Retro: Windows 98 end-of-life

I wrote the following column for Computer Shopper magazine when Microsoft ceased providing security updates for Windows 98.

It seems appropriate to republish it now, as Windows XP is on the verge of the same fate.

October 2006

Computer Shopper magazine #224

Rants & Raves

WINDOWS 98 RIP

SIMON EDWARDS RANTS

So long, Windows 98. Rest in peace. When you were born you made getting online easier, you made using large hard disks possible and you were easier to install.

You had a new desktop system that not only allowed users to display web content live from slow and expensive dial-up connections, but regularly caused the system to crash.

You helped destroy Netscape’s business with your integrated web browser, simultaneously heralding the beginning of years of security problems for Windows users, and your integrated Media Player was judged anti-competitive, too.

So long, Windows 98. Rot In Pieces.

After eight years, Microsoft has pulled the plug on Windows 98. No longer will the company provide updates, even if (or rather, when) further security holes are found. The same goes for Windows Me. That’s OK, though, because no-one uses Windows 98/Me any more. No-one except the estimated remaining 70 million users.

98 TEARS

So who is using Windows 98 these days? My guess would be a mixture of people who are non-technical and those who can’t afford to buy a PC every few years. The original date for termination of Windows 98 support was 2003. It is thought that pleas from the developing world persuaded Microsoft to issue updates for a further three years. There will also be plenty of people who could afford a new computer but don’t see any reason to do so – if it still works, why worry?

If these people don’t use the internet, there is no real reason to upgrade. As long as they’re happy with their PC’s performance, don’t share files with anyone and don’t try anything clever with wireless networks then they should be reasonably safe to continue.

For now, you can still buy Windows 98-compatible firewalls and antivirus software, and the free Firefox web browser is also available from www.mozilla.org, so most internet risks can be reduced, even if you do want to browse the web and collect email safely using your old PC.

Radio 5 Live called me this month to find out if listeners should just buy a new Windows XP PC and have done with it. I wanted to say, “No, just keep your thirdparty security software up to date, install a different web browser and email client and it will be OK”. But buying a new PC is the easiest way forward. The fact that you can buy a reasonable Dell laptop for £399 makes the decision easier still.

HASTA LA VISTA

There is an argument that you should wait for Windows Vista to arrive before buying a new PC because, before you know it, Windows XP will be at the end of its life, too. But that means spending hours locking down your Windows 98 machine (and are you really sure you’ve done it right?) for just six months of operation before Vista supposedly arrives. Is it worth your time?

If you are very technically minded, you could install a Linux distribution on your old PC and breathe new life into it. You might even find it runs faster. You might also find you can’t get it working at all, but that’s all part of the fun.

The missus has a laptop that runs Windows 98. It’s a small, slim, silver machine that runs fast and performs the basic internet-based tasks for which it was bought. I am ashamed to admit that it doesn't even have a firewall or anti-virus software installed on it, although it does operate behind a hardware firewall.

It has never shown any symptom of viruses or spyware*, mainly because it is only used for about half an hour a week to check a Gmail account, which is scanned for viruses by Google. We discussed the options, including hardware upgrades and the Linux route.

This discussion was short, and I was made clearly aware that the way forward involved the minimum amount of time with the computer in pieces on the living room floor and the minimum number of late nights featuring me swearing at installation screens in the spare room.

We decided to buy a cheap £399 replacement laptop that will run Windows XP Home for the next few years. If you are one of the 70 million Windows 98 users out there, that is my advice to you, too.

* I am aware of how naive this sounds these days.

Change timezones fast

In Windows 7 it usually takes at least six clicks to change time zones.

If you need to switch between zones quickly, the following tip will help.

Why might you need to swap between time zones frequently and fast?

When I schedule meetings I like to see how things stack up in Outlook. Meetings abroad, and flight schedules, can make things tricky. Changing  time zones on the computer restores some sanity to the proceedings.

Outlook has a (well-buried) option for changing the time zone and it's just as easy (and tedious) as using the Windows Date and Time window.

Luckily there's an easier way.

Windows 7 includes a command-line tool called Tzutil. Here's how I've used it to make a handy toolbar-based time zone swapper.

1. Create a file for each time zone

Create at least two empty text files and name them according to the time zones between which you wish to switch.

In this example we'll move between GMT (GMT Standard Time) and PST (Pacific Standard Time), so the files are called GMT.txt and PST.txt.

In each file enter the following command, replacing the string in quotes with the one you need*:

tzutil /s "GMT Standard Time"

Now rename the files, replacing the .txt suffix with .bat.

You should have two files called GMT.bat and PST.bat.

2. Install the files

Move the new batch files to a folder on your computer. Let's create C:\TZ and move the files into that.

