James O'Neill's Blog

October 30, 2006

Sony rookit on 1/4 million PCs, MSRT removes a malware somewhere every 3 seconds and other statistics.

Filed under: Security and Malware,White Papers,Windows Vista,Windows XP — jamesone111 @ 1:51 pm

I’ve been reading a paper about the Malicious-Software Removal Tool (MSRT, and I hyphenate it to prevent it being read as the Malicious software-removal tool), it’s entitled, MSRT progress made, trends observed. If your interested in what the tool does, or in the statistics it makes fascinating reading.

Here are some points from its summary with a few comments of my own.

  • The data was up to March 2006, over the 15 months it had been out, it had removed 16 million instances of malicious software from 5.7 million unique Windows computers. On average, the tool removes at least one instance of malware from every 311 computers it runs on. It had been run a total of nearly 1.8 billion times – the number of executions per month was rising steadily but averaged of 118 million.
    Quoted executions for March 06 show the tool running roughly 100 times every second, and a malware removed somewhere in the world every 3 seconds. On average a PC which has been cleaned had 2.8 malwares removed (though these may be at different times). My only complaint about the paper is that it talks in some places about PCs cleaned and in others about Malwares removed; the difference makes it difficult to work out some things
  • 41 of the 61 malware families targeted by the MSRT from January 2005 to February 2006 have been detected less frequently since being added to the tool with 21 of the families experiencing decreases greater than 75%. This is hardly surprising, the prevalence of a piece of malware declines over time.
  • Backdoor Trojans are a significant and tangible threat to Windows users. Of the 5.7 million unique computers from which the tool has removed malware, a backdoor Trojan was present in 62% of computers.
  • Rootkits, were found on 14% of computers cleaned although this figure drops to 9% if the WinNT/F4IRootkit, distributed on select Sony music CDs, is excluded. In 20% of the cases when a rootkit was found on a computer, at least one backdoor Trojan was found as well .Wow. The Sony root kit removed from 5% of 5.7 million computers – roughly 250,000! 0
  • Social engineering attacks represent a significant source of malware infections. Worms that spread through e-mail, peer-to-peer networks, and instant messaging clients account for 35% of the computers cleaned by the tool. Or, if people aren’t getting smarter
  • Most of the computers cleaned with each release of the MSRT are computers from which the tool has never removed malware. BUT In the March 2006 version of the MSRT, the tool removed malware from approximately 150,000 computers (20% of all computers cleaned) from which some malware had previously been removed by the tool in an earlier release.

I find the last one is interesting – 600,000 computers which had never been infected were cleaned, bringing the total to 5.7 million, so 5.1 had been cleaned previously. 150,000 of the 5.1M were re-infected – about 3%, compared with 600,000 out of 200M previously clean – an infection rate of about 0.3%. I guess this isn’t surprising. Of people infected most take steps to avoid re-infection; the ones who don’t change are doing the things that make them likely to get re-infected, some will get re-infected after a month, some after 2, some after 3 and so on What we don’t know is how many are clean through  protection and how many through lack of exposure.


This post originally appeared on my technet blog.

October 29, 2006

Camera lens rules

Filed under: Photography — jamesone111 @ 10:39 pm

Because my daughter has been on school holidays this week I have been spending time at home and thinking about photography more than work. In some of the forums I’ve been reading I keep seeing questions about the “digital SLR crop factor” – and statements that given focal length on digital is equivalent to a lens of 1.5 or 1.6 times the focal length on a 35mm film camera, so I thought I’d put the details down once so I can refer people here 🙂  

The lens doesn’t do different things with rays of light when you mount it on a different body; focal length never changes. However angle of view is a function of focal length and film/sensor size. We can calculate this with the formula 2 arc tan (2*focal length/image size) and you can see how this works in the diagram. It follows that if one camera records an image which is 1.5 times the size of another camera, it needs a lens with 1.5 times the focal length to get the same angle of view. If you look at the Details page of an image’s properties in Windows explorer you can often see a 35mm equivalent focal length recorded.

The diagram also helps us to understand the relationship between distance to the subject, size of subject and size of image. If you imagine taking photographing a building which is 36M wide so it fills a frame of film which is 36mm wide, the ratio of the building size to the image size is 1000:1. You can see that using similar triangles the ratio of lens to subject and lens to image distances must also be 1000:1 with a 50mm lens we’ll be 50M away. If you take the same picture on a digital camera with a 24mm sensor, the ratios are 1500:1, so we’ll need be 75M from the building to get it all in the frame.

