Monday, October 26, 2009

Improve your P2P security

There are a number of reasons why you need to take extra security precautions when using Peer-to-peer (P2P) software. The most obvious is that you are having to trust a whole bunch of people you don't know and can't hold responsible if something goes wrong. Then there are all the P2P parasites, spammers, fake files and poisoners. It's a hacker's dream and a user's nightmare.
Why not P2P?
I'm not trying to sow fear, uncertainty and doubt, but this is a cautionary tale, especially since many ISPs don't like P2P traffic because it uses up a lot of bandwidth (which we pay for, but which they don't want to have to pay for). So they climb on the bandwagon and claim that P2P traffic is mostly illegal, when in fact what they really mean is that P2P traffic is mostly unprofitable. Some ISPs make it a violation of their Terms of Service to do P2P traffic of any kind, others just filter the traffic or interfere with it.
You can download malware or viruses on a P2P network like BitTorrent or eMule. I personally avoid downloading anything that looks like bootleg software, patches or installation CDs. If you can't download it legitimately from or from the manufacturer's web site, it's probably not worth using anyway. Most software I buy or test has a free trial period. The only exception I can think of is SpinRite, which has a no-questions-asked money back guarantee. There is also enough Open Source software out there that you can usually find something close to what you need anyway. So software on P2P is a security and quality risk: it's just not worth it, no matter how tempting it may be.
Many people use P2P networks to find music and movies. Again, you have no idea what kind of quality you are getting, and the bandwidth costs can be a factor. Downloading a compressed bootleg DVD can use up anything upwards of 700MB. Since I'm paying R99 per GB and I can rent most DVDs for R25, I just don't see the point. Also, many movie formats can include scripting and other security nasties, so you are taking your PC's health in your hands.
Music is less risky, and the music industry is finally beginning to understand that the sky won't fall in if they sell MP3 files or just give them away. I don't like stealing from the "artists" (actually it's the record companies that are robbing them blind) but if I already own the record or cassette tape then I have no qualms about obtaining a digital copy of those songs, especially if they aren't available as an MP3 download.
Why use P2P?
I do have a problem with audio books. I spend over $50 per month on new audio books, but the book industry just doesn't have a clue about digital media, and they have tied themselves up in arcane contracts as badly as the movie industry. We bought all the Harry Potter books, but the digital downloads are still not for sale in South Africa. I can rent the CDs read by Stephen Fry, but not Jim Dale, and have done so. But I also admit that I downloaded all the Jim Dale versions "illegally" via P2P networks like LimeWire and eMule. Some of the copies were dreadful, but I eventually managed to listen to the entire audiobook series, whether J K Rowling's publishers like it or not. I bought the print versions, and I would have bought the audio versions on CD if they hadn't been 5 times the price, and if they had been available for purchase.
Again, there are economics involved. If the size of the book is greater than 1GB then it's cheaper to buy a legal copy than download a bootleg one. I always try to find a legal copy anyway, because I'm not a leecher and am happy to pay for my hobby. Audible, Borders Audiobooks, Simply Audiobooks and AudioBooksForFree have all sold me books. The last 3 have sold more because they allow me to download MP3 files more often than not.
There are also legal stupidities involved. Diana Gabaldon's "Outlander" series now has 7 titles. You can buy books 1-4 and 7 in unabridged form, but I couldn't find books 5 and 6 for sale unabridged at all. Not even the CDs. But some kind soul on BitTorrent allowed me to download both. If I could pay for these copies I would prefer to. When the lawyers and the publishers decide not to boycott their customers, maybe I'll be able to.
Protect Yourself!
AIDS activists all say you should use a condom. There are electronic equivalents for your computer: turn off UPnP on your router/modem, turn on your PC firewall, and use a good antivirus like NOD32. But that's just the beginning. I use a facility that blocks a whole load of bad web sites in my hosts file. It's called HostsMan and it cuts down on annoying ads and malware in browsers. But it can't block bad IP addresses.
For that you need PeerBlock, another free program. It monitors your P2P connections and makes sure you don't connect to any known bad IP addresses. You can get it to block HTTP traffic too, but it also stopped my NOD32 updates from downloading. This wasn't intentional, and I could fix it by using a different download server. Just weird.
eMule also has an IP blocking facility, but the standard ipfilter.dat file is only updated once a month or so, and doesn't stop the spam and fake files. You can update it more often using BlockList Manager, but it's a bit tricky to set up. It was originally designed to work with PeerGuardian, but PeerGuardian has been superseded by PeerBlock, which works well. I use both BlockList Manager and PeerBlock, to be sure, to be sure (Irish joke).
Beat ISP Filtering
My greedy ISP "blocks" all P2P traffic, usually during weekdays from 8am to 6pm. I'm not sure exactly how they do it, other than that eMule stops working properly and loses all its connections. So much for the "S" in ISP. The only way to get round this is to use a Virtual Private Network (VPN) service, such as ItsHidden. This sets up a secure tunnel between your PC and their servers, and the traffic between these two points cannot be analysed or decrypted, and looks just like any other VPN connection. It isn't illegal to use a VPN, and companies do it all the time. ItsHidden has a free VPN as well, so you can try it out and see how it works. Once you have used it for a while, you'll probably want to upgrade to their $9.99 per month paid service, which is faster and offers additional security features.
Their servers are in the Netherlands, so your PC appears to be operating from there. It's weird because when you do a Google search your default Google server is and the buttons are in Dutch. You can set your Google preferences to English quickly enough.
Don't confuse a VPN with a Proxy service. Proxies don't work the same way, and your ISP can still interfere with your traffic. A VPN effectively "relocates" your PC to another country. It's weird, but it works. The connection is a little slower than normal, but at least there is a connection.
Update 20 Sept 2011: I found a really reliable VPN service called SwissVPN that has been a great help. It can use the normal VPN software that comes with Windows, or you can use their OpenVPN client. Fortunately my ISP is being more reasonable with my traffic at present.

Thursday, October 22, 2009

The Pro Shop gives amazing service

Regular readers of this blog will know that I have an allergic reaction to direct marketing, especially SMS spam and cold calling. Today I experienced something quite amazing: a company that cares: the Pro Shop.
I received an unsolicited SMS this morning, but at least they had spelt my name right. I complained to their web site email as well as HelloPeter, and expected to hear nothing further, because most companies don't give a rip. To my delight and surprise I got a call from Marius Myburg and later from John Muller, both apologising and assuring me that they don't use marketing lists. Later Marius was able to tell me exactly how my name was added, and since I know the person who added my name to their database, I am sure it was a genuine mistake.
The way they responded was friendly, helpful and professional. They "got it" and didn't try to duck my questions. They gave straight answers and I am seriously impressed. Perhaps they should open a "marketing and customer service academy" next to their golf academy, and show the rest of South Africa how to do marketing RIGHT. If I ever take up golf I know where I will buy my stuff from. I may even get a gift voucher for my Father-in-Law from them. Mmm ...

Tuesday, October 20, 2009

Access97 Security in Forms and Reports

One of my clients just showed me a giant loophole in their Access application, which I wrote. (blush!) When he right-clicks on a report in preview mode, he can export the report to a Word document. Why is this scary? Well, the report happens to be an invoice and in Word you can edit the invoice, something you aren't supposed to be able to do!
How do you disable the right-click facility in a report preview? It's connected to the report.ShortcutMenuBar property. Set this property to a menu macro, and it appears instead of the default one.
In forms it's even easier: set the form.ShortcutMenu property to False, and the right-click doesn't work. This is particularly important for login forms where you don't want the user to be able to change to Design View. Of course in a .mde file that doesn't work anyway, but let's rather be safe than sorry.
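The two property settings described above can be applied to every form and report in one pass. This is an added example, not code from the original application. It goes beyond the single invoice report by looping over all objects, and the menu macro name "mnuInvoicePreview" is a hypothetical placeholder for your own restricted menu.

```vba
Option Compare Database
Option Explicit

' Added example, not the original application's code.
' "mnuInvoicePreview" is a hypothetical menu macro name (assumption).
Const SAFE_REPORT_MENU As String = "mnuInvoicePreview"

' Turns off the right-click menu on every form and points every report
' at the restricted shortcut menu. Run it in the .mdb before building
' the .mde. Returns the number of objects it had to change.
Public Function LockShortcutMenus() As Long
    Dim db As Database, doc As Document
    Dim changed As Long

    Set db = CurrentDb()
    Application.Echo False          ' hide the design windows while working
    On Error GoTo CleanUp

    ' Forms: ShortcutMenu = False disables the right-click menu.
    For Each doc In db.Containers("Forms").Documents
        DoCmd.OpenForm doc.Name, acDesign, , , , acHidden
        If Forms(doc.Name).ShortcutMenu Then
            Forms(doc.Name).ShortcutMenu = False
            changed = changed + 1
        End If
        DoCmd.Close acForm, doc.Name, acSaveYes
    Next doc

    ' Reports: ShortcutMenuBar replaces the default preview menu.
    For Each doc In db.Containers("Reports").Documents
        DoCmd.OpenReport doc.Name, acViewDesign
        If Reports(doc.Name).ShortcutMenuBar <> SAFE_REPORT_MENU Then
            Reports(doc.Name).ShortcutMenuBar = SAFE_REPORT_MENU
            changed = changed + 1
        End If
        DoCmd.Close acReport, doc.Name, acSaveYes
    Next doc

CleanUp:
    Application.Echo True           ' always restore screen updates
    If Err.Number <> 0 Then MsgBox "Stopped: " & Err.Description
    LockShortcutMenus = changed
End Function
```

Calling it a second time should return 0, which is a quick check that no form or report was missed.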

Saturday, October 17, 2009

Copyright Criminals

This promises to be an interesting documentary, if the lawyers don't manage to ban it first.

Thursday, October 15, 2009

Eskom Sabotages the Economy

Eskom wants to increase tariffs by 45% per year for 3 years. That's on top of the "39%" increase earlier this year, plus load shedding expenses. Do they really think the economy will sustain this kind of nonsense? Clearly they have no idea.
I know of a ceramics factory in Joburg that will probably close at the end of the year because the existing electricity tariffs have made the business marginal, and further increases will force its closure. So that's 50 people out of work, and we aren't even counting the people who make a living selling the ceramics.
Last month our electricity bill more than doubled, and we are being overcharged by City Power. I guess further action will be required. They aren't going to like it.

Thursday, October 01, 2009

Don't Copy That Floppy!

In 1992 they told us that copying floppies would lead to the end of the computer age. It was BS then and it's BS now. I'm happy to pay for good software and to keep my programs legal, but don't lie to me about why I should do so.

Now they are trying the same stunt again, but please explain to me how copying free software hurts the industry? I make some of my best programs available for free, and I'm busier than ever. Companies like "News Corporation" (did you see their ad in the video?) are complaining about losing money by having free web sites. Why then do they even bother with web sites if they are so unprofitable? If they can't sell ads on their web sites then their content must really suck.
It's ironic that these videos are available online for free. Shouldn't they be charging me to watch it? They could go out of business!

Warning: The NSA and 4 million other sick weirdos with "security clearance" have intercepted this page and know that you are reading it.