3. Create the toolbar

Right-click the Taskbar and hover over Toolbars. Click New toolbar and navigate to C:\. Choose the C:\TZ folder and click Select Folder.

You should now see the letters TZ on your Taskbar, next to a pair of tiny arrows. Click once on these to show the available time zones.

To set a new time zone click once on any of the visible icons.

The icons above are actually renamed Windows shortcut files that point to my batch files. I changed the icons by opening each file's Properties and using the Change Icon option.

* Time code list
To obtain a full list of valid time zone codes run Tzutil from the command line like this (the last character is a lower-case L, not the digit one):
C:\>tzutil /l

...

(UTC-09:00) Alaska
Alaskan Standard Time

(UTC-08:00) Baja California
Pacific Standard Time (Mexico)

(UTC-08:00) Pacific Time (US & Canada)
Pacific Standard Time

(UTC-07:00) Arizona
US Mountain Standard Time

(UTC-07:00) Chihuahua, La Paz, Mazatlan
Mountain Standard Time (Mexico)

...

So to make a PST file, you'd type the following into the file:

tzutil /s "Pacific Standard Time"

Free encryption tools

Encrypting personal data is a sensible thing to do. If you computer is lost or stolen then at least your sensitive files are not at risk of being abused.

There are a number of common ways to do this:

1. Encrypt each file, one file at a time, manually.
2. Create a bundle of files in one archive and encrypt the archive.
3. Automatically encrypt all files placed into a specific folder/directory.
4. Automatically encrypt all files placed into a virtual hard disk.
5. Encrypt the entire hard disk, or portions of it.

Each of those options has its benefits and downsides. All can be achieved for free. Free encryption has been available for a long time but it is frequently hard to use.

PGP/GPG

Pretty Good Privacy (PGP) and GnuPG (GPG) aren't suitable for consumers simply because, even with the optional graphical interfaces, the very concepts that they rely on are not trivial to understand. They also usually involve both the sender of secrets and the receiver being equally competent.

Anyone can understand the idea that you can password-protect a file. Public key encryption is a little harder to understand and explaining it usually involves analogies involving Bob, Alice and Eve.

PGP/GPG are really useful tools. They just aren't that easy for regular users to handle.

PGPdisk

This fantastic tool allows you to create an encrypted archive that appears as an extra hard disk e.g. F:\

Any files placed into this disk are encrypted automatically and transparently. The user can act as if using a standard internal or USB drive. In fact you can place the archive on an external drive, which is quite a sensible thing to do.

Unmount the disk and the files are locked. Unlocking the files involves entering a password for the archive or for the private key (if you used it to create the archive).

You can also create self-decrypting archives. This means that the files are bundles into one Exe file. Send this to someone who knows the password and they can extract the files without owning a copy of PGPdisk. The downside to this is that you have to let them know the password in a secure way.

PGPdisk used to be free but this changed and you had to buy the commercial version of PGP to obtain it. Since Symantec bought PGP it's not clear to me whether or not it is still available at all. Free versions for Windows and Mac are still available from the PGPi website, but these are pretty ancient versions.

Windows EFS

Windows Encrypting File System, which is available on the more expensive versions of Windows XP, Vista, 7 and (soon) 8 is very easy to use but it has some significant problems too.

These include the ease with which users can lock themselves out of their computers and data, the complication of backing up an encryption certificate and the fact that the files are not protected while the user is logged in. This means that malware can steal data, even if the thief who stole your laptop cannot.

There is also some confusion over what happens when you copy encrypted files to other disks.

Here's an example of EFS going horribly wrong in a home environment. I encrypt some folders on my laptop. The laptop is shut down and the files are safe. I forget my password and boot the laptop using a password reset tool such as the Offline NT Password & Registry Editor. While I can access all of the unencrypted files, I have sadly lost access to the encrypted ones forever (unless I made a backup of my encryption certificate).

In a similar way, a vandal with access to the laptop could reset the password using the bootdisk mentioned above and then just walk away, having locked me out of my encrypted files.

Businesses and technical users will be aware of the need to backup the encryption certificate and should be able to cope with corrupted systems. They probably also have full, unencrypted backups. The same is unlikely of most home users.

TrueCrypt

The TrueCrypt software provides a relatively easy way to encrypt files, and has some very advanced features. However, it's interface is not as intuitive as some would like.

One really useful feature is its ability to fully encrypt the hard disk, including the boot partition. Anyone who does this will have some technical knowledge and interest, which is just as well because forgetting your password would be disastrous!

Sophos Free Encryption

Sophos Free Encryption provides a similar feature to to one that is provided in PGPdisk. This allows you to create self encrypted archives, a bit like password-protected Zip files.

