This topic is locked, you cannot edit posts or make further replies.  [ 26 posts ]  Go to page Previous  1, 2
Getforum.org`s Exclusive Whitepapers 
Author Message
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Four job-hunting tips for bad times
agentok Senior Editor of getforum.org Whitepapers.

Quote:
It’s hard not to freak out a little when you’re unemployed and the mortgage is due. But as the old commercial used to say, “Never let ‘em see you sweat.” Here are some tips to keep in mind when you’re interviewing during less-than-ideal circumstances.


Don’t be late, but don’t be early

It goes without saying that arriving late for a job interview is a kiss of death. But the opposite is also true: By arriving too early for an appointment, you might as well just announce how desperate you are. Also it gives the impression that you’re not respectful of the time the hiring manager put aside for you. Although sometimes getting somewhere early can’t be helped (you didn’t know how long it was going to take to find the place), you should just wait in your car until about ten minutes before your interview. Nothing creeps existing staff people out more than to see a stranger sitting in the reception area for an hour.

Leave your worries (and your bitterness) at the door

I’ve said this before: It does no good to unload all your frustrations with your past employer at the feet of a prospective employer. And for the love of pete, don’t mention your financial situation and how if you don’t get a job soon, someone’s going to repossess your children. Desperation is not attractive. Perseverance through tough obstacles is.

Don’t lower your standards, at least not obviously

In the course of the interview, you may learn what the salary is. If you plan on accepting it anyway if it’s offered to you, don’t make a big deal out of how the salary is much lower than what you’re used to. That does nothing but tell the interviewer that you’re going to be secretly disgruntled from the get-go. Nobody wants that baggage.

Know the line between eagerness and zealotry

Wait a few days after the interview to follow up on where things are. And if you don’t get the person himself or herself, leave a message on voice mail. And since so many people have caller ID, don’t call a million times if you don’t get a live person. You don’t want to look like a stalker.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Fri Apr 24, 2009 7:15 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Don't let the bad economy banish 'no' from your vocabulary
agentok Senior Editor of getforum.org Whitepapers.

Quote:
If you blindly accept any duty or project that comes along, you’re not doing yourself or the company any favors. If you’re spread too thin, someone or something will suffer for it. Learn how to say no.


One of the casualties of the bad economy is that fewer people will use the word “no” in the workplace. With the real or imagined specter of the layoff boogeyman lurking in every hallway, employees feel that turning down any project or responsibility will mark them as dispensible, so they keep taking on new duties until they’re turning in 60- or 70-hour workweeks.

Even the self-employed are not immune. Even though you may sense that a prospective client will be more trouble than he’s worth, something — fear of poverty, perhaps — propels you to take that client on anyway.

But, for your own sanity and the quality of your work, you must learn to say no (occasionally, you understand, and when it’s in your own best interest to do so). I’m not saying that you should learn the word “no” in 12 different languages so you are prepared to reject every suggestion directed your way. That would definitely get the attention of your manager and not in a good way.

At the same time, as a manager myself, I must say that I really need my staffers to tell me no when I’m making an unreasonable request or if the requested task pushes bandwidth too far. If they don’t, then I’ll just keep piling it on until the day one of them climbs a watchtower.

Don’t mislead your manager by blindly accepting an assignment and then missing the deadline because you bit off more than you can chew. When people say yes to everything, something is going to suffer.

Let me just say here that I’ve come to realize over the years that many of you work for ogres who would eat their young and that “no” may not seem like an option. But there’s a way to do it. Here are some tips:

1.) Be polite but direct and stick to your guns. Don’t feel like you have to run down a laundry list of your other duties just to justify the turn-down.

2.) Avoid self-deprecation. If you decline by saying you’re not the right person for the job, the requester is just going to insist that you are in order to make you feel better.

I read a piece in Forbes magazine a couple of years ago that said:

Quote:
Most people overestimate the fallout from denying a request, and underestimate the consequences of agreeing.” Remember that the next time the ogre stops by.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Fri Apr 24, 2009 7:18 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Why do people write viruses?
agentok Senior Editor of getforum.org Whitepapers.

Quote:
Why do people write viruses and other mobile malicious code? The answer isn’t as simple as it used to be


The image of virus writers as intelligent kids with too much time on their hands resorting to digital vandalism to entertain themselves persists. Years ago, making such a guess about why people write viruses might have been accurate most of the time, but the world has moved on. The writers of viruses and other mobile malicious code are many and varied, and their reasons are as wide-ranging as they are, themselves.

The forms of replicating mobile malicious code are multifarious, too. The most common forms are viruses, worms, and trojans, though non-replicating equivalents are gaining prominence as well. Cross-site scripting is an example of non-replicating code that serves much the same purpose as self replicating malicious code; it can affect millions without having to actually “infect” the victim’s computer at all.

I can’t claim to know why everybody who writes malicious code does so. I haven’t met them all. I can make some generalizations about reasons people might do so, though.

Anger Issues: There are those who, for whatever reason, just do destructive things for the sake of their destructiveness. They may be malicious narcissists, psychopaths, or just so self-centered in their impression that the whole world is against them that they will blindly lash out at anyone and everyone when they get the chance. For such people, who I believe are a thankfully rare breed, the harm they cause others has no point beyond the harm itself. They are unreasoningly destructive, and that’s pretty much all there is to it. They might think they’re misunderstood, and want to communicate with the world by harming it in some way — and maybe they’re right, that people just don’t understand them deep down. When they react to this state of affairs by maliciously setting out to harm anonymous strangers, however, I don’t think I want to understand them beyond the minimum required to track them down and put a stop to their antisocial behavior. Your mileage may vary, especially if you’re a criminal psychologist.

Do It For The Lulz: Some still do it for the “fun” of destruction. They may get a thrill out of reading news items about their work causing people trouble, or they may just take a fire-and-forget approach, creating destructive, self replicating programs for the joy of it without much caring whether they ever see the consequences themselves. Mostly, I’m sure they find it funny to read about people being inconvenienced by what they’ve done. In short, some people write mobile malicious code for the same reasons vandals break windows and spray paint garage doors that belong to people they don’t even know.

Espionage: I’m not talking about sabotage here; I’ll address that later. By “espionage”, I mean attempts to gather information through underhanded means for reasons other than identity fraud and other directly, criminally profitable purposes. Viruses, worms, trojans, and even backdoors and other malicious code slipped into your software by the vendor may serve the purposes of espionage. People worry about the potential for Chinese manufactured computers having some kind of hardware backdoor built into them, conspiracy theories about commercial software vendors being required to provide backdoor access to the NSA run rampant, the government of India famously demanded that Blackberry provide universal decryption keys for all Blackberry devices sold in the country, and the NSA’s Dual_EC_DRBG NIST encryption standard may itself include a backdoor of sorts.

