All posts by Craig Murphy

General

M16 are hiring…

You would be forgiven if you missed it last week, what with Prescott, Clarke and Hewitt taking the limelight, but for the first time in its history, M16 are publicly recruiting staff.

On Thursday 27th April, The Times ran this advert:

M16 Advert1.gif

A day later they ran Pass notes No 160: MI6 RECRUITMENT DRIVE

Interestingly, M16 is now also known as the Secret Intelligence Service (SIS), as this post confirms.

Amongst other positions, they’re looking for software folks with these skills: OO languages such as J2EE, Java/HTML, Oracle SQL, C# and .net. and must be able to operate in Windows XP, Windows 2003 Server and/or Linux/Unix. If you fancy a change of scenery, sign up here. If that doesn’t work, try this.

Opinion

Do you send personal e-mails using your employer’s computer?

2 Comments

According to a piece in today’s Times newspaper, employers may find themselves having to record their employee’s personal Internet usage (including e-mail) or both parties may face a “new” stealth tax. Stealth, because it was sneaked in to the recent budget without any hullabaloo, blink and you might have missed it.

Unless the personal usage is “not significant”, in which case the tax is ignored, both employee and employer will be taxed. Obviously there is clear debate about the use of the term “not significant”, however it is unlikely to be within the bounds of reasonableness, a word clearly not in the Labour Party’s dictionary, as events surrounding Prescott’s Promiscuity, Clarke’s Convicts and Hewitt’s Heckles, all of which are now in the public domain, can confirm.

Personally, I use my employer’s e-mail facility to manage what I need to do “as a whole”. I send e-mails from my office to my personal desktop such that I can manage my time better. I don’t want to find myself reading newsletter after newsletter whilst I’m at work. I receive notification of the newsletters at work, sift through them at a content-level (i.e. scan them), then I forward the relevant ones to my home PC where I can spend a little more time reading them and surfing. Now, if Gordon Brown wants me to read the newsletters whilst I’m at work, that’s fine, but he should find some way of compensating my employer for around 6-8 hours per week. IT is a fast moving game, how else can we keep on top of it without constant learning?

And who’s going to pick up the cost of implementing a system that can accurately monitor personal vs corporate e-mail/Internet usage? Sure, there are products on the market that claim to do this, however in my experience unless they are set up correctly, they tend to get in the way of real work. Less able firms, with absent or inadequate IT direction, will struggle with this ruling, perhaps opting for a “personal blacklist” whereby overtime known “personal” addresses and domain names are blocked. I would take umbrage to this kind of mentality for a number of reasons:

  1. I use my blog to record information that I think might be useful to others…it’s also my way of ensuring I have some information “to hand”. I refer to some of the code samples and links on my blog a couple of time per day, it helps me with my day job.
  2. I communicate with a number of people (using e-mail) to organise social events (personal) and to conduct job-related business, the “personal blacklist” wouldn’t work in this situation.
  3. I send myself e-mails between my home computer and my office e-mail address that act as reminders, things to do etc. I also use shared tasks, shared calendars, etc. between my home computer and my office computer.
  4. The previously noted “newsletter” scenario.

I think it’s fair to say that those of us who find it useful to mix personal/business like this, do so because we find ourselves more productive as a result. A taxation of this kind would see my productivity take a hit, I would have to change the way I work because of a tax introduced by Government I didn’t vote for. Taxation doesn’t win votes. Taxation encourages emigration. When it’s votes that count, you can’t help but want to reduce emigration because emigration not only affects the number of potential votes, but it affects the economy too.

The recent scrapping of the Home Computing Initiative, whereby employees could purchase a PC via their employer with some for of tax relief, this is yet another blow to the promotion of IT uptake in the UK. I know of a handful of employees who would rather “ask a friend” for a little help with their office PC than go to some corporate helpdesks – more so for the “lesser done, easily forgotten” tasks in popular word processors or spreadsheets.

This is another fine example of the Government hitting on the masses, whereby we’ve seen taxation on travel (airport taxes, etc.) and massively increased fuel prices. I am surprised that there is no obvious taxation on the sending/receiving of SMS/MMS text messages as the sheer profusion of them sent every day seems to be an easy and obvious target.

What’s next Gordon, a tax on the office Biro that I use for personal business inside and outside of office hours?

