Saturday Morning Ride…

Wow. I did 2 hours straight (well, one bathroom break) on the trainer this morning. I have a 1UP USA trainer (www.1upusa.com/bike_trainer.html). It's kinda nifty but it does take time to setup (about 15 min to get myself settled with drinks, tv remote and bubble gum to amuse myself with). The cats hate it. As does my ass. <br />
<br />
But I did do it. Hopefully this will help for the summer ride. Right now I just want winter to go away so I can ride to and from work and then do some nice long rides on the weekend. I think I might do at least one trip a month in the summer to and from Niagara Falls. Maybe camp out (soon as I figure out if there is a campground). <img src="http://www.msmittens.com/serendipity_archive/templates/default/img/emoticons/smile.png" alt=":-)" style="display: inline; vertical-align: bottom;" class="emoticon" />

Hrmmm…

Well. This might do for now. I think I will play a bit more with the log setup now that I've figured out how to modify the style.css. This isn't a bad pre-fab blog but takes some configuring and hacking to get it the way you want.

Sigh…

I think this is the 4th Blogging tool I've tried today. It holds probably the cleanest format but seems to be the one with the least amount flexibility (at least for now) for modifications. I'll have to figure out where I can put in my play logos and such. Eventually, I'm going to add some links for security, long distance cycling, etc. <br />
<br />
I'll get the hang of this yet!

