THE

LIST

This newsletter tracks new information, and improvements in existing information, on www.aumha.org, my website supporting Windows desktop systems and leading application software. I also include small, useful items that might not find a permanent place on the site, but that I would like to pass along.

Click here to subscribe. If you subscribe, you will receive email notification when there is a new edition of the newsletter. (You will not receive the newsletter itself by email. That's why I call it low-tech.) My intention is to provide a new and further way to serve the 50,000 people per month who visit my site. Previous newsletters are available online, and their content searchable through this site's search engine. Enjoy! — Jim Eshelman

CONTENTS of this Issue

1. NEWS & VIEWS
2. TIPS
3. KNOWLEDGE BASE Articles: Error Messages
4. KNOWLEDGE BASE Articles: Internet Explorer & Outlook Express
5. KNOWLEDGE BASE Articles: Memory (RAM)
6. KNOWLEDGE BASE Articles: Windows XP
7. KNOWLEDGE BASE Articles: Windows Setup
8. MY FAVORITE FREEWARE

NEWS & VIEWS

WELCOME to HUNDREDS OF NEW READERS

Welcome to all the new readers of The E-List. Make yourselves at home.

Until this week, The E-List page was hit so few times it didn't even appear on my site stats. This week, however, over 500 hits appeared in one 24-hour period, and over 700 hits over the course of three days. Even allowing for revisiting, this means that there are a lot more of you just starting to read this e-letter this week. I'm happy to have you with us. (For some reason, it is more gratifying to write something that you know someone actually will read!)

I suspect that much of this is due to a certain chilly friend named Koldbear, who gave The E-List some publicity this week. (Thanks, Koldie!) It also seems, from letters I have received, that the long “News & Views” article on Distributed Denial of Services (DDoS) attacks in the last issue was a major draw. Although I have a follow-up article on this topic below, let me assure the disinterested that I'm not planning to make this a standard factor of the newsletter! On the other hand, because of the strong draw of the article, I want to ask all of my readers: Is this type of article something you would like to see here on a regular basis? In addition to the Knowledge Base link updates, freeware alerts, tips, and notices of new additions to www.aumha.org, are you interested in this sort of news, or discussion of controversial computer issues, or semi-popularized technical discussions? If so, let me know. If not, let me know.

Feedback

MICROSOFT SUPPORT LIFECYCLES

As you may already know, after December 31, 2001, Microsoft will provide no more support for Windows 95. However, this site, www.aumha.org, will keep on providing it, at no cost.

In February, Microsoft announced the end of Windows 95 active support as the product is faded into the background. In its online Windows Desktop Product Lifecycle Guidelines, MS details “plans to make Windows desktop operating system... assisted support offerings available for four years.” The clock on Win95 has run out. Win95 entered the Extended Support Phase on December 31, 2000. On December 31, 2001 it will enter the Non-Supported Phase. See the article linked above for the details.

A related web page is Microsoft's Client Operating Systems Lifecycle Announcement. Recently updated, it provides Hotfix Availability and Product Support Discontinuance tables that will keep you up to date on when the formal support cycle for older MS products will be expiring. In addition to the Win95, MS-DOS (all versions through 6.22), and 16-bit Windows (through 3.x) extended support expiration at the end of this year, an eye-opening deadline is the expiration of standard (i.e., non-paid) support for Office 97 on July 31, 2001. Again, check the tables in the article for further information.

Everything runs its course. I am aware, though, that thousands of visitors to my site still use Win95. I plan to continue, therefore, all of my current Win95 support features. Please visit as often as you like for ongoing Win95 support. Also, check out such peer-support newsgroups as Windows 95 General Discussion.

Feedback

WHO IS SPOOFING WHOM?
Further information & views on the DDoS attack problem

Let me tell you a story about one of those moments when I knew that I had the right tool for the job at hand, and it did its job just the way it was intended.