With the current Government’s inability to differentiate between public and private, I refer to of course the aforementioned threesome, how can they possibly be trusted to enforce a IT tax like this?

.net, Delphi, Development, Opinion

Alas poor Delphi, do I see a sharp future ahead?

[Warning: thought gathering rambling follows, coherence might be sacrificed.]

Following Tod Nielsen’s letter announcing that Borland would be divesting their IDE product lines, driving an even tighter focus on the Application Lifecycle Management (ALM) market, what future lies ahead for those of us who have been using Delphi for most of the last eleven years?

I know that I am not alone in having an opinion about this divestment, and it’s one that may result in a further blog posting. Even some Microsoft employees have a very heavy interest in Borland’s divestment plans, some who were/are very close to the Delphi scene.

However, the purpose of this posting to two-fold:

  1. to plug Gnostice’s PDFOne – their .net 1.1/2.0 PDF creation components. It’s a great product, I reviewed their earlier Win32 VCL offering, eDocEngine and found it to be totally awesome (as this review confirms!). However, and this is not a criticism by any means, but the PDFOne demonstrations are written using C#. I believe that this is decision to use C#, and Gnostice are not alone, is a key driver that will dictate the direction of the “Delphi Language”.
  2. to try and understand, whether in this posting or a follow up, what might happen to Delphi as a “language”, if all vendors in the .net space move their demonstrations and support over to C#

Gnostice have produced a product for use in the .net environment. Without splitting hairs, that means products like: Borland Developer Studio 2005/6 (Delphi 2005/6), Visual Studio 2003/5, Visual C#/VB Express Editions. Given that Delphi 200x targets .net 1.1, Gnostice were wise to produce assemblies for both .net 1.1 and .net 2.0. The demonstration application that is supplied with PDFOne is written using C#…which means that it will work with Delphi 200x (via its “C#Builder” or C# personality) and it will work in the Microsoft IDEs too.

Of the other vendors who are moving their components (demonstrations and documentation too) from the VCL to .net, what if a number of them started ignoring true Delphi and provided C# examples? I guess most of us would just muck in and convert the code on an as-needed basis, after all, it’s not very difficult converting C# examples into true Delphi code (and vice versa). Certainly it would make me think about whether I should be writing any new applications using true Delphi code.

The importance of the “Delphi Language” is gradually being eaten away by the almost omnipresent C#. There are folks out there who believe C# is the best thing since sliced bread. However, us folks in the Delphi world have enjoyed virtually everything that C# has to offer today. Granted language progression slowed down somewhat when Anders Heilsberg joined Microsoft (see his TechTalk here). C#, and parts of the .NET framework (especially 1.1) are not as well abstracted as people might think, especially those of us with a Delphi background, a point that I made during my recent lament about Borland and .NET:

…is .NET 2.0 up-to-date with regard to the needs of today’s developer? I’m not so sure: Delphi was the first product to simplify Windows-based development with its glorious abstractions around WndProc and the Windows messaging sub-system. No longer did we have to write code to create treeviews, add nodes, or draw them in special ways, etc. Win32 development with Delphi was almost reduced mouse clicks. Visual Studio for .NET 1.1 brought a similar IDE metaphor to the .NET world, however it lacked a number of Win32-style events that we in the Delphi world take for granted, such as the simple ability to have owner draw controls (have you never wanted to make root nodes in a treeview bold?) In .NET 1.1, it’s back to basics, you have to implement everything yourself (as described in these hoops and by the example here.)

So Delphi 200x IDEs may be relegated to being competition for Microsoft’s IDEs. Is that such a bad thing? Can the market withstand such competition? Well, Borland obviously have a view on the competitive aspects of their IDE – they’re selling it off. By selling it off, they are telling me two things:

  1. They’ve got something else to focus on, in this case ALM. Presumably this is the next big cash-cow and we all should be buying shares in any company that promises big things in the ALM space.
  2. They’re hoping that the potential buyer will work with developers and the market space, and will progress the IDE within the competitive environment. I certainly hope this is the case.

