Archive for December, 2005

The Chair To Keyboard Interface

December 30, 2005

The Chair To Keyboard Interface, aka the CKI, is the most essential component in the setup and use of your computer system. A corrupt, or improperly tuned, CKI can cause disasters. Fortunately, a CKI fault (aka PEBCAK) will not cause deadly results, as you might get with a similar fault while driving your car, for instance.

Computer systems are designed to be fault tolerant, in this regard. That does not, however, mean that you should freely operate your computer while heavily under the influence of various factors:

Your computer security, in the end, depends upon you. All the security programs on your computer are challenged, and possibly useless, when you go surfing to websites which you know you don’t belong on.

Common sense = CKI Optimisation = Protection.


Yesterday’s Security Alert

December 30, 2005



6/21 Do you shred your confidential financial documents? If you want to depend upon shredding to keep you safe, make sure you know the risks. E-Week Secure Your Shredding describes new technology that makes simple shredding not-so-effective.


6/19 Happy Father’s Day from your FTC. Don’t get hooked by the phishers.


6/16 Last month, I alerted you to how the bad guys are getting personal, in their attempts to deceive you. Now we see how personal, as SecurityFocus Phishers look to net small fry discusses how the phishers are targeting customers of the smaller credit unions and other small businesses. Since your account is in a small credit union that nobody would know about, you’re safe, right? Wrong. No longer going after Citibank customers, they’re going after customers of YOUR credit union. And maybe even YOU.

The good news is, software is being developed to look for deceptive email. And you’re getting smarter, too. At least, you read this column.


6/14 Bad news from the home front today. The experts have admitted that the bad guys are winning.

Citing examples like Glieder aka Bagle, and Mytob, SecurityFocus Stealthy Trojan horses, modular bot software dodging defenses provides the opinion that “the battle is one that the good guys are losing”, because money drives the bad guys now.

The attackers are well motivated–no longer by fame, but by money, said Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security and now an independent consultant.

Moreover, because the effort to clean an infected computer is much greater than the effort to infect one, PCs claimed by an attacker are much more difficult to restore to a user’s control, especially if the user does not understand security issues.

In other words, while the protection provided by Routers and Firewalls, and by AntiVirus and AntiSpyware products, is still an essential part of a layered defense, you cannot ignore the importance of Common Sense and Education.

Keep reading this blog, but bookmark the websites that I link. Start exploring those websites too – that’s where you will find the details that you need to protect yourself effectively. The future depends upon YOU.


6/13 A couple of weeks ago, I mentioned how insecure WEP is, and how easy it is to crack, and provided links to the Tom’s Networking WEP Cracking For Dummies, which is now in 3 parts (links to parts 2 and 3 in the referenced article).

Now an unknown benefactor (we think), calling himself Digi, has thoughtfully made WEP Cracking For Dummies: The Video where you can watch an entire WEP crack being done before your very eyes. You may not totally understand it the first time you watch, but you can at least catch the gist of it, and see how simple a WEP crack is to execute, with the right tools.

The example shown uses packet injection, which is an active attack. A properly monitored WLAN would detect a packet injection attack in progress, but the only real remedy upon detecting one is to shut the WEP network down and upgrade to WPA. A passive attack, which only listens until enough encrypted frames have been captured, would be undetectable, but would take a bit longer.

It’s a 25M Flash file, so if you have a slow broadband connection, give it a few minutes and get a cup of coffee while it loads. But it’s worth the time spent to download and watch it. Excepting a few typos, it’s pretty well done, with good captioning and editing; total watching time is less than 5 minutes. The Flash control provides good video manipulation; besides the standard Play and Pause, you have a slider which lets you (with the video paused) move back and forth one frame at a time, to more easily watch any portion of the process that interests you.

After you watch the video, check out SecurityFocus: WEP: Dead Again (published just 6 months ago), and compare the tools mentioned in that article to what is shown by Digi’s video.

Again, folks, if you have a wireless LAN with WEP for “protection”, upgrade to WPA. Tomorrow, if not today.


6/10 If you’re using software products to protect yourself against malware, as you should be in any layered defense, please be selective about what software you depend upon for protection.

Today, Eric Howes Rogue/Suspect List reached a dubious milestone, in that Eric has now identified 200 anti-malware products that you should absolutely not depend upon.

For those of you who aren’t familiar with Eric, he’s probably the #1 recognised expert, on useless and harmful anti-spyware products, in the world. Before installing any product that will clean your computer, or remove unwanted software, please consider his advice. And bookmark his website.


6/10 And the hackers keep up with current events. Just recently, hackers used rumours about Osama’s capture to spread their products. Now, a massive spam campaign is spreading rumours about Michael Jackson’s attempted suicide, and attempts to lure the unwary to a website which will download yet another botnet agent onto your computer.

In my accelerating opinion, using blogs will soon become the only way for friends to communicate about current events.


6/9 A couple weeks ago, I alerted you to the Mytob email worm. The earlier variants of Mytob would arrive as a simple email from a friend, with an attachment. When you would innocently open the attachment, it would infect your computer, and email itself to all of your friends. That’s almost too easy to identify – hopefully, any of you would look suspiciously at any email with an attachment, even if it came from me (especially if it came from me).

Well, the authors of Mytob have not been lazy – they’ve been diligently crafting new versions of their work, for your enjoyment. The Symantec database currently lists over 80 versions of Mytob, with more arriving daily.

The latest variants, according to SecurityFocus Mytob variant hides sting in the tail, have replaced the bulky attachment with a sleek and sophisticated URL. Now arriving in your Inbox crafted as a notice from your IT department or ISP, the message urges you to click on a URL to confirm your account. Just as in many phishing emails, the link text that you see hides a different URL underneath, one that takes your browser not to the apparent server belonging to your IT department, or your ISP, but to a server with malicious code that downloads Mytob to your computer. Your computer then starts distributing Mytob, as previous variants would do, to all of your friends.

Please carefully examine any email from your IT department, or your ISP, before clicking on any URLs in the message.
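Here is an added example (not from the original post, nor from the SecurityFocus article it cites) of the check a mail filter, or a careful reader, can make on a message like the one described above: pull every link out of the HTML body, compare the host the visible link text shows against the host the href actually points to, and also flag links that go to a raw IP address or leave the domain the message claims to come from. The sample message, its hostnames and the IP address in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample of the kind of notice the post describes: it claims to come
# from an ISP, and the visible link text shows the ISP's host name while the href
# points somewhere else entirely. All hosts and addresses here are made up.
SAMPLE_EMAIL = """
<p>Dear customer, your mailbox will be suspended unless you confirm your account.</p>
<p>Confirm here: <a href="http://203.0.113.7/confirm.php">http://mail.example-isp.net/confirm</a></p>
<p>Questions? See <a href="http://www.example-isp.net/help">our help page</a>.</p>
"""
CLAIMED_DOMAIN = "example-isp.net"   # the domain the message says it comes from (assumed)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL; bare 'www.x' text gets a scheme so urlparse works."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def find_deceptive_links(html, claimed_domain):
    """Return one finding per link that a reader should not click without checking."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        reasons = []
        # 1. The link text looks like a URL but names a different host than the href.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = host_of(text)
            if shown != actual:
                reasons.append(f"text shows {shown}, href goes to {actual}")
        # 2. The href points at a bare IP address rather than a named host.
        if is_ip_literal(actual):
            reasons.append("href is a raw IP address")
        # 3. The href leaves the domain the message claims to come from.
        if not in_domain(actual, claimed_domain):
            reasons.append(f"{actual} is not under {claimed_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL, CLAIMED_DOMAIN):
        print(finding["href"], "<-", repr(finding["text"]))
        for reason in finding["reasons"]:
            print("   ", reason)
```

Against the sample, only the "confirm" link is reported, for all three reasons; the help link, whose text is ordinary words and whose host sits under the claimed domain, passes. A link that fails only the third test is not proof of fraud (legitimate mail links to other domains all the time), which is why each finding carries its reasons rather than a verdict.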


6/2 The Bagle worm, which has been around many months and has come in so many versions, has now become worse. The new version is more complex, and leaves a more lasting effect on your computer, and one security company has given it a new name.

Glieder, as Computer Associates now calls it, as described in ZDNet Security Bagle variants punch, punch and punch again, combines several elements in a way not seen before. In this staged approach, viruses seed their victims, then disarm them, and then finally exploit them.

Glieder starts as its predecessor Bagle, by emailing itself to all of your address book contacts. But it doesn’t stop there.

Glieder then downloads two additional worms, one which blocks antivirus software updates, and Microsoft updates; and a second worm which disables firewalls and antivirus software, and then joins your computer to the latest botnet.

Please make sure that your antivirus software is up to date at all times. Mine has updated itself several times daily this week. If yours doesn’t update itself at least daily, please get a new antivirus product. For all your friends’ sake.


5/29 Have you gotten any interesting email from Microsoft recently? The Gibe worm, which infects by posing as an emailed security update, is apparently still in the wild, and looking for new victims.

The worm will arrive as an email from Microsoft, mentioning security vulnerabilities affecting Internet Explorer and MS Outlook/Express.

And I restate, for those of you who don’t know (and there are apparently some who don’t): Microsoft does not email security updates.


5/27 Most rabid antispam activists in forums like news.admin.net-abuse.email have been blocking all email from countries like Brazil, China, Nigeria, etc. for some time. The rationale behind that was three-fold.

  1. They needed to control the amount of spam hitting their customers email boxes.
  2. Their customers had no legitimate need to get email from any of those countries.
  3. There weren’t any real senders of email in those countries – just spam haven ISPs, that were abusing US, by providing safe harbour for OUR spammers.

Now, third world countries, just like the USA etc, use email in business and other daily activities. And, thanks to heavy handed attention by Spamhaus, SPEWS, and other blocklist publishers, developing countries are becoming very abused. See Developing nations losing spam battle, report says for more discussion about this situation.

In short, our economic system (which has employed the spammers for a long time) is providing a hindrance to what could be a major tool in helping third world countries take a step up economically.


5/26 The bad guys are getting personal. They’ve realised that form letter email, especially badly written, won’t get them as many victims as personal sounding email. So they’re starting out with details about you, and dropping those details into the email so you’ll believe that they’re legit.

Where do they get those details, like what is your favourite sports team, where do you live, or how do you like to spend your time? Not from hacking some super secret database – they make their own database, based upon the traces that you leave on the Internet.

Stephen H. Wildstrom of BusinessWeek Online invented a person, and registered him on a dozen or so websites. He then found that those websites, popular ones like Major League Baseball, The Post, Victoria’s Secret, and L.L. Bean, would happily verify to anybody that the fictitious person (email address) had registered with them.

In Leaky Web Sites Tell All About You, he describes how easy it is for the bad guys, with a little automation and network time (both of which the bad guys have in surplus), to find all about you. Once they have the details, they can use your email address to attack you, masquerading as someone who legitimately knows about your preferences.

Once again, can you say “Identity Theft”?


5/25 Two Instant Messaging attacks have been reported today. Users of AOL IM and Yahoo IM may get references to the new Star Wars movie, “Star Wars Episode III: Revenge of the Sith”, both with links that take the unwary recipient to malicious websites.

The website referenced in the AOL IM attack will try to download a worm to the computer, which will then continue to propagate itself to those in the Contacts list. The website in the Yahoo IM attack will ask for Yahoo credentials, and mail the provided information to another email address.


5/24 Are your systems up to date with their patches? Here’s an example why you should be.

You surf to a malicious website (said website has since been taken offline), which loads malware based upon an exploit that was patched late last year, encrypts some of your key files using a password known to the bad guys, and leaves you a ransom demand. Your money or your data.

This is real life, not a bad late night made for TV movie. Patch your systems, please.


5/24 Good news or bad? You decide.

The U.S. House of Representatives on Monday voted to establish new penalties for purveyors of Internet “spyware” that disables users’ computers and secretly monitors their activities.

Superficially, this looks like good news. But,

  • I doubt that our lawmakers can regulate a media that extends outside the borders of the country.
  • The contents of this bill are vulnerable to modification by the lawyers for the industries that will be affected by the bill. It’s highly unlikely that the bill will make it into final form in any useful state.
  • Here’s what makes me worry. Once there is a bill, effectively defining what is and what isn’t spyware, look out. Anything that can’t be defined as spyware may have a legal footing, to prevent us from removing it from our computers. This is one case where I think I agree with Microsoft. I just hope we don’t get to the point where you have to worry: Is Deleting Spyware A Crime?

5/23 The Sober worm, previously used to distribute German-language political spam related to a German election, is scheduled for reactivation today. TechWeb recently published Aggressive, Mass-Mailed Sober.p Worm Poised To Smack Users, which provides a very interesting overview of how cunningly the Sober worm was designed, to allow its creator to update it today without any chance of being detected. Included was an interview with Dmitri Alperovitch, a research engineer with Alpharetta, Ga.-based security firm CipherTrust.

“He’s accumulated a number of machines,” said Alperovitch, but he wouldn’t hazard even an estimate as to the size of the network of infected machines, also called a “botnet.”

Good people, if you don’t have a layered protection strategy on your computer right now, please put one in place. The reality of botnets like the Sober one, and the casual way Alperovitch referred to its unknown size, is appalling. The private computer owners of the world have to start taking responsibility for their possessions.


5/23 Be careful when you install any Macromedia products as an extension to Internet Explorer.

Macromedia Flash, and Shockwave, are two common and reliable add-ons for every well known browser, and provide useful content (My personal opinion). You have to be a bit more paranoid than I am to block both from your computer. Unfortunately, it looks like Macromedia is bundling other products that you may not want or need, when you install their products.

When you install a Macromedia product, look carefully at the selections offered. If you don’t want Yahoo Toolbar, or Weatherbug, be sure to opt-out during the install process (in other words, look for the screen where installation of the extra product is selected by default).



5/18/2005 The Honeynet Project published Know Your Enemy: Phishing, which describes how devious the phishers are becoming, in hiding their identities, and in using botnets and hijacked servers to conduct their fraudulent activities.

5/13/2005 For an answer to many different questions about malware, check out this PandaLabs Malware Trend and Analysis Report for 1Q2005. It’s an Acrobat document enclosed in a .zip folder, but it’s worth the effort spent opening it.

5/11/2005 ISC SANS has a series of articles that offer a fascinating look at how malware gets loaded onto an unprotected system. The fifth episode in the series Follow The Bouncing Malware was published today.

4/9/2005 BBC-TV interviewed a reformed hacker, connected an unprotected computer to the internet, and watched as their sacrificial computer was hit by 3 worms in 25 minutes, and crashed before 30 minutes had elapsed. Watch the Video, it is not too technical in detail, it’s technically relevant, and only 6 minutes long.

11/22/2003 The e-mail began, “Your site is under attack,” and it gave Mickey Richardson two choices: “You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months,” or, “If you choose not to pay…you will be under attack each weekend for the next 20 weeks, or until you close your doors.”


The Ping Command

December 30, 2005


The command utility “ping” is one of the simplest, and most universally useful, utilities used in computer networking. It asks just one question.

Do I have connectivity to a given host?

It answers that question, and possibly one other.

What IP address does that host name resolve to?

Depending upon whether you specify a host by name or by IP address (and either is useful), and whether that host actually does respond, you will get one of several responses.

You run Ping simply by opening a Command Window, and typing the command. You can:

  • Ping (hostname).
  • Ping (IP address).


Ping host by name, host responds.

I enter

ping pchuck1

And I see

Pinging pchuck1 [192.168.100.100] with 32 bytes of data:
Reply from 192.168.100.100: bytes=32 time<1ms

This tells me:

  • Host "pchuck1" is online and responding.
  • Its IP address is 192.168.100.100.
Ping host by IP address, host responds.

I enter

ping 192.168.100.100

And I see

Pinging 192.168.100.100 with 32 bytes of data:
Reply from 192.168.100.100: bytes=32 time<1ms

This tells me:

  • Host "192.168.100.100" is online and responding.
Ping host by name, host does not respond.

I enter

ping pchuck8

(I only wish I had 8 computers).

And I see

Pinging pchuck8 [192.168.100.107] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.100.107:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

This tells me:

  • Host "pchuck8" is not online, or is not responding (a host that is up, but whose firewall drops ICMP echo requests, looks exactly the same).
  • Its name resolved, so it's thought to exist, and to have an IP address of 192.168.100.107.

Possible problems:


Ping host by IP address, host does not respond.

I enter

ping 192.168.100.107

(I only wish I had 8 computers).

And I see

Pinging 192.168.100.107 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.100.107:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

This tells me:

  • Host "192.168.100.107" is not online, or is not responding (a host that is up, but whose firewall drops ICMP echo requests, looks exactly the same).

Possible problems:


Ping host by name, host is unknown.

I enter

ping pchuck8

(I only wish I had 8 computers).

And I see

Ping request could not find host pchuck8. Please check the name and try again.

This tells me:

  • Host "pchuck8" is unknown: the name could not be resolved, so no packet was sent at all. This is a name resolution problem, not a connectivity problem.

Possible problems:

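The following is an added example, not part of the original post, that turns the three outcomes walked through above into a small classifier over Windows ping output. The transcripts it parses are constructed to match the post's examples; the TTL values and the extra reply lines are assumptions, since the post's own output was cut off after "time".

```python
import re

# Constructed transcripts modelled on the Windows XP "ping" output quoted in the
# post. TTL values and the additional reply lines are assumed.
NAME_RESPONDS = """Pinging pchuck1 [192.168.100.100] with 32 bytes of data:

Reply from 192.168.100.100: bytes=32 time<1ms TTL=128
Reply from 192.168.100.100: bytes=32 time<1ms TTL=128
Reply from 192.168.100.100: bytes=32 time=1ms TTL=128
Reply from 192.168.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
"""

NAME_NO_RESPONSE = """Pinging pchuck8 [192.168.100.107] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.100.107:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
"""

NAME_UNKNOWN = "Ping request could not find host pchuck8. Please check the name and try again.\n"

# "Pinging name [ip] with N bytes" when a name was given, "Pinging ip with N bytes" otherwise.
HEADER_RE = re.compile(r"^Pinging (\S+)(?: \[([\d.]+)\])? with \d+ bytes of data:")
REPLY_RE = re.compile(r"^Reply from ([\d.]+): bytes=\d+ time[<=]\d+ms TTL=\d+")
UNKNOWN_RE = re.compile(r"^Ping request could not find host (\S+?)\.")
STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+) \((\d+)% loss\)")


def classify_ping(output):
    """Reduce a Windows ping transcript to the outcomes the post walks through.

    state is one of:
      responding   - at least one echo reply came back
      no_response  - the name resolved (or an IP was given) but nothing answered
      unknown_host - the name could not be resolved, so no packet was ever sent
    """
    result = {"target": None, "resolved_ip": None, "state": "no_response",
              "replies": 0, "timeouts": 0, "loss_percent": None}
    for raw in output.splitlines():
        line = raw.strip()
        m = UNKNOWN_RE.match(line)
        if m:
            result.update(target=m.group(1), state="unknown_host")
            return result
        m = HEADER_RE.match(line)
        if m:
            result["target"] = m.group(1)
            result["resolved_ip"] = m.group(2) or m.group(1)
            continue
        if REPLY_RE.match(line):
            result["replies"] += 1
            continue
        if line == "Request timed out.":
            result["timeouts"] += 1
            continue
        m = STATS_RE.search(line)
        if m:
            result["loss_percent"] = int(m.group(4))
    if result["replies"]:
        result["state"] = "responding"
    return result


if __name__ == "__main__":
    for sample in (NAME_RESPONDS, NAME_NO_RESPONSE, NAME_UNKNOWN):
        print(classify_ping(sample))
```

Two caveats that the classifier makes explicit. "no_response" means only that no echo reply arrived: the host may be off, the address may be wrong, or the host may be up with a firewall that silently drops ICMP echo requests, which Windows Firewall does unless an exception (such as File and Printer Sharing) permits them. "unknown_host" is decided before any packet leaves the machine, so it points at name resolution (DNS, WINS or NetBIOS broadcast), not at the network path.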

Corporate Security Policy

December 23, 2005

Every company that uses computers, and connects to the Internet in some way, needs a Corporate Security Policy.

A Corporate Security Policy can be simple, or complex.

  • It can be as simple as “No surfing the web from company computers”.
  • It can be complex, and include multiple sections.
    • A business section, describing why the company needs Internet access, what it trusts its employees to do, and what they must not do.
    • A data protection section, inventorying what essential company data is retained in its computer network, how the data is protected and backed up, and how it will be restored in case of disaster. This is also known as a Business Recovery, or Contingency, Plan.
    • A security section, listing what protective measures are taken, both active and passive, including monitoring to ensure that its employees are using its resources properly.
    • A technical section, inventorying the company network, and describing the network devices and computers.
    • A response section, detailing what steps are to be taken when a problem is detected by its security.
    • A legal section, detailing how employees will be treated when they are determined to be in violation of the other sections.
    • An ongoing assessment section, describing how periodic evaluation of the CSP is to be conducted. Since a CSP is not static, it must be periodically reevaluated.
  • It can include more or less, according to the needs of the company.

A CSP with any degree of complexity needs multiple personnel to develop, and approve, its content.

  • Information Security.
  • Information Technology.
  • Human Resources.
  • Legal.

LSP / Winsock Analysis Using A Log From Autoruns

December 19, 2005

The LSP / Winsock component (Winsock Layered Service Providers) in the Windows TCP/IP network stack is complex. It’s used by the Windows OS, and by malware and anti-malware alike, to allow, and to affect, your access to the network. Because every program that uses Winsock loads the registered providers into its own process, a malicious LSP can see, and alter, all of that program’s traffic, and a broken one can take every network application down with it.

Problems with the LSP / Winsock layer can be a lot of fun to diagnose. Generally, the problem is termed “corruption”, and you are urged to use any of several tools / procedures to simply reset it. But what if you suspect a problem, but a simple reset isn’t possible? Or what if you want to make an educated decision about a problem, or to help somebody else do the same?

You might start by enumerating (inventorying) the system components registered in the stack. One tool for doing this is the SysInternals product, Autoruns.

Autoruns, like many SysInternals products, needs no complicated install process. Just download it, and run it. Make sure that “Verify Code Signatures”, under Options, is enabled. It will present an incredibly detailed GUI inventory of all of the processes started by your computer automatically, in a tabbed display. One of the tabs, labeled “Winsock Providers”, will list all components registered in the LSP / Winsock layer.

If you save an Autoruns log, you can extract the Protocol_Catalog9 portion of the log, which will contain a text based inventory of LSP / Winsock components. Each section of the log is headed by the complete registry path of its root key; in the case of Protocol_Catalog9, that’s

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

Protocol_Catalog9, on my computers, is the next to last section in the log.

Below, in Attachment A, you will find an example of the relevant information, extracted from a log from one of my computers. A log from one of your computers may or may not contain the same entries – and the differences might point us towards a solution to your problem. If your log includes entries that are listed as “(Not verified)”, check them out with Online Analysis (free).

If none of these details interest you, you are welcome to simply reset your LSP / Winsock, using any of the 6 recommended procedures and tools. It’s your computer, and your dime.

Attachment A – Autoruns Log: LSP / Winsock Enumeration

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  
+ DiamondCS TCP/IP Layer [RAW] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [TCP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [UDP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] DATAGRAM 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] SEQPACKET 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] DATAGRAM 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] SEQPACKET 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
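As an added example (not part of the original post, and not a SysInternals tool), here is a small script that reads a Protocol_Catalog9 section in the text format shown in Attachment A and reports the entries worth a second look: unverified signatures, non-Microsoft publishers, and DLLs living outside the system directory. The embedded input is a subset of the Attachment A lines above; the trusted-publisher name and system directory are assumptions taken from those lines. A finding is something to check (for instance with the online analysis the post mentions), not a verdict: the DiamondCS entries it flags belong to a security product, and a malicious LSP would show up the same way.

```python
import re
from collections import Counter

# Constructed input: a subset of the Protocol_Catalog9 lines from Attachment A,
# in the format Autoruns writes them (entry, signature status, publisher, path).
SAMPLE_LOG = r"""HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ DiamondCS TCP/IP Layer [RAW] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [TCP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [UDP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
"""

# One catalog line: "+ <entry> (<Verified|Not verified>) <publisher> <drive:\path>".
# The path is taken as the last whitespace-free token, so paths containing spaces
# would need a quoted form; the Attachment A lines have none.
ENTRY_RE = re.compile(
    r"^\+ (?P<entry>.+?) \((?P<status>Verified|Not verified)\) "
    r"(?P<publisher>.+?) (?P<path>[a-zA-Z]:\\\S+)$"
)

# Assumed from the log: the signer name Autoruns shows for Microsoft's own providers,
# and the directory the stock providers live in.
TRUSTED_PUBLISHERS = {"Microsoft Windows Publisher"}
SYSTEM_DIR = "c:\\windows\\system32\\"


def analyze_winsock_log(text):
    """Parse catalog lines and flag entries that deserve a closer look."""
    entries, findings = [], []
    catalog_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HKLM\\"):
            catalog_key = line
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["path"] = e["path"].lower()
        entries.append(e)
        reasons = []
        if e["status"] != "Verified":
            reasons.append("signature not verified")
        if e["publisher"] not in TRUSTED_PUBLISHERS:
            reasons.append(f"third-party publisher: {e['publisher']}")
        if not e["path"].startswith(SYSTEM_DIR):
            reasons.append(f"unusual location: {e['path']}")
        if reasons:
            findings.append({"entry": e["entry"], "path": e["path"], "reasons": reasons})
    return {
        "catalog_key": catalog_key,
        "entries": len(entries),
        "by_dll": Counter(e["path"] for e in entries),   # how many catalog slots each DLL owns
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_winsock_log(SAMPLE_LOG)
    print(report["catalog_key"])
    for path, n in report["by_dll"].most_common():
        print(f"{n:3d}  {path}")
    for f in report["findings"]:
        print("CHECK:", f["entry"], "->", "; ".join(f["reasons"]))
```

Run against a log from another machine, the by_dll count is the quick comparison the post suggests: a DLL that owns catalog slots on your computer but not on a clean one is where to start reading.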

Windows Firewall and Windows Networking

December 12, 2005

Windows Firewall, first provided under that name with Windows XP SP2 and turned on by default, is provided so systems running Windows XP will be secure when set up out of the box. One of the features of Windows Firewall is default blocking of file shares, so the bad guys on the Internet can’t see the shared data on your computer.

Unfortunately, a secure system set up out of the box, and plugged in to your network, won’t be able to provide shared data to the other computers on your network either. So you may have to configure Windows Firewall, to allow your computer to be accessed by the other computers on your network.

  • Open Security Center from Control Panel.
  • Select Windows Firewall.
  • On the General tab, make sure Windows Firewall is ON, and clear the selection for “Don’t allow exceptions”.
  • On the Exceptions tab, enable File and Printer Sharing.
  • With File and Printer Sharing highlighted, select Edit. If the Scope does not show as “Subnet”, hit “Change scope” and select “My network (subnet) only”. Restricting the scope means the ports that file sharing listens on (TCP 139 and 445, UDP 137 and 138) are reachable only from addresses on your own subnet, not from the Internet.
  • Hit OK as necessary.

If problems persist, continue with Your Personal Firewall…, and then Irregularities In Workgroup Visibility.

Windows Explorer

December 9, 2005

One of the challenges involved in dealing with Microsoft Windows is describing the many objects in Windows – and some objects, though named, do not show a name when they are seen on your screen. Windows Explorer (not to be confused with Internet Explorer) is one of these objects.

Windows Explorer is the applet used to view objects. Windows Explorer does not label itself as such, because its title bar will always reflect what objects it’s displaying. A window labeled “My Computer”, “My Documents”, or “My Network Places”, for instance, is an instance of Windows Explorer.

You can start Windows Explorer from any of several ways:

  • Windows Key + “e”.
  • Right click on Start, and select “Explore”.
  • Double-click on any of the “My Computer”, “My Documents”, or “My Network Places” desktop icons.

Download Software Selectively

December 8, 2005

Usenet is a useful place to get advice for your technical issues. But accepting advice (which is validated by the other helpers in an open forum, constantly), and downloading software (which can’t be easily validated by anybody, at all) are separate issues.

Bad advice, given in any trustable forum, does not remain undisputed very long. The experienced helpers in serious forums know the consequences of allowing bad advice to be given, and not contested. All regular helpers, in any forum, both actively and passively validate the advice given by the others. Software, from an unknown server, can’t be validated by the helpers so easily.

Don’t see where this is going? Check out the DSLR Forums discussion Is your PC a drug mule?. In it, one of the posters, who signs himself as B, points out

I’ve always thought one would have to be a little crazy to trust executable software obtained via those channels. Movies and sounds, sure, but binary code? I don’t think so. For all anyone knows those warez Photoshop installations have some nifty sleeping trojans.

This is a valid concern. If I were a bad guy, and wanted to spread my code to thousands of computers easily, I’d get some popular software, patch it with my bad code, and stick it on my server. Then, I’d log in to a help forum somewhere, and when a pigeon asked for help, I’d tell him to download my software. Quite likely, more than the pigeon would read my post, and hundreds of folks would download, and install, my bad software.

This is a lot easier than finding, and exploiting, a weakness in network software. Get the pigeons to do the work for you. It’s essentially the same strategy which leads to the development of botnets.

So if I tell you to download some free software, like Filemon, Regmon, and Process Explorer (as an example), why should you trust me?

Whenever anybody tells you to download binary code (ie, software) from an unknown web address, do some research first.

  • Check out the forum where you see the recommendation for the software in question. Don’t accept advice only given in dodgy forums.
  • Check out the link to the software. Google or Yahoo for previous references to the title. See if there are any complaints, or mentions in malware forums, about the link. See if any complimentary comments about that website were made by anybody. NEVER download software, even if it has a good reputation, from a dodgy or unknown website.
  • Check out the person recommending the software. Check out prior posts, and correlate them. See if there are any other posts by the same person, where that person was busted for giving bad advice. Make sure there ARE prior posts by that person – and check prior posts for a match in style and content. See if any complimentary comments about that person were made by others. Don’t download software that’s only recommended by dodgy or unknown persons.
  • Check out the software itself, by title. Again, Google or Yahoo. See if there are any complaints, or mentions in malware forums, about the title. See if any complimentary comments about that product were made by anybody. Don’t download dodgy software.

My theory is that serious recommendations, by trusted helpers, in serious forums, probably point to safe software. If I see something mentioned in alt.comp.freeware, on the other hand, I consider the software itself, but I research before downloading.

In some cases, an AntiTrojan and AntiVirus scan of anything downloaded, before installing, is a good idea too. Since you’d be doing a one-time scan of an individual file, even an online multi-vendor scan would not be a needless precaution. Better an hour wasted researching, before installing software, than a couple of days wasted diagnosing a damaged system or network.
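One more check that belongs alongside the research and the scan above: compare the file you actually received with the checksum the publisher posts for it, so a copy that was "patched with bad code" and re-hosted under the same name is caught before it is installed. The script below is an added example, not code from the original post or from any of the tools it mentions. It assumes the publisher posts SHA-256 checksums in the common sha256sum text format (one "hex  filename" per line); the file names and contents it hashes are constructed stand-ins built in a temporary directory for the demonstration.

```python
"""Verify a downloaded binary against a publisher-supplied checksum.

Added example, not from the original post. Assumes the publisher posts a
SHA256SUMS-style list ("<hex>  <filename>" per line). The sample files
and the checksum list below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum-format lines into {filename: hex_digest}.

    Blank lines and '#' comments are skipped; a leading '*' on the file
    name (sha256sum's binary-mode marker) is stripped.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, expected_hex):
    """Return True only if the file's SHA-256 equals the published digest."""
    actual = sha256_of_file(path)
    # Constant-time comparison; harmless here but the idiomatic way to compare digests.
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    """Simulate publisher and downloader with constructed files.

    Returns (clean_ok, modified_ok): the genuine copy should verify, a
    re-hosted copy with even one extra byte should not.
    """
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a downloaded tool; not a real executable.
        clean = os.path.join(d, "tool.exe")
        with open(clean, "wb") as f:
            f.write(b"MZ" + b"constructed sample binary\n" * 100)

        # Publisher side: hash the genuine file and post the checksum list.
        published = "%s  tool.exe\n" % sha256_of_file(clean)

        # A copy served elsewhere under the same name, with one byte appended.
        modified = os.path.join(d, "tool_from_other_site.exe")
        with open(clean, "rb") as src, open(modified, "wb") as dst:
            dst.write(src.read() + b"\x00")

        expected = parse_checksums(published)["tool.exe"]
        return verify_download(clean, expected), verify_download(modified, expected)


if __name__ == "__main__":
    clean_ok, modified_ok = demo()
    print("genuine copy verifies:", clean_ok)
    print("modified copy verifies:", modified_ok)
```

The checksum only proves the file matches what the publisher posted; it does nothing if the checksum list itself came from the same dodgy site as the binary. Fetch the published digest from the vendor's own page, not from the forum post that recommended the download, and treat a mismatch as a reason to delete the file, not to retry the install.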

How To Not Be Seen

December 6, 2005

Caption on screen: ‘HM GOVERNMENT, PUBLIC SERVICE FILM NO. 42 PARA 6. “HOW NOT TO BE SEEN”’

Cut to a wide-angle shot of hedgerows, fields and trees.

VOICE OVER (John Cleese): In this picture there are forty people. None of them can be seen. In this film we hope to show you how not to be seen.

VOICE OVER: In this film we hope to show how not to be seen. This is Mr. E.R. Bradshaw of Napier Court, Black Lion Road London SE5. He can not be seen. Now I am going to ask him to stand up. Mr. Bradshaw will you stand up please.

In the distance Mr Bradshaw stands up. There is a loud gunshot as Mr Bradshaw is shot in the stomach. He crumples to the ground.

VOICE OVER: This demonstrates the value of not being seen.


Cut to another location – an empty area of scrubland.

VOICE OVER: In this picture we cannot see Mrs. B.J. Smegma of 13, The Crescent, Belmont. Mrs Smegma will you stand up please.

To the right of the area Mrs Smegma stands up. A gunshot rings out, and Mrs. Smegma leaps into the air, and falls to the ground dead.


Cut to another area, however this time there is a bush in the middle.

VOICE OVER: This is Mr Nesbitt of Harlow New Town. Mr Nesbitt would you stand up please. (after a pause – nothing happens) Mr Nesbitt has learnt the value of not being seen. However he has chosen a very obvious piece of cover.

The bush explodes and we hear a muffled scream.


Cut to another scene with three bushes.

VOICE OVER: Mr. E.V. Lambert of Homeleigh, The Burrows, Oswestry, has presented us with a poser. We do not know which bush he is behind, but we can soon find out.


The left-hand bush explodes, then the right-hand bush explodes, and then finally the middle bush explodes. There is a muffled scream.

VOICE OVER: Yes it was the middle one.

Cut to a shot of a farmland area with a water butt, a wall, a pile of leaves, a bushy tree, a parked car, and lots of bushes in the distance.

VOICE OVER: Mr Ken Andrews, of Leighton Road, Slough has concealed himself extremely well. He could be almost anywhere. He could be behind the wall, inside the water barrel, beneath a pile of leaves, up in the tree, squatting down behind the car, concealed in a hollow, or crouched behind any one of a hundred bushes. However we happen to know he’s in the water barrel.

The water barrel just blows up in a huge explosion. Cut to a panning shot from the beach huts to beach across the sea.

VOICE OVER: Mr. and Mrs. Watson of Ivy Cottage, Worplesdon Road, Hull, chose a very cunning way of not being seen. When we called at their house, we found that they had gone away on two weeks holiday. They had not left any forwarding address, and they had bolted and barred the house to prevent us from getting in. However a neighbour told us where they were.

The camera pans around and stops on an obvious looking hut, which blows up. Cut to a house with a Gumby standing out front.

VOICE OVER: And here is the neighbour (he blows up, leaving just his boots. Cut to a shack in the desert) Here is where he lived (shack blows up – cut to a building) And this is where Lord Langdon lived who refused to speak to us (it blows up). So did the gentleman who lived here… (shot of a house – it blows up) and here… (another building blows up) and of course here… (a series of various atom and hydrogen bomb explosions.)

Links

December 4, 2005

These are links to websites of my friends, and some of my personal activities.

  • The American Red Cross wants to help you to be prepared for disasters.
  • Chuck’s Kitchen is a small, but growing, collection of my favourite recipes. If you come checkout my church, you may get to try one. I’m a Methodist, and Methodists love to cook.
  • Chuck’s Miscellaneous Musings are Miscellaneous Thoughts About Local and World Events and Trends, from a techie viewpoint.
  • Crooked Spire is a Celtic music band that performs in the Bay Area.
  • HowFunky is a place with useless technical content, from an MVP that lives in my area.
  • Jeffrey’s Ruminations is The Thoughts and Musings of Jeffrey Randow, another Networking MVP, about Networking.
  • Martinez Music Forum Gift to the Community was a joyful celebration of the Christmas season, including both secular and spiritual music, including both Crooked Spire and Martinez UMC Choirs. We’ll have more during the year – so watch this space!
  • Martinez United Methodist Church is a small yet very active community church, in the East Bay suburbs of San Francisco CA. Drop by sometime, if you’re in the area.
  • Mom’s Trip To Russia is a pair of blogs – mine and Mom’s – about my Mom’s trip to Pyatigorsk, Russia as a member of a VIM team.
  • MoonLake CyberSmiths WebHosting is a business part owned by a friend at DSLR Forums, and a possible future MVP.
  • Nitecruzr As A Hacker is a rambling tale of my college years, including one very memorable episode where I might have been expelled but for some fortunate circumstances.
  • Owzone & Linux provides information about Fedora Core Linux, its Security & Software features and how to apply them to your benefit.
  • Pacific IT Pros, previously known as the San Francisco Networking Technologies Users Group, SFNTUG, is an independent non-profit organization for IT Professionals.
  • The Sounds Of Words is a revolutionary process for teaching reading, to students with special needs, developed by my sister.