Scot’s Newsletter

Information About Windows and Broadband You Can Use!



July 2004 - Vol. 4, Issue No. 58

By Scot Finnie


  • The Lowdown on Windows XP Service Pack 2 RC2
  • Let’s Fight Sp@m 12: Sender Authentication
  • Call for Contributions
  • For Linux Explorers: Whatis and Apropos
  • Program of the Month: WindowSizer 1.1
  • SFNL Forums Upgrade
  • Newsletter Schedule
  • Subscribe, Unsubscribe, Change Your Subscription

    The Lowdown on XP Service Pack 2 RC2
    After several delays, Microsoft made Windows XP Service Pack 2 (SP2) Release Candidate 2 (RC2) publicly available for download from its website on June 15. RC2 is likely to be the last major pre-release before Microsoft issues the final version of its ambitious Windows service pack, whose primary focus is increased security for Windows XP machines.

    Those interested in trying the new pre-release service pack software on a test machine may obtain it here. I recommend that you also download the Release Notes for Microsoft Windows XP SP2 RC2, which are packed with useful information.

    Windows XP SP2 RC2 comes in two versions. The 264MB "network install" version is designed for IT shops or anyone who needs the full set of CAB files for installing on multiple machines. There's also an online-installation version, called the Express Install or the Windows Update version, which tailors itself to the specific system it's being used with by only installing missing security and other software components. As a result, it's a much smaller download: in our tests, usually under 100MB. This ability to incrementally install is one of the new aspects of version 5.0 of Windows Update, which is being prepared in conjunction with Windows XP SP2.

    What's significantly new in Windows XP Service Pack 2 are Windows Firewall, a raft of security changes in Internet Explorer and Windows remote access functionality, Windows Security Center, revised Automatic Updates, a new wireless networking client, enhanced Bluetooth support, several new Control Panels, and upgrades to some Microsoft applications, mostly in the area of multimedia. What follows is a tour of the current state of those new features. I'll also tell you what I really think of this release, now that the facts are starting to emerge.

    Windows Firewall
    The new software firewall that appears in Windows after you install Service Pack 2 isn't all that new, really. Windows Firewall is an update of the Internet Connection Firewall, which shipped with the original release of Windows XP in October 2001. The most important difference is probably that Windows Firewall is turned on by default.

    There are some other advantages, of course. Windows Firewall is easier to configure, and more importantly, it's better about staying out of the way of your applications. It also now has improved protection during boot and shutdown, something all top-notch software firewalls provide. But the fact that it's on by default means that it could help prevent the spread of certain types of viruses and worms on millions of PCs in future.

    If you've been reading Scot's Newsletter for some time and following even half of my advice, chances are you already have better protection than Windows Firewall provides. Everyone should have at minimum a hardware router/firewall between all their PCs and the Internet. And better would be a software firewall -- such as ZoneAlarm 4.5 or 5.0 or Norton Personal Firewall 2004 -- installed on every PC running on their networks. Any recent version of most software firewalls is a better choice than Windows Firewall. That includes products like Sygate Personal Firewall, Tiny Personal Firewall, Outpost, McAfee's Personal Firewall Plus, and Trend Micro's PC-Cillin Internet Security. Windows Firewall offers solid basic protection; it's better than ICF, and it's a lot better than nothing. But you can do better.

    One of the problems I've seen with Windows XP SP2 in Release Candidate 2 is that after you turn off Windows Firewall, it has a tendency to turn itself back on -- especially after a major system update, a crash, or when you restore a restore point. And when you have both Windows Firewall and a third-party firewall installed, there is at least the potential to encounter a software firewall conflict.

    When you install SP2, you should temporarily disable your firewall software. Although the chances of running into a major firewall conflict for the brief period of time it takes to turn off Windows Firewall after you install SP2 are relatively slim, temporarily disabling any pre-existing firewall program is an easy way to ensure there are no problems. Then, once you've successfully installed SP2, open the new Windows Firewall Control Panel, choose the "Off" option, and then turn your third-party firewall application back on.

    Security-Hardened Internet Explorer
    According to a Microsoft product manager, Microsoft's last major delay of Windows XP Service Pack 2 occurred because of a hue and cry from enterprise evaluators about largely invisible new security measures, especially those in Internet Explorer that affect Web applications. Very likely you'll be able to see this for yourself after you install SP2. Mainstream websites that employ unsigned ActiveX applets, downloads, pop-up windows, browser helper objects, and other code- or scripting-based functions may encounter difficulty with the new SP2 version of IE 6. Most of these activities are prevented by default, and until thousands of websites and web-based applications are upgraded to more gracefully deal with the new IE's many security precautions, a lot of stuff is going to be broken -- or, at least, temporarily halted.


    That doesn't mean nothing works properly; a check of sites that offer more advanced Web-based functionality (such as software distribution) showed no significant problems at all. But even when things do work, they may be interrupted by Internet Explorer requiring user acceptance to continue.

    In many cases, that level of prevention is handled by Internet Explorer's "Information Bar," which halts suspicious processes on a site-by-site basis, presenting options for defeating or selectively defeating IE's automatic protections, either one time or permanently. Since that exception processing applies only to the specific Web page you're on, the decisions you make create a custom Web-security configuration on the fly. Microsoft got this part right. The only drawback I can see is that the text-based Information Bar doesn't jump out at you. It appears as a single line of text below the browser toolbars and above the Web page. Clicking the words "Click here" on the Info Bar opens a context menu of configuration options. The words and menus vary considerably in context. We are all going to become intimately familiar with the Info Bar, I fear. On the other hand, I can't think of a better way to bolster security in Internet Explorer -- one of the most vulnerable facets of Windows. We either make decisions selectively on a website-by-website, applet-by-applet basis, or on most users' PCs, we throw open the doors much wider. To me, the choice seems clear.

    One of the best new features of SP2's Internet Explorer is the Add-On Manager, available from the Internet Control Panel's Programs tab. It gives you a way to enable, disable, and configure ActiveX controls, browser helper objects (also called BHOs), and browser extensions. The primary purpose of this tool is to provide a user interface for controlling things that have already been added to your Internet Explorer installation. When, for example, you have already said Yes to an ActiveX program Information Bar query, and later decide you don't want that program on your computer, the Add-On Manager is the tool that solves that problem.

    When you disable an ActiveX applet and you visit a site that wants to use it, the IE status bar shows a balloon pop-up informing you that the program is disabled and can be re-enabled in Add-On Manager. Add-On Manager is a very useful addition to Internet Explorer.

    SP2 also provides a new Attachment Manager that works with Outlook Express, Windows Messenger, and Internet Explorer by identifying and preventing potentially unsafe attachments during the opening process. When this occurs, the attachment is prevented from opening and a pop-up is offered to both warn you and offer options for controlling it. IE also has download monitoring that offers the same sort of protection for downloads from websites.

    Internet Explorer has also been strengthened internally to thwart several specific exploits and plug a wide swath of identified vulnerabilities. One of the more notorious vulnerabilities was a series of little-known IE security controls that protected the local machine. These controls could previously be adjusted by a malicious program, opening up the browser and thus the computer to attack.

    With the browser battle long since won, there's nothing forcing Microsoft to do much of anything about improving the functionality of Internet Explorer. But there's one feature IE has sorely missed. Virtually all its competitors provide tabbed browsing -- the ability to house multiple Web windows within a single browser window and let their users click tabs to switch among them. This is the underlying principle of the current Windows user interface, introduced with Windows 95. Yet Internet Explorer continues to lack the capability.

    Microsoft just isn't that interested in upgrading Internet Explorer's feature set. As a result, it's unlikely we'll see tabbed browsing before Longhorn, and it's not even guaranteed for that release. No wonder so many people are jumping ship for Mozilla Firefox and Opera.


    Despite obvious potential difficulties, especially for enterprise Web applications and some higher-end consumer websites, there's no major reason to avoid installing SP2. The security benefits outweigh the potential negatives, which will be fixed with time. And the nifty pop-up blocker should reduce the annoyance factor.

    Windows Security Center
    Windows Security Center (WSC) is a new Control Panel applet with system-tray notification whose sole purpose is to ensure you're aware when your computer is not adequately protected by firewall, antivirus software, and the latest Windows and IE updates. At its heart, WSC is three sensors that check your security configuration and indicate visually when your computer's protection isn't up to snuff. The antivirus sensor is the most complex. It's designed to check whether an antivirus program is installed, whether that program is running, and whether it's updated with the latest antivirus definitions.

    When any of the security checks for antivirus, firewall, or critical Windows updates isn't met, Windows Security Center alerts you with system tray pop-up notifications that open the large WSC Control Panel. A colored light system -- not unlike the U.S. government's terrorist threat-level warnings -- gives you instant feedback about whether your system is good to go.

    So far so good, but in all major pre-release versions of Windows XP Service Pack 2, the ability of WSC's security sensors to accurately detect mainstream third-party security programs was seriously lacking. The desktop security products of the vendors that have the largest installed base of users, Symantec and Zone Labs, aren't properly detected by the RC2 version of SP2.

    Win XP SP2: Does Windows Security Center Work?
    I tested a large selection of commonly available antivirus and firewall products against Windows XP Service Pack 2's RC2's version of Windows Security Center to see how well it detected third-party products. The results were somewhat surprising with a late-stage OS update approaching its release date:

    Does Windows Security Center Work?

    Antivirus Software                                               Detected
    Grisoft AVG Pro 7.251                                            Yes
    Kaspersky Anti-Virus 5.0.121                                     Yes
    McAfee VirusScan                                                 Yes
    Panda Software Platinum 7.0                                      Yes
    Panda Software Titanium Antivirus 2004 3.01.00                   No
    Symantec Norton AntiVirus 2004                                   No
    Trend Micro PC-Cillin Internet Security                          Yes
    Zone Labs ZoneAlarm Security Suite 5.0                           No

    Firewall Software                                                Detected
    Agnitum Outpost 2.1                                              No
    McAfee Personal Firewall Plus                                    Yes
    Panda Software Platinum 7.0 Pavfires                             Yes
    Sygate Personal Firewall 5.5                                     No
    Symantec Norton Personal Firewall 2004                           No
    Trend Micro PC-Cillin Internet Security 11.31                    Yes
    Zone Labs ZoneAlarm 4.5 and 5.0 (free edition)                   No
    Zone Labs ZoneAlarm Security Suite 5.0 And ZoneAlarm 4.5 Pro     No

    Even so, security vendors interviewed for this story, including Symantec and Zone Labs, assured me that their products would be correctly identified by Windows Security Center by the time Windows XP SP2 ships. The hard truth is that Microsoft is requiring third-party vendors to change their software in order to be detected by WSC. Any security software vendor able to issue online program patches (and not just security definitions) should be able to make at least current versions of their applications detectable by Windows Security Center. At press time, none of the products from Symantec or Zone Labs were detected properly by WSC (see table above). But those companies may have been waiting for SP2 to ship before issuing online program patches to their products.

    In operation, I found Windows Security Center's RC2 sensors to be balky at times. Occasionally a change (such as turning on or off Windows Firewall or updating the antivirus program) isn't detected right away. Even after a reboot, sometimes WSC would be stuck showing the previous state. All in all, Windows Security Center is more a novelty than a truly useful tool for experienced users. Microsoft has made Windows Security Center centrally manageable via Active Directory Group Policies, but it's hard for me to imagine many enterprises getting excited about that.

    For individual users, if your computer is used by several people, or if you need help figuring out security, Windows Security Center could well be a useful warning bell if it works properly with third-party apps. WSC does sense protection levels for the worst threats out there, but it offers no help for adware, spyware, trojans, privacy invasion, and spam. So it's no panacea.

    Automatic Updates Gets Aggressive
    On pages 14-15 of the July 2004 issue of PC Today magazine I wrote about an annoying aspect of Windows XP Service Pack 2's enhanced Automatic Updates feature. SP2 automatically installs patches in certain conditions when you power down your computer.

    The way it works is this: When you have pending critical updates for Windows that haven't been installed and you shut down (not restart) Windows, the operating system installs the patches before it powers off. If patches are already downloaded, it usually takes only a few minutes to install them. But in tests of SP2 RC1, I found that it could take more than half an hour for the computer to turn off because of this feature.

    To understand why (or at least, what I have pieced together as the probable reason why), you have to understand the new Automatic Update options. The new Automatic Updates Control Panel is a solid improvement over the controls found on the Automatic Updates tab buried in the System Control Panel in previous versions of Windows XP. The Control Panel offers four options:

    1. Automatic (recommended). Automatically download recommended updates for my computer and install them [on this user-specified schedule, defaults to daily at 3AM].

    2. Download updates for me, but let me choose when to install them.

    3. Notify me but don't automatically download or install them.

    4. Turn off Automatic Updates.

    When you choose option 4, there is no automatic installation of patches when you power down your computer. But your computer is also completely unprotected against the most recently discovered Windows vulnerabilities. Except in the case of a computer whose system updates are being managed in an organizational setting, no one should choose the fourth option.

    If you choose either option 1 or 2, available critical updates for your Windows installation will be downloaded automatically, so at shutdown it'll take a little time for the patches to install before your computer turns off, but not usually long periods of time. (It'll also make your next Windows start-up take longer because part of the patch-installation process occurs on the subsequent restart.)


    When I tested the feature, however, I was testing with option 3, "Notify me but don't automatically download or install" security updates. What apparently occurred was that, since available critical updates weren't already downloaded on my computer, Windows SP2 RC1's Automatic Updates code downloaded available critical updates and then installed them before the computer turned off. The process took over half an hour to complete, and it took me the first 10 minutes or so to realize what was probably going on.

    At press time, I was unable to discover whether Microsoft modified the automatic-patch-installation-on-shutdown behavior for RC2. Since Microsoft rarely releases a real online update to pre-release software, whenever it makes changes to Automatic Updates or is developing a new version of Windows, it releases sample updates. In other words, it offers you large "update" files that basically do nothing to your PC. They're only there to give you the user experience. But in the two weeks or so since RC2 was released, none of my test machines have indicated that there are any updates available for it. In other words, no one can test the Automatic Updates process in RC2.


    It should be noted that even though this background download and installation of critical updates is a little heavy handed, it is possible to defeat it. In RC1, the shutdown-instigated "Turn off computer" box offers you the option at the bottom to "Click here to turn off without installing updates." My guess is that most people will miss this fine-print at first. Of course, for all I know, this user interface has changed. Since there are no updates available, the "Turn off computer" box doesn't display the fine-print option.

    What Is Known
    I don't want to make too much out of this one annoying aspect of Automatic Updates. It's just the only aspect we don't have a full grasp on yet. In all other regards, Automatic Updates is a boon to Windows users. In fact, Microsoft's ability to automatically update millions of Windows PCs around the globe is especially well handled. You may snicker and say, well they had to do it, right? But while you may have long since decided that Windows isn't very well engineered, I would have to disagree with you on that point. Windows is simply the only seriously interesting target for hackers, virus/worm authors, and spammers.

    To be sure, Windows is hampered by a huge installed base of Windows versions that barely gave a passing thought to security. But five years from now, that picture will look a lot different. It's as much the user-experience expectations of the people who use Windows that have to change as it is the code that underlies this widespread operating system.

    So the Automatic Updates user interface is vastly improved. Another difference from previous versions of XP is that during the SP2 installation, Microsoft also urges (but does not require) users to turn on option 1, the most aggressive Automatic Updates setting: the one that automatically downloads and installs critical updates on a daily schedule (or a schedule of your choosing). Even if you go along with Microsoft's recommendation, you can easily change it later. This is intended to get less experienced people, who might never turn on Automatic Updates on their own, to turn it on. Since it's not mandated, it's a good thing because if they're protected, we're all a little better protected too.

    Microsoft is also working on the 5.0 version of Windows Update, its Windows-updating website, which handles a lot more than just critical updates. It's primarily a user-interface update, but one of the underlying improvements is that you'll no longer be required to restart your computer so often after applying updates. Windows is now able to wait to install patches on the next restart. Windows Update is also now able to make incremental installs ("delta installation" in Microsoft parlance). This should be of particular benefit to dial-up users. Instead of installing the same patches over a patch that's already installed, Windows Update and Automatic Updates are able to install only updates that are not already on a specific system.

    Overall, Automatic Updates has been positively redesigned. In many ways, it's one of the best reasons to install SP2.

    Wireless Networking, Et Al.
    Windows XP includes a new wireless LAN client that provides a much better interface designed to help you understand and work with both secured and unsecured wireless networks. There's also a new Wireless Network Setup Wizard (yet another new Control Panel) that lets you add a wireless network to your system either with or without security. On the face of it, this interface is much better than the original Windows XP and Windows XP SP1 versions of the wireless networking client. And there's nothing wrong with the upgrade. My only problem with it is that it doesn't go far enough.

    The software provided by some wireless network device companies designed to run with Windows XP provides better management of multiple-access-point networks and better access to multiple networks. On a multiple-access-point network, for example, the OEM Wi-Fi hardware utilities let you configure which access point your computer is homed in on. Windows XP SP2's wireless networking client treats all access points using the same SSID as a single piece of hardware. What that can sometimes mean is that your connection may lose signal strength as you move from one location to another, because Windows hasn't made the switch to the nearest access point.

    So I like the two major improvements, the new wizard and the updated user interface, but I want more.

    Microsoft has also added an enhanced Bluetooth networking stack in this service pack. Bluetooth, which provides wireless "personal area network" functionality (a replacement for the infrared wireless connections between devices, like computers and printers) missed the original version of XP by only a few months. And at that time Microsoft pledged to add this functionality. But while separate downloads and online updates have been available for a long time, this is the first time Bluetooth is being included and improved in a unified way. If your computer and devices are Bluetooth equipped and you make use of the functionality, you'll be pleasantly surprised by this update. I'll be honest though, I'm not all that wild about Bluetooth. It can be a serious boon for handheld devices though.

    Finally, Microsoft is throwing updates for a series of its products and platforms, including DirectX 9.0b, Windows Media Player 9, Windows XP Media Edition 2004, and Windows XP Tablet PC Edition 2004 into Windows XP Service Pack 2. This is just a case of Microsoft taking advantage of an opportunity to widely distribute some recent changes to satellite applications. Most of the updates have little to do with security.

    For more information about what's in Windows XP Service Pack 2, check these Microsoft reference documents:

  • Changes to Functionality in Microsoft Windows XP Service Pack 2
  • Release Notes for Microsoft Windows XP Service Pack 2 RC2
  • Business Desktop Deployment of Windows XP Service Pack 2
  • New Networking Features in Windows XP Service Pack 2
  • Using INF File in Windows XP SP2 to Change Windows Firewall Settings
  • Download Windows XP Service Pack 2 RC2

    Real-World Recommendations
    The fact of the matter is this: No matter how annoying or substantively lacking in any real advantage other than increased security, there should be no debate in business or home circles about whether this one should be installed. Just do it. We have enough computer security problems without people getting stubborn about whether this upgrade takes away some of their computer liberties. It really doesn't. There are some mostly minor adjustments required. And for some of us, those changes may be nearly transparent. Corporate IT managers and users may have a bit more to wade through at first. But all in all, this shouldn't be heavy lifting. We're all in this security mess together, and this service pack strikes a blow for the good guys. It should be a no-brainer.

    Do you have lingering questions about Windows XP Service Pack 2? Send them my way.


    Let’s Fight Sp@m 12: Sender Authentication
    I've laid low on the ongoing Let's Fight Sp@m series the last six months or so because this is an incendiary topic that there's a lot of disagreement on, and I've frankly grown weary of explaining, arguing, and discussing the same topics over and over again.

    By now I hope most of you can see the point of at least some of the opinions I stated a year or two back: that spam threatens email as we know it, and that in particular it threatens aboveboard opt-in email newsletters. That whole genre of publishing is teetering on the edge of not being viable. There are lots of reasons why this is the case. And there are few real solutions.

    It's nothing more than a cog in some eventual engine that could drive spam to its knees (because I doubt we will ever eradicate it), but the idea of Sender Verification -- something Let's Fight Sp@m and TechWeb articles I've written have been calling for, for quite some time -- is finally building steam.

    Some articles I've written about this in the past:

  • SMTP Authentication
  • Authorizing Outbound Email
  • The Trouble with Email - TechWeb

    Stories recently in the news related to Sender Verification:

  • Major ISPs Look To Sender Auth To Block Spam - Security Pipeline
  • Sender Auth and Accreditation May Not Stop Spam - Messaging Pipeline
  • Should You Have to Show ID to Send Email? - Messaging & Security Pipelines
  • Microsoft Submits Merged Sender ID Email Spec - TechWeb

    There are pluses and minuses to the various proposed methods of sender validation, however. Microsoft's approach, in my opinion, is apt to cause the most trouble. What we most need to lock down is the illicit use of SMTP servers by unauthorized users, in most cases spammers. To do that, we need to prevent anyone from sending mail from an outbound mail server who does not have the right to do so. IP-address verification doesn't make sense and doesn't go far enough. It should help weed out many spoofed messages, but some perfectly valid senders may be sending from different machines. And that introduces a huge gray area that will be hard to manage. It's the people we want to validate, not the machines. Focus on the people.

    To do this we need better, more secure SMTP server software than we have today, and an authentication scheme that is user-based. The solution to this problem should not require people to use a certain return address. That isn't helpful. For example, this newsletter (like most others) is sent by a third-party server managed by a company that specializes in that business. The server's actual IP address and return address are not represented by the return address in the headers. Why? Because if we did that, when you replied to a newsletter message I wouldn't get it. There are many other completely valid reasons for sending a message with a different return address. The validation mechanism should not hinge on something in the email message or solely on the server that sent it (though that is useful information). It should be a separate unique identifier.

    Right now, this month, virtually every ISP in the country could institute outbound message sending based on basic open standard password authentication. Many have not, though. Ever count shared web hosting companies? Virtually every one of them manages hundreds of mail servers, the security of which is often woefully inadequate. The first step in this war starts with a requirement that any ISP that offers SMTP/POP services be required to authenticate senders!
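
An added example (not part of the original newsletter): a Python audit of SMTP server session transcripts that flags mail accepted for outside domains without a successful AUTH, which is the gap the paragraphs above want ISPs to close. The transcripts, host names, account name, and `LOCAL_DOMAINS` are constructed assumptions; the authenticated list-server session passes even though its return address differs from the sending account.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional

LOCAL_DOMAINS = {"isp.example"}  # assumption: domains the audited server hosts

def _plain(user: str, password: str) -> str:
    """Build an AUTH PLAIN initial response (RFC 4616, empty authzid)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

GOOD, BAD = _plain("list-mailer", "constructed-pw"), _plain("list-mailer", "guess")
GREETING = (
    "S: 220 mail.isp.example ESMTP\nC: EHLO client.example\n"
    "S: 250-mail.isp.example\nS: 250 AUTH PLAIN LOGIN\n"
)
# Constructed server-side transcripts (C: client, S: server; TLS setup omitted).
SESSIONS = {
    # Third-party list server: authenticates as its own account, but the
    # return address is the publisher's, as with a hosted newsletter.
    "newsletter-list-server": GREETING + f"""\
C: AUTH PLAIN {GOOD}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<editor@newsletter.example>
S: 250 2.1.0 Ok
C: RCPT TO:<reader@elsewhere.example>
S: 250 2.1.5 Ok
""",
    # Ordinary inbound mail for a local mailbox: no AUTH needed, nothing relayed.
    "inbound-delivery": GREETING + """\
C: MAIL FROM:<friend@elsewhere.example>
S: 250 2.1.0 Ok
C: RCPT TO:<subscriber@isp.example>
S: 250 2.1.5 Ok
""",
    # Misconfigured server: AUTH fails, yet an outside recipient is accepted.
    "failed-auth-relay": GREETING + f"""\
C: AUTH PLAIN {BAD}
S: 535 5.7.8 Authentication credentials invalid
C: MAIL FROM:<promo@bulk.example>
S: 250 2.1.0 Ok
C: RCPT TO:<reader@elsewhere.example>
S: 250 2.1.5 Ok
""",
}

@dataclass
class Finding:
    session: str
    auth_user: Optional[str] = None  # identity proven with AUTH, if any
    mail_from: Optional[str] = None  # envelope return address
    relayed_to: list = field(default_factory=list)  # accepted outside recipients

    @property
    def unauthenticated_relay(self) -> bool:
        return bool(self.relayed_to) and self.auth_user is None

def _addr(arg: str) -> str:
    """Pull the address out of 'FROM:<a@b>' or 'TO:<a@b>'."""
    return arg[arg.find("<") + 1:arg.find(">")].strip().lower()

def _auth_identity(arg: str) -> str:
    """Decode the account name from an AUTH PLAIN initial response."""
    mech, _, initial = arg.partition(" ")
    parts = base64.b64decode(initial).split(b"\0") if initial else []
    if mech.upper() == "PLAIN" and len(parts) == 3:
        return parts[1].decode()
    return "<identity not in transcript>"

def audit(name: str, transcript: str) -> Finding:
    finding, pending, in_auth = Finding(name), None, False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and not in_auth:  # a command, not a credential reply
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg)
        elif side == "S" and pending and text[3:4] != "-":  # final reply line
            (verb, arg), code = pending, text[:3]
            in_auth = verb == "AUTH" and code == "334"  # server wants more data
            if in_auth:
                continue  # keep the AUTH command pending
            if verb == "AUTH" and code == "235":
                finding.auth_user = _auth_identity(arg)
            elif verb == "MAIL" and code == "250":
                finding.mail_from = _addr(arg)
            elif verb == "RCPT" and code.startswith("2"):
                rcpt = _addr(arg)
                if rcpt.rpartition("@")[2] not in LOCAL_DOMAINS:
                    finding.relayed_to.append(rcpt)
            pending = None
    return finding

def unauthenticated_relays(sessions: dict) -> list:
    """Names of sessions where outside mail was accepted without AUTH."""
    return [n for n, t in sessions.items() if audit(n, t).unauthenticated_relay]

if __name__ == "__main__":
    for f in (audit(n, t) for n, t in SESSIONS.items()):
        verdict = "UNAUTHENTICATED RELAY" if f.unauthenticated_relay else "ok"
        print(f"{f.session}: auth={f.auth_user} from={f.mail_from} {verdict}")
```
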

    Companies like Microsoft, America Online, Yahoo, and EarthLink -- part of the Anti-Spam Technical Alliance -- all say that sender authentication is only part of what's needed, and I agree. What they call for is white listing of large email senders, some sort of reputation validation system. Man, I can't imagine anything worse than this. We think blacklists are political? With any system like that in place, small independent email publishers in the hundreds are not going to be able to afford the fees required to publish in this kind of environment. When Microsoft started out, what if some large company imposed a $10 fee per copy of software sold? That's what I believe this will be tantamount to. No whitelisting agencies are going to validate your reputation for free; and there's going to be a need to re-validate mailers annually or on a repeating basis. Most of the schemes that have proposed this in the past have instituted a per-message-mailed fee. Under that sort of plan, the larger companies will get larger -- and the small independent voices that are an important part of the make-up of the Internet will get squashed.

    But whatever collection of technologies and policies are cobbled together to start making a difference with spam, the one thing that's been clear for some time is that it has to start with verifying senders. It has taken its sweet time, but the computer industry has begun to move in this direction. So there's some hope, finally.


    Call for Contributions
    Long-time SFNL readers (or anyone who subscribed before February of this year) have grown accustomed to my call three or four times a year for contributions to the fund that keeps this newsletter going. Well, you may be used to it, but it always makes me feel ridiculous. I'm not exactly a charity. But this newsletter is. Probably nothing will ever pay me for the time I put into it, but I'm happy if I can just cover expenses. According to my accountant, the newsletter almost broke even last year. The year before it did break even. Covering the costs is all I ask.

    So embarrassing though it is, I make the call because, to be quite honest, few people contribute if I don't. About 90 percent of the donations to Scot's Newsletter come in during the four weeks or so after the reminders -- like this one -- that I make in the newsletter. So I'm stuck making them. The request goes like this: Please send Scot's Newsletter whatever you can afford to help pay for the operation of the newsletter, such as the monthly charges to my spam-free list server service provider, my web host, my research expenses, and so on. Here's how to act on that request:

  • Donate via Conventional Postal Mail
  • Donate via PayPal
  • Sign-Up to PayPal

    Upcoming issues of Scot's Newsletter will include new coverage of Windows Longhorn (I just received a newer build), exploration of new broadband coverage, ongoing Linux tips aimed at Windows users, Windows XP tips, and a lot more.

    Why Donations?
    During the three years that I've published Scot's Newsletter, I wish I had a dollar for every time someone suggested I create a paid premium edition of the newsletter. The free edition that everyone gets today would continue on, but a new paid edition would offer some extra content and come out a day earlier. There might be some other premiums too. That's the strategy successfully employed by my friend and colleague, Fred Langa, who is also a Windows Magazine alumnus. It's been my goal all along to follow in his footsteps on the newsletter business model, but it's not as slam dunk easy as you might suspect. Three major obstacles have stood in my way:

    1. I needed to get the number of subscribers to the newsletter over 50,000 before this would become a cost-effective option. Guess what, we're almost at 50K now. If you can't donate cash, another way you could help the newsletter is to recommend that friends and colleagues subscribe to it. Send them here.

    2. I needed a relatively inexpensive way to authorize and accept Visa, MasterCard, American Express, Discover, Diner's Card, and so on. Yes, PayPal works, but it's not great internationally, and many people don't like it in the U.S. either. A friend of mine researching this right now for another newsletter (in a completely different field) turned up interesting information. The rise of Internet commerce has apparently caused prices to come down for these services. It's probably possible to add this service for $100 a month.

    3. This is the hard one, though: I need a system for tying subscriber payment data with the actual newsletter list. In other words, the database that handles newsletter distribution needs to be hooked up with the database (or reporting info) that shows who paid for a newsletter subscription and when they paid. Plus, the software needs to be able to send out reminders to paid subscribers every year to renew their newsletter subscriptions.

    Unfortunately, #3 doesn't exist off-the-shelf for email newsletters. I don't know if Fred is still doing it this way, but I know that when he first launched his paid LangaList Plus edition, he reconciled that data by hand. Notice that very few other people who have newsletters have paid editions. There's a reason. The logistics are a big deal.

    So keep the contributions and new subscriber recommendations coming. I'll get there yet.

    For Linux Explorers: The Whatis and Apropos Commands
    During your Linux exploration, it sometimes happens that you forget a command or two or misremember what it does. This is especially true for those of us whose years of Windows use have caused command-line synapses in our brains to atrophy. Luckily, Linux takes this into consideration and has a solution to help retrieve those commands that have escaped into the forgettery. We'll tell ya all about it.

    Important: The tips in this document require the use of command-line commands. For more information about how to read and execute Linux command-line prompts and commands, please check the Linux Clues' Linux Cheat Sheet, especially Linux Prompt Basics and Linux Command-Line Nomenclature.

    The Whatis Command
    Whatis is a funny command that's bound to come in handy, especially while you're learning Linux. By typing "whatis" followed by a command, Linux returns the first line of the Man-page (manual page) for that command. Here's an example to show you what the "cp" command does:

    $ whatis cp

    This returns:
    cp (1) - copy files and directories

    The command is listed followed by a number in parentheses. The number refers to the section of the man-pages (manual pages) that the command can be found in.

    For the command ifconfig:

    $ whatis ifconfig
    ifconfig (8) - configure a network interface

    If you wanted more information about one of the commands -- how it works and what the optional arguments are -- you would type:

    $ man ifconfig

    And get back the explanation, all 176 lines worth.

    NOTE: Some distros won't have a pre-built Whatis database. Instead of the descriptions above, you'll see a response telling you to build the database. In that case log on as root and type:

    # /usr/sbin/makewhatis

    Up a Notch
    But that's just the beginning of what you can do with whatis. Imagine you want to see a cheatsheet of commands in, let's say, the /usr/bin directory, for example. First change to that directory:

    $ cd /usr/bin

    Then type this command:

    $ ls | xargs whatis | less

    (Note: The "|" is a pipe, also known as the "Shift \" key.)

    The beginning of the list looks like the following, with some minor variations depending on which distro you're running. It's a scrollable list; just press the spacebar to advance the page. To exit the list, press the Q key.

    411toppm (1) - convert Sony Mavica .411 image to PPM
    a2p (1) - Awk to Perl translator
    a2ps (1) - format files for printing on a PostScript printer
    abiword@: nothing appropriate
    AbiWord-2.0*: nothing appropriate
    access (1) - determine whether a file can be accessed
    access (2) - check user's permissions for a file
    access (5) - format of Postfix access table
    aclocal@: nothing appropriate
    aclocal-1.4*: nothing appropriate
    aconnect (1) - ALSA sequencer connection manager
    acroread@: nothing appropriate
    activation-client*: nothing appropriate
    adddebug*: nothing appropriate
    addftinfo (1) - add information to troff font files for use with groff
    addr2line (1) - convert addresses into file names and line numbers
    addresses (1) - Dumps Palm Address Book to STDOUT in simple format

    Advanced Tip
    If you're the type who can't leave well enough alone, here's an explanation of the command you just typed:

    $ ls | xargs whatis | less

    ls = list directory contents
    xargs = build and execute command lines from standard input
    less = opposite of more (Just kidding, actually this reads input and renders it into a page.)

    As you can see from the command list above, Access, for example, has multiple listings because it's listed in the manual several times. "Nothing appropriate" means there is no Man-page entry for that command.
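
    A sturdier take on the cheatsheet pipeline, added here as an example (it is not from the original tip). Entries such as "abiword@" and "aclocal-1.4*" in the listing above carry the type markers that "ls -F" appends, so whatis is asked about a name that doesn't exist; this version reads the directory with a shell glob instead of ls, copes with spaces in file names, and can list the commands that have no man-page entry. The function names and the WHATIS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: a sturdier version of "ls | xargs whatis | less".
# WHATIS is an assumption of this example: it names the lookup program and
# defaults to whatis, so the lookup can be swapped out for testing.
WHATIS=${WHATIS:-whatis}

# describe_dir DIR
# Prints one line per executable file in DIR:
#   name<TAB>first whatis line    when whatis knows the command
#   name<TAB>-                    when there is no man-page entry
describe_dir() {
    dir=$1
    for path in "$dir"/*; do
        # Skip directories and non-executables; -x follows symlinks, so a
        # link to a program counts under its own name, with no "@" suffix.
        [ -f "$path" ] && [ -x "$path" ] || continue
        name=${path##*/}
        # A name starting with "-" would be read as an option by whatis.
        case $name in -*) continue ;; esac
        # Keep the first line only; commands such as "access" are listed
        # in several manual sections.
        desc=$("$WHATIS" "$name" 2>/dev/null | head -n 1) || desc=
        # "nothing appropriate" arrives on stdout or stderr depending on
        # the whatis implementation; treat both as "no entry".
        case $desc in
            ''|*"nothing appropriate"*) desc='-' ;;
        esac
        printf '%s\t%s\n' "$name" "$desc"
    done
}

# undocumented DIR
# Prints only the names of executables in DIR that have no man-page entry.
undocumented() {
    describe_dir "$1" | awk -F '\t' '$2 == "-" { print $1 }'
}

# Run as:  sh cheatsheet.sh /usr/bin | less
if [ -n "${1:-}" ]; then
    describe_dir "$1"
fi
```

    Because the names never pass through ls, any ls alias in your shell has no effect on the result.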

    Secret Sauce
    Though you can run Whatis almost anywhere, there are some places it's more interesting to use than others. Try it here:


    Because Linux knows so many commands, it's impossible to remember them all. (See, it's not just GUI-itis!) So here's a trick to help you. From a previous Linux Explorers tip you should know that if you type the first few characters of a command and press the Tab key, Linux will auto-complete the command or present you with a list of options for auto-completion:

    We're going to be tricky and combine that feature with Whatis to really jog your memory, using the Apropos command.

    Imagine you know only a part of the name or description of a command. Say for example, you remember "alsa," but not the whole of the command. Type:

    $ apropos alsa

    This returns:

    aconnect (1) - ALSA sequencer connection manager
    alsaconf (8) - config tool for the Advanced Linux Sound Architecture
    alsactl (1) - advanced controls for ALSA soundcard driver
    alsamixer (1) - soundcard mixer for ALSA driver, with ncurses interface
    amidi (1) - read from and write to ALSA RawMIDI ports
    amixer (1) - command-line mixer for ALSA driver
    aplay (1) - command-line sound recorder and player for ALSA driver
    arecord [aplay] (1) - command-line recorder/player for ALSA driver
    aseqnet (1) - ALSA sequencer connectors over network

    If you still weren't sure, you could use "$ man {command}" to get more information about each command.

    Well, that is pretty cool isn't it? Very cool! But how cool is Linux, really? Way cool. Trust us.

    $ apropos cool

    Smalledit-3.17.7 (1) - Stripped down version of Cooledit text editor
    cooledit (1) - Full featured X Window text editor for the System, v.11
    coolicon (1) - Icon manager with graphical icon and drag and drop
    coolman (1) - X Window Man page reader based on the Coolwidget library
    sane-coolscan (5) - SANE backend for Nikon film-scanners

    They don't come cooler than that, do they?

    Most of the material you find in Tips for Linux Explorers comes from Bruno of Amsterdam, one of the moderators of the popular All Things Linux forum at Scot's Newsletter Forums.

    Bruno is helped by All Things Linux co-moderators Peachy and Teacher, as well as other forum members who have posted in the highly useful Tips for Linux Explorers thread (from which and the Linux Explorers section of Scot's Newsletter are adapted). Previous installments of Tips for Linux Explorers can be found at

    For Linux Explorers is content-edited by Cyndy. (Scot copy edits.)

    Program of the Month: WindowSizer 1.1
    I can't tell you how many times I've wished for a product that does what WindowSizer 1.1, by David Ross Software, is trying to do. I have a large-screen monitor (one of the best monitors you can buy for the money, the Samsung 213T 21.3" wide-aspect-ratio LCD) running at 1600-by-1200-pixel resolution. I want to maximize the use of that pretty large amount of screen real estate so I can have as many windows open, and interact between them with copy and paste, drag and drop, and so on. Working smartly with multiple windows makes me more productive. The main advantage is that my train of thought doesn't have to halt so often to focus on the mundane task of navigating windows. What I want is to have every window I need access to easy to put a finger on without any appreciable effort.

    WindowSizer remembers and manages windows sizes, positions, and relationships. And it can memorize and quickly revert two open windows to a default configuration with just a double click. Open two windows side by side in WindowSizer, and once you set the program to control them, if you resize one, the other one resizes to complement the change to the first on the fly. Until you try this yourself it's hard to believe how fast and powerful it is. WindowSizer can also save and recall special configurations as local PANES files, which lets you save and apply multiple window configurations for different applications.

    What WindowSizer is trying to do is very cool, but its challenge is also very complex. The utility is especially good at managing two windows. While it is able to manage and automatically resize up to 12 windows at once, the way this works is not as useful (to me, anyway). When you use WindowSizer to manage three or more windows, it's rare for all three to open large enough to be truly useful without having to resize. While resizing is much easier with this utility, I'd prefer a scheme that allowed me to apply a specific configuration and then swap in and out second, third, and fourth windows, all in that same size. In other words, automatic resizing alone isn't enough to solve the multiple-window-management problem. It's just an excellent start.

    One feature I'd like to see in some future version of WindowSizer is the ability to designate a specific program window as dominant (one whose position and size never changes). WindowSizer ignores all minimized open Windows when applying arrangements -- a very useful trick for using this product. Another useful ability might be to have new windows automatically tuck themselves into the currently applicable layout, and to designate that all windows from a specific program appear in the same size and location. Although less important than other capabilities, the addition of a window transparency option would be a neat feature too.

    For more information about WindowSizer features, see:

  • WindowSizer Features
  • WindowSizer FAQ

    This product is only a couple of months old, and it's pretty amazing for being so new. The product is full-featured but time-limited for 30 days. The registration fee is $19.95.

  • WindowSizer 1.1 Download

    There are quite a few other new utilities that work in this vein, many of which provide transparent windows and window dominance. This is a very immature little utility segment, and the coming of Windows Longhorn will surely have a large impact on it. Here's a small sampling of other windows-related utilities I turned up in Google and a few shareware sites. If you've tested some of these programs (or want to tell me about others like them), drop me a note and let me know which ones you liked and why.

  • WinTiles
  • ShellEnhancer 1.0 Beta
  • WindowTool 1.3
  • WindowGhost 1.0
  • Windows Transparency
  • Actual Windows Manager
  • Actual Windows Guard
  • Actual Transparent Windows
  • Alpha XP
  • Vitrite

    Have you found a little-known freeware or shareware program that solves a specific Windows or broadband problem extremely well? I'm looking for diamonds in the rough, software that begs to be discovered, utilities that can save your bacon. This isn't about mainstream applications, folks! It's about software many of us might not have heard about before, or that just doesn't get enough attention. IMPORTANT: Please include a link to the software-maker's site, not some big download place. Also: 30-day full-featured trialware programs are acceptable, but freeware will get preference. And simpler programs that do one thing well are far more likely to be selected as Program of the Month. Please tell me about your personal favorite, what it does, and why you like it.

    SFNL Forums Upgrade
    If you haven't been to Scot's Newsletter Forums in a while, or if you've never checked it out, swing by and take a look. SFNL Forums has undergone a software upgrade to Invision Power Board 1.3.1 and a redesign this week. Thanks especially go to Lead Admin Arena2045, who designed the skins and did the upgrade work, and also to Heide Balaban, the graphic artist and designer who created the logo.

    Scot's Newsletter Forums is a small but very active community. It's worth swinging by to take a look at this place. It covers Windows, Security, Programming, Applications, Browsers & Email, Networking, Hardware, Linux, the Mac, and there's a Q&A section. Our moderators and Forum MVPs are just the best. I want to thank everyone who contributes so much time to Scot's Newsletter Forums, especially our amazing moderators and senior staff. They are the best!

    In a couple of weeks, Arena2045 and I will be performing a webhost transfer. It's taken me a while to locate a webhost that I prefer, and I've found that host. It turns out to be the same company that creates the forum software, Invision Power Services Hosting.

    For those of you keeping score from my past discussions of webhosts, I currently have three webhosts:,, and IPS. That's temporary, and Hostway is getting the axe. SectorLink, which is the current host of the Scot's Newsletter website and Scot's Newsletter Forums will be relegated to less important duties. I know a lot of people who use Hostway and like it. I've been a Hostway customer for over three years. It's a good, not great, webhost. The support levels are not good, and support personnel have a tendency to be overly terse and downright snide. Their control panel is very good. Their uptime has been very good the last couple of years, though lately email has been problematic. SectorLink has the worst control panel and the worst reliability of any host I've ever used. A recent power outage in their area brought everything down for several days (despite 100% standby power backup). But the prices are good, and the feature set is excellent for value hosting. They're just not the right place to host an active forums and newsletter website. IPS has an excellent control panel and the service levels are reasonable in all regards. It's a no B.S.-sort of webhost.

    Of course, I've only been an IPS customer for about 45 days, and haven't put them to the test yet. But for those of you who know LockerGnome and PCPitStop, the forums of both of those sites are hosted on IPS. Interestingly, I didn't know that LG's Chris Pirillo had transferred his forums to IPS until about a week after I'd placed my order there. Great minds, I guess. Last time I talked to my buddy Dave Methvin, one of the principals at, they were using IPS's Forum Hosting service and very happy with it.

    We expect to make the big webhost swap in mid July. When this occurs, both the Scot's Newsletter website and the Scot's Newsletter Forums site will be down for at least several hours, and perhaps up and down intermittently for 24 hours or more. The newsletter's email will also be affected, and may bounce for a while. Technically, it could take up to three days for everything to resume normal operation.

    I've devised a simple status page to help people keep track of when the Forums and newsletter sites are operational.

    Signing Up for Scot's Newsletter Forums
    Scot's Newsletter Forums is completely open to anyone who wants to read anything posted there. But we restrict posting privileges to prevent "driveby flames": people who jump on, say something incendiary, and leave never to return. It's a common occurrence at some forums that operate differently.

    In order to post, you must register. The only detail we collect from you is a valid email address, which we confirm. You can't use a bogus address to sign up, and you have to respond to a confirmation message before you'll be given access to post. Your email address is completely protected by the forums software, and we have had zero reports of any spam or other issues concerning privacy on the forums.

    Hope you'll give it a try. We're always looking for more people to join the community, which numbers nearly 2,500. We're also coming up on 100,000 posts.

    A Moment of Silence
    A couple of weeks ago the last satellite dish in my yard was rudely ripped from its lovingly created cement footing and jammed unceremoniously back into its giant cardboard coffin. Yes, I'm talking about my StarBand satellite dish. Though the connection was still working, the services were just overmatched and made redundant by my DSL and cable Internet connections. Those of you who have been reading this newsletter for some time and who have paid attention will have noted that occasionally my editor-slash-wife sneaks rudely into this missive with bracketed "Editor's Note" comments. Well, not this time, buckeroo. I'm writing about a weighty matter, the loss of a broadband connection. And it doesn't deserve to be made fun of!

    [Editor's Note: Do you believe this guy? He acts like I shot his best dawg. It was just an ugly satellite dish. Besides, I'm going to make it up to him. --Cyndy]

    Newsletter Schedule
    Scot's Newsletter is a monthly "e-magazine." My aim is to deliver each issue of the newsletter on or before the first of each month.

    I'm toying with taking an issue off this summer, and if I do that I will probably skip the August issue. More than likely that decision will be made based on what there is to write about. Traditionally the July-August timeframe is a very slow time of the year for Windows and broadband (and everything else in the northern hemisphere). I haven't definitely decided to skip the August issue yet, but if you don't hear from me for a couple of months, you'll know why.

    You can always find out when the next issue of Scot's Newsletter is expected to appear by visiting the Scot's Newsletter home page.

    The Fine Print
    If you like this newsletter, I need your help spreading the word about it. Please share it with friends and co-workers, and encourage them to sign up! It's free.

    Visit the new Scot's Newsletter Forums.

    Subscribe, Unsubscribe, Change Email Address or Message Format
    You can unsubscribe at any time; I don't believe in captive audiences. The website subscription center is the easiest way to manage your Scot’s Newsletter subscription. Changes take only a minute or two. You must select your message format — Text or HTML — even for address changes or unsubscribes. All subscription changes are now handled on the same page with a database-look-up feature that ensures greater accuracy:

    The Scot’s Newsletter Subscription Center:

    To help with the cost of creating and distributing the newsletter, I accept contributions via PayPal and Letter Mail. For more information on donations:

  • Sign-up for PayPal (if you don't already have it)
  • Option #1: Donate via PayPal
  • Option #2: Donate via Letter Mail

    Send comments, suggestions, or questions about this newsletter. Don't be bashful about telling me what you like or don't like. Send emails related to editorial content (only) to

    Please address advertising inquiries (only) to:

    Sign-up for PayPal.

    Support this Newsletter by Donating Today.
    Or donate via Letter Mail.

    How to Link to Scot’s Newsletter

    Copyright © 2001-2007 Scot Finnie. All Rights Reserved.
    Ten Myths About Copyright Explained.