Delphi itself, as a product, has always enjoyed a lot of kudos because of its legacy support, i.e. applications written using previous versions would re-compile with newer versions. The only problem in this legacy support scenario is third party components. [Borland, please note, this is not a criticism] For years Borland have charged circa £1000 for an upgrade to the next major version or nearly £2000 for a new purchase. Now, I am a Delphi fanatic and have been for 10 years. That’s a lot of upgrade cash. I’ve lost track of the number of Delphi developers who recite the same story to me, especially at user group meetings and developer events.

It’s one thing migrating a vanilla Delphi application from one version to the next major version, it’s another thing to migrate an application that is “third party component heavy”. It’s another thing because we have to shell out for the third party components that match the version of Delphi we’re upgrading to. If you’re doing well, the third party component vendor(s) have kept up and their products are available when you need them…not months after the release of Delphi itself.

On the other hand, and keeping things equal, I like the Microsoft IDEs too. Whilst both Borland and Microsoft IDEs require huge amounts of desktop real estate (screen resolution), each of the respective IDEs have a number of features that make them a delight to work with. Granted, in terms of developer productivity, they are behind the likes of IntelliJ, although it’s authors are making great efforts to correct that as Rob Lally confirms in his write up here (expect a Resharper review to appear here and over at Scottish Developers real soon now!)

I wonder if the recent emphasis on C# signifies the demise of what we know as the “Delphi Language”? Two things will provide the answer: time and the new DevCo who take over the Borland IDE market space. Will there be developer consultation? Will there be a customer satisfaction survey that lets us suggest what language features to important to us? I certainly hope so.

Further Reading
Borland rides Segue on trip out of IDE biz
Borland gambles without developers
Marco Cantu’s Support Delphi blog posting.
DavidI’s posting is here.
http://www.regdeveloper.co.uk/2006/03/07/borland_ditches_delphi/
Hopefully this posting is merely an April Fool’s joke?
Product Roadmap
Borland wants to be a Red Hat for developers

.net, Community

Visual C# Express Edition

I’ve been looking at Visual C# Express Edition, which according to this blog posting is now free forever. Specifically, I’ve been looking at the functionality differences between the Express Editions and the fully-fledged Visual Studio Professional et al.

However, before I start to blog about the differences, I thought it prudent to let you know the benefits of registering these free editions. When I registered my copy of Visual C# Express Edition, I was offered access to a portal that gave me the chance to download this little lot of goodies:

IconBuffet Studio Edition Icon Suite
A collection of over 100 professional, royalty-free stock icons from IconBuffet.com. The IconBuffet Studio Suite collection contains core icons from several of IconBuffet’s most popular hand-crafted stock icon collections. As part of this promotion, you are free to use these icons in your desktop and web application development.

Microsoft Visual C# 2005 Express Edition – Build a Program Now! Document Microsoft® Visual C#™ 2005 Express Edition: Build a Program Now!
This fun and highly visual guide walks you through a complete programming project—a desktop weather-reporting application—from start to finish. You’ll learn how to put the lightweight, easy-to-use tools in Visual C# Express to work right away—creating, compiling, testing, and delivering your first ready-to-use program. You’ll get expert tips, coaching, and visual examples at each step of the way, along with pointers to additional learning resources.

Graphics Server .NET – Utility – Graphics Server .NET
Experience Interactive Chart Design with Graphics Server .NET. Learn how fast and easy it is to design a chart and integrate it with your Visual Studio 2005 application with our new Interactive Designer. Professional looking results, fast development and reasonable prices for both Win and Web Forms.

/n software IPWorks! ADO.NET Data Provider – Utility /n software IP*Works! ADO.NET Data Provider
Free single machine license of IP*Works! ADO.NET Data Provider. With IP*Works! you can use SQL queries and data objects built on the .NET Framework to easily access data for Internet development. Implements a standard Microsoft .NET Data Provider for accessing Email (POP, IMAP, SMTP), News (NNTP), and RSS.

WebPlanner 2005 – Utility – ComponentScience WebPlanner 2005
The scheduling component for ASP.NET 2.0. WebPlanner 2005 for ASP.NET 2.0 is a fully functional scheduling component for day, week, month and timeline rendering. WebPlanner provides drag and drop features and is compatible with Internet Explorer, FireFox, Mozilla and Opera. It also includes a MonthPlanner control as an extra bonus.

Corbis Images – Utility
An assortment of 250 royalty-free images from Corbis for inclusion in your web sites and applications.

