The Gripe Line | Christina Tynan-Wood » November 2006

November 28, 2006

A New Day for Corporate DRM

"A New Day for Business" is the way Microsoft is billing this Thursday's rollout of the business versions of Vista and Office. But I wonder if corporate customers won't eventually look back on the end of November 2006 as the point when they ceded control of their organizations' networks to the anti-piracy efforts of big software publishers.

A fair amount of attention has been given to Microsoft's SPP (Software Protection Platform), the DRM technology debuting in Vista that combines the best -- or the worst, depending on your point of view -- of Windows XP product activation and Windows Genuine Advantage verification. But I haven't seen nearly as much discussion about Microsoft Volume Activation 2.0, the corporate piece of the SPP anti-piracy technology, in part no doubt because it's still rather unclear how it's going to work. And, outside of the Gripe Line (see "Adobe License Manager and Acrobat"), I've seen even less discussion about the interesting coincidence that November has also marked Adobe's introduction of its own anti-piracy technology for corporate customers, the Adobe License Manager.

Of course, the average consumer may feel that it's only fair that Microsoft and Adobe make volume license customers deal with the same kinds of DRM-induced problems the rest of us must struggle to avoid. As a number of readers have pointed out, it's also true that required license servers of one sort or another have been around for some time in high-end and niche software markets. But having to deal with a different anti-piracy system from each mainstream software publisher, as it appears will soon be the case, will turn the already difficult job of managing a company's software assets into an impossible one.

"It's not really 'license management' until the day these systems, like the article says, will also tell you when you are OVER-licensed," wrote one reader in response to Adobe's ALM plans. "Then at least the potential exists for these systems to make money-saving suggestions. Until that day comes, these are Piracy Control systems!"

Some software customers think that corporate activation schemes will ultimately be to their benefit. "It is about time," wrote one reader. "Trying to manage hundreds if not thousands of seats of all the software corporate America uses is near impossible. Put the responsibility back on the software manufacturer to provide the tools to keep us compliant. This allows corporations to use the software shared by users who only need the software intermittently. Autodesk, Bentley and others use this method."

But what are the consequences to the customer's business when one of these license servers fails? "You've never had one of those servers crash and stop working, have you?" wrote another reader in response to the above comment. "I have, and that made a mission critical application stop working until I reinstalled the server. Not a good thing at all."

While Adobe's ALM will at least be voluntary at first, readers are already finding themselves having to make hard and complex decisions about Microsoft Volume Activation 2.0. "They were in here the other day and we asked them whether we should use KMS or MAK in our branch offices," says one reader. "After droning on for an hour about how great something called VAMT will be when it ships real soon now, it dawned on us they didn't know the answer either. I guess Melinda and Bill aren't rich enough yet."

Since the one certainty about anti-piracy technology is that it will cause more problems for honest customers than it will for any software pirate seriously determined to defeat it, disasters are inevitable. Imagine the consequences if a spyware purveyor or even a terrorist organization learns how to seize control of these licensing servers for their own ends. And who is going to be responsible the first time entire corporations go into "reduced functionality mode" because of a buggy DRM update?

"Making the software so it can be disabled remotely without a mechanism that allows me to control the cause of the disabling is one-sided, greedy, and unethical," one reader writes. "I wouldn't have a problem with this if I could control the installation through usage of one-time install passwords or something else that I could control and generate. Adding the fact that I have to pay to regain use of my previously purchased license is just a bit over the top. Companies in the computer industry listen: All Computers Fail! It is only a matter of time. If you punish me for this fact I will remember that you are demanding money while you hassle me."

What's your take? Is this new day for corporate DRM a bad business, or just more of the same? Call the Gripe Line with your comments at 1 888 875-7916 or write me at Foster@gripe2ed.com.