ARTICLE: Deflecting Assaults on Privacy

Protecting information is often one of the most challenging and important tasks for administrators today. As I write this, Microsoft is dealing with a new risk with the release of parts of the NT and Windows 2000 source code. If Valve's situation is any indication, it might have been due to a hijacker type program.<br />
<br />
Administrators put up all sorts of firewalls, IDSes, Anti-virus software and other security mechanisms to control how information flows in and out but these particular "annoyances" still manage to slip through. Part of this may be the attitude that they aren't really viruses or threats. However, I would disagree as it tends to ensure that information – about the user, where the user has been and the system the user is on – is getting out without proper checking.<br />
<br />
These methods, sometimes referred to as browser hijacking, spyware, adware, etc., are all methods of gaining access into a system without the knowledge of the user (even if the EULA or AUP of that software states that they agree to it by looking at an ad) and then forwarding that info to another party. If companies allow employees access to the Web then there is a risk of spyware or other malicious code coming in.<br />
<br />
One of the best and strongest defenses against this is user awareness and education. Nothing beats having a user who pays attention to the activities on their machine and informs administrators and technical support of any issues, even on occasion minor ones. Inform users on what spyware is, what the risks are to the company and how to recognize it. Sometimes unusual slow downs, extra unknown activity and/or sporadic computer behavior can all signal the presence of "unknown" software.<br />
<br />
Other preventative measures might include the limiting the reception of HTML-based emails. Outlook 2003 and up have options available to disables HTML in such emails. The problem is that many companies still use Outlook Express and earlier versions of Outlook. A nifty little (and somewhat cheap) solution is called NoHtml. This can be added to the base employee image and turned on by default. This eliminates the possibility of "phishing" techniques being used to gather information from the company. Visit <a href="http://www.msmittens.com/serendipity_archive/exit.php?url_id=57&amp;entry_id=34" title="http://www.baxbex.com/nohtml.html" onmouseover="window.status='http://www.baxbex.com/nohtml.html';return true;" onmouseout="window.status='';return true;">http://www.baxbex.com/nohtml.html</a> for a free trial.<br />
<br />
We also want to make this protection transparent to the user so a firewall add-on like WebSense is recommended. This tool works with both software and hardware firewalls. In essence, it acts as a filter for specific malicious web activities. The flexibility and scalability of the product ensures that no matter what your users do, you can protect them (and the company) from potential external attacks. Visit Websense's website for more details and comparisons with other similar products (<a href="http://www.msmittens.com/serendipity_archive/exit.php?url_id=58&amp;entry_id=34" title="http://www.websense.com/" onmouseover="window.status='http://www.websense.com/';return true;" onmouseout="window.status='';return true;">http://www.websense.com</a>).<br />
<br />
Other methods of defense include limiting which Web browser is used by your users. While most desktops run Windows, it isn't necessary to run Internet Explorer. Using alternatives to IE can help mitigate some of the activities of spyware/adware/browser hijacking. This can be avoided by using browsers that have built-in pop-up control. Netscape, Mozilla and Opera all have this feature. You can also get pop-up blockers (software specifically designed for dealing with this). <br />
<br />
While the preceding apps are examples of preventative measures, the reality is someone or something is likely to get through. And if they do, it isn't a bad idea to have a handy toolkit of utilities to use to detect problems and deal with them on the user's machine. Some utilities will say they catch everything but personally, I've never seen anything as thorough as three products from one software developer: CWShredder, HiJackThis! and StartupList.<br />
<br />
What I have found with these three tools is that they often find items that many of the spyware products leave behind. They have a nice "Info" feature that allows an admin/tech support person to check the status of the Registry or system status. As an example, below I've done a CWShredder check first on my system:<br />
<br />
<CODE><br />
CWShredder v1.47.3 scan only report<br />
<br />
Windows XP (5.01.2600 SP1)<br />
Windows dir: C:\WINDOWS<br />
Windows system dir: C:\WINDOWS\system32<br />
AppData folder: C:\Documents and Settings\fac3\Application Data<br />
Username: lyne.bourque<br />
<br />
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)<br />
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe<br />
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,<br />
CWS.Vrape/CWS.Addclass Registry value: DefaultPrefix [] http://<br />
CWS.Vrape/CWS.Addclass Registry value: WWW Prefix [www] http://<br />
Registry value: Mosaic Prefix [mosaic] http://<br />
Registry value: Home Prefix [home] http://<br />
Found Win.ini file: C:\WINDOWS\win.ini (1053 bytes, A)<br />
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)<br />
<br />
– END OF REPORT -<br />
</CODE><br />
Looks like my system is ok. Let's check HiJackThis!<br />
<br />
<img src="pixel/hijackthis.jpg"><br />
<br />
Overall nothing serious, but if I'm feeling suspicious I can check items by selecting them and getting information as to the risk they may carry. Configuration options allow me to ignore specific enterprise implemented tasks, creating a startup log (so I can check for any potential "nasties" there) and creating backups.<br />
<br />
The last tool, StartupList, is a simple little program that generates a notepad listing of what things begin on a Windows machine. Very handy for troubleshooting.<br />
<br />
Now while these tools are often targeted to the home user, administrators in enterprise environments shouldn't shy away from them. Remember that attackers often don't make distinctions between home and enterprise users. All they see is a victim. These three tools can be found at Merijn.org. An interesting side note, the site has been victim of a massive DDoS, perhaps a testament to the effectiveness of the tools finding the results of bad activity?<br />
<br />
We have to realize that protecting privacy extends beyond individual end users. Our employees might inadvertently be putting the company at risk by simply performing research for a project or receiving what seems like work-related emails. While education is an excellent method of dealing with these threats, using technology as a backup helps to keep all the bases covered.<br />
<br />
<b><i>Addendum</i></b>: For more information on Phishing, check out <a href="http://www.msmittens.com/serendipity_archive/exit.php?url_id=59&amp;entry_id=34" title="http://www.antiphishing.org" onmouseover="window.status='http://www.antiphishing.org';return true;" onmouseout="window.status='';return true;">The Anti-Phishing Website</a>.