Winzip, 7z and other password-protected archive tools

It is perfectly possible to store files in password-protected Zip files. This is the quick and easy way to achieve some level of privacy, although it is less convenient that using more transparent tools such as PGPdisk, TrueCrypt or EFS.

For example, finding files on your hard disk is easy when you can use Windows' search tools, Google Desktop or some other method. Searching inside encrypted Zip files, or creating catalogues of them, is a non-trivial task for regular home users.

Some older versions of Zip tools have a vulnerability that allows passwords to be recovered very easily using a variety of free or inexpensive tools.

Suspicious.avi.exe

Last month I wrote about the fact that Windows (XP, Vista and 7) hides file extensions by default. In my view this poses a security problem. Let's illustrate this using a real-life example...

I received a malicious email yesterday that contained a link to a file called bestvideo.avi.exe.

If I was silly enough to download this file then my PC would show the file as being called:

bestvideo.avi.exe

If my default settings were in place (hiding the file extension), then the file would be called:

bestvideo.avi

In both cases, double-clicking the file would run the executable file. In the latter case, a user might expect Windows Media Player to run and to load and display a video file but that's not going to happen.

More than likely the real result would be that the program would run and would make some changes to the system, such as editing the hosts file or downloading further malicious software. Whatever it does, it won't be anything useful.

The Complete Internet Security Handbook 2009

If you want to keep your family safe and your data private then The Complete Internet Security Handbook 2009 is the book for you. It includes the following:

What do you want to protect?
Learn how to manage risk and provide the best protection you can for the people and things you care about the most.

Cyber-criminals
Why do viruses, hackers, spam and fake bank websites exist? Discover the criminal underworld of the internet and find out how the scammers and conmen operate.

Chapter 1: Basic Desktop Protection
Take advantage of Windows' built-in security features and protect your computer for free.

Chapter 2: Viruses
Learn how to avoid viruses, recognise them when they appear and remove infections from your computer.

Chapter 3: Hackers, spies and other criminals
Prevent the bad guys on the internet from gaining control of your computer, internet connection and personal details.

Chapter 4: Spam and how to avoid it
Is your email inbox overwhelmed with annoying messages? We'll show you how to regain control and banish spam forever.

Chapter 5: Protect your child
The internet is a great educational resource, but threats abound. Ensure your kids stay safe online with our comprehensive guide.

Chapter 6: Lost and stolen
Reduce the chances of computer theft and encrypt your files to keep them private, even if they are stolen.

Chapter 7: Accidents and malfunctions
Discover the easiest way to keep your files safe and find out how to recover them if the worst happens.

Chapter 8: Personal privacy
Learn how to prevent your personal data falling into the wrong hands.

Chapter 9: Scams, fraud and hoaxes
Learn how to protect yourself against identity theft, email hoaxes and fake websites designed to steal your money.

BONUS CHAPTER: Wireless networking
They are convenient, but how safe are wireless networks? We show you how to build and bullet-proof your network.

The Complete Internet Security Handbook 2009 is available now from Borders and costs £7.99. It will also be available in WHSmiths from 27/11/2008. Amazon is currently selling it for £6.39 (as of 23/11/2008).

ISBN: 1-906372-18-7
Cover price: £7.99
Edited and (mostly) written by Simon Edwards.

Windows Encryption on USB drives

If you are lucky enough to have a version of Windows XP or Vista that supports Encrypting File System (EFS), you might reasonably expect it to provide protection to files you copy to a USB drive. It won't, though. Probably. If you want to know the details, read on...

The encryption built into some versions of Windows is a handy way to add extra protection to your sensitive files. It is incredibly easy to use and all you need to do is right-click a file, choose Properties, click the Advanced button and tick the 'Encrypt contents to secure data' option.

You can also encrypt folders, which will save you from repeating the above instructions every time you want to encrypt a file. Move a file into an encrypted folder and it will become encrypted automatically.

Using this system will protect your files from unwanted attention should your computer be stolen. You might assume that copying these files to a USB flash drive will result in a secure archive of portable files. However, when you copy an encrypted file from your PC's hard disk to an external drive the encryption might be removed. The (slightly) good news is that Windows will warn you that the encryption is being stripped (see below).

EFS relies on the NTFS file system. If you move or copy encrypted files to a hard disk, floppy drive or USB flash drive that is formatted using a different file system then the encryption will be removed. If you format your USB flash drive with NTFS, instead of using the usual default of FAT or FAT32, then Windows encryption will work.

If you lose your drive and it is found and accessed by someone else, they will see an 'Access is denied' message when trying to open encrypted documents (see below). If the drive was formatted with a FAT file system they would be able to read the files without any problems.