Absolute Image size never changes. A 36m wide subject will always give a 24mm wide image with a 50mm lens 75M away. (The lens won’t change what it does). But if the frame size changes, there is a change in the proportion of the frame the image occupies. Now: if changing the camera means a subject which is smaller or further away fills the frame it is natural for some photographers to call this magnification. Others, particularly who deal with Macro ratio (the ratio of subject size to image size) will say this isn’t magnification. They will point out the image isn’t bigger, it’s just had its edges trimmed off, so what’s left seems to have been magnified.

Perspective is not a consequence of focal length or angle of view as such: it only depends on the relative distances between the different objects in the image. If two objects are the same size but one is 1M in front of the other, with the camera 1M from the front object the one in the background 2M from the camera and appears half the size. If the camera is 9M front the front object, the far object is 10M away and appears 90% of the size. But where you position the camera depends on it’s field of view so in practice focal length does affect perspective, albeit indirectly – wider angles of view mean you move closer to the foreground and you get a heightened perspective effect.

This post originally appeared on my technet blog.

October 27, 2006

Hello Scotland !

Filed under: Events,Windows Server 2008,Windows Vista — jamesone111 @ 6:16 pm

We had a very well attended roadshow event in Edinburgh earlier in the year, but the truth is we don’t hold as many events outside Reading and London as we’d like to. I’m going to be doing some of the organizational stuff on the next roadshow so I’ll probably have a list of reasons why we prefer to stay in Reading.

I mentioned Andy Malone last week and he’s delivered some technet events for us in Scotland. Andy’s (fairly new) blog has details of a technology roadshow event he’s running. This isn’t an official Microsoft event, but still looks well worth attending. Last time I talked to him he was telling me how pleased he was to reactions he had for the last event, so all the signs are that this will be worth going to. The technologies he’s covering will be Vista, Longhorn server and Exchange 2007. We’re going to be talking about a lot of the detail of  Longhorn server for the first time in public at Tech-ed, and to the best of my knowledge Andy will be the first person to cover this ground in the UK. So for once Scotland gets the information first.

This post originally appeared on my technet blog.

Good and not so good use of RSS.

Filed under: RSS,Windows Vista — jamesone111 @ 2:24 am

Every morning my postman puts 3 or 4 catalogues through the door. My wife’s late father had a printing company, and she still murmurs “more work for the printers” when this things arrive. It’s one of of the few causes of friction in the O’Neill household, because I try not not to get to get these things delivered.

I won’t take the free subscriptions to the various trade magazines either; and I wouldn’t put my name down for a print copy of technet magazine (though I’ll pick up a copy because it around in the office). I had an announcement earlier that “Beginning with the November 2006 issue, we will be publishing all TechNet Magazine content online in 7 languages (English, German, Spanish, French, Brazilian Portuguese, Russian, and Simplified Chinese)” 

There are a pile of articles on Windows Vista there right now: go and take a look.  

Of course you don’t want to keep going back to a web site and checking for new articles, and neither do I. I was a bit put out that the RSS icon in IE7 didn’t light up when I went to the site. There is an RSS link on the left of the page and you customize can the RSS feed to articles that interest you. They just need to make the feed discoverable.  The technical editor for the on-line magazine tells me he’s looking into fixing that .

and for those of you who are either descended from printers or just don’t like trees, you can sign-up for the print version here.

This post originally appeared on my technet blog.

October 26, 2006

Taking a walk on the Virtual side

Filed under: Blogcasts,Events — jamesone111 @ 8:27 pm

I mentioned in my last post that I’d been working on Videos for Virtual Tech-ed – they’re calling the web-site “The Virtual side” ,they’re rotating the videos on the front page so fortunately you have to click on a link on the right to find the one of Steve and I.  I’m pleased with quite a lot of what I’ve recorded: this one I did with Kevin Sangwell which is on the home page now is a good example Kevin’s an old friend and an easy guy to interview: what says about the speakers, and how we react to feed back (basically the second half of the edited interview) is very interesting. We have several more videos in the can, and they will go up between now and the event.

This post originally appeared on my technet blog.

Hello Girls !

