There are isolated problems with current patches, but they are well-known and documented on this site.
Watch a live video, share your PC with CNN
In this issue
- TOP STORY: Watch a live video, share your PC with CNN
- KNOWN ISSUES: If NoAutoRun.reg doesn't work, you may need space
- WACKY WEB WEEK: Giving up on society? Get one of these!
- LANGALIST PLUS: Make sure your PC's BIOS supports USB
- WOODY'S WINDOWS: Microsoft claims Windows 7 UAC flaw is by design
- PATCH WATCH: Conficker/Downadup woes may not be over
Watch a live video, share your PC with CNN
By Brian Livingston
Many people who watched live streaming video of the inauguration of U.S. President Barack Obama on Jan. 20 may not realize that their PC was used to send the video to other PCs, too.
Clicking “yes” to a CNN.com dialog box installed a peer-to-peer (P2P) application that uses your Internet bandwidth rather than CNN’s to send live video to other viewers.
The P2P application is called Octoshape Grid Delivery and is managed by Octoshape ApS, a company based in Copenhagen, Denmark.
Web surfers who visit CNN.com and select a live video stream for the first time see in their browsers a dialog box, shown in Figure 1, saying, “This site requires the Octoshape Grid Delivery enhancement for Adobe Flash Player.” The dialog box doesn’t appear when playing an ordinary video file, only when starting a live feed. (Feeds labeled LIVE typically appear in the upper-right corner of CNN.com’s home page during business hours.)
Figure 1. Users who select a CNN.com live video feed see a dialog box to install the Octoshape Grid Delivery application.
According to Octoshape’s end-user license agreement (EULA), what’s installed is a peer-to-peer app that will “deliver parts of the video and audio stream to other end users of the Software.”
Why should you care? Windows Secrets contributing editor Ryan Russell, using a network sniffer, measured Octoshape using upstream bandwidth of 320 kilobits per second on a broadband connection. Dan Ferrell, in a comment on contributing editor Susan Bradley’s blog, reports seeing 600 Kbps of upstream traffic. Ferrell adds that, at first glance, the multiple connections to his PC looked to his security alert system like some kind of SQL attack.
The Internet Storm Center, an Internet security organization, reported that traffic on Jan. 20 had jumped to a level thousands of times higher than usual on UDP (User Datagram Protocol) port 8247. (See Figure 2.) The center quickly identified the source as legitimate — CNN — but security consultant Raul Siles warned in his report, “It would be easy for an attacker to hide his actions on this port if we simply ignore it.”
Figure 2. The Internet Storm Center measured an enormous increase in UDP traffic on Jan. 20.
In a telephone interview, Mike Wise, group technical advisor for platform R&D at Turner Broadcasting System, the parent of CNN, confirmed Octoshape’s P2P nature.
Wise emphasized that the news network had selected the most considerate software for the job: “The Octoshape technology uses a congestion control mechanism that’s less aggressive than TCP and most UDP implementations.” As one example of the way Octoshape gives priority to user tasks, he explained, “we chose an implementation that wouldn’t interfere with consumer’s VoIP [Voice over Internet Protocol] applications.”
Octoshape is a European company, and its technology was initially used on the continent to stream live feeds of such high-profile events as the Eurovision Song Contest and the UEFA Cup. “We’re their first big United States customer, at least that I know of,” says Wise.
“We did some limited trials leading up to the election” on Nov. 4, as Wise describes it. The big test came with the Jan. 20 inaugural address. More than 26 million live feeds (including restarts of crashed streams) were served that day by CNN.com, according to a Jan. 25 article and chart in the New York Times. CNN’s nearest rivals served “only” 9.1 million (MSNBC) and 8 million (AP).
To my surprise, I’ve seen only a few blogs comment on the implications of CNN using so much upstream bandwidth — and almost no headlines in the mainstream U.S. media.
Most Internet service providers support far less bandwidth in the upstream direction (from a PC to the Internet) than they do downstream (from the Internet to a PC). But that isn’t the only concern with CNN’s use of people’s Internet connections:
- Deceptive marketing. Octoshape’s dialog box warns that playing a live video “requires” installing new software. Yet if you click “no” to Octoshape, you can still play the feed using the streaming video capability built into Windows Media Player or Adobe’s Flash Player, although possibly with less fidelity. Small links to choose one of the two standard formats appear in the bottom-right corner of the playback window.
The Octoshape EULA doesn’t become available until after the user is required to select “yes” or “no” to install the app. But even if the EULA appeared before the buttons, burying in legalese the commandeering of a person’s PC isn’t my idea of “informed consent.” Only a clear explanation of the repurposing of a PC’s bandwidth — in on-screen text, readable without scrolling — is an adequate way to inform users of such a technique.
- Cost-shifting to ISPs. CNN’s use of Octoshape might make live feeds look somewhat smoother to end users, but the primary benefit is a reduction in cost to the cable news network.
The TorrentFreak blog cites an unnamed insider as saying 30% of CNN’s live feed traffic was served from individual PCs and not the network’s own servers. That saves CNN big time on bandwidth. But the cost doesn’t just disappear — it’s shifted to ISPs.
Brett Glass, the owner of Lariat.net, a small ISP in Laramie, Wyoming, testified before the FCC last year on cost-shifting. Bandwidth, he explains, can cost hundreds of dollars per Mbps per month to providers in rural areas like his. “CNN is setting up a server on the ISP’s network without permission or compensation,” he told me in an interview. “CNN’s not a charity, in fact it’s doing a lot better than some ISPs.”
- Costs to end users. Many ISPs around the world restrict how much bandwidth users can consume. Those providers charge by the megabyte for any traffic above that level. Users who installed Octoshape’s app and served traffic upstream as well as down may get an unpleasant surprise in their next monthly bill. Octoshape anticipated this in the company’s EULA by saying, “You are responsible for any telecommunication or other connectivity charges incurred through the use of the Software.”
In addition, ISP terms of service usually prohibit customers from using their Internet connection to host a server. The FCC ruled last year against Comcast, a major U.S. ISP, on peer-to-peer restrictions, as explained in an Ars Technica article. But other legal issues on home-grown servers remain unsettled.
(In an interview, Comcast spokeswoman Jenny Moyer declined to address CNN’s use of Octoshape, saying, “I don’t think it’s anything we’re going to be able to comment on at this time.”)
- Ludicrous license terms. Anyone who reads Octoshape’s EULA after clicking “yes” to install the app finds that they’ve agreed to some hilarious prohibitions:
“You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you not are allowed to use or distribute such information.”
- Company policies on outbound traffic. No one has suggested that Octoshape is doing anything other than relaying live video streams to other PCs. In a blog comment, Johan Ryman, Octoshape manager of strategic partnership and sales, assures users that the app is well-behaved and stops consuming upstream bandwidth within five seconds of a live stream being closed.
Many companies, however, have policies against sending data outside their LAN. How many CIOs will be comfortable with an app that sends unknown information to random PCs?
- Use of Flash’s install mechanism. Octoshape is the only outside company that’s allowed to download software using the Adobe Flash Player’s so-called Express Install feature, according to a Flash Magazine technical analysis. Express Install is used by Adobe to push updates and other software, such as Acrobat Connect and the Adobe AIR runtime.
IT admins who’d like to turn off the installation of Octoshape within their companies could disable Flash’s update mechanism, as explained in Adobe TechNote 16701594. But doing so would disable all auto-updates from Adobe, not just Octoshape.
- Security vulnerabilities. The Octoshape app is supported by an established company and is not any kind of virus or worm. However, most programs have bugs, and Octoshape specifically communicates with its own servers and other PCs in ways that are not apparent to end users.
Any Web site you visit that is “Octoshape aware” can invoke the application. If a security vulnerability is discovered in the Octoshape software, hackers could exploit the weakness.
Media players expose PC users to serious security flaws more often than Windows itself does, as WS associate editor Scott Dunn reported on Aug. 16, 2007. For instance, several new vulnerabilities were discovered in Flash Player version 9 in 2008 alone, including one rated “highly critical,” according to advisories by the security firm Secunia.
In a follow-up article on Sept. 6, 2007, Scott reported that Flash Player 9 was found to be unpatched in 62% of the Windows PCs that participated in a test. End users can correct these holes by patching the player or upgrading to version 10, but too few do so.
- Corporate revolving doors. It’s remarkable to see how a small company in Denmark has managed to gain exclusive contracts with Adobe and CNN. I’m all for innovative software firms selling cutting-edge technology.
At the same time, I wonder how these relationships came into being. Last month, Octoshape hired as its new U.S. CEO Scott Brown, previously a vice president of Turner Broadcasting, according to the Business of Video blog. Sounds like the connection between CNN and Octoshape is getting stronger all the time.
The question isn’t whether peer-to-peer technology is “good” or “bad.” P2P is here to stay.
But if all TV programs are going to be streamed live by media giants, as I’m sure will eventually happen, the question is what impact this will have on Internet bandwidth — and who will pay for it.
I’d like to see the computer industry start a well-publicized discussion in the major news media about this. If we’re going to stream TV across the Internet, shouldn’t we select an open standard (the TorrentFreak blog likes P2P-Next), rather than proprietary technology that’s restricted to a few parties with patents?
What to do if you have Octoshape on your PC
As I mentioned earlier, the Octoshape app isn’t currently a threat. But I personally would rather put up with a slightly jerky video than run an application on my PC that’s sending God-knows-what to who-knows-whom.
Fortunately, the Octoshape program isn’t hard to find or remove:
- Step 1. To find out whether the Octoshape app is running, you can use Windows’ built-in Task Manager. (Right-click a blank space on the Task Bar, and then click Task Manager.)
As Susan Bradley shows in a blog post, when you’re viewing a live stream from CNN.com, you’ll see in Task Manager a service called octoshape.exe. (In the illustration on her blog, instances of the service are shown to be consuming 63MB of RAM, but a lot of this memory may be taken up by the Flash Player itself.)
- Step 2. To remove Octoshape’s app, you can use the Control Panel in either Windows XP or Vista. In XP, the applet is called Add or Remove Programs. In Vista, it’s Programs and Features. The “Octoshape add-in for Adobe Flash Player” is the name of the program to uninstall.
Strangely, there isn’t an uninstaller for the Mac version of the app. You have to manually delete the Octoshape folder.
These removal procedures are explained in detail at the bottom of the Octoshape Grid Delivery FAQ.
There’s much more to write on this subject, but I’ll stop here. If you have additional specifics on any of this, please send a tip via the Windows Secrets contact page. Thanks!
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
If NoAutoRun.reg doesn't work, you may need space
By Dennis O’Reilly
The way word-wrapping alters line breaks in some browser windows thwarted a few of our readers’ attempts to disable AutoRun. If you manually typed a line break where the code requires a space, and you couldn’t get the file to work, a simple change will do the trick.
Windows Secrets contributing editor Woody Leonhard authored a Jan. 22 Top Story on the Conficker/Downadup worm and included a link to a Nov. 8, 2007, article.
That article, by associate editor Scott Dunn, explained how to add a Registry key to block Windows’ AutoRun function. After you do this, if you unknowingly insert a hacked CD, DVD, USB drive, or other external drive, it won’t automatically infect your PC. The technique involves copying and pasting three lines of code into a NoAutoRun.reg file, then right-clicking the file, merging it into the Registry, and rebooting.
One of the lines of code is very long and looks as follows (it’s all one line, but it word-wraps to two lines in small windows):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Reader Rob Oppenheim wasn’t the only reader who found that merging into the Registry the file he created had no effect, because he’d entered a line break where his e-mail program had word-wrapped that line:
- “In your [most recent] newsletter, you refer to a Web page that describes how to disable autoruns. The page describes a .reg file with a key that displays broken across two lines (at least on my machine it displays that way). Unfortunately, it’s not obvious that there’s a space in the key; that is, it should be ‘Windows NT’ and not ‘WindowsNT.’
“The page does explain that the key should be all on one line but does not mention that the space is required.”
If this key shows up in your e-mail program as a single line, all is fine. However, if it wraps to two lines between “Windows” and “NT,” and you manually type in the key, you may not realize that there should be a space between the two words, not a carriage return.
Regardless how the Registry key appears in your browser, if you copy the lines from Scott’s article and paste them into your text editor to create a NoAutoRun.reg file, the space between “Windows” and “NT” will be included.
Delete the key to restore your AutoRun
Several people tried life without AutoRun and decided they missed the feature. For example, after disabling AutoRun, you must manually open the autorun.inf file on any software disc you might want to auto-install. Marlin Brutlag puts it succinctly:
- “Is there a safe way to remove it [the block on Windows’ AutoRun feature] if no longer desired?”
To restore Windows’ default AutoRun behavior, simply delete the key that was created when you merged the NoAutoRun.reg file. To do this, open the Registry Editor: in Vista, click Start; in XP, click Start, Run. Then type regedit and press Enter. In the left pane, navigate to the IniFileMapping key in the Registry path shown above. Expand the key, right-click Autorun.inf below it, and choose Delete.
See Microsoft Knowledge Base article 310516 for details on adding, deleting, and modifying Registry keys.
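As an added example (not code from Scott’s article, this column, or Microsoft), the following PowerShell script checks whether the IniFileMapping key above is present with the expected value, validates a NoAutoRun.reg file for the line-wrap problem described above, and can delete the key to restore AutoRun. It assumes the .reg file sets the key’s (Default) value to @SYS:DoesNotExist, the mapping that technique uses; adjust $ExpectedValue if your file differs.

```powershell
# Added example, not code from the Windows Secrets article. Run from an elevated
# PowerShell prompt. Assumption: the NoAutoRun.reg file sets the key's (Default)
# value to "@SYS:DoesNotExist"; change $ExpectedValue if your file uses another value.
param(
    [string]$RegFile,     # optional: path to your NoAutoRun.reg, checked for the line-wrap defect
    [switch]$Restore      # delete the key, restoring Windows' default AutoRun behaviour
)

$KeyPath       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$ExpectedValue = '@SYS:DoesNotExist'

function Test-NoAutoRunRegFile {
    # Returns $true only if the .reg file carries the key on ONE line with the
    # space in "Windows NT"; a line break or a hand-typed "WindowsNT" fails here.
    param([string]$Path)
    $text    = Get-Content -LiteralPath $Path -Raw
    $keyLine = '(?m)^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun\.inf\]\s*$'
    return [bool]($text -match $keyLine)
}

function Get-AutoRunBlockState {
    # Reports whether the blocking key exists and carries the expected (Default) value.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Value = $null; Correct = $false }
    }
    $value = (Get-Item -LiteralPath $KeyPath).GetValue('')   # '' names the (Default) value
    [pscustomobject]@{ Present = $true; Value = $value; Correct = ($value -eq $ExpectedValue) }
}

if ($RegFile) {
    if (Test-NoAutoRunRegFile -Path $RegFile) {
        Write-Output "${RegFile}: key line is intact (single line, 'Windows NT' with a space)."
    } else {
        Write-Output "${RegFile}: key line is missing or broken; look for a line break or 'WindowsNT'."
    }
}

$state = Get-AutoRunBlockState
if (-not $state.Present) {
    Write-Output "AutoRun block NOT in place: $KeyPath does not exist."
} elseif (-not $state.Correct) {
    Write-Output "Key exists but its (Default) value is '$($state.Value)', not '$ExpectedValue'."
} else {
    Write-Output 'AutoRun block in place.'
}

if ($Restore -and $state.Present) {
    # Same effect as deleting Autorun.inf under IniFileMapping in Regedit; reboot afterwards.
    Remove-Item -LiteralPath $KeyPath -Recurse
    Write-Output "Removed $KeyPath. Reboot to restore the default AutoRun behaviour."
}
```

Run it with no arguments to audit, with -RegFile to check a file before merging it, or with -Restore to undo the block.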
Resuscitate a dead drive by giving it the gas
After reading reader Scotty Burrous’s description of how he brought a hard drive in his mother’s PC back from the dead, I started to think I’d been watching too many scary movies:
- “My mom’s laptop recently croaked. The two-year-old 60GB hard drive decided it had had enough and the platter quit spinning. I hooked it up to a 2.5-inch USB adapter after removing the cover, negating any and all out-of-date warranties, etc. When energized, the indicator LED — normally green — was red and the platter didn’t move.
“There were a few files my mom hadn’t backed up — sigh, she’s 86 years old — but decided she desperately needed. With tweezers, I manually rotated the platter on the hub, not touching the disk. I noticed it was difficult to turn, so I figured, ‘What the hell?’
“I purchased a container of butane — the stuff you refill a cigarette lighter with — and dispensed some of it (frequently) onto the bottom bearing. When energized, the platter spun up and I managed to get all the pertinent data from the drive! And with continued application of the butane, I ended up copying all the data from the (now) ex-drive.”
I’m going to take Scotty’s word that this tip actually worked — but kids, don’t try the butane-on-the-bearing trick without adult supervision! (I can’t help wondering what Scotty tried on the sick drive before he turned to lighter fluid.)
Readers Rob, Marlin, and Scotty will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
Giving up on society? Get one of these!
By Katy Abby
Every few years, a product comes along that is inexplicably popular. Despite tedious advertising, a questionable concept, and mediocre value, consumers hand over their hard-earned dollars with reckless abandon to own the next hot-ticket item. One such phenomenon is the subject of this hilarious infomercial parody. Before you start thinking about snuggling up on the couch with one of these plush pieces, listen carefully to what the narrator’s saying. Your self-esteem — and social life — may depend on it! (Warning: the video contains strong language.)
Make sure your PC's BIOS supports USB
By Fred Langa
USB drives, mice, keyboards, and other peripherals are great — when they work. Unfortunately, some PCs have problems recognizing and using USB devices at boot time.
New USB keyboard won’t work without Windows
Sam Stamport ran into trouble getting his PC to recognize a new USB keyboard at boot time, before Windows loads. His problem sounds specific, but the solution applies to a whole raft of low-level USB issues, such as the inability to boot from an external USB drive:
- “Fred Langa’s recent discussion of backups reminded me that I haven’t made an image backup in a while, so I tried to make one today, only to find out that my new USB keyboard is not recognized. (I can’t type anything into the low-level imaging software, [which runs] outside of Windows.) I don’t have another keyboard, so I need a way to make this work.”
That’s a hardware problem, Sam. Although most newer hardware can recognize and work with USB devices right at boot time — before the operating system loads — some older machines have no USB support built into the system board’s firmware. On those systems, USB devices work only after the OS provides the necessary USB drivers.
A third group of machines — neither new nor ancient — may have varying levels of USB support built in. Getting USB devices to run at boot time on these systems can be hit-or-miss. You can usually tell whether your system supports USB directly, rather than depending on the OS, by checking the PC’s BIOS settings.
BIOS stands for Basic Input/Output System; it controls some of the lowest-level operations in your computer and is also one of the first things activated when you turn on the PC’s power. When you start up, you’ll almost always see a BIOS message on your screen that includes the BIOS maker and instructions for entering the BIOS setup program.
In some BIOSes, you press F1 or F2 as the system starts; in others, you hit Esc, Del, or some other key combination. Whatever the specifics, pressing the appropriate key(s) at boot time stops the PC from loading the operating system, as it would in a normal boot, and opens the BIOS setup program instead.
Microsoft MVP Michael Stevens has written a nice article with lots of information on how to access the BIOS settings on PCs from many different manufacturers.
If you’ve never poked around your BIOS before, the settings can be intimidating; there’s lots of jargon and other arcana. But if you explore the settings under Peripherals, Boot Options, or some similar heading, you’ll probably find an entry related to built-in USB support. If it’s there, follow the on-screen instructions to enable support — if it’s not already enabled.
After changing any BIOS setting, you have to follow the on-screen instructions to save the modifications and then reboot to see the effects. If a changed setting doesn’t work or makes your PC perform less well, simply reboot, re-enter the BIOS setup program, and restore the setting to what it was before.
Here’s one of my favorite BIOS tricks: I use a digital camera to take snapshots of every page and setting in the BIOS. Once the images are saved in a secure location, I refer to them if I’m not sure what the original settings were or if I need to revert to the factory setup.
Many BIOSes also have a “reset” or “return to default” option, but these settings sometimes differ from the way the manufacturer shipped the machine to you. Having digital photos to refer to removes all ambiguity as to what the original settings were.
If you poke around in the BIOS and can’t find anything relating to USB, your system simply may not offer built-in USB support. Check the PC vendor’s site; you may find free BIOS updates available there, along with a description of what features the new BIOS adds or modifies.
Some third-party vendors also sell upgrade and replacement BIOSes. You’ll find a ton of ’em by searching in your favorite engine for the phrase replace upgrade bios.
Finally, if these steps are too much hassle, just connect an old-school PS/2-type keyboard and mouse when you need to do low-level maintenance on your PC. Almost all older systems that don’t have built-in USB support do have built-in PS/2 support and will work fine with the old-style keyboards and mice. You can get a basic PS/2 keyboard for under $10 and a basic mouse for even less!
Calling the final shot re: Vista vs. XP
Mark Atkins needs to buy a truckload of laptops and has to pick an OS:
- “I’m replacing approximately 150 notebooks for my company in the second quarter and am torn between XP Pro and Vista. Realizing that we won’t see Windows 7 until sometime in 2010, what would you recommend? Do you think there will be an easy upgrade path from XP to Windows 7?”
Most of Vista’s teething pains are over, Mark, especially for brand-new hardware. I recently got a new notebook myself, and it runs Vista like a proverbial charm: smooth, fast, and good-looking; and because the notebook was designed for Vista, I’ve had zero driver issues. Everything just plain works.
Plus, XP is in its final stages of full support from Microsoft. Making a major investment in XP now will tie you to a rapidly aging OS.
Looking ahead, Windows 7 should be a relatively easy upgrade from Vista; the technology hurdle from Vista to Win 7 will be smaller than the one between XP and Vista. Having Vista hardware in place when Win 7 arrives will probably make your future support/upgrade work easier, as opposed to skipping Vista and doing a double jump from XP straight to Win 7.
That said, there are two special factors to watch out for in a corporate setting. One is legacy infrastructure, both hardware and software. If you’re dragging along Bronze Age printers or critical software written in cuneiform, neither Vista nor Win 7 may be entirely happy. You’ll need to check that such legacy issues will work out OK.
The other consideration for organizations is the added support costs. Vista and Win 7 are both different enough from XP and earlier Windows versions that there is a short adjustment period. Some things are named differently or are located in different places.
This is nothing major, and most of the changes make sense once you step back and think about them. Vista’s built-in help system is also excellent, which makes self-answering the “How do I …?” questions a lot easier. But expect a few extra support calls as users make the switch.
If I were you, I’d go with Vista for new hardware, for sure.
Allow or deny ‘act as a server’ requests?
You get them, I get them: obscure messages from our firewalls asking whether some software component or another should be let loose online. Maurice Carson ran into a problem with a program that wanted to act as a server:
- “I was wondering whether someone could write about programs ‘wanting to act as a server?’ I have ZoneAlarm as a firewall and it seems almost every program I open wants to act as a server: Windows Explorer, Adobe, Excel, Spybot, etc.”
“Act as a server” is a vague term meaning simply that the software wants to serve up information in response to external requests rather than use the standard “client” mode, where you receive information from other sources.
Sometimes, as with some forms of two-way video or audio communication, the reason for needing server status is obvious. But many times, the need is a lot less apparent.
Here’s a way to sort through the confusion: when software wants to act as a server and you can’t think of a reason why it should, deny it access but don’t make the denial permanent yet. Just say no this one time and see what happens.
Remember, almost all Windows PCs are able to run just fine as standalone computers, unconnected to a network. Therefore, denying some software Internet access or server rights shouldn’t hurt anything. At worst, the software will operate as if you were offline; maybe you’ll lose some functions, such as auto-updating.
If you find that denying “act as a server” permission causes a meaningful problem, you’ll then know to let that given software act as a server in the future and can set it as a permanent rule.
On the other hand, if you find that denying “act as a server” makes no discernible difference at all — the program does all it should, updates normally, etc. — then you know that for your particular situation, “act as a server” isn’t needed and you can safely make the denial a permanent rule.
So when the risks are very low, a little trial-and-error can go a long way toward sorting things out.
Voicing an opinion on text-to-speech software
A reader calling himself (herself?) “Bad Dog” offered this tip, which made me sit up and beg:
- “I recall some mention of a program that would read out loud from the computer. I have been using the free DSpeech (more info) for some time and have to say it accepts rather large files, compared to the free ReadPlease program (more info) that I used to use. DSpeech does more, but to keep this short, I’ll just say check it out!”
Thanks, er, Bad Dog.
Vista and XP both have Narrator (more info), a bare-bones, very limited text-to-speech (TTS) reader as well as the slightly more capable Speech Recognition (more info), which uses automatic speech recognition (ASR). Both are more trouble than they’re worth. Other TTS products require less effort to use and yield better results.
Like our canine cohort, I also was a long-time ReadPlease user. I especially liked the program’s customizability and the high-quality voices it supported. But I had tons of trouble migrating ReadPlease to Vista.
Lately, I’ve been using NaturalSoft’s Natural Reader program for basic TTS (more info). Natural Reader comes in handy for proofreading and having what I’ve written read back to me. The company offers free and commercial versions, and both are extremely easy to set up and use. If your main goal is simply to hear written text spoken aloud, it would be hard to beat Natural Reader.
But as Bad Dog barks, DSpeech does more, handling both TTS and ASR. You can use DSpeech not just to read back text but also to control your PC with spoken commands.
DSpeech even supports a basic built-in scripting language that enables a form of hands-free, two-way interaction with your PC: you issue voice commands, and the scripts tell the machine what to do and what to reply. You can even have rudimentary conversations with your system!
Because DSpeech does a lot more than Natural Reader, it’s a lot more complicated to use. The author of DSpeech is not a native English speaker. This has no effect on the quality of his work nor the software voices you hear, but his instructions for setting up and using his software are sometimes difficult to follow.
Still, if you want a free, feature-rich TTS/ASR tool, DSpeech is a very attractive option.
Thanks for the tip. Good dog! Sit. Stay.
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Microsoft claims Windows 7 UAC flaw is by design
By Woody Leonhard
Changes to User Account Control are designed to make Win7 less annoying, but they also make the OS vulnerable, according to a prominent researcher. A very simple Visual Basic script — which in many cases runs without any prompts — can disable UAC completely, without warning.
Attempts to enhance UAC make it vulnerable
On Jan. 30, Windows über-geek Long Zheng posted a detailed explanation of a security flaw he had discovered in the Windows 7 beta, along with working proof-of-concept code. The next day, Microsoft responded with a lengthy riposte, declaring “[t]his is not a vulnerability” and refusing to fix the problem when Windows 7 ships later this year. And therein lies a story …
Anyone who has used Windows Vista for any time at all has encountered UAC, the vilified but effective security feature that dims the screen and forces you to click, click, and click again before you’re allowed to make changes to your PC.
Yeah — I hate UAC, too.
Windows 7, which is expected to ship as early as this summer, takes great strides to reduce the number of clicks required to perform many common tasks. If you use an administrator account, Win7’s Action Center lets you set a slider to choose among four levels of UAC intrusiveness, er, accountability (see Figure 1).
Figure 1: Windows 7 provides four levels of User Account Control.
• Level 1 always brings up the full UAC notification when a program tries to install software or make changes to the computer that require an administrator account. It also generates the UAC pop-up when you try to make changes to Windows settings that require an administrator account, even if you’re already using such an account.
• Level 2 brings up the UAC notification when a program attempts to change your computer in a way that requires an administrator account — just as with Level 1 — but not when you make changes to Windows settings. This is the default setting in Windows 7.
• Level 3 is the same as Level 2, except the UAC notification doesn’t take over the PC and dim the screen. Dimming is only part of the equation: when the screen isn’t dimmed, UAC isn’t in complete control of your computer and a running program can “send keys” or otherwise monkey with the UAC prompt.
• Level 4 disables UAC: programs can install other programs or make changes to Windows settings. This level lets you change anything you like without triggering any UAC prompts. Note that Level 4 doesn’t override other security settings: for example, if you’re using a Standard account, you still need to provide an administrator ID and password before you can install a program that runs for all users.
This description sounds pretty simple, but the details are quite complex. Win7’s help system says that if your computer is at Level 2 — the default setting — “[y]ou will be notified if a program outside of Windows tries to make changes to a Windows setting.”
How does Windows 7 tell when a program is “outside of Windows” and thus whether actions taken by the program are worthy of a UAC prompt at Levels 2 or 3? Tough question, as you’ll see shortly.
Long’s view: cracking Win7’s UAC is too easy
Long Zheng’s article, titled “Sacrificing security for usability: UAC security flaw in Windows 7 beta,” shook many of us who are testing Windows 7. Crediting a post on WindowsConnected.com and discussions with developer Rafael Rivera, Long explains that the UAC level rules are interpreted according to a special Windows 7 security certificate.
Programs signed with that certificate are deemed to be part of Windows. Programs that aren’t signed with that specific certificate are “outside of Windows” and thus trigger UAC prompts if your computer is set at UAC Levels 1, 2, or 3. Long notes that the act of changing the UAC level counts as “a change to Windows settings” — not surprising — and thus does not trigger a UAC response at Levels 2, 3, or 4.
Here’s the surprising part: Long and Rafael wrote a very simple VBScript that you can copy and run for yourself. The script changes the UAC level in Windows 7 from 2 to 4. The four lines of the cracker program that change the UAC level are these:
WshShell.SendKeys("{TAB}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")
This is the simplest security-busting program I’ve ever seen.
If you run that program with your UAC level at 2, UAC will check to see whether the program is “outside of Windows.” In this case, the VBScript is calling something named WScript.Shell, which is part of Windows and signed with a Windows 7 security certificate. Since the cracker program is perceived as being inside Windows, it runs without generating any UAC prompt.
If you run the script on your computer, you’ll see that Windows has to restart in order to turn off UAC entirely. As Long notes, it’s pretty easy to write a program that restarts Windows.
Bottom line: it’s almost trivially easy to write a program that disables User Account Control entirely when it’s run using a Windows 7 administrator account. Long recommends that Microsoft fix the problem before Windows 7 ships.
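The four slider levels are backed by a handful of registry values, which is also what lets an administrator notice when a script has silently moved the slider. The PowerShell below is an added example, not code from the column or from Microsoft; the level-to-value mapping it assumes comes from the Windows 7 beta and should be confirmed on your own build.

```powershell
# Added example (not from the column): read the registry values behind the
# Windows 7 UAC slider, report which of the four levels they correspond to,
# and flag a silent downgrade. The mapping is an assumption based on the
# Windows 7 beta; confirm it on your build.
#   Level 1 (always notify)     : ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1
#   Level 2 (default)           : ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1
#   Level 3 (no screen dimming) : ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=0
#   Level 4 (never notify)      : EnableLUA=0 (takes effect after the restart)
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    $level = 0   # 0 = a combination the slider never produces (policy or hand edit)
    if     ($enableLua -eq 0)                  { $level = 4 }
    elseif ($consent -eq 2 -and $secure -eq 1) { $level = 1 }
    elseif ($consent -eq 5 -and $secure -eq 1) { $level = 2 }
    elseif ($consent -eq 5 -and $secure -eq 0) { $level = 3 }

    New-Object PSObject -Property @{
        Level                      = $level
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        # Without the Secure Desktop a running program can reach the prompt
        # (the SendKeys problem described above), so only Level 1 and Level 2
        # prompts are isolated from other software.
        PromptIsolated             = ($enableLua -eq 1 -and $secure -eq 1)
    }
}

# Compare the live setting against the level you chose (the column's advice
# is Level 1). Returns $true while it still matches, $false once something
# has moved the slider, e.g. the SendKeys script described above.
function Test-UacLevel {
    param([ValidateRange(1,4)][int]$Expected)
    $current = (Get-UacLevel).Level
    if ($current -ne $Expected) {
        Write-Warning "UAC slider is at level $current, expected $Expected"
        return $false
    }
    return $true
}

# Put the slider back (must run elevated). Levels 1-3 only: writing
# EnableLUA=0 is exactly the downgrade this check exists to catch.
function Set-UacLevel {
    param([ValidateRange(1,3)][int]$Level)
    $values = @{ 1 = @(2,1); 2 = @(5,1); 3 = @(5,0) }[$Level]
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1          -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $values[0] -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value $values[1] -Type DWord
}

Get-UacLevel | Format-List
Test-UacLevel -Expected 1
```

Because the slider writes EnableLUA=0 immediately and the change only takes effect after the restart mentioned below, a scheduled run of Test-UacLevel catches the downgrade before the reboot does.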
Microsoft is tap dancing as fast as it can
Microsoft’s response to Long includes the following statement:
- “This is not a vulnerability … The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level … The only way [the UAC level] could be changed without the user’s knowledge is by malicious code already running on the box … In order for malicious code to have gotten onto the box, something else has already been breached (or the user has explicitly consented).”
In other words, Microsoft doesn’t see this as a security breach and won’t be fixing it.
The online community has exploded with a barrage of opinions on all sides. Clearly, if you intentionally run a program and that program does something bad to your computer — change the UAC level or reformat the C: drive, for example — you’re the one who tempted fate and reaped the consequences.
Just as clearly, a program that runs at a low level of security — causing no prompt at all for a typical administrator account in Windows 7 — and that turns off UAC with no warning whatsoever gives most people the willies.
Finding the best mix of security and convenience
So who’s right, Long or Microsoft? They both are. And they’re both wrong. Let me explain:
Looking at the behavior from the point of view of a typical Windows 7 user — someone who barely understands the difference between an administrator and a standard account — the problem certainly seems, well, shocking.
But it isn’t just the n00bs who should be concerned. Many of us who have dealt with Windows administrator accounts for years were quite surprised to learn that a silent program could zap UAC. I don’t know about you, but labeling a homegrown VBScript that calls Windows Shell an “inside Windows” program stretches my definition of “inside” beyond the breaking point.
That said, what Microsoft asserts is true as well. Changing the UAC level is certainly altering a Windows setting. If you leave your computer at UAC Level 2, you’re allowing “inside Windows” programs to change Windows settings without warning.
More importantly, if you’re running a program that zaps your UAC setting, that program can do all sorts of bad things. Any such program must’ve arrived via some security breach.
In the end, I agree with Long that Microsoft should make a small change to Windows 7’s current behavior:
- “There is a simple fix to this problem [that] Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click ‘yes’) but [rather] a simple one I would encourage Microsoft to implement.”
Don’t be fooled; we’re looking at a stopgap. Windows 7 won’t be secure until it can tell — reliably — which actions were initiated by the user and which were started by a program. The OS must also provide security prompts accordingly.
I wrote about this approach more than two years ago in a Woody’s Windows column that took Microsoft to task over implementation of UAC in Vista. Getting that level of security in some future version of Windows will require a major rewrite. I won’t hold my breath.
(As we were going to press, Long Zheng posted details about a second Windows 7 UAC security flaw. The problem Long describes has its roots in the “inside Windows”/“outside Windows” dilemma discussed above. It remains to be seen how Microsoft will respond. In the interim, Long recommends that Win7 users set their UAC prompt to Level 1. I’ve done exactly that on all my Windows 7 machines.)
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Conficker/Downadup woes may not be over
By Susan Bradley
Though the Conficker worm’s infection rate appears to have peaked, the millions of now-compromised PCs constitute a potential botnet bonanza. Most Conficker-infected PCs are in China, Russia, and Brazil, where pirating is prevalent and patching is rare; the U.S. infection rate is much lower.
MS08-067 (958644)
Waiting for the Conficker botnets to strike
The spread of the worm known as Conficker, Downadup, and Kido is slowing, according to a study by virus research firm F-Secure, but the malware’s damage may not be over. As reported by Windows Secrets contributing editor Woody Leonhard in his Jan. 22 Top Story, the defense against this worm is to install the patch described in MS08-067 (958644).
The F-Secure research indicates that more than 4 out of 10 of the PCs infected with this worm are in China (15.1%), Russia (13.9%), and Brazil (11.9%). Only slightly more than 1% of infected PCs are associated with IP addresses in the U.S.
Many of the PCs in countries where Conficker infection is rampant, including India and Ukraine, run pirated copies of Windows. These systems are much less likely to be patched on a regular basis, which makes them vulnerable to this and other malware.
If you’re unsure whether you’ve installed the patch that thwarts Conficker, click Start (Start, Run in XP), type appwiz.cpl, and press Enter. In Windows XP, make sure Show updates is checked at the top of the Add or Remove Programs window. In Vista, click View installed updates in the top-left pane. Look for Security Update for Microsoft Windows (KB958644).
Just because your PCs are patched against this worm, don’t think it can’t sting you. According to a Computerworld article, researchers are impressed with the technical skill of Conficker’s developers. The antivirus vendors anticipate a follow-up attack that will download more malware to the infected PCs or use them to send spam or to launch denial-of-service attacks.
A recent article in the Register described a hospital in Sheffield, U.K., that was hammered by Conficker. I feel for any mission-critical computing environment that has to balance the need for patched systems with the pain that patching causes, but I think there’s more to this story.
The worm infestation was reportedly aggravated by the IT staff’s decision in December to disable automatic updates because a computer rebooted during surgery.
I’m going to speculate that the IT staff was not empowered to set an appropriate patching policy. When I walk into a hospital on a Patch Tuesday, I hope that no vital system is attached to the Internet, getting updates willy-nilly.
I advise everyone to set Windows’ Automatic Update to Download updates but let me choose whether to install them and then wait a day or two before installing them, just in case the update causes more problems than it solves. Scott Dunn’s Aug. 14, 2008, Top Story provides step-by-step instructions for changing Windows’ update settings.
951847
Just say no to this .NET 3.5 update
The most recent batch of updates from Microsoft included one for my favorite Windows component: .NET Framework 3.5 SP1. Now, if you could see me, you’d notice the big smirk on my face. That’s because patches for the .NET platform are definitely not among my favorite things.
The fix described in KB 951847 is pushed to any PC that has .NET 2.0 or greater. If you’re offered this patch — regardless of whether you have .NET 3.5 installed — you will end up with .NET 2.0 SP2, .NET 3.0 SP2, and .NET 3.5 SP1. The only application — or platform, in this case — on my system that uses .NET 3.5 is Small Business Server 2008. QuickBooks 2008 and 2009 still use .NET 2.0.
Personally, I’m not pleased that this .NET 2.0 patch has been bundled into a .NET 3.5 upgrade. It feels a bit too much like bait and switch to me.
How can you determine which applications use which versions of .NET? Microsoft states that you can substitute .NET 3.5 for all versions of .NET down to Version 1. In reality, you can’t.
I support line-of-business applications that run only with the older .NET versions. I recommend against installing .NET 3.5 and uninstalling all previous versions, particularly if a line-of-business application such as QuickBooks has installed the older versions.
If you encounter any problems after installing this .NET patch, use Aaron Stebner’s .NET cleanup tool to remove the update (download page). Then reinstall the .NET update you just removed.
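The three checks this column asks you to make by hand (is KB958644 installed, which .NET versions are on the box, and how Automatic Updates is set) can be scripted. The following is an added example, not code from the column; it assumes PowerShell 2.0 on XP, Vista or Windows 7 and the registry layout noted in the comments.

```powershell
# Added example (not from the column): script the checks the column describes.
# Assumes PowerShell 2.0 and the NDP registry layout commented below.
function Test-ConfickerPatch {
    # KB958644 is the MS08-067 fix; Get-HotFix lists the same installed updates
    # that appwiz.cpl shows under "Show updates" / "View installed updates".
    $hf = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
    return ($null -ne $hf)
}

function Get-InstalledDotNet {
    # One subkey per 1.x/2.x/3.x framework (v2.0.50727, v3.0, v3.5); Install=1
    # means present and SP holds the service-pack level. After KB 951847 you
    # should see v2.0.50727 SP2, v3.0 SP2 and v3.5 SP1 regardless of what
    # was installed before.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    Get-ChildItem -Path $ndp |
        Where-Object { $_.PSChildName -match '^v[123]\.' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.Install -eq 1) {
                New-Object PSObject -Property @{
                    Version     = $_.PSChildName
                    ServicePack = [int]$p.SP
                }
            }
        }
}

function Get-AutoUpdateMode {
    # Microsoft.Update.AutoUpdate exposes the control-panel choices:
    # 1 = disabled, 2 = notify before download,
    # 3 = download updates but let me choose whether to install them
    #     (the setting recommended above), 4 = install automatically.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return [int]$au.Settings.NotificationLevel
}

# Report
if (Test-ConfickerPatch) { 'KB958644 (MS08-067) is installed' }
else { Write-Warning 'KB958644 (MS08-067) is missing: this PC is exposed to Conficker' }

'Installed .NET frameworks:'
Get-InstalledDotNet | Format-Table Version, ServicePack -AutoSize

$mode = Get-AutoUpdateMode
if ($mode -eq 3) { 'Automatic Updates: download but let me choose (recommended)' }
else { Write-Warning "Automatic Updates mode is $mode, not 3 (download but let me choose)" }
```

Run it before and after applying KB 951847 and the .NET listing shows exactly which framework versions the family update replaced.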
.NET family update (951847)
A cautionary tale of a .NET patching mess
You already know I’m not a fan of .NET patching, and recently I learned all over again why I don’t like it. I decided to install the patch described in KB 951847, a .NET family update for those who already have .NET 2.0 on their system. The update includes .NET 2.0 SP2, .NET 3.0 SP2, and .NET 3.5 SP1. The Vista PC I was using shipped with .NET 2.0.
This system also uses Peter Schmidt’s RibbonCustomizer utility for Office 2007 (more info). This utility adds to the suite the classic Office toolbar as well as a productivity toolbar that helps workers in our office use standard forms. As it turns out, the program conflicts with the .NET family update.
“No problem,” I thought, “I’ll just remove the .NET family patch.” Not so fast.
My first mistake was to remove .NET 3.5 SP1 via Vista’s Programs and Features applet in the Control Panel. I was sure this would solve the problem. It didn’t. So I downloaded Aaron Stebner’s .NET cleanup tool (more info), expecting that I’d be able to remove .NET 2.0 SP2, which I suspected of being the offending patch.
One problem: you can’t remove .NET 2.0 from Vista because the framework is built into the operating system. I tried to turn back the clock by using System Restore: click Start, type rstrui, and press Enter to launch the program.
I selected a time before the application of the .NET patches and began the restoration, which completed as expected. However, when I went to log back into the computer — and ultimately to the domain at the office — I was informed that I had broken the domain trust and could not log back into the office network.
Fortunately, I had kept a local account on the Vista workstation to log back in, but even after Vista loaded, it was painfully obvious that the OS was not happy with the aborted change.
What’s the lesson to take from this? Whenever you make a change to your system, have a backup handy and be ready to roll the machine back. Don’t assume that you can uninstall patches. And the next time I see a .NET patch trying to worm its way onto my PC, I’m going to run the other way!
QuickTime needs this security patch pronto
Why not mark the 25th anniversary of Apple’s Macintosh (as described by CNN) by updating the QuickTime players on your Windows PCs and Macs? Many of the holes patched in the latest update (as listed in an Apple article) appear to be great vectors for malware.
I haven’t seen any reports of virus attacks exploiting this yet, but I expect QuickTime to be the target of future malware assaults.
Note that on a Windows XP SP3 machine with only the QuickTime player installed, the Apple installer checked the option to install new versions of iTunes and QuickTime but did not precheck the option for Safari (see Figure 1 below). If you don’t want iTunes, be sure to uncheck this option when patching QuickTime.
Figure 1: Apple’s update installer wants to load new versions of iTunes and QuickTime, but you need only the QuickTime update.
BitTorrent downloads can lead to back doors
Where you get your software and updates matters. If you download programs from a reputable site, you can be pretty sure the file is free of malware. But as the recent release of the Windows 7 beta showed, many folks bypass Microsoft and other trusted software sources and instead download programs from BitTorrent sites.
Many Macintosh users discovered a chilling side to this trend, however. When they visited BitTorrent sites hosting the new version of the iWork office suite, they ended up with infected machines. As reported by SANS: Internet Storm Center, the download included a back-door Trojan.
This is one of the reasons I continue to recommend that you get your updates and patches from Microsoft directly. Don’t ever download patches or hotfixes from any other Web sites (with the exception described below). These sites may mean well, but the risk that the updates are infected is too great.
Bottom line: install Windows patches only from Microsoft’s official update sites or via a service, such as Secunia’s Online Software Inspector (free for personal use only), that uses the Microsoft update servers. The free Shavlik Patch Google Gadget (download page; scroll to the bottom) likewise downloads Windows updates from Microsoft’s servers. Similarly, when patching Apple software, use only the Apple Software Update tool or download the fixes directly from Apple’s site.
Internet Explorer 8 Release Candidate 1 debuts
Amid the recent buzz on the MSDN IE Blog — about the new WhiteHouse.gov site not displaying correctly on machines running the Windows 7 beta — were hints that Internet Explorer 8 Release Candidate 1 is almost here. The IE 8 team’s general manager was interviewed regarding the release candidate on the Defense in Depth blog as well.
As a release candidate, IE 8 is very close to being finalized. I recommend that you install this version of the browser only on computers you don’t rely on. IE 8 will be distributed incrementally to consumers, just as IE 7 was released in waves.
For businesses, a tool to block IE 8 was announced on the program’s blog. However, when IE 8 does show up among Microsoft’s Updates, you can easily decline the update until such time as I sound the “all clear” for installing the new version.
Watch for an important Home Server update
Very soon, Windows Home Server users will receive an update to fix a problem with the repair of abnormalities detected in the home computer backup database. As discussed on the Windows Home Server blog, the patch described in KB 958926 should be offered within the next several days to PCs running Windows Home Server. If you’re a Home Server user, install this fix as soon as possible.
By the way, the HP versions of Home Server were recently in the news for including software to back up Macintosh clients as well as native Windows ones. Looks like even HP is jumping on the Apple bandwagon these days.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).