ARTICLE: Prelude to a Secure Enterprise

Intrusion detection systems (IDS) have come a long way since their humble beginnings in the mid-1990s. While much of the Open Source environment has taken to Snort, a new player may be coming into focus that will change the way that IDSes work.<br />
<br />
One of the primary criticisms against IDSes is that they tend to be unique to their environment. They are either exclusively network-based or host-based. Rarely do we see both in the form of a Hybrid IDS. Prelude IDS, released in 2002/2003, is the first Open Source Hybrid IDS.<br />
<br />
Rather than simply create another NIDS (network-based intrusion detection system), the creators of the Prelude project felt that an IDS that pays attention to system activity as well as network activity would offer better results to administrators over larger networks. And certainly, it makes for ease of control when there is a single console to manage various IDS sensors.<br />
<br />
The basics behind the Prelude system include the Prelude Library (libprelude), sensors, managers (basically consoles within the environment), counter measure agents (actions that can be used to stop malicious activity) and the front end. Prelude is still in its infancy, but even this pre-1.0 product has a lot to offer a network security administrator.<br />
<br />
This particular Open Source IDS, at the time of writing, is available for most Linux, OpenBSD, FreeBSD (the author's testing was done on this platform), NetBSD, Sun/Solaris and MacOS X. Sorry Windows enthusiasts; there is little indication that a Win 32 port is in the works. The reasoning behind this seems lie in keeping the CPU and network footprint of the IDS small. This is evident in my testing of the IDS on a meager Pentium 100 with 64MB of RAM.<br />
<br />
Because of this companies do not have to spend enormous amounts of cash on hardware to support a decent IDS for their network. Too many software manufacturers are adding too much "dazzle" at the expense of raw computing power.<br />
<br />
Another advantage of the Prelude IDS is its capability to understand other IDS rule sets. This means that if you are transitioning from one IDS to Prelude you can use your existing rule set and not have to start from scratch. Added to this is the capability of the IDS to search out Managers if the designate Manager is unavailable (perhaps due to a DoS, hardware failure, and so on.). If none of the other designate Managers are available to receive an alert, the IDS holds on to the alert until such time that it can forward it appropriately.<br />
<br />
The Sensor itself is certainly outfitted with the standard stuff. It has a network detection engine, but what it adds is a "Linux-only" library (which might be why a Win32 version hasn't been seen yet) that should detect buffer overflows in systems and protect them from attack.<br />
<br />
This particular activity is done through the Polymorphic Shell Code Detection Plugin, which is a nice default feature to have available. It also employs many of the "standards" like Scan detections and arpspoof detection. Add to that data normalizers to deal with any attempts to evade detection through the use of Unicode characters and you have the foundation of a solid IDS.<br />
<br />
One of the default features I was particularly impressed with was that Prelude started as a hidden IDS. That is, it performed its detection duties without attaching to an IP address. This, in turn, means that it will be harder for the attacker to figure out where the IDS is located while extending better control over the network to a security administrator. In addition, I don't have to make changes as it defaults to this configuration from startup. You actually have to tell Prelude if you want it to listen to a specific NIC.<br />
<br />
Prelude was fairly easy to set up in its default configuration. You know it's working from the "heartbeat" it leaves in the logs. You can also easily test it with a simple TCP_Connect() scan from NMAP. Much like any IDS, it will light up like a proverbial Christmas tree.<br />
<br />
The one difficulty I've found has been the front-end. At present, the only front-end that seems supported is PIWI perl-based. This, in the author's view, is a bit of a downside but one that I suspect will change as Prelude matures over time. At one point there was a PHP front-end, but there were difficulties in it that made it somewhat unusable.<br />
<br />
All of the features I've mentioned are only the tip of what Prelude offers. There certainly is far more to it than what was possible to cover in this article. I would recommend Prelude as a new form of IDS for large LANs and perhaps even Internet traffic. It seems willing to take on the challenge in the Enterprise environment even in its early stages of development.<br />
<br />
Prelude IDS can be downloaded from <a href="http://www.msmittens.com/serendipity_archive/exit.php?url_id=53&amp;entry_id=33" title="http://www.prelude-ids.org" onmouseover="window.status='http://www.prelude-ids.org';return true;" onmouseout="window.status='';return true;">http://www.prelude-ids.org</a>.

