Vista users reported Blue Screens of Death appearing when they plugged in their iPod. Blue screens occur when a driver causes an operating-system error. This abrupt error even made an appearance on the large projection screen used during the 2008 Beijing Olympics.

Just as with the iTunes update, most blue screens are the result of faulty third-party drivers.

In this case, Apple’s USB driver caused the iPod to trigger a BSOD as soon as it was plugged into the PC. Apple has fixed and re-released the driver on its site. If you have been affected by the glitch, uninstall iTunes 8 and reinstall the new version.

If you have not yet installed the update, the replaced version will be offered to you automatically.

Apple joins the security-update party

Not to be outdone by this month’s megapatch released by Microsoft, Apple has issued version 10.5.5 of the Mac OS, which fixes 30 different security problems.

If you use the Leopard version of the Mac OS, expect to see updates for QuickTime, iTunes, the core operating system, and possibly printer drivers when the Apple Software Update utility makes its next appearance.

Figure 1. Apple will provide patches for several different programs in September.

If you are getting ready to send little Johnny back to school with that brand new MacBook, make sure his machine is fully patched. You can provide help remotely by using remote-access programs such as LogMeIn, which lets a Windows machine log into a Macintosh from afar.

Then again, you may need to set him up with a dual-boot configuration of Windows and the Mac OS so he can help you troubleshoot your PC!

The last word (I hope) on installing XP SP3

Last week’s Known Issues column by Dennis O’Reilly quoted reader Terry Theresa, who took us to task for giving conflicting advice about Windows XP SP3. Quite frankly, I think the criticism is justified.

Let me explain why I still recommend that you have a good backup and a spare Internet-connected computer ready to go when you add this update to your PC. To be sure, the vast majority of Windows XP users will have no problems with SP3. We’ve now identified the major issues that were affecting the bulk of the XP users.

What remains are instances where Googling makes it look like there are thousands of folks hitting the same issue. This is actually the result of the way blogs and search engines pick up stories.

The bottom line is that the service pack is as steady as it’s going to get. It’s nearly impossible for me or anyone else to predict whether you will be one of the unlucky ones who fall into the SP3 death spiral. The best I can do is tell you to be in a position where you can roll your system back or find help.

I’ve experienced no glitches with the SP3 installations at my office. However, our machines are pretty clean. While helping my dad and the neighbors down the street to install XP SP3, I found that it’s best not to use Windows Update to install it, but rather to go to the download location on Microsoft’s site and manually download the entire XP SP3 from there. Place it anywhere on your computer, and after the file downloads, temporarily disable your antivirus software and install the update.

As Dennis’s column stated, Microsoft’s free installation support expires next April, so it’s wise to install the service pack before then. If you observe the great American tradition of geeks visiting their relatives over the Christmas holidays and fixing their computers, keep SP3 in mind before official support ends.

I bet there are more than a few readers who would prefer to spend their time installing SP3 on somebody’s computer rather than listen to some second cousin drone on in detail about their three-week blow-out vacation in Yuba City.

MS08-053 (954156)
Windows Media Coder 9 re-released in Norway

This item is for all our readers in Norway. On Sept. 15, Microsoft released KB 954156, which fixes a deployment problem relating to Windows XP SP2 and SP3 and Windows Server SP1 and SP2. If Windows Update offers you this patch again, you’ll need to reinstall it because the original did not install correctly.

Interestingly, this is the same patch whose English version had detection problems. Based on the small number of folks reporting this problem on the Windows Update newsgroups, whatever detection issues were occurring last week have been cleaned up.

The patch fixes a problem where malicious media files could take control of your system. To date, I’ve seen only detection issues and not any attacks leveraging this security hole.

MS08-054 (954154)
Windows Media Player 11 also re-released

On a related note, Windows Media Player 11, KB 954154, was also re-released in Norway because it, too, had detection problems on 32-bit versions of Windows XP. (Must be something in the fjords.)

If you have the Norwegian language update installed for either KB 954156 or 954154, ensure that you get these two patches installed on your system.

For those of us who have other languages as our default, I’ve seen no indication that this glitch is being used for malware infection. Still, I strongly recommend that you install it if you haven’t done so already

Sometimes, your security app is the problem

In the past two weeks, two antivirus vendors have announced flawed updates. Refreshes of two of my favorite security programs — NOD32 from Eset and Trend Micro’s AntiVirus — caused problems for Windows Secrets readers.

NOD32 even made my office computer slow to a crawl due to a permission problem that was reported on the company’s support forum. Trend Micro made headlines with the flawed update to its antivirus program, as best described in a Network World article.

Every definition update for your antivirus is the equivalent of a Patch Tuesday. When you have a problem with your system and it’s not on a Patch Tuesday, remind yourself that your antivirus updates every day. While most of the updates are completed quietly and correctly, every now and then things go awry.

Jumping the gun on an Exchange 2007 update

I’m a beta tester for Microsoft’s Small Business Server 2008, which includes the 64-bit version of Exchange 2007. I’m looking forward to the release of Update Rollup 4 for Exchange 2007. This rollup was not scheduled for the most recent Patch Tuesday, but a pre-release was inadvertently included in the Microsoft Update. The Microsoft Exchange team announced that they are looking into how this happened to ensure that it won’t happen again.

While I can understand some of the frustration that occurs when Microsoft updates malfunction, some of the comments posted to the Exchange blog and highlighted in various news articles surprised me a bit.

For example, one indignant poster said the issue of having a prerelease patch end up in a Microsoft update left him no choice but to disable automatic updates. To that I ask, “Why did you have automatic updates enabled on a mail server in the first place?!”

E-mail is the lifeblood in many firms. As long as I have been patching servers — and in particular Exchange 2003’s mail server (part of Small Business Server 2003) — I have never set a production server to install patches automatically.

You need a good backup under your belt before installing patches to a mail server. If you have automatic updates enabled, chances are you can’t be sure of that. While I might understand a policy of automatic updates for large organizations with automated processes and fall-over mail servers, anyone without such a disaster recovery plan should please flip that server’s update settings to Download but do not install. Then, no matter what “oops” Microsoft may come up with, you will not be caught by it.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.