Considering the fiasco of federal warrantless wiretapping violations of the law during the Bush Administration’s tenure, and the worse violations hinted at by several officials’ carefully phrased testimony that such worse violations weren’t a part of this particular program, it would be foolish to assume that government agencies never spy on people via software. How many of you remember ECHELON?

Online Gangs: It probably sounds like something out of a 1980s vintage techno-thriller like Bruce Sterling’s Islands in the Net, but it is disturbingly becoming a reality — there are actual “gangs” of angry, or just plain ignorant, kids who engage in digital vandalism as part of a misdirected urge to enhance group identity and personal pride in a fractious, underground community. Such groups may target each other or, more often, some third party whose troubles at the hands of such a gang of vandals will be easily noticed and identified. With dramatic names like “Team Holocaust” and “Phalcon SKISMs“, such “cybergangs” may occasionally claim a higher purpose (like YAM), but may also have no pretentions of purpose other than claiming a strong group identity — like being a Denver Broncos fan, except they mark their territory with digital vandalism instead of by painting their torsos orange and waving giant foam fingers in the air.

The Hacker Instinct: Keep in mind the difference between a hacker and a security cracker. With that in mind, people with a hacker mindset usually find themselves eventually drawn to specific fields of interest. In some cases, that interest might revolve around understanding self replicating mobile malicious code. Sometimes, the best way to understand something is to experiment with different ways to create examples of it. Sometimes, the best way to test something you’ve created is to see it operating under real world conditions. Some immoral or amoral hackers with an interest in self replicating mobile malicious code may test their creations by releasing them into the wild and seeing how they do.

Money Money Money: Most writers of malicious code in the wild these days seem to fall into this category; people who are in it for the filthy lucre. Viruses and worms often carry payloads that open up avenues of intrusion into a system, providing a means for either security crackers or their automated tools to slip past the system’s defenses. Such automated tools can harvest authentication information and other sensitive data (such as for reasons of identity fraud), set themselves up as automated spam generators, or contact a centralized control mechanism of some sort such as an IRC chatroom to create a botnet of thousands, or even millions, of unwitting users’ computers, all of which can be controlled simultaneously by a single security cracker. It is increasingly common for botnets to be offered for rent, for any of a vast number of reasons.

Political Agitation: Sometimes, digital vandalism — whether accomplished by a virus, a worm, a DDoS attack, or some other means — can be accomplished for the purpose of making a statement. Whether the reason for something like that is directly political in the sense of addressing matters related to government or more indirectly political such as unignorably interfering with certain types of Websites and other operations of some class of people with whom one disagrees somehow, the point is sometimes to make people who aren’t directly responsible for whatever’s being targeted aware of one’s own disapproval of those targets. DDoS and other attacks against Microsoft or Yahoo! might fall into this category.

Depending on their specific choices of targets and their motivating issues, some such political agitators (as in the case of those targeting, and protesting, Chinese and Australian national firewall policies) might even be admirable for their principles and the courage of their convictions to some degree. In extreme cases on the other hand, such as where large numbers of innocent bystanders are materially harmed (having their checking accounts wiped out to make a political statement, perhaps), action taken on behalf of this kind of motivation might reasonably be called “terrorism”.

Romance And Drama:Some may be drawn in by the perceived romance and drama of a criminal life itself. Just as some people may start out seduced to a life of crime by the power they perceive in street pushers in their neighborhoods, the exploits of cat burglars in movies, or the rare reports of some criminals who always seem to get away with their criminal acts in the news, the artificial mystique manufactured by the media around “Computer Hackers” can inspire the aspirations of the amoral youth with technical talents. Because of the character of certain online communities, it can be much easier sometimes to feed one’s own delusions of the romance and drama of being a “Computer Hacker” for a long time than in most other criminal enterprises where the physically gritty, and petty, reality of what they do becomes quickly inescapable. Once fully absorbed within such an insulated, self-reinforcing fantasy life, I don’t know how easy it is to overcome the illusion and realize that one has become nothing but a criminal security cracker, that being a real hacker is about skill and not 1337 h4xx0r nicknames, without being forcibly disillusioned by getting caught, prosecuted, and imprisoned for one’s crimes.

Sabotage: Sometimes the purpose of malicious code might be directly targeted at disrupting the operations of some class of people one doesn’t like. While this sort of behavior might seem superficially similar to that of “terrorism” as described in the Political Agitation paragraph above, or to vandalism as described above, it’s not terrorism, and it’s more personal than typical vandalism. It is a simple criminal act, aimed at a specific target, more akin to assault. People with business interests may do this not for profit or for political purposes, but to damage other businesses’ ability to compete, at least temporarily. Government agencies may do so to try to bully another government into doing something it doesn’t want to do, as appears to have been the case in the Estonian “cyberwar”. The motivation to sabotage may even be based on something as petty as personal revenge.

If I had to guess, I’d say that the most common reasons by far these days are at least somewhat profit-motivated. The I Love You email virus was kind of a watershed incident, in that it was the point where a lot of people really started noticing the growing trend in profit generating mobile malicious code.

Any attempt to explain away all virus, worm, and other malicious code writing using a single generalization is unreasonably simplistic, though. Virus writers are people, too — at least in that they may have any of millions of different motivations for what they do — even if they’re often subhuman in some respects as well (notably their ethical development). Most are probably motivated by some combination of more than one of the above suggestions, in fact, and perhaps by other reasons as well.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Sat Apr 25, 2009 12:38 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Co-worker 'idea theft' is often not deliberate
agentok Senior Editor of getforum.org Whitepapers.

Quote:
If a co-worker has ever taken credit for one of your ideas, you know how frustrating it can be. But it may help to know that the idea theft might not be intentional.


In a recent blog, I wrote about employee sabotage in the workplace. The resulting discussion and ensuing e-mails describing specific instances of co-worker sabotage depressed me to no end. Apparently, the world is just a bad made-for-TV movie.

One of the most common acts of sabotage among workers seems to be stealing credit for ideas. I’ve had this happen to me on a number of occasions. For example: I’ll mention an idea in a meeting with one person, and then a week or so later that person will state the idea as if he’d just thought of it. In my cases, however, these “idea thefts” are not intentional.

I belong to a LinkedIn discussion group called Office Politics, Workplace Politics, and Organizational Politics. In a discussion about idea theft in the workplace, one of the posters, Alan S. Koch, owner of ASK Process, Inc., and a computer software consultant, made a great point:

Quote:
One must take care in accusing anyone of “credit theft.” Ideas are funny things — difficult to manage, and even hard to prove ownership of.

Although intentional theft of ideas is common, unintentional theft may be even more common. Consider: I have advocated a certain idea on multiple occasions when “Bob” was in the room. He may have been listening, or he may have been absorbed in his Blackberry. Either way, the idea was tucked into his memory.

Later, in another context, that memory was triggered by circumstance, and combined with new information, it suddenly made sense to him. He presents it as his idea because he doesn’t consciously remember the seed that was planted way back when.