Filed under: Events — jamesone111 @ 8:01 pm

I remember, four years or so ago commenting that a colleague had a new, and better hairstyle. She replied thanks, and since she’d thought long and hard about the change, it would have been nice if other people said so. And off we went into a conversation about how men and women in the work place have to tread so carefully that they dare not pass comment. Another story (which may be an urban legend) was of someone from the North of England who transferred to Microsoft in Redmond, and got called into HR having said “Morning girls” to two female colleagues. Where they came from calling any female over 10 a “girl” would be thought demeaning: where he came from it was quite normal. Perhaps it was just as well he didn’t come from the Southwest of England where “My lover” is a perfectly normal form of address for someone of the opposite sex, or from the North-east where no one objects to being called “Pet”.

I bring this up because, on behalf of the Virtual-Side, I was interviewing two of the organizers of the “Girl Geek dinners” this week, and I wouldn’t dare call someone a girl geek.  I’ve videoed Eileen on the subject as well, and I hope to do another with Sarah Blow who runs the dinners in London. Because it’s half term and I was supposed to be looking after my six-year old daughter, I brought her along. Afterwards she asked “What’s a geek ?” I explained. There was a pause. “Like you then ?” she said. Thanks Lisa.

There are Geek dinners are open to men and Women, but the simple fact was very few women came. I can’t think why they wouldn’t want to spend the evening in the company of a load of Geeky men 🙂 Girl Geek dinners are a chance for women who work in technology to network with each other. It’s not exclusively women, but men have to be invited by a female attendee.

If you’re going to tech-ed developer you can sign-up for the dinner here. If you’re going to tech-ed IT forum the sign up page is here. And boys, a start looking for someone to go with.

This post originally appeared on my technet blog.

October 18, 2006

Apple’s real problems shipping a virus

Filed under: Apple,Security and Malware — jamesone111 @ 4:40 pm

Apple have had to post the following on their website

We recently discovered that a small number – less than 1% – of the Video iPods available for purchase after September 12, 2006, left our contract manufacturer carrying the Windows RavMonE.exe virus This known virus affects only Windows computers, and up to date anti-virus software which is included with most Windows computers should detect and remove it.

They go on. As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.

Oh bitchery ! Actually Windows Vista would catch this twice over, once via User Access Control and once via defender. XP will only get hit if you run as an administrator (and the fact that people do is down to bad applications, not Windows itself)

But, what infected these iPods ? Surely Apple aren’t owning up to the fact that a Windows machine is better suited to mastering iPods than a Mac running OSX ? And as they say “up to date anti-virus software which is included with most Windows computers should detect and remove it.” so their production PCs don’t have upto date Anti-virus software… Admitting that has to hurt.


Technorati tags: , , ,

This post originally appeared on my technet blog.

October 17, 2006

Virtual PC 2007 – Beta available.

Filed under: Beta Products,Virtualization — jamesone111 @ 1:46 pm

Last week I was talking to Andy Malone who has been running some great sessions for us up in Scotland, and he mentioned Virtual PC 2007. Until he mentioned it I didn’t know it was to be seen outside a certain privileged circle, but it is; you can sign up for it on the Microsoft Connect site. I’ll be installing it later today. Thanks to Ben Armstrong for the info. Ben also has instructions to make Virtual Server work on the Release Candidates of Vista. 


This post originally appeared on my technet blog.

October 16, 2006

Why Vista was delayed …

Filed under: Uncategorized — jamesone111 @ 11:31 am

I’ve mentioned previously that I’m coveting the new Pentax K10D – sadly Pentax have pushed the release back a few weeks, either because they have so many pre-orders for them that they want to produce some more, or perhaps because finalizing the camera and getting into production took a little bit more work than they expected.

This is not unusual, it seems to be human nature to under estimate the time it takes to do something. Stories abound of government IT projects which are late. I keep reading about delays to the airbus A380. Sony’s playstation 3 has had its availability pushed back, the 3G phone I was expecting has been deferred. Windows Vista looks like it will ship in the timeframe we gave back in the spring … but that was a postponement of a date that had already been pushed back.

Catching up on some reading over the weekend I read about a change we’ve put into Minesweeper for Vista: not simply the nicer graphics (which bump it’s memory use up). Some people find a game that involves treading on mines very distasteful and have said so, therefore the game now has 2 modes – don’t step on the mines, and don’t step on the flowers (click game, change appearance).The link gives you some idea what’s involved with changing something apparently so minor.  

This post originally appeared on my technet blog.

