We receive lots of correspondence from you, and we take those comments and act on them, whether it means pulling a tip off the site, double-checking a fact, passing along feedback to our writers and just trying to improve the overall quality of our content. Now, we want you to be able to see the comments of your peers -- and we hope that you will write in more often.
We'd also like to see more of you write quick opinion pieces about industry issues: Spout off, make predictions, or debate the merits of a security issue in the news. Use this space to create your very own opinion page.
We've created two formats for these letters: You can enter your letters into our new Letters to the Editors Forum directly or comment on other entries; Or you can simply review our monthly article, which will highlight the best Letters to the Editors from the previous month such as what you'll see below. (Be sure to include your full name and title. If you're writing to critique an article or tip, please include the headline and url of the content in question for easy reference.)
We hope you enjoy this new site feature. If you don't, well, you know where to tell me!
Best regards,
APRIL LETTERS TO THE EDITORS
Thanks for the timely information. Your Klez story references a patch that has been available for some time from Microsoft for Outlook. What patch? A reference would have made your article superior. I went to the MS web site in an effort to track down exactly which patch I would need and was unable to do so.
--Charla Jensen, EMS Authority
Click here to read the article
(Note from Ed Hurley, SearchSecurity news writer)
Great suggestion! We will try to include links to patches in future virus stories. Here is a link that Panda Software has on its site. It should take you to the Microsoft site featuring the patch.
I would like to correct an inaccuracy in your definition of MD5. MD5 is a HASHING algorithm, not a digital signature algorithm. The hash value resulting from MD5 can be encrypted to create a digital signature, but MD5 doesn't actually create digital signatures. It creates a hash value. Thanks!--James Gage
Click here to read the MD5 definition
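To illustrate the distinction the letter draws, here is an added example (not part of the original letter or the site's definition): MD5 yields an unkeyed digest that anyone can recompute, while a digital signature is a separate private-key operation over that digest. The RSA key below is a toy built from two known Mersenne primes with textbook (unpadded) signing, chosen only so the code runs stand-alone; real signatures use much larger keys and padding.

```python
import hashlib

# Toy RSA modulus from two Mersenne primes (2**127-1 and 2**107-1), large
# enough to hold a 128-bit MD5 digest as an integer. Illustration only.
_P = 2**127 - 1
_Q = 2**107 - 1
N = _P * _Q                  # public modulus
E = 65537                    # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent


def md5_digest(message: bytes) -> bytes:
    """MD5 is a hash: no key is involved, so anyone can compute it.
    By itself it can detect accidental change, not prove who wrote it."""
    return hashlib.md5(message).digest()


def hash_only_check(message: bytes, digest: bytes) -> bool:
    """What a bare hash buys you: it matches whenever someone (anyone)
    recomputed MD5 over this exact message."""
    return hmac_safe_eq(md5_digest(message), digest)


def hmac_safe_eq(a: bytes, b: bytes) -> bool:
    import hmac
    return hmac.compare_digest(a, b)


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Digital signature = private-key operation applied to the hash.
    MD5 produces the input to this step; it does not produce the signature."""
    h = int.from_bytes(md5_digest(message), "big")
    return pow(h, d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Verifier recomputes the hash and checks it with the public key only."""
    h = int.from_bytes(md5_digest(message), "big")
    return pow(signature, e, n) == h
```

Note that `hash_only_check` accepts any message paired with its own freshly computed MD5, which is exactly why a hash alone is not a signature.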
Giving Symantec, er, the dual boot?
This is an FYI rather than a tip. I have long been a believer and supporter of Symantec products, even though most have always produced some quirky problems that required work-arounds. Now I've come across a problem that will probably send me searching for a replacement from a competitor (unless Symantec rectifies this bug soon).
Neither Norton Internet Security nor Norton Personal Firewall supports dual booting. The problem? LiveReg & Product Update force themselves into two folders on the system partition (unlike the main programs which allow the user to choose the installation folder). The result? On my computer, the Firewall will not let me connect to the Internet when booting to WXP Professional; everything's fine when I boot to W2K Professional. Symantec says that problems will manifest themselves differently on each dual-booted computer, but in general, the product will not work as it is supposed to. Incredulous!
I could describe for you a whole slew of other problems associated w/Symantec's NIS & NPF. Seems like these products need an extra label on their boxes that specify only one OS & one user account, unless all accounts are Administrator accounts. Additionally, if installing to a FAT32 partition that's subsequently upgraded to NTFS & you've chosen NOT to include the parental control feature, then you (the Administrator & everyone else) will be locked out of changing or setting anything, & all settings will be set to their lowest (riskiest). With NO free tech support, you'll pay $35 to have a Symantec tech rep point to one file (Nisum.dat) to delete (In fairness to Symantec, they have corrected this problem w/an update).
Also on that label, Symantec should state that all rebate requests require personal follow-up, & usually require resubmittal of the required paperwork. This has happened to me three times now, the most recent because the rep did not accept an Internet receipt...?--Joe Davis
Partition to harden Unix servers tip
This is so fundamental that it is hard to believe this is offered as a tip. Any UNIX administrator worth his/her salt will have had this concept dinned into them from day one. This looks like a tip from an MS administrator aimed at other MS admins moving into UNIX. I teach UNIX admin - this material is covered in day one.--Peter Coleman
Click here to read the tip
Strom off the mark on nmap NT
I generally like and enjoy David Strom's Security Toolshed column. Even if it isn't the first word I hear concerning a particular security tool/utility, Strom's column is usually a decent second opinion/second-take I'd rather have than not have. His 03 Apr 2002 article on nmapNT was surprisingly not up to usual standards. Strom clearly points out that nmapNT requires installation of polito.it's WinPcap TCPIP packet capture library in order for nmapNT to work. Unfortunately, nowhere in the article did Strom mention that WinPcap does not support SMP NT/2K/XP. In fact, the WinPcap FAQ ( http://winpcap.polito.it/misc/faq.htm ) *explicitly states* that WinPcap should not be run on SMP machines -- the only exception being, re-booting the OS and *forcing* the OS into *uniprocessor* mode. Otherwise, system hangs, data corruption and/or BSODs may result. Newer versions of WinPcap will not even load on SMP systems. This is a show-stopper for SMP boxen. A second, more minor, gotcha is that WinPcap does not work with any DialUp adapter, due to NDIS issues. IF there was a *robust* and *reliable* and *SMP compatible* TCP/IP packet capture stack for W32, that could be used as a substitute for WinPcap, then nmapNT could be a very cool and compelling tool. Without it, those with SMP boxen are left SOL. It would also be nice if this WinPcap replacement fully supported DialUp Networking interfaces, too. ... Thanks for your time and attention.--W.T. "Woody" Ichiyasu
Click to read David Strom's review
Mobile Security Webcast (Whadjasaysonny?)
I registered and 'attended' an on-line seminar featured through your website on Mobile Security. The speaker was Kevin Burden of IDC. I'd like to see some major improvement in the clarity of the speaker. He spoke very fast and did not keep close to the microphone. The only time we could really understand him was when he asked for the next slide! It was a miserable situation trying to hear what he had to say. Also, really didn't learn anything on the specifics of mobile security - only what items are on the market and where the concerns are. Thank you for letting me 'spout off'. I hope the other on-lines will be much clearer and present useful information...--Linda Herzog
Countermeasures to key logging
It is with amazement that I have followed the development of this threat, and the complete inability of the computer industry to counter it. A colleague and I founded NetSafe security software to counter this threat *in software* with patented technology in 1995. This threat is as old as the PC - there are numerous websites that provide hundreds of thousands of pre-written viruses and trojans to capture keypresses using all types of media (e.g. launched from a mail memo or even hidden in the File Allocation Table of a harddrive, safe from even a low-level format!).--Patrick Rose
Click here to read the tip
How long will it be until some keystroke-capturing device will also be able to record exact timing information? This would be an effective counter-countermeasure against keystroke dynamics barriers like BioPassword. And I can also see legitimate uses for the additional timing info: (a) easier collation of user input and software output, (b) psychological experiments, and probably others. So a point could be made to build and sell such things. Additionally, even incorporating additional input devices into the authorization process won't be any good, since (in principle) they all can be captured. Conclusion: (1) If you want to protect against keystroke-(etc.)-capturing effectively, make sure no unauthorized person will be able to install a capturing device (i.e., restrict physical access to the hardware). (2) Where this is not possible, something like a smartcard will be needed, so the authentication data exchanged will change with every authentication process. (Computer sends challenge to smartcard - smartcard algorithmically computes answer and sends it to computer - computer uses a complementary algorithm to verify the answer matches the original challenge.) Of course, each user will need a personal card that could be lost or stolen, but that is another problem. (3) So, while both products mentioned in the tip are interesting (for different reasons), the connection isn't terribly useful (IMHO). Best regards.--Ingo Tomahogh.
Click here to read the tip
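The challenge/response exchange the letter sketches in point (2), written out as an added example (not from the letter or from any product it mentions): the computer issues a fresh random challenge, the card answers with a keyed function of that challenge, and the computer verifies. The shared card key and the HMAC-SHA256 construction are this example's own assumptions; the last function shows why an answer captured from one login does not verify against the next challenge, which is the property that defeats keystroke capture.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret shared by one card and the verifier (not real).
CARD_KEY = b"example-card-secret-for-illustration-only"


def new_challenge() -> bytes:
    """Computer side: a fresh, unpredictable challenge for every login.
    Reusing challenges would reopen the replay problem."""
    return secrets.token_bytes(16)


def card_answer(key: bytes, challenge: bytes) -> bytes:
    """Card side: answer depends on the secret key and this challenge only,
    so the bytes that cross the keyboard/serial path differ every time."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_answer(key: bytes, challenge: bytes, answer: bytes) -> bool:
    """Computer side: recompute the expected answer with the same key and
    compare in constant time."""
    return hmac.compare_digest(card_answer(key, challenge), answer)


def login(key: bytes) -> bool:
    """One complete exchange between computer and card."""
    challenge = new_challenge()
    answer = card_answer(key, challenge)
    return verify_answer(key, challenge, answer)


def captured_answer_reusable(key: bytes) -> bool:
    """Risk check: suppose one full exchange was recorded. Presenting the
    recorded answer to the next (fresh) challenge must fail."""
    recorded_answer = card_answer(key, new_challenge())
    return verify_answer(key, new_challenge(), recorded_answer)
```

The static-password case is the contrast: the same secret is typed every time, so a recording of it verifies again, whereas here the verifier only accepts an answer bound to the challenge it just issued.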
There are software programs that can be installed locally to a workstation to accomplish the same thing. In the case of software the user is very unlikely to know it was ever installed. If you are prone to doing things that go against company policy, ethics and good business practice then you are the kind of person that will use the argument that your privacy is being invaded. If you go to work to earn your paycheck and realize that this equipment and resources belong to your employer, your time while at work essentially also belongs to your employer unless of course you want to give back that paycheck you receive for doing your job.
I'm so tired of the self-righteous proclaiming invasion of privacy at work. If you are doing your job you have nothing to fear. If your employer has employed appropriate security of the tool and its use, they are not watching you, they are maintaining the environment and managing its performance. Don't give your employer an excuse to look at the logs to see what you have been doing.--Ken M. Shaurette
Click here to read the tip
(Remember, please go to our Letters to the Editors forum if you would like to comment on any of these posts. Be sure to include the headline or the url so that we know which one you are referring to.)