Posted by Ed Foster on November 28, 2006 12:39 AM


November 24, 2006

Straining Earthlings' Terrestrial Intelligence

If you'd like to participate in the great quest for extraterrestrial life, you just have to have some spare capacity on your computer. Well, and maybe the smarts to deal with some software that doesn't work very well and the patience to tolerate some flaming from those you ask for help. That is what one long-time supporter of SETI (Search for Extraterrestrial Intelligence) says she has discovered in recent months.

"I recently received an e-mail from the SETI@home people at UC Berkeley asking me to re-up in lending my computer resources to their search for extraterrestrial intelligence," the reader wrote. "In the past this involved installing a little screensaver replacement application that crunched numbers instead of just showing a pretty picture when it was screensaving. Then a year or so ago SETI switched to some new and incompletely engineered software called BOINC. I dumped the program, as did many others at the time."

But as an IT professional for almost 30 years, the reader has seen a few applications that got rolled out too soon but were ultimately made workable. "When I was solicited to return to the program, I figured they must have solved the many problems expected of a pre-beta bit of software, since that is what BOINC certainly seemed to be when I tried it the first time. Unfortunately, I see no meaningful difference in the current version of the software. I've now had some problems with the software using massive bandwidth even when I had totally disabled it. Apparently you have to check and/or change a number of settings to prevent this behavior."

When the reader visited the SETI project's tech help message board, she was discouraged to see her problems were minor compared to those other would-be BOINC users were suffering. "There are so many problems with the software that the board has literally thousands of requests for help on the most trivial installation issues imaginable. You cannot even change local preference like the screensaver mode without logging onto the server and forcing an update routine. These are things that ought to have gone totally smoothly -- after all, BOINC is just a vastly glorified screensaver. And it often appeared that anyone with problems with the software would be flamed by the tech support volunteers as an incompetent moron for not fishing through the software to find its many switches and checkboxes."

But what really convinced the reader that the BOINC software is really not ready for public consumption were the many message board posts related to overheating problems that the software can cause, particularly with some laptops. "If you read through their rules and policies, you see they do warn that the 'applications run by SETI@home may cause some computers to overheat,' and that you are responsible for monitoring your CPU with a separate utility program," the reader wrote. "You're supposed to be able to control CPU usage with BOINC, but that's just another one of the things they've promised -- along with all the new and improved and wonderful interfaces -- that never seem to arrive."

Why, the reader had to wonder, did SETI summon back its old users before it had fixed the problems with BOINC that had driven them away? Even more disturbing to her was the way complaints from users of the old screensaver were being handled on the tech support message board. "Within the boards you regularly see the tech support people telling users there are no overheating problems and to go ahead and use it. And not only do they flame any professionals who point out their errors, they will go back later and 'moderate' the conversation to make themselves sound better and to make everyone who complains seem to be just some cretinous child pointlessly flaming them. To see that kind of treatment is aggravating because I proselytized heavily with my colleagues on behalf of this program. It is the overall lack of professionalism and willingness to give out bogus advice at the official site that gets to me."

And what will the ultimate BOINC effect be on the science that SETI and other projects are trying to accomplish? "I just can't understand why they couldn't have been a little more patient and waited until the software was actually ready to be put in the hands of average users," the reader writes. "They have managed to lose huge numbers of users because of this software, and how many will be willing to try it yet again the next time they tell us it's ready for primetime? It just seems like a gigantic boondoggle in that one can have little faith in the science being performed invisibly by this software when the obvious parts of it work so poorly. I have to doubt that much of the research being done by BOINC will fly in peer-reviewed journals since there is no comparable network of distributed computing to test BOINC results against."

Got a story of your own to tell about software that doesn't work or support that doesn't help? Call the Gripe Line at 1 888 875-7916 or write me at Foster@gripe2ed.com.


Posted by Ed Foster on November 24, 2006 03:24 PM


November 21, 2006

Oracle Security Patch Causes Insecurity

To patch or not to patch -- that is the question for many software customers. And it's a particularly tricky one to answer when the software company won't say what the patch is for, as one reader discovered with a recent Critical Patch Update released by Oracle for PeopleSoft.

