Friday, February 2, 2007

Windows Vista Review-3


3. Security and safety


3.2 User Account Control


Security-wise, Microsoft touts various improvements in Windows Vista. The biggest and most visible of those is User Account Control; this means that whenever anything tries to do something that requires administration privileges, the user must specifically allow this. All users, even those with admin rights, run in standard user mode all the time now, meaning that a malicious program cannot just install itself anymore to system directories or similar places.


Is UAC annoying? Yes. Is it any more annoying than entering your password each time you need to do something admin-related in, say, Ubuntu? No. At least Windows Vista allows you to edit system files and directories without launching a file manager window as root; Vista will just prompt you to grant admin rights when trying to edit system directories. Of course you can turn UAC off, but that really is a bad thing to do if you ask me.


If you want to know more about security features in Windows Vista, the related Wikipedia article is a good starting point. Many of the measures are technical changes transparent to the user, which is a good thing.


5. Audio


The audio department is where Windows Vista really is far ahead of any other mainstream operating system. The new audio stack allows for a feature I have only ever previously seen in BeOS: per process control of audio volume. Gone are the days where you could get a heart attack from MSN Messenger when someone sent you a message while you were listening to loud music. In Vista, you just set the volume for Messenger lower than for Media Player, and gone is that problem. A major advance, and surely something I would like to see in OS X and Linux.


8. Mobile computing


On my laptop, Vista is a much better fit when it comes to mobile computing than XP ever was. The biggest improvement is that sleep now actually works; when using XP, waking from sleep would regularly fail. It was a known issue on the Dell support forums, but a working fix was never found (although I must say I stopped monitoring the thread after a few weeks). The problem was not hardware related, as sleep/wake in Linux worked just fine (ironically). It's good that this apparent bug in Windows is now fixed.


In the first look article, I mentioned how the various test and beta builds of Vista had a huge bug in the bcm43xx driver; it would randomly disconnect, refusing to work for literally hours on end. This problem now seems fixed, and wireless networking is working perfectly. A bit of a nuisance, though, is that after waking from sleep reconnecting to a wireless network takes fairly long. My Macs reconnected in mere seconds, while in Vista this process can take up to and well over 30 seconds.


One of the really big mysteries in the final Vista build is the apparent lack of syncing with Windows Mobile devices. I have an iPaq Windows Mobile 2003 device, and upon attaching the device, an autoplay dialog pops up asking me what I want to do (browse device, sync media files, import pictures), but there is no option to actually sync the things that matter: contacts mostly, in my case. I tried to use the Sync Center, but my device refuses to show up.


After asking Google for advice, I found out you needed to manually download the third beta of the Windows Mobile Device Center before you can really do anything with your Windows Mobile PDA and Vista. Installing went fine, and everything seems to work; however, it became clear quite quickly that the Mobile Device Center only supports syncing with Outlook, and not Windows Mail or Windows Contacts. Unacceptable, if you ask me, and something that needs to be fixed before Vista goes to consumers.

Windows Vista Review-2


1.3 Search


Vista's search does what it is supposed to do. It searches files, finds them, and lists them. The biggest problem remains the fact that the actual start menu contents get replaced by your initial search results. If you press enter after entering your query, an Explorer window shows you all the results, including tabs to see the results per file type. You can obviously save the query; however, when you open this query later, Vista will not give you the search pane (which allows you to view by filetype, as mentioned). You'll have to enable it by hand; not a showstopper, but sloppy, still.
1.4 Sidebar

Vista's new sidebar is not at all much different from other, similar implementations in other operating systems. The sidebar can house gadgets (or widgets or applets or replicants or whatever you prefer), but the gadgets can also be dragged onto the desktop.
What I like about it is that the sidebar and its gadgets are always visible, so you are not forced to interrupt your workflow if you want to look at them. Apple's Dashboard widgets are only visible after hitting a shortcut key, and this interrupts your workflow (only cli magic enables you to permanently display widgets on the desktop in OS X). In Dashboard's defense, the Microsoft implementation does lack a bring to front shortcut key or button.


Of course Vista's sidebar has one major disadvantage: lack of gadgets. The gadgets database is still fairly empty, and the ones that are there, are of debatable quality (especially in the visual department). I am sure that after the consumer release of Vista, the amount of gadgets will explode, but for us early adopters the sidebar remains pretty empty.


I feel compelled to touch on the originality issue often being referred to on the net. Is Sidebar similar to Dashboard? Yes. Is Dashboard similar to Konfabulator? Yes. Are all of those similar to Microsoft's Longhorn sidebar, which I first used in 2003? Yes. Are all of those similar to BeOS's replicants? Yes. You get the idea.


2. New and upgraded applications


Obviously, Vista comes with the latest release of Internet Explorer, version 7. I have already expressed my thoughts on Internet Explorer 7, and those complaints generally remain for Windows Vista. It is not a bad browser per se; it just is not my thing, and this is mostly caused by the highly confusing interface. The browser is my most-used application, and hence I want an interface that leaves me with little to desire (to give you an idea of how far this obsession goes, the fact I cannot remove the 'Go' arrow in Firefox 2.0 was almost a breaking point for me).


Windows Mail, however, is a completely different story. This is a really good email client, and it inherits the best feature Microsoft ever devised from Outlook 2003: the vertical preview pane; I refuse to use email clients that do not have this feature (save for BeOS's BeAM). For the rest, Windows Mail has a very clean interface, which focuses completely on the task at hand: reading and sending email. Contacts and emails are now individual files, meaning you can manage both using Explorer. Annoyingly, emails are given gibberish numeric names, meaning you can only know what an email is about by hovering over the .eml file, showing a tooltip which will give you the subject field.


Problems remain with Outlook Express, err, Windows Mail; especially creating rules directly from a message is very cumbersome (it refuses to copy the information from the selected message, meaning you have to manually enter all your filtering conditions). Another annoyance is that even though I tried to set all fonts on incoming messages to a standard font, lots of messages still display custom fonts. Other than that, the junk mail filtering is a bit too enthusiastic at times.


Windows Photo Gallery is nothing to write home about; it does what it is supposed to do, and that's it, basically. It is surely no match for Apple's iPhoto, so let alone it being a match for Google's Picasa2 (the best in its class, if you ask me). Picasa2 is faster than Windows Photo Gallery, it has a cleaner interface, and it supports Picasa Albums; the choice is easy if you ask me. Photo Gallery badly misses export features; it cannot export photos to the popular photo sharing sites (Flickr, Picasa Albums, etc.). This is really a bad thing, and I hope Microsoft improves upon this issue in a service pack or update.


Windows Media Player 11 shines on Vista. The application is to the point, and centered around what really matters: content. Where I could easily get lost in pre-11 versions of the application, Media Player 11 is much more user-friendly and usable. Nothing revolutionary (it's just a media player), but I enjoy using it much more than iTunes 7 (which is, I'm sorry to say, a really bad application (slow, buggy, and just plain weird), especially compared to the outstanding version 6).


Since this is Ultimate I am using, I also have the new Media Center installed. Windows XP Media Center Edition may very well have been Microsoft's best product user-interface wise (Office 2007 might be better though), and this trend continues in this new version. It is very difficult to explain exactly why MCE is such a good interface; the only way of ever understanding this is to actually use it for a while. It simply makes so much sense.

Windows Vista Review-1


Please note that I will not discuss each of the points presented in that Wikipedia page, therefore my paragraph numbers will be incomplete. Other than that, some sections overlap one another. I will use the page as a guide to, well, guide us through Windows Vista. Let's start.


As you will notice, I did not attach any screenshots to this review. There are so many good screenshot galleries out there that I find it rather overdone to duplicate all those.


The machine used for this review is a Dell Inspiron 6000 with a Pentium M 1.73GHz, 512MB of DDR2 RAM, and an ATI Radeon x300 with 128MB of dedicated video RAM. For notes on the installation of Vista on this machine, please read the first impressions article.


1. User Interface


1.1 Windows Aero


I have already said quite a bit about the flashy effects that come with Windows Vista. Microsoft has clearly restrained itself with the effects; they are not used during every little task, and they are unobtrusive. After only a few hours of usage, you actually forget they are there; however, as soon as you switch 'back' to XP or something similar, you do miss the effects. This is because unobtrusive as they may be, the effects do add visual cues as to what is happening on the screen. For instance, when you close a window in Vista, it dissolves while falling slightly backwards. This is an extra visual aid.


Compare all this to all the new technological gadgets on the new Mercedes S class, more specifically, the night view cameras. The S class has two night vision cameras on the front of the car, which will, at night (obviously) display its images on a screen right behind the steering wheel, greatly enhancing what you can see on the road, making it much easier and safer to drive at night. Now, this is typically one of those features which many people will claim are pointless, but at the same time, all the people who actually used it, will say they never want to go back to a car without this extra safety precaution. Vista's Aero effects fall into the same category.
Microsoft actually put more thought into Aero than many anti-Microsoft people will want us to believe. For instance, when an application is incompatible with Aero (all applications using Java, such as Azureus), Windows will automatically turn Aero off, switching back to Aero Basic. When you close the application, Windows will turn Aero back on. Nice touch.


The main drawback, of course, of Aero is that it requires a DirectX 9 compatible card. A substantial group of people will need a new graphics card for this, but I do not see this as a problem, since most people will get their hands on Vista via OEM channels anyway (meaning, when they buy a new computer).


1.2 Shell


The new Explorer interface is, as far as I'm concerned, the least successful change in Windows Vista. Explorer is a very messy application to use now; buttons and widgets everywhere, and it is kind of hard to find out which does what. To give you an idea, the sidebar on the left side can show two things: a directory tree, or a 'Favourites' section (links to common folders such as Pictures and Music). The problem: they can overlap. When you open the tree view, which is basically a drawer opening upwards, it draws over the favourites section, which is just, well, weird. Why not do what everyone else is doing, and simply give a drop-down menu or tabs or something, so that you can select which of the two you want, instead of trying to cram both of them into the same tiny space?


Another problem, as noted in the superficial look, is that for one reason or the other, almost every folder on your computer will default to a detailed listview, which is just plain overkill; it makes the individual folders too hard to distinguish, and it shows way too much irrelevant information, which will distract you from whatever you want to do (manage files, probably). This also makes dragging a box around multiple items problematic, since clicking whatever point in the row of an item will make you drag the item, instead of drawing the selection box.
Basically, I want an option which will allow me to set the icon size/detail level system-wide, after which I can tune individual folder's settings. And lo and behold, it's there: click the 'organize' button on the toolbar, click 'folder and search options', go to the 'view' tab, and click 'apply to all folders', which will make every folder look like the one currently open. Good.


The 'breadcrumbs' style location bar is a definitive improvement, as it makes navigating through deep directory structures much easier. The 'stacks' feature, which allows you to create stacks of files based on whatever you want (i.e. stacks of pictures based on date taken), is not what I had expected of it. When I tested the really early Longhorn builds in 2003, this feature actually had visual cues in the stacks (the more files in the stack, the larger it was), but in Vista, this is not the case. The stacks are basically glorified directories. Not a feature as useful as it could've been.

Wednesday, January 24, 2007

Password cracking

A password is a type of authentication. It is a secret word or phrase that a user must know in order to gain access. A pass-phrase is a correspondingly larger secret consisting of multiple words.

Passwords have been used since Roman times. The Romans were some of the first large armies where people didn't recognize each other by sight. In order to gain entry into the camp, a Roman soldier would have to know the secret password.

Internal to the computer, password information is constantly being checked. If you were queried for the password each and every time, you would find that the computer would become unusable. Therefore, the computer attempts to "cache" the password so that internal prompts during the same session do not cause external prompts to the user.

All systems cache passwords in memory during a login session. Therefore, if a hacker can gain access to all memory on the system, he/she can likely sift the memory for passwords. Likewise, hackers can frequently sift pagefiles for passwords.

To crack a password means to decrypt a password, or to bypass a protection scheme.

When the UNIX operating system was first developed, passwords were stored in the file “/etc/passwd”. This file was readable by everyone, but the passwords were encrypted so that a user could not figure out what a person's password was. The passwords were encrypted in such a manner that a person could test a password to see if it was valid, but couldn't decrypt the entry.

However, a program called "crack" was developed that would simply test all the words in the dictionary against the passwords in “/etc/passwd”. This would find all user accounts whose passwords were chosen from the dictionary. Typical dictionaries also included people's names since a common practice is to choose a spouse or child's name.

The file sources of encrypted passwords typically include the following:
• /etc/passwd from a UNIX system
• SAM or SAM._ from a Windows NT system
• .pwl from a Windows 95/98 system
• sniffed challenge hashes from the network

The "crack" program is a useful tool for system administrators. By running the program on their own systems, they can quickly find users who have chosen weak passwords. In other words, it is a policy enforcement tool.
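An added example, not code from the original post or from the crack program: the same dictionary idea applied at the moment a password is chosen, so that a later audit finds nothing to report. The sample wordlist, the names, `MIN_LENGTH` and the function names are assumptions made for illustration.

```python
import re

# Constructed sample lists. A real deployment would load the same large
# wordlist an auditor would run, plus names from the user directory.
SAMPLE_WORDS = {"password", "dragon", "sunshine", "letmein", "monkey"}
SAMPLE_NAMES = {"priya", "michael", "anita"}

# Common character substitutions that dictionary tools undo before comparing.
LEET = str.maketrans("013457@$", "oleastas")
MIN_LENGTH = 10  # assumed site policy, not a value from the post


def _trim(text):
    """Drop digits and symbols wrapped around a word: 'dragon2007!' -> 'dragon'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def candidate_forms(password):
    """Return the forms of a proposed password that a dictionary run would hit."""
    lowered = password.lower()
    forms = {lowered, _trim(lowered)}
    forms |= {f.translate(LEET) for f in forms}   # 'dr4g0n' -> 'dragon'
    forms |= {_trim(f) for f in forms}
    forms |= {f[::-1] for f in forms}             # 'nogard' -> 'dragon'
    forms.discard("")
    return forms


def check_password(password, username, words=SAMPLE_WORDS, names=SAMPLE_NAMES):
    """Return the reasons a proposed password is rejected (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    forms = candidate_forms(password)
    if forms & words:
        reasons.append("dictionary word")
    if forms & names:
        reasons.append("personal name")
    if username and username.lower() in password.lower():
        reasons.append("contains username")
    return reasons


if __name__ == "__main__":
    for proposed in ("Dr4g0n2007!", "Anita1985", "tin-kettle-orbit-94"):
        print(proposed, check_password(proposed, "asmith") or "accepted")
```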

Password crackers are utilities that try to ‘guess’ passwords. One way, also known as a dictionary attack, involves trying out all the words contained in a predefined dictionary of words. Ready-made dictionaries of millions of commonly used passwords can be freely downloaded from the Internet.
Another form of password cracking attack is ‘brute force’ attack. In this form of attack, all possible combinations of letters, numbers and symbols are tried out one by one till the password is found out. Brute force attacks take much longer than dictionary attacks.

The snapshot below is of a popular password cracking utility called Brutus. Brutus has both dictionary attack and brute force attack capabilities.

Monday, January 22, 2007

Email related crime: part 2

2. Spreading Trojans, viruses and worms

Emails are often the fastest and easiest ways to propagate malicious code over the Internet. The Love Bug virus, for instance, reached millions of computers within 36 hours of its release from the Philippines thanks to email.

Hackers often bind Trojans, viruses, worms and other computer contaminants with e-greeting cards and then email them to unsuspecting persons. Such contaminants can also be bound with software that appears to be an anti-virus patch. E.g. a person receives an email from information@mcaffee.com (this is a spoofed email but the victim does not know this). The email informs him that the attachment contained with the email is a security patch that must be downloaded to detect a certain new virus. Most unsuspecting users would succumb to such an email (if they are using a registered copy of the McAfee anti-virus software) and would download the attachment, which actually could be a Trojan or a virus itself!

3. Email bombing

Email bombing refers to sending a large number of emails to the victim resulting in the victim’s email account (in case of an individual) or servers (in case of a company or an email service provider) crashing.

A simple way of achieving this would be to subscribe the victim’s email address to a large number of mailing lists. Mailing lists are special interest groups that share and exchange information on a common topic of interest with one another via email. Mailing lists are very popular and can generate a lot of daily email traffic, depending upon the mailing list. Some generate only a few messages per day; others generate hundreds. If a person has been unknowingly subscribed to hundreds of mailing lists, his incoming email traffic will be too large and his service provider will probably delete his account.

The simplest email bomb is an ordinary email account. All that one has to do is compose a message, enter the email address of the victim multiple times in the “To” field, and press the “Send” button many times. Writing the email address 25 times and pressing the “Send” button just 50 times (it will take less than a minute) will send 1250 email messages to the victim! If a group of 10 people do this for an hour, the result would be 750,000 emails!

There are several hacking tools available to automate the process of email bombing. These tools send multiple emails from many different email servers, which makes it very difficult for the victim to protect himself.

4. Threatening emails

Email is a useful tool for technology savvy criminals thanks to the relative anonymity offered by it. It becomes fairly easy for anyone with even a basic knowledge of computers to become a blackmailer by threatening someone via e-mail.

In a recent case, Poorva received an e-mail message from someone who called him or herself ‘your friend’. The attachment with the e-mail contained morphed pornographic photographs of Poorva. The mail message said that if Poorva were not to pay Rs. 10,000 at a specified place every month, the photographs would be uploaded to the Net and then a copy sent to her fiancé. Scared, Poorva at first complied with the wishes of the blackmailer and paid the first Rs. 10,000. Next month, she knew she would have to approach her parents.

Then, trusting the reasonableness of her fiancé she told him the truth. Together they approached the police. Investigation turned up the culprit – Poorva’s supposed friend who wanted that Poorva and her fiancé should break up so that she would get her chance with him.

5. Defamatory emails

As has been discussed earlier, cyber-defamation, or even cyber-slander as it is called, can prove to be very harmful and even fatal to the people who have been made its victims.

6. Email Frauds

Email spoofing is very often used to commit financial crimes. It becomes a simple thing not just to assume someone else’s identity but also to hide one’s own. The person committing the crime understands that there is very little chance of his actually being identified.

In a recently reported case, a Pune based businessman received an email from the Vice President of the Asia Development Bank (ADB) offering him a lucrative contract in return for Rs 10 lakh. The businessman verified the email address of the Vice President from the web site of the ADB and subsequently transferred the money to the bank account mentioned in the email. It later turned out that the email was a spoofed one and was actually sent by an Indian based in Nigeria.

In another famous case, one Mr. Rao sent himself spoofed e-mails, which were supposedly from the Euro Lottery Company. These mails informed him that he had won the largest lottery. He also created a website in the name of the Euro Lottery Company, announced on it that he had won the Euro Lottery and uploaded it on to the Internet. He then approached the Income Tax authorities in India and procured a clearance certificate from them for receiving the lottery amount. In order to let people know about the lottery, he approached many newspapers and magazines.

The media seeing this as a story that would interest a lot of readers hyped it up and played a vital role in spreading this misinformation. Mr. Rao then went to many banks and individuals and told them that having won such a large sum of money he was afraid for his safety. He also wanted to move into a better house. He wheedled money out of these institutions and people by telling them that since the lottery prize money would take some time to come to him, he would like to borrow money from them. He assured them that the loan amount would be returned as soon as the lottery money came into his possession.

Lulled into believing him (all thanks to the Income Tax clearance) most of these people loaned large amounts of money to him. It was only when he did not pay back the loan amounts to the banks that they became suspicious. A countercheck by the authorities revealed the entire scheme. Mr. Rao was arrested. Later, it was found that some of the money had been donated for philanthropic causes and also to political parties!

Email related crime

Email has fast emerged as the world’s most preferred form of communication. Billions of email messages traverse the globe daily. Like any other form of communication, email is also misused by criminal elements.

The ease, speed and relative anonymity of email has made it a powerful tool for criminals. Some of the major email related crimes are:

1. Email spoofing
2. Sending malicious codes through email
3. Email bombing
4. Sending threatening emails
5. Defamatory emails
6. Email frauds

1. Email spoofing

A spoofed email is one that appears to originate from one source but has actually emerged from another source. Email spoofing is usually done by falsifying the name and / or email address of the originator of the email.

Usually to send an email the sender has to enter the following information:

i. email address of the receiver of the email
ii. email address(es) of the person(s) who will receive a copy of the email (referred to as CC for carbon copy)
iii. email address(es) of the person(s) who will receive a copy of the email but whose identities will not be known to the other recipients of the e-mail (known as BCC for blind carbon copy)
iv. Subject of the message (a short title / description of the message)
v. Message

Certain web-based email services like www.SendFakeMail.com offer a facility wherein, in addition to the above, a sender can also enter the email address of the purported sender of the email.

Consider Mr. Siddharth whose email address is siddharth@hotmail.com. His friend Girish’s email address is girish@yahoo.com. Using SendFakeMail, Siddharth can send emails purporting to be sent from Girish’s email account. All he has to do is enter girish@yahoo.com in the space provided for sender’s email address. Girish’s friends would trust such emails, as they would presume that they have come from Girish (whom they trust). Siddharth can use this misplaced trust to send viruses, Trojans, worms etc. to Girish’s friends, who would unwittingly download them.
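An added example (not part of the original post) of how the receiving side can flag the kind of message described above, where the visible From address names Girish but the mail was submitted somewhere else. Both messages, all `.example` domains and the `mx.recipient.example` server name are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the visible From names one domain, while the envelope
# sender (Return-Path) and the receiving server's checks point elsewhere.
SPOOFED = """\
Return-Path: <bounce@webform-mailer.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=webform-mailer.example;
 dkim=none;
 dmarc=fail header.from=friend.example
From: Girish <girish@friend.example>
Reply-To: someone-else@other.example
To: asha@recipient.example
Subject: Please open the attachment

Hello
"""

# Constructed message that really was sent by the From domain.
GENUINE = """\
Return-Path: <girish@friend.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=friend.example;
 dkim=pass header.d=friend.example;
 dmarc=pass header.from=friend.example
From: Girish <girish@friend.example>
To: asha@recipient.example
Subject: Lunch on Friday?

Hello
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def trusted_auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from headers stamped by our
    own mail server; a sender can insert Authentication-Results of its own."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv = value.split(";", 1)[0].split()
        if not authserv or authserv[0].lower() != trusted_authserv.lower():
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def spoofing_indicators(raw_message, trusted_authserv):
    """Return a list of reasons to distrust the visible From address."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    findings = []
    # Indicators, not proof: mailing-list services also rewrite these headers.
    if domain_of(msg["Return-Path"]) not in ("", from_domain):
        findings.append("return-path domain differs from From")
    if domain_of(msg["Reply-To"]) not in ("", from_domain):
        findings.append("reply-to domain differs from From")
    # DMARC is the check that ties SPF/DKIM to the domain the reader sees.
    dmarc = trusted_auth_results(msg, trusted_authserv).get("dmarc")
    if dmarc is None:
        findings.append("no trusted DMARC result")
    elif dmarc != "pass":
        findings.append("dmarc=" + dmarc)
    return findings
```

The third case worth trying is a copy of `GENUINE` whose Authentication-Results header names a server other than your own: its `dmarc=pass` is ignored and the message is reported as having no trusted DMARC result.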

Wednesday, January 17, 2007

Info on cyber crime types

This would include cheating, credit card frauds, money laundering etc.

Cyber pornography

This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc).

Sale of illegal articles:

This would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and bulletin boards or simply by using email communication. E.g. many of the auction sites even in India are believed to be selling cocaine in the name of ‘honey’.


Online gambling:


There are millions of websites, all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.

Intellectual Property crimes


These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc.


Email spoofing

A spoofed email is one that appears to originate from one source but actually has been sent from another source. E.g. Pooja has an e-mail address hh@yahoo.vom. Her enemy, Sameer, spoofs her e-mail and sends obscene messages to all her acquaintances. Since the e-mails appear to have originated from Pooja, her friends could take offence and relationships could be spoiled for life.

Forgery

Counterfeit currency notes, postage and revenue stamps, mark sheets etc. can be forged using sophisticated computers, printers and scanners.