October 13, 2006

Follow up to my post on power outages

Filed under: Uncategorized — jamesone111 @ 4:17 pm

I had this from a friend a few moments ago: I thought it was priceless  

From: David {Details removed
Sent: 13 October 2006 15:59
To: James O’Neill
Subject: Just read the blog


Just read about the power. Spare a thought for one of my team that sent a text from Cyprus today saying he might not make it back to the UK in time to go work on Monday as expected. It rained big time in Cyprus, two floors of his hotel got washed into the sea, and then it caught fire. They were evacuated so quickly that he didn’t get any of his stuff. So now he can’t come home as he hasn’t got a passport!!


OK, so 24 hours without Internet doesn’t seem so bad.

This post originally appeared on my technet blog.

Reliability… I wish.

Filed under: Uncategorized — jamesone111 @ 10:34 am

One thing that people who don’t live in Britain find hard to understand is how we can have such varied weather – to the point where it is a favorite topic of conversation – and yet find it difficult to cope with Sun / Wind / Rain / Snow. I live in a village within 5 minutes of a major town, but all it takes is a thunder storm and the power goes out. Interestingly although we can select the company which “supplies” our electricity, this relationship is just which company acts as a broker between us and the generator – the power lines remain the same. 

My friends in Microsoft Consulting Services like to talk about high availability as “3 nines” or “4 nines” or “5 nines”, meaning 99.9%, or 99.99% or 99.999% uptime. Since there are 8760 hours in a year, 99% uptime means you’re off line for 87.6 hours, 99.9% is 8 hours 45 minutes, 99.99% is 53 minutes of downtime, and the magic 5 nines is a little over 5 minutes downtime per year. My power goes off at least 10 times each year (in the winter it seems to happen at least weekly) – it’s usually back on within a couple of hours, but the power reliability is significantly less than 3 nines.

A thunderstorm on Wednesday took out the power to the village, and I came home to find that my cable modem  service had not come back up properly. This morning it still hadn’t come on line, so I called the infamous “customer service” department of the cable company. The first thing that happens is they ask you to key in your phone number. Why can’t their system read caller line ID (from a phone on their network) ? Having gone through that they tell callers to redial a national rate number if they have a broadband problem – why can’t they just get me to push a button and connect me. The broadband problem line was closed: why didn’t they put the hours on the first message ?  I called back to get another announcement of the numbers to call if this wasn’t a broadband issue, once that had finished, other announcement tells me they’re very busy and to call back later if I didn’t want a long wait (again why couldn’t that come first !) .

What amazed me was how much I depend on my broadband connection, not just for work but for entertainment in the evening. With a poor evening’s viewing on telly the first half dozen things I thought of all needed an Internet connection; which is just a bit worrying…

This post originally appeared on my technet blog.

October 10, 2006

Windows 2003 Datacenter with unlimited virtualization rights

Filed under: Virtualization,Windows 2003 Server — jamesone111 @ 2:28 pm

I mentioned a few weeks ago that we were making Windows 2003 Datacenter server available outside of the high availability programme. It is now on the price list Volume license customers. If you have a volume license agreement, you buy Datacenter as a free standing product. It comes with the rights to run an unlimited number of virtualized servers.

Technorati tags: ,

This post originally appeared on my technet blog.

Vista RC2 now on TechNet and MSDN subscriber sites.

Filed under: Beta Products,Windows Vista — jamesone111 @ 2:24 pm

If you have a subscription to MSDN or to Technet , you’ll be pleased to know that RC2 was made available on both sites overnight simply go to http://technet.microsoft.com or http://msdn.microsoft.com and click Manage My Subscription on the right hand side towards the top.  At the moment we have 4 languages – English, German, Japanese and Spanish – but only the 32 bit versions are posted at present.

This post originally appeared on my technet blog.

October 9, 2006

IE 7 is coming. Are you ready ?

Filed under: Internet Explorer,Windows XP — jamesone111 @ 5:08 pm

Back in July, we announced that that IE 7 for Windows XP will be pushed out using Windows update. Since IE7 is bound up with Windows Vista, the release of IE7 for XP will happen at about the same time as Vista releases to manufacturing. A few weeks after that it will be pushed out via Windows Update.

If you manage a large number of PCs, then you should be using Windows Server Update Services to manage updates and you can decide whether or not client PCs get the update. However if your PCs connect to Windows update directly, you should check to see if IE7 works correctly for any applications which are critical to you, and if not consider getting the IE7 update blocker

More information is available on the IE team blog


This post originally appeared on my technet blog.

Get Safe On-line

Filed under: Events,Security and Malware — jamesone111 @ 3:11 pm

Steve is off working on Get Safe On-line this week. The BBC reports a government sponsored survey released to coincide with the push says 21% of people felt most at risk of “net crime” compared with 16% who were most afraid of being burgled.