"On October 18, I received an e-mail notification from Oracle/PeopleSoft that they released new patch levels for their products that contain critical fixes, urging that we install them," the reader wrote. "For the company I work for, this meant upgrading our PeopleTools release from 8.46.10 to 8.46.16. Over the years we've been running PeopleSoft, we've learned that we can't just take them at their word because we have always experienced some transitional instability and performance hits in the past with PeopleTool upgrades, without exception. We simply do not update the software unless there is a pressing need that addresses known, specific issues that affect our implementations."

"I opened a support case to learn the details behind the critical issues Oracle was concerned about with the patch," the reader wrote. "Details were not -- and are not -- available on their website. I received an e-mail directing me to information on their website that gave no specific information about the nature of the critical fixes. I then called and wound up speaking with a support manager."

The Oracle support manager told the reader it was against Oracle policy to provide the information he needed for his risk assessment. "As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit," the Oracle manager told him in one e-mail. "Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Matrix, the readme files, and FAQs."

The reader pleaded that without more information he could not possibly do the risk assessment his company naturally wanted to do before making its decision. As he wrote the Oracle support manager: "Please understand that some managers at some companies expect their IT people to provide justifications for why and when critical patches are or are not implemented. I work for just such a company and yes, I do have management seeking explanations in regards to this PeopleTools patch ... We cannot plan on diverting IT resources to implementing these patches without this information so that we can perform our own risk analysis. I hope that merely mentioning the name Microsoft conjures specters of failed patches and thousands of hours spent by thousands of IT professionals around the world futilely attempting to keep their systems properly patched."

When that yielded no useful details about the patch, the reader tried one more time to explain to Oracle why he needed to know more. "Oracle sends out this alert and expects us to jump with no information on which to base a business decision," he wrote Oracle. "Do we have the staff to do it? What other projects will suffer due to diverting resources to applying the update? That's just the beginning. You do not account for the time it takes to follow Oracle's own recommended procedures for applying patches: apply to demo environment, compare to test environment, apply to test environment, test, compare to production environment, apply to production environment, pray nothing breaks. That doesn't even take into account that all development on all PeopleSoft-related projects is halted or delayed because we can't develop at one patch level and apply it to an application running at a different patch level during the time it takes to evaluate a patch/update and apply it to a production environment. It can take up to three months to do this properly. The timeframe can be shortened, of course, but again, we have no information on which to base any decisions. ALL of these considerations are part of the decision making process, regardless of consideration to critical issues."

Ultimately, though, his requests fell on deaf ears. "The bottom line is simply that, despite the fact we're paying thousands of dollars per year for 'support' from them, Oracle will not disclose the information we require. I know from my phone conversations with the support manager that mine is not the only company pressing for specific information about the patch. I can only imagine the IT staff of those organizations are pulling their collective hair out. Our decision, given that we cannot justify the interruption to MIS activities and a certain amount of inevitable system downtime in the face of no information from which to base a decision, is to not install the latest patch. Risks be damned, Oracle be damned, but if no one will disclose the information we require, how can we justify any other decision?"

After all, there's no security in a security update that may cause a customer more problems than it fixes. What's your take on Oracle's patch policy? Call the Gripe Line at 1 888 875-7916 or write me at Foster@gripe2ed.com.


Posted by Ed Foster on November 21, 2006 12:21 AM


November 20, 2006

Earthlink Outpacing AOL in Marketing Tricks

If I mention that a major ISP is finding new ways to squeeze money out of customers, you might assume I'm referring to AOL. But in recent months it's actually been the marketing practices of Earthlink that have generated more gripes from my readers.

One reader was puzzled when he started having trouble getting his e-mail from an old Earthlink account. "I had signed up with Earthlink to get their broadband service four years ago. When I moved away from the town where I was using it two years ago, Earthlink said I could keep using the address, no problem. Two weeks ago, I'm told that my address cannot log in because it's been 'disabled' and I have to call Earthlink to have it turned back on. I eventually get connected with a sales rep who tries to sell me Norton Antivirus and tells me that I can only keep my old e-mail address if I pay $3.95 per month for a 'premium' account. I refused, and after spending a few days considering my options, I go to Earthlink's page and see that I can sign up for a free account! I signed up for an almost identical account name and all is fine for now. But I just wonder how long this one will last."