I don’t see a way to “prove” credit theft, so an ego-less approach makes more sense than trying to confront a wrong that the perpetrator may not perceive.


He’s right. You could resort to carrying around a recording device with you at all times, slap it down on the table when someone co-opts one of your ideas, and announce, “I have taped evidence that on November 8, 2008 I said those exact words in a meeting with you.” Of course, that won’t work — especially if you ever want people to speak to you again.

In today’s competitive work environment, it’s hard to not get credit when you deserve it. But IT is, in most cases, a team-driven environment, so if everyone pitches in to make an idea work, it really doesn’t matter where it originated.

In my next blog, I’ll talk more specifically about the role of credit recognition in a team-driven environment.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Sun Apr 26, 2009 2:50 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Phishing: Is that Web site real or not?
agentok Senior Editor of getforum.org Whitepapers.

Quote:
The phishing is good, probably not what you wanted to hear. Let’s take a look at why and figure out what to watch out for.


Phishing attacks rely on deception, pure and simple. Using realistic looking, but fake Web sites was one of the first techniques used by phishers. Eventually that approach became somewhat ineffective. Web sites didn’t look exactly right or the URL was wrong, alerting us to the deception.

The real thing

Phishers still use fake Web sites, but have developed a better mouse trap by altering official Web sites. How you say? It’s simple; phishers leverage the same vulnerabilities that are used for Web site defacement and various other attack vectors. It’s a good idea, since there’s no need to create anything, just alter what exists. Besides it’s the perfect deception, the site obviously looks right and the correct URL is displayed.

The “how and why” Web sites are exploited is well documented, with leveraging weaknesses in PHP to gain a foothold on the Web server being one of more preferred methods. An example of this would be the vulnerability discussed in the National Cyber-Alert CVE-2008-3239:

“Unrestricted file upload vulnerability in the writeLogEntry function in system/v_cron_proc.php in PHPizabi 0.848b C1 HFP1, when register_globals is enabled, allows remote attackers to upload and execute arbitrary code via a filename in the CONF[CRON_LOGFILE] parameter and file contents in the CONF[LOCALE_LONG_DATE_TIME] parameter.”


What makes this vulnerability unique is the developer’s insistence that there’s nothing wrong with the code. So they aren’t going to change anything:

“Tough we do not intend to release a security fix for this issue at this time, we want to remind our users of the importance of disabling the “REGISTER_GLOBALS” option of their system. This option will not only enable this vulnerability to be exploited but will also open multiple breaches into your system. Note that if your system is configured properly (with “REGISTER_GLOBALS” disabled), this vulnerability does not apply to your website.”


Kind of a strange statement from a vendor, but it’s exactly what the bad guys like to see. As proof, I did a simple search and found several Web sites advertising exploit code for this vulnerability. I’ve linked one example that’s published at the Milw0rm site.

Current research

I’ve just finished reading a paper written by researchers Tyler Moore (CRCS Harvard University) and Richard Clayton (Computer Laboratory, University of Cambridge) titled “Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing“ (pdf). Don’t worry about the title; the paper is a good read shedding light on the effectiveness of Web sites altered to steal sensitive information. For example, one interesting statistic was the mix of compromised Web sites versus fake Web sites:

“By far the most common way to host a phishing Web site is to compromise a Web server and load the fraudulent HTML into a directory under the attacker’s control. This method accounts for 75.8% of phishing.


A simpler, though less popular approach, is to load the phishing web page onto a ‘free’ web host, where anyone can register and upload pages. Approximately 17.4% of phishing web pages are hosted on free web space.”

Locating vulnerable Web sites

OK, we now know that phishers prefer to alter real Web sites and how they do it. The next question begging to be asked is how they find vulnerable Web sites. In reality, phishers don’t have too much trouble. They use readily available scanners designed to check for PHP weaknesses. One example is the Web Vulnerability Scanner by Acunetix:

“The best way to check whether your web site & applications are vulnerable to PHP security attacks is by using a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for vulnerabilities to PHP attacks. It will indicate which scripts are vulnerable so that you can fix the vulnerability easily.”


Still, most would admit that this type of scanning is slow and very inefficient, especially considering the number of Web sites in existence. Moore and Clayton’s paper again sheds light on what phishers are using to make the locating process easier:

“An alternative approach to scanners, that will also locate vulnerable websites, is to ask an Internet search engine to perform carefully crafted searches. This leverages the scanning which the search engine has already performed, a technique that was dubbed ‘Google hacking’ by Long.


He was interested not only in how compromisable systems might be located, but also in broader issues such as the discovery of information that was intended to be kept private. Long called the actual searches ‘googledorks’, since many of them rely upon extended features of the Google search language, such as ‘inurl’ or ‘intitle’.”

The article that the above quote refers to is written by Johnny Long and titled “Google Hacking Mini-Guide“. It’s a treasure trove of information on how to maximize Google search instructions to get sensitive details about Web sites.

Let’s see if it works. If you remember the PHP vulnerability described by CVE-2008-3239, the key search phrase would be “PHPizabi 0.848b C1 HFP1″. I entered that phrase in Google search and after some digging to get past all the entries referring to this exploit.

Side bar: It’s not Google’s fault


In researching this article, I quizzed some of my friends and walked away a bit surprised. A few remarked that Google is partially to blame for this. I totally disagree with that attitude and hope that you would as well.

Google provides a service that makes finding and retrieving data a whole lot easier. As you know I get on Google’s case about storing this information safely, but totally acknowledge that their search engine is the best bar none. In my opinion, the problem lies elsewhere.

Nothing new

Using search engines to find vulnerable Web sites isn’t new. What is new is the way Moore and Clayton were able to statistically link the Web search results with the probability of a specific Web site becoming compromised. They accomplished this by using Webalizer, a program that creates reports from Web server logs. Of special interest to the researchers was the recorded search terms used to locate the Web site:

Quote:
“In particular, one of the individual sub-reports that Webalizer creates is a list of search terms that have been used to locate the site. It can learn these if a visitor has visited a search engine, typed in particular search terms and then clicked on one of the search results.


Key points of the report

So what’s it all mean? In a convincing fashion, Moore and Clayton have figured out how to pull all of the important data together and assemble it in a usable format which has turned up some interesting results. The following points are two of the more notable ones:

1.) 90% of the Web sites in the study group were compromised almost immediately after suspicious search terms were found in the Webalizer report.

2.) One surprising statistic was the rate of being compromised multiple times. The report showed that almost 20% of infected Web servers were likely to become re-infected, but when Webalizer found suspicious search terms directed at a particular Web site, the chance on becoming re-infected jumped to 48%.

The fact that there are servers being compromised multiple times is something that I don’t understand at all. That needs to be fixed. To that end, let’s look at what the researchers are suggesting Web hosts do to reduce their risk.