ARTICLE: Viruses + Social Engineering = 2003

When I look back at the past 12 months, it occurs to me that some common themes keep appearing. I begin to wonder about what the CSI/FBI survey for 2004 will look like when it's released next spring. Certainly there has been discovered many flaws and holes in various applications, but overall two things stood out: viruses continued to breed and social engineering had reached new, unprepared audiences.<br />
<br />
2003 reached new heights in the destructiveness of viruses and it highlighted how the primary method of dealing with viruses today simply isn't working.<br />
<br />
The CSI/FBI survey of the past year indicated that about 98% of respondents had implemented anti-virus software as a security measure. If that's the case then why did a virus/worm like Slammer (Sapphire) have such a devastating effect and bring the Internet to a near halt? And how do we still end up with propagated emails everyday?<br />
<br />
Well, in Slammer's case, the propagation method caused the problem, which leads one to think that the firewall setup is the issue. Allowing for certain ports to be open and available to the Internet invites trouble. And it's not just to protect from Internet attacks but also to stem the flow of "malicious" or unwanted traffic from the Intranet to the Internet. Administrators cannot solely rely on anti-virus software to solve their security and virus problems.<br />
<br />
Administrators need to limit where and how often users go out to the Internet. In many work settings, there rarely exists a need to instant message, send/receive personal email, Web surfing, etc. In fact, few employees truly need access to the Internet, beyond work email.<br />
<br />
While this may seem like a harsh reality, it nonetheless needs to be advocated more often. Users are often unaware of the dangers present at the many places they visit online, and admins are often too overworked to check every site users visit. A stricter Internet access policy is the way to go.<br />
<br />
Besides Slammer, 2003 saw a bevy of other viruses, probably the best bumper crop — so to speak — since the days of "I love you." Bugbear, Blaster, Sobig and Swen made headlines. In fact, they introduced a bold new twist: spoof the source address to mimic that of a legitimate e-mail.<br />
<br />
It's surprising that no one thought of this before. Even more surprising is that users truly believed that Microsoft and others would demonstrate such diligence and take it upon themselves to e-mail users with "fixes" to their computer problems. Not surprisingly, these viruses made the rounds (and still do today). And yet, we see that 98% of companies have installed anti-virus software. <br />
<br />
<b>Blameless Administrators?</b><br />
<br />
Indeed, it appears that home users are mostly to blame for propagating this. Perhaps, but I think there are greater dangers at the enterprise level. One company I work with has a problem involving propagating emails. Within any given day, the typical user receives 10-20 emails all due to a virus (at present, Klez and Yaha variants seem to send the most email).<br />
<br />
When the IT department — and specifically, the Mail Admin — was asked to do something about it, the reply was "that all users have anti-virus, shouldn't double-click on attachments and should set up filters using Outlook so they wouldn't have to see the e-mails come in".<br />
<br />
This is a poor way of dealing with this issue. Users are not computer experts. Administrators and tech support staff are. Users have been trained to perform their jobs and to generally believe, for the most part, that whatever hails from the Internet is a valid form of communication and thusly must be true.<br />
<br />
The expectation that users should inherently be able to protect themselves do this is an incorrect one and one that I believe will continue to result in the continued spread of viruses. Rather than being reactive, perhaps it might be worthwhile for administrators to be proactive.<br />
<br />
One technique that isn't reviewed or discussed often is virus walls. There aren't many manufacturers of this type of product but it does exist. A virus wall is similar to a firewall in that it examines packets as they travel back and forth between networks. The difference is that a virus wall will put packets together and examine them for virus signatures. Clearswift's MIMEsweeper, Trendmicro's Interscan, or Mcafee's Web Shield appliances are all options available to deal with viruses on the fly rather than relying on users to deal with them.<br />
<br />
There are, unfortunately, still things that get through. Swen introduced an element of social engineering that hadn't been seen in viruses before. By pretending to be a legitimate company, the virus writer gave users a reason to want to click on the attachment. Social engineering has subsequently seen an increase in its use for spam messages.<br />
<br />
What is worse is that there are many messages that get users to respond by putting in personal information like credit card information, phone, address, SSN, SIN, etc. or, in a recent example, cause users to flood the victim company with complaint phone calls. While users aren't expected to be that technically inclined, it is still worthwhile to educate them on the dangers of the Internet and that not everything that resides there is safe.<br />
<br />
Some tricks to help admins and users deal with spam and viruses:<br />
<ul type=button><br />
<li>Avoid using Outlook if possible. Many viruses are dependent on the integration that is offered by Outlook and Microsoft OS platforms<br />
<li>Turn off the ability to view emails in a preview pane. Although it takes a few extra seconds to double-click and open an email, it does avoid some problems that are often found with anti-virus checking and preview pane options<br />
<li>Turn off HTML email (receipt and sending of). HTML emails hide some of the social engineering techniques used spammers and virus authors (last time I checked, Microsoft.com was headquartered in the US, not Russia).<br />
<li>Be vigilant. The Internet is home to many truths, but as 2003 has shown, it's a breeding ground for lies. Users should take everything that's deposited into their inboxes with a grain of salt. <br />
</ul><br />
<br />
Perhaps 2004 won't be as fraught with as many security woes as 2003 was. One can only hope.