If you want to store encrypted data on a USB flash drive that uses FAT or FAT32, you might consider using encryption software such as Pretty Good Privacy, which can encrypt individual files or create an encrypted virtual drive. Once mounted using a passphrase and/or key, it behaves like another local hard disk. When you unmount it, the data contained inside is secure. PGP is commercial software.

GnuPG is a compatible free alternative, although it does have a similar encrypted hard disk feature. For that you could use TrueCrypt, which will let you create encrypted virtual disks or even encrypt an entire drive.

The following versions of Windows support EFS:

• Windows XP Professional


• Windows Vista Business


• Windows Vista Ultimate


• Windows Vista Enterprise

Alternative encryption software includes:

• Pretty Good Privacy (PGP)



• Gnu Privacy Guard (GnuPG)



• TrueCrypt

Vista Security Bypassed

SecurityFocus has published an interview with two Indian graduates who claim to have developed a new way of attacking Windows Vista.

Essentially, they have found a way to introduce potentially harmful program code to a Vista PC, bypassing all of the available protection and tunnelling in to the kernel. This gives the program virtually complete control of the system.

The code needs to be loaded as the system boots from a CD, flash drive or other media. Removing this media and rebooting the system also removes the program. The researchers claim that the so-called bootkit leaves no trace because it does not place any files on the hard disk.

Hacking a PC with a flash drive

Windows Vista is supposed to be the most secure version of Windows available to the general public. That's probably true, but don't think that means it is impenetrable. A few loopholes have been found in this operating system's protection already, and it has only been available for four months.

That said, the bootkit attack relies on the attacker having physical access to the target PC. This starts to become a physical security issue rather than an operating system one. A long time ago Microsoft published an article called 10 Immutable Laws of Security, which discusses security problems that affect all computers, not just Windows ones. The one to note in this case is:

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Having physical access means he could damage or penetrate your computer in a number of ways, ranging from a low-tech denial of service attack ("smash your computer with a sledgehammer") to stealing a copy of your password files for decryption at his leisure.

The new bootkit technique could be used to attack a PC very quickly, because you could just wander past a PC, plug in a flash drive and press the computer's reset button to infect it. However, you'd probably want to whip the flash drive out again, fast, before innocently walking away from the PC. And should its user reboot for any reason, your efforts may have been in vain.

Windows Vista Firewall Myths

Windows Vista comes with a firewall. This is good news, because it means you don't have to install a third-party software program to stop hackers and automated network attacks connecting to your PC. This pre-installed firewall is more powerful than the one included with Windows XP, which was pretty basic (although effective). It is more powerful because it doesn't just block unwanted incoming connections - it can also control traffic flowing from your PC.

Sounds great, doesn't it? With Windows XP, the firewall only controlled incoming connections and you had to install a product like ZoneAlarm to monitor outgoing traffic. Now you can rely on the software included with Windows.

But wait one second...

While Windows Vista's firewall can control outgoing connections, it doesn't. That is to say, by default it allows all programs to make outgoing connections to the internet. If you have a piece of spyware, or some other bad program running on your computer, it can leak your personal data out to the internet and the firewall won't care. You can use a fairly advanced control panel to lock down the outgoing traffic, but it's not very easy to get a regular working system to run happily this way.

At this point it is only fair to point out that, if some malware attempts to run, the User Access Control system might prevent it from causing a disaster. This is, of course, assuming that you have not disabled UAC in a fit of frustrated fury.

When most of us think about personal firewalls controlling outgoing traffic, we assume that the firewall checks which programs are trying to make a connection to the internet and then allows or denies them by following some simple rules. Preferably it will ask us what it should do first, and then remember our preferences. That's how ZoneAlarm and just about every commercial personal firewall works. But not the one you get in Windows Vista.

Microsoft does produce a firewall that behaves in the way we'd expect. The problem is, you have to pay for it. It is only available with the underwhelming Microsoft Live OneCare product and, considering that the other parts of this package are so disappointing, it seems a bit rich to pay for what we consider to be a basic firewall.

So in the end, despite claiming that the enhanced, new Windows firewall "supports filtering for both incoming and outgoing traffic", sensible users will install better, free options such as ZoneAlarm or turn to the firewall components of their internet security packages.

The Ultimate Guide To Windows Vista

Now available at all good newsagents, this is the only Vista magazine you'll ever need to buy.

This useful and entertaining book/magazine is written by editors from PC Pro and Computer Shopper magazine.

Why am I blogging about this? Because I wrote the security chapters and the bits about Internet Explorer 7.

• Install Vista in minutes


• Make Windows faster


• Explore new features


• Keep safe online


• Let Vista entertain you


• Wireless networking