Room for improvement

I hope Web hosting services take what the researchers learned seriously, especially the following suggestions:

1.) Obfuscating targeted details: Suspicious searches would be less effective if identifying information such as version numbers of the software being used by the Web server were not publicized.

2.) Suspicious search penetration testing: Motivated defenders could run searches to locate Web sites that appear vulnerable, warning their owners of the potential risk.

3.) Blocking suspicious search queries: An alternative approach is for the search engines to detect suspicious searches and suppress the results.

4.) Lower the reputation of previously phished hosts: In addition to flagging active phishing URLs, mark previously compromised hosts as risky due to the high likelihood of being compromised again.

What can we do

There are a few things that we as Internet users can do to protect ourselves. I’ve been suggesting that everyone use McAfee SiteAdvisor, even Moore and Clayton mention it in their report. It works by installing a browser add on:

Quote:
“With SiteAdvisor software installed, your browser will look a little different than before. We add small site rating icons to your search results as well as a browser button and optional search box. Together, these alert you to potentially risky sites and help you find safer alternatives.”


An alternative that’s not as user-friendly is to visit the PhishTank Web site if there’s any question as to whether a particular Web site is real, fake, or possibly compromised:

Quote:
“PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.”


The Anti-Phishing Working Group has a Web site that’s full of good information and specifics as to what’s going on in the world of phishing:

Quote:
“The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.”


Final thoughts

All of us, businesses and individual users alike are becoming very reliant on the Internet. So when something like phishing disrupts that trust, I tend to take it personally. Finding out that Web sites get exploited a second and third time just adds to the frustration. It’s just not right.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Mon Apr 27, 2009 2:34 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Reviewing your pandemic plans has just become job #1
agentok Senior Editor of getforum.org Whitepapers.

Quote:
With the focus on bird flu in recent years, it’s sort of unexpected to hear that the latest pandemic might, in fact, not come from flying descendents of dinosaurs but might be the result of a combination of human, bird and swine influenza viruses that have evolved inside pigs and into a new virus capable of human to human transmission. Regardless of the viruses origins, now is the time for organizations to review pandemic plans to make sure that information is current and actionable. It might even be time to take minor steps in preparation for a more serious outbreak.


As of this writing, the recently detected swine flu has killed 81 people in Mexico and cases have been confirmed in New York City, Kansas, California, Ohio and Texas as well as in France and New Zealand. This most recent flu outbreak is of the H1N1 variety, the same variety that was responsible for an estimated 40 to 50 million deaths worldwide in 1918. Although health officials have yet to determine a number of facts, including the origin of the disease and its virulence, the outbreak should spur renewed conversations regarding contingency plans in the event that the current outbreak turns into something more serious.

Many organizations have developed contingency plans based around concerns regarding the bird flu, so there is probably already at least a framework in place, if not a full plan. A contingency plan put into motion for a pandemic is likely to be different from many other business continuity-type plans. For example, if headquarters is wiped out by a tornado, setting up operations at an alternate site makes a lot of sense. However, when it comes to something that, quite frankly, scares people away from the office, such as a virulent disease, the path isn’t always as clear. In cases like this, in order to maintain operations, the organization would need to maintain at least a skeleton staff and significantly enhance remote worker capabilities for those that need to work but that, for whatever reason, can’t or won’t make it to the office.

At Westminster College, we do have campus plans for what to do in the event of a pandemic or significant public health emergency. However, for the kind of campus we are - very traditional with no online classes and all courses taught on site - we don’t maintain regular significant remote access capabilities so our normal operations don’t include what we’d need in the event of, well, an event.

With the news continuing to come out regarding the spread of confirmed cases of swine flu, my staff and I are taking a few relatively minor steps in preparation for a possible problem:

1.) First, we’re verifying our VPN services to make sure that we have enough licenses and capacity for increased volume. We don’t currently have many VPN users. Again, we’re a very traditional, very residential campus, with VPN used primarily by those that travel on college business.

2.) We’re also going to prep a couple of additional servers as terminal servers. Through this and VPN, users will be able to continue to easily run their normal applications from anywhere.

3.) A part of a campus-wide plan calls for staff that will stay on site for long periods of time in the event of a pandemic. Given that my staff has endured a lot of turnover since the campus pandemic plan was developed, we’ll have conversations regarding this point.

4.) We will verify with our service providers, including Internet and electrical service providers, our points of contact in the event of a pandemic. Although we have this information in our campus pandemic plan, periodic review is essential to keep the information current.

At this point, we won’t go overboard in preparing for what could turn out to be a whole lot of nothing. Even if the whole thing fizzles out right now - and I hope it does - it’s a valuable reminder that we need to stay vigilant with regard to our disaster and pandemic planning and make sure that we’re ready for whatever comes our way.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Mon Apr 27, 2009 3:11 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Principles vs. Magic
agentok Senior Editor of getforum.org Whitepapers.

Quote:
What do economics, evolution, and IT security have in common? They are all complex systems that require a scientific, principles based approach to understand them.


The Austrian school of economics is a praxeological school of thought: it holds that human action can and should be studied as a science, theorizing about the principles that guide and found the complex system of an economy, and testing the theories in practice. In the application of the Austrian school to economic study, both inductive and deductive reasoning are used to arrive at general principles of action, based on observation of the self and the world around oneself as well as on logical reasoning about causal relationships between motive, action, and emergent properties of the complex system as a whole.

When I write about IT Security here at Getforum.org Whitepapers, I have a tendency to try to tie things in with basic principles of security. I believe that, as with economics, one should take a principles based approach to security, first identifying fundamental principles, then reasoning from them to arrive at logical conclusions about why things happen the way they do and how to deal with circumstances that affect security. I believe that, given well-founded principles of security and a keen mind, one can achieve a very high rate of accuracy in the conclusions one reaches while reasoning about security.

The alternative is to engage in rote memorization of what other people tell you to do in each individual case and, when faced with unfamiliar circumstances that aren’t covered by what you’ve memorized, trying whatever you’ve memorized as “best practices” for whatever circumstance you feel like using as your basis, regardless of differing details. Once you’ve flailed about, trying things the way a computer might be programmed to do so — doing things pseudorandomly, without applying abstract reasoning to the situation — you can see how thoroughly your selections have failed you and adjust them to try again, if you survived the previous round.

Without a principles based approach, your only guidance in making decisions is the set of solutions to other problems that you’ve already encountered. People who advance the state of the art do so by way of epiphany based on principles, or by rigorous principles based reasoning; people who eschew a principles based approach entirely only repeat the actions of those who came before them, by rote, without understanding why they’ve worked in the past or why they fail now. Without trying to identify guiding principles of a field of study or endeavor, your approach to problem solving is akin to what Steve McConnell called Cargo Cult Software Engineering.