ARTICLE: The Future of Open Source in Security

At many colleges and universities around North America, students learn about a variety of topics. Quite often for reasons of cost and flexibility, courses rely on Open Source alternatives to solutions that the industry typically employs. In fact, for many, Open Source opens new doors for students that would have otherwise been locked out.<br />
<br />
Seneca College, located in Toronto, is no exception. In fact, Seneca College recently won an award from <a href="http://www.msmittens.com/serendipity_archive/exit.php?url_id=51&amp;entry_id=31" title="http://www.mcgrawhill.ca/highereducation/_integrated+technology/integrating+technology.php" onmouseover="window.status='http://www.mcgrawhill.ca/highereducation/_integrated+technology/integrating+technology.php';return true;" onmouseout="window.status='';return true;">McGraw-Hill for Innovation in Education</a>, specifically due to the way we teach Open Source at the College.<br />
<br />
This year we held our <a href="http://www.msmittens.com/serendipity_archive/exit.php?url_id=52&amp;entry_id=31" title="http://poseidon.senecac.on.ca/~sos2/index.html" onmouseover="window.status='http://poseidon.senecac.on.ca/~sos2/index.html';return true;" onmouseout="window.status='';return true;">2nd Annual Open Source Symposium</a> and it certainly fit the bill as a wide variety of topics were presented from security to higher education theory. Most importantly, the presenters were not just from Seneca College's Programming and Networking programs. Professors from Humber College, York University, Sheridan College and Durham College presented in addition to those from the private sector including IBM.<br />
<br />
Some of the topics covered included the usability of Open Source utilities and Voice over IP (VOIP), Wireless Discovery tools, the value of Open Office, changes in the upcoming new Kernel 2.6, and teaching .Net via Open Source tools.<br />
<br />
Taking center stage was Open Source and how well it can help drive network security. While a few would argue benefits of closed-source applications, mostly due to their support features, I believe that it is Open Source that can encourage the industry to innovate.<br />
<br />
As an example, tools used in the Wireless Discovery presentation highlighted how easy it is to enter into a wireless network. Tools like wavemon, airtraf, wave stumbler and lwspy determine the "accessibility" of a network. Other tools like Kismet, Air Snort, Wellenreiter and Moxy can also be used to expose network vulnerabilities.<br />
<br />
We have to remember that we cannot be lax in security by just patching what we think is wrong. Tools like these remind us that we sometimes need to view things from other angles to get the full picture. A savvy network administrator, after setting up a wireless network, can use these tools to determine how open their network is. He can then apply appropriate security to the wireless network (e.g., firewall, authentication controls, encryption via VPN, WEP, MAC controls, static IP, etc.). Finally, of course, he checks again with some of the tools above.<br />
<br />
Open Source and security share a fairly long history. Many of the recognizable security tools were created with Open Source ideals. Tools such as Nmap, SATAN, SAINT, SARA, Nessus, Snort, Prelude, ipchains, iptables, squid, tripwire, SSH/OpenSSH, GnuPGP/PGP, OpenSSL, honeyd, MIT Kerberos and many more. Very few, if any, areas of security haven't been covered by one open source project or another. <br />
<br />
<b>Open Source's Expanding Reach</b><br />
<br />
Interestingly, these projects are encouraging people to get into security. Take for example, snort. Since its release in 1999, it has been downloaded over 10 million times. Whether people are deploying it at home, in a SOHO or in the LAN of a Fortune 500, it is nonetheless becoming a fixture on a growing number of networks. This project has encouraged users to become comfortable with security without having to deal with two major hurdles: extremely high cost and creation of a monoculture computer/network system.<br />
<br />
Perhaps the biggest advantage is that many of the projects are licensed under the GPL. Anyone can download the source, compile it and install. They can then configure it to their heart's content.<br />
<br />
Need support? Visit mailing list or forums. Users are very adept at helping each other with problems and for the majority this works. There is, nonetheless, a small percentage that continues to encounter difficulties. By and large, this is no different than paid technical support except for one thing. You don't have to pay $50 an hour to be told, "Reboot your machine. That should solve it," as any administrator can attest.<br />
<br />
The second biggest advantage is that open source products reduce the likelihood of a monoculture OS/Network. Certain closed-environments encourage that specific vendor tools be used to allow for ease of function and administration, certainly a logical idea.<br />
<br />
Unfortunately, if that specific vendor is the same for your OS, firewall, IDS, Web server, DNS server, etc. and is found to have a dangerous vulnerability, the chances are high that this bug will carry through all servers rather than stopping at just one server/service. With Open Source, we lessen the likelihood of this kind of problem and mitigate some of the inherent risks in a monoculture environment.<br />
<br />
Open Source is now in a position to direct where security will go. It's not the be-all-end-all solution, but it certainly opens up the door to better products. We are not dependent on single vendors for boxed solutions and can create avenues to secure networks on our terms. Education centers like Seneca College can help drive Open Source into the business marketplace, where the advantages can be enjoyed by all. <br />
<br />