A second reader was prompted to relate their experience with Earthlink in response to an earlier story about AOL billing customers who had tried to cancel during their "free trial" period. "AOL is not the only one," the reader wrote. "I'd cancelled Earthlink after two days, but was charged around $45 total for something I was unable to use. No amount of complaining got me a refund. I cancelled the credit card I'd used because they would not force Earthlink to make it right."

Another reader can't get Earthlink to stop harassing her with phone calls. "I have been getting nuisance calls from Earthlink for months now. I have two accounts, one broadband and one dialup. My accounts were originally through Internet Partners of America, and I paid them via check. When Earthlink bought IPA, I was given the option of continuing to pay by check, which has never been rescinded by Earthlink. Then the calls from Earthlink began. At first it was occasionally, and they would invariably insist on getting my credit card number, or worse yet, my checking account information. After seeing what AOL does to its customers' credit cards, there's no way Earthlink is getting mine. So they started ramping up the calls. Some weeks I get as many as five calls. In every case, I get a recorded message saying only that I need to call them and update my account information. I started out politely telling the people in India that they could not under any circumstances have my card. I escalated to screaming at them. Nothing impresses them. They call anyway."

Trying to get the calls stopped, the reader contacted Earthlink headquarters. "So a few days ago I called Atlanta and got the 'escalated complaint' department. They were very nice and assured me the calls would stop immediately. Of course, they didn't stop. I got yet another mechanized call this morning. So I called Atlanta again and explained to the guy who took my call that they were supposed to have stopped, and that if I got another I would switch to AT&T. His response was a polite no response. I then asked to speak to his supervisor, who never did come on the line. But the service guy swore that they had done what they said they would do the other day. It's clear that Earthlink has way too many customers. I refuse to pay for the privilege of getting spammed. The only good news is that I work in a typical office cube, and everyone who works around me knows exactly how bad Earthlink is now."

Got a story to tell about Earthlink, or another ISP, that's even worse? Call the Gripe Line at 1 888 875-7916 or write me at Foster@gripe2ed.com.


Posted by Ed Foster on November 20, 2006 12:51 AM


November 16, 2006

Home Depot Rebate Goes in Deep Freeze

The litany of excuses that rebate fulfillment houses will use for putting your rebate on ice seems never ending. But one reader decided she was going to put an end to the excuses when rebates she was owed on a refrigerator purchased at Home Depot went unfulfilled by Continental Promotion Group.

"I've got a gripe with Home Depot's rebate company, Continental Promotion Group," the reader wrote. "In a nutshell, I bought a Hotpoint frig in July and got the rebate forms when it was delivered -- one for making a purchase that qualified for a $25 gift card and another for reimbursement for the $55 delivery charge. I sent everything in on time with all the necessary documents."

"Then the excuses began," the reader wrote. "The thing that clued me into the scam was that each time the reason for not having gotten the rebates was different, like the copies were illegible (not so -- checked them carefully before I mailed them) or they didn't receive the customer invoice (I'm obsessive-compulsive, so do you think I just happened to leave something out? Not a chance.) I refused to jump through their hoops by sending duplicate stuff. I talked with the Home Depot customer complaint center by phone twice with promises, promises, and finally discovered the name of the rebate company online and called them."

Continental Promotion Group, which along with its www.rebatestatus.com website has been the source of rebate gripes before, wasn't happy to hear from the reader. "I think they were a little shocked I got their telephone number because it wasn't on any of the forms -- just addresses and websites and one automated rebate voicemail that was listen-to options only. There is no way to access a real human and no option to leave a message. I told 'Unwa' I thought his company was a scam and I'd be busy making sure as many people as I could know it. I'm so mad I want to make a big sign saying that rebates should be called scam bait and go picket in front of those huge rebate promotions posted outside the local Home Depot."