There’s a good chance that more goodies will be made available, so it’s worth registering and worth periodically checking to see if any new stuff as been made available!

Community, Developer Events, Development

AJAX – Scottish Developers and the BCS joint meeting

Gary Short will be delivering an AJAX session in Dundee next month.

I you do plan to come along, please register via Scottish Developers (it’s free and only takes a minute):
AJAX – BCS Tayside Joint Seminar

When
Start : Thursday 4 May 2006, 19:00
End : Thursday 4 May 2006, 21:00

Where
Dundee University,
Department of Applied Computing,
The Queen Mother Building

Location Map
Note: The Department of Applied Computing has moved buildings. It is Building 61 on the UNIVERSITY OF DUNDEE campus map.

ABSTRACT
AJAX itself is not a language but a set of technologies used to enhance user experience on the Internet by allowing further information to be gathered from the server, asynchronously, without the page having to be reloaded.

In this demonstration we will examine the history and evolution of AJAX, before taking a look at some popular web sites that make use of AJAX. The demonstration will end with a code example of how to use AJAX to enhance the user experience, and a question and answer session.

Amazon, Google and Flickr are a few of the companies implementing AJAX in their websites, with many others following suit.

The excitement around AJAX ensure this is a must attend session for anyone involved in web design and development.

BIO
Gary Short is a Microsoft Certified Applications Developer, currently employed in the role of software architect at Computa Limited. He has 16 years industry experience in both desktop and web enabled application development. Previously, he has worked for a number of blue chip companies including Amex, IMS Health and Scottish & Southern Energy. He is currently interested in SCRUM, TDD and other Agile methods.

Opinion

Core Values

During 2005, my last employer asked us to answer about 60 questions that revealed personal values (roughly speaking, the things that are important to us and guide our thoughts). Yes, it’s a little airy-fairy, but when the data from all of our staff from all of our offices was collated and presented graphically, it was rather interesting.

Firstly, there was a radar diagram representing a “Schwartz Chart”:

value1.gif

I believe that Schwartz, Shalom H. and Wolfgang Bilsky were responsible for this work. The Schwartz Value Inventory (SVI) contains a number of motivational domains. These domains reflect either an individualistic or a collectivistic interest dimension, or both, and they can be grouped into two dimensional structures composed of four higher order dimensions (openness to change, self-enhancement, conservation, self-transcendence) that are basic and bipolar. More can be found be following the references found here (worth reading if you want to make sense of the screenshots in this post).

This isn’t actually my radar diagram; if I can locate it I will update this post (I can’t seem to put my finger on it right now). To arrive at this diagram a number of employees were asked to complete a questionnaire comprising of about 70 or so questions. The questions were then used to determine the plot points on the radar diagram. The plot points relate to such things as: peace between people, broadminded, honest, honouring older more experienced others, respect for tradition, and so on, leading up to social recognition, meaning in work and choosing own goals:

Conservatism: national security, reprocation of favors, honoring elders, family security, respect for tradition, wisdom…
Intellectual Autonomy: curious, broadminded, creativity…
Affective Autonomy : enjoying life, exciting life, pleasure…
Egalitarian Commitment: social justice, world at peace, responsibility, freedom, equality…
Harmony: world of beauty, protecting environment, …
Mastery: successful, capable, choosing own goals, daring, independent ,…
Hierarchy: wealth, social power, authority…

There is a lot of moderately useful information present in the radar diagram. Further, it does demonstrate three things:

1) The organisational average (light blue, area)
2) The participant’s positioning (orange, line)
3) The standard deviation across the whole organisation (dark blue, line)

Secondly, there was a Values Categories Chart:

value2.gif

Now I realise that you probably can’t read these in detail, don’t worry, they are purely for demonstration purposes, I won’t be testing you on them later on.

During 2006, before I left this employer, we were asked to answer two questions based on the previous study:

1. “What should be the most important values in [your employment]? And Why?
2. “Choose 5 Values which you think should be the core values of [your employer] and will differentiate us from our competitors”

Here are my first-cut answers:

Question 1
I believe that the most important values that we should be nurturing and promoting are:

Creativity
We must think out of the box. Regular, lemming-like, thinking just won’t do at all. If you stifle creativity, the morale of individuals and teams takes a hit and folks leave. Thinking out of the box, seeing the bigger picture and beyond will help us discover better, more efficient ways of delivering excellent service that is innovative, daring and award-winning.

