Wednesday, December 12, 2007

Can't Stop the Music

Sometimes, you've just got to wonder.

In a recent posting on his Recording Industry Vs. the People blog, lawyer Ray Beckerman maintained that the RIAA is now, in the case of Atlantic v. Howell, labeling any copying of music files as copyright violations, whether you share and/or re-sell them or not. ZDNet's Adrian Kingsley-Hughes immediately took issue with him, claiming that the RIAA said the defendant was in violation only when he copied the MP3 files to a shared drive.

In this particular case, Kingsley-Hughes may be right, but it hardly matters. The hostility of both the RIAA and the industries it represents to any copying of music and video files for any purpose at all has a long and shameful history (remember the Sony rootkit fiasco?). For that matter, the RIAA web site (as one of the Talkback responses to the article points out) explicitly states that any copying is unauthorized. And, of course, there are the clueless comments from chairman and CEO of Universal Music Group, Doug Morris, in the latest issue of Wired.

Let's be clear on what this means.

That mix CD you made for your wife's birthday? Bad.

The sound design you did for your local no-budget community theatre? Bad.

The customized Christmas CD you made for your car? Bad.

Let's get real, folks; the RIAA and the industries it represents know they haven't got a snowball's chance in hades of stopping the actual pirates. The entire intent of the various DRM schemes is to force law-abiding consumers to purchase the same material over and over - or to eliminate purchases entirely and make everything a rental. Their model is the software EULA, which basically says that you don't own zip.

So while the RIAA may not be saying all copying is illegal in this particular case, make no mistake: that is their ultimate goal, and they'll pursue it with all the lawyers and lobbyists at their command.

Friday, December 07, 2007

I Fought the Law and the Law Won

Urban Legend has it that when the late Willie Sutton was asked why he robbed banks he replied "because that's where the money is".

If he were around today he'd probably scoff at bank robbery. These days the real money is clearly in spyware.

It shouldn't be news to anyone, of course, that cybercrooks are using spyware to generate big bucks, primarily by stealing credit card and banking information and reselling it to other swine on the 'net. What may be news, however, is the fact that many of the tools used by these characters are completely legal and available at "crazy low prices", if not for free.

The bust of a couple dubbed "the Bonnie and Clyde of identity theft" illustrates the problem. As described in a recent article in Digital Journal (among other places):

Jocelyn Kirsch, 22, and Edward K. Anderton, 25, were living a lavish lifestyle: trips to Paris and London; salon visits costing $1,700 each; a $3,000-a-month apartment in upscale Philadelphia. Kirsch and Anderton didn't earn any of these luxuries – they stole money using a complex identity theft scam.

What's especially interesting about this is that the couple didn't need to invest huge amounts of money or technical expertise to do this. All they had to do was buy a $100 spyware program called Spector Pro (from Spectorsoft). Although widely identified as malware by major anti-virus vendors such as Symantec and Safernetworking.org (the makers of Spybot Search and Destroy, one of the better anti-spyware products around), Spector Pro is also a PC Magazine Editor's Choice award winner and touts itself as a tool for enhancing corporate security by allowing employers to monitor employees' internet activity.

The thing is, the behavior of the program itself is indistinguishable from that of other forms of malware. Here's how Symantec describes it:

Spyware.Spector functions in a manner that is similar to a Backdoor Trojan Horse. When it is installed, it logs all the activity on the system. The person who installed it can then watch all the logged activity.

Spectorsoft president Doug Fowler, of course, disclaims any responsibility for the nefarious use of the product. According to ABC News (where this story originally broke):

"SpectorSoft has never marketed its software as a way to steal from people, to assume another's identity," Fowler wrote in an e-mail. "Any piece of software has the potential to be abused."

If this sounds familiar, it might be because the same justification is offered by anyone who profits from the sale of dangerous and/or deadly items. Be it agribusiness, Big Tobacco, or the NRA, they all insist that it's not their fault if the folks to whom they have aggressively and expensively marketed their products wind up morbidly obese, coughing up a lung, or mowing down a few dozen family members, friends or acquaintances.

Legally, of course, they may be right. Attempts to hold the "Merchants of Death" accountable have largely failed thanks to flotillas of high-priced lawyers and a federal government that never met a corporate lobbyist it didn't like.

Legality and morality are hardly identical, however, and the ethical situation is far less clear. My take on this is that if you are selling a product that you know, beyond a doubt, is going to be used for a moral wrong, you better be certain that said product isn't designed primarily for that purpose and/or that you're serving a greater moral good by offering it.

For example: a hammer can certainly be used to commit murder, but that's not even remotely what it's designed to do. And in any case you're helping someone build something by selling it. Weapons, on the other hand, face a far higher hurdle since their principal purpose is to kill.

By that standard, Spectorsoft is treading on potentially thin ice. Yes, their software can be used by businesses to prevent unethical behavior by their employees, but Spectorsoft doesn't just market to businesses. Indeed, two of their products (the aforementioned Spector Pro and eBlaster) are targeted at individuals who want to spy on each other, including parents who want to spy on their children.

If it walks like a duck, quacks like a duck, and gobbles up your keystrokes like a duck, shouldn't we conclude that it's fair game during Duck Season?

Wednesday, December 05, 2007

Money (That's What I Want)

What would you call a business that secretly spies on its customers, threatens them with massive lawsuits if they refuse to re-purchase a product they've already bought, and generally assumes that they're all crooks out to steal merchandise?

Apparently, you'd call it the music business.

Many of you may already know about Sony's infamous rootkit scandal from 2005, in which the media giant was caught installing spyware on the PCs of everyone who bought their CDs - without, of course, bothering to ask permission first. Cybercrooks quickly figured out how to exploit the malware and Sony was faced with a raft of lawsuits, which are still wending their way through the legal system.

That was bad enough. Around the same time, however, the industry trade group, the Recording Industry Association of America, began launching thousands of lawsuits against individuals who had shared songs they had already bought via Peer to Peer (P2P) networks such as Napster. The claim was that this was an effort to combat piracy and claims were made (wildly inflated, in my view) of the amount of revenue lost by the industry - despite the fact that industry profits remained spectacular.

It's an odd claim, considering that the victims of these lawsuits weren't actually making any money from their infringement. If piracy of copyrighted material is an issue why not go after the big international pirates who are selling the stuff for a profit, largely overseas?

The answer - if a recent “Justice” Department ruling is any indication - is that it's cheaper to take every last cent of song sharers here in the USA than it is to go after the big-time international crooks who are really eating your lunch. Taking a couple hundred grand from some poor schlemiel who shared tunes with his buddies is easy money when you already have an army of lawyers on retainer.

Will this have a deterrent effect on P2P music sharing? Probably. Will it have a deterrent effect on the big-money pirates? Almost certainly not. But if you've already decided that suing your customers is a valid business model, maybe you don't want the pirates to stop selling your stuff for $4.00 in Beijing. You've already given up on that, and having them around allows you to continue to make exaggerated claims about how much money you're losing.

Pay no attention to those massive profits behind the curtain. Government of the corporation, by the corporation, and for the corporation shall not perish from this earth.

Thursday, November 29, 2007

Blue Christmas

'Tis the season to be generous. That means lots of folks are logging on to the web sites of non-profits like CARE and the Red Cross to make donations, either for themselves or as gifts to friends and family who already have all the electronic gizmos and consumer crud they need.

Unfortunately, some of those good-hearted souls are going to find a lump of coal in their Christmas stockings in the form of stolen email addresses and passwords. As reported in Computerworld on November 28th the FBI is investigating a data breach at Convio Inc., a firm that specializes in recruitment and fund raising software and services for the non-profit sector. According to the report, criminal hackers managed to lift information on 92 non-profit organizations (including The Red Cross and CARE) and were preparing to help themselves to data on another 62 when Convio discovered the leak in their data dike and plugged it.

How did this happen? Here's a Convio spokesperson, as quoted in Computerworld:

"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating".

Those of you who read my earlier blog entry on the importance of keeping your PCs secure will not be surprised to discover that I rolled my eyes as I read that. A chain is only as strong as its weakest link. A company's data is only as secure as its most clueless employee's PC. Your personal data is only as secure as your own PC. Why is it so hard for some people to comprehend this?

The situation isn't going to get any better. Cybercrooks are getting smarter as operating systems become more secure. Windows and OS X are too locked-down to be easily exploited? No problem - there are plenty of individual applications (like QuickTime, Windows Media Player, Firefox and - of course - Internet Explorer) with vulnerabilities. The corporate love affair with outsourcing application development to countries (such as China, Brazil and Russia) that are havens for cyberthieves, combined with the tendency for developers to consider security as less important than bells and whistles, provides fertile ground for a bumper crop of exploits. And, of course, good old-fashioned social engineering, phishing, and other techniques based on the notion that there's a sucker born every nanosecond will continue to be useful to what The Saint referred to as “The Ungodly”.

But don't take my word for it. Take a look at the SANS Institute's Top 20 2007 Security Risks report. According to them, “[t]he number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.” If computer security is an arms race (which it is), the Bad Guys are 'way out in front.

With apologies to The King: You'll be doin' all right with your Christmas of white, but security pros will have a blue, blue Christmas.

Thursday, November 01, 2007

Absolutely Free

Well, it's now official: there will be no free wireless Internet access for the city of St. Louis. Originally conceived as a city-wide service, municipal Wi-Fi (wide-area wireless service) will now be confined to a downtown-only “pilot project”.

In the technology business, “pilot project” is often a euphemism for “consolation prize” - although in this case it might just be a realistic alternative for the near term. Condo developments are sprouting like dandelions in downtown St. Louis right now (see the Urban St. Louis site for some examples), so a municipal Wi-Fi network there might actually be profitable.

There's no need to go into the gory details behind the failure of the original plan as they're available on line, although it is rather surprising that it took so long for somebody to notice that there's no power running to city street lights in the daytime - thereby killing the plan to mount Wi-Fi antennas on them. Anyone who has spent any time in the city after dark has surely noticed that lights go on or off in blocks rather than individually.

St. Louisans need not feel stigmatized by the evaporation of this particular techno-mirage, though. As The Economist magazine noted in an August 30th article, “many municipal Wi-Fi projects have since been hit by mounting costs, poor coverage and weak demand”. Chicago has killed its muni Wi-Fi project, as has Springfield (IL) and even San Francisco. Meanwhile, existing networks, from Tempe (AZ) to Taipei, have failed to fully live up to expectations.

Some of the problems are technological. The outdoor transmitters don't generally have the power to penetrate walls effectively, for example, so indoor coverage is spotty. But the main barriers to the spread of municipal Wi-Fi networks appear to be economic.

Building the basic infrastructure that would provide seamless, wireless Internet access is expensive. A 2005 Jupiter Research paper estimated that price at $150,000 per square mile. An October 27th, 2007, article in the St. Louis Post-Dispatch estimated the cost at closer to $200,000. Even in a relatively small geographic area like the city of St. Louis (62 square miles), that's a lot of money invested up front with no real guarantee of a profitable return.

One solution, as municipal WiFi advocate Esme Vos suggests in a recent interview, might be for cities to provide the basic network access infrastructure - the wireless transmitters and related back-end hardware and software - in much the same way they now provide physical infrastructure such as roads and sewer systems. They could open up these networks to the Internet service providers, who would sell the actual Internet access to subscribers just as they do now over existing telephone lines. Cities could pay for the network investment via a combination of taxes and payments from the Internet carriers.

This might also have the advantage of making the hurdles lower for ISPs who might want to sell to the folks connecting to the municipal network. As Vos points out, this is what has happened in “Nordic countries” where this “socialist” approach has actually resulted in more consumer choice than here in the USA, where our options are usually limited to either the cable monopoly or the telecom monopoly.

That's because free-for-all capitalism tends to devolve into a small group of non-competing monopolies. But that, I suppose, is another blog post.

Tuesday, August 14, 2007

Hey Bartender

I'm still not dead yet!

See, there are two ways you can approach this whole blog thing. Way 1 is to write something every day or thereabouts regardless of whether you have anything to say or not. Way 2 is just to write something whenever the mood strikes you.

Way 1 probably gets you more readers, but Way 2 produces better articles. Given that there are already too many bloggers gassing on about too many things, I have chosen Way 2.

Besides, I'm lazy.

So: what vital concern moved me to get off my virtual duff and compose this entry? Is it a dire new threat to the Internet like the latest attack by the "Storm" worm? A cool new technology like the Linux-based iPhone killer? An egregious bit of stupidity like the Wall Street Journal's "Ten Things Your IT Department Won't Tell You" article (a.k.a. "How to Get Yourself Fired and Break the Law in Ten Easy Lessons")?

Nah, none of the above. The Storm worm is just an old threat in a new package, Linux has a long way to go to match iPhone's cachet, and intellectual dishonesty is just business as usual at the Journal.

What got me to finally update this blog is the demonstration, by the folks over at Tom's Hardware, of the value of beer (Molson Canadian, to be exact) as a CPU coolant. According to their test protocol (which, in all fairness, seems to have been devised after imbibing some of the coolant), the only thing that out-performs a brewski is SilverStone Thermal Fluid - and then only by a fraction of a degree.

There's no mention of how Silverstone performs against Molson in a taste test, alas.

Such are the thoughts of an IT geek's fevered brain after three weeks of a killer heat wave.

Tuesday, June 19, 2007

The Dark End of the Street

"I'm not dead yet!"

Yes, despite the fact that I haven't written anything in this blog for a couple of months, I'm not dead yet. I feel happy! I feel like - dancing!

Besides, I haven't been silent. Stage Left, the blog from the other half of my brain, has been pretty lively lately because of all the shows I reviewed in June. And I'm working on a new op-ed piece for the St. Louis Post-Dispatch. It'll be published on July 8th and I'll have a link to it here by the 9th or thereabouts. My May musings for that publication can be found here. There's a March column as well, but it has been moved to their paid archives. Killjoys.

Still, the main reason there's been nothing here for a while is that there's been so much technology news lately that it's hard to keep up: Apple's iPhone and new MacBook Pros, Microsoft's coffee table computer (which looks suspiciously like the open-source ReacTable, not that I'm suggesting anything) and, of course, the daily flood of malware news.

I'll leave comments on the latest Bright Sparklies for another column. This time I want to expand on some advice from my ten-point Internet safety check. At the time, I advised you to "think before you click" on a link in an e-mail or at a web site. The idea was to avoid sites that were clearly dangerous or which might mimic legitimate sites.

Now, it seems, things have got even more complicated. According to a June 18th article in Computerworld a "phenomenal" number of web sites - mostly in Italy, so far - have been compromised by a gang using a Russian-made exploit kit called MPack. The hacked sites are used to download malware - mostly keyloggers, designed to grab user names and passwords - to unprotected computers that visit these otherwise legitimate web sites.

This is bad news, to say the least. It means that even if you're careful to avoid the dark end of the virtual street, you can still get mugged. Trend Micro network architect Paul Ferguson, quoted in the Computerworld article, puts it this way: "The usual advice we give, 'Avoid the bad neighborhoods of the Web,' just doesn't hold water anymore. Everywhere could be a bad neighborhood now."

Oh, joy.

Could be worse, of course. If you followed my advice back in February and installed multiple anti-virus and anti-spyware products, you're still likely to be protected from hacked sites. But this does ratchet up the paranoia level and raises an unpleasant question: just how risky does doing business on the Internet have to become before large numbers of computer owners decide it's not worth the trouble? And what will the economic impact be if that happens?

Thursday, April 26, 2007

When Will They Ever Learn?

Well, folks, don't say I didn't warn you. In July of 2006, when the Fedabobble Gummint started work on anti-spyware legislation, I expressed my usual curmudgeonly cynicism over the likely results. Among other things, I noted that the FTC had already told Congress it didn't need any additional legislation (a fact reinforced by recent successful actions against spyware offenders) and that at least one major spyware vendor was backing the effort, making it all of questionable value at best.

Comes now blogger Ed Foster at InfoWorld with evidence that my crystal ball was, at least in this case, in good working order. H.R. 964, the so-called Spy Act, carves out major exceptions for ISPs, software vendors, and pretty much anybody else who can claim you're doing business with them. Worse yet, the bill preempts stricter state laws and states that "no person other than the Attorney General of a State may bring a civil action" in such cases.

Had this bill been law when Sony installed its infamous rootkit on the PCs of unsuspecting consumers, there would have been no legal remedy available to individuals. Only a state AG could have taken action, and s/he wouldn't have in any case because the law would have made that rootkit legal.

Time to notify your Congresscritters that they should be spending more time cleaning up Bush Jr.'s mess in Iraq and less time pushing special interest legislation for their corporate cronies.

Wednesday, April 18, 2007

Chinese Rock

When it comes to technology issues, does this country's right hand know what the left hand is doing? Reading the on-line IT trade journals, the only possible answer I can come up with is a resounding “no”.

The latest example: a U.S. House of Representatives probe into hack attacks on government servers that appear to have originated in China.

To anyone following computer security issues, this is about as surprising as the discovery that the sun appeared to rise in the East this morning.

In America's corporate board rooms, however, the sun must be rising somewhere else, because, by an amazing coincidence, the hot new place to which corporate America is shipping IT jobs and company data as fast as it can is - China.

Maybe I'm just old-fashioned, but it strikes me as just a wee bit suicidal to be cheerfully sending confidential data to a country which:

  • Is run by an autocracy that hasn't changed its hostility toward human rights since the Tiananmen Square massacre
  • Has an attitude towards intellectual property protection that is (to say the least) indifferent, and
  • Now appears to be hosting criminal attacks against our infrastructure.

But, hey: why let a little thing like homeland security stand in the way of a quick boost in corporate profits and the resulting hike in executive bonuses? We need to keep our priorities straight, after all!

Of course, the fact that attacks have originated from servers that appear to be in China doesn't necessarily mean that those attacks are orchestrated or condoned by the Chinese government. Indeed, why bother to attack American assets at all when American corporations are giving them away in return for cheap, obedient labor and a political system that makes independent trade unions impossible?

Monday, April 09, 2007

Spies in the Night

In my last post, I went on at some length about the alarming tools available to criminal hackers as revealed at the March 2007 Black Hat Conference.

Shortly after that, I came across something even more alarming, if that's possible: a pre-publication draft of a study by Phil Howard and Kris Erickson of the University of Washington entitled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006. The paper reviews major media reports of 550 security breaches that took place during the period in question and it seems that 60% of them were the result of corporate incompetence. To quote from their abstract: "in terms of incidents, 9 percent were an unspecified type of breach, 31 percent of the incidents involved hackers, and 60 percent of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors."

So it turns out that, even if you do implement my 10-point security check, your personal information could still end up in the hands of the Russian Mafia because corporations simply don't adequately safeguard their customers' data.

That's no reason to give up the security fight, but it's a darned good reason to insist on more accountability by the companies that hold our personal information. So far, most legislation and public policy has been driven by the companies themselves, and we can see where that has gotten us.

"I think", said Howard in an interview for Computerworld, "it is easier when your company loses a lot of client data to put an immediate spin on it and blame it on a hacker or some external guy using some ingenious hacking technique."

Besides, that money you saved by not investing in proper safeguards in the first place has been earning you some nice interest in the meantime. It's always easier to shell out for PR and spin afterwards.

Monday, March 05, 2007

The Monster Mash

There's some pretty scary stuff on the screens at your local googleplex cinema these days. You've got your choice of serial killers (Zodiac, Hannibal Rising), a nutter with numerical obsessions (The Number 23), and a super-anti-hero in touch with his Inner Satan (Ghost Rider) to name just a few.

But if you're a propeller beanie type who has to deal with computer security issues, you don't need supernatural pyromaniacs or cannibalistic mass murderers to keep you awake at night. No, in this business all you need are reports from the Black Hat security conference.

For the benefit of those of you who don't spend your days worrying about things like rootkits and Remote Access Trojans, Black Hat is a company that provides briefings and training on security issues to both private and public sector clients of all sizes. It brings together, according to its web site, “the best minds from government agencies and global corporations with the most respected independent researchers and hackers” to provide state of the art information on how to defend your company from criminal hackers, identity thieves, and related virtual outlaws. The Black Hat conferences, which take place four times a year, provide an opportunity for security professionals to meet, greet, and compare notes.

They also provide the rest of us with fodder for digital nightmares. The latest conference, which concluded March 1st, included briefings on the threat of rootkits, the risks posed by the widespread use of RFID tags, vulnerabilities in the ways databases communicate with each other, various ways that web applications can be hacked (and how to stop those hacks), and a presentation on what's referred to as “data seepage”.

This last one was of particular interest to me, since it touches on an issue I referred to in an earlier blog entry: the foolish and often reckless ways in which the average computer user cruises along the Information Superhighway. Data seepage refers to the little bits of personal information our laptops, handhelds and even smartphones are broadcasting to the world at large – and therefore to criminal hackers – when we use those nifty free wireless networks at the local coffee shop or airport.

The problem, you see, is that those networks are unsecured. That means that anything you do at your laptop can be picked up by others on the same network using “packet sniffers” or other network monitoring applications. They can determine what type of hardware and operating system you're using, what other wireless hotspots you've connected to in the past, what web sites you're visiting and any personal information you've been foolish enough to enter. At the very least, the bad guys can pick up enough information to make you and/or your employer the target of a “spear phishing” attack. At the worst, they might gain the ability to read your e-mail, steal your on-line identity, and even plant spyware on your computer.
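To make the "data seepage" point concrete from the self-audit side, here is an added example (my own, not from the post or from Errata Security's Ferret) that takes a few constructed records of the kind a sniffer reconstructs from an open network and reports what a passive observer learns: platform from the User-Agent header, hosts visited, previously joined networks from probe requests, and credentials sent in the clear. The record format, hosts, and field names are all assumptions made up for the example.

```python
"""Audit what a passive observer on an open Wi-Fi network could read from
unencrypted traffic. All records below are constructed sample data."""
import re
from urllib.parse import parse_qs

# Constructed sample: each record is one captured request as a sniffer would
# reconstruct it (protocol, destination host, and the plaintext payload).
# "probe" records stand in for 802.11 probe requests, which name networks
# the device has joined before.
SAMPLE_TRAFFIC = [
    {"proto": "http", "host": "news.example.com",
     "payload": "GET /today HTTP/1.1\r\nHost: news.example.com\r\n"
                "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.4) "
                "Firefox/2.0\r\n\r\n"},
    {"proto": "http", "host": "webmail.example.org",
     "payload": "POST /login HTTP/1.1\r\nHost: webmail.example.org\r\n"
                "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.4) "
                "Firefox/2.0\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "user=reporter&passwd=hunter2&remember=1"},
    {"proto": "https", "host": "bank.example.net", "payload": "<encrypted>"},
    {"proto": "pop3", "host": "mail.example.org",
     "payload": "USER reporter\r\nPASS hunter2\r\n"},
    {"proto": "probe", "host": "", "payload": "SSID=HomeNet"},
    {"proto": "probe", "host": "", "payload": "SSID=AirportFree"},
]

# Form field names that usually carry secrets (assumed list for the example).
SECRET_FIELDS = re.compile(r"pass|pwd|secret|token|session", re.I)


def os_from_user_agent(payload):
    """Return the platform token from a plaintext User-Agent header, or None."""
    m = re.search(r"^User-Agent:.*?\(([^)]*)\)", payload, re.M)
    return m.group(1) if m else None


def plaintext_credentials(record):
    """Return [(field, value)] for secrets readable in an unencrypted record."""
    found = []
    payload = record["payload"]
    if record["proto"] == "http":
        head, _sep, body = payload.partition("\r\n\r\n")
        if head.startswith("POST") and body:
            for field, values in parse_qs(body).items():
                if SECRET_FIELDS.search(field):
                    found.append((field, values[0]))
    elif record["proto"] in ("pop3", "imap", "ftp"):
        # These legacy mail/file protocols send the password as a bare line.
        for m in re.finditer(r"^PASS\s+(\S+)", payload, re.M):
            found.append(("PASS", m.group(1)))
    return found


def audit(records):
    """Summarise what a passive observer learns from a capture."""
    platforms, hosts, past_networks, creds = set(), [], [], []
    for rec in records:
        if rec["proto"] == "probe":
            past_networks.append(rec["payload"].split("=", 1)[1])
            continue
        # Destination hosts leak even for HTTPS (the DNS lookup and the TCP
        # connection are visible); only the payload is hidden.
        if rec["host"] and rec["host"] not in hosts:
            hosts.append(rec["host"])
        if rec["proto"] == "https":
            continue
        plat = os_from_user_agent(rec["payload"])
        if plat:
            platforms.add(plat)
        for field, _value in plaintext_credentials(rec):
            creds.append((rec["proto"], rec["host"], field))
    return {"platforms": platforms, "hosts_visited": hosts,
            "past_networks": past_networks, "credentials": creds}


if __name__ == "__main__":
    result = audit(SAMPLE_TRAFFIC)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on the sample shows one plaintext webmail login and one POP3 password exposed, which is exactly the sort of thing a VPN (item 7 of the safety check, in spirit) would have hidden.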

This isn't just theoretical. Even at Black Hat conferences – where you'd assume everybody is pretty cyber-savvy – there's a Wall of Shame (actually a large video monitor) displaying, in real time, personal information being sent unencrypted on the conference wireless network. During their presentation on data seepage last week, in fact, experts from Errata Security “were able to use [their network monitoring application] Ferret to intercept an e-mail sent to a reporter working in another conference session. The message included one of her applications' passwords”, according to ComputerWorld columnist Matt Hines' report from the conference.

Fortunately for her, Hines doesn't sniff and tell.

There are ways you can protect yourself from this kind of exposure, of course. You can make sure your laptop is as secure as possible (I refer you to my ten-point safety check for details) and you can subscribe to a VPN (virtual private network) service for those times when you really need to use one of those “free” wireless networks. That old saying “there's no such thing as a free lunch” applies in cyberspace as well, you know.

Look for this data seepage issue to get worse before it gets better, especially with towns and cities rushing to implement municipal WiFi networks. For the well-equipped cybercrook, the only thing more attractive than an airport full of laptops cheerfully leaking personal information is an entire city full of them. It's like shooting phish in a barrel.

Now THAT'S scary!

Friday, March 02, 2007

More Sunday Driving

Lest you think that nobody could be clueless enough to do some of the things I warned you about in my last blog posting, allow me to direct your attention to this recent entry at Shark Bait, Computerworld’s discussion forum focusing on Stupid User Tricks.

Yes, I know, we techie types can lack people skills and come off as a bit arrogant at times, but when faced with behavior this foolish, it’s difficult to be diplomatic.

Shark Bait is well worth reading on a regular basis, by the way. Even the relative beginner in the computer world will find many of the stories reported therein highly amusing, and you technorati will really get a kick out of it.

Sunday, February 25, 2007

Sunday Driving

Are you cruising along the Information Superhighway sober, sane and safe - or drunk, deranged and dangerous? Following these steps won't guarantee you complete immunity from the digital equivalent of a 50-car pileup - the only way to do that is to disconnect your computer from the network and turn it off - but it will make disasters less likely and recovery much easier.

Unless otherwise indicated, all software recommended here is either part of the basic operating system (Windows or Macintosh OS X) or is open source and/or freeware. I'm trying to make this as painless as possible.

I have no association of any kind with any of the web sites or products I'm referring you to here; I've just found them very useful and/or reputable. Think of this as a ten-point safety check for your virtual car.

  1. Use smart passwords
    • Never use the default password that comes with any piece of hardware or software; always create your own.
    • Use passwords that aren't obvious; Cornell University has a guide on creating strong passwords that's worth reading.
    • If you have trouble remembering your various passwords, store them in a secure, encrypted file or program. Macintosh users can use Keychain Access, which is part of Mac OS X. Windows users should check out Password Safe.
  2. Keep your system software updated
    • Windows: make sure Windows Update runs automatically.
    • Macintosh: Set your Software Update utility to check on a daily basis. You'll find it under Preferences - System - Software Update.
  3. Use anti-virus software
    • Windows: Free anti-virus options include ClamWin and AVG. Commercial products are available from McAfee, Norton and Trend Micro, among others.
    • Macintosh: Viruses for OS X are relatively rare, as are free anti-virus programs. ClamXav is the Macintosh version of ClamWin. Commercial products are available from McAfee, Norton, and Intego.
    • No matter what product you use, make sure you have it set to automatically update your virus definition files. Out of date anti-virus software is as bad as none at all.
  4. Use anti-spyware software - Anti-virus packages won't necessarily catch all the bad stuff out there
  5. Practice e-mail safety
    • Don't open a file attached to e-mail unless it's one you're expecting from a trusted sender. Hostile programs are often disguised as apparently innocuous documents.
    • Don't reply to or click on links in unsolicited e-mails asking you to verify personal data at financial institutions or on-line merchants. These are likely to be fraudulent.
    • See this article at wiredsafety.org for more solid recommendations on e-mail safety.
  6. Practice safe browsing
    • Think before you click on a link! Hackers will try to sucker you into visiting web sites that will download viruses and spyware to your computer without your knowledge, or con you into entering personal information at a web site that looks (but isn't) legitimate.
    • Secure your web browser. The US Computer Emergency Readiness Team (CERT®) has some good practical advice for both Windows and Macintosh users.
    • Use Mozilla Firefox instead of Microsoft Internet Explorer. We propeller beanie types can debate the reasons why until everyone's eyes glaze over, but the bottom line is that Internet Explorer is the preferred target of the network's bad guys. Download Firefox and make it your default browser.
  7. Use a personal firewall
    • A personal firewall program provides an additional layer of protection from Internet threats, and can alert you if a spyware program is trying to "phone home".
    • Windows: Windows XP has a built-in firewall. See this article from Microsoft on how to make the best use of it.
    • Macintosh: OS X has a built-in firewall. See this article from Apple on how to make the best use of it.
  8. Avoid peer-to-peer file sharing programs
    • Programs such as Kazaa, Grokster, and Limewire are major distribution channels for viruses, worms and spyware - to say nothing of copyright violations.
    • If you must use one of these programs, disable file sharing. Here's an article on how to do that.
  9. Lock your car. Take your keys.
    • Limit access to your computer. Unless you really need to share your files and programs with others, turn off file sharing. Here's information on how to do that in Windows XP, Macintosh OS 8 or 9, and Macintosh OS X.
    • Windows has a guest account enabled by default. Who needs it? Here's how to disable it.
  10. Think before you download
    • Avoid web sites or e-mails offering "cracked" versions of commercial products such as Microsoft Office. You might or might not wind up with the product in question (and if you did, you'd be breaking the law), but you'll almost certainly wind up with a mother lode of spyware, viruses and worms.
    • Freeware downloads are OK (as is shareware IF you do the right thing and pay the shareware fee), but make sure you get them from reputable sites such as download.com.
    • Bottom line: downloading files from questionable web sites is the 'net equivalent of trying to beat a veteran card sharp at three-card Monte - a sucker bet.

Want to know more? Here are some useful web sites: