DC Metro operator filmed texting while operating subway

A Metro transit operator in Washington DC was suspended for texting on the job while operating a train on June 5, about two weeks before the fatal Metro crash.

The YouTube video URL is here.
The embed code was disabled.

There is a detailed story on the DC Examiner here which does have the video embedded in the story.

Other transportation accidents, such as in California, have occurred because of texting or cell phone use on the job.

Personal transportation safety and technology safety intermingle.

Serious ActiveX vulnerability in Microsoft IE reported; no patch yet

Terrence O’Brien at Switched.com has a story today about a serious vulnerability in Active X controls of Internet Explorer that would allow hackers to control the PC’s of people who had visited certain infected websites, usually supplied with links in spam. The link for O'Brien's story is here. The problem seems to affect Windows XP users but not Vista; this may be a reason to upgrade; are “newer” operating systems always safer? They usually are. Internet Explorer 8 may have less vulnerability than earlier versions, according to Symantec.

Media reports did not immediately identify which versions of IE are affected (7 or 8), or whether all are affected.

Microsoft is planning an emergency patch soon, but in the mean time it has actually been encouraging visitors to disable ActiveX, generally necessary for watching video on some sites (such as Netflx, which, it would seem, could see a drop in visits to instant play because of this problem). The disabling procedure seems to require a bit of knowledge of the operating system, particularly knowledge of the registry.

Surfers may prefer to use Firefox or Google Chrome for browsing until a fix is found. It isn’t absolutely known yet if McAfee, Norton or Spysweeper could intercept the problem. However McAfee has an information page “Microsoft DirectShow MPEG2TuneRequest Stack Overflow Vulnerability” here. McAfee also says that coverage is provided in DAT 5668, as of July 6, 2009. (As of July 7, DAT 5669 was available.) McAfee users might want to consider running manual scans after such updates. It wasn’t clear from the documentation if the McAfee Firewall would prevent the remote exploit.

Microsoft has a security bulletin advisory (972890) here.

A group called Sans.org has a technical description of the ("drive-by") vulnerability (in msvidctl.dll) here. I don't know how many visitors know how to read this kind of code!

The problem has been known since about beginning of July.

Can Microsoft "compete" as a security vendor for its own operating systems

Brian Krebs has a recent story in the Washington Post on Microsoft Security Essentials. The underlying question, it seems to me, would be: if you buy a modern PC with Vista, will it really come equipped properly with what it takes to maintain safe computing. Do you still have to go to major outside vendors (McAfee, Norton, or the upstart Webroot Spysweeper, which is starting to look good to me)

Brian Krebs (in his "Security Fix" online column) writes in a story of Microsoft Security Essentials from late June (24), here, and leaves unresolved whether it will affect the anti-virus market as a whole.

Krebs is still critical of Microsoft (“Microslop”), for introducing software that the bad guys can always find holes in. There are probably some legitimate questions about the constant proliferation of very large automatic updates, any one of which could introduce a problem inadvertently. This raises an existential question about “conflict of interest” and whether Microsoft can be “trusted” do defend its own products.

There is a lot of advice going on that it is safer to switch to the Mac and use Boot Camp or multiple sessions to run things that really require Microsoft operation systems (like most of Expression Web). But that would seem to put the PC owner in a position of still needing all the attention to security as before. Therefore, someone in the market for a “modern” business or entertainment PC (even, say, a filmmaker or film editor, or a business envisioning a web application that benefits from Expression Web) still could do well to consider staying in the PC world and just “doing it right.”

I checked the Microsoft Beta site and right now it is not accepting more participants.

There is a related story July 1 on my "Information Technology Job Market" blog here.

Picture: notice the "Streetcar Named Desire" on the glassware.

"Myspace case" conviction "tentatively" overturned

A federal judge “tentatively” overturned the conviction of Lori Drew in the Myspace suicide case.

Judge George Wu said that if the conviction could stand, then anyone could be prosecuted ex post facto for a minor terms of service violation with his or her ISP.

This seems to have constituted a case of “creative prosecution”, no matter how objectionable the defendant’s behavior was.

States will be busy passing cyberbullying laws given this tragedy, and they should be.

The CNN story is here.

EFF offers discussion of https protocol and wireless security

Electronic Frontier Foundation has a very instructive article by Peter Eckersley about the significance of the https protocol. The link for the URL is here.

The article praises Google for encrypting gmail, and notes that you can’t normally do Internet searches through https (it just reverts to http).

EFF points out that https and its certificate verification protocols make “dragnet surveillance” by advertisers and governments (hint: Iran) much more difficult. The article also suggests that secure wireless networks (which normally one has to pay subscription to use) are not as “secure” as thought and that there are some attacks on “wired equivalent privacy.”

I wonder how secure an https sign-on is over a public unsecured network, such as with a laptop in a coffee shop or hotel. I see people using these all the time to conduct personal business, but this is the converse problem.

Beware those last minute automatic updates from Microsoft and McAfee; and run RegCure frequently

Well, I really spoke early that Microsoft’s last push might have fixed the nVidia and possibly spyware problems on my old computer. Last night, after it had been off a whole day for a Digital Media conference, I had to try about four times to get it to work. It would go through everything until McAfee started, and then would come up with the gray box “Your computer is not fully protected.” And then, after maybe opening one site on Google Chrome, the mouse would either freeze, or the computer would stop responding. It wouldn’t even respond to ctl-alt-del.

Finally, I got RegCure going before doing anything else. Even it stalled once. But once it ran – it found about 12 HKEY errors and a number of blank entries – and it took longer than usual – the computer started working normally. It seems that with a Registry Repair program, you have to run it frequently, particularly before shutting it down (or before the next big thunderstorm if you’re in an exposed area).

Then, there was the laptop, a 2006 Inspiron with XP Pro. I took it to the Digital Media conference yesterday in northern VA, and I found that at the last minute Microsoft has the habit of pushing huge updates – this one to the .NET environment – and the cancel didn’t work. So I was half an hour late – missed breakfast. Then at the conference the laptop wouldn’t turn on without being plugged in to a hidden wall outlet – even though the battery says it has 80% less charge. I guess it takes more juice to turn it on than to keep it running. Sometimes it would want to apply the update when turning off, sometimes it wouldn’t. Finally, at home, it did apply the .NET install, which took almost half an hour to load. I wish Microsoft wouldn’t push things just as you walk out the door. Same with McAfee, which loves to replace its entire Security Center frequently.

Techie mag issues "10 ways to avoid viruses and spyware"

Once again, Tech Republic has a valuable “10 Things” download, this time “10 ways to avoid viruses and spyware”, by Erik Eckel. The leadoff link is here.

One of the interest points in the PDF report is to consider anti-virus, anti-spyware, and anti-malware protection separately. Large security companies like McAfee and Norton offer all in one package, but some companies are better with specialized problems. Geek Squad has told some customers about SpySweeper, which seems to identify potential spyware that McAfee allows to pass.

Another recommendation is safe surfing, and using a service like McAfee SiteAdvisor or Web of Trust to identify potentially risky websites.

The paper also recommends disabling AutoRun and implementing OpenDNS.

Again, these recommendations may matter particularly for small businesses that have outside contractors working on their computers.