Daring
Risk needs to be managed. Instead of stomping down on daring creativity and daring innovation, “these risks are too great”, open your eyes, accept that some risk is good. Risk that is accepted in a positive fashion will see teams and individuals work harder and smarter to ensure that they can achieve the dare and thus enjoy the success of a job well done. Stamp down on the dare (risk) and it will just serve to de-motivate.

Innovation
Yes, some jobs, bread’n’butter jobs may not require much in the way of new thinking. However, the importance of new ideas, fresh creativity, taking a little risk for large gain all promote innovation. Clients like new ideas, they like to see folks “doing something out of the ordinary”.

Learning
Very few jobs are so simple that they require no learning (perhaps with the exception of some benign admin/overhead tasks). Individuals and team members should be given the opportunity to learn such that they can provide a better service that is more creative, more innovative and more daring.

Capable
Demonstrable evidence that the individual and team are able to do the job in hand.

Influential
As individuals working on a client project, we need to be capable of influencing and motivating; peer-group awards and qualifications suggest individuals are influential in their given sphere; team awards are even better. Don’t ignore awards from external organisations, if an employee has “done a good job” and been awarded for that job, recognise it.

Successful
Without influence and success, individuals and teams will struggle. A track-record has its place. Success comes from many places: being helpful, being influential, being positive, being supportive, being polite, being encouraging, being community-oriented, the list goes on.

Helpful
We (not just IT) need to be seen to be bending over backwards to help our clients and fellow workers. And if we made a mistake, it’s helpful if we admit to that mistake right away and bring a solution to the table during that admission.

Broadminded
Similar thoughts to creativity – parochially-minded individuals need not apply. We need to be willing to accept new ideas, new thinking, what worked before might not be best now.

Choosing own goals
Don’t tell individuals and teams how to do their jobs. Let them get involved with the client, the project manager, let them prioritise activities in conjunction with the client. Don’t force them to accept stretch targets that you know they are unhappy with – promote communication from the ground up, it will increase morale and give the project a better chance of succeeding.

Question 2
Five core values:

Daring
Innovation
Capable
Influential
Broadminded

I don’t know what became of the study, I left this employer just after I submitted my answers to these two questions. The study itself took rather a long time, spanning some seven or eight months (until my departure) and saw some staff hearing the phrase “disciplinary action” in order to gee them up into completing the original 60 or so questions (not me I hasten to add!). Who knows, may be the answers to the two questions provide some insight into who I am?

[Originally written January 2006, not posted. Revised April 2006]

Project Management

“Stop Doing” Lists

I attended a two-day induction course last week. Whilst there were many useful “takeaways”, good ideas, common sense approaches, etc. the course leader presented us with a book: Good to Great by Jim Collins.

Naturally I skimmed through the table of contents, then skimmed through each chapter. One thing that I picked up from this brief read was the need for “Stop Doing” lists. These are the opposite of “To do” lists.

Since I am a great believer in lists, particularly To Do lists, I figured that Stop Doing lists deserve more of my time. We all spend a lot of time either floundering or procrastinating – we prioritise tasks based on their level of enjoyment (best tasks first), their ease of completion (low value tasks, completed before high value tasks that require longer to complete), etc.

In amongst all of the tasks that we “do”, there are activities that are of high importance (perhaps high value), those that are middle of the road and those that are of low importance (low value).

Q. How much time and effort are you putting in to service those low importance tasks? Probably more than you would like. And how much value are they bringing you?
A. Probably not enough.

Q. Are those low importance tasks impacting the service you provide to the other higher importance tasks?
A. It’s very likely that it is.

Q. If you stopped doing the low importance tasks, would the service you could deliver to the high importance tasks improve?
A. A resounding yes.