The more the reader researches rebate practices in general, the madder she gets. "I guess, when I did hours of research yesterday online and discovered that these companies get away with STEALING consumers' hard earned dollars and blatantly practicing the art of deceit, I just snapped," the reader wrote. "How these people can sleep at night is beyond me. I had a lengthy conversation with the assistant manager of our local Home Depot last evening, giving him copies of blog comments I ran across yesterday when I discovered I'm not alone. He was shocked, or at least he put up a good front. I've filed a complaint with the FTC online yesterday and will do the same with attorney general as soon as I can. Thanks for listening - I feel a little better, anyway."

Filing a complaint with the FTC, your state Attorney General's office, and the store where you bought the product are all good steps when you get stuck with a deadbeat rebate. Better yet, try to deal with retailers like Office Max and Best Buy that are generally eliminating mail-in rebates. That's probably the only way to put the rebate fulfillment houses in the deep freeze.

Post your comments about this column on my website, write me at Foster@gripe2ed.com or phone my voice mail at 1 888 875-7916.


Posted by Ed Foster on November 16, 2006 12:04 AM


November 13, 2006

Lenovo Downgrades Return Policy

Manufacturers can usually make the terms in their fine print harsher without anybody noticing. That's not the case for Lenovo this time, though, because a sharp-eyed reader just spotted the fact that the company's policy on product returns has gone from being one of the best in the laptop business to one of the worst.

"This fall I have been keeping an eye on IBM ThinkPads in anticipation of a purchase in early December," the reader wrote. "Around the end of October, I confirmed that Lenovo still offered their 30-day, no-questions-asked, no restocking fee, return option. A few days ago I checked the well-hidden policy again, out of curiosity. Now the policy is a 21 day return period, there 'may' be a 15% restocking fee, and the package has to be UNOPENED!"

The Lenovo returns policy page reads in part:

"For a new Product that is unopened and still in its sealed package, you may return it to Lenovo for any reason within 21 days of the date of invoice and obtain a refund or credit ... Products returned may be subject to a restocking fee equal to 15% of the price paid. You agree to pay the restocking fee as Lenovo specifies."

Of course, return policies differ from warranties in that they allow you to return the product if it turns out you don't like it, rather than just if it's broken. Charging a restocking fee is not unusual, although Lenovo's claim that they specify whatever fee they want is a bit unsettling. But the thing that really bothered the reader is the idea that the package can't even be opened. After all, it's hard to decide you don't like something without actually opening the box and getting a look at it.

One doesn't generally buy a product for its return policy, though, so the reader suspects he'll still wind up buying a ThinkPad because of the features he likes. "I hate how every other laptop PC has the critical navigation keys scattered all over the right-hand side of the keyboard, instead of putting them in relatively the same place as on a full size keyboard, as IBM still does. I also love the track-point mouse control, unavailable elsewhere. So I guess I will still be forced to buy from Lenovo, although I won't be happy about it. I understand that companies need to prevent people from abusing return policies, but going from one of the best to one of the worst in the mail order PC industry in one fell swoop is crazy. Maybe some publicity will make them change back to a more reasonable policy?"


Posted by Ed Foster on November 13, 2006 09:26 AM


November 09, 2006

A McAfee Marathon

All too often, getting support for a software product can turn into a grueling experience. In fact, just getting back to where you were before you bought the product can be a small triumph in itself, as one reader decided after a recent encounter with trying to install a McAfee security suite.

(By the way, this story marks the debut of my Gripe Line podcasts, which you can download here. So you can listen to this reader discuss his McAfee support experience and hear a few other comments my readers have phoned in. Give it a listen if you have a few minutes and let me know what you think.)

The reader's run-in with McAfee struck me as interesting in light of the running discussion we've been having about paid support. The consensus there has been that customers should not have to pay for support just to get the product they purchased installed and functioning. But our reader found that's not the way it works with McAfee.