The need to identify fundamental principles before one can really begin to understand the workings of a complex system applies to IT security, evolution, and economics, equally. Without trying to identify those guiding principles that give rise to the emergent properties of the system, all you can do is either make wild guesses or base your reasoning entirely on wishful thinking.

This is why I find it so saddening when someone attacks a principles based approach to understanding complex systems — such as the praxeology of the Austrian school of economics, evolutionary theory, or a principles based approach to IT security — so sad. These attacks usually involve deriding the approach as “abstract theory”, as if having a theory of the system is a bad thing. Such a statement is, ironically, usually followed closely by statements in support of an alternate theory. The difference is that the alternate theory is one whose “principles” are the product of wishful thinking and confirmation bias rather than of logical reasoning. In terms of being, in essence, theoretical, there is no difference at all.

The Austrian school of economics is one of the most obvious examples of a principles based approach to understanding a complex system that is often dismissed on the basis of its reliance on understanding guiding principles. When someone dismisses the Austrian school of economics as “theory”, implying that it has no relation to the real world, what that person is actually saying — whether he or she realizes it or not — is:
Quote:
The operation of this complex system is not based on, nor is it governed by, any real principles we can logically identify and use. It is a magical system, operating only by arbitrary rules without underlying principles, that doesn’t make any logical sense as a whole.


1.) I, for one, do not subscribe to the notion that complex systems can only be “understood” via statistics interpreted through the lens of confirmation bias, by divining arbitrary rules, or by wishful thinking:

2.) I find the urge some people have to imply a mystical approach to economics by deriding the “theoretical” nature of the Austrian school destructive and anti-intellectual.

3.) I find denials of the applicability of natural evolutionary processes to the real world by categorical statements that amount to claims a complex system like the Earth’s biosphere could not have arisen without intelligent micromanagement willfully ignorant.

4.) I also find the urge some people have to assert all operating systems are created equal, pointing out the relative security levels and popularity of certain operating systems and ignoring all other correlated factors, suboptimal to say the least. The claim that, simply because one operating system is both much more popular and much more susceptible to security breaches than others security must be a function of obscurity, is a simply wrong-headed perspective that is fundamentally inimical to good security practice. It may be an appealingly easy conclusion to reach, but it ignores many other factors, such as the principle of security through visibility.

The ultimate point is that an intelligent IT security professional should be able to achieve greater successes, by identifying relevant principles of security and deriving appropriate responses to circumstances based on those principles, than by simply observing the most obvious correlations and assuming they imply a strictly causal relationship. Without understanding principles that underly our respective fields of expertise, we do little more than wave chicken bones over our problems and chant meaningless incantations in the hopes the problems will magically go away.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Mon Apr 27, 2009 6:16 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
Hacker vs. cracker
agentok Senior Editor of getforum.org Whitepapers.

Quote:
The word “hacker” gets used in a pejorative sense by journalists an awful lot. Some people think this is perfectly reasonable; others find it offensive, and recommend an alternative term for that meaning. Read on to find out why.


In mainstream press, the word “hacker” is often used to refer to a malicious security cracker. There is a classic definition of the term “hacker”, arising from its first documented uses related to information technologies at MIT, that is at odds with the way the term is usually used by journalists. The inheritors of the technical tradition of the word “hacker” as it was used at MIT sometimes take offense at the sloppy use of the term by journalists and others who are influenced by journalistic inaccuracy.


Some claim that the term has been unrecoverably corrupted, and acquired a new meaning that we should simply accept. This descriptivist approach is predicated upon the assumption that there’s no reasonable way to communicate effectively with the less technically minded without acquiescing to the nontechnical misuse of the term “hacker”. I believe it’s still useful to differentiate between hackers and security crackers, though, and that terms like “malicious security cracker” are sufficiently evocative and clear that their use actually helps make communication more effective than the common journalistic misuse of “hacker”.

I think it’s useful to differentiate especially because there are many situations where “hack”, and its conjugations, is the only effective term to describe something that has nothing to do with malicious violation of security measures or privacy. When you simply accept that “hacker” means “malicious security cracker”, you give up the ability to use the term to refer to anything else without potential confusion.

Both are distinct from people whose interest in technical matters is purely professional, with no desire to learn anything about the subject at hand other than to advance a career and make a living. Many hackers and security crackers turn their talents toward professional ends, of course, and some security crackers got where they are only through professional advancement, but one definitely need not have a professional interest to pursue the path of either a hacker or a security cracker.

A hacker, in the classic sense of the term, is someone with a strong interest in how things work, who likes to tinker and create and modify things for the enjoyment of doing so. For some, it is a compulsion, while for others it is a means to an end that may lead them to greater understanding of something else entirely. The RFC 1392: Internet Users’ Glossary defines “hacker” as:

Quote:
A person who delights in having an intimate understanding of the
internal workings of a system, computers and computer networks in
particular. The term is often misused in a pejorative context,
where “cracker” would be the correct term. See also: cracker.


The Jargon Wiki’s first definition for hacker says:

Quote:
A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.


A security cracker, meanwhile, is someone whose purpose is to circumvent or break security measures. Some security crackers end up using their powers for good, providing penetration testing services or otherwise making efforts on the side of the angels. Many others use their powers for evil, however, as we are all too painfully aware. Both RFC 1392 and the Jargon Wiki provide definitions of “cracker” that support this use of the term.

Maintaining distinct terms for distinct phenomena is an important aspect of communication, as demonstrated in the incident I described in Managers and technologists live in different worlds, where a company executive and I used the same term to refer to two different things and failed to communicate effectively as a result. When two different phenomena acquire the same label, as in the case of hackers in the classic sense on one hand and malicious security crackers on the other, either something has to give or discussion is bound to suffer from confusion that could easily have been avoided.

The more easily relabeled of the two uses of the term “hacker” is the malicious security cracker: it is not only the more recent phenomenon to acquire that label, but also the one whose meaning is most easily evoked by an alternative term. This is why, when you read an article of mine that talks about malicious security crackers, I use the term “malicious security cracker” — and in an article that talks about hackers in the classic sense of the term, I try to differentiate clearly between these two uses of the term “hacker” before using it myself.

For purposes of clarity when communicating with others about security issues, I recommend you do the same.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Mon Apr 27, 2009 6:22 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
How secure is your bank card?
agentok Senior Editor of getforum.org Whitepapers.

Quote:
Personal Identification Numbers, or PINs, are supposed to provide secure authentication for bank cards. Unfortunately, they are increasingly failing to do so.


Most of you have probably heard about ATMs with skimmers mounted over the card slot that can read your card on the way in and out of the machine, with carefully placed cameras to read your PIN as you type it in. The person setting up this little trap can then clone the card with the skimmed data, and with the pin gets access to your bank accounts. The first time I remember hearing about that method for cracking PIN security on bank cards was in the early ’90s, so it’s not exactly a new technique.