Earlier in this post, I mentioned floundering. It’s perhaps a little strong, what I mean by its use is to fumble or bumble about whilst endeavouring to complete a task. Personally, I notice that I flounder whilst trying to get out of the house in the morning (to go to work). Floundering manifests itself in many ways, in my case, I find myself making second and third trips back up the stairs – when I had previously thought that I my tasks/work upstairs was complete. It’s a petty example, but such floundering has major knock-on effects, the extra trip upstairs can mean missing a particular train, which in turn delays getting to the office by 15 minutes…

The same effect can be noticed during day-to-day project work. I’m sure that we’re all guilty of revisiting what we thought were completed tasks…or perhaps losing the focus slightly then engaging in either re-work or dilly-dallying to get things going again. I know that I find myself doing this, sometimes, I can’t be alone…and given the number of books that have been written about getting things done, I’m pretty sure that it’s not just me!

How can I identify the “stop doing” items?
I’ve seen people use the “red dot” technique, whereby they tag each work item or task with a red dot each and every time they touch it. Obviously the more often an item is touched, the more it looks like it has measles. However, whilst that method will identify some items, it won’t help you identify the low priority, low importance items, for it is these that you should be homing in on and weeding out. Everybody has a different definition of low priority, low importance, for me I’m trying to do fewer activities that impede my progress on higher value projects/items. This involves me being ruthless with any task that I believe is a time-waster, if there’s no value in it for me, it going on to the Stop Doing list.

In a nutshell, Stop Doing lists revolve around doing less of what adds little value (or little profit) to your activities whether business or personal. Instead, we should focus on doing more of those items that add more value (or more profit). By virtue of doing less (or no) low value items, we are free to spend more time concentrating on the higher value items. Those activities that we do spend time on will have more time spent on them, thus as a job, it should be done that bit better.

Food for thought…

Good To Great is also available as an audio CD.

Security

PC security is not the first thing on the mind of a home user

4 Comments

The MD of Roundtrip Solutions Limited posted an interesting link to a piece about security in this posting: 81% of Home Users Lack Critical Security Elements (which links to this CNET article).

Security is something most folks generally ignore. I took delivery of my next door neighbour’s Dell PC this week (late December 2005), now I know security won’t be on his mind once it’s all set up and working. And since virtually all Dell’s are supplied with a Symantec anti-virus/firewall product that’s free to use for the first three months, any Internet nasties that were thinking of taking up residence on his machine will be kept away…for the first three months. After that, and after the Symantec product has asked for a credit card number and been told “no” (politely of course), the machine gradually opens up and the nasties come in. That’s the start of spyware, malware, viruses, rootkits and trojans, each inviting the other, each breeding and infecting the machine, applications, e-mails and ultimately, machines belonging to others…the zombie network takes over.

[April 2006 update: Dell are now shipping with McAfee as their anti-virus vendor of choice, and they are offering 15 months instead of 3, but do check as I believe that this is an offer not a permanent thing]

A further three months might pass before the “fastest machine money could buy” starts taking a long time to boot up…simple operations take forever…perhaps the odd “memory could not be read” error or even a blue screens of death. If they’re lazy, they might put up with it for another few months, but invariably “Friendly Bloke/Relative (FB/R) who works in IT” gets a call.

The majority of spyware “items” infect your PC largely because you clicked on something that essentially gave them permission. It’s rather like a burglar knocking at your door, you invite him or her in, they take some stuff, including a copy of the keys and go. OK, so the spyware doesn’t actually go, it lurks about on your PC making it slower and slower. And spyware will not take a copy of your keys, it might take a copy of your passwords, credit card numbers etc. You may have read a lot in the press about identity theft – well, spyware is responsible for some of the pain and turmoil caused by identity theft. Spyware, malware, etc. that sits on your PC logging your keystrokes, watching what sites you visit, can be the first step to your identity being stolen…or worse, your bank account being accessed without your knowledge or consent.

Now, until the major banks implement better security mechanisms, on-line banking is threatened by these key loggers. However, if you PC is protected using the tools mentioned in this posting, you can relax a little. You can relax even more when you learn that the banks are working on methods that will make your usage of their services a little bit more secure. In addition to the plethora of passwords and bits of passwords that banks expect us to remember (never write down of course!), new techniques such as two-factor authentication are in the pipeline. It is the PassMark system that offers this two-factor authentication, more can be found here and here.