His travails began when he purchased the latest VirusScan suite with anti-virus and firewall from McAfee. "I only bought it because McAfee told me my old version of VirusScan was out of date and I would no longer be able to get virus signature updates for it." The anti-virus program installed without a problem, but the firewall wouldn't install because of conflicting files, which turned out to be from an older McAfee firewall from the Network Associates era. The reader spent several weeks on his own trying to identify and remove all the old firewall files, but the new version would still not install.

If he wanted to get the firewall part of the security suite up and running, the reader soon realized he had no real choice but to pay McAfee for a support incident. "It would seem they have NO free tech support at all," the reader wrote. "You can try their e-mail, but it's slow, especially if the problem is serious. And their knowledge base is next to useless. So you can pay per minute -- I think it's $2.95 -- or you can buy one incident for $39 as I did."

It turned out the reader would pay a lot more than that, just in stress alone, as that's when the real horror show began. Just to summarize briefly, the first tech with whom he spoke walked him through removing the conflicting files, which unfortunately resulted in his Internet connection being disabled. Over the ensuing days, tech after tech promised to research the problem and get back to him, and of course never called back. "On the third evening, I attempted to phone them, but their phone system would not accept my PIN number, saying the incident had expired. So I could spend another $39 for another 48 hours of runaround if I wished."

Well, the reader didn't wish. Being without an Internet connection for days on end was costing him business, so he began calling McAfee customer service and sales, demanding that they get someone competent to help him. Even then he kept finding himself speaking to techs in far-flung parts of the world reading from scripts that they didn't understand themselves. Finally, he just happened to get through to someone who could help him.

After five days of enormous persistence on his part, the reader finally had his Internet connection back and all McAfee files removed from his computer. "I've installed Bit Defender instead, as they appear to have 24X7 free phone support," the reader wrote. "McAfee refunded both my $39 for a tech support incident and my $39 for the software, so I guess you could say it was a happy ending. But they cost me days of lost business while I didn't have connectivity and all those hours I had to spend on the phone. If I had just been able to speak to someone competent in the first place, it could have saved us all a lot of trouble."

Indeed, perhaps the real moral of this story is there is no such thing as free support. Not only did the reader's experience cost him time, think of what it cost McAfee -- they lost a long-time customer, some good will, and all those hours, cheap as they may be, that McAfee must pay its overseas techs for their generally futile toil. When support turns into a grueling exercise, we all pay.

What support experiences do you have to share? Call my voice mail toll free at 1 888 875-7916 and leave your own gripe for us to hear. Or, post your comments on my website or write me at Foster@gripe2ed.com.


Posted by Ed Foster on November 9, 2006 09:43 AM


November 07, 2006

Gripe Line Podcast

McAfee technical support puts one reader through a gauntlet.

Posted by Ed Foster on November 7, 2006 03:22 PM


November 06, 2006

Sun Never Sets on Java Security Updates

When it comes to security, Sun tends to be subject to much less criticism than some other system software vendors we could mention. But one reader thinks that a little more scrutiny of Sun would be a good thing, particularly in terms of how it handles Java security updates.

The reader first wrote me in early July about his frustration with keeping up with Sun's oversized and numerous Java updates, and also with keeping the old updates from piling up. "Sun continues patching the JVM every few months, and gets in streaks where they patch every few weeks," the reader wrote. "Although I run the jusched.exe process on several PCs that supposedly monitors the Sun site for updates and takes up cycles and memory, I still had no idea that Java 1.5.0.7X came out several weeks ago, until I read it in an enthusiast's posting. Sure enough, there it was on the Sun Web site. So I installed it and as usual, 1.5.0.6X was still installed. I uninstalled it and sure enough, some folders for it (and 1.5.0.5X!) were still around ... From Sun's explanation, it would seem the Java architecture is so flawed that removing files and folders from older versions breaks stuff, since it can't rely on something like the Registry for versioning. So instead it leaves the old versions on the disk -- which, by the way, could allow the exploits the update is guarding against to be executed anyway. What kind of security is that?"

