Unfriendly Updates

With all the viruses and worms wriggling around lately, theres more interest than usual in running Windows Update.

Of course, enterprises dont have to rely on this inefficient end-user service. Businesses can instead use Microsofts official Software Update Service and several third-party patch-management services.

That leaves half a billion home PCs that are running unpatched, insecure Windows installs. These machines are being infected left and right.

Think theyre too small to hurt you? Think again. The rampant SoBig virus has quietly installed zombie programs on thousands of PCs over the past few months. These daemons, which experts say were developed by spammers, have been launching denial-of-service attacks against major anti-spam block lists, including the Spamhaus Project, SPEWS and SORBS. Osirusoft has folded for good, its owner saying the attacks had cost him $10,000.

I have major concerns about block lists, some of which I believe are ineffective and poorly managed. But that doesnt mean I want to let spam gangs decide who can run a site and who cannot.

Many enterprises rely on block lists to help filter out the tsunami of junk mail theyre receiving. If black hats can shut down lists like these, wholl they target next? The federal do-not-call site? Or perhaps your companys servers?

This nightmare scenario is popularizing the idea that home users, at least, should be required to install security patches automatically via Windows Update. Microsoft itself has hinted at this.

The problem is that these updates are already consuming enormous amounts of bandwidth. For some reason, Microsoft marks its update files “noncacheable.” That means files that could be downloaded once by ISPs must be dragged through the pipe over and over.

I asked Microsoft why its files arent set “cacheable.” After several e-mail exchanges, a company spokeswoman still hasnt found anyone with a good answer.

Writer Brett Glass owns a small ISP in Laramie, Wyo. His logs show that on some days 90 percent of his ISPs bandwidth has been used by Windows Update traffic. If people are going to be required to use Windows Update, we cant let it chew up all our Net bandwidth.

We need better figures on this. Im starting a survey of people who have access to raw data on this problem. If you do, let me know by visiting www. briansbuzz.com/contact.

Identity Update

i wrote in this space aug. 11 that loose credit-processing standards mean it wont be long before youll find yourself a victim of identity theft.

I didnt know Id gain experience so quickly. About two weeks ago, someone sought credit cards from a bank and a department store using a name similar to mine and providing one of my home phone numbers. Fortunately, both the bank and the store called for verification and therefore didnt hand out the cards.

Until recently, you couldnt do much to protect yourself against this kind of ID theft. But since April, youve been able to call just one credit bureau to get all the major credit bureaus to flag your files with a fraud alert. Once this is done, creditors arent supposed to issue credit unless you are personally contacted. This guards against impostors using your name.

I tested this by calling Experians toll-free anti-fraud number, (888) 397-3742. This line allows you to request a fraud alert 24 hours a day.

This has worked with Experian and Trans Union, which sent me a free credit report. Equifax, however, sent a letter saying I needed to submit more information. Oh well, I need to write to all three bureaus, anyway, for long-term protection. A verbal fraud alert is good for only three to six months. After you receive confirmation, a written letter is required to extend the protection for seven years. Computer professionals at financial services companies should develop better procedures to prevent ID theft, but at least one step is available to people today.

Brian Livingston is editor of BriansBuzz. com and co-author of “Windows Me Secrets” and nine other books. His column appears every other week in eWEEK. To send tips, visit www.briansbuzz.com/contact. Send your comments to eWEEK@ziffdavis.com.