More recent developments in bank card security cracking include malicious phishing Websites, cross-site scripting, and legitimate Websites that have been directly compromised by security crackers. It’s an especially disturbing phenomenon because bank cards don’t usually have the same zero liability protections as credit cards — a fact most users of debit cards don’t think about when they use their bank cards the same way they’d use credit cards.

A new, and even more disturbing, security vulnerability for bank cards has arisen.

A research fellow at the French National Institute for Research in Computer Science and Control (say that five times fast) named Graham Steel wrote a paper in 2006 that addressed vulnerabilities in the hardware security modules that tie the bank card authentication network together. The paper, submitted to British HSM manufacturer nCipher, provided guidelines for hardware security module configuration that would help mitigate the vulnerability of the devices to attack, but it also pointed out that other aspects of HSM vulnerability were inherent to their design. To really and truly fix the problem of HSM vulnerability, the devices would have to be fundamentally redesigned in a manner that is not backward compatible. Payment processing networks across the globe would have to be reimplemented using a different, improved standard.

HSM manufacturers such as Thales-eSecurity maintain that they address the security vulnerabilities addressed by Steel’s paper, but thus far they seem to be taking an approach remarkably similar to the way Microsoft OSes are “secured” against viruses. Other reassurances that HSM manufacturers are seeing to our security involve statements about how the devices are delivered in a very secure configuration by default, which is all well and good if you don’t need them to actually do much. Unfortunately, most payment processing transactions require functionality to be enabled that exposes the devices to significant potential for compromise. As Brian Phelps of Thales-eSecurity put it, according to the Wired article PIN Crackers Nab Holy Grail of Bank Card Security:

Quote:
It’s a very difficult challenge to protect against the lazy administrator. Out of the box, the HSMs come configured in a very secure fashion if customers just deploy them as is. But for many operational reasons, customers choose to alter those default security configurations — supporting legacy applications may be one example — which creates vulnerabilities.


He went on to confirm Steel’s estimation of the scope of the problem, saying that redesigning the payment processing system to comprehensively address the current vulnerabilities due to legacy systems compatibility needs “would require a mammoth overhaul of virtually every point-of-sale system in the world.” If this doesn’t send a chill down your spine, either you aren’t paying attention, or you don’t actually use a bank card.

It is only recently that verifiable incidents of PINs being skimmed from HSMs, either gathered unencrypted from the device’s volatile memory or picked up as encrypted PIN blocks and decrypted. In some cases, at least, the decryption is made possible by the fact that the HSMs themselves contain decryption keys, and once one encrypted PIN block is decrypted it becomes much easier to decrypt the rest of them.

At first glance, one might think that the idea of storing decryption keys on devices scattered around the country that relay PINs from point to point using a model conceptually similar to Internet routing itself should have been immediately recognizable as a bad one, thanks to the example of the inherently flawed concept of digital DRM. Of course, the design of payment processing hardware security modules predates the AACS key for HD-DVDs, the Sony DRM rootkit, and Microsoft’s WGA. HSM designers get a free pass on learning from the mistakes of others, although the fact the mistake was made in the first place should have been avoidable.

For the most part, the problem is the way HSMs pass PINs around, tend to have scads of unnecessary features enabled at any given time, and contain the keys needed to decrypt the encrypted PINs. A couple of key points include:

1.) End-To-End Encryption: The PINs should be encrypted and decrypted only at the end-points. Encrypting and decrypting anywhere between those points just increases the options for unauthorized interception.

2.) Private Key Encryption: Using standardized encryption keys is tantamount to criminal negligence in this age of private key cryptography. Each and every end-point, including the bank cards themselves and the receiving systems that need to authenticate a request, should have a private and public key set. This way, you’d only be able to read data if you’re one of the unique end-points that is supposed to have access to it.

As things currently stand, however, the likelihood of the system being overhauled is pretty slim due to the immense cost that would be involved in replacing an entire global payment processing network with an incompatible standard. As a result, this problem is likely to be addressed only in a superficial, “it works right now and that’ll have to be good enough” manner. In many cases, it may not even be secured that well. Be extremely careful where you use your bank cards in the future. While liability protection for credit cards tends to be better than for debit cards, even there you should be wary of the potential threat.

I, for one, prefer to use cash anyway. Credit card and ATM transactions often impose fees on the user, and even when they don’t, it’s usually because one financial institution or another involved in a given transaction just “eats” the cost. Such behind the scenes payments contribute to price inflation, depressing the value of my money, which I tend to consider a bad thing.

With the revelation of incidents in the wild where the vulnerabilities discovered by Graham Steel (and others) are exploited to harvest PINs directly from payment processing networks around the world, I have one more reason to prefer cash transactions.

The PCI Security Standards Council has stated that it will begin a hardware security module testing program that focuses on “security properties that are critical to the payment system.” I hope the problem turns out to be more easily solved than the evidence thus far seems to suggest, but I’m not holding my breath. The problem appears to be endemic to the system itself, as it is currently designed and implemented.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Mon Apr 27, 2009 6:26 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
10 tips for secure computer disposal
agentok Senior Editor of getforum.org Whitepapers.

Quote:
If you’re in charge of IT resources at an organization with more than a handful of computer users, you might need this advice for secure equipment disposal.


Even in the best of times, computers get rotated out of use and we have to figure out how we should dispose of them. In a recession economy, people get laid off, systems running software with high licensing costs get decommissioned, and system breakdowns may lead to consolidation of functionality rather than repairs, perhaps increasing the rate at which we dispose of computer equipment. This can expose us to security threats if we aren’t careful about how we do it.

Take the following list of ten tips for secure equipment disposal to heart:

1.) Ensure that you eliminate any accounts or other access control facilities that are associated with the decommissioned equipment. You don’t want an ex-employee still getting into his old workstation after he’s not supposed to have access to it any longer, and you don’t want lingering network access accounts used to remotely connect to the computer providing more “target surface” for security crackers when you don’t need the account at all any longer. You should generally do this first.

2.) Don’t assume that taking hard drives to the landfill is secure. If there’s sensitive data on your drives, you need to get rid of it before taking it away. Even if you don’t think there is any sensitive data on the drive, consider whether you’re willing to bet the business on that — and, if not, do more than just chuck the drive in the trash. Even reformatting or repartitioning a drive to “erase” the data it stores isn’t good enough these days (if it ever was); tools such as the shred utility can help you delete files more securely. Encrypting the data on the drive before doing any deletion can help make data even more difficult to recover later.

3.) In the most extreme cases, storage devices may need to be physically destroyed to ensure that sensitive data isn’t leaked to whoever gets the drives next, even within your own organization. In such cases, you probably shouldn’t destroy them yourself. There are experts who can do this for you, and are probably a lot better at safely and effectively rendering any data on your drives unrecoverable than you would be. If your needs are so stringent that you can’t trust this to an outside agency that specializes in secure destruction of storage devices, you should have a specialized team within your organization that has the same equipment and skills as such an outside contractor.