In September, the reader wrote again. "Just so you know, 1.5.0.7X was withdrawn, replaced with 1.5.0.6X for several weeks, then replaced with 1.5.0.8X, then that was in turn withdrawn and the Java site reverted -- ONCE AGAIN -- to 1.5.0.6X. Last time I checked, 1.5.0.8X was not available. Pitiful - doesn't Sun do any quality control before they release their bloatware to the world?"

Last week the reader wrote in again to say the beat still goes on, this time with the now-released Java Runtime Environment 1.5.0.9X. "If you go to the Java.com site that is what you will get," the reader wrote. "In the meantime, .update 6X was the last 'official' release. According to some channels, update .8X was issued for Vista compatibility, so that the Aero UI was not disabled while the JVM was loaded. However, until the other day, if you visited the site with Vista RC 1 the Java version you were presented to download was Update 6. Since I last wrote, if you used the Java verification applet on the Java site, you were told: 'Congratulations! You Have the Latest Version of Java!' whether you had .6X, .7X, or .8X. Confused yet? And note that .9X also was patched immediately on release from b01 to b03 -- really nice regression testing, huh? And they are still continuing in the grand Sun tradition of not automatically removing the older version when the update is installed."

Why, the reader wonders, isn't Sun getting the same kind of heat over its less-than-secure security updates that Microsoft is? "Unlike Microsoft's security issues, Sun gets a free ride on security patches for Java. No flames, no editorial comment. I suspect that this is due to the concept that Java runs in a 'sandbox' so it can't harm a PC like an ActiveX component. I know I have been asked to give those permissions to a Java app, so I guess I miss the distinction. For me, Sun's cross-platform promises for Java have just turned into cross-platform insecurity."

Read and post comments about this story here.

Posted by Ed Foster on November 6, 2006 12:17 AM


November 03, 2006 | Comments: (0)

Botnet Spam Getting Out of Hand

Well, at least I'm not the only one who feels like the spammers are winning. Since I wrote last week about our struggles with link spam here, the evidence has been mounting that spam in general has been increasing at an alarming rate in just the last month. And the cause of all these woes is the growing menace of botnet attacks.

E-mail security vendor Postini reports the amount of spam it intercepted in October was up 59 percent over September and that as of yesterday 91 percent of all e-mail traffic consists of unwanted messages. Last week it was reported that spam blacklist maintainer Total Quality Management Cubed has seen 450 percent more spam in the last two months.

And there's no question where all this additional spam is coming from. "We can see it's coming from the bots," says Daniel Druker, executive vice president of marketing for Postini. "The part of our system that tracks this type of attack is just off the charts over the last six weeks. It's gotten to the point now where in any 24-hour period we'll see a million different IP addresses being used in coordinated attacks, and 50,000 operating at any given instant. We're starting to get emergency calls from large organizations that are finding that they simply can't handle the spam problem on their own anymore."

Of course, if everyone had effective security software on their computers, there wouldn't even be a botnet problem because there'd be no zombies for the bots to control. Since that day isn't likely to dawn anytime soon, though, how do we keep the botnets from making e-mail worthless for us all? One reader pointed to an interesting discussion in this regard by Ed Felten. Part of the problem, he says, is there simply isn't enough discussion about botnets outside the security business. The more people are made aware of what the bots are doing to us, the more likely they will defend their computers against being taken over.

So, by all means, let's discuss botnets, because seeing that I'm not alone in suffering from their attacks doesn't make me feel all that much better. What do you think can be done to rescue the Internet from this rapidly growing scourge?

Post your comments about this column on my website, write me at Foster@gripe2ed.com or phone my voice mail at 1 888 875-7916.

Read and post comments about this story here.


http://www.gripe2ed.com/scoop/story/2006/11/3/1736/72581

Posted by Ed Foster on November 3, 2006 12:11 AM