However, whilst your bank balance is somewhat hardened, imagine how your children might react if the computer that they had been using for their homework suddenly presented them with a rather less than salubrious list of previously visited sites? That’s what I’ve found a lot of PCs that I “look after” under the auspices of FB/R. Here’s a carefully edited screenshot that demonstrates the kind of thing to expect.

spyware

This is an extreme example. The machine in question had been used to view rather a lot of pornographic material and as such had been subject to a variety of popups many of which expected the user to click ok, Yes or Accept. It is this affirmation that lets the burglar into your house and thus free to do as they please. As soon as you confirm that you are happy to have something downloaded and installed on your PC, there’s often little that can be done to prevent any damage being done.

What’s worse, this particular machine had lost its Start bar, hence the appearance of the Windows Task Manager at the bottom of the screenshot. The user of this particular machine had to use the Task Manager to run applications (some of which were in fact corrupt). By visiting pornographic sites, downloading whatever they have to offer and claim to need in order to run, this computer become very slow, unstable and required a complete re-format to bring it back to life.

Incidentally, the metastop toolbar that you see in the screenshot above, it’s a “search hijacker”. Whilst it might not sound dangerous, largely because many search hijackers will return similar results to those returned by your preferred Internet search tool, e.g. MSN Search or Google. The subtle difference being the fact that you might be directed to a site that gives the search hijacker some benefit based on the number of clicks and click-thrus that are made. If you are offered the chance to install a toolbar, particularly if you are just browsing, my advice to you is to ignore it. There are very few toolbars that you need – the big names have the market sewn up, Microsoft, Google, Yahoo, etc. More about this particular search hijacker can be found here.

You can, however, protect yourself in a number of ways:

  1. User education – don’t visit dodgy sites. This is harder than it sounds – convincing folks not to visit dodgy sites is a mind game, good luck!
  2. Avoid clicking on popups. Use the default operating system close icon instead: in Windows this is a red cross in the top right of the popup – some popups will try and fool you by including their own red cross, watch out for this and don’t be tempted to click on it. If in any doubt, ignore the popup, reboot and don’t visit that site again!
  3. Purchase and install a reputable firewall product. Many popular broadband routers, such the NetGear DG834 and the DLink DI-624+, have a firewall built in. Generally, this is a good thing and it does give you out of the box protection. However, if you really want to know how and when your PC is sending messages from your machine to the Internet, a operating system level firewall is useful. There are many good ones, such as ZoneAlarm. Many antivirus products now have an integrated firewall, so it is worth considering software products that do both – there are a few listed in the Recommended Software section at the end of this posting.
  4. Purchase and install a reputable anti-virus product. Whilst you can rely on your ADSL/Broadband router to protect you with its firewall, there’s nothing it can do to help you protect your machine from viruses, Trojan horses and other nasties that might come in via other means.
  5. Install an anti-spyware product. There are some good free tools, such as Ad-Aware, however like firewalls, many anti-virus vendors are integrating them into their products. John notes that he is enjoying success with Windows Defender.
  6. Use a file cleaner such as CCleaner. Over time, your computer builds up a lot of temporary files. Whilst Windows is reasonably good at maintaining these files, inevitably many remain. Amongst many others, CCleaner is capable of removing a whole plethora of temporary and unneeded files. After you have used CCleaner, I recommend that you defragment your drives too.

What if I don’t want to buy any software?
In that case, I recommend that you download and install a firewall such as ZoneAlarm. I would also suggest installing a free anti-virus product, such as AVG or avast!. Further, you should also install Ad-Aware.

Of course, it’s not much use downloading and installing these products, whether free or not. You have to keep them up to date. Most of the products I’ve mentioned in this post offer some form of automated update, so once you’ve installed them, they’ll happily update themselves in the background – it’s worth watching to see that this does actually happen. The first sign of a virus infection usually manifests itself when the virus tries to disable or alter the anti-virus protection that you have installed. Viruses are not known for their delicacy and often step on lots of toes whilst attempting to thwart the anti-virus protection!

On-line alternatives
Many anti-virus vendors offer their “scans” on-line, often for free. Microsoft’s Windows Live Safety Center and Symantec do just that.

Lastly…
This post homes in on the need for security on your [home] PCs, the author makes reference to a number of products that can help achieve a level of security that is sufficient. However, security is an on-going thing, it’s important to keep any security products up to date. It’s also about vigilance: don’t do anything “out of the ordinary”, don’t click “yes” or provide some sort of confirmation to popups that you weren’t expecting. Don’t open e-mails or attachments if there is anything “odd” about them, particularly if they look as if they are “executable”, e.g. .exe or .com extension…or unsolicited Word/Excel documents. The author welcomes comments and pointers to other competent software.