I'm careful about catching computer viruses. I have virus protection in place, and I practice online “safe sex” (or, as correspondent Heather Figueroa reminded me it is more commonly called these days, “safe hex”). This doesn't mean I'm perfect at it or impervious. I'm as vulnerable to targeting as anyone else. And I make mistakes. One day last summer I was targeted and I made a mistake, opening an attachment I knew better than to open, thereby contracting an “infection” that was too new for my anti-virus program to catch. It was one of those lovely infections that dials your telephone when you aren't looking, and ships itself off to all of your friends packaged pretty as can be in your own wrapping paper so that your friends will all assume you are sending them something nice.

Late that night, I woke to hear my modem dialing out. I knew that whatever was happening shouldn't be happening. I got up and wandered into my office, where I saw that my recently installed best friend, ZoneAlarm, had popped open to ask me if I really wanted Microsoft Word (!) to be dialing out on the Internet. ZoneAlarm was patiently awaiting my answer. It would have been waiting if I hadn't checked in until the next morning. It had stopped the virus' attempt to dial out and do its dirty business behind my back. I clicked on “No,” then downloaded the new virus definition files just posted, and sterilized the sucker.

What's the point of the story? It's that none of us is impervious to this sort of thing if we live some significant portion of our lives on the Internet. I'm not the single most cautious person alive, but I have far better than basic protection in place, and use far better than basic prudence. That's all necessary, but it isn't enough. If I hadn't had a personal firewall on my computer — one that effectively handles outbound traffic as well as inbound traffic — my mistake could have been costly to the few hundred people close enough to me that their email addresses were in my address book. My error would have cost them.

Did you ever have the youthful experience of sitting in a county health department office being admonished that you were the one who had to tell some people close to you that, uh, well, just maybe, they should, uh, go see a doctor because, well, see, you had this test and, um, it said that, well, they should have one too? I was in that situation once, way back in my “untouchable youth.” I remember how it felt (I mean, in addition to the needle, and what they did with that swab during the test). I would have felt the same if I had needed to notify a couple of hundred people that I probably inadvertently infected their computers with a virus, and that, when they weren't looking, it had probably infected all of their email friends as well.

The virus that hit me last summer was a minor annoyance. However, in the last issue of The E-List, under the title “Whose Server is Your 13-Year-Old Disabling Tonight,” I wrote of a more serious problem that arises from the same type of source. That problem is the increasing presence of malicious “Denial of Service” (DoS) attacks, the kind that bring down web sites, flood a network causing a paralyzing traffic jam, and otherwise deny legitimate access to a network's services. (See the next article below for more information on this type of attack.) Steve Gibson of grc.com has brought strong computer media attention to the problem, being himself in the middle of a serious string of disabling attacks. It has been the talk of much of the Internet community for the last couple of weeks. If you didn't see my article on this in the last issue of The E-List, I encourage you to read it for background. Even its main points are too lengthy to repeat here.

As that article makes clear, these distributed DoS (DDoS) attacks are a lot like the virus I caught, not only because of their clever and malicious intention, but because, for them to work, they rely on somebody like me — or you — or the person next door who would never think of owning an anti-virus program, and opens every email attachment gleefully with the hope that it will be something wonderful. These attacks rely on us to have our defenses down and get infected. Our computers then become hijacked, and used under our noses to launch massive attacks against their targets.

That's the scoop. It's real. It's happening so frequently it almost isn't news any more. What is controversial, though, and has been subject to much discussion this last week, is Steve Gibson's warning that things are about to get a lot worse — that with the release of Windows XP next Christmas season (soon thereafter to become the standard operating system on nearly every new PC sold), these attacks will increase in sophistication and we will be completely defenseless against them. This worsening of the problem is not due to a flaw in Windows XP; it will be due to the fact, Gibson alleges, that the XP home computers on which these “zombies” will be dropped will have more sophisticated capabilities that can be hijacked by the malicious code, and additional abilities to hide the origin points of the attack, which will cripple our ability to defend against those DDoS attacks that are presently defensible.

