Microsoft outFirefoxed?

So there I was trying my best to get a midlevel Microsoft manager to take the bait.
“Does Microsoft now feel confident it’s found a way to slow the rise of Firefox–maybe even win back some lost customers?”

Earlier in the day, Microsoft Chairman Bill Gates was onstage at the RSA Conference in San Francisco to unveil a beta of an updated version of Internet Explorer, a Web browser that’s been begging for new security features–let alone a facelift–for ages.

Microsoft promoted the introduction as a big deal. Naturally, I thought my interlocutor would jump at the opportunity. C’mon, I thought, run some jive about how IE is all ready to rout those pests from the Mozilla Foundation once and for all.


Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com

Instead I was left high and dry. All I got was marketing mumbo-jumbo about how the company strives to do good by its customers and that’s the ultimate payoff–and so on and so forth.

Maybe that’s the standard PR practice “going forward,” as the jargon-meisters are wont to say. But Microsoft wasn’t always so reluctant to speak frankly. In fact, the company was damn good at sticking it to the competition.

During the early 1990s rivalry with IBM’s OS/2, Microsoft pulled out all the stops to make sure reporters were convinced the world was a better place because of Windows. Microsoft’s marketing prowess came in handy because IBM had a better product. The reason OS/2 failed was because Big Blue was utterly inept at making its case.

Company executives were too high-minded to call a spade a spade. Instead, IBM excelled at putting reporters to sleep with mind-numbing recitations of all its customer advantages. Maybe it was a corporate culture thing, but Microsoft was faster, smarter and meaner–and it paid off. Management knew what was on the line: nothing less than control of the PC desktop and the potential billions of dollars in future revenues that would accrue to the winner.

A similar scenario played out later in the decade during the so-called browser wars. Microsoft executives had no compunctions about trashing Netscape–publicly or privately–to reporters. (Was it really true that Marc Andreessen was “a cheeseburger-addicted frat boy,” as I recall hearing during one singular briefing back then?)

Again, the stakes were high. Netscape sought to replace Microsoft Windows with its Navigator Web browser as the de facto application development platform for personal computers. Had the strategy succeeded, Gates and Microsoft CEO Steve Ballmer today would be pumping gas for a living.

History obviously worked out differently. IE ultimately caught up and then surpassed Navigator. The company’s aggressiveness also ran afoul of antitrust statutes and Microsoft wound up in a drawn-out court battle with the U.S. Justice Department.

Firefox poses the latest challenge. The Mozilla folks say they have registered more than 25 million downloads since the release of Firefox 1.0 last November. Not too shabby a performance, even if some of those 25 million happen to be multiple downloads. Full disclosure: Yours truly switched from IE to Firefox last fall and hasn’t regretted the decision for a second.

Microsoft’s brass remains low-key, but the competition from Firefox is forcing the company to step things up. The beta version of IE 7 for XP SP2 will be ready later this summer. For Microsoft, which fought tooth and nail over the years to keep the browser fused to the Windows operating system, this is quite a big deal.

It’s a gamble, but it’s also a sensible idea. The next version of Windows is due out sometime in 2006, and Microsoft is notorious for missing shipping dates for the release of operating systems. Microsoft can’t wait another two years to answer the challenge from Firefox. But if the interim browser update fails to stem the tide, get ready for a flood of verbal pyrotechnics coming out of Redmond.

Microsoft Dynamics AX Positioned as a Leader in Magic Quadrant for ERP for Product-Centric Midmarket Companies

Microsoft Corp. announced that Microsoft Dynamics AX is positioned as a Leader in the Magic Quadrant for ERP for Product-Centric Midmarket Companies 2010, a research report published by Gartner Inc. In the same report, which this year evaluated global enterprise resource planning (ERP) products specifically tailored for companies with 100 to 999 employees, and with annual revenue between $50 million and $1 billion, Microsoft Dynamics NAV is recognized as a Niche Player.



Microsoft Dynamics AX has a long track record of customer success and has experienced above-average growth rates in the midmarket. The solution features a friendly, easy-to-learn and easy-to-use Microsoft Office-like user interface, and RoleTailored dashboards. Microsoft Dynamics AX further provides a flexible architecture and solid foundation for partners to develop vertically specific solutions.

“We believe being recognized as a Leader demonstrates our commitment to enabling dynamic businesses,” said Crispin Read, general manager of Microsoft Dynamics ERP, Product Management Group, at Microsoft. “Our focus on simplicity, value and agility is key to maintaining our position as a leader in the ERP industry.”

Microsoft’s broad partner ecosystem provides a wide variety of individual solutions built on Microsoft Dynamics NAV, a highly configurable solution, to serve the specific needs of local and industry-vertical customers.

While Microsoft Dynamics NAV is targeted at midsize organizations with specialized and locally relevant business needs, Microsoft Dynamics AX supports global midsize and larger organizations operating in multiple locations, as well as organizations looking for a single ERP solution to manage subsidiaries, divisions and branch entities while maintaining a separate headquarters solution.

Organizations around the world benefit from Microsoft Dynamics ERP solutions:

Microsoft Dynamics AX

- Patagonia, a global provider of outdoor apparel and gear, worked with Microsoft Gold Certified Partner Sunrise Technologies to implement Microsoft Dynamics AX 2009. Together with the partner solution, Patagonia was able to cut costs associated with growth by two-thirds, improve inventory turns by up to 30 percent and fill by up to 10 percent, respond quickly to changing market demands and trends, eliminate redundant data entry and manual tasks, and enable business managers to now receive forecast results in one day that before used to take a couple of weeks to reach them.

- Peet’s Coffee & Tea, a premier specialty coffee and tea company in the United States that is poised to sustainably manage its significant growth, increased transaction traffic across multiple channels, improved reporting capabilities and Federal Drug Administration and Securities and Exchange Commission compliance, and started receiving meaningful, accurate information with a combined solution using Microsoft Dynamics AX and Junction Solutions.

Microsoft opens new PM career path

There’s a new IT career path at Microsoft Services for project management professionals, spelling potential for 150 new project management positions paying “in line with the industry,” according to Christian Jensen, worldwide PMO program manager at Microsoft.

The new role, available to both internal and non-Microsoft employees, also indicates that project management expertise within the consulting industry is in more demand than ever. That’s because those interested in the jobs (search on project management at Microsoft.com/careers), or consultants considering expanding client services to compete with Microsoft’s new service branch, will need to have the Project Management Professional (PMP) Certification from the Project Management Institute (PMI).

Consulting division prompted new role
Last January, Microsoft chose PMI’s PMP certification program as its certification choice for the consulting aspect of Microsoft Services.

The PMI program beat out notable competitors, such as the CompTIA IT Project + and the International Project Management Association’s Certificated Project Manager and Certificated International Project Manager.

Microsoft’s consulting arm, where the new PM positions live, employs 4,000 of Microsoft’s nearly 55,000 employees.

In creating its PMI relationship, Microsoft joins the ranks of other corporations such as Unisys Corporation, KPMG, IBM, and AT&T that officially recognize the PMP as the official certification for project management professionals.



Microsoft said it went with the PMP because of its global distinction. The PMI has more than 100,000 members in 125 countries, 54,000-plus of whom have the PMP, according to a PMI spokesperson.

The new positions
Microsoft Services’ project management title developed out of a need to meet the increasing demands of customers. Previously, product managers filled the PM role, but as more project teams required greater project management expertise, the company decided to create four new PM job grades, according to Jensen.

The job levels, Project Manager I to Project Manager IV, have specific responsibilities, roles, and training requirements, as outlined below.

Project Manager I
Responsibilities:

* Manage teams of up to five people, or the equivalent of $500,000 in time and materials from project revenue
* 65 percent of time spent on projects
* 20 percent on proposal development
* 15 percent on mentoring

Training/Experience:

* Microsoft Solutions Framework (MSF)
* PMI Certified Associate Project Management
* Project Management Basics for Team Leads (PMBTL)
* Project Management for IT Professionals
* Microsoft Project Fundamentals
* Performance Xcellence/Problem Solving Methodologies (Six Sigma)
* Up to 5 years managing projects

Project Manager II
Responsibilities:

* Manage teams of up to 10 people, or the equivalent of $1 million in services revenue
* 60 percent of time spent on projects
* 20 percent on proposal development
* 15 percent on mentoring
* 5 percent on quality improvement

Training/Experience:

* PMI Certified Project Management Professional
* Advanced Areas of Knowledge in Project Management
* Fundamentals of Six Sigma
* Up to 10 years managing projects

Project Manager III
Responsibilities:

* Manage teams of up to 20 people or the equivalent of $2 million in services revenue
* 55 percent of time spent on projects
* 25 percent on proposal development
* 15 percent on mentoring
* 5 percent on quality improvement

Training/Experience:

* PMI Certified Project Management Professional
* Six Sigma and Project Improvement
* Up to 15 years managing projects

Project Manager IV
Responsibilities:

* Manage teams of up to 40 people or the equivalent of more than $2 million in services revenue
* 50 percent of time spent on projects
* 15 percent on proposal development
* 15 percent on mentoring
* 20 percent on quality improvement

Training/Experience:

* PMI Certified Project Management Professional
* Enterprise Programs for Project Management
* More than 15 years managing projects

Jumping on the career track
To get on the project management career track, candidates need to be extremely technical and have obtained at least a senior consultant designation at Microsoft Services. The senior consultant has three distinct career paths—management, technical, or project management.

Microsoft employees are able to get on the PM career path by working with their manager and Microsoft’s Global Skills Profiler, a tool in its Microsoft Professional Development Framework. The framework is used by full-time, part-time, or temporary Microsoft employees.

The Global Skills Profiler assesses people across nine project knowledge areas with zero to four ratings. First, the worker does a self-assessment, and then the manager evaluates the employee. The two scores are compared and contrasted to arrive at an agreement that helps the worker identify strengths and weaknesses and lay out a career development path, including the steps necessary to achieve it.

Going for the PMP
One of those steps for getting hired as a PM grade II to IV is achieving the PMP—described as “an arduous process” by manager of professional development programs at PMI, John Roecker, E.D.D.

First, PMP candidates have to verify, via essay questions, the number of years of experience they have in nine knowledge areas and five process areas of the PMBOK, the PMI’s tome of project management knowledge. Each year, a set of applications is randomly selected and audited to keep applicants on the straight and narrow.

Then the applicant must study for a four-hour test. Classes offered through local, independently incorporated PMI chapters can cost $1,000 for 40 hours of classroom time, said Roecker. Applicants are also given extensive homework and advised to study the PMBOK guide.

Finally, the applicants sit for the PMP certification test, which costs $405 for PMI members, $555 for nonmembers. (A membership to the PMI is $119 annually.)

Project management pay
While Microsoft’s Jensen declined to reveal the pay scale for the four project management employment grades, he said, “Each package would be really tailored to the individual” and includes a base salary, performance rewards, equity investment/stock perks, and even an automobile, in some countries.

According to a PMI 2000 survey, professionals who obtained the PMP made a mean total of $5,000 or six percent more on average than those without the certification on a global basis. In the United States, the mean differential in wages for those with and without the PMP was $9,000, or 10 percent.

Pros and cons of the Microsoft PM career
The time and labor commitment to the PM career path shouldn’t be taken lightly, and the new PM job role at Microsoft should also be given serious consideration. Microsoft’s Jensen is quick to share both the up and downsides of a career as a PM at Microsoft.

Along with the potential for extra earning power, a PM at Microsoft can enjoy the support of colleagues in ways not offered at other companies. Microsoft has a Services Business Management Process portal where all consultants can go to access records on consistent and repeatable processes.

“Wherever you are in the [project development] process, the consultant can go there and grab the tools and resources they need to support the place that they’re at in the process at that time,” said Jensen.

Two sets of frameworks are available to support the consultants: the Microsoft Solutions Framework, used in the development and delivery of a solution, and the Microsoft Operations Framework, used after a solution is delivered to provide service-level and operational agreements to sustain the version of the project that Microsoft has rolled out to the customer.

While all that support is certainly helpful in an employee’s day-to-day work, there are inevitable, unpredictable hiccups of doing business on a global level.

The difficult parts of the job happen when unexpected organizational changes arise, such as an executive project sponsor leaving. Bankruptcies and political upheavals also add to a project’s uncertainties and a PM’s stress level.

“That’s a challenge, and sometimes we don’t know that those will be coming,” said Jensen. “I don’t think a lot of us expected Enron or Kmart. But we have a continuous risk management process, so some of those things we can see in the near future.” That’s definitely more than a lot of companies offer—an early warning shot about potential trouble spots with clients.

From an outsider’s perspective, working with Microsoft on establishing its project management career path has been exciting and rewarding for Roecker.

“I have really enjoyed working with Microsoft as we have developed the professional development program, being rolled out internally to all their project managers,” said Roecker. “To go beyond that…we will be growing the relationship with Microsoft.”

Microsoft discloses new threats to Windows, IIS, and Outlook Express

In addition to the critical security threats from Microsoft that I covered in last week’s column, the Redmond software giant has also issued a flurry of medium-level security threats that Windows administrators need to be aware of.
Details

MS04-018, “Cumulative Security Update for Outlook Express,” is caused by a failure of Outlook Express to properly handle some specifically malformed e-mail headers. This is a DoS threat and Microsoft reports having seen published exploits but hasn’t received any reports from customers that have been compromised by the exploit. This threat is covered by CAN-2004-0215.



MS04-019, “Vulnerability in Utility Manager Could Allow Code Execution,” is a local elevation of privilege threat that can’t be exploited remotely. MBSA will report if your system needs this update and Systems Management Server (SMS) can help deploy it.

MS04-020, “Vulnerability in POSIX Could Allow Code Execution,” is an unchecked buffer vulnerability in the Portable Operating System Interface for UNIX. MBSA will report if your system needs this update and SMS can help deploy it. This threat is covered by CAN-2004-0210.

MS04-021, “Security Update for IIS 4.0,” is a buffer overrun vulnerability in the redirect function that can allow remote execution. MBSA will report if your system needs this update and SMS can help deploy it. This threat is covered by CAN-2004-0205.

MS04-024, “Vulnerability in Windows Shell Could Allow Remote Code Execution,” replaces MS03-027 for Windows XP (but not for the other affected operating systems). This threat is covered by CAN-2004-0420.
Applicability

MS04-018 applies to all versions of Outlook Express from 5.5 through 6, including operating systems from NT 4.0 through Windows Server 2003.

MS04-019 affects all versions (and all Service Packs) of Windows 2000.

MS04-020 affects all versions of Windows NT 4.0 and all versions of Windows 2000 (and all its service packs).

MS04-021 affects Windows NT Workstation 4.0 Service Pack 6a and Windows NT Server 4.0 SP6a (but only with IIS installed as part of the NT 4 Option Pack).

MS04-024 affects all versions of:

* Windows NT 4.0
* Windows 2000
* Windows XP
* Windows Server 2003

Windows 98, 98 SE and ME may be affected by all of these threats, but since none of these flaws are a critical threat to those operating environments, updates are not provided by Microsoft (which limits support for discontinued operating systems to critical-only updates).
Risk level – Important to moderate

MS04-021 and MS04-024 are both remote code execution vulnerabilities that allow a remote attacker to run arbitrary programs and take complete control over the vulnerable systems. I would rate these as critical rather than the moderate rating Microsoft has given them.

MS04-020 is a local elevation of privilege threat and can’t be exploited remotely or without detailed information about the system and access to it.

Although MS04-019 can allow someone to take complete control over a system, it is rated a moderate threat because it can only be exploited locally by a legitimate user. This is not a remotely executable threat or one that could be executed by a complete stranger.

MS04-018 is considered only a moderate denial of service threat because successful execution would cause only Outlook Express to fail, not the operating system or other applications.
Fix – Apply the patches/updates provided

Please check the Microsoft bulletins before taking any action on these vulnerabilities, because several of the bulletins have been updated multiple times.

A partial workaround for MS04-018 is to disable the preview pane (View, Layout, and uncheck View Preview Pane). This doesn’t completely remove the threat, but it does make it easier to remove the offending message.

There is no workaround for MS04-024.

As mentioned above, Windows 98, 98 SE, and ME are no longer supported except for critical threats, so no patches are available for those operating systems. Windows NT Workstation 4.0 has also just passed out of normal support, but Microsoft already had a number of these patches prepared for that operating system and has included fixes for it in these updates.
Warnings

MS04-019 (Utility Manager bulletin) – In addition to fixing the vulnerability, applying this update will eliminate access to context-sensitive help from the Utility Manager.

MS04-021 (IIS 4.0) – There is apparently a problem updating with the ISAPI filters running (see knowledge base article 873401). That’s what Microsoft says. Actually the problem is a complete crash-and-burn, so I’d pay attention to this knowledge base article if I were applying this patch. The IISLockdown tool installs URLScan and will protect against this vulnerability. See the workarounds section of the Microsoft bulletin for directions on configuring the tool. Also, the workaround using URLScan will block all incoming requests larger than 16K. IIS can be disabled or stopped in IIS Manager or removed, but this will also block other Internet services, such as the IIS SMTP service.

MS04-024 (Windows Shell) – ActiveX features may be limited by some of the recent IE patches, and this patch refines some previous changes in IE 6 Service Pack 1 that may prevent other cross-domain vulnerabilities. The update can prevent attackers from moving code execution from the Internet Zone to the more permissive Local Machine security zone.
Final word

As for the problem in Outlook Express, MS04-018, I don’t believe this software belongs on any business system. In fact, I don’t even use the full version of Outlook because it is tied to, or is the source of, so many vulnerabilities. Thus, my personal best practices would have avoided this problem entirely. None of my clients use Outlook Express and if any of them use Outlook, it is against my advice.
Also watch for …

* Secunia has released an advisory for an unspecified mod_ssl 2.x (mod-proxy) threat in Apache that the security vendor has rated as highly critical because of the widespread critical applications in which Apache is used. No further details were available but the vendor that reported the threat recommends immediate update to version 2.8.19-1.3.31.
* Beagle/Bagle is once again showing its teeth. Fast-spreading and virulent, the latest incarnation of Beagle/Bagle (the one known as Beagle.AG at Symantec) has its own SMTP mail engine and opens a backdoor at TCP 1080.
* According to a CNET news.com report, the new Atak mass-mailing worm actually watches for antivirus software activity and, when it begins a scan, Atak shuts down so it won’t be discovered. It doesn’t carry a dangerous payload but Atak is part of the new generation of worms that are intended to spread spam. F-Secure’s lead virus specialist says that while many viruses and worms attempt to hide, this one is exceptionally good at it.
* In the “it had to happen someday” category, you can now place bets (they are actually a kind of futures options) on an Irish sports betting site (tradesports.com) about when the next big worm or virus attack will take place. See this ZDNet UK story for more details and get your bets down early!
* There is a Gentoo php update that is rated highly critical. It addresses two apparently unrelated vulnerabilities that can allow an attacker to completely compromise a system. See the full advisory here. Another moderately critical vulnerability in Opera for Gentoo Linux 1.x has been patched. The impact of this threat is phishing related. See this Gentoo-announce report and this Gentoo Linux Security Advisory for more details.

Microsoft’s blast from the past

A year ago, the author of the MSBlast computer worm taunted Microsoft with a message in the fast-spreading program: “billy gates why do you make this possible? Stop making money and fix your software!!”

Bill Gates and company apparently took up the challenge. On Friday, Microsoft released to PC manufacturers Windows XP Service Pack 2, an update aimed at locking down customers’ computers. SP2 took more than nine months to complete and contains significant security changes to the flagship operating system.

Microsoft’s overhaul of the software underwent a fast shift in direction–from a focus on features to an overwhelming concentration on security–after the rapid spread of MSBlast last summer threw doubt on the operating system’s protections.



The worm compromised more than 9.5 million Windows PCs by exploiting a flaw in the software that not many customers had actually patched, even though Microsoft had made a fix available.

“This time last year was a really exciting time,” said Amy Carroll, director of product management in Microsoft’s Security Business and Technology Unit. “There wasn’t a lot of sleep involved.”

The MSBlast worm hit the Internet on Aug. 11, 26 days after Microsoft published a patch for the vulnerability that the worm used to spread. But many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would emerge from the security hole. The result: The malicious program caused enough havoc to play some part in a major power failure that affected as many as 50 million homes in the United States and Canada, though it did not cause the outage.


A year later, the release of SP2 means that Carroll and her Redmond cohorts may get at least a few hours more winks. Through changes to the Windows XP code and configuration, the update adds better security to the operating system’s handling of network data, program memory, browsing activity and e-mail messages.

Some security companies are tentatively hopeful that the XP software fix will bolster security in the average PC.

“It is probably too early to say whether SP2 will meet its promise,” said Alfred Huger, senior director of engineering at Symantec, a security company. “That said, it’s a great step in the right direction. We still have all the same fears as before, but we are in a better place to deal with them.”

Those that install the update will be better protected against MSBlast-type network worms. The security revamp has multiple layers of redundancy that would have stopped MSBlast and the more recent Sasser worm from spreading, Microsoft’s Carroll said.

For example, the flaw in the Remote Procedure Call (RPC) component in Windows that allowed MSBlast to spread has now been fixed, she said. Even if it hadn’t, SP2 has an automatic update feature that would have installed the Microsoft patch before MSBlast propagated. Then, if a user turned off that update feature, SP2’s improved firewall would have blocked the worm. And if the firewall had been turned off, Microsoft has changed the way that Windows XP interacts with such viruses, so that MSBlast’s attempts to infect computers would have failed.

“There is a whole cascade of defenses that make the operating system more resilient overall,” Carroll said.

Now Microsoft has to persuade consumers and corporate network administrators to apply the SP2 changes. The company has repeatedly learned that customers are less than assiduous about applying updates to their systems. The Slammer worm, which exploited a 6-month-old security hole in Microsoft SQL Server, spread widely because many companies failed to patch the flaw during that half-year.

“This is the most secure version of Windows that we have shipped yet,” said Carroll, who issued a plea for customers to apply the patch. “That said, it is not a ‘silver bullet,’ and we are doing a lot of other things to address security.”

Complicating matters, the update could cause problems with corporate homegrown applications, Microsoft has acknowledged. IBM, for one, has told employees to wait for the go-ahead from management before installing the update. To allow companies time to test how the update will affect their users, Microsoft has published a tool to enable businesses to block people from downloading and installing the update.

Giving companies a choice is one of the lessons learned by Microsoft. A handful of major worm and virus attacks in the past three years have taught the software giant that security is not simple. The result is that the company pushes for security on multiple fronts.

The Code Red and Nimda worms led the company to embark on its 10-year Trustworthy Computing initiative, designed to focus Microsoft employees on building better security into products and on improving customer response. The Slammer worm convinced the software giant to stress patching and to find ways to defend systems that are not patched. And the MSBlast worm helped lead Microsoft to create Service Pack 2 and to finance a reward program for informants who help pinpoint virus writers.

Although it is harder to create network worms that can penetrate Windows XP SP2’s defenses, it can be done, Symantec’s Huger warned.

“It would stop the old MSBlast. I don’t know if it would stop a new one,” he said. “This isn’t the end of the network worm, but it makes more sense (for attackers) to focus on other methods.”

Security researchers are already picking apart SP2, looking for flaws. Thor Larholm, a senior security researcher with PivX Solutions, downloaded the software last Friday and continues to analyze it. The true test for the update will likely come in the next few months, once those researchers’ efforts bear fruit.

“Give it a few weeks, or a few months, and you will see the first vulnerability announcements regarding Service Pack 2,” Larholm said.

Vim offers strong file encryption with Blowfish

2010 saw the release of version 7.3 of the Vim text editor. Vim was originally written by Bram Moolenaar in 1991. While it has not been around nearly as long as Berkeley vi — the model on which Vim was based — it is a venerable mainstay of many developers’ toolkits.



Vim has offered built-in support for file encryption for a long time, as long as it is built with the cryptv compilation option. This made working with encrypted files incredibly easy and transparent — almost entirely unnoticeable, in fact. Unfortunately, Vim file encryption suffered one major problem: it used PKZIP-compatible encryption, which is not the strongest encryption available.

As of Vim version 7.3, the editor now supports Blowfish encryption. Bruce Schneier created the Blowfish cipher to fill the need for a replacement for the aging and increasingly vulnerable DES cipher, releasing it in 1993 and declaring that he would never subject it to restrictions on use and implementation:

Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone.

No truly effective cryptanalysis of the Blowfish cipher has been confirmed to date, a good sign after longer than seventeen years of heavy testing and use. It is one of the strongest ciphers available to the general public and, unlike ciphers that have been developed in part by the NSA, there is little reason to fear that it is subject to any intentionally included “backdoor” vulnerabilities.

To determine whether the Vim package you have installed on your OS of choice has been built with the cryptv option, enter the vim --version command at a shell prompt. If the string +cryptv appears in the output under “Features included (+) or not (-):”, your Vim binary has been built with support for file encryption. If your Vim version is 7.3 or later, it should use Blowfish encryption.

On a typical Unix-like system, you may want to filter for the +cryptv string:

vim --version | grep +cryptv

The result, using the grep utility, should look something like this:

+conceal +cryptv +cscope +cursorbind +cursorshape +dialog_con_gui +diff

Assuming it has been built with file encryption support, working with file encryption in Vim is so easy as to be nearly second nature to a habitual Vim user. To open a plain text file or create a new one, you would normally enter a command at the shell like this:

vim filename.txt

The exacting, complex, highly difficult and dangerous version that tells Vim you want to encrypt the file when you save it looks like this:

vim -x filename.txt

Once Vim has encrypted a file, you never need to use the -x option when opening that file again; Vim recognizes the VimCrypt~ header it writes at the start of every encrypted file, prompts for the key, and does the right thing. Using the -x option when opening a file that Vim has already encrypted does not hurt anything, though.

Because Blowfish is a symmetric key cipher, the same key is used for both encryption and decryption. When Vim opens a file with the -x option, the first thing it does is ask you for the key that will be used to encrypt and decrypt the file, with this prompt:

Enter encryption key:

After entering the key, you will then be asked to confirm the key, to ensure you did not mistype it.

Enter same key again:

From that point on, Vim behaves exactly as it always has, as far as the user can tell. When you save and exit, there will be an encrypted file on disk containing the secret data you put in it. When you open the file with Vim again, the editor asks for the key needed to decrypt it; once open, you can edit the file just as you would any other, and when you save it, it is encrypted again. Inside the editor, :X sets or changes the key for the current buffer and :set key= clears it, so that the next write produces plaintext. Vim stores the key nowhere; if you forget it, the file is gone.

Of course, you will probably want to keep Vim from littering your disk with swap, backup and undo files while you work on an encrypted file. One of the benefits of letting Vim handle encryption directly is that you never have to write a decrypted copy to disk, edit it and re-encrypt it afterwards. Vim 7.3 does encrypt the swap file and the persistent undo file as well, but it does so block by block, which Vim's own documentation warns can make the key easier to crack, and the viminfo file (registers, search history and the like) is not encrypted at all. Turning those side files off is therefore still the safe choice.

You can do so by creating a special vimrc file, though you will not want to name it .vimrc, since Vim would then load it every time. Call it something like .encrypted_vim_rc and pass it with Vim's -u option:

vim -u ~/.encrypted_vim_rc -x filename.txt

That is a bit of a mouthful to type every time you want to work with an encrypted file. A shell alias, such as a vimenc alias that runs vim with that set of command line options, will help. How you set aliases depends on your shell. In tcsh, for instance:

alias vimenc "vim -u ~/.encrypted_vim_rc -x"

In bash, it would look more like this:

alias vimenc="vim -u ~/.encrypted_vim_rc -x"

With the alias in place, vimenc filename.txt is all you need to type to open a file (whether Vim has already encrypted it or not), encrypt it on save, and avoid leaving plaintext behind in swap or backup files while the editor is open. Of course, for this to work you need the .encrypted_vim_rc file. It will not write unencrypted data to disk if you include the following in that configuration file:

set nobackup
set noswapfile
set nowritebackup

Note that the -u option makes Vim skip all of its other initializations, including your normal vimrc. If you want Vim to use the complete set of configuration options it normally sources, use the source command in .encrypted_vim_rc to pull in your usual vimrc as well, so that the special configuration file loaded by the vimenc alias contains these lines:

source ~/.vimrc
set nobackup
set noswapfile
set nowritebackup
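The pieces above (the +cryptv check, the special rc file and the vimenc alias) pulled together as one small POSIX sh script. This is an added example, not code from the original article or from the Vim project; it assumes vim is on PATH, that the rc file lives at ~/.encrypted_vim_rc as in the text, and the function names vim_has_cryptv, write_encrypted_rc, vim_crypt_method and vimenc are chosen here. It goes a little beyond the article: it selects Blowfish explicitly, since Vim 7.3 otherwise defaults to the weak zip method, adds two more settings to the rc file, and reads back the 12-byte VimCrypt~ header Vim writes so you can confirm which method actually protected a file.

```sh
#!/bin/sh
# Added example: wrapper for encrypted editing with Vim 7.3 or later.
# Assumes a POSIX sh, vim on PATH, and the rc path used in the article.
RC="$HOME/.encrypted_vim_rc"

# True if this Vim binary was built with encryption support (+cryptv).
vim_has_cryptv() {
    vim --version 2>/dev/null | grep -q -- '+cryptv'
}

# Write the special rc file. Besides the three settings from the article it
# also disables persistent undo and the viminfo file, both of which would keep
# fragments of the text (undo history, registers, search history) outside the
# encrypted file. Your normal vimrc is sourced only if it actually exists.
write_encrypted_rc() {
    cat > "$1" <<'EOF'
if filereadable(expand('~/.vimrc')) | source ~/.vimrc | endif
set nobackup
set noswapfile
set nowritebackup
set noundofile
set viminfo=
EOF
}

# Classify a saved file by the 12-byte magic Vim puts in front of encrypted
# text: "VimCrypt~01!" is the PkZip-style zip method, "VimCrypt~02!" is
# blowfish, "VimCrypt~03!" is blowfish2 (Vim 7.4.399 and later).
vim_crypt_method() {
    magic=$(dd if="$1" bs=12 count=1 2>/dev/null)
    case "$magic" in
        'VimCrypt~01!') echo zip ;;
        'VimCrypt~02!') echo blowfish ;;
        'VimCrypt~03!') echo blowfish2 ;;
        *)              echo plaintext ;;
    esac
}

# Open FILE for encrypted editing: private rc, prompt for the key (-x), and
# select Blowfish explicitly because 'cryptmethod' still defaults to zip.
# After the editor exits, report which method the saved file really uses and
# warn if it is still the weak zip method.
vimenc() {
    [ $# -eq 1 ] || { echo "usage: vimenc FILE" >&2; return 2; }
    vim_has_cryptv || { echo "vimenc: this vim lacks +cryptv" >&2; return 1; }
    [ -f "$RC" ] || write_encrypted_rc "$RC"
    vim -u "$RC" -x -c 'set cryptmethod=blowfish' "$1" || return
    if [ -f "$1" ]; then
        method=$(vim_crypt_method "$1")
        echo "vimenc: $1 is $method" >&2
        if [ "$method" = zip ]; then
            echo "vimenc: WARNING: weak zip method in use" >&2
        fi
    fi
    return 0
}
```

Source the script from your shell startup file and vimenc secrets.txt replaces the alias; vim_crypt_method on its own is a quick way to audit a directory of files that are supposed to be encrypted and catch any that were written with the zip method or never encrypted at all.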

Unfortunately, Vim's built-in encryption support is not well suited to sharing encrypted files with others, because its only strong method is the Blowfish cipher. Blowfish is great, but it is a symmetric key cipher, not a public key cipher: whoever you share the file with must have the same key, and you need a separate secure channel to get it to them. It is fine for single-person file encryption tasks but less so for sharing files with others, and that is where external tools must be used alongside Vim to manage file encryption.

Secunia PSI now has Auto Update

I would like to side-step all pretenses about how and why software is flawed. And, instead, focus on what we can do to protect ourselves from the vulnerabilities caused by the flaws. Have you heard: “Make sure your software programs are up to date?” It’s becoming a tired mantra, but alludes to one of the best ways to stay safe online.



Not so simple

Keeping updated seems simple enough, but becomes complicated when put into practice. Questions occur. For example:

* How do I know if a program is up to date?
* How often do I need to check for updates?

Some software companies cover the questions by having an automated client application and scheduled updates. Microsoft, for instance, uses Windows Update to roll out patches the second Tuesday of every month. If there is a serious problem, Microsoft will issue an out-of-sequence patch.

Google is another example. The Chrome web browser automatically updates in the background without any user interface.

Unfortunately, Microsoft and Google are the exception. Other software developers tend to update at their convenience or when a major issue surfaces. Which raises the question: How are we supposed to know when that is?
Secunia

One company makes it their business to know. That company is Secunia. They have developed scanners for the corporate world and a freeware version for consumers called Personal Software Inspector (PSI). It is reassuring to fire up PSI and check whether programs are up to date. If not, PSI will offer suggestions on what to do. It works well, if you remember to run it.

Having to run it manually is the chink in PSI's armor. Without automation, the process tends to be hit or miss.
Auto Update

That has changed with version 2.0 of PSI. Jakob Balle, VP of Product Development for Secunia, describes the new update feature:

“Secunia aims to solve this problem with Secunia PSI 2.0, featuring updates that are truly automatic. In the sense that, if the user prefers, Secunia PSI 2.0 can install most security updates without requiring the user to download, run, or otherwise perform manual actions to patch their PC.”

Secunia received a vote of confidence on PSI 2.0 from the Online Trust Alliance:

“The Online Trust Alliance applauds the launch of the Secunia PSI 2.0. OTA has been working with Secunia for over two years to develop best practices and solutions.”
Installation

Downloading (less than 2 MB) and installing PSI is painless. The installer is also one of two places where you configure the auto-update feature.

The next thing PSI asks is whether you want the tray icon to show all the details.

If you are a current PSI user, you will notice the user interface has changed dramatically. I asked several system admins what they thought about the new interface. All commented it was an improvement.

Alternative settings

Advanced users may not like having programs update automatically. Having thought of that possibility, Secunia offers the choice of only allowing updates to install with user approval.

Final thoughts

I asked the same system admins what they thought about Secunia overall. To a one, they said it was one of few applications that has never disappointed them. I tend to agree.

The 10 hottest checklists, forms, and templates of 2010

This year, we added hundreds of resources to the TechRepublic downloads library, including PDFs detailing the latest technologies, problem-solving techniques, and tips for handling tasks efficiently. We also updated a few favorite custom tools and introduced some new ones. Among the biggest crowd-pleasers were several checklists designed to help you systematically address tasks ranging from server deployments to virus removal to project risk management. Here's what you liked best in 2010.



1: Workstation Tune-up Checklist

Optimizing a slow-performing system requires a number of diagnostic and repair steps, often with interruptions along the way. This basic checklist will help you cover all the bases.
2: Virus & Spyware Removal Checklist

Eliminating malware requires a systematic process with no missed steps. This checklist will make it easier to do an effective, thorough job.
3: Definition Template for Smaller Projects

The first step in project planning is to define the work. This template will help you create a definition document to guide you through small to medium-size projects.
4: Project Action Item Log

Tired of meetings where the follow-up actions fizzle? Want to see a little more accountability so your projects actually get done the right way — and on time? This simple form will help you keep track of who’s supposed to handle what.
5: Network, PC, and server audit checklist

IT consultants can complete the fields within this checklist to catalog critical client network, workstation, and server information, identify weaknesses and issues that must be addressed, prioritize the issues the checklist reveals, and assign cost estimates to needed upgrades and repairs.
6: Server Deployment/Migration Checklist

One configuration error or overlooked step can send your server deployment off a cliff. This simple checklist will help you complete the process efficiently and avoid costly mistakes.
7: Computer Hardware Inventory List

When you’re troubleshooting hardware problems, you need to know the make and model of the equipment you’re dealing with. But if you’ve never worked on the PC before, that can be a challenge. This update of our hardware inventory list will make it easy to record the necessary details for quick reference.
8: Telephone Interview Cheat Sheet

Speed up the hiring process by making the most of phone interviews. This cheat sheet can serve as a template for all your phone interview needs.
9: Daily Security Checklist

Hacking is a 24/7 business, but not everyone can afford 24/7 security managers. This checklist covers tasks you can perform every day to help safeguard your network even without a round-the-clock security staff.
10: Project issue submission form

Attempts to track the problems that arise in the course of a large project can quickly get out of hand. This simple form makes it easy to record the key aspects of a problem so that everyone knows how it may affect the project, who’s in charge of fixing it, and how and when it’s resolved.

The 10 elite smartphones of 2010

With the rise of Android, the reboot of BlackBerry, and the redesigned iPhone, 2010 can rightly be called the year of the smartphone. After reviewing nearly all of the top devices, here is my countdown of the best devices of the year.


10. BlackBerry Torch

BlackBerry came under intense pressure in 2010 from the rapid growth of iPhone and Android. The smartphone incumbent fired back with the release of the BlackBerry 6 OS and a new form factor with a slide-down keyboard in the BlackBerry Torch. The device is a bit underpowered, the OS isn’t a huge step forward, and overall it hasn’t been enough to stem the losses to Apple and Google. But, there are still a lot of BlackBerry fans out there — not to mention all of the enterprises locked into BlackBerry — and for them, the Torch is now the pre-eminent device on the market.
9. Motorola Droid 2

This shows how much progress the smartphone market has made in one year. Last year, I would have ranked the original Motorola Droid and the Apple iPhone 3GS as the two best smartphones on the market. This year, the Droid got a very nice upgrade but still struggled to make the top 10. Still, due to its increased specs, solid build quality, and very usable form factor, the Droid 2 belongs on this list. Also, don’t miss its cousins, the Droid Pro and the Droid 2 Global.
8. HTC Incredible

With much the same innards as the Google Nexus One (although not nearly as strong of a build quality), the HTC Incredible was a consolation prize for those who had been salivating for the Nexus One on Verizon. Unfortunately, Google and Verizon pulled the plug on those plans and instead HTC offered the Incredible through Verizon with the traditional two-year contract. The Incredible did get one thing that the Nexus One didn’t have: HTC’s Sense UI. Some viewed that as a bonus over the stock Android OS on the Nexus One, while others saw it as a detractor.
7. Samsung Focus

Microsoft finally got itself back in the smartphone game in 2010 with the launch of Windows Phone 7, and the first widely available WP7 device was the Samsung Focus, which didn't disappoint. The Focus sported nice hardware specs in an attractive, futuristic form factor (albeit with a lot of plastic, similar to the Galaxy S). And Windows Phone 7 offered a new take on smartphone UI that is a little bit more polished and fluid than Android or BlackBerry, although not quite as finished as the iPhone.
6. Motorola Droid X

Verizon Wireless went all-in on Android in 2010, launching a steady stream of new Android-powered devices throughout the year and replacing BlackBerry with Android as its primary smartphone platform. The Droid X served as Verizon’s flagship Android phone, with its huge screen, 8MP camera, enterprise-class hardware, and extensive list of high-end features.
5. HTC Desire

While the HTC Incredible had the same guts as the Nexus One but a much different outer shell, the HTC Desire had similar internals and an outer shell that closely resembled the high quality metal casing on the Nexus One. The Desire quickly became one of the most popular smartphones in Europe and Australia by mid-2010 and has spread to other carriers across the globe since then. Along with the Nexus One and the iPhone 4, the Desire feels like the most substantial and high quality smartphone on the market. You should also keep an eye on the HTC Desire HD and the HTC Desire Z.
4. Samsung Galaxy S

Samsung joined the Android movement with all guns blazing in the middle of 2010 by releasing its line of Galaxy S smartphones in a variety of different form factors (and a confusing array of product names) on all four US wireless carriers and a fleet of international carriers. In the US, the Samsung Vibrant and the Samsung Epic 4G were the most impressive of the Galaxy S phones, but all of the models across the globe have the same technology base and generally provide a very good Android experience.
3. Google Nexus One

The first big smartphone of 2010 was the Google Nexus One, launched just after the new year and right before CES 2010. As a product, the long-rumored “Google Phone” wasn’t a disappointment. It had excellent build quality (developed by HTC) and ran the stock Android OS, which got all of the latest Android updates directly from Google. However, the phone failed in its larger mission of moving the US telecom market toward the European model of being able to buy phones and wireless service separately. The Nexus One was sold as an unlocked device at full price ($500) through Google’s online store. Google was not well prepared to handle customer service and didn’t give US consumers enough time to warm up to the idea of buying a full price device. It also never released the promised CDMA version of the Nexus One. Eventually, Google abandoned the product altogether and replaced it in December with the Nexus S, built by Samsung and available under traditional contract with T-Mobile.
2. HTC EVO 4G

The premier Android device of 2010 was the HTC EVO 4G. It was the first major smartphone to break the 4-inch screen barrier. It was the first 4G smartphone in the US. It was the first major smartphone with an 8.0 megapixel camera. It was the first major smartphone to feature a kickstand (for video viewing). I pejoratively called it the "Hummer of smartphones" because of its massive size and the fact that it's such a battery hog, but there's no arguing that the EVO 4G stretched the boundaries of what was possible in a smartphone and forced all of its competitors to play catch-up.
1. Apple iPhone 4

With all of the momentum that was gathering around Android during the first half of 2010, Apple’s iPhone 3GS was starting to look pretty stale by mid-year — especially since it was only a slight upgrade over the iPhone 3G from 2008. Then, Apple unveiled iOS4 and the iPhone 4 and launched itself back to the head of the class with top-quality hardware and a software experience that still outpaces all of its rivals in terms of ease of use, responsiveness, polish, and third-party software. The iPhone 4 antenna problem, which was more severe than Apple acknowledged but a lot less severe than the tech press portrayed it, was a wart for the iPhone 4. It also still lacks the widget capability of Android (and now Windows Phone 7). But, overall, the iPhone 4 remains the gold standard of the smartphone market.
Honorable mentions

* Motorola Droid Pro
* HTC HD7
* Dell Venue Pro
* T-Mobile G2
* BlackBerry Bold 9780
* HTC Aria