Saturday, December 20, 2008

Don't Rely on Password Managers to Keep you Safe on Untrusted Computers

In my previous post on password managers, I concluded that they can help you by "remembering" strong, hard-to-guess passwords for your different online accounts (or for other personal information). Actually, though, I started investigating these programs with a specific need in mind: to find a way to use my private accounts on untrusted computers such as public computers (airports, libraries, cybercafes) or your friend's computer if you aren't sure about the security it has.

In my post "Danger Ahead: Using the Cybercafe," I talked about the dangers of public computers, especially the fact that they can capture what you type including your user names, account numbers, and passwords, then pass that information along to cybercriminals. What good is a cybercafe if I can't trust it enough to log into my email account, for example? I looked into the password managers hoping that they would protect my information on public computers, but unfortunately my conclusion is that they do not. There is a ray of hope in another sort of solution, kyps, which I will mention later.

Can Password Managers Keep you Safe on Untrusted Computers?

Short answer: no. You should not use your personal data on an untrusted computer, even by way of a secure password manager. The kyps approach is more promising, but using your own (clean) computer is still the safest.

Long answer: no, though a password manager might reduce the risk somewhat. The problem in a nutshell is that, in principle, an untrusted computer can do anything with the data that goes through it. Theoretically, for example, someone could design a program from scratch that looks and acts just like Windows but also stores and forwards all personal information to the RBN (Russian Business Network) or other cybercrime center. There is simply no way to make an untrusted computer into a secure one.

Passpack is one of the two online password managers I reviewed. When I asked the company about this issue, this is what they said:

Yes, you're absolutely correct. The decrypted pack is used by (thus temporarily stored in) the javascript DOM. So any application that can access that DOM, can access the information stored in the decrypted pack.

As you noted, local memory is an issue with any program, online or off. Unfortunately, for as much as we can do to protect your account, you need to make sure you are on a clean computer. We have written one post to this effect here:

If I understand correctly, since Passpack stores your data in a single pack which it decrypts on your local computer, not only the passwords you use in a session but all your data is exposed this way, which would be dangerous on an untrusted machine.

Security expert Keith Bergen says,

In order for the passwords to be transmitted they have to pass through memory unencrypted so after they're sent to the other side the site can run a hash (md5, or whatever) against the plain text password to compare it to the hash that it stores. There are a few pieces of software that will look for passwords in memory as that is one of the best places to lift them from. ...

There are methods of stripping out the local SSL cert that your computer uses to initiate the SSL communication with the server and to copy and decode all SSL traffic that is sent to and from your computer. There are many Linux programs that do this and I have heard of some Windows implementations as well.

Bergen goes on to say that the practical implications of these issues are less clear. Even though methods exist to steal your credentials in these ways, we don't know how widespread they are. One thing is sure, though, and that is that the cybercriminals are sophisticated, motivated and bright. If it becomes cost effective for them to steal your identity in this way, then they will. So, although some of these managers may in some cases be better than nothing, their security is not something to, so to speak, put your money on. (And note that they may be worse than nothing as in the case of Passpack).

The author of kyps, Andreas Pashalidis, also discusses the risks of using password managers as well as other methods of trying to make a public computer safe. He points out that malware on the computer might not only capture your passwords, but also corrupt the data on your flash drive (if that's what you use) or infect the drive with malware making it unsafe to use even on your own computer.


In the end, I would not want to use any password manager on an untrusted computer, that is one that I am not reasonably sure is free of malware. In a situation where I had no alternative but to use an untrusted computer (suppose I was dying and stranded in a Somali village with no cell phones but with a cybercafe), I would either type in the credentials by hand or use a password manager, then change them as soon as possible and watch for any suspicious activity. However, there is a better approach, which is kyps, discussed in the next post (or just go there and have a look).

Friday, December 19, 2008

A new blogging platform for Africa: Maneno

Yesterday, reading, I was alerted to the existence of a new blogging site for Africa: Maneno (which means "words" in Kiswahili). By "blogging site" I mean something like Blogger or WordPress, a place where anyone can create a blog. What is the point of a new site or platform when other good ones are available? There are several advantages:
  • The site is designed from scratch with the goal of making pages load fast over the slow connections that most of us have in Africa. There really is a noticeable difference.
  • The site is easy to use. (Actually, I'm not sure it's any easier than Blogspot, but the authors are working to keep it simple.)
  • Maneno is multilingual. Other sites do allow you to type your blog entries in your own language, but Maneno has the added feature of an easy interface that lets any member translate any blog post into another language, sort of a communal approach to making the entries themselves available in other languages. Of course, it's the African languages that are the focus.
  • Maneno recognizes that many users in Africa do not have access to a computer, so the site is exploring ways to allow people to access it through mobile phones and other relevant technology. (Blogspot also allows posting by mobile phone & email ... will Maneno be better in some way? Probably it at least will be slimmer.)
  • Maneno is focused on Africa. Unlike Blogspot, which is a place for any and every type of blog, Maneno is more topical, describing itself as striving "to provide a communication and development platform for Sub-Saharan Africa."
If you live in Africa and write about life and culture here, or if you're interested in reading the blogs and commentaries of those who do, you should definitely have a look at Maneno.

Sunday, December 14, 2008

Password Managers: Brief review of three good products


PassPack list of passwords and automatic logins

In two previous posts (here and here), I looked at the security problems of using a public computer such as one at a cybercafe. Living in Africa, and in a country whose name is almost synonymous with scams, we need to be especially cautious. On the bright side, of course, there are probably fewer people in Nigerian cybercafes with bank accounts worth the effort of cybercriminals, but that is not very reassuring.

The basic problem of public computers is that they could contain any kind of malware, including the kind that can copy your login credentials (user name and password) and send them off to cybercriminals who can then use them, for example, to log in to your bank or email account. Not a happy thought.

Enter the password managers. These programs let you store your passwords safely somewhere where others can't read them. The passwords are encrypted so that only you can get to them, with some "master key" that you know. This lets you use different, high quality passwords on your sites without being burdened with remembering them all. This in itself is quite useful, without even considering the issue of public computers.

Perhaps the biggest security problem with most people's passwords is that people tend to use easy, guessable passwords and the same password for many accounts. This is natural, since it is hard to remember different, long passwords (or better, passphrases) for each account. A password manager can generate a long, random password for you, or store the password you choose, so that you don't have to remember it.

In the past couple of weeks, I've looked at three highly-rated password programs: RoboForm, PassPack, and Clipperz. RoboForm stores your passwords on your own computer or flash drive, while the other two store them online.

I have tried mainly the portable RoboForm, called RoboForm2Go, which stores the program and encrypted passwords on a flash drive. This gives me access to the passwords both at home and at work; I could also use the same flash drive on a friend's computer, another computer at work, or a public computer with an available USB port and have access to the passwords without installing any programs or data onto the other computer.

All three of the programs I tested were fairly easy to use, but I think that RoboForm was the easiest. The program sits in the background and automatically offers to memorize the credentials any time you open a new login page or any page with forms to fill in. The next time you open the page, it offers to fill in the fields automatically.

RoboForm Passcard Editor


How is this different from the automatic password retrieval in Firefox and Internet Explorer? First, with RoboForm2Go you can carry your passwords with you rather than their being stored only on your computer. Second, RoboForm2Go can store many pieces of data besides your user name and password, including first and last name, phone number, address, email addresses, and so on. At your command, it will fill in as much of any form as it can using these stored values. You can store different profiles and identities if, for example, you want to have one set of information for your work and another for your personal life.

Clipperz and PassPack both store only your encrypted passwords online. The advantage is that this gives you access to them from any Internet-connected computer. On the other hand, you need to trust either service enough to enter your passwords on its web page. For that matter, you have to trust RoboForm in the same way. Since all the companies have been around a while and appear reputable, this seems reasonable. Assuming the companies do what they claim, your decrypted passwords never even exist on ClipperZ or PassPack; the only thing that gets sent to the server is an encrypted package.

ClipperZ Login form

With either online service, to retrieve your passwords or to log in directly to a protected site, you first open your Clipperz or PassPack account with your master password. The master password should be strong so that no one else can access your account. PassPack adds a layer of protection by using two master keys: one to log in to your account and retrieve the encrypted package, and a second key to use on your own computer to decrypt the package. This means that even someone who breaks your PassPack account password and steals your encrypted package will not be able to decrypt it. It seems to me that if your master password is strong, then the added security is not that important; no one could open your account by a brute force attack, and anyone who manages to steal one password (e.g. with a keylogger or looking over your shoulder) may just as easily steal two.

Although the two work a bit differently, in essence both Clipperz and PassPack send you your encrypted package and then your own computer performs the decryption to extract the actual passwords or other data. Assuming that you have chosen an unguessable master password to unlock all the others, the only significant risk to your data is the risk that exists on your own computer: that's the only place that the unencrypted passwords ever occur.
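To make the client-side decryption model concrete, here is an added example (it is not Passpack or Clipperz code, and the key derivation, blob format and function names are assumptions chosen for illustration). It compares the two storage layouts listed under Distinctive Features, one package for everything versus one "card" per entry, and reports how much ends up as plaintext in local memory for a single login, which is the exposure the Passpack reply quoted in the December 20 post describes:

```javascript
const crypto = require('crypto');

// Derive two independent 256-bit keys from the passphrase that never leaves
// the client: one encrypts entries, one computes opaque card identifiers.
function deriveKeys(passphrase, salt) {
  const material = crypto.scryptSync(passphrase, salt, 64);
  return { encKey: material.subarray(0, 32), idKey: material.subarray(32) };
}

// AES-256-GCM with a fresh nonce per blob (confidentiality plus integrity tag).
function seal(encKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null if the key is wrong or the blob was altered.
function open(encKey, blob) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', encKey, blob.iv);
    decipher.setAuthTag(blob.tag);
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Opaque identifier so the server does not learn entry names (an assumption
// of this sketch, not a statement about how either service names its cards).
function cardId(idKey, name) {
  return crypto.createHmac('sha256', idKey).update(name).digest('hex');
}

// Layout 1: every entry inside one encrypted package.
function uploadAsPack(keys, entries) {
  return { blobs: [seal(keys.encKey, JSON.stringify(entries))] };
}

// Layout 2: one encrypted blob per entry, fetched as needed.
function uploadAsCards(keys, entries) {
  const cards = new Map();
  for (const [name, secret] of Object.entries(entries)) {
    cards.set(cardId(keys.idKey, name), seal(keys.encKey, secret));
  }
  return { cards, blobs: [...cards.values()] };
}

// What one login costs on the client: the secret asked for, plus the names of
// every entry that had to exist as plaintext in local memory to get it.
function loginFromPack(keys, server, name) {
  const all = JSON.parse(open(keys.encKey, server.blobs[0]));
  return { secret: all[name], plaintextInMemory: Object.keys(all) };
}

function loginFromCards(keys, server, name) {
  const blob = server.cards.get(cardId(keys.idKey, name));
  return { secret: open(keys.encKey, blob), plaintextInMemory: [name] };
}

// True if any stored blob contains the secret's bytes in the clear.
function serverHoldsPlaintext(server, secret) {
  return server.blobs.some((b) => b.ct.includes(Buffer.from(secret, 'utf8')));
}

// Constructed sample data; none of these are real credentials.
const ENTRIES = { webmail: 'correct-horse-1', bank: 'battery-staple-2', forum: 'tr0ub4dor-3' };

function demo() {
  const salt = crypto.randomBytes(16);
  const keys = deriveKeys('a long master passphrase', salt);
  const wrong = deriveKeys('a stolen login password', salt);
  const pack = uploadAsPack(keys, ENTRIES);
  const cards = uploadAsCards(keys, ENTRIES);
  return {
    packLogin: loginFromPack(keys, pack, 'webmail'),
    cardLogin: loginFromCards(keys, cards, 'webmail'),
    serverLeak: serverHoldsPlaintext(pack, ENTRIES.bank) || serverHoldsPlaintext(cards, ENTRIES.bank),
    wrongKey: open(wrong.encKey, pack.blobs[0]),
  };
}

console.log(demo());
```

Neither layout protects the passphrase itself: once it is typed on a machine with a keylogger, every blob it protects can be decrypted.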

RoboForm direct login

All three of the programs (RoboForm, PassPack and Clipperz) allow you to select a service from your stored list and log in directly, thus functioning as a collection of bookmarks as well as passwords. RoboForm, which by default adds its toolbar to your browser, lets you click on the login button then select the page you want to navigate to, where it logs you in after entering your saved credentials.

All three programs also let you save notes in the encrypted entries, so you can store your account numbers, credit card info, phone numbers, or whatever you want. PassPack, for example, provides a note field for each entry (figure at right). Clipperz lets you choose from a variety of "cards" pre-formatted for your bank account, credit cards, address book and so on, or you can define your own fields as well as using the Note field that's included in each card.

Both of the online password managers allow you to copy your encrypted data to your own computer so that you can access it without an Internet-connected computer. Their methods are different, with PassPack using separate programs that require either Adobe Air or Google Gears to run, while Clipperz downloads a large HTML file which you open in your browser just as you do the online version.

Distinctive Features


RoboForm

  • Runs from your own computer or a flash drive. You need a separate license ($) for each computer and each flash drive, though package discounts are available.
  • Fills forms of all kinds from data you store in "identities".
  • The easiest of the three to use when saving new login information.
  • Paid version lets you store separate profiles and identities.
  • Free version limits you to 10 passwords and 2 identities after 30 days

PassPack Edit Entry Window

PassPack

  • Stores your encrypted data online
  • Two-passwords: one to access your account and another to decrypt your data.
  • Although they cannot retrieve a forgotten decryption password, PassPack staff can roll back your account to use your previous password if you remember that one.
  • Stores and retrieves your data as a single package; updated or new entries are not saved until you click a button to save the package back to the server.
  • You can reach any of your entries quickly, even if there are many, by typing the beginning of the name into the search box.
  • Free version limits you to 100 passwords (but you could open multiple accounts); yearly fee of about $15-20 for unlimited account.
  • Small but growing company, with the responsiveness and accessibility that comes from that.

Clipperz

  • Stores your encrypted data online
  • Stores and retrieves your data as single "cards" as needed; updated or new entries are saved automatically.
  • Freeware (donations accepted), unlimited passwords
  • Not commercial; future development status uncertain, though product is fully-functional as is.

Which is best?

All three of these are good programs, and I think would be quite usable for most people. I found RoboForm to be a little more convenient than the others, but it's not free. I do not think that there is much difference in features and usability between PassPack and Clipperz, though I've only used them for a few weeks. Since all three programs are either free or have free versions, you will probably want to try them out for yourself to see which you prefer. There is no question that any of them will make your life easier if you want to follow good security practices and use strong, different passwords for your various accounts.

Will they protect you on a public computer?

This is a question I will discuss in the next post. The short answer is that while these products probably decrease your risk on a public computer, they do not eliminate it. There is one more service, however, called kyps (keep your password safe) that works quite differently and might be considered safe for use on a public computer.

Features Summary

Price Multiple
Ease of Use Offline
Access from any Internet-connected computer Quick lockout
RoboForm $30 ($40 for flash drive version) Yes +++ yes no with flash drive version yes
PassPack 100 entries free; $15-$20/yr for unlimited version No (but can use multiple accounts) ++ yes yes yes yes
Clipperz Free No (but can use multiple accounts) ++ yes yes yes yes

Import/Export features

CSV HTML/ Printable KeePass RoboForm Password Plus Printable JSON

PassPack E/I E

Clipperz I E I I I E E/I

RoboForm lists export options as Firefox bookmarks and Internet Explorer favorites. Importable files are Firefox Passwords, Outlook contacts, and various favorites and bookmarks. There does not appear to be an option to import/export arbitrary data with passwords, but I have not researched this beyond looking at what the Import and Export buttons on the menu do.

I welcome any corrections to this review as well as different viewpoints and suggestions of different products to consider for the job.

See also

PassPack and Clipperz, head to head

Addendum and corrections arising from comments

"Also, while not native support, there is also a way to run Passpack off of a USB drive. It uses Passpack's Offline version + Google Gears + Portable Firefox:"

Tuesday, December 9, 2008

Bluetooth inventor needed for aging Baby-boomers

OK, I'm not that old yet, but along with however many million other baby-boomers, I'm moving along the timeline. I already notice it's a little harder to hear sometimes: my son tells me my phone is ringing, and I have trouble hearing people in noisy conditions or in rooms with poor acoustics.

I'm already getting unhappy in big gatherings like our monthly potlucks with loud background music, when I can't hear people talking, or, rather, can't understand what they're saying. I know I'm not the only one, since others voice the same complaint. So, my idea is, why not invent a Bluetooth system that lets you use those in-the-ear phone thingies to talk to the people around you in noisy gatherings? Since the technology is already in place (phones, ear adapters, tiny Bluetooth transceivers and so on), it seems that it could actually work.

Bluetooth would work well for talking with the people nearby because it has a limited range and you wouldn't be hearing everyone in the room. Some kind of selection mechanism would be needed, perhaps, or maybe it would be more natural just to be able to hear everyone in a defined range as in normal conversation.

Meanwhile, my sister suggests I should take up sign language. Sounds like a good idea to me!

Wednesday, November 26, 2008

Will a password manager let me check my email in a cybercafe?

In my last post, I said that it's basically impossible to know you're safe when using a public computer to access password protected sites (including your email), since your account information including password could be captured by a keylogger. Now I'm trying to find out if password managers provide enough security to let me go ahead and log on to my gmail account or even my bank account (now that won't happen any time soon!).

Secure password managers such as RoboForm, PassPack, and ClipperZ may allow us to safely access our password-protected accounts on a public computer. It seems to be generally accepted that they do provide protection. I'm trying out the three products above (all have a free version) but will avoid putting any financial or really important passwords online until I find out more.

These products all work by encrypting your passwords so that no one else can read them, then storing them somewhere. Offline password managers like RoboForm store your encrypted data on your own computer or a flash drive that you can take with you to another computer. PassPack and ClipperZ are online password managers. They save your encrypted passwords (and only the encrypted form) online so you can retrieve them from anywhere you have internet access. They also give you a way to save the information on your own computer for when you don't have a connection.

It sounds quite promising and the products are well-established. I just want to learn a little more to be sure that there aren't any known ways that malware could copy my passwords even if I don't physically type them.

Saturday, November 22, 2008

Danger Ahead: Using the Cybercafe


Using a public computer is risky business and cannot be made safe for entering or reading sensitive information, including accessing your email account. You must consider the risks and benefits in any situation. The best alternatives in a cybercafe are to use a secure laptop (preferably your own), or to boot the public computer from a live Linux CD or flash drive.

We all know that net cafes are not ideal and that they have security issues. Sometimes, though, there doesn't seem to be a good alternative. Maybe you're traveling and don't have any other way to connect. Maybe you have a home connection but it has been down for several days. Whatever the reason, you may find yourself in a cybercafe.

If you read no further, just remember this one point: never enter or access any personal or confidential information on a public computer.

Personal data that you must not enter or access includes

  • Bank information, account numbers, credit card numbers and so on
  • Personal identifying data such as date of birth, social security, drivers license, passport, national id, mother's maiden name, or phone number
  • Email accounts and passwords
  • Any other user names and passwords

This might seem too extreme, especially when you realize it will prevent you from even accessing your email. You must realize, though, that there is nothing you can do to make that public computer completely safe. Anything you type or view could be stored or transmitted to people who would love to add your information to their files. This danger is no longer an occasional problem, but common and serious.

Even if you boot from your own CD or flash drive (see below), anything you type could still be captured by a hardware keystroke logger.

Besides the risk of your personal data being captured, there is also the risk, or inevitability depending on the location, of your flash drive being infected with malware if you insert it into a public computer. Always use a clean computer with an up-to-date virus and malware scanner to clean your flash drive after using it in a cybercafe (or, for that matter, in any computer).

What to do?

Balance the risks and benefits

As in any situation, you should always balance risks and benefits. If you access your email on a public computer, there is a risk that your email account will be compromised. That means someone could gather the addresses of your contacts, email them from your own account, send spam under your name, view sensitive information (financial records, orders, addresses ...), and potentially steal your identity. That's a pretty big risk.

On the other hand, if you access your email account on a public computer in a "reputable" cybercafe and can then change your password soon afterward on a secure computer, the risk would be decreased. My own assessment of that risk-benefit balance for this case would be that (a) I would only want to take the risk if it was very urgent to access my email and (b) I would try other alternatives first: SMS messages, phone contact, or whatever I could think of.

Use your own laptop

If it's possible to connect your own laptop at a cybercafe, you will avoid the problem of all the malware that could be on a public computer. Needless to say, you won't want to do this unless your own laptop is well protected with at least a software firewall (like the one built into XP and Vista, or an add-on) and an up-to-date antivirus program. (There are portable hardware firewalls available that plug into your USB port. But you can probably do almost as well with free software.)

Use a Linux Live CD

Using a Linux live CD or flash drive, you reboot the public computer from your own copy of Linux designed to run only in memory. The hard drive is not used and does not even need to be present. This means that drive infections are no longer a risk.

It's easy to make such a CD; you just download the file (called an iso image) and burn it to a CD or DVD. See the good article, Why you want a Linux Live CD, for some more information, or just google "Linux Live". Many current Linux installation CDs will work as well. Ubuntu (~ 700 MB) and Slax (~ 200 MB), are two examples. As these are large downloads if you have limited, expensive Internet access, you may want to copy a friend's disc or get someone to send you one (Ubuntu will mail you a free copy).

Don't be scared off by the word "Linux," either. You need no experience with Linux to use these. Just boot the computer from the CD or flash drive, and you'll see a familiar desktop with a web browser (usually Firefox), text editor, and others depending on the exact version.

Limitations of Linux Live
  • The computer must be configured to boot from a CD or flash drive. If it is not, a co-operative cybercafe manager may be able to set it up for you (or you could do it yourself if you know how).
  • While web browsing is almost always supported, it may be tricky to connect to the cafe's printer. But you could save what you need to a flash drive and print it later.
  • Hardware keyloggers could still intercept your typing. These are devices intentionally installed between the keyboard and main computer box; I have no idea how common they are but certainly much less common than malicious software.

If you have no other alternative ... making the computer safer

It's important to stress that you cannot make the public computer safe. You can only reduce some of the risk. Kris Littlejohn lists and explains "10 things you should do to protect yourself on a public computer" including:

  • Delete your browsing history
  • Don’t save files locally
  • Don’t save passwords
  • Don’t do online banking
  • Don’t enter credit card information
  • Delete temporary files
  • Clear the pagefile
  • Reboot
  • Boot from another device
  • Pay attention to your surroundings and use common sense

Apart from booting from another device, as I discussed above, none of these measures will stop keyloggers from spying and reporting on everything you type. As long as you don't type anything sensitive, you'll be fine, so these precautions would help in a situation where, for example, you need to print an existing document with sensitive information, since you wouldn't be using the keyboard. And they will help in a situation where there happen to be no keyloggers or other malware intercepting what you type.

Wednesday, June 25, 2008

Shooting themselves in the foot? Blocking customers from your website.

Why do some sites make it so hard to do business with them? Is it because they want customers hardy enough to jump through the hoops? Perhaps if the customers prove their stamina and cleverness by making it through to order a product, they will be the ones less likely to need support?

I've gotten some good deals from, so it is taking me longer than usual to give up on them. My first bad episode was when I ordered a laptop, got the confirmation, then the next day got a message that the order was canceled--seems they didn't like my being in Nigeria even though the order was paid from and shipped to the US, as well as sealed by one of those "prove your identity" credit-card pop-ups. However, their customer service was very helpful and made sure that the order got filled eventually.

Turns out that one of the laptops I bought from them as a Vista system actually had been downgraded to XP, and badly done so that the right drivers were missing. Oh well, mistakes happen.

Now, though, I can't even browse their web site! Since switching our hospital system from transparent to non-transparent proxy (so that we can force user logins), I just get an error message on their site, "Sorry, but the activity from your computer has tripped an alert on our server. This maybe because you are using some form of web browsing accelerator software. If this is the case, please disable this software while browsing our site." There is a bypass -- type "GO" and press the button, be patient for a 30 second delay -- but it doesn't work.

Now, is this business really so swamped by bots or web accelerators or whatever that it can't manage, and has to block legitimate customers? Are they so far above their competitors that they can afford to annoy their customers and actually ask them to disable their web browsing accelerators? Since those possibilities are hard to accept, I can only conclude that TechForLess is trying to screen out customers who don't fit their mould, who might just say "oh well" and go on to NewEgg where at least they can start shopping. TechForLess is by no means unique ... at least for international shoppers, there are many other businesses that seem more interested in keeping us away than in getting our business.

For ease of international shopping, I have to give the prize to Amazon. In fifteen years and with hundreds of purchases on Amazon, I have never had a problem. If I want to ship to a new address, no problem. If my IP address is in Nigeria, or Kenya, or South Africa, no problem. No surprise cancellations, no denied credit cards, just good service (ok, now and then a little problem, but 99% good).

Friday, June 20, 2008

Broken Bridges

We still remember Bevelyn's restaurant here in Jos as the "Broken Bridge Restaurant," since through the '90s it featured the beautiful mural shown on the right, of a long bridge (across San Francisco Bay??). As you can see, there was one small problem with the way the panels were placed, thus giving the restaurant its nickname.

That name has been going through my mind in the past couple of weeks as I've spent nearly half my time dealing with a certain type of network problem, the kind where you're on one side (usually the wrong side) of a broken bridge.

The problem is, you have to have both sides of a communication bridge working properly if they're going to function. When there is a breakdown in a local setting such as an office, it's not much trouble to go from one end to the other to sort out the problem. But what happens when one end of the bridge is a block or two away at another site, and there is no one there to help (and no good way to communicate even if there was someone)? The result is a lot of walking back and forth, trying one thing on one end, something on the other end, until the two sides can talk together again, to mix my metaphors.

Worse yet, our internet connections via satellite have broken down twice recently, both at Evangel and the SIM office. The network technicians could not solve or even diagnose the problem from their side, so I spent many, many hours following their instructions given over a barely intelligible cell phone, waiting and waiting to see what happened next, reporting back, and so on. If only we had the luxury of two connections, so that we could use the working "bridge" to get to the other side of the broken "bridge" and fix it.

In yet another metaphor, I'm learning (trying) to pay attention to which part of the branch I'm sawing off -- the part I'm sitting on or the far end. It's always tempting, when working over a remote connection, to change something and hope that it will work. It's often a risk worth taking, but sometimes I fall with the branch.

Suppose I am working over a wireless bridge, with one end in the office and another across the street, and I want to reconfigure the radios to talk to each other in dialect Y instead of dialect X. I have to first tell the far radio to change to language Y, then tell the local one to make the same change. If it works, fine. If it doesn't, I've sawn off the branch I was sitting on. I can change the local radio back to the way it was, because I'm connected to it, but the far radio is now dangling in never-never land--"I'm not hearing you, I'm not hearing you!" I have to walk to wherever it is and directly connect to it, to tell it "never mind, we'll stick with dialect X."

A simple solution, which I've never seen or heard of being actually implemented, would be for the radios to have a trial period whenever you make a change that might break the connection. In effect, the radio would say, "OK, I'll switch to dialect Y, but if I don't hear from you in 5 minutes, I'll assume that this didn't work and I will go back to dialect X." Operating systems like Windows do that when they change your graphics settings, with a button that says "Click to accept these settings, or I'll revert in 30 seconds." That saves you from the problem of having a totally messed up display and no way to change it back. Alas, with all their amazing technology, wireless network devices don't seem to have figured this out. But then, many don't even allow you to save and restore the settings that it took you so long to figure out.
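The trial period described above can be sketched as a small state machine. This is an added example, not code from the post or from any radio vendor: the `Radio` class, its method names and the injected clock are hypothetical, and the 300-second window is the post's "5 minutes".

```python
class Radio:
    """Constructed model of one bridge endpoint with a trial period."""

    def __init__(self, dialect, clock):
        self.dialect = dialect      # setting currently in use
        self._clock = clock         # injected time source, in seconds
        self._saved = None          # setting to fall back to
        self._deadline = None       # when the pending trial expires

    def trial_change(self, new_dialect, trial_seconds=300):
        """Switch now, but remember the old setting until confirmed."""
        if self._deadline is not None:
            raise RuntimeError("a trial is already pending")
        self._saved = self.dialect
        self.dialect = new_dialect
        self._deadline = self._clock() + trial_seconds

    def poll(self):
        """Run periodically on the device; revert an expired trial."""
        if self._deadline is not None and self._clock() >= self._deadline:
            self.dialect = self._saved
            self._saved = self._deadline = None
            return True
        return False

    def confirm(self, peer_dialect):
        """Keep the change only if the peer reached us in time."""
        self.poll()                 # a late confirmation must not count
        if self._deadline is None or peer_dialect != self.dialect:
            return False
        self._saved = self._deadline = None
        return True


def reconfigure_bridge(new_dialect, link_ok_on_new):
    """Change the far end first, then the local end, as in the post."""
    now = [0]
    clock = lambda: now[0]
    far, local = Radio("X", clock), Radio("X", clock)
    far.trial_change(new_dialect)
    local.trial_change(new_dialect)
    if link_ok_on_new:              # the two ends can still hear each other
        now[0] = 10
        far.confirm(local.dialect)
        local.confirm(far.dialect)
    now[0] = 301                    # just past the 5-minute window
    far.poll()
    local.poll()
    return far.dialect, local.dialect
```

When the link fails on the new setting, neither end receives a confirmation, so both fall back to dialect X on their own and nobody has to walk to the far radio.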

As I finished writing this and sat wondering what the point was, it struck me that the greatest broken bridge story is the way God relates to people. He created a perfect world, including people, and loved his creation wholeheartedly, especially the people, but then they went and broke the relationship, the bridge. In the end, no kind of remote troubleshooting would do, and God put on his shoes and took a long journey to the other side of the broken bridge, to a zone barren and devastated by the long loss of contact. It cost his life, but the bridge was restored.

(cross posted from my main blog)

Wednesday, January 9, 2008

Top Ten Reasons for Switching to Vista

Since I needed a new computer, I left my old laptop in Nigeria and had a new one waiting for me when I got to the US in early December. I intended to use Windows XP on it, but as it would cost more to order that way (i.e., more than getting it with Vista installed), I was going to use my personally-licensed XP Professional on the new one. Some complications prevented me from making that switch, so I have been using the pre-installed Vista. I'd like to share what I see as the top ten reasons why you, too, should upgrade to this new operating system.
  1. You're having a quiet vacation and need something to do.
  2. You're getting bored of the stability of Windows XP or your Mac, and want to try something more challenging. You like an interesting OS that keeps you guessing what will happen next, or you miss the fun of lockups and reboots you used to have with older versions of Windows.
  3. Your current computer is running too fast, not giving you enough time to make and drink your coffee.
  4. When you try to run a program, you'd like your system to ask you if you really want to run the program.
  5. You'd like to have Google desktop, but don't want the bother of installing that free program. Plus, the Vista version has a picture puzzle you can play with.
  6. You need an excuse to pay to upgrade to the latest version of your programs (otherwise, some won't run on Vista).
  7. All your friends will laugh at you if you stick with XP (actually, they're jealous).
  8. You've got to have transparent menus and windows (though for this, I think, you'll need more than Vista Home Basic ... so be ready to pay a little more).
  9. You need a way to use all those dozens of gigabytes of memory you have installed on your new machine.
  10. You want to show Microsoft your support and appreciation.
Seriously, I'm quite convinced that Vista is a superior operating system, at least for businesses. Hopefully in a year or two the bugs will be worked out and it will be ready for me to try again. Meanwhile, when I get back to Nigeria, I'll be dusting off my XP Professional CD-ROM and starting another re-install.

(BTW, don't tell me to try Linux. I've got that installed also, in the Ubuntu flavor, but I still have too much invested in software and experience to abandon Windows.)