During the last week, I have received over a hundred emails on this subject, and participated in online discussions with people who know much more than I do. These people are far more knowledgeable than I concerning all sorts of technical topics weighing on this issue, and they have generously shared their knowledge and their points of view. I don't always agree with their conclusions. They often don't agree with each other. They shouldn't be held accountable for my opinions below. But they deserve and have my thanks for their contribution to my understanding and evolving thoughts on the subject, so I must thank publicly at least three of them: MS-MVPs Ovidiu Popa, Felix Kasza, and Kent England. I also corresponded with Steve Gibson, confirming a shared passion for this issue and the need for an industry and public addressing of it. I also have studied Microsoft's public response to Gibson's allegations, reinforced by private email from a contact inside of Microsoft.

My views on this subject have evolved. Here is the form they now take:

Steve Gibson was wrong on one critical technical point. He stated that “spoofing” an IP address is not possible in Windows 9x or NT, and was only introduced in Windows with version 2000 and its pending successor, Windows XP. I have learned this is not the case. IP spoofing is also quite possible in Windows 9x and NT. It's hard. But it's possible. I've corresponded with half a dozen people in the last week who know how to do it. The fact that it is hard should not give us any security. Utilities are in circulation that let anyone do it. Furthermore, just about anyone with the capacity to write the original code of a “zombie” also will have the skill to drill down into the Win 9x stack and spoof an IP address. The fact that they generally have not done this until now is not due to an inability to do so.

On the other hand, I think Gibson is absolutely right to raise a ruckus about this problem and just how vulnerable we are. In saying that one of his technical premises is wrong, I do not say his conclusions are all wrong. Far from it. He has drawn attention to one of the most important issues before us in the next one to two years.

Microsoft posted its formal response to Gibson's allegations in a TechNet article, Hostile Code, not the Windows XP Socket Implementation, is the Real Security Threat. Microsoft has taken a different approach to the problem. The company believes that its “war on hostile code” campaign has matured to a point where they are ready to provide substantially increased measures to prevent hostile invasions of a computer. They are not as concerned about what a “zombie” would be capable of doing once it landed on a Windows XP computer, as they are in preventing it from ever getting there in the first place. Windows XP comes with a native firewall which, by default, is turned on (one of the suggestions I made last issue). “In sum,” Microsoft concluded, “it doesn't matter what networking functions are available as part of an operating system if an attacker's code never gets the opportunity to run on it.”

In a separate TechNet article, Security Considerations for Network Attacks, Microsoft summarized, “Microsoft’s TCP/IP stack... has been tested and proven reliable against many attacks and in its default state handles the most common types.” They also recommend 10 steps that can be taken to lower the vulnerability of a website to DDoS and other network attacks. (Thanks to MS-MVP Ron Martell for this tip.)

The scope of Microsoft's security efforts already in place in Windows XP is much stronger, we now know, than anything previously announced by them. This is an exceptionally good sign. The sky is most definitely not falling. On the other hand, I think they still have their heads a little bit in the sand. Increased security on each Win XP machine does not bring the problem to a halt. Severely retarding the ability of hostile code to reach Windows computers is insufficient. Some hostile code will get in somewhere, somehow, perhaps mostly through naive users, but possibly through sophisticated users as well. We all make mistakes sometimes. And far less than 1% of all Windows XP computers will be sufficient to launch all the DDoS attacks anyone ever would want to launch.

I do not believe that the threat of DDoS attacks will worsen as a consequence of Windows XP's release. I do believe, though, that it is already a serious problem, and that it will worsen with the natural passage of time, at a quick rate. I feel we must prepare ourselves at once, as if the problem were going to grow to be just as big as Steve Gibson predicted. It almost certainly will.

The sky isn't falling. But there are an awful lot of old satellites in seriously decaying orbit. A parasol isn't enough.

Philosophically, I note that our collective response to these attacks actually may stimulate a variety of community maturation — even a spiritual maturation. They require a different type of thinking. You see, the most productive steps we each can take are not those by which we necessarily will make ourselves more immune from attack. Rather, we have to take steps that will protect everyone else — protect them from attacks that our computers might launch. Our spirit must be one of working to make a safer and more secure Internet world for everyone. Acting selfishly, and for one's own self-protection, won't accomplish anything. You won't be a nickel safer. It will only work if you watch everyone else's back — and can count on them to watch yours.

