May 27, 2008 9:00 PM PDT

Fraud ruling against Dell validates years of gripes

by Michael Horowitz

In December of 2002, I started a page on my Computer Gripes site devoted to Dell.

Accumulating gripes about Dell was like taking candy from a baby; there was no sport in it. Eventually, I gave up maintaining the page, but despite a total lack of advertising or promotion, people kept finding the page and adding their own gripes.

Now these Dell gripes are official.

The Office of New York State Attorney General Andrew Cuomo won a lawsuit on Tuesday against Dell and affiliate company Dell Financial Services (DFS). The illegal activity involved both computers and finance. According to a government statement, "Dell and DFS engaged in fraud, false advertising, deceptive business practices, and abusive debt collection practices." Wow.

The Associated Press reports that the attorney general's office had 700 complaints when the lawsuit was filed and has received more than 1,000 since. And that's just in New York.

"For too long at Dell," Cuomo was quoted as saying, "the promise of customer service was a bait and switch that left thousands of people paying for essentially no service at all."

State Supreme Court Justice Joseph C. Teresi, who made the ruling, said, "Dell has engaged in repeated misleading, deceptive, and unlawful business conduct, including false and deceptive advertising of financing promotions and the terms of warranties, fraudulent, misleading, and deceptive practices in credit financing, and failure to provide warranty service and rebates."

On the computer side, the decision says (the bullet points below are taken directly from the official statement) that customers were deprived of warranty tech support by Dell:

  • Repeatedly failing to provide timely on-site repair to consumers who purchased service contracts promising "on-site" and expedited service;
  • Pressuring consumers, including those who purchased service contracts promising "on-site" repair, to remove the external cover of their computer and remove, reinstall, and manipulate hardware components;
  • Discouraging consumers from seeking technical support; those who called Dell's toll-free number were subjected to long wait times, repeated transfers, and frequent disconnections; and
  • Failing to provide rebates that were promised to consumers.

On the financial side, Justice Teresi concluded that "Dell lured consumers to purchase its products with advertisements that offered attractive 'no interest' and/or 'no payment' financing promotions. In practice, however, the vast majority of consumers, even those with very good credit scores, were denied these deals. In a classic 'bait and switch' scheme, DFS instead offered consumers financing at high interest rates, which often exceeded 20 percent. Dell and DFS frequently failed to clearly inform these consumers that they had not qualified for the promotional terms, leaving many to unwittingly finance their purchase at high interest rates."

The response from Dell, besides disagreeing with the ruling, was that not many people complained. The same AP story quotes a Dell representative, who says, "We are confident that when the proceedings are finally completed, the court will determine that only a relatively small number of customers have been affected," and it reports earlier statements by Dell that the company "had 6 million transactions in New York between 2003 and 2006, with alleged complaints representing only a tiny fraction."

To help draw your own conclusion, read the original decision and order (PDF).

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing
January 6, 2008 3:28 PM PST

Black eyes for Adobe

by Michael Horowitz

On December 22, I wrote about problems updating the Flash player in Firefox, where I mentioned that the Adobe un-installer program for the Flash player does not always un-install the Firefox plug-in DLL version of the Flash player. Simply put, Adobe is not aware of all the places that Firefox looks to find the Flash player. The un-installer would run fine, but Firefox would nonetheless continue to use an old version of the Flash player, even after installing a newer version.

At the time, I reported this as a bug to Adobe (using this form). It is now two weeks later, and Adobe never responded, either to me or by updating the un-installer.

Realizing their press people might want to be aware of this, I also contacted the public relations department at Adobe (using this form). No response.

And then there is the whole issue of needing a special Flash player un-installer in the first place. Did you know this was necessary? Do your friends?

From where I sit, it doesn't seem that Adobe has done a good job of communicating this. And it's a necessary communication: removing the Flash player using the standard Add or Remove Programs applet from the Windows XP control panel doesn't work, and may or may not indicate that it doesn't work.

Speaking of communication, did you know that versions of the Flash player prior to "9,0,115,0" have serious security bugs (aka vulnerabilities or holes)? Secunia calls these bugs "highly critical." The tech support page for Flash doesn't mention them at all.

Then there are the recent stories about Adobe spying on how their customers use their CS3 software.

-- Adobe, Omniture in hot water for snooping on CS3 users
    by David Chartier December 31, 2007

-- Wear tinfoil hats when using Adobe products
    by Nicholas Carlson December 27, 2007

The CS3 software makes an outbound connection to something specifically designed to deceive. The connection is to a computer by name, but the name was chosen to look like a safe IP address. Specifically, the CS3 software communicates with 192.168.112.2O7.net.

Many people know that IP addresses that start with 192.168.x.x are for internal use only. That is, they are special IP addresses that do not exist on the Internet, but are instead reserved for use on local area networks. Adobe and tracking firm Omniture tried to use this commonly known fact to trick people who are not real techies.

Nerds know that this is 207.net, but many people no doubt see it as 192.168.112.207 and think it is a safe, internal-use-only IP address. Pretty sneaky.

By the way, Omniture owns two 207.net domains, one with the middle character the letter "O" and one with the middle character a zero.
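
A check for this kind of name, as an added example that is not part of the original post: the Python below separates real IP literals from hostnames whose leading labels imitate a dotted quad, treating the letters O, o, I and l as stand-ins for 0 and 1. The function and field names are chosen for this illustration, the destinations other than the hostname quoted above are constructed, and the parent domain is taken naively as the last two labels.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Letters that pass for digits at a glance (assumption: this small set is enough here).
LOOKALIKES = str.maketrans("OoIl", "0011")
# A label that could be read as an octet: 1-3 digit-like characters, at least one real digit.
OCTET_LIKE = re.compile(r"^(?=.*[0-9])[0-9OoIl]{1,3}$")


@dataclass
class Verdict:
    host: str
    kind: str                            # "ip-literal", "ip-lookalike-hostname" or "hostname"
    address: Optional[str] = None        # the address it is, or the one it imitates
    private: bool = False                # True when that address is in a private range
    parent_domain: Optional[str] = None  # naive: last two labels of the real DNS name


def classify(host: str) -> Verdict:
    name = host.strip().rstrip(".")
    try:
        ip = ipaddress.ip_address(name)
        return Verdict(host, "ip-literal", str(ip), ip.is_private)
    except ValueError:
        pass  # not an address, so it will be resolved through DNS

    labels = name.split(".")
    # Reverse-DNS names legitimately start with four numeric labels.
    if len(labels) < 4 or name.lower().endswith(".in-addr.arpa"):
        return Verdict(host, "hostname")
    head = labels[:4]
    if not all(OCTET_LIKE.match(label) for label in head):
        return Verdict(host, "hostname")
    try:
        ip = ipaddress.IPv4Address(".".join(l.translate(LOOKALIKES) for l in head))
    except ValueError:
        return Verdict(host, "hostname")  # e.g. an "octet" above 255
    parent = ".".join(labels[-2:]) if len(labels) > 4 else None
    return Verdict(host, "ip-lookalike-hostname", str(ip), ip.is_private, parent)


def flag_lookalikes(hosts: List[str]) -> List[Verdict]:
    """Return verdicts for names that read like an IP address but are DNS names."""
    return [v for v in map(classify, hosts) if v.kind == "ip-lookalike-hostname"]


# Constructed destination list; only the first entry comes from the post.
SAMPLE_DESTINATIONS = [
    "192.168.112.2O7.net",
    "192.168.112.207",
    "10.0.0.5.example.org",
    "www.example.com",
    "lol.lol.lol.lol.example",
]

if __name__ == "__main__":
    for v in flag_lookalikes(SAMPLE_DESTINATIONS):
        scope = "private" if v.private else "public"
        print(f"{v.host}: imitates {scope} address {v.address}, really under {v.parent_domain}")
```

Run over firewall or proxy logs, the flagged entries are the ones worth reading character by character before an outbound rule is approved.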

Finally, there is another wrinkle to the problem of not fully removing the Firefox plug-in DLL version of the Flash player. Originally, I noted that Adobe's un-installer failed to remove the program from
C:\Program Files\Mozilla Firefox\plugins\

Recently, I worked on a computer that had Netscape Communicator installed (the e-mail program continued to be viable long after the Web browser fell by the wayside). On this machine, the Flash player DLL was in
C:\Program Files\Netscape\communicator\program\plugins

The un-installer missed this too.

If you know someone at Adobe, you might want to pass this on. They won't speak to me.

Update: Someone from Adobe contacted me on January 7th. They are investigating this now. Apparently many/most/all Adobe employees take off from December 24th until early January.


Originally posted at Defensive Computing
December 22, 2007 8:17 PM PST

Problems updating the Flash player in Firefox? Here's help

by Michael Horowitz

Installing a new version of software should be a trivial thing--especially for popular software such as Adobe Systems' Flash player, which is used by millions of people every day. But no.

For one, the Flash player does not play well with the other kids in the sandbox. That is, trying to remove the currently installed version via the Windows XP Control Panel Add/Remove applet is a waste of time. The first three machines I tried this on resulted in three different outcomes, and the software was not removed on any of the machines. Instead, Adobe has an uninstaller for the Flash player.

And why do I bring up removing old versions in the first place?

Because the Flash installer has never removed older versions of the program. The first time I ran the Secunia Software Inspector I almost fell off my chair at the huge list of old versions of the Flash player that were hanging around. Those old versions were flagged by Secunia because they had security vulnerabilities (a nice word for bug, which is, itself, a nice word for a mistake by a programmer).

As I blogged about yesterday, this is now an important issue because the latest version of the Flash player fixes nine bugs, some of them critical (Adobe's term, not mine). Simply viewing a Web page can infect your machine, so removing the old buggy versions of Flash is important.

Unfortunately the bugs in Flash extend beyond the player itself, as I learned the hard way while trying to update a handful of machines to the latest version.

Two versions of the Flash player

Screenshot from the Secunia Software Inspector showing both the
IE ActiveX version of the Flash player (top) and the Firefox plug-in version

Even in the best of times, the Flash player is particularly annoying to upgrade because it has to be done twice, once for Internet Explorer and then again for Firefox. The player comes packaged as an ActiveX control ("control" is nerd talk for "program") for IE and as a "plug-in" for Firefox.

You can see this in the screenshot above from the Secunia Software Inspector, which shows both versions of the latest Flash player. The .ocx file at the top is the ActiveX version; the .dll file at the bottom is the plug-in version. As you can see, both files normally reside in
    C:\WINDOWS\SYSTEM32\Macromed\Flash\

The problems described below were only with the Firefox plug-in version.

Fighting to upgrade

One computer in particular desperately resisted being updated to the latest version of the Flash player. I eventually got it working, however. So if anything similar happens to you, you may find a helpful tip below. The problematic machine was running the latest version of Firefox (2.0.0.11) and Windows XP with all bug fixes applied.

I mentioned yesterday that Adobe has what I refer to as a "tester" page for Flash, a Web page that displays the currently installed version of the Flash player.

When I approached the machine this morning, the Flash tester page showed that Firefox was running the old version 9.0.47* but Internet Explorer 6 was running the latest version 9.0.115. I dutifully ran the Adobe Flash uninstaller (the version from December 3, 2007) and then went back to the tester page to see what it had done. The ActiveX version for Internet Explorer was successfully removed, but the Firefox plug-in version remained.

I cleared the Firefox cache, rebooted and tested again. Still, the Adobe tester page reported that Firefox was using the old version.

I got a second opinion from the Secunia Software Inspector: it said there was no plug-in version of Flash. Who to believe, Adobe or Secunia?

My first guess was to believe Secunia since all they do is look for files in folders, a simple process that shouldn't break. Sure enough, when I checked, there was no NPSWF32.dll file in C:\WINDOWS\system32\Macromed\Flash.

But I figured the acid test was to visit a Web site that uses Flash, so I browsed around Yahoo.com a bit. Lo and behold, Firefox was able to display the Flash-based ads. Both the Adobe uninstaller and Secunia had failed to locate the copy of the Flash player that Firefox was using. Nice work, guys.

But, if the NPSWF32.dll file was not in its official folder, Firefox was nonetheless picking it up from somewhere. To find out where, I ran a Secunia "thorough system inspection," something I suggested at the end of my previous posting.

Sure enough, it found three instances of the Firefox plug-in version of the Flash player.

A portable version of Firefox on the M disk was using Flash version 9.0.47, another portable version of Firefox on the Z disk was using Flash version 9.0.45 (the Adobe Flash tester page confirmed this). But the interesting file was on the C disk:
    C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
This was probably the file Firefox was using.

Installing the Firefox plug-in version of the Flash player
from the downloaded EXE file

At this point I figured I'd just install the new Flash player and be on my way to the next machine. So I went to the Flash player download center and downloaded an EXE to install the plug-in version of Flash for Firefox. The install ran successfully as shown above (I can't show all the messages because the window is not re-sizeable).

Not trusting anything, I verified that the official folder C:\WINDOWS\system32\Macromed\Flash did, in fact, contain a file called NPSWF32.dll and that its properties showed it to be version 9.0.115.

I cleared the Firefox cache and restarted the browser. You could have knocked me over with a feather when the Adobe tester still showed that Firefox was using the old version 9.0.47 instead of the just-installed latest version, 9.0.115.

Determined not to be defeated by Adobe's incompetence at the simple task of installing and uninstalling its own software, I renamed the NPSWF32.dll in C:\Program Files\Mozilla Firefox\plugins\ to NPSWF32.DONTUSE.ME.dll, cleared the Firefox cache again and restarted the browser.

It was still using version 9.0.47!

This I truly did not expect. After all, I had uninstalled the Flash player, installed it successfully and renamed the file it might have been picking up by mistake. Despite all this, it kept using the old version. But from where? Can you guess?

Fortunately there was no need to guess. The excellent Process Explorer can display the DLLs loaded by any running process.

The Flash player DLL used by Firefox

A picture is worth a thousand words, so take a look at the screenshot of Process Explorer above. Despite renaming the NPSWF32.dll file and despite the fact that it does not reside in the official folder, Firefox is still using it. Now I'm annoyed with Mozilla, too.

The next step was obviously to delete the NPSWF32.DONTUSE.ME.dll file, and, finally, this activated the new 9.0.115 version of the Flash player.
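
An inventory of every plug-in copy, as an added example rather than anything Adobe, Mozilla or Secunia ship: the Python below walks whole directory trees the way a thorough inspection would, matches files on the NPSWF prefix and .dll suffix so a renamed copy such as NPSWF32.DONTUSE.ME.dll is still found, and reports copies whose content differs from the one in the official folder. It compares SHA-256 digests instead of reading version numbers, and the demo tree, its file contents and all function names are constructed for the illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_flash_plugin(filename):
    # Prefix and suffix only: the renamed NPSWF32.DONTUSE.ME.dll must still match.
    lowered = filename.lower()
    return lowered.startswith("npswf") and lowered.endswith(".dll")


def find_flash_plugins(roots):
    """Walk every root and return {absolute path: sha256} for each plug-in copy."""
    found = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if looks_like_flash_plugin(name):
                    path = os.path.normcase(os.path.abspath(os.path.join(dirpath, name)))
                    found[path] = sha256_of(path)
    return found


def stale_copies(roots, official_dir):
    """Copies outside official_dir whose content differs from every copy inside it.

    If the official folder holds no copy at all, every copy found is reported.
    """
    official_dir = os.path.normcase(os.path.abspath(official_dir))
    found = find_flash_plugins(list(roots) + [official_dir])
    current = {d for p, d in found.items() if os.path.dirname(p) == official_dir}
    return sorted(p for p, d in found.items()
                  if os.path.dirname(p) != official_dir and d not in current)


def build_demo_tree(base):
    """Constructed stand-in for the folders named in these posts; returns the official folder."""
    new, old = b"constructed 9.0.115 build", b"constructed 9.0.47 build"
    layout = {
        ("WINDOWS", "system32", "Macromed", "Flash", "NPSWF32.dll"): new,
        ("Program Files", "Mozilla Firefox", "plugins", "NPSWF32.DONTUSE.ME.dll"): old,
        ("Program Files", "Netscape", "communicator", "program", "plugins", "npswf32.dll"): old,
        ("Program Files", "Mozilla Firefox", "plugins", "npnul32.dll"): b"unrelated plug-in",
    }
    for parts, content in layout.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
    return os.path.join(base, "WINDOWS", "system32", "Macromed", "Flash")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        official = build_demo_tree(base)
        for path in stale_copies([base], official):
            print("stale copy:", path)
```

On a real machine the roots would be the drive letters to inspect, including the ones that hold portable browser installs.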

A parade of bugs

Let me wrap up by summarizing the virtual parade of bugs I ran into:

Adobe bug: Its uninstaller program did not uninstall the Flash player being used by Firefox. It missed the player used by both the normally installed copy of Firefox and by two portable versions of Firefox.

Secunia bug: Firefox was using an old buggy version of the Flash player, but its regular inspector didn't find any instance of Flash to report on, let alone object to.

Adobe and/or Mozilla bug: After successfully installing the new version of the Flash player, Firefox didn't use it.

Firefox bug: Using a DLL despite having the wrong name.

Firefox bug: There should be one and only one location that Firefox uses for plug-ins. The use of two folders for plug-ins fooled both Secunia and Adobe.

Not to mention the nine bugs in the Flash player that kicked off this endeavor. And not being able to use the Control Panel Add/Remove Programs applet in Windows XP to remove the Flash player. It works for everyone else, why not for Flash? All this is made even worse by the fact that Flash and Firefox are mature, popular products.

They don't make programmers like they used to.

Update: January 30, 2008. For more on this topic see A heads-up on the Adobe Flash player from January 26, 2008.

Update: January 6, 2008. There is yet another location that Firefox will pick up the Flash player from that the Adobe un-installer ignores. See Black eyes for Adobe.

Update: January 10, 2008. Based on this blog posting, Secunia is changing how their online inspector works. The below is from an email message from them to me:

By default the Secunia Online Software Inspector will only search default install directories, to our knowledge the default plug-in directory for Flash in Firefox has previously been: %ProgramFiles%\Mozilla Firefox\plugins
However, with a recent update they (Adobe or Firefox) changed the Firefox Flash plugin directory to be: %SystemRoot%\SYSTEM32\Macromed\Flash
This is why a default inspector (non-thorough) wouldn't pick up any Flash files from the Firefox plug-in directory.
However, based on your findings we have chosen to re-insert the default Firefox plug-in directory again, so it should now pick-up Flash plug-ins located in both directories.

Update: April 11, 2008. For the latest on the Flash Player see Time to update the Flash player. Here's how.

* The full version numbers are 9.0.47.0 and 9.0.115.0 but I'm leaving out the last zero so your eyes don't glaze over and because it's not relevant to the point at hand. Adobe also uses commas in the version number instead of periods. I'm using periods here because that's the standard for version numbers.


Originally posted at Defensive Computing
October 21, 2007 8:25 PM PDT

Disgracefully unreliable software

by Michael Horowitz

Software can be made pretty reliable; lots of people and companies know how to do so. The auto-pilot on an airplane comes to mind, as do the computers that run financial markets. Then there are mainframe computers, perhaps the classic example of reliability (I spent many years working in a mainframe environment). But chances are that the computer you are reading this on is not as reliable as it could be.

Impolite Waiter


Let's start with an analogy. How would you feel if you were in a restaurant, in the middle of your meal, and the waiter takes your food away? It's a breach of the rules; food isn't supposed to be removed while the customer is eating.

Windows XP is that waiter. It lets you delete a file while an application is using it.

I ran into this recently while viewing an image with the popular IrfanView program. I was cleaning up files and deleted some pictures only to realize later that IrfanView was still running, minimized in the taskbar, and viewing one of the just deleted pictures.

This should never be allowed to happen, and it doesn't on a mainframe.

Windows knows full well what picture IrfanView is using. IrfanView didn't scan the sectors on the hard disk by itself to figure out which ones constitute the picture. It asked Windows to grant it access to the file. But when it comes time to delete a file, Windows has amnesia.

IrfanView is only one example. Windows XP will delete pictures while they are being used by a running copy of both Paint and the Windows Picture and Fax Viewer too.

Adding insult to injury is that Windows makes the opposite mistake too. Many times when I'm finished using the files on a USB flash drive, the Windows "Safely remove hardware" function won't let go because it thinks one or more of the files are still in use.

Multiple Updaters


Open a file in WordPad. Then open the same file in Open Office. Now both programs are updating the same file at the same time. How come no one at Microsoft ever saw this as a problem?

To be clear, the gripe here is about Windows XP, not WordPad or Open Office. The operating system is in charge of the files. It has the responsibility for integrity, so it should not allow two programs, any two programs, to update the same file at the same time. Anyone with a database background knows what comes next.

Open a plain text file with Notepad and then open the same file with AbiWord (again the specific applications are not the issue). Make a change to the file with Notepad, save it and close Notepad. Open Notepad again and you will see the change that it just made. Now make a change with AbiWord and save the file. The change that Notepad made is gone. Disgraceful.

Ubuntu Linux


There's no gloating in Linux land either.

In a virtual machine running Ubuntu 7.04, I double-clicked on an image and opened it in the default application, Eye of Gnome. Here too, I was able to delete the image while viewing it. I also tried opening an rtf file in Open Office v2.2. Again, I could delete the file while an application was using it.

Ubuntu fared no better with multiple editors. I was able to open a file in both gedit and Open Office v2.2 at the same time. Changes made in gedit and saved were wiped out by later changes made in Open Office. Just like Windows XP.
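
What refusing the second save looks like, as an added example that is not from the original post: the Python below replays the two-editor sequence described under Multiple Updaters, once with blind overwrites and once with a check that the file still matches what the session loaded. The operating system is not involved, so this protects only programs that cooperate through the same check; the class name, the ".lock" suffix and the file contents are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile


class ConflictError(Exception):
    """The file on disk is no longer the version this session loaded."""


def _digest(data):
    return hashlib.sha256(data).hexdigest()


class EditorSession:
    """One program's view of a file, remembering what it read (hypothetical class)."""

    def __init__(self, path):
        self.path = os.path.abspath(path)
        with open(self.path, "rb") as handle:
            data = handle.read()
        self.text = data.decode("utf-8")
        self._loaded = _digest(data)

    def save_blindly(self):
        # What the editors in the post do: overwrite whatever is there now.
        with open(self.path, "wb") as handle:
            handle.write(self.text.encode("utf-8"))

    def save(self):
        lock = self.path + ".lock"
        # O_EXCL makes creation fail if another cooperating saver is mid-write.
        fd = os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
        try:
            with open(self.path, "rb") as handle:
                if _digest(handle.read()) != self._loaded:
                    raise ConflictError(self.path + " changed since it was opened")
            data = self.text.encode("utf-8")
            tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(self.path))
            with os.fdopen(tmp_fd, "wb") as out:
                out.write(data)
            os.replace(tmp_path, self.path)  # readers never see a half-written file
            self._loaded = _digest(data)
        finally:
            os.close(fd)
            os.unlink(lock)


def replay_two_editors(path, guarded):
    """Two sessions open the same file, then each adds a line and saves in turn."""
    with open(path, "w", encoding="utf-8", newline="") as handle:
        handle.write("original line\n")
    first, second = EditorSession(path), EditorSession(path)
    first.text += "added by first editor\n"
    second.text += "added by second editor\n"
    conflict = False
    if guarded:
        first.save()
        try:
            second.save()
        except ConflictError:
            conflict = True  # the second editor must reload before saving
    else:
        first.save_blindly()
        second.save_blindly()
    with open(path, encoding="utf-8") as handle:
        return handle.read(), conflict


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        target = os.path.join(folder, "notes.txt")
        print("blind saves  :", replay_two_editors(target, guarded=False))
        print("guarded saves:", replay_two_editors(target, guarded=True))
```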

Java


This brings to mind my initial experience with the Java programming language back in February of 2001. The first thing I did was to write a simple program that added two numbers and printed the result.

To explain why I chose this as my first Java program, let's suppose that all numbers are limited to a single decimal digit. Then, if you add 1 and 1 you get 2. But, if you add 4 and 8, you should get an error since the result is larger than a single digit.

Along these lines, Java has a numeric data type called "integer" which is used for integer numbers up to 2,147,483,647 (let's call it 2.1 billion for the sake of argument). In my first Java program, I added two integer numbers and stored the result in a third integer - the code is below:

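    public class Overflow {
        public static void main(String[] args) {
            int var1, var2, var3;
            var1 = 2111000333;
            var2 = 1000222333;
            var3 = var1 + var2;  // the sum exceeds the int maximum of 2,147,483,647
            System.out.println("var3=" + var3);
        }
    }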

This adds 2,111,000,333 and 1,000,222,333. The result--roughly 3.1 billion--is too large to fit in an "integer" variable. I wanted to see how Java handled this. The result was:

var3=-1183744630

Not only is the answer wrong, but Java didn't crash, as I expected it would. Mainframe programs crash when they encounter this type of error - better to fail than produce wrong results.

Java didn't even issue an error message.

Update: October 22, 2007. I was asked by CNET if the above Java issue still exists. It does. Using Sun's JDK version 1.6.0_03 on Windows XP, I was able to re-create the problem. A screen shot is below.

Originally posted at Defensive Computing
September 13, 2007 8:12 PM PDT

Windows is spyware

by Michael Horowitz

Microsoft has crossed the line. They have been disliked by many techies, for arrogance, incompetence and more. But, this wasn't a universal opinion and reasonable people could have disagreed. Now however, the question of Microsoft's corporate character has left the realm of opinion and landed firmly in fact.

They are bad guys.

If there was any doubt, the final straw came today, in the September 13 edition of the Windows Secrets newsletter where the lead article by Scott Dunn (Microsoft updates Windows without users' consent) ended the debate.

According to Scott, "Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates."

Wow. Updating Windows without your being aware of it? And after telling it not to? That's what spyware does. It's what the bad guys do. And now, it's what Microsoft does. They seem to think that they own Windows, and you and I are just renting our copies. Maybe we should read the lease.

There's a saying in the computer security field that if a bad guy gets physical access to your computer, it's not your computer anymore. If Microsoft can silently update Windows against our will, whose computer is it?

Over at ZDNet, Adrian Kingsley-Hughes has Confirmation of stealth Windows Update. He describes a Windows XP machine that was set to download new bug fixes and notify the user, but not to automatically install anything. Yet, install it did.

He writes "I just don't like the idea of having updates foisted upon systems without being aware that they are coming in and having the option to postpone them. Why? Simple. IT'S MY PC!!!" No, Adrian, it's not your computer anymore. It has been assimilated into Microsoft's collective. Rather than being an individual, your copy of Windows does what the Queen tells it to do.

Windows is now malware and our computers are zombies.

The changes Scott describes affect Windows Update. Anyone who runs Windows Update manually, as I prefer to, has been forced to install new versions of it over and over and over again. So why the secrecy this time? And speaking of secrecy, Scott says "To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates."

It's inconceivable to me that any other software company would do exactly what their customers told them not to do.

Exhibit Two


Exhibit two against Microsoft's corporate character is Windows Update.

Many Windows users still have a dial-up Internet connection. The bug fixes to Windows are often large, and a dial-up user may find them too big to download, especially after falling way behind in applying them. Nothing new here, it's been true for years.

So why doesn't Microsoft sell, at cost, a CD containing Windows bug fixes? They did once, briefly, in reaction to a torrent of publicity about security problems in Windows. Why was this the exception and not the rule?

Next time, defending yourself against Microsoft--how to really turn off Automatic Updates. Then back to surge protectors.


Update: September 14, 2007. Integrated Adrian Kingsley-Hughes topic into the posting.

Originally posted at Defensive Computing
August 18, 2007 6:06 PM PDT

Trend Micro's Transaction Guard sloppiness

by Michael Horowitz

In my last posting about DropMyRights, I used the Trend Micro Transaction Guard utility as an example of a Java applet installing software while running inside a restricted instance of Firefox.

Transaction Guard was only used to illustrate a point, the reference was not an endorsement of the product, which I have hardly any experience with. Since writing the last posting, I have tried to use Transaction Guard many times from three different Windows XP machines over the space of two days. Not once have I been able to install it. It consistently fails with the "network connection not available" error shown below.

But that's only the beginning.

Just days after describing how a restricted mode Web browser can run Java applets, I run into the warning below, issued when Transaction Guard starts to download and run a Java applet from within Firefox.

This is not true. The installation of a Java applet does not require administrator privileges. How can Java programmers not know the conditions needed to run the applet they programmed? And if you're not sure, it's pretty easy to verify (or in this case disprove). How can Trend Micro make a mistake like this?

Another mistake in the sentence is that the word "applet" is not capitalized. For reference see What is Java? by Sun Microsystems and Wikipedia. Also, "Java" and "applet" are two words, not one, but we all make typos (no spell check?).

Other instructions in the Transaction Guard Install Help window are also wrong. (See a full-size screenshot.) When it comes to authorizing their applet to run, it says "Click 'yes' or 'always' to allow this JavaApplet run on this computer." But the two buttons in the Security Warning window displayed by Java 1.5.0_12 when run by Firefox version 2.0.0.6 are labeled Run and Cancel.

In fact, the whole Security Warning window looks nothing at all like the sample. I made a side-by-side screenshot showing the sample on the left and the actual window on the right. It's not even close.

Trend Micro is a fairly large company, with either "over 2,000 employees" or "over 3,000 employees," depending on which of their Web pages you read. Yet, they are writing Java applets and, literally, they can't spell it.

ActiveX in Internet Explorer


When Transaction Guard is run from Internet Explorer, it uses ActiveX instead of Java. The instructions say "Installation of ActiveX requires administrator privileges." True enough.

What it doesn't say however, is that without administrator privileges, the installation of the ActiveX control will hang. No errors are issued; it just stops.

I'm not an ActiveX programmer, but it doesn't have to be this way. That is, the inability to install an ActiveX program (normally called a "control") can be detected and the user told about the problem in an informative way. For example, PC Pitstop has an ActiveX test page that immediately detects that a restricted instance of Internet Explorer does not support ActiveX.

Finally, despite the fact that the utility is called Transaction Guard, the name of both the ActiveX control and the Java applet is TmHcmsX, not the most user-friendly name.

All in all, a quality improvement opportunity.

Update: August 21, 2007. I tried to install Transaction Guard again today and it failed with the same "Network connection not available" error. Even worse, it hung Firefox 2.0.0.6 such that Windows XP said it was not responding and it had to be killed with Task Manager.

Originally posted at Defensive Computing
July 30, 2007 8:07 PM PDT

Everybody likes Mozy--except me. Part 2

by Michael Horowitz

This is a continuation of Tuesday's posting (Everybody likes Mozy--except me. Part 1), which introduced the Mozy online backup service and software and where I started offering my opinions. Since Tuesday, I came across two more positive Mozy reviews.

In April, Serdar Yegulalp, writing for InformationWeek, reviewed Online Vault, Carbonite, eSureIT, iBackup and Mozy (Five Online Backup Services Keep Your Data Safe, April 9, 2007). He concluded that "The all-around winner for regular users and small business from this bunch was definitely Mozy, both for its plan structure and its unobtrusive client."

Also in April, BusinessWeek had a short article by Arik Hesseldahl about the beta release of Mozy for the Mac where he said "I've used Mozy on the Windows machine at the office, and actually came to like it a great deal" (Mozy Comes To Mac Today! April 25, 2007).

Encryption


Anyone considering backing up sensitive files has to be concerned with security and encryption. Walter Mossberg barely mentioned security, but David Pogue warned:

"Then there's the security thing. All four companies insist that your files are encrypted before they even leave your computer. But if you still can't shake the image of backup-company employees rooting through your files and laughing their heads off, then this may not be the backup method for you."
Note: He was referring to the idea of off-site backups, not specifically to Mozy.

At first glance, Mozy security sounds impressive--files are encrypted on your PC using 448-bit Blowfish encryption and then transferred over the Internet to Mozy using 128-bit Secure Socket Layer (SSL) encryption. But let's take a step back.

  • Mozy software encrypts the files on your computer
  • To do this, the Mozy software needs to know the encryption key (basically a password)
  • Mozy stores your files on Mozy's computers

The problem here is that Mozy is doing everything. In effect, Mozy makes the key, the lock and the safe.

How files are transferred between the PC and Mozy has nothing to do with the real security issue, as I see it. The SSL encryption used during the transfer offers protection from interception while the files are in transit, but no protection from Mozy.

There are two ways the Mozy software learns the encryption key/password--either you pick one and type it into the program, or the program will choose a password on its own. As they explain:

"You have the option of using a Mozy key, or your own private key to encrypt your data. Note, that if you use your own private key, you must be very careful about not losing it, because if you do, we won't be able to help ... Most users opt to use the Mozy key, but it's up to you."
Note: "key" can be thought of as a password and "private key" can be thought of as you're choosing the password.

Using a key/password generated by the Mozy software may not sound so bad, but it means your sensitive files are not secure.

In Part 1, I quoted Walter Mossberg as saying "Both companies encrypt the backed-up files and say they don't view them." Not that they can't view them, but that they don't view them. And the Mozy warning--do not lose your key/password or they can't help you--implies that when their software chooses the password, they can help you. They must know the password.

Even if you choose the encryption password, you are trusting the Mozy software not to externalize it, either on purpose or by accident. When it comes to backing up sensitive files, there is no place for trust in the equation.

This situation is not at all unique to Mozy. Other online storage companies also provide software that encrypts your files. I suggest using a backup scheme where software from one company does the encryption while an unrelated company stores the files.
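One way to follow this advice, as an added example that is not from the original post or from Mozy: encryption happens on your PC with a passphrase-derived key, and the storage side only ever receives the sealed blob. The names (seal, unseal, StorageCompany) and the iteration count are assumptions, and because Python's standard library has no AES the cipher is an HMAC-SHA256 counter-mode stand-in; a real setup would use a vetted encryption tool in its place.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; value assumed for this example

def derive_keys(passphrase, salt):
    """Stretch a passphrase only the user knows into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode (the standard library has no AES).
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(passphrase, plaintext):
    """Runs on the user's PC. Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(passphrase, blob):
    """Runs on the user's PC after a restore; ValueError on wrong key or tampering."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified backup")
    return _xor_stream(enc_key, nonce, ciphertext)

class StorageCompany:
    """The unrelated storage company: keeps blobs, is never given a passphrase or key."""
    def __init__(self):
        self.blobs = {}
    def put(self, name, blob):
        self.blobs[name] = blob
    def get(self, name):
        return self.blobs[name]

def demo():
    """Back up, restore, then try to read the stored blob without the passphrase."""
    passphrase = "constructed example passphrase"
    document = b"constructed sample: 2007 tax return"
    store = StorageCompany()
    store.put("taxes.bak", seal(passphrase, document))
    stored = store.get("taxes.bak")
    restored = unseal(passphrase, stored)
    try:
        unseal("a guess made at the storage company", stored)
        readable_without_key = True
    except ValueError:
        readable_without_key = False
    return restored == document, document in stored, readable_without_key
```

Calling demo() returns three values: whether the restore matched the original, whether the plaintext appears in what the storage company holds, and whether the blob could be opened without the passphrase.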

Restoring Files


When it comes to restoring files, Mozy can be slow. You can't simply go to their Web site, navigate to your needed files and download them. Instead, you have to request all the files you need up front (don't forget any) and wait. In Mozy's own words:

"Depending on how large the restore is, it could take a few minutes or a few hours for Mozy to prepare the data for you. When it's ready, you will be emailed letting you know you can download it. When you get the email, go to your Account page and from there you can download the restored data."

If you can imagine a situation where you need to access your off-site backup files quickly, Mozy might not be an optimal fit. Joel Hruska at Ars Technica described his experience restoring files using the Web-based interface: "When I requested a restore build as a free user, it took Mozy 36 hours to make my restore file available versus only 18 minutes when I requested the same service as a paying customer."

Only 18 minutes? With the nothing-special backup service I use, it takes less than 18 seconds to start downloading files, and e-mail is not involved at all. And 36 hours seems excessive, even for a free service.

More Gripes


There are a couple things I don't like about the way Mozy backs up files.

For one, their software copies open and locked files. No thanks, I prefer my files closed and unlocked when they are backed up. Why they do this, I don't know. What problem are they solving? Since the Mozy software runs all the time, there should be very little delay between when a file is closed and when it's sent off-site. I prefer backup software that issues a warning when it tries to copy an open or locked file.

Part 1 of this blog had a discussion of why Mozy is motivated to store as little data as possible. This may explain why Mozy doesn't always back up entire files. They try to be smart about it and only back up the pieces of a file that changed, a feature they call "block level incremental backups". I'm a pessimist, and this strikes me as just something else that can go wrong. I prefer my backups simple, and backing up pieces of files and later putting all the pieces together is complicated.

The Ars Technica review had this gripe: "Unlike several of the other programs we tested, Mozy doesn't offer a 'Backup this file' option when an item is right-clicked inside Windows Explorer."

Being a computer nerd, I'm comfortable using FTP to transfer files. Mozy does not allow uploads or downloads via FTP.

Warranty


Ed Foster writes The Gripe Line column for InfoWorld. Back in February, he wrote a memorable article called Backup Service EULAs Warrant a Closer Look (alternate link). A reader of his column reviewed the terms of service for Mozy, Iron Mountain, Carbonite, Xdrive, and SOSonlinebackup. According to Ed, "All disavowed that the product had to actually function at all except Iron Mountain, which in its warranty promises to at least try to fix bugs..."

The unnamed Gripe Line reader said it well: "The availability of data, in essence, completely defines the service itself. Yet, all of the online backup companies I surveyed expressly disclaim any responsibility for actually delivering on the service they claim to offer." Three of the companies, Mozy being one of them, disavow damages for their own negligence.

And here's an analogy that really puts it in perspective: "Who would buy life insurance if the carrier's terms of service has a clause that says that if you die, they have no real obligation to pay the claim?"

Finally, on a (much) lighter note, some people may have a hard time complying with parts of Mozy's End User License Agreement. In the LIMITATION OF LIABILITY section it says:

"FURTHERMORE, YOU AGREE TO USE THE SOFTWARE OR SERVICE
EXCLUSIVELY FOR GOOD AND FOR AWESOME."

Talk about restrictive. And then there is this, in the next paragraph:

"DO NOT TAUNT HAPPY FUN BALL."

Wikipedia has an explanation of Happy Fun Ball. As lawyer jokes go, this one is pretty good.

To end on a legal note, that's my case.

Originally posted at Defensive Computing
July 30, 2007 6:34 PM PDT

Everybody likes Mozy--except me, Part 1

by Michael Horowitz
  • 44 comments

For a company in the boring business of online file storage, Mozy gets more than its share of press coverage, and from what I've seen, it's all been positive. Mozy attracted attention back in December 2006 when they started offering unlimited file storage for $5 per month or $55 per year (rounded off).

The first Mozy review I ran across was by Walter Mossberg in The Wall Street Journal ("These Services Make Backing Up Your Files Safe and Inexpensive", December 14, 2006). He liked Mozy, so I spent some time reviewing them for a class I teach on backing up your computer. My opinion differed from Mr. Mossberg's, not for the first time.

Then in January 2007, David Pogue, writing in The New York Times, also liked the service ("Fewer Excuses For Not Doing A PC Backup", January 4, 2007). I blew that off too. But a couple weeks ago the tech Web site Ars Technica published a review of online storage providers by Joel Hruska that recommended Mozy as the best of the bunch ("Online backup solutions: a review", July 16, 2007). For me, that was the final straw. Time to speak up.

The good reviews


In his review Walter Mossberg compared Mozy to Carbonite, another online storage company. He found Mozy "easy to set up and easy to use" and seemed impressed that using the Web-based interface he could restore files on a Macintosh computer. Security is an obvious concern with off-site storage and addressing it he said, "Both companies encrypt the backed-up files and say they don't view them." Finally, he notes that "you can back up multiple computers--but you have to pay extra for each additional machine."

Pogue also found Mozy more flexible than Carbonite, citing as an example the fact that backups can either be continuous or run at specified times and dates. He pointed out that Mozy can back up only changed portions of files, and he liked that you can review 30 days of backups (more on this below). His only criticism was minor: he felt that Mozy might not be the best choice for beginners as some of its options are "novice-hostile."

Writing for Ars Technica, Joel Hruska reviewed Xdrive, Backup/PC, Mozy and Carbonite and concluded: "Of the services we tested here, Mozy Online struck the best balance between functionality and flexibility and is our overall top pick for an online backup service."

My opinions


To start with, I don't like any backup service whose software has to run constantly in the background. The more software running on a computer, the greater the chance of something going wrong. I prefer a backup scheme where the backups happen on a schedule and/or on demand. Thus, 99 percent of the time there is no backup software running. I don't like my computer doing stuff without me knowing about it.

And, if I had to go with background software that never shuts down, my preference would be for a mature product. Something that's at version 11 and has been around for years. Mozy is a relatively new company; it was founded in 2005. In December of 2006 when Mr. Mossberg wrote his review, the Mozy application software only ran under Windows XP. Now it also supports Windows 2000 and Vista and they have Mac software in beta testing. This is all too new for me to trust it with something as important as file backups.

Mr. Mossberg's description of the Web-based interface failed to point out that it can't be used for making backups, only for restoring files. As he said, Mozy charges extra for each additional computer that you back up from. The online backup service that I use, which I'm not going to mention both because it's not perfect and this blog is not an ad, allows me to back up files from an unlimited number of computers using their Web interface. This should be a prerequisite for any online storage service you may be considering.

Big sin


Mozy's biggest sin wasn't mentioned in any of the reviews. (Doesn't anyone read the fine print?)

An obvious reason for making backups is to be protected from accidentally deleting files. If your fingers slip while typing, you can wipe out dozens of files and not realize it. Or someone else using your computer might delete them. Or there may be a glitch in the file system and Windows loses track of some files.

If you delete a file by accident and don't notice it, Mozy will delete the backups of the file too. I kid you not.

This is a quote from Mozy.com (as of July 29, 2007): "If you delete the working copy on your machine and then run a backup, Mozy will assume that you no longer need a backup copy, since you got rid of the working copy, and will mark the file to be removed from our system in 30 days...After 30 days, you cannot get these files back."

Pogue made a bad thing seem like a good thing when he wrote: "You can view 30 days' worth of backups, too--a feature that prevents you from deleting a file from your PC accidentally and then finding its deletion mirrored in your latest backup." Mr. Pogue is assuming both that you know a file was deleted by accident and that you try to recover it within 30 days. But if you are not aware that a file is missing until 31 days after it disappeared, it's gone. With my online backup company I could accidentally delete a file, not know about it for years and still be able to recover the last backed-up copy.

Perhaps you know someone who has had to reinstall Windows? Or had their laptop computer stolen? With Mozy there is a chance it may treat missing files as being deleted on purpose, and delete the backups in 30 days. I have no idea how likely this is, but if something can go wrong, it will. And again, there's that issue of relatively new version 1 software to consider.

Why does Mozy do something that seems so wrong? I think I know.

In their free service Mozy offers 2GB of storage space to anyone who feels like asking for it. The less space someone uses, the better it is for Mozy. In their paid service, Mozy offers unlimited storage for $55 per year. Here, too, the less space a customer uses the better it is for Mozy. In this context, it makes sense for them to delete as many files as possible. It's a natural outgrowth of their business model.

In contrast, Mozy's competitors charge more as their customers use more storage space. It's reasonable to assume that these companies make more money the more data they are storing. Thus, they are not motivated to delete files. In my opinion, you're better off using a company with this business model.

Mozy customers are, in effect, trying to get something for nothing with unlimited storage for only $55 per year. It's too good to be true.

I'm far from done. More tomorrow...


Update. February 9, 2008. In an attempt to generate commissions someone made a comment to this article suggesting that mozyonlinebackup.com offered impartial reviews. It does not. The site is run by John Pontillo of Fishkill, New York. That the links to Mozy look like
http://www.mozy.com/?ref=99999999&kbid=99999&m=9&i=99
is a giveaway of the true purpose of the site - generating commissions.

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing
July 15, 2007 9:05 PM PDT

NOD32 antivirus won't shut down

by Michael Horowitz
  • 4 comments

The NOD32 antivirus program from ESET has its share of enthusiasts. After a long, detailed review of the field, Scot Finnie in February called it the best antivirus product of 2007.

Based on Mr. Finnie's reviews and recommendation, I've been installing NOD32 on the computers of some of my clients. I've also lived with it a bit on one of my computers and had no major gripes.

Until yesterday.

Screen shot: NOD32 is using 88% of the CPU after having been shut down.

I was about to run Microsoft Update on a Windows XP machine for the third or fourth time, and was getting tired of waiting for it to complete. So this time, I turned off ("Quit") NOD32 beforehand.

It didn't seem to make much of a difference, as Microsoft Update still maxed out the CPU while checking for new patches and seemed to take forever to complete.

But while I was waiting, I took a look at the system using Process Explorer, a great free program, now from Microsoft but formerly from Sysinternals. Surprise, surprise. NOD32 was using 88 percent of the CPU cycles. Despite the disappearance of the system tray icon, it never really shut down.

In the screen shot above (click for a full-size image), the highlighted line is nod32krn.exe, and you can see from the CPU History that it has been using a good portion of the processor horsepower.

Screen shot: NOD32 version details.

I've been down this road before. This isn't the first time the user interface of an application says that it is not running but the underlying Windows service is still running (in Windows XP: Control Panel -> Administrative Tools -> Services). Windows Update is like this. So, too, is the Windows Security Center.

But NOD32 won't let you shut down its Windows service. The Stop option is disabled. I've seen enough episodes of "Star Trek" to know how important a manual override is. NOD32 doesn't have a manual override.

The version of NOD32 in question is the current version, 2.70. Click on the screen shot at the right to see the full details on the version of NOD32 being used at the time.




UPDATE (July 17, 2007)


Randy Abrams, the Director of Technical Education for ESET, the company behind NOD32, explained why NOD32 only partially shuts down.

"As for the inability to completely shut down NOD32, that is necessitated by the nature of security software and the threats we face. NOD32 implements technologies designed to prevent malicious software from disabling it. While NOD32 offers the user the ability to partially turn off NOD32 services, in order to allow the user to completely do so we would have to allow malware to easily disable NOD32. Additionally, the low level at which anti-virus software runs means that system stability may be compromised if it is completely removed - making it potentially dangerous to completely remove the software without a reboot. The anti-stealth technology in NOD32 that is designed to be able to detect active rootkits must operate at a system level at least as low as the rootkits it is detecting."

And he goes on to explain that NOD32 can be totally shut down after a reboot:

"To temporarily disable NOD32 without uninstalling it on a Windows XP System, I would recommend using MSConfig and temporarily disabling the startup item NOD32KUI and the service NOD32 Kernel Service."

Although you can't stop the NOD32 Kernel Service, you can change it from the normal startup mode of Automatic to Manual or Disabled. Addressing the CPU usage observed with NOD32 half shut down, Mr. Abrams says:

"Typically when NOD32 is disabled the resource consumption will go down to about zero. There can be very strange cases where the exact combination of hardware and software create conflicts. These conflicts can be a real bear to track down."

Being a programmer, I feel his pain. And NOD32 in normal usage is not a resource hog at all.

I asked Mr. Abrams about other defensive software (antivirus, antispyware, firewalls and the like) that asks for confirmation from a human being when it gets a request to shut down. On this point he said:

"There are definitely a variety of approaches that can be taken. Each will have trade-offs in terms of security implications. Malware that can shut down a security program can also intercept messages. It is a calculated risk."

And, on a lighter note, Mr. Abrams adds:

"Remember, in Star Trek the ultimate manual override still required a senior officer's verbal confirmation and was not valid for all starships (we hope). Ultimately, NOD32 can be uninstalled without difficulty, but we wouldn't want any random Tribble (hey, they are great at replication) to be able to come along and disable every copy of NOD32."

You've got to love a company with a sense of humor. :-)

Finally, let me put this in perspective. NOD32 has been a well-reviewed product, which motivated me to try it in the first place. At my computergripes.com site I often gripe about software that I continue to use and recommend. Nothing's perfect. But you'll never see me griping about, for example, Microsoft's antivirus product because it has been so poorly reviewed, I won't bother with it.

Originally posted at Defensive Computing