4.) Keep a checklist for the decommissioning process to make sure you don’t forget a step at any point. This can be especially important when dealing with many, many computers at once, such as when an entire department is shut down — but it’s important the rest of the time, too. Don’t rely on the checklist to do your thinking for you, though. Consider every detail of the system in question, its uses, and any potential dangers for security that come to mind. Add new measures to the checklist when you come up with a threat you have to deal with that may be relevant again at a later date; not everything on the checklist has to apply in every case for it to be a valuable addition to the checklist.

5.) Make sure you have clear, physical indicators of whether a system has been fully decommissioned in a secure manner, and that they don’t consist of something easily misplaced or overlooked like a sticky note. It’s best if computers that haven’t been fully decommissioned are kept in a specific location, while decommissioned equipment goes somewhere else, so that habits you develop will help you avoid making mistakes. For instance, perhaps workstations should be kept on desks and servers in racks until they’re cleared (and they should probably stay there until they’ve had their drive contents shredded, at least, because they’re already set up with power and whatever interface is normal for that system). Doing so can lend a sense of urgency to the need to securely decommission the equipment, too, because you’ll feel the pressure of wanting to clear the space for other uses.

6.) Whoever is responsible for decommissioning a machine should sign off on the completion of the process, if there’s more than one person who might be assigned such a responsibility. This way, if something goes wrong, you know who to talk to when it comes time to find out what happened and how bad the mistake really is. Log the time and date of completion, too. Just keep meticulous records in general, including the specifics of equipment components that have been processed, where they’re going from here, and (when appropriate) their depreciated value and replacement cost.

7.)Don’t store equipment in need of secure decommissioning. Make it a priority to get it done, so the equipment doesn’t end up being neglected for weeks, months, or years, until someone gets an opportunity to compromise your security by making use of sensitive data stored on it. Don’t leave it running unnecessarily, either; you don’t want yet another system running on your network, waiting to get compromised by a security cracker or malware, when you don’t actually have any use for the system.

8.) Clear configuration settings on networking equipment. Managed switches, authenticating serial console servers, and other “smart” network infrastructure devices can provide clues to a clever security cracker on how best to break into your network and the systems that reside on it.

9.) Establish clear guidelines for who should have access to any equipment in need of secure disposal, and track a “chain of custody” so you’ll be better able to ensure nobody who shouldn’t have access to it before disposal won’t get his or her hands on it.

10.) Track the physical contents of every computer and piece of network infrastructure equipment in your organization, so you won’t make the mistake of overlooking a storage device. Remember that even volatile RAM can serve as a “storage device” for sensitive data under very limited conditions. Ultimately, you should just adopt an attitude of practical paranoia about sensitive data storage, and act accordingly.

Don’t fall into the trap of meticulously securing your running systems, then getting compromised or having sensitive data recovered because you didn’t put any thought into securing the systems slated for disposal. The need for good security practice doesn’t go away when you turn off the computer.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Mon Apr 27, 2009 6:35 am
Profile WWW
Support Team
Support Team
User avatar

Joined: Fri Dec 28, 2007 3:56 am
Posts: 1200
Post Re: Getforum.org`s Exclusive Whitepapers
10 questions to consider when planning a Windows 7 upgrade
Agentok Senior Editor of getforum.org Whitepapers.

Quote:
Whether you’re eagerly awaiting the upgrade to Windows 7 or you just want to know what to expect if and when you do, there are lots of factors to keep in mind. Agentok Senior Editor of getforum.org Whitepapers addresses some of the biggest concerns, from hardware requirements to driver compatibility to upgrade paths.


Windows 7 hasn’t even been released yet, but the buzz around it indicates that many individuals are chompin’ at the bit to upgrade as soon as it hits the market.

Despite this enthusiasm, however, much has been made of a recent survey by Dimensional Research. According to the survey, 84% of 1,100 IT professionals surveyed said they don’t plan to upgrade to Windows 7 in the next year, 16% do intend to upgrade in the next 12 months, and 42% expect to upgrade within 12 to 24 months. In addition, 43% said the current economic downturn is one of the reasons they will delay upgrading to Windows 7. That would seem to indicate that improvement in the economy over the next year might change the upgrade numbers. It’s also possible that this month’s discontinuation of mainstream support for Windows XP, which most of the companies are currently using on the desktop, may influence some to upgrade more quickly than they might otherwise.

Sooner or later, it’s likely that most home users and businesses will be upgrading from their current operating system to Windows 7. In this article, we’ll address 10 issues to keep in mind when you begin planning an upgrade to Windows 7.

1: Do I need to buy new hardware?

Many people equate upgrading the operating system to the need to buy a new computer or, at the very least, add RAM and perhaps a bigger hard drive to their present systems. That’s because traditionally, each new version of Windows has needed more disk space and memory than its predecessor.

Will you need to buy new hardware if you want to use Windows 7? That depends. Microsoft’s recommended hardware specifications for Windows 7 Release Candidate include a 1 GHz processor, at least 1 GB of RAM, DirectX 9.0 support, 16 GB of free disk space, and 128 MB of graphics memory (for Aero). Those requirements are pretty much the same as the published system specs for Vista Home Premium/Business/Enterprise/Ultimate (the only difference is that the Vista specs list 15 GB of disk space). Many beta testers report that Windows 7 runs faster on their low-powered machines (512 MB of RAM) than does Vista.

Rule of thumb: If your computer is powerful enough to run Vista acceptably, it will probably run Windows 7 as well or better. If you’re currently using XP on a computer with less than 512 MB of RAM or a processor that’s slower than 800 MHz, you’ll need to upgrade your hardware.

2: Can I upgrade directly from XP?

Many folks who are still running Windows XP want to know whether they can upgrade to Windows 7 without losing all their preferences and settings. The answer is, well, sort of. Microsoft is not providing a direct upgrade path from Windows XP to Windows 7. An in-place upgrade is available only if you’re running Vista SP1 or later. If you’re running XP, even if your hardware is sufficient, you’ll have to do a clean installation of Windows 7. However, you can use the Microsoft Deployment Tool 2010, which includes the User State Migration Tool, to transfer your user settings for the desktop and applications to the new Windows 7 installation.

3: Can I do a Vista in-place upgrade?

If you’re running Windows Vista, note that you must install SP1 or SP2 before you can do an in-place upgrade to Windows 7. If you attempt to upgrade a Vista computer that doesn’t have a service pack installed, you will get a message informing you that “to upgrade to Windows 7, the computer needs to be running Vista with Service Pack 1.”

4: Can I upgrade from Windows 7 beta to final release?

Many people are currently running either the public beta of Windows 7 (build 7000) that was released in January or one of the subsequent builds that has been leaked to various peer-to-peer sites since then. Many of them are wondering whether they’ll be able to do an in-place upgrade to the RC and/or final release.