Here are some ideas toward reducing DDoS vulnerability:

• It must become standard practice for every person on the Internet to install and use a personal firewall program — one that not only protects us from inbound penetration, as the native Win XP firewall does, but which also provides outbound protection. ZoneAlarm does this, as do Norton Personal Firewall and Tiny Personal Firewall. (The popular BlackIce firewall was never designed to trap outbound traffic, so shouldn't be relied on for this purpose.)
  
  
• Existing “safe hex” practices need to be continued and intensified. The vast majority of all system invasions can be prevented by simple precautions that are already known to most people (and should be known to, and practiced by, all). See “Safe Hex” from the www.claymania.com site, a collection of safe-computing tips arising from the continuing cooperative efforts of alt.comp.virus newsgroup participants.
  
  
• In addition to taking our own precautions, we must turn to the ISPs for most of the solution to this problem. It is in their hands more than any other hands. Historically, the large ISPs have had no interest in taking the necessary actions, either to block these attacks or to assist in tracking down those involved. It most likely will take enormous public pressure even to begin to budge them. But the technical changes are trivial for the ISPs to make. (Smaller ISPs, such as those under the care of Felix Kasza, have already employed such methods for quite some time.)
  
  These measures are becoming increasingly vital to the public welfare. If a few too many well-placed business sites go down, we may be looking at the unhappy specter of government intervention on the issue. I don't look forward to that. Voting with our checkbooks, and letting our ISPs know that we want them to actively step in on this issue, is a much more attractive approach. But if that doesn't work, the next step would be to write to our Senators.
  
  
• Educate, educate, educate! Discuss, discuss, discuss! Education won't solve everything — but it's the foundation of solving anything!
  
  
• This is a social issue as much as it is a technological issue. Unfortunately, it is a social issue comparable to that of teenage vandalism, or even more serious youth crime. I don't have easy answers — society has been looking for these answers for a long time. My present role is more to point the way toward the question. Parent interest, education, and involvement surely must be a significant part of any social solution.
  
  
• Don't relax. Don't be scared or obsessed with the subject, but do understand that the problem will get much worse before it gets better, and that it won't get better at all unless we do something about it. There are technologies forthcoming that will make fiercer attacks possible while making defense against launched attacks vastly more difficult. Fortunately, we also have emerging technologies that purportedly will make it more difficult for an attack to be launched. It's an “arms race.” If we educate ourselves and others, act responsibly and prudently, and mobilize involvement of the ISPs, we will be well advanced toward the goal of meeting these DDoS challenges.

I welcome your own additional suggestions and insights. TIA.

Feedback

SO, EXACTLY WHAT IS A DoS ATTACK?

The E-List is written for users at a variety of knowledge levels. Articles such as the foregoing have to be aimed at least somewhat at a popular, rather than technical, audience. Nonetheless, for those interested, a more complete description of Denial of Service (DoS) attacks seems warranted. I am grateful to MS-MVP Ovidiu Popa (one of the smartest networking professionals I know), for the following:

Generally, a Denial of Service (DoS) attack is an attempt to prevent legitimate users from using a particular service. This may include:

• Flooding a network, preventing legitimate network traffic
• Disrupting connections between machines, preventing legitimate access to a particular service
• Disrupting a particular service required by another legitimate system on the network
• Generally, preventing any legitimate individual from accessing a particular service

The “service” may be WWW, POP3, SMTP, FTP, NNTP, routing, or other services.

Not all service outages, even those that result from an attack, are necessarily DoS attacks. On the other hand, DoS may be only a part of a larger and more complex attack. Illegitimate access of resources may also result in denial of services; for example, an intruder may use your anonymous FTP area as a place to store pornography, consuming disk space and perhaps generating a huge network traffic!

