New computers come with old software, a situation that, considering the recent slew of critical bug fixes, can be quite dangerous.
To illustrate just how old some of the software is, consider a new Windows XP machine that I got yesterday. The computer, a ThinkCentre A61 tower, was ordered from Lenovo on January 6, 2008. It was delivered to someone on January 16th, exactly who I'll never know. As I wrote about last month, UPS lost my computer. But that's another story.
I've got my new computer routine down pat at this point. First, I run a slew of hardware diagnostics, then I make a disk image backup. Next, I remove the pre-installed software that I don't want, followed by updating the pre-installed software that I'm keeping.
The first update is to Windows itself. I start by manually running Windows Update at www.update.microsoft.com. The Windows Update software is always old. Every new Windows XP computer I've touched required a couple of software updates to Windows Update itself before it would even start scanning for missing bug fixes (a.k.a. patches and updates).
The machine was missing 60 fixes to Windows XP. I installed them, re-booted and went back to Windows Update. Experience has shown that Windows Update is far from perfect. Running it a second time often reports a new bug fix that was either missed the first time or is needed because the first go-round installed buggy software. Sure enough, a custom scan shows the machine is missing the .NET Framework version 1.1 Service Pack 1.
After dealing with Windows, I tried the Adobe Flash tester page, which reported that Internet Explorer was using Flash version 7.0.68. This is a really old version of Flash (the latest is 9,0,115,0).
The other popular Adobe product, the Acrobat Reader, was the only reasonably recent software. That said, the pre-installed version, 8.1.0, is missing critical bug fixes, which makes it, too, a security risk.
At this point I turn to the online Secunia Software Inspector to see what other software is missing security patches.
In addition to the ancient version 7 of Flash, the machine also came with the downright pre-historic, and buggy, versions 4 and 6 pre-installed.
Java, too, was missing security fixes. Secunia reported that Java was at version 1.5.0_6, which was released about December 2005. The latest version of the 1.5.x family, version 1.5.0_14, is secure, according to Secunia. However, the current version of Java is 1.6.0_4. You can see which version you have at javatester.org.
Lenovo has their own version of Windows Update called ThinkVantage System Update that updates the software they pre-install. It also seems to update other software, but exactly what it targets is not at all clear from the supplied instructions. Just like Windows Update, the first update it finds is to itself.
After self-updating, ThinkVantage System Update finds about a dozen or so software updates, mostly to Lenovo applications. The number would have probably been larger, but I had already un-installed some of the Lenovo software. Interestingly, it offered to install the latest version of the Adobe Flash player, despite the fact that Internet Explorer was already using the latest version at this point, at least according to Adobe's Flash tester page. The updates I chose to accept were 422 megabytes.
Finally, the computer came with Picasa version 2 from Google. The first time I ran Picasa, it wanted to update itself to a newer version.
The hardware in a new computer may be new, but the software never is.
See a summary of all my Defensive Computing postings.
When it comes to antimalware software, the first decision any Windows user needs to make is whether to go with an integrated suite of software or pick and choose specific products, such as a firewall, antivirus, and antispyware software. If a suite came preinstalled, it's certainly a tempting option. Dealing with a single company and not having to install new software has obvious appeal. But I think it's the wrong way to go.
For one thing, the software suites can be complicated to use. Oftentimes they have been known to slow down the computer. And they cost money, whereas there are many free antivirus, antispyware, and firewall programs to choose from.
Plus, they may be overkill. In what has been called feature creep, they typically include many different types of protective software in addition to the baseline antivirus, antispyware, and firewall. This added complexity can negate the single product simplicity advantage.
Among the extras is antispam software that many people don't need, and a case can be made that fighting spam is a server-side thing, not something best done on your computer.
My colleague from The Personal Computer Show, Alfred Poor, has recommended against software suites many times on the show. He cites "bloatware" as the main reason:
"... the publisher piles on features not because they are practical or useful, but so that they can win the 'battle of the checkbox' where buyers go for the program with the most features. This leads to more software running in the background, which means a performance hit at the very least, and an increased chance of conflicts with other applications. My advice is to buy what you need, and no more."
Another big consideration is that, taken as a whole, software suites don't offer the best protection.
Leo Notenboom made this argument last week on his Ask-Leo Web site. Quoting from "How do I pick the right tools to protect my system?":
"Would a bundled application (all defenses in one) be necessarily more effective than several standalone products? In my fairly strong opinion, no. I base that primarily on the four+ years of problem reports and feedback that I've received here at Ask Leo!. It just seems that the combined suites cause more problems and miss more malware or security issues than a well chosen set of individual solutions."
Why don't the suites offer the best protection? Here too, I agree with Leo:
"My theory is that the suites start with a really good single product...in order to create a suite the manufacturer then buys or creates what I can only assume are second-rate additional components..."
The ZoneAlarm firewall is a case in point. I like the free firewall and would buy the commercial version for the additional features. But I can't; at least not without also buying either antispyware or antivirus software from CheckPoint. So I pass.
Interestingly, I disagree with Leo's recommendations for antivirus, antispyware, and firewall software. But even people who disagree on the specific choices agree that making specific choices is the way to go.
As for Alfred's point about bloatware, a comparison of the assorted software bundles offered by ZoneAlarm/CheckPoint shows no less than 16 types of defensive software included in the top-of-the-line product.
Another example of an antimalware product being assimilated into a suite comes from Eset.
In his newsletter/blog last week, Scot Finnie discussed the stand-alone NOD32 anti-virus program vs. their suite of anti-malware software called Eset Smart Security. As for the new version of NOD32, Scot writes "...my preliminary impression of Nod32 3.0...was quite positive. That product is available as a standalone upgrade to Nod32 2.7..."
But regarding the suite he says "I looked pretty extensively at Eset Smart Security in late beta, and I didn't think much of the firewall at all. Plus I have no use for Eset's antispam solution. So I am definitely recommending *against* the new $60 Eset Smart Security (ESS)."
Finally, a note from the school of hard knocks.
After reading some good reviews of F-Secure Anti-Virus a while back, I installed it on a couple machines. On one machine, when I later installed Spy Sweeper, the antispyware product from Webroot, I learned about an incompatibility with F-Secure Anti-Virus.
Another machine had the free ZoneAlarm firewall installed. When I tried to install F-Secure Anti-Virus, it complained about ZoneAlarm, basically saying it's either us or them. The F-Secure product would not install unless the ZoneAlarm firewall was removed.
What possible conflict could there be between an antivirus program and a firewall? My guess is that F-Secure had a single installation program for both their software suite and their standalone antivirus, and they hadn't customized the antivirus installation to not bother checking for firewall software. Just a hunch.
The debate over individual antimalware products will continue until Windows truly becomes secure. Until that day, fight assimilation and opt for standalone antimalware products.
As a computer nerd, I hold this truth to be self-evident:
All new software contains bugs and design flaws
Thus, from a defensive computing standpoint, the latest is never the greatest. Someone who depends on his or her computer, in a serious way, is always best served by avoiding software that has just been released. With that as a backdrop, here are some thoughts as to what this means to you, in terms of current software choices.
Mac OS X Leopard 10.5
For one thing, it means don't buy a Macintosh computer--at least not now. I have nothing against Apple or Macintosh computers. People whose opinion I trust who use both Macs and Windows all say Macs are better. Fine. But the newly released Leopard is too new to trust. If you can get a Mac with Tiger installed, fine.
With Leopard, Apple has shown it is a typical software company, meaning it can't be trusted to release reliable software. The initial version of Leopard seemed like a beta. Problems with two features in particular generated a lot of bad publicity--the firewall and the Time Machine backup program. Both are brand new and featured more than their share of bugs and design flaws. This is not to pick on Apple in particular; it is just the latest example of the self-evident truth about new software.
ZoneAlarm
I like the ZoneAlarm firewall and have been using it constantly for many years, despite griping about it. My gripes have decreased as the product has matured because the basic firewall has not been drastically overhauled.
ZoneAlarm (just the firewall, not the whole software suite) is now at version 7, specifically, the fourth release (7.0.408.000) of version 7. I mention the release number because ZoneLabs (the original company behind ZoneAlarm, which is now part of Check Point) also showed itself challenged at quality assurance. Every new version of ZoneAlarm was plagued with bugs to the point that my personal policy was not to upgrade from the prior to the new version until the third release of the new version. In the worst instance, a bug fix release came out a mere six days after a new version; in another case it was 10 days. I'm happy to miss out on some new features for a little while, so that other ZoneAlarm users can help the vendor debug the software.
Maturity
Apple was responsive with Leopard, issuing a slew of bug fixes only three weeks after its initial release. Microsoft never moves that fast.
And speaking of Microsoft, its latest operating system, Vista, is also too new. If you are buying a new Windows computer, you are better served with XP as opposed to Vista.
When is software sufficiently mature or debugged to be considered reasonably reliable (again from a Defensive Computing perspective)? Reasonable people can disagree; it's a matter of opinion.
Java version 1.5 may have looked mature and debugged after eight releases (version 1.5.0.8), but then came versions 1.5.0.9, 1.5.0.10, 1.5.0.11, 1.5.0.12, 1.5.0.13, and 1.5.0.14.
I don't have the experience with Macs to make an educated guess when Leopard might be ready for prime time. With Vista, I would wait either 2.5 years from its release date or until service pack 2, whichever comes last. And keep in mind that nothing is lost by waiting even longer, as many businesses will do.
My Vista opinion is more conservative than most. In part, it stems from the fact that Vista was a long time coming. Thus more is new about it, more new code and more design changes; both reasons to wait. Apple has unquestionably done a better job of managing its operating system development--shipping new versions of OS X often enough that the changes in each release are far less drastic than the changes between XP and Vista.
Office Software
When it comes to choosing Office software, I would again avoid the latest rendition from Microsoft, Office 2007.
The prior version, Office 2003, has four years of bug fixes applied to it, making it more stable. The prior version has a user interface that is an unofficial, grooved-in standard and uses a file format that is as mainstream as mainstream gets.
In contrast, the new Office 2007 has a new user interface that is very different from the one in Office 2003, 2002/XP, and previous versions. As with any interface change, some people will like the new interface and others won't. The design mistake that I see is that Microsoft forces the new interface on you; there is no option to fall back to the tried and true and familiar. They tried this with Internet Explorer 7 and eventually backtracked a bit and restored the menu bar.
Office 2007 also introduced a new file format, meaning that users have to tell it to use the old file formats if they want to exchange files with 98 percent of the computing world. If files are saved in the new formats, then people using older versions of Office can't read the files without installing additional software from Microsoft. Users of very old versions of Office are totally out of luck when it comes to the new file formats. Mac users running the Mac version of Office were also unable to handle the new file formats for the longest time. A purposeful zing at Apple perhaps?
Unquestionably, Office 2003 is the better choice when compared with Office 2007. Of course, Microsoft has stopped selling Office 2003. Thanks for nothing.
This leads to OpenOffice.org, which is a reasonable choice for Office software. For one thing, it's a mature product, now at version 2.3. Plus, it can read/write the old format of Office documents and uses the classic user interface. Plus, it's free. It has its quirks though, and is not as fully functional as Office, but it makes sense to try it first and, if it doesn't meet your needs, move on to something else.
If you get a new computer this holiday season, it's possible that your old one(s) may be more dependable.
P.S. If you know of a retailer still offering Office 2003 (for less than $450), please leave a comment below. Thanks.
Update: November 27, 2007. Fellow CNETer Rafe Needleman wrote a very similar story today - 6 upgrades that are downgrades. Regarding Vista, Rafe writes "The obvious number one product for this list. Vista is the new shiny operating system Microsoft released to replace Windows XP. Except it hasn't, because it's a poor upgrade. It's slower, bigger, and buggier."
The first part of this posting on dealing with software crashes covered preventing the leakage of personal information, portable applications, and controlling the programs that run automatically when Windows starts up. Here we look at dumps, event logs, and disk checking, but first, we pick up on the topic of drivers.
Driver Verifier
In Windows, the term "driver" refers to software used by the operating system to control the hardware in the computer. Each piece of hardware (sound, video, printer) has an associated driver program.
The last topic in the previous posting was an airplane analogy to illustrate the potential for problems with Windows drivers. They run alongside the most critical parts of Windows itself and a bug in the driver can crash Windows.
Considering this, it should come as no surprise that Microsoft has a utility program designed to weed out bugs in drivers. The program is called Driver Verifier, and it is included in all recent versions of Windows (Windows 2000 and later).
Driver Verifier does extra checking on the actions of drivers, while they are running, looking for potential problems. Think of it as super-debugging mode. Quoting Microsoft: "Driver Verifier monitors kernel-mode drivers and graphics drivers to detect illegal function calls or actions that might corrupt the system. It can subject the drivers to a variety of stresses and tests to find improper behavior."
I bring this up because it can be a useful thing for debugging. When working with a tech-support person, ask them if drivers are a possible cause of the software problem you are experiencing (video drivers were a suspect in the problem described in The Wall Street Journal story). If so, then ask if Driver Verifier would be helpful. If nothing else, use Driver Verifier to gauge the reaction of the person assisting you.
There is a performance cost to the extra error checking Windows does on the drivers being verified. If verification is turned on for all drivers, Windows may be noticeably slower. Hopefully, the tech-support person can limit the verifying to a small number of drivers.
But, every PC has a different set of drivers. Fortunately, Driver Verifier can list the installed drivers, their version number, and the company that produced them. To run it, open a Command Prompt window (aka DOS window) and type "verifier" without the quotes. You can then close the Command Prompt window. In Vista, a security dialog will ask for permission.
I suggest starting with the radio button that displays existing settings. If this is the first time Driver Verifier has been used, there should be no drivers listed in the right side of the resulting window.
This window also shows different types of tests that will all be set to "No" initially. Windows XP offers eight types of verification tests; Vista has a few more.
Click the back button, turn on the radio button to create standard settings, and then click the Next button. If you "Select driver names from a list," you can see all the installed drivers.
Unless you are a serious Windows techie, Driver Verifier does not produce any output that is of use to you. It is best used when working with assistance from professional tech support.
Minidumps
Another thing to look for when Windows software crashes is a minidump--a snapshot of the state of the system at the time of the failure.
Dumps can be invaluable to a tech-support person. I spent many years doing technical support and can attest that verbal descriptions of a problem over the phone are not much to go on. Dumps and event logs (the next topic) give a picture of the problem that no person can.
Windows dumps are only useful to someone familiar with the internal working of the operating system. Normal users can't even look at the contents of a dump, because Windows does not include the necessary program (Dumpchk.exe) to format it.
Minidumps are small (88K) so sending them to tech support should not be a problem. If you're not asked to look for, or provide, a dump, it would make me wonder how capable the support person is.
By default, Windows XP writes dumps to folder C:\WINDOWS\Minidump. If this folder is empty on your computer, consider yourself lucky.
You can control a number of dump-related options. To do so in Windows XP, start at the Control Panel, then System, then the Advanced tab, and finally click on the Settings button in the start-up and recovery section.
In the system failure section (the bottom half of the resulting window, shown above), I suggest enabling the option to write an event to the system log and turning off the option of automatic restart.
In the write debugging information section, "small memory dump 64K" is the default and should be fine. Only if a tech-support person says this small/minidump doesn't provide enough information would I choose one of the other options.
The small dump directory defaults to %SystemRoot%\Minidump, which normally translates to C:\WINDOWS\Minidump. There is no need to change it.
Minidumps have a file type of .DMP. The format of the filename is MiniMMDDYY-99 where the last two numbers are a sequence number. For example, Mini110407-01.dmp is the first dump taken on November 4, 2007.
Event Logs
Event logs provide a history of problems and thus can be very helpful in debugging software problems.
To look at the event logs in Windows XP, start at the Control Panel, select Administrative Tools, then Event Viewer. There are at least three different logs: Application, Security, and System. Each log is a separate file. To determine the filename and location, right-click on the name of the log, get the Properties, and look for the "Log name." By default, the Application, Security, and System log files are respectively:
C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\System32\config\SecEvent.Evt
C:\WINDOWS\system32\config\SysEvent.Evt
A tech-support person should be interested in some, if not all of these files. Event logs shouldn't be that big; in XP they max out at 512K by default.
Check Disk
A corrupted file system may play a part in any software failure. One of the first steps to take when dealing with a software crash should be to run the Windows Check Disk utility.
To do so, open My Computer and get the properties of the C disk. Then go to the Tools tab and click on the Check Now button. This opens a window with two Check Disk options; I suggest turning on both options. When you click the Start button, Windows will say it can't check a disk that's in use and ask if you want to schedule the checking for the next restart. Say yes and then restart Windows.
Checking a disk can take a long time and Windows does not stop when it's done to let you view any messages. But there is no need to watch the thing run since a summary of the disk checking is written to the Application log. Just after Windows starts up, look at the top of the Application log (where the most recent events should be) for an event with a source of "Winlogon" and a type of "Information." Double-click on it to see the results of the disk check. In my experience, minor inconsistencies are the rule rather than the exception.
May your Minidump folder be forever empty.
Software crashes all too often, and since misery loves company, computer users often swap horror stories. Back on Halloween, Lee Gomes did so publicly in the Wall Street Journal. His problem was with the Adobe Premiere Pro, a video editing program and, while I found it interesting, the article didn't offer advice for avoiding or dealing with software crashes. That's what I hope to do here. First though, defending your privacy.
ERROR REPORTING
When applications crash, a window often pops up asking if you want to report the problem to Microsoft. Gomes writes that the Microsoft employees who get these crash reports are "scrupulous ... about respecting user privacy". Perhaps, but the last company I would trust with personal information is Microsoft (just behind Marshalls and TJ Maxx). What's the connection between failed software and personal privacy?
Suppose Word crashes while you are working on a document that you don't want others to see. It's safe to say that pieces of that document are included in the information about the error that's sent to Microsoft. And it is possible, though I don't know how likely, that information from other running programs may also be included.
While just saying no, when asked about reporting the error to Microsoft, is easy enough, it's also easily forgotten. Fortunately, you can configure Windows to never report software failures to Microsoft by turning off the error reporting feature. In Windows XP this is done with:
Control Panel -> System -> Advanced tab -> Error Reporting button
I suggest disabling error reporting but still getting notified of critical errors.
CONFLICTS
The root cause of the problem in the article was all too common: a conflict with other software installed on the computer. Apparently the other software had mis-labeled something and "that slip-up cascaded throughout Windows...".
It doesn't have to be this way. In a perfect world, each application would be isolated from other applications.
Getting to this ideal is one of the reasons for the popularity of virtualization. For example, important applications can be run inside a virtual copy of the operating system and be the only software installed in that instance of the operating system. Virtualization software lets you run multiple operating systems concurrently on a single computer, so if need be a single machine can run multiple applications with no chance of their stepping on each other's toes. Another option, often used with servers, is to limit one computer to a single application. Both are non-trivial steps to take, but when the application is important enough it makes sense.
There is also software, such as Thinstall, to virtualize a single application rather than the entire operating system. Here too, the idea is to isolate an application from the proverbial other kids in the sandbox that may not play well together.
The simplest way, however, to get application isolation is to use portable applications.
The name portable derives from the fact that the application can be run in any instance of its supported operating system(s) without being formally installed. A portable program designed for Windows XP, for example, will run on any copy of Windows XP and from any disk drive letter, but the portability does not, in and of itself, imply that it will also work on Vista or Windows 2000.
The classic use of portable applications is to run them off a USB thumb drive, but they work just as well running off the C disk. I do this all the time. Whenever possible, I prefer to use portable applications (see this about portable Thunderbird).
An excellent source of portable applications is John T. Haller's portableapps.com. The interesting thing about this site is that Mr. Haller converts applications that were not designed to be portable in the first place. Some applications are portable even though they may not be described as such on their web site. For example, I often use the free EditPad Lite text editor from Just Great Software, which is not touted as being portable but is nonetheless. The same is true of the free, open source AbiWord word processor. (Both are also available at download.com: AbiWord, EditPad Lite.)
AUTOMATICALLY RUN PROGRAMS
Complexity is at the heart of many software failures and, as the article pointed out, the complexity of Windows is frequently added to by a whole host of programs that insist on automatically running when Windows starts up. Auto-started programs are a long-standing problem because:
- They make Windows start up slower
- They make it more likely that Windows will fail to start up
- They consume RAM and processor resources
- The more programs running in the background, the more that can go wrong
Windows XP has a built-in function (MSCONFIG) for controlling the programs that run automatically at startup time, but it's poorly designed. I am a big fan of a free program called Startup Control Panel, by Mike Lin. I install it on every computer I work on, feel lost without it and have never had it cause a problem.
Both programs display a checkbox next to each auto-started program, and you control whether a given program will be auto-started the next time Windows boots by simply checking or unchecking the box. That's where the similarity ends, though: Startup Control Panel is easier to use than MSCONFIG and more complete in its reporting.
For one thing, it's easier to find. Whereas MSCONFIG is one of those things you have to know about to run, Startup Control Panel creates a Startup icon in the Control Panel, just where a function like this logically belongs. Also, after modifying the list of auto-started programs it doesn't produce a confusing warning window the next time Windows starts up.
Windows has many different lists of programs to run automatically and Startup Control Panel shows five of those lists, each in its own tab. As for completeness, MSCONFIG shows 11 programs that are auto-started by Windows on the computer I'm writing this on. Startup Control Panel shows 36.
There are two versions of Startup Control Panel. The normally installed version creates an icon in the Control Panel; the standalone version does not need to be installed. The advantage of the standalone version is that it's portable: the program is a single EXE file. The advantage of the installed version is that it's easy to find in the Control Panel (except that you have to use Classic View).
At download.com the Editor's review gave it only three stars; I would have rated it higher. Voters there agree: it is rated 4.5 stars (out of 5) by 229 CNET users.
Startup Control Panel works with Windows 95, 98, ME, NT4, 2000 and XP. According to the author it is not needed in Vista: "Windows Vista, after all these years, finally has a very good startup manager built-in; go to Control Panel > Performance Information and Tools, and then click on Manage Startup Programs on the left."
AUTORUNS
While Startup Control Panel is great for non-techies, us nerds are better served by another free program, Autoruns. Originally developed by Mark Russinovich and Bryce Cogswell of Sysinternals, the program is now available from Microsoft, which purchased Sysinternals a while back.
Autoruns is even more complete than Startup Control Panel. According to the author it has "the most comprehensive knowledge of auto-starting locations of any startup monitor..." It's so complete as to be intimidating if you're not familiar with things like Explorer shell extensions, browser helper objects and Winlogon notifications.
There are two types of auto-started programs in Windows and both MSCONFIG and Startup Control Panel only show one type. The other type, services, is included in Autoruns. Its extensive list of auto-started programs can be pared down by opting to Hide Signed Microsoft Entries (under Options on the menu bar).
Autoruns has been helpful to me in tracking down assorted malicious software. The bad guys want their software to run automatically when Windows starts up, so Autoruns is bound to have an entry for it. In addition, it has shown some auto-loaded drivers that make for interesting stories that I'll discuss in future postings.
Autoruns is portable and works with all versions of Windows.
FIRST CLASS
When Windows crashes with the infamous Blue Screen of Death (BSOD) the offending program may not have been written by Microsoft.
Windows is internally structured like an airplane with first class and coach sections. The applications we use on a daily basis sit in, and are restricted to, coach. First class is where the guts of Windows (referred to as the kernel) sits. But anyone with enough money can get a first class ticket.
To illustrate, software from Andrea Electronics, Meetinghouse Data Communications, Atmel Inc, Analog Devices, Conexant Systems, Parallel Technologies and UPEK Inc. is sitting in first class on the computer I'm using to write this. Technically, these companies wrote driver software, as did three other companies that refused to identify themselves at all.
Once you're in first class you can wander around anywhere. Driver programs, from these companies and others, can thus muck up any part of Windows. And many of them have.
How often is Microsoft at fault when Windows crashes? According to Mr. Gomes, they know, but won't say. That tells me two things: 1) it's often their fault and 2) it's nice to be a monopoly.
Part 2 covers Driver Verifier (a utility built into Windows for debugging drivers), dumps, event logs and disk checking.
November 14, 2007: Updated to reflect the topics in Part 2.
November 9, 2007: Updated to reflect the two different versions of Startup Control Panel.
My last posting described a situation in which the Java programming language knowingly produces wrong results. In the example I gave, Java added two positive numbers, produced a negative result and didn't consider it an error. Specifically:
2,111,000,333
+ 1,000,222,333
---------------
-1,183,744,630
I write this blog for a general audience, so I opted to leave out the technical details of how and why this happens. But, if you're not a computer programmer (the official term now being "developer") it may be inconceivable that a programming language can't do addition. Here, in a brief detour into nerdville, I'll try to explain it.
You can think of the problem as two pounds of baloney in a one pound bag (the reference being to an episode of the Honeymooners where Ralph gets stuck between two large pipes).
There are two types of programming languages, typed and non-typed. In a typed language, such as Java, programmers are required to specify data types for each variable. The numbers in the example were assigned to the "int" (short for integer) data type (the actual Java code is in the prior posting).
A number of the "int" type in Java can range from -2,147,483,648 up to 2,147,483,647. Another type, called "short" is used for integers up to 32,767. Smaller integer numbers can be assigned to the "byte" type which maxes out at 127. See Primitive Data Types for more.
Java stores "int" variables using 32 binary digits (bits). A binary digit is either a zero or a one. Everything to do with computers boils down to a bunch of bits at the lowest level.
The leftmost bit of a Java "int" variable represents the sign; the remaining 31 bits are the number itself. If the leftmost bit is zero, the number is positive; if it's a one, the number is negative. To illustrate, this is what a positive three and a negative three look like.
positive three: 00000000000000000000000000000011
negative three: 11111111111111111111111111111101
For the sake of simplicity, we can ignore the details of how negative numbers are represented, other than the fact that they start with a one bit.
At this point you can see that the mistake Java makes is easily detectable. If you add two "int" type numbers where the bit on the left is zero, then the result must also have a zero in the leftmost bit. At least the correct result has a zero there. If you add two positive numbers the result is also positive.
Where exactly did Java go wrong?
In the decimal number system the largest value that fits in three digits is 999, which is also 10 to the 3rd power minus one. The same formula applies to the binary number system. The largest value that fits in 31 binary digits is 2 raised to the 31st power minus one.
You can see this using the calculator built into Windows. Change the view from standard to scientific. It's helpful to also turn on digit grouping, another option under the View menu.
Click on 2, then the pink x-to-the-power-y button, 31, and equals. Subtracting one yields the largest possible integer in a Java "int" variable: 2,147,483,647.
Now click the Bin (for binary) radio button. The calculator shows 31 binary digits, all ones (see above). This is the binary equivalent of all 9s in the decimal number system.
To see the two pounds of baloney in the one pound bag, add one to this binary number.
Much like adding 1 to 99 results in 100 (an extra digit is needed and the low order digits are all zero), this results in a number that needs an extra binary digit on the left, and the remaining binary digits are all zero.
This is where Java goes wrong. While it does the addition exactly like the Windows calculator, it then maps the result back to the "int" data type. Thus, it considers this sequence of bits a negative number because the bit on the left is a one.
In other words, Java adds the two numbers as if they were 32 bit numbers. But they are not, they are 31 bit numbers with a sign bit on the left. Oops.
This is Java addition at the breaking point:
2,147,483,647
+ 1
----------------
-2,147,483,648
You can see this dynamically at the Inner Int Java Applet by Bill Venners, author of Inside the Java Virtual Machine.
To be clear, this is a Java issue. The results are the same on Windows, Linux, Mac OS X and the many other operating systems that provide a Java Runtime Environment (JRE).
What was the mindset when Java was being developed that thought returning wrong results was better than raising an error condition? Java treats division by zero as an error, but willingly allows integers to overflow such that you can add two positive numbers and get a negative result.
At the very least, computers should be able to compute.
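The leftmost-bit check described above, written out in Java as an added example (it is not code from the original posting): `wrappingAdd` reproduces the silent wrong answer, `overflowed` applies the sign-bit rule, generalized here to negative operands as well, and `checkedAdd` raises an error instead. The class and method names are illustrative; `Math.addExact` is the standard-library equivalent in Java 8 and later.

```java
// Added example (not the blog author's code): Java's silent int wrap-around,
// the sign-bit check described in the text, and a checked add that raises an error.
public class IntOverflowDemo {

    /** Plain Java addition: the result is silently truncated to 32 bits. */
    static int wrappingAdd(int a, int b) {
        return a + b;
    }

    /**
     * Sign-bit rule from the text, generalized to negative operands:
     * overflow occurred when both operands have the same leftmost bit
     * and the result's leftmost bit differs from it.
     */
    static boolean overflowed(int a, int b, int sum) {
        // (a ^ sum) has its top bit set when a and sum differ in sign; same for b.
        return ((a ^ sum) & (b ^ sum)) < 0;
    }

    /** Addition that raises an error instead of returning a wrong result. */
    static int checkedAdd(int a, int b) {
        int sum = a + b;
        if (overflowed(a, b, sum)) {
            throw new ArithmeticException("int overflow: " + a + " + " + b);
        }
        return sum;
    }

    /** 32-character binary rendering, leftmost bit first. */
    static String bits(int v) {
        return String.format("%32s", Integer.toBinaryString(v)).replace(' ', '0');
    }

    public static void main(String[] args) {
        int[][] cases = {
            {2111000333, 1000222333},   // the sum from the earlier posting
            {Integer.MAX_VALUE, 1},     // the breaking point
            {Integer.MIN_VALUE, -1},    // same failure in the negative direction
            {3, -3},                    // mixed signs can never overflow
            {1000, 2000},               // ordinary in-range addition
        };
        for (int[] c : cases) {
            int a = c[0], b = c[1];
            int wrapped = wrappingAdd(a, b);
            long exact = (long) a + b;  // 64-bit arithmetic holds the true sum
            System.out.printf("%,d + %,d%n", a, b);
            System.out.printf("  int result : %,d  [%s]%n", wrapped, bits(wrapped));
            System.out.printf("  true sum   : %,d%n", exact);
            try {
                System.out.printf("  checkedAdd : %,d%n", checkedAdd(a, b));
            } catch (ArithmeticException e) {
                System.out.printf("  checkedAdd : rejected (%s)%n", e.getMessage());
            }
            try {
                // Math.addExact (Java 8+) performs the same check in the standard library.
                System.out.printf("  addExact   : %,d%n", Math.addExact(a, b));
            } catch (ArithmeticException e) {
                System.out.printf("  addExact   : rejected (%s)%n", e.getMessage());
            }
        }
    }
}
```

Widening to `long` before adding, as the `exact` line does, is the other common defense when the operands are known to be `int` values and the true sum is what matters.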
One of the advantages of Apple Macintosh computers is that simply by not being Windows, they are immune to the plague of malware (malicious software) that constantly strikes at Windows based machines. Linux has this advantage too, plus it's cheaper. A computer running Linux can cost around a fifth as much as a Mac (more on this later).
The classic knock on Linux, when compared to Windows and Macs, has always been that it was harder to use, and indeed it was. But release after release it kept getting easier. How easy is it, now, for a Windows user to move to Linux? According to one blogger, it's easy enough for his mother. See Why My Mom Can Use Ubuntu.
My consulting practice puts me in contact with people with little computer experience, some who struggle just to use Windows, let alone deal with the care and feeding of anti-virus and anti-spyware software. Linux offers the opportunity to use an operating system where the user doesn't need to deal with anti-anything software.
Another advantage that Linux has over a Macintosh is that many versions ("distro" is the nerd term) can run from a bootable CD. That is, you can run Linux on a computer that doesn't even have a hard drive. For one of my clients, a couple of senior citizens, this was just what the doctor ordered.
I was called because their copy of Windows 2000 was terribly infected with malware. But the machine was old, and since removing malware can be a time consuming and ultimately fruitless endeavor, we opted not to bother. Buying a new computer, however, takes time and they really needed email. Linux to the rescue.
Like any good computer nerd, I travel with a Linux Live CD (a copy of Linux on a bootable CD) in my little black bag. After booting their machine using Knoppix all that was needed was a quick introduction to Firefox. They were familiar with webmail, so Firefox was all they needed. Knoppix never had a problem automatically detecting their broadband modem and connecting to the Internet. To my amazement, they chose to live with Knoppix for months before eventually buying a new Windows computer.
Installing
There is, however, a big difference between using Linux and its initial setup, which can be much too difficult.
For example, I recently installed Ubuntu Linux on a computer connected to a KVM switch. The switch probably got in the way of Ubuntu detecting the monitor and the system booted using a 640x480 screen resolution. Making matters worse, the GUI interface wouldn't change the resolution. I searched around the Internet for solutions but found nothing simple enough for a non-Linux expert (me) to deal with.
The mom in the story got her computer with Ubuntu Linux pre-configured by someone expert enough in the matter who "... set up the few codecs, a proprietary video driver, a quick EasyUbuntu...". Not to mention installing mom's printer, software to replace Microsoft Publisher and, hopefully, a firewall.
But once it's installed, the learning curve going from Windows XP to Linux is probably about the same as going from Windows XP to Vista. Ironically, the time and effort Microsoft put into the Vista user interface just plays into the hands of Apple and Linux.
20 Percent
My earlier claim that Linux can cost 20% as much as a Macintosh, assumes not only getting the operating system for free, but also running it on an old computer. The ability to run on a wide variety of hardware is a big advantage of Linux compared to Macs.
At what passes for press time in the blogging world, CompGeeks.com was selling a refurbished IBM NetVista desktop computer with a Pentium 4 processor running at 1.8GHz, 512 megabytes of RAM, a 40 gigabyte hard drive and no operating system for $105 (plus tax and shipping). It can't read DVDs and the USB ports are probably version 1, but it's capable of running a current version of Linux. In all, CompGeeks is selling twenty seven Pentium 4 based machines for under $200. This is not an endorsement of CompGeeks. I'm just using them as an example of a retailer selling old, refurbished computers capable of running Linux.
If you feel more comfortable dealing with a major computer manufacturer, the clearance section of HP's website offers refurbished machines with a one year warranty. Today they offered a handful of HP DX2250 machines for under $300. For example, a machine with 512 megabytes of ram and an 80 gigabyte hard drive could have been had for $223 (plus tax and shipping).
Software
Finding software for a new operating system that is equivalent to the software you already use, is obviously critical to any changeover. Some obvious Linux choices are Firefox for web browsing, Thunderbird for email and Open Office for word processing, spreadsheets, drawing, presentations and database. Adobe has a version of their Acrobat Reader for Linux. They also offer Flash v9, but it is only supported on two versions of Linux. All this software is free.
For the more adventurous, some Windows applications can be run directly on Linux. The first time I tried this it seemed like magic. Just today I learned of the free IEs 4 Linux which lets you run Internet Explorer version 6 on Linux, for the few websites that require IE. Wine is a step up, it lets you run dozens of Windows applications on Linux. Wine is included in some versions of Linux, but it can always be downloaded and installed if need be. Wine is free, and forms the foundation for the commercial Crossover Office which specializes in running Microsoft Office under Linux.
But what if you (or your mother) needs to run a Windows program that is not supported by Wine or Crossover Office?
A big plus for the new Intel based Macs is that they can run both the Mac OS X and Windows side by side using virtual machine software from either Parallels or VMware. This lets you run any Windows application on a Macintosh. Linux can do this too.
Today, VMware sells Fusion for the Mac for $60, but a $20 mail-in rebate reduces that, eventually, to $40. Parallels sells their Mac based virtual machine program (Parallels Desktop 3.0 for Mac) for $80.
Linux users have two very different choices. They can get the free VMware player to run existing virtual machines, but, unlike the Mac products, the VMware player can not create new virtual machines. For this, VMware offers their full featured Workstation product. However, VMware Workstation is expensive ($190 to download, $210 in a box) and the intended audience is techies.
Running virtual machines under Linux requires additional horsepower and likely rules out the cheap computers mentioned above. VMware says their Workstation product only needs 512 megabytes of RAM, but doubling this is probably the better way to go.
Downside
If you're going to move your mother off Windows, be aware that the big downside to Linux is technical support. This is an area where Apple excels, their technical support is constantly rated the best in the industry. Free versions of Linux, like all free software, come without technical support.
If your mom doesn't know a computer nerd, she can opt for a commercial version of Linux (typically selling for $50 to $100) that includes tech support. Or, you can buy her a computer with Linux pre-installed.
If you want to learn more, there is a Linux vs. Windows comparison on my personal web site.
Update: October 7, 2007. Major revision to the software topic.
Many people love iTunes, but installing the software on a Windows computer that you depend on is a mistake, from a Defensive Computing standpoint. I say this for two reasons. For one, iTunes is a large complex program and installing any such program is risky, Windows being what it is. In addition, iTunes includes QuickTime, which has been fraught with security bugs. And personally speaking, the fact that I must use iTunes to play music purchased from Apple, rules the whole system out for me.
So, when I heard about Amazon's new MP3 Download store selling normal, ordinary, plain vanilla MP3 songs, I tried it out. The "store" is in beta though, and it shows.
The good news is that I did end up with a couple non-copy-protected MP3 songs. The bad news is that Amazon expects you to install software.
Any time you install software on a Windows machine, there's a risk, one larger than many people realize. So, defensively speaking, I always prefer not to install software. Especially beta software. Then too, if you're using a computer that belongs to your employer, it may be against the rules, or impossible, to install software.
So, I didn't install Amazon's "MP3 Downloader" software, and found my shopping options limited. The most glaring limitation is that without the software you can't purchase an album--all you can do is purchase individual songs. And, if you're looking at a list of songs in an album (or any list of songs for that matter) you can't purchase multiple songs at the same time. Purchasing three songs, for example, requires three different transactions.
User experience
When I first entered the MP3 store, I was greeted with "Hello, Michael Horowitz. We have MP3 Downloads Recommendations for you." But, clicking on the link resulted in: "Sorry, we have no recommendations for you in this category today." Such is beta software.
Initially, I wanted to purchase songs from a particular rock group, and finding the group was easy enough. But they have been performing for years and their portfolio of songs numbers 412. Navigating through these 412 songs was brutally cumbersome.
One of the songs I wanted had an original version from 1971, a remastered version from 2001 and a host of live recordings. I would have happily purchased a studio and a live version, but Amazon works against you here. You can't list the songs in alphabetical sequence--which is needed to sample each rendition and pick a favorite or two. The only possible sort sequences are "best selling" and price, which means endless paging back and forth to find all the instances of a song. Fuggedaboutit.
To get around this, I tried limiting the list to just one song, but this isn't possible. If, for example, you search for "teacher" you get songs with the word teacher anywhere in their name, not just those named simply teacher. In addition, you get artists such as the Moravian Teachers Choir and albums with the word teacher in their title.
Then it occurred to me not to search "MP3 Downloads" (it's the default) but rather to search "Song Titles". Alas, beta software being what it is, this returned many songs without "teacher" anywhere in their name. And, as you might have guessed by now, searching for "teacher" within Album Titles returned all the albums by the Moravian Teachers Choir, regardless of the album title.
To find a single song, the closest you can come is to search for both the artist and the song title. If, however, the song title is also an album title, the search results include all the songs from the album.
Dangerous design decision
To close on a defensive note, the process of purchasing an individual song was too easy. By this I mean that after clicking the "Buy MP3" button for a song, I purchased the song without having to enter my Amazon user ID and password, let alone a credit card number. This was a first for me--all the many Amazon purchases I've made over the years required entering at least a user ID and password.
The danger here, of course, is that anyone can walk up to your unattended or unlocked computer and buy music charged to you. If you have an Amazon.com account, you may want to log off whenever you're done making purchases. To do so, go to the Amazon home page and near the top where it says "(If you're not Michael Horowitz, click here)" click there. The price of security is always inconvenience.
Update: October 2, 2007. For more on the issue of making purchases at Amazon without having to enter a password, see Defensively shopping at amazon.com
Update: October 8, 2007. Brian Krebs in the Washington Post wrote about a new set of bug fixes for QuickTime. See QuickTime Security Update for Windows. Defensively speaking, I wouldn't install QuickTime on a computer used for important work.
There is only one email program for Windows users. No, I haven't lost my mind, and yes Windows users can choose from many client side email programs. But this is a Defensive Computing blog and speaking defensively, that is, with the hope of avoiding problems in the future, there is only one choice when it comes to email programs (webmail is another topic entirely - if you use webmail exclusively you can stop reading here).
Outlook
Outlook is out because it stores all your email in a single file. You don't need to be a techie/nerd to know how dangerous it is to have all your eggs in one basket. A single bad hard disk sector will suck up your time, money and/or email. And because the basket can get very large, backing it up is a pain. Not to mention it's expensive (OK, I did mention it).
Outlook Express
Outlook Express starts with two big advantages, it's free and pre-installed in Windows XP and earlier versions of Windows. And it stores each folder as a separate file, avoiding the big Outlook design flaw. I never liked it, in part because it uses Internet Explorer to display HTML formatted email and thus inherits the security problems of IE. But don't rule it out for this reason alone.
A few days ago, Leo Notenboom wrote that Outlook Express is dead. At his Ask-Leo website someone asked about un-installing and re-installing Outlook Express, a classic tactic for a problematic application. No can do. Quoting Leo: "With the introduction of Internet Explorer 7, Outlook Express has apparently been put out to pasture, at least if you're on Windows XP."
There never was a standalone download of Outlook Express, it was always married to IE5 and IE6. When you updated Internet Explorer, you also updated Outlook Express, like it or not. With the introduction of IE7, Outlook Express was thrown overboard, it's no longer included with the browser.
Thus, if you're currently using Outlook Express on Windows XP, or an earlier version of Windows, you'd better hope it doesn't start acting up. Leo describes a number of ways to try and fix a broken copy of Outlook Express, but none are mainstream operations (I suggest reading the article to see if the fixes are things you're comfortable doing). And his suggested fixes are all Windows things, not Outlook Express things. In my opinion, you're better off using an email program that is not an integral part of the operating system.
Windows Mail
Windows Mail is the replacement for Outlook Express in Vista (it only runs in Vista). According to Leo, there is no stand-alone download of Windows Mail, so it too can't be easily un-installed and re-installed and is, perhaps, too much a part of the operating system. Also, it's new and thus likely to be buggy.
Windows Live Mail
Leo Notenboom updated his posting September 1st to include Windows Live Mail, an email program that neither he nor I was aware of. It's a new version of Outlook Express that runs on both Vista and XP with Service Pack 2.
First off, I can't believe the name. Microsoft learned nothing from the confusion they caused non-techies by similarly naming two totally different email programs (Outlook and Outlook Express). My guess is that it will eventually be referred to as Live Mail, both because the "Windows" is superfluous and to help differentiate it from the Vista-only program (which they should have called Vista Mail).
Whatever its name, the software is in beta, so the jury is still out. Except, that is, when choosing defensively. Beta software is out of the question when it comes to applications that really matter to you.
Thunderbird
I recommend Thunderbird from Mozilla, the same organization behind Firefox. According to Leo Notenboom "Thunderbird is free, fairly similar to OE to use, and actually somewhat more powerful. It's free, downloadable, it's being updated, works on Windows XP and Vista as well as the Mac and Linux, and there are many add-ons available for it."
To this I'll add that Thunderbird, like Firefox, is very good about updating itself with bug fixes. Keeping your applications up to date is a great defense against malicious software. And since Thunderbird does not use Internet Explorer under the covers to display HTML formatted email, it's safer still.
The safety provided by Thunderbird comes at virtually no cost. Not only is the software free, but it's easy to use. I say that not based on my own use of the program but based on the reaction of many of my non-techie clients.
You can download Thunderbird from Mozilla or from download.com where the Editor's review gave it 5 stars (out of 5) and where 511 users (as of September 1, 2007) rated it 4.5 stars.
Eudora
Eudora is liked by many techies but it's in transition and thus I'd be wary of trusting it with my email. The official website says "The Paid mode commercial versions of Eudora are no longer available as of May 1st, 2007. The Sponsored mode versions of Eudora continue to be available for download. An open source version of Eudora® is being developed by Mozilla and will be free of charge."
To translate, "sponsored mode" refers to a free ad-supported version. While free is good, abandoned is not. The new open source version of Eudora is called Penelope and the first beta was released August 31, 2007. Any brand new software is likely to be buggy for a while. I'll pass.
Lotus Notes
Perhaps the most hated email program to ever walk the face of the earth.
Updated September 1, 2007: Added Lotus Notes, Windows Live Mail, link to download.com for Thunderbird and Penelope.
Earlier I had a trilogy of postings about DropMyRights (Part 1, Part 2 and Part 3) that included the warning to run Microsoft Office applications in restricted mode in case a file (Word document, Excel spreadsheet, etc.) carried a virus or some other type of malicious software.
But what do you do if a Word document or Excel spreadsheet doesn't display or work properly when the application is run in restricted mode? A decision needs to be made whether to trust the file and open it in unrestricted mode.
If the file was sent to you by e-mail, you'll no doubt be tempted to judge it based on the person who sent the message. Don't.
For one thing, you can't trust that the reported sender of an e-mail message is the actual sender. It is trivially easy to forge the From address in an e-mail message. And even if the message really did come from the person in the From address, and you trust that person, you still should not assume the file is safe. The sender's computer could be infected with malicious software that sent the e-mail message on its own, without human involvement. But what if the trusted person actually sent the file on purpose? It still could be infected with malware without him or her knowing it.
What to do?
The safest thing, of course, is to delete the file. But if you want or need to use it, then I suggest using the Virus Total and/or Jotti Web sites. Each site lets you upload a file to be scanned by multiple antivirus programs.
The last time I used Virus Total, a free service from Hispasec Sistemas, it scanned my suspicious file with 29 different programs. The list included popular antivirus software from Symantec, Kaspersky and Clam, some less well-known products such as NOD32, Avast and Panda, and a host of products that I had never heard of such as DrWeb, Ikarus and TheHacker. That's the good news.
The bad news is that there probably won't be a consensus opinion. Each time I submitted something suspicious to Virus Total, the results were all over the map. For example, in this screenshot from July 10, you can see that 7 of the 29 programs felt the file was malicious. Democracy is great in other contexts, but here, I'd rather be safe than sorry.





