In today's New York Times, David Pogue reviewed an updated version of Microsoft's Office Live Small Business, a suite of online services for making Web sites (I'm simplifying a bit).
He failed to point out an important defensive computing aspect of any Web site: divorcing it from the domain name registration. In addition, trusting Microsoft to handle domain registration is not your best option. To fully understand this, some background is required.
A domain name, such as CNET.com or JavaTester.org is a unique name on the Internet, one that is used for both e-mail and a Web site. Conceptually speaking, all domains are registered in a big master file in the sky. Hundreds of companies, called registrars, are authorized to register domains into this huge master file. Registrars offer many services, but simply registering a domain name ranges from roughly $9 to $35 a year.
Associated with each domain is a pointer to the computer running the Web site and a pointer to the computer that receives e-mail sent to the domain. The pointer system is called DNS, for Domain Name System. The pointers are indirect. That is, rather than pointing directly to the computer(s) with the Web site or e-mail, they point instead to server computers running DNS software.* A company that hosts Web sites is obliged to run a DNS server computer to handle the finger-pointing for all the Web sites under its control.
A small business setting up a new Web site is likely to be tempted by the one-stop shopping offered by Office Live Small Business. Many registrars host Web sites and any company hosting a Web site will also register a domain name. But, you are better off getting these services from different companies.
My JavaTester.org Web site, for example, is hosted at a company called A2 Hosting and the domain is registered with GoDaddy. A2 runs a pair of DNS server computers, ns1.a2webhosting.com and ns2.a2webhosting.com, which GoDaddy associates with the domain in the big master file in the sky. (If you want to impress your friends, the ns1 and ns2 computers are technically referred to as authoritative name servers.)
For one thing, using two companies makes it easier to switch Web site hosting companies in the future, should the need arise. More importantly though, it ensures the domain is yours.
There have been times when a Web site hosting company registered a domain in their name rather than in the name of their customer. For example, instead of my JavaTester.org Web site being registered to me in the big master file, it would be registered to A2hosting.** In this case, it is not my domain, even though I paid for it. For a small business, this can be a really big deal.
What about e-mail? Companies hosting Web sites can also provide e-mail, as can most registrars. Then again, you don't need either one; you can have a third party handle e-mail for your domain.
Pogue on Office Live Small Business
The first Web site I ever created was hosted on a computer run by a school. The name was something like computerdeptserver.someuniversity.edu/~michael. Everyone in the class was assigned a userid on the server, and that formed the rightmost part of the Web site address.
From what Pogue says, Office Live Small Business does a similar thing, giving out names like bobsfleabag.accommodations.officelive.com (his example) to customers only interested in free services. Using your own domain, instead of one that ends with officelive.com, is what Pogue means when he refers to "customized domains." I point this out because the term "customized domain" has no real meaning--all domain names are unique.
If you want to use your own domain name with Office Live Small Business, Pogue's review said that Microsoft charges $15 per year after the first year. While the price is certainly fair, having Microsoft handle domain registration scares me.
The Defensive Computing Approach
If you are interested in using Office Live (which I have no experience with) to create a new Web site, first go to a registrar and register your own domain. The two registrars I recommend are GoDaddy and DirectNIC. GoDaddy is cheaper ($9 per year) but DirectNIC ($15 per year) is easier to use.
If you already have a Web site, but it was registered by the hosting company, I suggest first moving the registration to GoDaddy or DirectNIC before getting started with Office Live, or start over with a new domain name. For more on this, see my posting from last month on How to fire a Webmaster.
Microsoft's documentation
Registration of a domain is too important to trust to a company, such as Microsoft, that does it as a sideline rather than it being its core business.
Consider what its FAQ page had to say after Pogue's review came out:
"Will I be charged a fee when my domain name comes up for renewal?
Domain names are renewed on an annual basis. Microsoft will automatically renew your domain name for you, and you will not be charged a renewal fee. If you already own a domain name and transfer it to Microsoft Office Live, Microsoft will pay for any future renewals."
This directly conflicts with Pogue's account and I believe Pogue.
Also, it appears that Office Live Small Business domains are renewed on an annual basis. This is an accident waiting to happen. A real registrar can lock it up for many years.
The Microsoft Office Live Small Business FAQ also refers to "redirecting" a domain and "domain redelegation." The two terms are used interchangeably. But for what? I've dealt with domains and Web sites a lot. If you asked me yesterday what these terms meant, I would have given a different definition for the first term and couldn't have guessed at the meaning of the second.
The Office Live Small Business folks use these terms to mean changing the DNS server computers associated with a domain. For an existing domain with an existing Web site, that is how you point the world to the new Web site (at Office Live Small Business).
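The registration points made in this posting (whose name the domain is registered in, how soon it comes up for renewal, and which DNS servers it is delegated to) can all be read from the domain's WHOIS record. The following is an added example, not part of the original posting: it assumes a "Key: value" record with the field names shown (real field names vary by registry), and the record, the owner name "Jane Doe" and the dates are constructed.

```python
from datetime import date, datetime

# Constructed WHOIS-style record ("Key: value" lines). Every name, date and
# name server below is made up for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.ORG
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2008-09-14T04:00:00Z
Registrant Name: Hosting Co Domain Admin
Registrant Organization: Example Web Hosting LLC
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""


def parse_whois(text):
    """Return {field: [values]}; repeated fields such as Name Server are kept."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def name_servers(text):
    """The DNS servers the domain is delegated to, lower-cased and sorted."""
    return sorted(ns.lower() for ns in parse_whois(text).get("name server", []))


def audit_registration(text, owner, today, min_days_left=365):
    """Return a list of findings; an empty list means nothing was flagged."""
    rec = parse_whois(text)
    findings = []

    # 1. Is the domain registered to you, or to the company that set it up?
    registrant = " / ".join(
        rec.get("registrant name", []) + rec.get("registrant organization", [])
    )
    if not registrant:
        findings.append("no registrant in record")
    elif owner.lower() not in registrant.lower():
        findings.append(f"registered to '{registrant}', not '{owner}'")

    # 2. Is the registration close to lapsing (for instance, renewed yearly)?
    expiry_values = rec.get("registry expiry date", [])
    if not expiry_values:
        findings.append("no expiry date in record")
    else:
        expiry = datetime.strptime(expiry_values[0][:10], "%Y-%m-%d").date()
        days_left = (expiry - today).days
        if days_left < min_days_left:
            findings.append(f"expires in {days_left} days, on {expiry}")

    # 3. A record without name servers means the domain resolves nowhere.
    if not rec.get("name server"):
        findings.append("no name servers listed")
    return findings


if __name__ == "__main__":
    print("name servers:", name_servers(SAMPLE_WHOIS))
    for finding in audit_registration(SAMPLE_WHOIS, "Jane Doe", date(2008, 2, 14)):
        print("WARNING:", finding)
```

Comparing the `name_servers()` result before and after a change at the registrar shows whether the DNS server switch actually took effect.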
Good news, bad news
The bad news about changing DNS servers is that the actual procedure differs for each registrar.
The good news is that Microsoft provides instructions for making the change at a number of popular registrars. See How to set up your new Web site with an existing domain name.
The bad news is that the instructions for GoDaddy don't exist. Clicking on the link results in a Page Not Found error. The instructions for register.com are also missing. In fact, all the "redelegation" instructions are missing. Maybe they were filed under changing DNS servers.
Update. February 16, 2008: The instructions now exist, there are no more "page not found" errors.
* That the Internet grew to the extent it has over the years is due, in part, to the distributing of the responsibility for maintaining these pointers. No one company can screw everything up.
** I don't know that A2Hosting does this, I haven't tested it. This is only an example.
See a summary of all my Defensive Computing postings.
The new MacBook Air laptop has one killer feature, the non-removable battery. Killer as in deal-killer. As in why would anybody use a laptop that has to be shipped back to the vendor to replace the battery? It boggles the mind. Here's why.
Have any sensitive files on your computer? Files you'd rather other people not see. Many of us do. Do you like the idea of your sensitive files sitting in a package on a UPS truck? Or being in the hands of a company Apple sub-contracted repairs to? Of course not.
Remembering to remove all the sensitive files from a MacBook Air before mailing it is only the first problem. Problem two is not making a mistake and missing a couple files.
Speaking of a UPS truck, laptop computers are fragile. And, computers disappear during shipping. Defensively speaking, I'd make a disk image backup of the hard disk before mailing back a MacBook Air.
What if your perfectly working MacBook Air gets damaged on its way to Apple? According to the company:
"Service may not be available if your MacBook Air has been damaged due to accident or abuse. Please review Apple's Repair Terms and Conditions for further details."
But suppose all goes well. The MacBook Air gets shipped to Apple for a battery replacement and arrives in perfect condition with all sensitive files removed. You can still get screwed. On their battery replacement FAQ page Apple says:
"Will the data on my MacBook Air be preserved?
Don't rely on it being preserved. Many repairs require Apple to replace or reformat the hard disk, which will result in the loss of your data ... Apple and its AASPs are not responsible for any damage to or loss of any applications, data, or other information stored on your MacBook Air while performing service."
To me this means you not only need a disk image backup before sending a MacBook Air back for a new battery, you also need a backup of the backup.
Apple now charges $129 in the U.S. to replace the battery on the MacBook Air. Who cares? No one needs a battery replaced now. The question is, what will Apple be charging in two years when the first Air users need a replacement? Apple may decide to charge whatever the market will bear, which could well be more than $129. Air owners will have no leverage; they'll have to pay whatever Apple feels like charging in their time of need.
Some people use their computers for a long time. Will Apple still offer to replace the battery in 6 or 7 years?
While the battery is being replaced, you have no laptop computer.
Finally, there is the obvious.
The whole idea of a 3-pound laptop computer is to use it while traveling and this often means computing for hours away from electrical outlets. Many people carry an extra battery. Fellow CNET blogger, Gordon Haff recently wrote that he carries two extra batteries when he travels with his ultra-portable laptop. As a Seinfeld fan, let me put it this way: no spare battery for you, MacBook Air owners.
All in all, the non-replaceable battery seems like a really bad idea.
Update. January 24, 2008. I left out another drawback. There are times when a laptop computer gets so screwed up that the only way to reset it is to remove the battery. No can do with the Air.
Update. January 21, 2008. A fellow CNET blogger, one who refuses to provide his/her name, had this to say about the battery in the Air:
Let's face it: Apple's done letting you get a new battery when the stock one won't hold a charge anymore and having you milk your device. Their philosophy is that you should be turning these suckers over every two years or so, partially because that's the rate of significant advancement for components. In two years, it's going to be out of date. You may not like that philosophy, but the Macalope's found it fits his personal buying pattern anyway so no big whoop.
Wow. Talk about drinking the Kool-Aid.
I could write a whole blog about correcting computer articles in newspapers, pointing out mistakes and omissions. Many times I have corrected and expanded on articles in the Wall Street Journal by Walter Mossberg, but I've also griped about mistakes in the other newspaper I read regularly, my hometown New York Times. Back in May, on my previous blog, my comments on an article that David Pogue wrote in the Times about data cartridges for backing up computer files prompted a surprising rebuttal from Mr. Pogue.
Beats me why major newspapers don't hire computer techies to write about computer topics. Even worse, neither newspaper has the computer nerds on staff review articles for technical mistakes. Puzzling.
With that in mind, today's topic is an article about Wi-Fi security by Joseph De Avila that appeared on page D1 of the Wall Street Journal on Wednesday, January 16th. See Wi-Fi Users, Beware: Hot Spots Are Weak Spots.
The vast majority of the article is well done, but not the last paragraph. It offers the following advice from someone named John King, who "... avoids Wi-Fi at hotels in favor of high-speed connections that plug into his laptop. He says he uses Wi-Fi to check email and stock listings if that's the only means available, but only if he's sure of the signal. 'I won't go on a wireless access point that I'm not confident in,' he says."
Who can argue with the main point being made here, that wired Internet connections are safer than wireless?
I can. Or, perhaps more to the point, Steve Gibson of GRC, SpinRite and the Security Now podcast would if he were writing this blog.
Before going into the technical aspects, let's start with the people. The Wall Street Journal describes Mr. King as "... a 46-year-old engineer from Livermore, Calif., [who] works for a company that mines computers for evidence in legal cases. He travels a lot for business..." Nothing about this description makes me think Mr. King is a networking security expert.
As for Steve Gibson, I have enough of a technical background in the subject and have listened to enough of his Security Now podcasts, to confidently state that he is a networking security expert. I doubt that any of my fellow nerds would disagree.
The Important Part
The critical point here is that a wired Ethernet connection is not necessarily a safe haven from the insecurity of Wi-Fi wireless networks.
Exhibit A supporting this claim is Episode #29, Ethernet Insecurity, of Steve Gibson's Security Now podcast. (transcript, 64K audio, 16K audio). This podcast, which explains the security problems inherent in a wired Ethernet network, was a huge eye-opener to me when I first heard it.
By way of background, Ethernet is a set of hardware and software rules/standards/protocols that computers on a Local Area Network (LAN) use to communicate. Ethernet used to have competition in the marketplace, but those days are over.
While the term LAN may invoke a small network, such as that in a house or apartment, a LAN can encompass an entire building, such as a hotel. When you plug a computer into an Ethernet jack in a hotel room, you are on the same network as all the other guest rooms. And that can be dangerous.
As Steve Gibson explained in the podcast, the Ethernet protocol was designed long ago. Before the Internet. Before security was on anyone's radar screen. "Essentially, there is absolutely no security with Ethernet. The assumption always was that it would be used in a LAN setting where you knew and trusted everybody on the network. You were one big happy company..." he said.
The explanation of the vulnerabilities gets somewhat technical and includes terms such as ARP, MAC addresses, IP addresses, malicious ARP replies, NICs, man-in-the-middle attacks, ARP Poison Routing, ARP spoofing, sniffing and promiscuous mode. In simple terms, a bad guy can get in the middle of all Internet conversations (us nerds call this "traffic"). Web pages, email messages and everything else coming and going to the Internet can be intercepted and logged.
As Steve put it "... one bad person in a hotel could arrange to, without much work, literally intercept all the traffic going to and from the hotel's gateway so that all of the email conversations, all of the traffic of any sort that is being transacted by every other hotel guest, they're able to monitor and intercept."
I don't think the danger can be overstated. Wired connections to the Internet in a hotel are not, by their very nature, more secure than wireless connections.
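On a wired hotel network, the malicious ARP replies described above leave a visible trace in your own computer's ARP table: the gateway's IP address suddenly maps to a different MAC address, usually one that also belongs to another machine on the LAN. The following is an added example, not from the podcast or the original posting; it assumes the output format of the Linux `arp -an` command, and the addresses in both snapshots are constructed.

```python
import re

# Matches entries such as "? (10.20.0.1) at 00:1a:2b:3c:4d:5e [ether] on eth0".
# Unresolved entries ("at <incomplete>") carry no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})"
)

# Constructed snapshots: one taken right after plugging in, one taken later.
SNAPSHOT_BEFORE = """\
? (10.20.0.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.20.0.57) at 02:aa:bb:cc:dd:01 [ether] on eth0
? (10.20.0.88) at <incomplete> on eth0
"""
SNAPSHOT_AFTER = """\
? (10.20.0.1) at 02:aa:bb:cc:dd:01 [ether] on eth0
? (10.20.0.57) at 02:aa:bb:cc:dd:01 [ether] on eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} with MACs lower-cased and zero-padded (0:1a -> 00:1a)."""
    table = {}
    for match in ARP_LINE.finditer(text):
        octets = match.group("mac").lower().split(":")
        table[match.group("ip")] = ":".join(o.zfill(2) for o in octets)
    return table


def arp_warnings(before, after, gateway_ip):
    """Compare two ARP snapshots and list signs of a poisoned gateway entry."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    warnings = []

    # Sign 1: the gateway's MAC address changed while you stayed plugged in.
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        warnings.append(
            f"gateway {gateway_ip} moved from {old[gateway_ip]} to {new[gateway_ip]}"
        )

    # Sign 2: one MAC address answers for the gateway and for another host.
    ips_by_mac = {}
    for ip, mac in new.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(sorted(ip for ip in ips if ip != gateway_ip))
            warnings.append(f"{mac} answers for the gateway and for {others}")
    return warnings


if __name__ == "__main__":
    for warning in arp_warnings(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "10.20.0.1"):
        print("WARNING:", warning)
```

A clean comparison does not prove the network is safe, since the table may already have been poisoned when the first snapshot was taken.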
And Ethernet is not the only weak link in the security chain. The podcast describes software that can decrypt some normally encrypted data. "And in some cases, where you have weakly authenticator protocols, like Windows Remote Desktop that really doesn't provide any kind of authentication, man-in-the-middle and complete decryption attacks are easily performed. I mean, it is really bad," said Steve Gibson.
I first listened to this podcast episode while traveling to another city where I was planning on using a wired Ethernet connection in my hotel room. The podcast scared me to the point that I installed a VPN on my laptop. VPNs, while typically used by large corporations, are available to anyone and are the best protection from this sort of thing.
If anyone you know ever intends to use a wired Ethernet connection at a hotel, then tell them to read this posting. And get a VPN.
You don't read PC magazine for mutual fund advice, and you shouldn't read the Wall Street Journal for computer advice.
Update. February 18, 2008: For more on this see Defending against insecure hotel networks with a VPN.
Once again, Walter Mossberg has offered incomplete and potentially dangerous computer advice in The Wall Street Journal. The December 6, 2007 edition of Mossberg's Mailbox had a question from someone whose lone hard disk was divided into two partitions: a small C disk that was almost full and a large D disk with lots of available space. The questioner asked about merging the two partitions together. Mr. Mossberg said that Partition Magic can be used for this purpose and that it "works well."
It is malpractice to suggest changing partitions in any way, shape or form without first making a disk image backup. When things go wrong, as they inevitably do, you can lose access to all the files in a partition.
I jumped on the Partition Magic bandwagon early. In the late 1990s, before the availability of virtual machines on PCs, we used it in an R&D lab to run multiple operating systems on a single computer. For years I have used it on my personal machines for a host of reasons.
Partition Magic has its fair share of quirks and problems, not the least of which is that it appears to have been abandoned by Symantec. The Partition Magic gripes at my computergripes.com site are consistently the most popular topic on the site.
Among the operations that can be performed on partitions, combining two of them is perhaps the most dangerous. It is more complex than resizing a single partition and is a relatively new feature. Personally, I never attempted it, both because of the risk and because there are other ways to accomplish the same thing.
In this case, I would shrink the D partition to the minimum allowable size (plus a small fudge factor for good luck), then enlarge the C partition to include the space just given up by the D partition.* Next, I would copy all the files from D to C, then wipe out the D partition and, finally, expand the C partition so that it takes up the whole hard disk.
But, before combining partitions, I would look to avoid the whole thing by moving files from the C disk/partition to the D disk/partition.
Some of the poorly chosen Windows defaults that I mentioned last time can be tweaked to free up space. For example, the Recycle Bin defaults to 10 percent of the partition in Windows XP and System Restore claims 12 percent by default. The minimum for System Restore in XP is 200 megabytes; give it 300 or 400 and you will probably reclaim many gigabytes. Internet Explorer also consumes large quantities of hard disk space. I doubt you will notice any change if you limit the IE cache to 30 or 40 megabytes.
Windows Update creates folders in the C:\Windows folder with names like $NtUninstallKBxxxxxx$. The total uncompressed size of these folders was 245MB, 285MB and 536MB on three different Windows XP machines that I checked. These folders can be moved out of the C disk/partition, as they are used only to uninstall bug fixes. If there is a large collection of pictures, music and/or videos, they can certainly be moved to free up space. Finally, there is the Disk Cleanup feature of XP that exists for just this purpose (get the Properties of the C disk, it's a button on the General tab).
Partition Magic is also expensive. Similar software, GParted, is available for free in Linux (download from CNET Download.com or see sample screenshots). You can boot your computer using a Linux Live CD and run GParted that way. I have done this with Ubuntu and Knoppix but many other Linux versions/distributions also include partitioning software.
You don't read PC magazine for mutual fund advice and you shouldn't read The Wall Street Journal for computer advice.
* I'm simplifying things a bit. There is actually another necessary step: after shrinking the D partition, it has to be moved to the right before the C partition can be expanded. Also, if after this shrink/resize operation all the files from the D partition don't fit onto the C partition, then another round of shrink/resize would be needed. Backup, backup, backup.
On October 18th in The Wall Street Journal, Walter Mossberg wrote his annual PC Buyers Guide. Using his article as a springboard, I weigh in on some of the issues faced when buying a new computer.
Vista security
The first choice anyone makes in purchasing a new computer is the operating system. In judging the relative merits of Vista over XP, Mossberg calls Vista "better than prior versions of Windows, because it has a stronger security system under the hood."
But, according to CNET's Security Watch columnist Robert Vamosi, "most of the security enhancements touted in Windows Vista don't appear in the Home Premium and Basic editions" (see "That $200 Windows XP service pack called Vista"). Specifically, Device Lockdown, Network Access Protection, Enhanced Authentication Model and the Encrypting File System (EFS) are missing. Vamosi also takes issue with security features in the Business editions.
A new security feature in Vista is outbound protection in the Windows firewall. Sounds great on the surface, but as Vamosi describes it, it's a sham (my word, not his). A good firewall that provides outbound protection will, by default, deny everything and let you specify the allowable applications. To avoid nagging too often, some firewalls are aware of common Internet applications and allow them to make outbound connections.
In contrast, the Vista firewall requires you to create a rule for each malicious application known to mankind. Outbound connections from applications that don't match an existing rule in the firewall are, by default, allowed. This pretty much renders outbound protection ineffective.
Microsoft is making the same rookie mistake it made when Windows XP was first released. At the time, they could brag that XP came with a firewall, but, by default, it was turned off. Wrong choice (from a Defensive Computing perspective). It took them about four or five years to enable it by default.
The UAC security feature (User Account Control) in Vista probably gets the most publicity. The initial design asks so many questions that some people turn it off entirely. And Vamosi points out that unlike other operating systems, Vista allows an administrator to make system changes without having to enter a password. Thus one wrong OK click and you're infected with malicious software. Are you too busy or too inexperienced with Windows to read or understand the UAC message? There goes your protection.
What Vamosi calls the biggest improvement in Vista over XP is a feature in Internet Explorer 7 that runs ActiveX controls in a sandbox. Still, he says, you are safer using Firefox or Opera, an opinion I agree with.
In making a case for Vista security, Microsoft points to the included Windows Defender anti-spyware program. But it is available as a free download to Windows XP users. More importantly, though, it's not very effective, at least according to CNET. Vamosi says: "In testing done last spring by CNET Download.com, Windows Defender missed some of the test spyware, finishing well behind other antispyware programs on the market today."
FUD
In choosing between XP and Vista, Mossberg says "buying Vista may be the better choice for the long run. Over time, more and more products will be released that are tailored to the new system."
FUD is a term known to many of us computer nerds. It refers to sales practices used when a product is not good enough to sell itself. The letters stand for fear, uncertainty and doubt. If a software vendor resorts to this, it's a red flag their product can't stand up to an objective evaluation. Mossberg here is slinging the FUD for Microsoft.
Since, he says, Vista "may" (note the use of "may" instead of "will") be the better choice in the future, buy it now. In other words, choose Vista now out of fear that XP won't be compatible with future hardware and software. FUD personified.
James Fallows, who writes for The Atlantic, fell victim to this logic. He eventually wiped Vista off his computer and returned to Windows XP.
If the day arrives when Vista is more compatible with hardware and software than XP is, it will be a very long time from now. And a case can be made that such a day will never come.
Windows XP has been around for quite a while now--six years and counting. There are way too many copies of XP in use for any software or hardware vendor to dare come out with a product that works with Vista but not XP. If you ran a hardware or software company, at what point in the future would you produce a Vista-only product?
Consumers
While Vista is the rule at retail computer outlets, Mossberg notes that "PC makers are still offering XP on a few new consumer PCs."
Where is it written that a consumer has to buy a computer marketed to consumers? It's not. No matter who you are, you are free to purchase a machine marketed to businesses, and I recommend doing so.
Flavors
Regarding the different flavors of Vista, Mossberg said "the best choice for average consumers is a version called Home Premium." In some ways though, it's a poor choice.
If your needs are simple or money is tight, Vista Home Basic has the advantage of being the cheapest option both in terms of paying for the OS and in terms of the necessary hardware horsepower to support it. For a randomly selected Fujitsu notebook computer, Vista Business cost $100 more than Vista Home Basic. And, as noted above, there are those missing security features in the home editions of Vista.
The two flavors of Vista Business may have an ace in the hole - the ability to fall back to XP, should the need arise. I say "may" because each computer manufacturer has the option, not the requirement, to offer this. Many will provide an XP Recovery CD for their customers who purchase, or have purchased, a business version of Vista. See "The XP alternative for Vista PCs."
The charge for the XP Recovery CD varies by manufacturer, but in general it is provided at cost. In the cases I've seen, it is less than purchasing XP at retail and much easier to install too, as it comes with the necessary drivers, is preactivated and lays down a disk image rather than requiring you to actually install XP.
Video
Unlike Windows XP, Vista has two different user interfaces (separate and distinct from the many flavors of the operating system itself). The Home basic edition only supports one interface, the one that requires less computing horsepower to produce. The other flavors of Vista can use a flashier interface known as Aero.
Regarding the hardware needed to support Aero, Mossberg says "Vista's flashy graphical interface works best with a separate, or 'discrete,' graphics card that has its own memory."
There is a hidden gotcha here that he doesn't go into. Graphics cards come with varying amounts of video ram (also referred to as on-board memory), usually 32, 64, 128 or 256 megabytes. To run Aero, Microsoft says in one place that Vista needs at least 64 megabytes of video ram (for resolutions with less than 1.3 million pixels, give or take), but in another place Microsoft says the minimum is 128 megabytes of video RAM. Go figure.
No matter which number you choose to believe, you next have to deal with the labeling and marketing of video cards which is, unquestionably, designed to mislead. Recently Dell sent me a catalog in the mail, and the fine print at the back contains this description of a video card in one of the computers they offer:
In other words, this 128MB video card cannot run Aero because it has only 32 megabytes of video ram. Not to pick on ATI exclusively, Nvidia does the same. The Dell fine print also contained this:
This truth-in-labeling issue seems to apply to ATI Hypermemory cards and to Nvidia TurboCache models.
The Trivial
Another feature Mossberg cites as an advantage for Vista is better integrated searching. This is very much a matter of opinion. Personally, I don't want any integrated searching. But anyone who does want it can choose from many different XP-compatible products, both free and commercial. Either way, I find it hard to imagine someone switching from XP to Vista and citing the ability to find files on your own computer as a big factor in the decision.
Advice
Walter Mossberg would have probably liked to say more on some of these points but he is limited by the space requirements of his column, which literally is a column (how quaint). This does both him and his readers a disservice. Bloggers are fortunate in being able to take as many words as necessary to say what we have to say.
You don't read PC Magazine for mutual fund advice and you shouldn't read The Wall Street Journal for computer advice.
Many people love iTunes, but installing the software on a Windows computer that you depend on is a mistake, from a Defensive Computing standpoint. I say this for two reasons. For one, iTunes is a large, complex program and installing any such program is risky, Windows being what it is. In addition, iTunes includes QuickTime, which has been fraught with security bugs. And personally speaking, the fact that I must use iTunes to play music purchased from Apple rules the whole system out for me.
So, when I heard about Amazon's new MP3 Download store selling normal, ordinary, plain vanilla MP3 songs, I tried it out. The "store" is in beta though, and it shows.
The good news is that I did end up with a couple non-copy-protected MP3 songs. The bad news is that Amazon expects you to install software.
Any time you install software on a Windows machine, there's a risk, one larger than many people realize. So, defensively speaking, I always prefer not to install software. Especially beta software. Then too, if you're using a computer that belongs to your employer, it may be against the rules, or impossible, to install software.
So, I didn't install Amazon's "MP3 Downloader" software, and found my shopping options limited. The most glaring limitation is that without the software you can't purchase an album--all you can do is purchase individual songs. And, if you're looking at a list of songs in an album (or any list of songs for that matter) you can't purchase multiple songs at the same time. Purchasing three songs, for example, requires three different transactions.
User experience
When I first entered the MP3 store, I was greeted with "Hello, Michael Horowitz. We have MP3 Downloads Recommendations for you." But, clicking on the link resulted in: "Sorry, we have no recommendations for you in this category today." Such is beta software.
Initially, I wanted to purchase songs from a particular rock group, and finding the group was easy enough. But they have been performing for years and their portfolio of songs numbers 412. Navigating through these 412 songs was brutally cumbersome.
One of the songs I wanted had an original version from 1971, a remastered version from 2001 and a host of live recordings. I would have happily purchased a studio and a live version, but Amazon works against you here. You can't list the songs in alphabetical sequence--which is needed to sample each rendition and pick a favorite or two. The only possible sort sequences are "best selling" and price, which means endless paging back and forth to find all the instances of a song. Fuggedaboutit.
To get around this, I tried limiting the list to just one song, but this isn't possible. If, for example, you search for "teacher" you get songs with the word teacher anywhere in their name, not just those named simply teacher. In addition, you get artists such as the Moravian Teachers Choir and albums with the word teacher in their title.
Then it occurred to me not to search "MP3 Downloads" (it's the default) but rather to search "Song Titles". Alas, beta software being what it is, this returned many songs without "teacher" anywhere in their name. And, as you might have guessed by now, searching for "teacher" within Album Titles returned all the albums by the Moravian Teachers Choir, regardless of the album title.
To find a single song, the closest you can come is to search for both the artist and the song title. If, however, the song title is also an album title, the search results include all the songs from the album.
Dangerous design decision
To close on a defensive note, the process of purchasing an individual song was too easy. By this I mean that after clicking the "Buy MP3" button for a song, I purchased the song without having to enter my Amazon user ID and password, let alone a credit card number. This was a first for me--all the many Amazon purchases I've made over the years required entering at least a user ID and password.
The danger here, of course, is that anyone can walk up to your unattended or unlocked computer and buy music charged to you. If you have an Amazon.com account, you may want to log off whenever you're done making purchases. To do so, go to the Amazon home page and near the top where it says "(If you're not Michael Horowitz, click here)" click there. The price of security is always inconvenience.
Update: October 2, 2007. For more on the issue of making purchases at Amazon without having to enter a password, see Defensively shopping at amazon.com
Update: October 8, 2007. Brian Krebs in the Washington Post wrote about a new set of bug fixes for QuickTime. See QuickTime Security Update for Windows. Defensively speaking, I wouldn't install QuickTime on a computer used for important work.
On Thursday August 30th Walter Mossberg repeated his prior recommendation of the Mozy online backup service. While Mozy can fit the needs of some people, there are two sides to every coin and there is a downside to Mozy too. For the rest of the story, see my recent postings:
This is a continuation of Tuesday's posting (Everybody likes Mozy--except me. Part 1), which introduced the Mozy online backup service and software and where I started offering my opinions. Since Tuesday, I came across two more positive Mozy reviews.
In April, Serdar Yegulalp, writing for InformationWeek, reviewed Online Vault, Carbonite, eSureIT, iBackup and Mozy (Five Online Backup Services Keep Your Data Safe, April 9, 2007). He concluded that "The all-around winner for regular users and small business from this bunch was definitely Mozy, both for its plan structure and its unobtrusive client."
Also in April, BusinessWeek had a short article by Arik Hesseldahl about the beta release of Mozy for the Mac where he said "I've used Mozy on the Windows machine at the office, and actually came to like it a great deal" (Mozy Comes To Mac Today! April 25, 2007).
Encryption
Anyone considering backing up sensitive files has to be concerned with security and encryption. Walter Mossberg barely mentioned security, but David Pogue warned:
"Then there's the security thing. All four companies insist that your files are encrypted before they even leave your computer. But if you still can't shake the image of backup-company employees rooting through your files and laughing their heads off, then this may not be the backup method for you."
Note: He was referring to the idea of off-site backups, not specifically to Mozy.
At first glance, Mozy security sounds impressive--files are encrypted on your PC using 448-bit Blowfish encryption and then transferred over the Internet to Mozy using 128-bit Secure Socket Layer (SSL) encryption. But let's take a step back.
- Mozy software encrypts the files on your computer
- To do this, the Mozy software needs to know the encryption key (basically a password)
- Mozy stores your files on Mozy's computers
The problem here is that Mozy is doing everything. In effect, Mozy makes the key, the lock and the safe.
How files are transferred between the PC and Mozy has nothing to do with the real security issue, as I see it. The SSL encryption used during the transfer offers protection from interception while the files are in transit, but no protection from Mozy.
There are two ways the Mozy software learns the encryption key/password--either you pick one and type it into the program, or the program will choose a password on its own. As they explain:
"You have the option of using a Mozy key, or your own private key to encrypt your data. Note, that if you use your own private key, you must be very careful about not losing it, because if you do, we won't be able to help ... Most users opt to use the Mozy key, but it's up to you."
Note: "key" can be thought of as a password and "private key" can be thought of as you choosing the password.
Using a key/password generated by the Mozy software may not sound so bad, but it means your sensitive files are not secure.
In Part 1, I quoted Walter Mossberg as saying "Both companies encrypt the backed-up files and say they don't view them." Not that they can't view them, but that they don't view them. And the Mozy warning--do not lose your key/password or they can't help you--implies that when their software chooses the password, they can help you. They must know the password.
Even if you choose the encryption password, you are trusting the Mozy software not to externalize it, either on purpose or by accident. When it comes to backing up sensitive files, there is no place for trust in the equation.
This situation is not at all unique to Mozy. Other online storage companies also provide software that encrypts your files. I suggest using a backup scheme where software from one company does the encryption while an unrelated company stores the files.
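One way to arrange the split suggested above, as an added example that is not from the original post: OpenSSL does the encryption on your own machine and only the resulting .enc file goes to the storage company. The choice of OpenSSL and AES-256, and the names KEYFILE, DIGESTDIR, make_key, digest, seal and unseal, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one tool (OpenSSL) encrypts, an unrelated company stores.
# KEYFILE, DIGESTDIR and the function names are hypothetical.
# Assumes OpenSSL 1.1.1 or later (for -pbkdf2).

KEYFILE="${KEYFILE:-$HOME/.backup-passphrase}"   # never leaves your machine
DIGESTDIR="${DIGESTDIR:-$HOME/.backup-digests}"  # local record of what was sent

# make_key: create a random passphrase once, readable only by its owner.
make_key() {
    if [ -s "$KEYFILE" ]; then return 0; fi
    ( umask 077 && openssl rand -base64 32 > "$KEYFILE" )
}

# digest FILE: SHA-256 of the file's contents, hex only.
digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# seal FILE OUTDIR: write OUTDIR/<name>.enc, the only thing the storage
# company receives, and keep the plaintext digest locally. Prints the path.
seal() {
    name=$(basename "$1")
    mkdir -p "$DIGESTDIR" || return 1
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2/$name.enc" -pass "file:$KEYFILE" || return 1
    digest "$1" > "$DIGESTDIR/$name.sha256"
    printf '%s\n' "$2/$name.enc"
}

# unseal ENCFILE OUTFILE: decrypt a downloaded copy and confirm it matches
# the digest recorded at backup time. "openssl enc" in CBC mode has no
# integrity check of its own, so the local digest supplies one. Fails, leaving
# no output file, on a wrong passphrase or on data altered in storage.
unseal() {
    name=$(basename "$1" .enc)
    want=$(cat "$DIGESTDIR/$name.sha256" 2>/dev/null || true)
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
           -in "$1" -out "$2" -pass "file:$KEYFILE" 2>/dev/null &&
       [ -n "$want" ] && [ "$(digest "$2")" = "$want" ]; then
        return 0
    fi
    rm -f "$2"
    return 1
}

# Typical use:  make_key; seal ~/Documents/taxes.xls /path/to/upload-folder
```

Keep a separate copy of the passphrase file somewhere off the computer; as with the private key in the Mozy warning quoted above, nobody can help you if it is lost.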
Restoring Files
When it comes to restoring files, Mozy can be slow. You can't simply go to their Web site, navigate to your needed files and download them. Instead, you have to request all the files you need up front (don't forget any) and wait. In Mozy's own words:
"Depending on how large the restore is, it could take a few minutes or a few hours for Mozy to prepare the data for you. When it's ready, you will be emailed letting you know you can download it. When you get the email, go to your Account page and from there you can download the restored data."
If you can imagine a situation where you need to access your off-site backup files quickly, Mozy might not be an optimal fit. Joel Hruska at Ars Technica described his experience restoring files using the Web-based interface: "When I requested a restore build as a free user, it took Mozy 36 hours to make my restore file available versus only 18 minutes when I requested the same service as a paying customer."
Only 18 minutes? With the nothing-special backup service I use, it takes less than 18 seconds to start downloading files, and e-mail is not involved at all. And 36 hours seems excessive, even for a free service.
More Gripes
There are a couple things I don't like about the way Mozy backs up files.
For one, their software copies open and locked files. No thanks, I prefer my files closed and unlocked when they are backed up. Why they do this, I don't know. What problem are they solving? Since the Mozy software runs all the time, there should be very little delay between when a file is closed and when it's sent off-site. I prefer backup software that issues a warning when it tries to copy an open or locked file.
Part 1 of this blog had a discussion of why Mozy is motivated to store as little data as possible. This may explain why Mozy doesn't always back up entire files. They try to be smart about it and only back up the pieces of a file that changed, a feature they call "block level incremental backups". I'm a pessimist, and this strikes me as just something else that can go wrong. I prefer my backups simple, and backing up pieces of files and later putting all the pieces together is complicated.
The Ars Technica review had this gripe: "Unlike several of the other programs we tested, Mozy doesn't offer a 'Backup this file' option when an item is right-clicked inside Windows Explorer."
Being a computer nerd, I'm comfortable using FTP to transfer files. Mozy does not allow uploads or downloads via FTP.
Warranty
Ed Foster writes The Gripe Line column for InfoWorld. Back in February, he wrote a memorable article called Backup Service EULAs Warrant a Closer Look (alternate link). A reader of his column reviewed the terms of service for Mozy, Iron Mountain, Carbonite, Xdrive, and SOSonlinebackup. According to Ed, "All disavowed that the product had to actually function at all except Iron Mountain, which in its warranty promises to at least try to fix bugs..."
The unnamed Gripe Line reader said it well: "The availability of data, in essence, completely defines the service itself. Yet, all of the online backup companies I surveyed expressly disclaim any responsibility for actually delivering on the service they claim to offer." Three of the companies, Mozy being one of them, disavow damages for their own negligence.
And here's an analogy that really puts it in perspective: "Who would buy life insurance if the carrier's terms of service has a clause that says that if you die, they have no real obligation to pay the claim?"
Finally, on a (much) lighter note, some people may have a hard time complying with parts of Mozy's End User License Agreement. In the LIMITATION OF LIABILITY section it says:
"FURTHERMORE, YOU AGREE TO USE THE SOFTWARE OR SERVICE EXCLUSIVELY FOR GOOD AND FOR AWESOME."
Talk about restrictive. And then there is this, in the next paragraph:
"DO NOT TAUNT HAPPY FUN BALL."
Wikipedia has an explanation of Happy Fun Ball. As lawyer jokes go, this one is pretty good.
To end on a legal note, that's my case.
For a company in the boring business of online file storage, Mozy gets more than its share of press coverage, and from what I've seen, it's all been positive. Mozy attracted attention back in December 2006 when they started offering unlimited file storage for $5 per month or $55 per year (rounded off).
The first Mozy review I ran across was by Walter Mossberg in The Wall Street Journal ("These Services Make Backing Up Your Files Safe and Inexpensive", December 14, 2006). He liked Mozy, so I spent some time reviewing them for a class I teach on backing up your computer. My opinion differed from Mr. Mossberg's, not for the first time.
Then in January 2007, David Pogue, writing in The New York Times, also liked the service ("Fewer Excuses For Not Doing A PC Backup", January 4, 2007). I blew that off too. But a couple weeks ago the tech Web site Ars Technica published a review of online storage providers by Joel Hruska that recommended Mozy as the best of the bunch ("Online backup solutions: a review", July 16, 2007). For me, that was the final straw. Time to speak up.
The good reviews
In his review Walter Mossberg compared Mozy to Carbonite, another online storage company. He found Mozy "easy to set up and easy to use" and seemed impressed that using the Web-based interface he could restore files on a Macintosh computer. Security is an obvious concern with off-site storage and addressing it he said, "Both companies encrypt the backed-up files and say they don't view them." Finally, he notes that "you can back up multiple computers--but you have to pay extra for each additional machine."
Pogue also found Mozy more flexible than Carbonite, citing as an example the fact that backups can either be continuous or run at specified times and dates. He pointed out that Mozy can back up only changed portions of files, and he liked that you can review 30 days of backups (more on this below). His only criticism was minor: he felt that Mozy might not be the best choice for beginners as some of its options are "novice-hostile."
Writing for Ars Technica, Joel Hruska reviewed Xdrive, Backup/PC, Mozy and Carbonite and concluded: "Of the services we tested here, Mozy Online struck the best balance between functionality and flexibility and is our overall top pick for an online backup service."
My opinions
To start with, I don't like any backup service whose software has to run constantly in the background. The more software running on a computer the greater the chance of something going wrong. I prefer a backup scheme where the backups happen on a schedule and/or on demand. Thus, 99 percent of the time there is no backup software running. I don't like my computer doing stuff without me knowing about it.
And, if I had to go with background software that never shuts down, my preference would be for a mature product. Something that's at version 11 and has been around for years. Mozy is a relatively new company; it was founded in 2005. In December of 2006 when Mr. Mossberg wrote his review, the Mozy application software only ran under Windows XP. Now it also supports Windows 2000 and Vista and they have Mac software in beta testing. This is all too new for me to trust it with something as important as file backups.
Mr. Mossberg's description of the Web-based interface failed to point out that it can't be used for making backups, only for restoring files. As he said, Mozy charges extra for each additional computer that you back up from. The online backup service that I use, which I'm not going to mention both because it's not perfect and this blog is not an ad, allows me to back up files from an unlimited number of computers using their Web interface. This should be a prerequisite for any online storage service you may be considering.
Big sin
Mozy's biggest sin wasn't mentioned in any of the reviews. (Doesn't anyone read the fine print?)
An obvious reason for making backups is to be protected from accidentally deleting files. If your fingers slip while typing, you can wipe out dozens of files and not realize it. Or someone else using your computer might delete them. Or there may be a glitch in the file system and Windows loses track of some files.
If you delete a file by accident and don't notice it, Mozy will delete the backups of the file too. I kid you not.
This is a quote from Mozy.com (as of July 29, 2007): "If you delete the working copy on your machine and then run a backup, Mozy will assume that you no longer need a backup copy, since you got rid of the working copy, and will mark the file to be removed from our system in 30 days...After 30 days, you cannot get these files back."
Pogue made a bad thing seem like a good thing when he wrote: "You can view 30 days' worth of backups, too--a feature that prevents you from deleting a file from your PC accidentally and then finding its deletion mirrored in your latest backup." Mr. Pogue is assuming both that you know a file was deleted by accident and that you try to recover it within 30 days. But if you are not aware that a file is missing until 31 days after it disappeared, it's gone. With my online backup company I could accidentally delete a file, not know about it for years and still be able to recover the last backed-up copy.
Perhaps you know someone who has had to reinstall Windows? Or had their laptop computer stolen? With Mozy there is a chance it may treat missing files as being deleted on purpose, and delete the backups in 30 days. I have no idea how likely this is, but if something can go wrong, it will. And again, there's that issue of relatively new version 1 software to consider.
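A defensive check for the situation described above, as an added example that is not part of the original post or of any backup product: before each backup run, compare the files on disk with the list recorded at the previous run, so a vanished file is reported while the stored copy can still be restored. The function names and the list file are hypothetical, the list file should live outside the folder being checked, and file names containing newlines are not handled.

```shell
#!/bin/sh
# Added example (not Mozy's software): notice vanished files before a backup
# run mirrors the deletion. Function names and paths are hypothetical.

# snapshot DIR LISTFILE: record every regular file under DIR, sorted.
snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort ) > "$2"
}

# missing_since OLDLIST DIR: print files named in OLDLIST that are no longer
# under DIR. Returns 0 when nothing is missing, 1 when something is.
missing_since() {
    now=$(mktemp) || return 2
    snapshot "$2" "$now"
    gone=$(LC_ALL=C comm -23 "$1" "$now")
    rm -f "$now"
    if [ -z "$gone" ]; then return 0; fi
    printf '%s\n' "$gone"
    return 1
}

# pre_backup_check DIR LISTFILE: run this before every backup. The first run
# only records a baseline. Later runs refuse (status 1) while files are
# missing and leave the old list in place, so the warning repeats until you
# restore the files or confirm the deletion with: snapshot DIR LISTFILE
pre_backup_check() {
    if [ ! -f "$2" ]; then snapshot "$1" "$2"; return 0; fi
    if missing_since "$2" "$1" >&2; then
        snapshot "$1" "$2"      # nothing vanished: pick up new files
        return 0
    fi
    echo "Files above are gone since the last backup; not updating $2" >&2
    return 1
}

# Typical use:  pre_backup_check ~/Documents ~/.last-backup-list && run-backup
# (run-backup stands for whatever starts your backup; it is a placeholder.)
```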
Why does Mozy do something that seems so wrong? I think I know.
In their free service Mozy offers 2GB of storage space to anyone who feels like asking for it. The less space someone uses, the better it is for them. In their paid service, Mozy offers unlimited storage for $55 per year. Here, too, the less space a customer uses the better it is for Mozy. In this context, it makes sense for them to delete as many files as possible. It's a natural outgrowth of their business model.
In contrast, Mozy's competitors charge more as their customers use more storage space. It's reasonable to assume that these companies make more money the more data they are storing. Thus, they are not motivated to delete files. In my opinion, you're better off using a company with this business model.
Mozy customers are, in effect, trying to get something for nothing with unlimited storage for only $55 per year. It's too good to be true.
I'm far from done. More tomorrow...
Update. February 9, 2008. In an attempt to generate commissions someone made a comment to this article suggesting that mozyonlinebackup.com offered impartial reviews. It does not. The site is run by John Pontillo of Fishkill, New York. That the links to Mozy look like
http://www.mozy.com/?ref=99999999&kbid=99999&m=9&i=99
is a giveaway of the true purpose of the site - generating commissions.
Today, July 10th, the web site of The Wall Street Journal is free, sponsored by Dell. Normally the vast majority of the site is available only to paying customers - of either the web site or the hard copy paper.
I mention this to draw attention to an editorial that appeared in the paper on July 3, 2007 entitled Google v. Microsoft.
Background
Windows Vista includes desktop search functionality out of the box and Google offers a free desktop search application that anyone can download from their web site and install. Google complained to Microsoft's antitrust regulators at the Justice Department that there isn't a level playing field when it comes to competition for Vista desktop search applications.
Mistakes
The editorial says
"Web-based applications like desktop search are increasingly central to Google's business prospects...".
The "web-based" description is off base. Desktop search is a desktop application and is not based on the Web. Google's own desktop search application can be installed and run just fine on a computer with no connection to the Internet.
At first I thought this might be just a typo. But the mistakes continued. Quoting again:
"In the original Clinton Administration case against Microsoft, the company was deemed a monopoly because it made 100% of operating systems called Windows..."
Yikes. By that logic, Apple is a monopoly because it makes 100% of the operating systems called OS X. And IBM was a monopoly way back when it made each copy of OS/2. And strike three:
"It is easy for a business with a superior service to peel away the customers of everyone else. That's what accounts for the success of Google's basic Internet search in the first place."
Google never pulled away a single "customer" back in its early days. It converted users of other search engines, such as Alta Vista and Hotbot. I see two differences between "customers" and "users".
For one, users of other search engines never paid for the service. Also, they had very little invested in Alta Vista and the other search engines. That is, there was pretty much no learning curve involved when switching from one search engine to another.
This is very different from say, the competition between Windows and the Mac OS X operating system. Switching involves paying a non-trivial amount of money to get a copy of OS X and a large learning curve to get proficient using both the new operating system and new application programs required to do the same work that was previously done under Windows.
Whatever the advantages of OS X may be, the cost of switching is huge, both in financial terms and time. Switching operating systems could not be more different from switching search engines. To quote myself:
"You don't read PC magazine for mutual fund advice and you shouldn't read the Wall Street Journal for computer advice."
When I said this in the past I was often referring to Walter Mossberg who, in my opinion, has on multiple occasions offered bad computer advice. But this editorial was written by someone who doesn't understand computers at all. It is more off base than Mr. Mossberg ever was.