DoS attacks may come in various forms. Some examples:

• Bandwidth consumption — typical is the SYN flood attack.
• Crafted UDP packets, designed to connect the echo service on one machine to the chargen service on another machine. As such, the two services would consume all the available network bandwidth.
• A large number of packets directed to your network. Typically, these are ICMP echo packets, but other types may be used as well. Again, all the network bandwidth is consumed.
• Resource altering. Example: if the attacker penetrates a router, he may alter the routing table. Your network becomes instantly unavailable to your users.
• Filling the inherent limited number of data structures (for a particular operating system implementation) with (usually) self-replicating structures. Even if the OS doesn't crash, it will slow down significantly. Legitimate users may lose access to services.

Feedback

TIPS

Ctrl-Z CIRCUMVENTS MS WORD'S AutoCorrect & AutoFormat FEATURES ON THE FLY

If you use MS Word, you are surely familiar with the AutoCorrect and AutoFormat features (even if you didn't know that this is what they are called). For some of us, they are a great help; for some, they are the source of enormous frustration. It's great to have small typos corrected on the fly, caplock errors adjusted, smart quotes added automatically, and double hyphens changed to elegant m-dashes. On the other hand, it gives new meaning to the word PITA when you are trying to keep a “dumb quote” for an inches sign or to represent a character in an irregular font; when every time you type Tao Teh Ching it switches to Tao The Ching when you aren't looking; or when you can't put a number at the front of a paragraph without turning the next one into an auto-formatted numbered list.

Of course, you can always go turn these features off. But, then, you lose their power. A lot of us like them a lot — except for those moments when we don't like them.

There's an easy way to have your cake and eat it too, in this case. It is the Ctrl+Z keystroke, the Word keyboard shortcut for Undo. Here's the principle: The keystroke you make, and the correction Word makes, are buffered as two separate keyboard actions. If you press Ctrl+Z immediately after Word makes an unwanted change, it gets undone — and stays that way.

Feedback

KB ARTICLES: Error Messages

Remember I told you, a couple of weeks ago, that Microsoft's review of Knowledge Base articles goes in cycles? This week, it was Internet Explorer's turn. Hundreds of KB articles on IE were reviewed and, in many cases, revised this week. If you have unresolved IE issues and have, in the past, not been able to find a solution in the Microsoft Knowledge Base, this is the time to check again. Additionally, there are many new, helpful pages. I harvested links to the following ones this week, on IE-related error messages, to add to my Error Messages page:

EXPLORER or IEXPLORE causes Invalid Page Fault in WININET.DLL Win98 SE; IE 5 for Win95/98
When typing in the Start Menu's Run box, or in Internet Explorer's Address box, you may experience in Invalid Page Fault error condition in WININET.DLL. The cause is likely that Explorer's AutoComplete feature is trying to use corrupted information in the History folder. This article tells how to fix the problem.

IEXPLORE error conditions in KERNEL32.DLL or MSHTML.DLL Win ME; IE 5.5 for Win95/98
These can occur if you have Gator software (by Gator.com 2000) installed. The solution is to uninstall Gator, and contact Gator.com 2000 for version 1.5.2.5. See this KB article for more details.

IEXPLORE causes Invalid Page Fault in <unknown> or in KERNEL32.DLL Win ME; IE 5.x for Win95/98
If you have Aureate Radiate installed, you may get this error message when exiting the last or next to last instance of multiple instances of Internet Explorer. You may not know if you have Aureate installed — since it “comes along for the ride” with over 250 different shareware programs. If you want to keep it running and solve the error message problem, Microsoft recommends that you contact Aureate to inquire about a fix.

IEXPLORE or WAOL causes Invalid Page Fault in MSHTMLED.DLL Win ME; IE 5.5 for Win95/98/2000
Despite those letters “AOL” in one variation of this error message, this is actually a Hotmail problem. This error message can occur while composing email using the Hotmail web-based interface. (I hate web-based email!) This article provides two solutions. One is to go slower — that is, to wait until the entire web page has loaded and the Rich Text Format check box has become enabled (it turns from gray to white) before you start to compose a message. The other solution is to use Outlook Express (ah, a real email client!) for your Hotmail account.

IEXPLORE causes Invalid Page Fault in URLMON.DLL Win98; IE 5 or 5.01 for Win95/98
If you get this error message while trying to launch Internet Explorer, you probably have a Registry problem. The specific problem is that there are multiple Registry entries for QuickView Plus. The article tells you how to fix this problem manually.

