2005 Gear of the Year, part 1
In this issue
- TOP STORY: 2005 Gear of the Year part 1
- WOODY'S WINDOWS: To defrag or not? NOPE
- HOT TIPS: Debate: To defrag or not? SURE
- WINDOWS SECRETS: Sony CDs install PC rootkit
- PATCH WATCH: Are you sure you can recover?
2005 Gear of the Year part 1
By Brian Livingston
I’ve always found it hard to locate trustworthy ratings of Windows products using search engines. Now you don’t have to wade through page after page of e-tailers’ listings — I’ve scoured every available published test to pick the best for my first Gear of the Year awards.
Today, I’m declaring winners in eight big-ticket categories. In part 2 of this feature, to be published in the Nov. 22 newsletter, I’ll reveal standout products in several lower-priced market segments.
I don’t have my own test lab, so instead I analyze everything I can get my hands on from respected testers. It’s often confusing when different reviewers, such as PC Magazine, PC World, and CNET, disagree in their ratings of the same products. But, surprisingly often, the same product does emerge with high scores from two, three, four or more out of the dozens of review sources I follow. Those products earn my Gear of the Year award.
I usually summarize the latest rankings in the newsletter’s Index of Reviews section. We’ve left that section out this issue to make room for the Gear of the Year. You can find every review we’ve indexed in the past 12 months in the Reviews section of WindowsSecrets.com.
2005 CAMERA OF THE YEAR
7-megapixel shooters get ultracompact
A new digital camera seems to appear every day, and no single model is right for every kind of photographer. But one super-compact model that’s won a ton of kudos is the Canon PowerShot SD500, the first Digital ELPH with more than 7 megapixels. It’s won the Ultimate Choice award from Ultimate Mobility Magazine, Editors’ Choice from PC Magazine, tied for top score in PC World, and taken the silver medal in Wired Magazine.
More info: Canon PowerShot SD500. Link to all ratings and full reviews of cameras.
2005 LCD OF THE YEAR
Flat screens redefined at 1920 by 1200
Nothing makes working on a computer more productive than having a lot of real estate to play with. Really big flat-panel LCDs used to be prohibitively expensive. But now a 24-inch monster is available from Dell for less than $1,000 — and it’s a 1920×1200 widescreen, to boot, with a 1000-to-1 contrast ratio. Not only is the UltraSharp 2405FPW top-rated by CNET, CPU Magazine, and PC World; its smaller 19-inch and 17-inch brothers, the UltraSharp 1905FP and 1704FPT, are also rated the best in their size categories by PC World and Consumer Reports, respectively.
More info: Dell UltraSharp 2405FPW. Link to all ratings and full reviews of LCD monitors.
2005 LAPTOP OF THE YEAR
A notebook for instant DVD gratification
The Toshiba Qosmio G25 desktop-replacement notebook computer stands out for its instant-on CD/DVD player and other multimedia features. It’s won an Editors’ Choice award from PC Magazine and a Mobile Choice award from Mobile Magazine, and its predecessor, the G15, was rated a Best Buy in Laptop Magazine.
More info: Toshiba Qosmio G25. Link to all ratings and full reviews of laptops.
2005 MP3 PLAYER OF THE YEAR
By far the dominant music player at the beginning of this year was the Apple iPod Photo. With its 30 to 60GB hard drive, brilliant color screen, and convenient photo management, this model helped Apple capture 72% of the MP3 player market in America. Today, the slimmer, Flash-only Apple iPod nano earns the Gear of the Year award, and a CNET Editors’ Choice, with the video-enabled 60GB 5th-generation iPod taking our honorable mention.
More info: Apple iPod nano. Link to all ratings and full reviews of MP3 players.
2005 DRIVE OF THE YEAR
Add 250GB to your network with one click
Sometimes you absolutely need more storage space, and plugging a new hard drive into your small-office or home network is the way to do it. The Buffalo Technology Linkstation adds 250 gigabytes to your life with little more work than plugging in a cable. It rates a Best Buy from PC World and not once but twice received an Editors’ Choice award from CNET, in February and May.
More info: Buffalo Technology Linkstation. Link to all ratings and full reviews of hard drives.
2005 PDA OF THE YEAR
It’s been a year of flux in personal digital assistants, with even Palm migrating toward Microsoft’s Windows Mobile operating system. The Dell Axim X30 captured the most awards this year, described as the “best low-cost Pocket PC” by Pen Computing, PDA Buyer Magazine, and PC World as recently as August. But the new Axim X51v — the first Windows Mobile 5.0 handheld, released on Sept. 22 — clearly outranks it and already boasts several Editors’ Choice awards, which we’ll add to the index soon.
More info: Dell Axim X51v Pocket PC. Link to all ratings and full reviews of PDAs.
2005 PROJECTOR OF THE YEAR
The business projector that’s on the greatest number of reviewers’ short lists this year is the Dell 1100MP. It’s been favorably reviewed by Ultimate Mobility and Laptop Magazine and is one of five projectors that currently boast an Editors’ Choice from PC Magazine. The 1100MP, however, is the only Editors’ Choice priced under $800, rating just as highly as its $1,000 to $2,000 competitors. (If you want to project videos rather than PowerPoint slides, the Optoma MovieTime DV10, which comes with a built-in DVD player, is PC Mag’s current Editors’ Choice for consumer portables.)
More info: Dell 1100MP projector. Link to all ratings and full reviews of projectors.
2005 PRINTER OF THE YEAR
Dell lowers the price point for color
Color laser printers used to be unaffordable luxuries for most small offices and homes. That was before the Dell 3000cn, which currently starts at under $320 for 32-bit versions of Windows. Along with the multi-platform 3100cn ($400) — which also supports Mac, Unix, Linux, and Novell — this series of color printers has been top-rated by CNET and PC World (including all-new tests that have just come out in that magazine’s December 2005 issue).
More info: Dell 3000cn color laser printer. Link to all ratings and full reviews of laser printers.
It’s likely that no one will completely agree with the above selection of products. That’s fine. In fact, that’s why I created the Index of Reviews in the first place, so different rating systems with all kinds of criteria could be brought together in one place.
You might actually prefer a product that rated only 2nd or 3rd place. Just look through our reviews pages, mull over the last 12 months of ratings from various sources, and reach your own decision.
The Gear of the Year awards will continue with part 2 in the next issue. Until then, good hunting!
——————
For non-U.S. sources of information on a product reviewed above, enter the model name into a search box at one of the following links: Canada / U.K. / Elsewhere
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
To defrag or not? NOPE
By Woody Leonhard
That is the question.
Whether ’tis nobler in the mind to suffer the slings and arrows of outrageous fortune, or to… Oooops, wait a sec. Wrong century.
I’m amazed at the number of “experts” who advise you to frequently defragment your hard drive. In the good old days — certainly in Shakespeare’s day — that qualified as good advice. Nowadays, defragmenting almost always rates as a colossal waste of time.
How your disk gets fragged
You probably know that files on your hard drive get spread out over time. Fragmenting occurs because of the way Windows recycles unused slots on your disk.
Every disk is organized into fixed-size cubbyholes called “clusters.” Windows maintains a list of available clusters — ones that aren’t being used. When you (or a program) need more room on a disk, Windows consults its list of available clusters, hands over as many clusters as necessary to accommodate the request, and takes those clusters off the available list. Conversely, when you (or a program) delete a file or part of a file, Windows doesn’t actually delete the data. Instead, it puts the appropriate clusters back on its available list.
When you first start using a hard drive all of your files, more or less, occupy contiguous cubbyholes. Over time, though, files get scattered all over the disk, like a patchwork quilt. In geek speak, that scattering is called fragmentation.
Defragmenting — de facts
When drives were slow and all children scored above average, fragmentation put a real dent on computer performance. While your hard drive jumped to the far ends of the earth, gathering noncontiguous clusters like flowers in May, you sat and twiddled your fingers. And toes.
PC pioneers recognized the problem, and wrote programs that sucked files off hard drives, pulled the pieces together, then laid the files back in contiguous cubbyholes. Defragmenting made a big difference in overall system performance. Geeks ran defrags every few weeks, as part of a hard drive workout regimen.
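The cluster bookkeeping just described, and what a defragmenter does about it, as an added illustration (not code from the newsletter or from any Windows component). The disk has a handful of fixed-size clusters, an available list that hands out free clusters lowest-number-first, a delete that only returns clusters to the list, and a defragmenter that packs each file back into one contiguous run. The disk size, file names and file sizes are constructed.

```python
"""Toy model of the cluster bookkeeping described above: a disk of fixed-size
clusters, an "available list" that hands out free clusters in order, deletion
that only returns clusters to the list, and a defragmenter that packs each
file back into one contiguous run.  Added illustration, not code from the
newsletter or from any Windows component; the disk size, file names and
sizes are constructed."""

FREE = None  # marker for a cluster that is on the available list


class Disk:
    def __init__(self, n_clusters):
        # Each slot records which file owns that cluster (or FREE).
        self.clusters = [FREE] * n_clusters

    def available_list(self):
        """Free cluster numbers, lowest first: the order they are handed out."""
        return [i for i, owner in enumerate(self.clusters) if owner is FREE]

    def write(self, name, n):
        """Take the first n clusters off the available list for `name`.
        Nothing here tries to keep a file contiguous; holes left by earlier
        deletions are reused first, which is exactly how fragmentation
        creeps in."""
        avail = self.available_list()
        if len(avail) < n:
            raise OSError("disk full: need %d clusters, %d free" % (n, len(avail)))
        for i in avail[:n]:
            self.clusters[i] = name

    def delete(self, name):
        """Deleting does not wipe data; it just puts the clusters back on the list."""
        self.clusters = [FREE if owner == name else owner for owner in self.clusters]

    def extents(self, name):
        """Contiguous runs (first, last) owned by `name`; one run = unfragmented."""
        runs = []
        for i, owner in enumerate(self.clusters):
            if owner != name:
                continue
            if runs and runs[-1][1] == i - 1:
                runs[-1] = (runs[-1][0], i)
            else:
                runs.append((i, i))
        return runs

    def fragmented_files(self):
        names = {owner for owner in self.clusters if owner is not FREE}
        return sorted(n for n in names if len(self.extents(n)) > 1)

    def defragment(self):
        """Lay every file back down in contiguous clusters, files in the order
        their first cluster currently appears, free space all at the end."""
        order = []
        for owner in self.clusters:
            if owner is not FREE and owner not in order:
                order.append(owner)
        packed = []
        for name in order:
            packed.extend([name] * self.clusters.count(name))
        self.clusters = packed + [FREE] * (len(self.clusters) - len(packed))


def fragmentation_demo():
    """Write three files, delete the middle one, write a bigger one: the new
    file lands in the hole plus the tail of the disk, i.e. two extents."""
    disk = Disk(16)
    disk.write("a.txt", 4)
    disk.write("b.txt", 4)
    disk.write("c.txt", 4)
    disk.delete("b.txt")          # clusters 4-7 return to the available list
    disk.write("d.txt", 6)        # gets 4-7, then 12-13
    before = disk.extents("d.txt")
    fragmented = disk.fragmented_files()
    disk.defragment()
    after = disk.extents("d.txt")
    return before, fragmented, after


if __name__ == "__main__":
    print(fragmentation_demo())
```

Running it shows `d.txt` spread over two extents before the defrag and a single run afterwards. The model deliberately leaves out what a modern drive's cache and read-ahead do, which is the part of the column's argument that decides whether the extra seeks still cost anything.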
Times change. Hard drives now run ten times as fast as they did then. More importantly, hard drives commonly sport large, faster buffers that feed data directly to the computer at memory-transfer speeds. Look-ahead intelligence built into the buffers runs rings around the old, dumb and slow drives of a decade ago. Heck, a typical hard drive these days packs an 8MB buffer: the buffer alone holds more data than an entire drive from the early days.
As for the effect of defragmenting on system performance… Far as I can tell, there is none. I’ve defragmented several drives recently, including one that looked like a chessboard sprayed with buckshot. I had no noticeable speed improvement at all. Your mileage may vary, of course, but the days of quick and dirty speedups with defrags are long gone.
There are some benefits to defragging. Data-recovery people say that you’re more likely to recover data on dissed disks if the files are located in contiguous clusters. Data backup people argue that backups run faster on defragged drives. Some claim that your computer will run cooler with the clusters in order — presumably because the disk arm doesn’t have to move as far. I’m skeptical. As usual.
Running a defragger
Windows XP ships with a very capable defragger. To use it, click Start, My Computer, right-click the drive you want to defragment, click Properties, Tools, then click the button marked Defragment Now. In the Disk Defragmenter dialog, click Analyze. Nine times out of ten, Windows will tell you that you don’t need to defragment your drive — and I suggest you take its advice.
If Windows recommends that you run a defrag, you can decide for yourself if it’s worth the hassle. In any event, wait and run it overnight. Yes, you can run a defrag and do other work at the same time, but your PC will act like a slug. Better to let the defrag run at its own pace.
Bonus tip: Don’t partition your hard drive. You’ll only slow it down. If you really want a “partition” to store, say, all of your data files, create a folder called “C:\Data”. Partitioning is dead. Get over it.
Woody Leonhard’s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Debate: To defrag or not? SURE
By Brian Livingston
Woody’s low opinion of disk defraggers, above, is discouraging enough that I feel the need to take the other side, just to play devil’s advocate.
This debate got started with a reader’s comment in our Oct. 27 issue, questioning the value of defragmenting today’s fast hard drives. Since that time, I’ve found some usable performance data.
My findings on the benefits of defragging
1. Defragging can reduce boot time, file opens, and file saves. The most recent defrag tests by PC Magazine were published on May 4, 2005, and June 8, 2004. In the earlier set of tests, writer Neil Rubenking found that Windows XP with a badly fragmented, 85% full 60GB drive required 3 minutes and 10 seconds to boot up. This dropped to about 2:20 after using XP’s own defragger or either of PC Mag’s current Editors’ Choices, Diskeeper 9 or PerfectDisk 7. Opening a 225MB bitmap in MSPaint dropped from 4:32 to 2:40 after using Diskeeper.
2. Defragged disks can get re-fragmented fast. A PDF white paper by Joe Kinsella for Windows IT Pro Magazine, underwritten by Diskeeper, shows that merely installing Windows XP or XP Service Pack 2 on a newly defragmented drive creates more than 1,000 fragmented files. Saving a 30MB document in Microsoft Word drops from 46 seconds to 4.6 seconds after using Diskeeper on a fragmented drive, according to Kinsella.
3. Server databases and MS Exchange may benefit greatly from regular defragging. For information on defragging Exchange 2000 Server and Exchange 2003 Server, see Microsoft’s Server System Tips. However, be sure to configure Windows Server 2003 so defragging doesn’t delete older "shadow copies," as described in Knowledge Base article 312067.
4. Freeing up disk space can improve performance, too. Neil Rubenking found in his PC Magazine tests that freeing up 24GB of his fragmented 60GB hard drive resulted in performance benefits as great as defragmentation. In general, you should never fill a hard disk nearly full. Besides performance problems, full disks can in rare cases corrupt small NTFS volumes, according to KB 909360.
5. The defragging debate has religious aspects. Susan Bradley posted some defrag information on her site recently and received wildly varying comments for and against regular defragging.
6. Individuals don’t need to defrag daily. Running the built-in Windows defragger once a month should give you most of the performance benefits of a well-tuned hard disk.
7. Businesses can benefit from background defragging. A "set it and forget it" utility, such as the various versions of Diskeeper, requires almost no administrative time but can make database access noticeably faster.
Woody talks back on defrag results
I allowed Woody to provide a rebuttal to my research. Here’s what he said:
- “In my counter-counter-point, I would note that the PC Mag test was on a ‘badly fragmented 60GB hard drive’ with 51GB occupied. That’s not a typical situation, by a long shot. While it’s interesting to see what effect a defrag has on an almost-whacked-out system, it’d be much more interesting to see what effect defrag has on randomly chosen, everyday machines.
“If you’re accumulating a lot of Web temp files, either use Firefox (which sips at temporary file space) or tell IE to use less space for its temp files. I have one machine with a 30GB hard drive, where IE grabbed 3GB just for its temporary files. To tell IE to back off, click Tools, Internet Options, click Settings, run the slider down to 20 or 30MB, or maybe 100MB if you have a really slow dial-up connection. Defrag your machine once, and forget about it. …
“The Windows IT Pro study (which, as you note, was sponsored by a defrag software company) tested a 20GB drive that was artificially fragmented. The author says he ‘could not rely on naturally fragmented hard drives.’ PC Mag relied on a naturally fragmented hard drive, and it isn’t at all clear to me why IT Pro couldn’t do the same. There’s no mention of disk cache memory in the IT Pro article. (Was it disabled to exaggerate the effect of defragmenting?) Perhaps most importantly, the author didn’t run his baselines against a drive that had been defragmented just once with the built-in Windows XP utility. That’s a bit like testing a mouse without taking it out of the box.
“In summary, if Windows XP says you should defrag, then by all means run a defrag. But there’s no reason to defrag incessantly — and no reason to run out and spend fifty bucks for a utility that performs only marginally better than the free defragger inside Windows. Run the Windows defragger every few months, and save your bucks for a second hard drive.”
Tip: By the way, I also want to respond to Woody’s remark, above, that separate disk partitions are not required for Windows. That may be true for workstations, but servers, including Exchange Server 2003, often require two or more partitions.
The next two items are from readers responding to the original Oct. 27 broadside.
Let idle CPU cycles defrag your drive
For those who use disk defragmenters, why not have an application that you can “set and forget”? Reader Dan Juroff writes:
- “On my personal machine, I use Ashampoo Magic Defrag, which runs as a service in the background, immediately defragging when the computer is idle for a few seconds. The process is interrupted as soon as you touch the mouse. This is the slickest defragger I’ve ever used, I must say, and I actually like it better than Diskeeper. For a novice user, Magic Defrag is probably better, since it really requires no special configuring, and no maintenance later. Just install it and forget it.
“In the past, I’ve tried to measure the difference between defragging and not defragging by timing the speed of antivirus or antispyware scans before and after defragging. It appeared that I could shave as much as several minutes off a scan in some cases. Again, results vary according to how fragmented the drive is to begin with.”
Magic Defrag is $12.99 direct and can run automatically even when a PC user is not logged on to the machine.
Disk thrashing due to fragmented drives
Windows, by default, doesn’t allocate space for your swap file in contiguous clusters. Instead, the swap file is fragmented across your disk like any other file.
If your computer is running on limited RAM, worsened by a fragmented swap file and file system, disk thrashing is likely to hurt your performance. Disk thrashing is the result of the hard drive continually reading and writing to the swap file due to a shortage of RAM.
Reader Charlie Roderick writes:
- “What about ‘disk thrashing’ and the ‘wear and tear’ on the heads when a file is fragmented and data is located all over the HD? From what I remember from my operating systems course, disk thrashing is not good!
“Disk thrashing can result in permanent failure of the hard drive; as the data is transferred back and forth, the hard drive’s read/write heads are subjected to considerable wear and tear.”
Whether or not disk thrashing would cause your drive to actually fail, it’s something to avoid nonetheless. Here’s how:
Step 1. Open the Windows Task Manager. (To do this, right-click an empty area of the Task Bar, then click Task Manager.) The Performance tab shows how much physical memory is in use. Check this when you’re running your typical applications. If available memory is small, add as much RAM as you can to your system. Memory-intensive applications such as Photoshop CS2 run best with as much as 1GB of RAM installed, but your applications probably don’t consume this much.
Step 2. Defrag your drive (or don’t, if you don’t think defragging makes any difference).
Step 3. Set your swap file to a fixed rather than a variable size. This helps the swap file to be contiguous and prevents Windows from ever enlarging and reducing the file, which can take time.
Many people recommend creating a fixed swap file that’s twice the size of your installed RAM, as described in a G4TechTV tutorial. If you have 1GB of RAM or more, however, I don’t believe a Windows swap file larger than 2GB would do you any good.
Uninstalling XP WordPad to use the Me version
We had a tip last issue on copying the Windows Me version of WordPad to XP. The older version can save files in Word 6 .doc format, whereas the XP version cannot. But you can’t simply delete the XP version because it re-creates itself.
Reader Crystal Chadwick explains how to effectively uninstall the Windows XP version of WordPad.
- “It is possible to uninstall the XP version of WordPad. You’ll have to ‘Show hidden files and folders.’ [Right-click My Computer, Explore, Tools, Folder Options, View.] Then go to C:\Windows, then the inf folder. Locate the Sysoc.inf file and navigate to this line:
MSWordPad=ocgen.dll,OcEntry,wordpad.inf,HIDE,7
“Remove HIDE [including the comma], changing the line to this:
MSWordPad=ocgen.dll,OcEntry,wordpad.inf,7
“Then click File, Save.
“Go to Control Panel, Add/Remove Programs, Add/Remove Windows Components, Accessories, Details, uncheck WordPad, and follow the prompts to uninstall.
“For those who wish to use an older version of WordPad, this is an easy way to do so.”
Firmware upgrade resets defaults on Linksys
Whenever upgrading to a newer BIOS or firmware revision, it’s always a good idea to double check your settings before and after the upgrade. New firmware and BIOS versions often bring with them new settings and functionality, as well as the possibility of overwriting or removing previous settings.
Reader Rick Kaye writes:
- “I installed the firmware upgrade for the Linksys WRT54G wireless router as you recommended in your Oct. 13 issue. As a side-effect of the upgrade process, all of the router’s settings were reset to their default values.
“Since I didn’t have any wireless devices in operation at the time I upgraded, I wasn’t aware of the reset. All the computers that were connected by wire worked fine. This had the effect of opening up a large security hole in my system since the router’s password was reset to its default.
“It was only when I turned on my laptop, a day later, that I realized the reset had occurred. Please tell your readers that after upgrading the firmware they need to make sure that they restore all their security settings. Also, the process will be much easier if they make a record of all their settings before starting the upgrade process.”
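Kaye’s advice, written as a check you can actually run: record the settings you care about before the upgrade, record them again afterwards, and let a script say what changed and which security settings went back to factory defaults. This is an added example, not code from the newsletter or from Linksys; the "key = value" record format, the setting names, and every value (including the factory defaults, which are placeholders) are constructed stand-ins for whatever you write down from the router’s admin pages.

```python
"""Before/after check for a firmware or BIOS upgrade: keep a record of the
settings you care about, take the same record again afterwards, and let a
script tell you what changed and which security settings went back to
factory defaults.  Added illustration, not code from the newsletter or from
Linksys; the "key = value" record format, the setting names and every value
below are constructed stand-ins for whatever you write down from the
router's admin pages."""

# Settings whose change after an upgrade is a security regression, not noise.
SECURITY_KEYS = {"admin_password", "wireless_security", "wpa_passphrase",
                 "remote_admin", "ssid_broadcast"}

# Constructed placeholders for factory defaults; substitute the real values
# for your device from its manual.
FACTORY_DEFAULTS = {
    "admin_password": "<factory-default-password>",
    "wireless_security": "disabled",
    "remote_admin": "disabled",
    "ssid_broadcast": "enabled",
    "ssid": "<factory-default-ssid>",
}

BEFORE_UPGRADE = """# constructed record taken before flashing
admin_password = <my-strong-password>
wireless_security = WPA-PSK
wpa_passphrase = <my-passphrase>
remote_admin = disabled
ssid_broadcast = disabled
ssid = home-net
dhcp_server = enabled
"""

AFTER_UPGRADE = """# constructed record taken after flashing; the reset wiped the custom values
admin_password = <factory-default-password>
wireless_security = disabled
remote_admin = disabled
ssid_broadcast = enabled
ssid = <factory-default-ssid>
dhcp_server = enabled
"""


def parse_record(text):
    """'key = value' lines, '#' comments ignored, into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def compare_records(before, after):
    """One finding per changed or missing setting: (severity, key, old, new,
    reverted_to_default).  A key missing after the upgrade is reported too,
    since a cleared passphrase is as bad as a default one."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        severity = "SECURITY" if key in SECURITY_KEYS else "info"
        reverted = key in FACTORY_DEFAULTS and new == FACTORY_DEFAULTS[key]
        findings.append((severity, key, old, new, reverted))
    return findings


def security_regressions(findings):
    return [f for f in findings if f[0] == "SECURITY"]


def check_upgrade():
    """Compare the two constructed records."""
    return compare_records(parse_record(BEFORE_UPGRADE), parse_record(AFTER_UPGRADE))


if __name__ == "__main__":
    for severity, key, old, new, reverted in check_upgrade():
        flag = " (back to factory default)" if reverted else ""
        print("%-8s %-18s %r -> %r%s" % (severity, key, old, new, flag))
```

On the constructed records the script reports the admin password, wireless security mode, SSID broadcast and passphrase as security regressions, and the SSID change as informational. The same comparison works for a BIOS, where the settings worth recording are things like the boot order and any boot or setup password.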
Readers Juroff, Roderick, Chadwick, and Kaye will receive gift certificates for a book, CD, or DVD of their choice for sending me tips that I printed.
Sony CDs install PC rootkit
By Chris Mosby
What if I told you the new audio CD you’ve been playing on your PC has installed software without your knowledge — and has used hacker techniques to hide that software so you won’t find out?
What if I also told you that this same software is also watching every program that you’re running on your PC, taking up system resources even if you aren’t listening to that audio CD?
On top of all that, what if I told you that this software doesn’t come with an uninstall program, and that if you try to take it off manually, you could disable parts of Windows if you aren’t careful?
I bet you’d be pretty mad if you found out something like this. Well, you wouldn’t be the only one.
There were a lot of mad people in the security community when they found out that Sony BMG — and First 4 Internet, who wrote the software for Sony — had included software on their audio CDs that does all of the above.
The end doesn’t justify the means
This controversy all started when Sysinternals’ Mark Russinovich and F-Secure both posted information about Sony BMG. Several of the company’s CDs, they reported, use digital rights management (DRM) software that’s not mentioned in any EULA agreement. The software, they found, monitors the use of all executable programs on a computer (whether an audio CD is being played or not) and uses hacker-style rootkit technology to hide itself from most system and security tools.
How was this done? Sony started requiring its own media player to be installed to enable people to listen to their CDs on a computer or make limited digital copies of songs. When the media player software is installed, it also loads a Windows device driver. This driver hides files, folders, and registry keys from Windows APIs by adding $sys$ to their name. This allowed Sony to install its little spyware program and make it completely invisible to the average user in an attempt to prevent illegal copying of the company’s CDs.
If this weren’t bad enough, the First 4 Internet developers (whose code Sony uses) sloppily wrote the rootkit device driver. Anything that has $sys$ at the beginning of its name will be hidden from view, not just certain specified objects.
There’s even more bad programming involved. There’s no uninstall routine for this rootkit software. Worse, manually deleting the files or certain Registry keys that the software installs can disable a PC, as described by The Register. (At least three dozen CDs install the rootkit, as explained by EFF.)
Hackers are already exploiting the Sony rootkit
Sony BMG Music vigorously claims its DRM software "is not malicious and does not compromise security." But hackers who play the popular online game World of Warcraft are already using the Sony DRM rootkit, according to Security Focus. This exploit allows these gamers to cheat at the game. The cheating can be hidden from Blizzard Entertainment’s own controversial spyware-like cheat-catching software that the company recently added to the game. This software, called “The Warden,” works in a similar way as the Sony rootkit. It monitors processes running on a player’s PC in an effort to catch and report players who are using cheating tools.
An exploit called BKDR_BREPLIBOT.C has already been reported by Trend Micro. No distribution "in the wild" has been seen yet, but it’s only a matter of time before attacks like these will be flowing across the Internet.
This problem will get worse before it gets better, as hackers learn to utilize similar technology and take further measures to hide their malware from unsuspecting computer users.
Consumer pressure forces a Sony ‘update’
As news of Sony’s new DRM tactics spread across the Web, more and more security professionals expressed their disappointment and rage over Sony’s use of hacker tactics in a vain effort to protect their works.
The response to this DRM software was so overwhelmingly negative that Sony was finally pressured into issuing an update that removes the cloaking technology from a PC. At the same time, Sony still vigorously denies that this DRM software is in any way malicious or that it compromises the security of the computers that it’s running on. Russinovich, for his part, published an update on Nov. 9 saying the Sony patch "decloaks in an unsafe manner that can crash Windows."
I don’t know where the people over at Sony get their definition of security, but it’s definitely different from mine.
How do I check for these rootkits?
All this talk about rootkits probably has you wondering how you’d even know if you had one on your PC, since they are by definition hidden from view.
What to do: Your best options are to use Sysinternals’ RootkitRevealer or F-Secure’s BlackLight. Both of these tools detect the Sony DRM software. Personally, I recommend RootkitRevealer, as it’s completely free and is a well-respected tool among security professionals.
I also highly recommend downloading one of these tools and running a scan on your computer. Remember that Russinovich himself only found the Sony rootkit on one of his machines by accident. You never know what you’ll find, and you might be saving your computer from problems down the road.
I just did a scan on my home machine and found some hidden items there myself. With a little research, I wound up finding them to be legit, so I’m OK. But the little lurkers could have been malicious, which is why you want to check.
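The technique those scanners rely on is cross-view comparison: enumerate files and registry keys once through the normal Windows APIs and once through a low-level scan the filter driver cannot intercept, then report whatever the low-level scan saw that the API view omitted. The following is an added illustration of that idea, not code from the newsletter, Sysinternals or F-Secure. It models the name-prefix hook described above as a filter over a constructed listing (`HIDE_PREFIX` stands in for the `$sys$` rule; every path and registry key is invented) and shows both why the hidden objects turn up in the diff and why the sloppy prefix match also hides an unrelated file that happens to share the prefix.

```python
"""Cross-view comparison, the idea behind rootkit detectors such as
RootkitRevealer and BlackLight: enumerate the system once through the normal
Windows APIs and once through a low-level scan that the filter driver cannot
intercept, then report everything the low-level scan saw that the API view
did not.  Added illustration, not code from the newsletter, Sysinternals or
F-Secure; every path and registry key below is constructed, and HIDE_PREFIX
stands in for the name-prefix rule the column describes."""

HIDE_PREFIX = "$sys$"

# Constructed low-level view: what a raw walk of the volume and registry hive
# returns before any filter driver edits the listing.
RAW_VIEW = {
    r"C:\Windows\system32\drivers\$sys$cloaked.sys",               # constructed: hidden driver
    r"C:\Windows\system32\$sys$player_helper.dll",                  # constructed: hidden helper DLL
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$cloaked",         # constructed: hidden service key
    r"C:\Documents and Settings\me\My Documents\$sys$budget.xls",   # constructed: innocent file caught by the prefix rule
    r"C:\Windows\system32\drivers\disk.sys",                        # ordinary driver
    r"C:\Documents and Settings\me\My Documents\report.doc",        # ordinary document
}


def object_name(path):
    """Final path component: the part a name-prefix hook matches against."""
    return path.rsplit("\\", 1)[-1]


def filtered_api_view(raw_view, prefix=HIDE_PREFIX):
    """What user-mode enumeration returns once the hook drops every object
    whose name starts with `prefix`.  The rule knows nothing about which
    objects belong to the player, so anything sharing the prefix vanishes."""
    return {p for p in raw_view if not object_name(p).startswith(prefix)}


def cross_view_diff(raw_view, api_view):
    """Objects the low-level scan found but the API view omitted."""
    return sorted(raw_view - api_view)


def triage(discrepancies):
    """Order hidden objects for a human to investigate: hidden kernel drivers
    and service keys first, hidden executable code next, data files last.
    Every entry still needs a look; the detector cannot tell a rootkit
    component from an innocent file that happens to carry the prefix."""
    ranked = []
    for p in discrepancies:
        name = object_name(p).lower()
        if name.endswith(".sys") or p.startswith(r"HKLM\SYSTEM\CurrentControlSet\Services"):
            ranked.append((0, "kernel driver or service key hidden from API", p))
        elif name.endswith((".dll", ".exe")):
            ranked.append((1, "executable code hidden from API", p))
        else:
            ranked.append((2, "data file hidden from API, verify its origin", p))
    return sorted(ranked)


def scan_report():
    """Run the comparison over the constructed views."""
    api_view = filtered_api_view(RAW_VIEW)
    return triage(cross_view_diff(RAW_VIEW, api_view))


if __name__ == "__main__":
    for priority, why, path in scan_report():
        print(priority, why, path)
```

The output lists four discrepancies, with the hidden driver and service key at the top and the spreadsheet at the bottom. That last entry is the point of the column’s remark about sloppy code: the filter hides it even though it has nothing to do with the player, and a real scan will likewise turn up legitimate items that you have to check by hand before deciding anything.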
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Are you sure you can recover?
By Ryan Russell
What’s your plan for catastrophic PC failure?
It’s one thing to plan for dead hardware. If your budget can take the hit, some of you might even welcome an excuse to have to replace some aging machine. The real problem is all of your data. Do you have everything categorized, backed up, and stored properly?
Let’s start with a few horror stories
Please humor me while I regale you with a few disasters in an attempt to get you to do your backups. I’m still called upon on a regular basis to lay hands on the PCs of friends and family. Except for the occasional hardware failure of a hard drive (and they have no backups), the only problem I get called about anymore is spyware. In some cases, the spyware can be bad enough that the quickest route to functionality is a reinstall. (Though at least I can usually get the data files off, because of course they have no backups.)
Not scared yet? OK, it’s not so bad yet, but it may be getting worse. One recent disturbing trend is “ransomware.”
Here’s a recent example, analyzed by the Kaspersky guys. They provide a free tool to deal with this particular case of ransomware, but of course there are probably some that aren’t so easily defeated. Other examples are reported to use strong public-key encryption to lock away the owner’s files, with the private key under the attacker’s control.
Even the traditional spyware, the kind that just wants to pop ads at you, or maybe steal your credit-card number, is getting nastier. In the last several months, we went from seeing initial reports of rootkit-like behavior on some spyware, to it being a common occurrence.
A couple of friends of mine who run the Rootkit.com site tell me there’s even a favorite rootkit, the FU rootkit. Several spyware authors are shipping the binary, downloaded from the Rootkit.com site, as-is. The implication is, of course, that the spyware authors are lame for shipping a known (detected by tools) binary instead of customizing their own. But I find even the lame attempt rather frightening.
You may already have the Sony rootkit
Forgive me if I’ve got rootkits on the brain recently. There’s been a lot of activity in that area lately.
You can get rootkits from spyware. You can then get the latest book on rootkits. (This book is authored by my aforementioned friends from the Rootkit.com site, so I’m biased. Sadly, I get no money if they sell more copies, but it is a good book.)
And of course, if you read Chris’s article, above, you now know you can get a free rootkit with your Sony BMG music CDs.
Chris does a great job covering the Sony/First4Internet rootkit, but I can’t help but throw in my two cents. I haven’t done nearly as complete a job at analyzing this rootkit as Mark Russinovich did. But I have loaded it up in my disassembler of choice, IDA Pro. I wasn’t at all pleased by what I saw.
I find evidence of “phone home” behavior, even though Sony denies it or downplays it. Evidence suggests that it may be minimal in the rootkit itself, but I see more extensive data collection in the ActiveX control that F4I hosts on their site to “upgrade” the rootkit. It appears that the “removal” tools that F4I provides only remove small portions of the functionality. Most of the objectionable pieces remain behind.
Sony also claims that there is no malicious behavior, nor any backdoors. I disagree.
I’m aware of a number of vulnerability researchers who are actively looking at this rootkit, and I already know of several vulnerabilities in it. I’m not going to publish any details, and as far as I know, there’s not yet a working remote-shell exploit. But I’ve seen crash examples and, yes, there does appear to be a viable remote exploitation vector. I don’t see any intentional backdoors — but does it matter?
I can’t yet say with certainty that the Sony rootkit is remotely exploitable. The research hasn’t been finished. And it would be nice if I were wrong.
Unfortunately, looking at the (lack of) quality in this code, I’m not hopeful. If you suspect that you might have this rootkit, then I encourage you to get rid of it now. If you’re pretty technical, Russinovich’s blog entry about it is enough information for manual removal. If not, then keep your eyes open for removal tools. I suspect that we’ll see some very soon for free.
To its discredit, as of this writing, Sony really doesn’t seem interested in helping you get rid of this outrageous security risk. So I’m afraid you can’t yet trust any tool from them for this purpose.
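If you want a quick, repeatable way to tell whether a name-cloaking driver of this kind is sitting between you and the file system, the following is an added example (mine, not code from the column, from First4Internet, or from Russinovich). It generalizes the rename test in Russinovich’s blog entry: his analysis documented that the driver hides files whose names begin with “$sys$” from directory listings, so the script plants canary files and compares what directory enumeration returns against a direct by-name lookup. A name the lookup finds but the listing omits is being filtered. The “_canary_” prefix is an arbitrary control, and cloaking_lister is a stand-in for a hooked enumeration so the logic can be exercised on a clean machine; neither is anything the driver does.

```python
"""Cross-view check for name-based file cloaking.

Added example; not the column's, F4I's, or Russinovich's code.
Fact relied on: the F4I driver hides names beginning with "$sys$" from
directory listings (documented in Russinovich's analysis).
Assumptions: "_canary_" is an arbitrary control prefix; cloaking_lister
only simulates a hooked enumeration so the check can be demonstrated here.
"""
import os
import tempfile
from typing import Callable, Dict, Iterable, List

CANARY_PREFIXES = ("$sys$", "_canary_")   # first is the documented one


def cross_view_check(directory: str,
                     prefixes: Iterable[str] = CANARY_PREFIXES,
                     lister: Callable[[str], List[str]] = os.listdir
                     ) -> Dict[str, List[str]]:
    """Plant canary files, then compare enumeration against by-name lookup.

    Returns {"hidden": names present on disk but absent from the listing,
             "blocked": names the file system refused to create at all}.
    `lister` is the enumeration path under test; os.listdir on Windows uses
    the same directory-query call that Explorer and `dir` use.
    """
    canaries = [f"{p}canary.txt" for p in prefixes]
    created, blocked = [], []
    for name in canaries:
        try:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("canary\n")
            created.append(name)
        except OSError:
            # a filter that refuses the name outright is itself a finding
            blocked.append(name)
    try:
        listed = set(lister(directory))
        hidden = [
            name for name in created
            # by-name stat is a different code path from enumeration
            if os.path.exists(os.path.join(directory, name))
            and name not in listed
        ]
        return {"hidden": hidden, "blocked": blocked}
    finally:
        for name in created:
            try:
                os.remove(os.path.join(directory, name))
            except FileNotFoundError:
                pass


def cloaking_lister(directory: str, prefix: str = "$sys$") -> List[str]:
    """Simulated hooked enumeration: drops names starting with `prefix`.

    Stand-in for a filter driver so the detector can be exercised on a
    clean machine. This is not the driver's code.
    """
    return [n for n in os.listdir(directory) if not n.startswith(prefix)]


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run the check against the real listing and against the simulation."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "real_listing": cross_view_check(tmp),
            "simulated_hook": cross_view_check(tmp, lister=cloaking_lister),
        }


if __name__ == "__main__":
    result = demo()
    print("real listing:", result["real_listing"])       # clean machine: both lists empty
    print("simulated hook:", result["simulated_hook"])   # $sys$canary.txt reported hidden
```

The caveat a practitioner should keep in mind: both legs of this comparison still go through the kernel, so a driver that filters by-name opens as well as enumeration would defeat the by-name leg (it would then show up in “blocked” rather than “hidden”). A stronger cross-view compares the API’s answer against a raw read of the volume, which is what dedicated rootkit detectors do.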
Some news on Microsoft’s Antispyware
On the positive side, it looks like Microsoft is putting some additional effort into its own MS Antispyware tool. It’s now called Windows Defender. (An independent developer who signed away to Microsoft the rights to the name isn’t happy about it, according to the Seattle Post-Intelligencer, but that apparently won’t stop the name change.)
Microsoft is saying it’s expanding the tool to cover additional threats. “We will provide visibility and control, as well as protection, detection and removal from other potentially unwanted software, including rootkits, keystroke loggers and more.”
The Redmond company also says it’s going to make a system service out of it, and have it be updated via the standard Microsoft update channels. This means that if you use a Microsoft solution for patch or systems management, you’ll probably automatically pick up updates for Windows Defender, which is nice.
We still don’t know for sure what the licensing will be (i.e., will it stay free, like the beta). I’m hoping Microsoft will keep it free. Microsoft has taken a little ribbing over the fact that the current Antispyware beta is written at least in part in Visual Basic 6, which Microsoft has end-of-lifed. This is a carryover from when the software was developed by Giant Software Company, which Microsoft acquired last year. Presumably, Microsoft will take care of the language issue before it becomes a system service digging around in the kernel after rootkits.
Overall, I find even the current beta to be a decent tool, especially for a free one. Coverage isn’t comprehensive, but no antispyware tool is at present. A bit more troubling is the fact that Microsoft apparently has agreed to “delist” certain spyware (as Brian Livingston reported on July 14). Guys, it’s still spyware, even if someone “authorized” it in theory. They still don’t want it there, and I still want you to find it, and get it off the disk. Honest. Let’s define spyware by behavior, and not license agreement, please?
I almost always use multiple antispyware tools, and I’m pleased that there are several good free ones. You really still need multiple tools to get any kind of decent coverage. It’s not like antivirus, where you can count on one tool to find 90% or more.
You can find our recent roundup of antispyware in the Sept. 29 newsletter and a small update on Oct. 27.
Follow-up on the race against time
I want to briefly reinforce a couple of points from my previous two columns.
I made the point in my Oct. 13 column that Microsoft lets the cat out of the bag when they release a patch, because then everyone can look at the binaries and see what the vulnerability is. Turns out a good example of this just happened recently. Cesar Cerrudo tells how he found another exploitation path based on a patch Microsoft released. Microsoft grudgingly acknowledges that he is correct in a posting in the Security Response Center blog. Cesar was nice enough to give them a second chance to fix it before pointing it out to the rest of the world.
One thing you can take away from this example is that you should be looking at what services and functions are getting patched. You should see if something is enabled and attackable that doesn’t need to be.
Also, here’s a bit of followup on the good news that there’s only one critical security patch from Microsoft this month. You may recall that I pointed out in my Oct. 27 column the trend that many vulnerabilities don’t affect Windows XP SP2 and Windows Server 2003 SP1. If you look closely at the affected OS matrix for this month’s patch in the MS05-053 executive summary, you’ll see that two of the problems don’t exist on XP SP2 and Windows Server 2003 SP1. Two out of three ain’t bad.
Are you backing up yet?
Yes, I will admit that my personal backup procedure isn’t great yet, either. Tapes got left in the dust long ago. My home machine has several hundred gigabytes of storage. You want how many thousands of dollars for a drive and tapes to back that up? Please. Optical? Let’s see… that’s around 1,000 CD-Rs… OK, how about 200 DVD-Rs?
Right, there’s no chance you’ll back up everything. Your best bet is to have good data segregation. Keep the important stuff in one spot that you can back up because it only takes a few discs. Better yet, do like I do and have an external 200GB drive connected via USB 2.0.
I wish I could say that modern equipment was reliable enough that you didn’t have to worry about failure anymore, but we all know that’s not true. Plus, hardware failure may not be your biggest threat anymore. Someday, you may have to recover from a virus while your hard disk is still spinning just fine.
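Here is what the segregated-backup advice above looks like in practice, as an added example (mine, not the column’s). It copies one directory of important files to a second location and records a SHA-256 manifest beside the copy. The manifest is what makes the “disk still spinning” case tractable: a later run against the live tree tells you exactly which files changed or vanished, and a run against the copy proves the backup itself is intact before you rely on it. The directory names in demo() are constructed sample data, and any real source and destination paths are yours to supply.

```python
"""Segregated backup with an integrity manifest.

Added example, not code from the column. Copies one directory of important
files to a destination (an external drive, a second disk) and writes a
SHA-256 manifest so the copy can be verified and the originals checked for
silent modification. The tree built in demo() is constructed sample data.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List

MANIFEST_NAME = "manifest.sha256.json"


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue  # the manifest describes the tree; it is not part of it
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def backup(src: str, dst: str) -> Dict[str, str]:
    """Copy src into dst (preserving mtimes), write the manifest, return it."""
    manifest = build_manifest(src)
    for rel in manifest:
        parts = rel.split("/")
        target = os.path.join(dst, *parts)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, *parts), target)
    with open(os.path.join(dst, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def load_manifest(dst: str) -> Dict[str, str]:
    with open(os.path.join(dst, MANIFEST_NAME)) as fh:
        return json.load(fh)


def verify(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a tree against a manifest: modified, missing and extra files."""
    current = build_manifest(root)
    return {
        "modified": sorted(r for r in manifest
                           if r in current and current[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in current),
        "extra": sorted(r for r in current if r not in manifest),
    }


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Back up a constructed tree, then tamper with the live copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "important")
        dst = os.path.join(tmp, "external_drive", "important")
        os.makedirs(os.path.join(src, "tax"))
        with open(os.path.join(src, "tax", "2005.txt"), "w") as fh:
            fh.write("constructed sample\n")
        with open(os.path.join(src, "keys.txt"), "w") as fh:
            fh.write("constructed sample 2\n")
        manifest = backup(src, dst)
        clean_copy = verify(dst, load_manifest(dst))
        # simulate malware altering one live file and deleting another
        with open(os.path.join(src, "keys.txt"), "a") as fh:
            fh.write("injected\n")
        os.remove(os.path.join(src, "tax", "2005.txt"))
        live_tree = verify(src, manifest)
        return {"clean_copy": clean_copy, "live_tree": live_tree}


if __name__ == "__main__":
    result = demo()
    print("backup copy:", result["clean_copy"])   # nothing modified, missing or extra
    print("live tree:", result["live_tree"])      # keys.txt modified, tax/2005.txt missing
```

Two design points worth noting: the manifest is keyed by relative path with forward slashes so the same file can be checked from either side regardless of drive letter or OS, and copy2 is used so the backup keeps original timestamps, which helps when you later need to decide which version of a file predates an infection.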
Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias "Blue Boar." He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.