krAzykrAkr forum

Author Topic: Alternatives to Crappy Windows Software  (Read 1134 times)
krAzykrAkr01
« on: 04/29/08 @ 01:39 »

Quote
It may be the year 2008, but a whole lot of sucktacular software still rears its ugly head on PCs everywhere, even when better-behaved options are freely available. Whether it's molasses-slow bloatware, shameless adware, anemic default apps, or "Your trial period has expired!" nagware, it's time to replace stinky Windows software with its superior (but lesser-known) alternative.

Quote
Application to Avoid: AOL Instant Messenger
Indictment: One-trick pony with ads included made by a company that holds its customers hostage.
Superior Alternative(s): Digsby or Pidgin or Miranda or Trillian or Meebo
Notes: The moral of the story is you should avoid anything that comes on six zillion free CDs that swamp your apartment building's mailroom.

Quote
Application to Avoid: Browser Toolbars (that you didn't seek out yourself)
Indictment: Notorious for hijacking your browser, phoning home with your online activity, taking up precious real estate, and not offering any features you actually want.
Superior Alternative(s): Your browser's built-in search box and a few good bookmarklets
Notes: Don't get us wrong: Not all toolbars are bad, but do beware when they get tacked onto the end of a totally unrelated software installation and you have to opt OUT of them.

Quote
Application to Avoid: Internet Explorer (6 and 7)
Indictment: Lacks features any self-respecting modern web browser had two versions ago
Superior Alternative(s): Firefox
Notes: Because IE gloms onto the innards of your operating system so inextricably, you can't truly uninstall it. Just set your system's default browser to Firefox to avoid launching IE ever.

Quote
Application to Avoid: Limewire
Indictment: Where do we start? Haven't launched Limewire since our college days, and don't plan to ever look back
Superior Alternative(s): Frostwire
Notes: Bonus: Frostwire does BitTorrent, too.

Quote
Application to Avoid: Windows Media Player
Indictment: WTF interface, chokes on clips in common formats
Superior Alternative(s): VLC

Full Story

krAzykrAkr01
Linux Registered User
Krazy Krakr Korner

"I don't really care what Kermit the Frog said to Bugs Bunny. They are fictional characters. So please don't tell me what jesus said about god."
buckshot
« Reply #1 on: 04/29/08 @ 13:18 »

Almost all sound advice but avoiding IE 7 is just paranoia. Hell, you know that Firefox has had their problems too - certainly had their share of vulnerabilities.

Truth is IE is a pretty decent all-around browser - even Mac users adapt it!
krAzykrAkr01
« Reply #2 on: 04/29/08 @ 13:23 »

Quote
Almost all sound advice but avoiding IE 7 is just paranoia. Hell, you know that Firefox has had their problems too - certainly had their share of vulnerabilities.

Truth is IE is a pretty decent all-around browser - even Mac users adapt it!

I might believe that if they start adhering to web standards. Being a web developer, it is such a pain in the ass to code for IE. I code in Linux and when everything looks great in Firefox then you boot winders and it looks all fucked up and costs you another 2hrs of coding to make it work, it is really frustrating. Especially when it comes from a so-called software giant like M$.
krAzykrAkr01
« Reply #3 on: 04/29/08 @ 13:51 »

Quote
As you know, 3 weeks ago I published my paper, "Microsoft Windows DNS Stub Resolver Cache Poisoning"
http://www.trusteer.com/docs/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf

Quote
Unfortunately, the SWI blog entry contains two serious mistakes. The first mistake is an inaccurate description of the PRNG used for the Microsoft Windows DNS client transaction ID. The second mistake is SWI's claim that "attackers cannot predict a guaranteed, known-next TXID exactly even with this weakness".

I contacted Microsoft about those mistakes, and while Microsoft did not refute my statements, they also refused to revise the blog entry. On one hand, I am inclined to tag this as a simple unwillingness on the side of the vendor to revise its materials and admit its mistakes. On the other hand, I cannot ignore the fact that the two mistakes, when combined, result in misleading the blog reader about the nature and the severity of the problem.

Quote
The second mistake is SWI's claim that "attackers cannot predict a guaranteed, known-next TXID exactly even with this weakness". However, in my paper I describe exactly how to predict, with good accuracy (i.e. up to few dozen guesses) the next transaction ID.

The SWI blog would lead one to believe that the only predictable bits in the transaction ID are the four high ones (due to the serialization of the transaction ID as little endian, those bits are serialized in the second byte) leaving the transaction ID with practical entropy of 12 bits (instead of the ideal 16 bits). However, if one follows my paper, it's trivial to see that by gathering few dozen samples, one can extract K (or very few candidates), and one can then predict the 487 possible values for the next transaction ID, i.e. the transaction ID entropy is less than 9 bits.

But an attacker can do better than this. By having the victim load an HTML page crafted by the attacker, the attacker can control (to a great extent) the timing of the DNS queries, thus the attacker can predict the time delta of the next transaction ID generated, from the last sample seen, and apply a more fine-grained prediction algorithm which may yield few dozen candidates only (i.e. 0-6 bits of entropy). This technique is fully described in my paper.

This is in stark contrast to SWI's claims. Furthermore, Microsoft did have the full paper (actually, a draft of it which contains all the relevant technical information) well before the SWI blog was published. So the problem here is not an issue of SWI not having access to the paper when they wrote their blog entry.

Full Story

This is one of the reasons that you should stay away from IE. M$ won't even admit that there is a problem half the time. They are always trying to downplay real exploits. They don't care about you or your computer. They only care about M$ and making buttloads of $$ at any cost.
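A defender-side illustration of the entropy figures in the quoted post above, added here and not taken from the paper, the SWI blog or any forum member: it flags a resolver query that drew several responses with non-matching transaction IDs and estimates how likely a burst of that size is to contain the right ID for each candidate-space size the post mentions. The event tuple format, the threshold, the function names and the sample records are assumptions constructed for this example.

```python
import math
from collections import defaultdict

# Candidate-space sizes named in the quoted post: the ideal 16-bit TXID,
# the 12 bits the SWI blog implies, and the 487 values derived in the paper.
CANDIDATE_SPACES = {"ideal_16_bit": 2**16, "swi_12_bit": 2**12, "paper_487": 487}

# Constructed sample records: (seconds, client, qname, kind, txid).
SAMPLE_EVENTS = [
    (0.000, "192.0.2.10", "intranet.example.test", "query", 0x3A21),
    (0.003, "192.0.2.10", "intranet.example.test", "response", 0x3A02),
    (0.004, "192.0.2.10", "intranet.example.test", "response", 0x3A0F),
    (0.005, "192.0.2.10", "intranet.example.test", "response", 0x3A17),
    (0.006, "192.0.2.10", "intranet.example.test", "response", 0x3A1C),
    (0.020, "192.0.2.10", "intranet.example.test", "response", 0x3A21),
    (1.000, "192.0.2.11", "www.example.test", "query", 0x1F00),
    (1.015, "192.0.2.11", "www.example.test", "response", 0x1F00),
]

def effective_bits(candidates):
    """Entropy in bits of a value drawn uniformly from `candidates` options."""
    return math.log2(candidates)

def find_guessing_bursts(events, threshold=3):
    """Flag queries that drew `threshold` or more distinct wrong-TXID responses."""
    outstanding = {}           # (client, qname) -> TXID of the open query
    wrong = defaultdict(set)   # (client, qname, TXID) -> wrong TXIDs received
    for _, client, qname, kind, txid in sorted(events):
        key = (client, qname)
        if kind == "query":
            outstanding[key] = txid
        elif key in outstanding and txid != outstanding[key]:
            wrong[key + (outstanding[key],)].add(txid)
        elif key in outstanding:
            del outstanding[key]   # the matching answer closes the query
    alerts = []
    for (client, qname, _), guesses in wrong.items():
        if len(guesses) < threshold:
            continue
        # Simplification: each wrong TXID is one distinct guess drawn from the space.
        odds = {name: min(1.0, len(guesses) / size)
                for name, size in CANDIDATE_SPACES.items()}
        alerts.append({"client": client, "qname": qname,
                       "guesses": len(guesses), "hit_chance": odds})
    return alerts

if __name__ == "__main__":
    for alert in find_guessing_bursts(SAMPLE_EVENTS):
        print(alert)
```

The same four-response burst covers a far larger share of a 487-value space than of a 16-bit one, which is why the size of the candidate set matters when triaging such an alert.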
krAzykrAkr01
« Reply #4 on: 06/16/08 @ 07:38 »

IE8 development: Microsoft should learn from Apple, Mozilla