Feedback

KB ARTICLES: Internet Explorer & Outlook Express

Continuing with new or revised Internet Explorer articles:

Outlook Express Cannot Gain Access to a Store Folder in Outlook When You Import or Open Messages
Microsoft's KB team made a small error in the title. It should read “Outlook Express,” not “Outlook.” But they got the rest of it right. The problem discussed is that, when you try to open or import messages in Outlook Express, you may not be able to gain access to one of your store folders (.DBX files). Neither renaming FOLDERS.DBX nor trying to copy this file and then import it has any effect. This occurs when the .DBX file is damaged. This article explains what your options are for recovering from this. (Based on the work of MS-MVP Steve Cochran.)

Differences Between Outlook and Outlook Express
An oldie but goodie. Says what it does, and does what it says.

Internet Explorer Starts When You Click a Hyperlink Even if Netscape Navigator is the Default Browser Win ME; IE 5.5 for Win98 SE or Win 2000
Something for the Netscape users in the audience. Unfortunately, there is no fix, just a work-around — which is to cut-and-paste the hyperlink into a Run box. See the article for a couple more details.

Feedback

KB ARTICLES: Memory (RAM)

Negative Hard Disk Free Size Reported on Virtual Memory Tab in System Properties Win98, Win98 SE, Win ME
This is only a data display problem. Nothing else is really wrong with your computer or with Windows. There is, however, a supported fix that you can get directly from Microsoft.

Feedback

KB ARTICLES: Windows XP

Hostile Code, not the Windows XP Socket Implementation, is the Real Security Threat
This is Microsoft's formal response on this issue, posted on TechNet. (It's one of the pages I mentioned in the DDoS article above.) A link to this article now has a permanent home on my Windows XP KB article page.

Feedback

KB ARTICLES: Windows Setup

General Windows 95 Setup Questions & Answers
I think this one is new, first appearing on June 6. It is a helpful FAQ and companion page to other Win95 setup troubleshooting pages listed on the Windows Setup KB Articles page.

Feedback

MY FAVORITE FREEWARE

SECOND THOUGHTS ON NEOTRACE

NeoTrace Express is staying on my freeware page because of the things it, in fact, does well. But I have to update you on my assessment of one of the (initially) most attractive features of the program — which turns out not to work very well.

When I introduced NeoTrace in the last issue of The E-List, I used, as an example, a trace I ran on www.best.com. The trace terminated somewhere in Colorado. Now, best.com is owned by Verio, with corporate headquarters in Englewood, CO. But, as MS-MVP Bob O'Brien wrote me the next day, those servers aren't in Colorado. They are in best.com's Mountain View, CA location.

What's up? Well, apparently NeoTrace pulls the WhoIs registration information on each node it encounters, and extracts the mailing address registered for the node. This is often not where the node is actually located! (It's often a national corporate office.) Which means, the map can't be trusted. NeoTrace is still a great tool for a quick traceroute, and for simultaneously pulling up WhoIs registration information (available from the Registration) button. And the map is a lot of fun. It just isn't right.

Feedback

Happy computing, everyone!

Jim Eshelman

(Comments about The E-List can be sent to: elist@aumha.org)

THE NECESSARY LEGAL STUFF
DISCLAIMER: Any information given in this newsletter, or on any other part of the www.aumha.org website, is researched by me and believed to be accurate. However, I cannot guarantee, and do not guarantee, that all the information provided will work on all computer systems, for all users, all the time. Also, I sometimes make mistakes (that's life!), and it is possible I made one or more of them here. All information herein is offered as-is and without warranty of any kind. In other words, I rely on the best information sources I can, and do my best to get it to you accurately; and, thereafter, you take your life in your own hands if you trust me on it. Neither James Eshelman, this site, outside contributors to this site, people quoted on this site, nor my cat is/are responsible for any loss, injury, or damage, direct or consequential, resulting from application of any information presented here.

The E-List. Copyright © 2001 by James A. Eshelman. All Rights Reserved.