Microsoft has recommended that beta testers go back to Vista and upgrade from it to the final release, but that’s something many will resist. Another option is to do a clean install, but again, many folks are using Windows 7 now on their mission-critical desktops and notebooks, and they don’t want to have to start all over. In deference to them, Microsoft representatives have said that it will be possible to upgrade from the beta, but it won’t be easy; it will involve a number of steps. The installer will tell you “no” when you attempt to do an upgrade from an earlier build of Windows 7. There’s a procedure to bypass the version check so you can do the upgrade anyway.

Microsoft asks that you do this only if you “absolutely require” it. It’s likely that you’ll have a much more stable OS if you do a clean installation.

5: Will there be driver compatibility issues?

A big complaint about Windows Vista was driver incompatibility. Too many people upgraded their OS from XP to Vista only to find that a favorite peripheral, such as a printer or scanner, would no longer work. Vista also introduced a new display driver model, WDDM, which required video card vendors to write completely different display and video miniport drivers. And security enhancements in Vista affected how the OS handles drivers. Even though Vista was in development for five years, many hardware vendors did not have Vista drivers ready for all of their products when the OS was released.

Now that Vista has been out for more than two years, most hardware vendors have updated their drivers to work with it. Because Windows 7 uses the same driver models as Vista, the vast majority of hardware devices that work with Vista will work with Windows 7. For Vista drivers that won’t install on Windows 7, you can usually solve the problem by installing in Compatibility Mode. To do this, right-click the driver’s setup file, select Properties, click the Compatibility tab, enable compatibility mode, and select the appropriate operating system from the drop-down box.

6: Will there be application compatibility issues?

As with drivers, most applications that run on Windows Vista will run on Windows 7. You may need to enable Compatibility Mode on some applications, as described above. Interestingly, some applications that ran on XP and would not run on Vista will run on Windows 7. Microsoft reported in March that it had identified at least 30 old applications that will run on Windows 7 although they failed to do so on Vista. These are being referred to as “rescued applications.”

7: What if I have apps that won’t run on Windows 7, even in Compatibility Mode?

There may be some XP applications that you can’t get to run on Windows 7, even using Compatibility Mode. In the past, that might have been considered a reason not to upgrade. However, you may still be able to enjoy all the benefits of Windows 7 without giving up your favorite apps, thanks to a new compatibility feature called XP Mode. XPM is a host-based virtualization solution that will reportedly be made available at no cost to users of Windows 7 Professional, Enterprise, and Ultimate editions.

XPM includes a fully licensed copy of XP that runs in a virtual machine on your Windows 7 computer. This differs from just installing XP on Virtual PC or VMware. The virtualized applications appear like local applications on the Windows 7 desktop because they’re published to the Win 7 host operating system. With XPM, you will be able to run any XP application on Windows 7.

8: Should I wait for Windows 7 release to buy a new computer?

Some individual computer users may be wondering if they should wait until Windows 7 is released to buy a new computer, to ensure that the system will work with the new OS. An advantage of waiting is that after Windows 7 is released, you’ll be able to buy a computer that has it preinstalled, so you won’t need to upgrade.

However, if you need a new system now, there is no need to suffer with an outdated, slow, or defective system. A Vista system purchased now will in all likelihood run Windows 7 with no problems. But even though you don’t need to wait until the final release, you might want to wait until June 1 to make your purchase. Buying a Vista system after that date will make you eligible for a free Windows 7 upgrade license. (This applies to Vista Home Premium, Business, or Ultimate editions.)

9: Which edition of Windows 7 should I choose?

A big complaint about Vista is that there are too many editions to choose from. Windows XP offered only two retail editions: Professional and Home. (XP Media Center edition and Tablet PC edition were available only to OEMs.) But Vista offers a large and sometimes confusing array of options: Home Basic, Home Premium, Business, and Ultimate. (Starter is available only in “emerging markets,” and Enterprise is available only to volume licensing customers.)

Windows 7 will also have both Home Basic and Home Premium editions. The equivalent of Vista Business edition will revert to the Professional moniker. As far as we can tell, Enterprise and Ultimate editions will be the same, except that the former is sold only through volume licensing. There will also be a Starter edition, which will be installed on low-powered netbooks.

A major change is that each successive Windows 7 edition will include all features of the lower cost ones. Many Vista Business and Enterprise users were annoyed that they didn’t get Windows Media Center, DVD Maker, and other consumer-oriented features that came in Vista Home Premium. Since Home Premium couldn’t join a domain and lacked support for EFS and some other business-oriented features, if you wanted both, you had to buy Ultimate. Windows 7 Pro will include everything that’s in Windows 7 Home Premium, and Enterprise will include everything that’s in Business edition. Companies will be able to easily block the consumer features when they deploy Pro (or Enterprise) on their networks.

Most people will find that either Home Premium or Pro will fit their needs. If you need BitLocker or the ability to boot from a VHD, you’ll want Enterprise or Ultimate.

10: What are the main reasons to upgrade to Windows 7?

Why upgrade to Windows 7 rather than stay with Windows XP or Vista? If you’re still running XP, an important consideration is the fact that Microsoft ended mainstream support for XP on April 14. Although critical security updates will still be provided at no cost until 2014, additional support is provided only to customers who pay for a support contract with Microsoft.

Windows 7 also provides the improved graphical user interface (Aero) you get with Vista. Search is improved, and consumers with children will appreciate the parental controls feature. The most important reason to upgrade from XP is security; both Vista and Windows 7 provide much better security.

If you’re using Vista, some of the new features and functionality you’ll get with Windows 7 include a more streamlined GUI with a more functional taskbar that features Jump Lists; new and more sophisticated versions of Paint, Wordpad, and Calculator; easier windows management with snap-to docking; elimination of the sidebar (while maintaining support for gadgets); and new built-in troubleshooting tools. While Windows 7 still focuses on security, User Account Control (UAC) is far less in your face and more user-configurable than in Vista. Windows 7 also has built-in support for touch (if you have a touchscreen monitor). Keyboard fans will find a number of new keyboard shortcuts to help you avoid use of the mouse in many situations.

For administrators, Windows 7 offers new tools such as PowerShell v2, improved Group Policy, and VHD image management and deployment.

_________________
Thank's For Trusting GetForum.org

Please NO pm`s & Please use the search before you post a question(s).

NOW OPEN - MyHealth Trac-On-The-Go http://my-health-on-the-go.com/

Weather forecast for tonight: Dark. Continued dark overnight, with widely scattered light by morning.


Thu Apr 30, 2009 12:22 am
Profile WWW
Display posts from previous:  Sort by  
This topic is locked, you cannot edit posts or make further replies.   [ 26 posts ]  Go to page Previous  1, 2

Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by STSoftware for PTF.

phpBB SEO