When I worked on last years campaign I drew parallels between feeling safe in your home and on line.

  1. Don’t let the bad guys just walk in… For your home, put locks on the doors, For your PC use a Firewall (Windows XP SP2, and Vista have them, but there are good ones available cheaply or even Free.)

  2. Bad maintainence can let them in… For your home, keep doors and windows maintained (it’s no good having locks if someone can push the doors in), For your PC Make sure you keep it up to date – use Windows Update.

  3. If the bad guys get in, sound the alarm… For your home, get a burglar alarm, For your PC use anti-virus / anti-spyware software. (Windows defender helps find malware, and there are good third party products, again some are free).

  4. Be on your guard when people visit… For your home, check callers before letting them in, For your PC be suspicious of mail that you didn’t expect. Did someone in Nigeria really choose you to help them get money out of Africa for a cut of the proceeds ?

  5. If the worst happens… For your home, insure your house and contents, For your PC Backup your information.

Now, the chances are the people who read this blog know that anyway. Spread the word.

This post originally appeared on my technet blog.

Virtualization event in Reading

Filed under: Events,Virtualization — jamesone111 @ 1:18 pm

I saw an event entitled Virtual Server: The Tip of the Iceberg appear on the list of forthcoming events and and got a bit panicky – as Virtualization is one of the things I speak on, and I didn’t know anything about it.

It’s an all day event on Tuesday Novemeber 28th, and a quick check revealed it was being delivered by my Architect colleagues; I will be attending to see what I can steal best practice in this area. Just follow the link above for a detailed agenda and to book a place.

This post originally appeared on my technet blog.

Vista Admin event in Manchester

Filed under: Events,Windows Vista — jamesone111 @ 1:01 pm

Not everyone can make it to Microsoft’s office in Reading for Technet events, so we’re taking What’s new in administering Windows Vista to Manchester next week – the afternoon Thursday 19th to be exact. The event is free – just click the link for more information and to register.

This post originally appeared on my technet blog.

October 8, 2006

Vista RC-2 availability

Filed under: Beta Products,Windows Vista — jamesone111 @ 3:43 am

We have put RC-2 on the Vista download site. It has not yet appeared on the MSDN and Technet member sites, although we have said it will do, so expect it to appear there in the next day or two.


This post originally appeared on my technet blog.

October 6, 2006

Tech-ed IT Forum: It’s a sell out.

Filed under: Events — jamesone111 @ 1:19 pm

I remember the first time I saw the comedian Eddie Izzard perform live, he walked onto the stage in Oxford, and looked around the audience. There wasn’t a single empty seat. He said “I’ve sold out! People always say ‘Stay true to yourself and never sell out’ but I say NO!!! ”

It’s one of a few comedy lines which comes to me like some kind of Pavlovian reaction, and I had this in my email this morning.

Tech Ed: IT Forum is a complete sell out. In total 4.500 people will attend the conference and the expo hall with sponsors and exhibitors is also sold out. This evening we are closing the public registration.

Wow, sold out six weeks ahead of time. It’s obviously popular this year. I’ll be there, I might do a turn in the ask the experts area. But my main job is to recording for virtual Tech-ed. I’ll post the links for that in due course … but we’ve been interviewing some of the content owners and the folks who put the event infrastructure together. If you’ve booked it looks like it’s going to be great event. If you haven’t booked you’ll have to watch Virtual tech-ed.


Technorati tags: ,

This post originally appeared on my technet blog.

October 5, 2006

Vista RC-2 heading into view

Filed under: Beta Products,Windows Vista — jamesone111 @ 3:36 pm

It looks like someone has been giving Paul Thurrott some internal emails again. We have the build which we think will be RC2 – 5744. Numerologists will note that we have moved on 144 – a multiple of 16 – from RC-1, which is 5600. (See my explanation of build numbers spurred on by Paul).

I’m running 5728, which has some noticeable improvements over RC1. 

We seem to have been incrementing the builds in steps of one over recent days, and there were builds numbered 5743.0 and 5743.1. Paul suggested that we were going to release one of those, but have switched to 5744. The minor build number for 5744 is 16384, which normally indicates a build we think we may release…

RC2 will be on the Technet and MSDN sites soon after the build is judged “fit”. Watch this space.

This post originally appeared on my technet blog.

Blog at WordPress.com.