Further Reading
Identity theft, phishing, key loggers…
http://www.rootkit.com/
Sony, Rootkits and Digital Rights Management Gone Too Far
EMPLOYEE FRAUD – THE ENEMY WITHIN
Banks introduce transfer delays in drive to stamp out phishing
Victims of internet bank fraud will have to pay up

Recommended Software
Windows Live OneCare

Norton Internet Security

ZoneAlarm Internet Security Suite 6

Kaspersky Antivirus

McAfee VirusScan Professional 6.0

Panda Antivirus Platinum

AVG 7.0 Anti Virus PRO

[Originally written 31st December 2005, not posted. Revised April 2006, posted]

Security

Identity theft, phishing, key loggers…

Despite what you hear, major banks have a more serious problem to contend with than on-line fraud – there is a lot more fraud happening inside the banks themselves, i.e. internal fraud. In a recent case, somewhat close to home, the bank in question acted rather naively and demonstrated that they are not geared up to deal with on-line security issues. I can say this because earlier this year I had to verify that my friend’s business PCs were not infected with any viruses or key loggers – they had just witnessed a large sum of money vanish from their business account via a transaction that apparently used their own credentials.

However, instead of the transaction being carried out from a PC located in Scotland, the transaction was carried out using a computer located in Sheffield (insofar as we could tell, the actual machine could easily have been elsewhere in the world – this is the concept of a zombie PC coming to the public eye.) The computer in Sheffield appeared to be using a cable modem and Blueyonder as their Internet Service Provider (ISP). Now this, in my opinion, is the first warning sign and one that the bank should have picked up on before committing the transaction and allowing it to complete. The business in question use a fixed IP address, therefore it is always the same address each and every time they use the bank’s on-line service.

Suddenly, out of the blue, this customer wants to transfer over 95% of their business account to an account that they have never used in the past. Clue number two: what sort of business transfers 95% or more of their account in one go? Clue number three: the destination account is unknown. Clue four: over 95% of all this business’ transactions are conducted via Scottish branches of the destination bank.

Worse than that, a few days later, the same bank and the same software was used to conduct another withdrawal, this time from a ‘deposit’ account that should never have allowed withdrawals of this size anyway. This time the PC was located outside of Scotland and was using AOL as their ISP. At this point, the business in question lost faith in the bank’s ability – the business owners had been accused of performing the initial fraudulent transaction themselves, for it to then happen a second time on an account that was meant for deposits only, cracked an egg on the bank’s face.

Luckily, the business in question had all their money returned rather quickly, which provided a clue that the problem was more internal than external. It is not uncommon for disgruntled employees to leave a bank, “walk off” with a handful of user login information, go to ground, then use it a few months after their departure. Indeed there are a few links at the end of this posting that confirm this happens, they make worrying reading.

Of course, had the bank been using a two-factor authentication mechanism, this kind of fraud would be virtually impossible to commit.

Why am I so hard on the bank in question? Well, in 2004, my bank were wise enough to notice that I had used my credit card in Plymouth, Aberdeen and Edinburgh within a few days of each other – this didn’t worry them too much, it was reasonable to expect me to have been in those three locations in the space of three days. However, on the fourth day, I happened to use the same card in Tenerife, a fact that when put in context with the other three days travel caused the bank to give me a call. They did authorise the transaction in Tenerife, and gave me an option for them to call me back. Once they had confirmed that all was well with my credit card, business continued as usual.

I’ve not really touched on phishing, in this post. Perhaps because I don’t believe that this was a phishing case. All signs are that it was an internal security issue, not the work of a rogue e-mail asking the business owners to login to the bank via a link in the said e-mail. Of course if you do receive such an e-mail, remember that the major UK banks will never ask you for your login details to be “repeated” in their entirety and remember that it’s always best to manual type in your bank’s URL.

Further Reading
PC security is not the first thing on the mind of a home user
EMPLOYEE FRAUD – THE ENEMY WITHIN
Banks introduce transfer delays in drive to stamp out phishing
Victims of internet bank fraud will have to pay up