ARTICLE: Software Review: Password Officer 5.0 Deluxe

As administrators and dispensers of technical support help, we often face one particular challenge that makes us want to pull our hair out: convincing our users of the importance of good password security. It is a challenge we've all faced at one point or another.<br />
<br />
Users end up doing one of two bad extremes. The first is the usage of known information as a password, such as using their SSN, birthdate, username, spouse/partner's name, child's name, etc. Or worse, they'll use dictionary words such as "password" (the most common dictionary word) or no password at all (blank).<br />
<br />
On the other side are the users that single-handedly keep 3M and other "sticky" manufacturers happy. Their monitors are gardens of colorful stickies that hold everything from reminders of anniversaries, projects, and shopping lists to account information, passwords, and PINs — all in plain sight!<br />
<br />
Some figure they will be creative and hide their passwords under their keyboards, behind their computers, or in their top desk drawers. This is particularly true when administrators provide users with longer, more complex passwords. Users have notoriously short memories and seem to have difficultly remembering a password even if they use the same one for months. So how do administrators go about resolving the password challenge?<br />
<br />
Compelson Laboratories has come up with a pretty nifty tool called Password Officer 5.0 Deluxe that is designed to remember passwords for users and store them in an encrypted file. The program is intelligent enough to know which applications and/or Web sites are associated with which usernames and passwords. It can also optionally be used with a smart card environment.<br />
<br />
Password Officer 5.0 Deluxe is for Windows-based systems (Windows 95, 98, ME, NT, XP) and interacts with Internet Explorer as its browser of choice (more on this later in the article). It has two "installs": one is the standard double-click and install into the system, while the other is to use the product directly from disk (useful for users who don't have administrative rights on their NT/XP boxes — which was my situation).<br />
<br />
I decided to experiment with it on a few Web sites and a few applications. Once I set up the sites and applications, I selected the option for them to reside in the systray. This meant I could now just go to the icon and select which site I want, and, viola, I was in! <br />
<br />
Password Officer 5.0 Deluxe launches Internet Explorer, loads the page, enters the username and password, and even automatically clicks on the "Press Enter to continue" box. When using it with an application, it isn't too difficult to configure but can sometimes require a few minutes of getting the exact sequence of keystrokes, text, enter commands, tabs, etc. I was able to get my Password Officer to launch my SSH GUI client without trouble — a rather nifty use of the application, as some of the accounts I use with the SSH client have very difficult passwords to remember.<br />
<br />
Now you may think that anyone could launch your copy of Password Officer, right click on the icon in the systray, and easily connect to your password-protected Web sites and/or applications. Compelson obviously thought of this and put a master password on the encrypted file it uses to store the passwords. This means that if you try to load the password file, you'll need to first enter the master password.<br />
<br />
You can also opt to keep the encrypted file locally or on removable media (a USB pen drive might be a good choice). The file itself is relatively small (2 Web sites and one application with keystroke combinations and such created a file of 482 bytes). Even the application itself is small at less than 2MB (including all DLLs needed).<br />
<br />
Password Officer can even go so far as to create passwords for you (say you are signing up for a new online account at a Website), with the length and character mix you want (you can specify which special characters are valid), and with one of three algorithms of your choice: Twofish, FIPS 181 DES, or FIPS 181 AES.<br />
<br />
There are two drawbacks I've found with Password Officer. The first is its dependency on Internet Explorer for the Web portion of password recall. I'm not fond of Explorer due to the many problems that seem to crop up with it and the many vulnerabilities that have appeared of late. Try as I might, I couldn't get Password Officer to work with Netscape.<br />
<br />
The second issue is that it doesn't pick up on application requests for changing the password (at least it didn't detect when the Linux box I was connecting to required a password change). Because it doesn't capture the password change, you have to manually go into Password Officer and change it for that specific application.<br />
<br />
Keep in mind that while Password Officer does all the username and password entry for you, it doesn't take care of encryption over the wire. The security of the Web sites users visit and/or the insecurity of clear-text transmittal is still something that needs to be taken into consideration by the ever-vigilant network admin.<br />
<br />
That all said, this application could prove beneficial for the administrator that attempts to get users to use their passwords safely. In fact, the administrator could set up all applications to be launched by Password Officer, put in the appropriate information, and off they go. At the very least, it may cause a few "sticky" gardens to fade away.<br />