Vista still, well, beta

No big surprise, Gary Krakow at MSNBC wrote today about his experiences testing Vista:

The stuff that works on Vista seems to work well. But getting the Beta on to a computer was another matter. Installing Vista Beta 2, for me was one of the worst operating system experiences that I’ve ever encountered.

Link here.

Of course, it’s beta and a bit of hell is to be expected.

Experiences generally are mixed. We’re running Vista on various test systems here, and I’ve personally been running it in VMware. Eric Sites, our head of R&D, has been putting it on his home machine, and his experience has been a mixed bag:

I installed beta 2 last night with very few issues.

I had to download new Vista beta drivers for my new ATI (512 MB) video card, purchased specifically because my not-so-old video card had only 128 MB of RAM and would not support some of the nicer features of the new Vista graphics system. I got these from the ATI website, but it took about 3 reboots after disabling the motherboard video card driver in the control panel, which I had already disabled in the BIOS but Vista wanted to use it anyway. It was causing the ATI to not load, which was strange because Vista did not have a proper driver for the motherboard video card either — it was using a generic driver so the screen looked like crap.

I also had to download drivers from the Creative website for my Sound Blaster Audigy 2 high-end sound card. I rebooted and everything worked; I did not have any issues with the motherboard sound chip.

I did not try to upgrade my XP installation; I installed an old hard drive I had lying around and deleted the old partitions before starting the install.

Luckily Vista did have support for my motherboard network card, to download the other drivers.

After getting the system running with sound and video, I installed MS Office 12 and set up my VPN back to the office to check email. The VPN setup was smooth, but when I started downloading my email it was glacially slow. I took a look at Task Manager’s Networking tab; it showed my VPN link speed at only 26 kbps. This was a little odd; it should have been 100 Mbps. After about 30 mins, the link speed started increasing, but only to 760 kbps. The Outlook 12 UI was very unresponsive while downloading email. I was able to read about 5 emails, but it just got too frustrating to continue and it was getting late (2:20 AM).

More to follow later, I still need to install my dev tools and the new DDK now renamed to WDK (Windows Driver Kit) and KMDF (Kernel Mode Driver Framework) which is a component of the WDK.

One aggravating aspect of Vista is UAC (User Account Control, previously referred to as User Account Protection, UAP), where you get incessant dialog boxes asking permission to do some inane thing or another.  Paul Thurrott (who has railed against this feature in the past) claims that this feature has gotten better in Beta 2, so we’ll have to take a look. 

Anyone else out there running Beta 2?  Any other feedback?

 

Alex Eckelberry

When a spam filter can cost you money

Georgia school implements strict spam filter, and a low-bid is marked as spam… Whoops.

A Georgia school, eager to avoid a large volume of junk e-mail, recently installed an aggressive anti-spam system. Unfortunately, the filter stopped a message from a contractor who was submitting a low bid to do work for the school, and the spam filter error may have cost the school thousands of dollars.

Link here.

Alex Eckelberry
(Thanks Ferg)

Oh, and while we’re on the subject of SiteAdvisor

This was a company that had been in business for less than a year with a relatively small staff, but had a great idea.

The (rumored) back story on the deal is that a fairly short time after they went live with the service, they were approached by two interested acquirers. A (rumored) sort of bidding war ensued, resulting in a sale that has now been confirmed at over $70 million.

From McAfee’s recent 10-Q:

On April 3, 2006, we acquired 100% of the outstanding capital shares of SiteAdvisor Inc., a web safety consumer software company that tests and rates internet sites on an ongoing basis. We believe the technology and business model that SiteAdvisor has developed is not currently available in the marketplace and it will allow us to enhance our existing product offerings and add value to the McAfee brand. The purchase price of the acquisition included approximately $60.8 million of cash payments made to the former SiteAdvisor shareholders and approximately $0.3 million of direct acquisition costs. We have also agreed to make $9.3 million of cash payments to certain SiteAdvisor employees and advisors over the next two years that will be contingent upon their fulfillment of future service obligations. These payments will be recorded as an expense during the periods in which they are earned. The financial results of SiteAdvisor will be included in our results of operations from the date of acquisition. We have not received a final independent appraisal of the acquired assets and liabilities. Accordingly, we cannot provide the purchase price allocation or the valuation of acquired intangible assets at this time.

Of course, with a deal of this size that happens so quickly, it must be causing short-term capital gains problems for the company’s backers (Bessemer Ventures).

I’m sure no one is feeling sorry for them.

Alex Eckelberry

 

Well, perhaps Scandoo needs some work

Earlier today I wrote about Scandoo.  But based on a user’s report, the product is perhaps not ready for prime time.

For example, a search for Kazaa yields this result:

[Screenshot: Scandoo search result for “Kazaa”, rated green]

Since Kazaa bundles Direct Revenue, one would think that it would not be rated “green”.

Similarly, Bearshare.com bundles adware, but is rated green by Scandoo. Ibisit.com (fifth Google result for “Ibis llc”), makers of the notorious IBIS WebSearch toolbar, is rated green by Scandoo. And Duble.com (seventh Google result for “ringtones”) distributes Zango, but is rated green by Scandoo.

In addition, Scandoo doesn’t rate search engines’ ads. We know from a past study by SiteAdvisor that ads are where the dangers lie: 2-3x as many dangerous sites are in ads as in organic results.

It looks like a promising service, but it does need a bit of work. (Note that SiteAdvisor isn’t perfect either and is still a work in progress.)

Alex Eckelberry

SiteAdvisor competitor


SiteAdvisor, a service which rates sites based on a number of criteria, was recently bought by McAfee (for about $70 million).

Now there’s a competitor, Scandoo, which promises results similar to SiteAdvisor’s, but with no software needed on your system. It’s a division of ScanSafe and is based on ScanSafe technology.

Simply go to the Scandoo website, enter a term, and something like the following shows up, with rating marks next to each result:

[Screenshot: Scandoo results for “screensavers”, with a rating mark next to each result]

Link here via TG Daily.

 

Alex Eckelberry

Internet Addiction: Real Problem or Much Ado about Nothing?

Last week, Reuters ran a story about the “growing problem of Internet addiction” that was picked up by CNN and other major news outlets. You can read that article here.

It quickly spawned follow-ups, such as AP’s survey the next day showing that half of workers who use the Internet at work would rather give up their morning coffee than lose their Web surfing privileges. That one’s here.

It’s not a new issue; concerns over “Internet addiction” have been in the news intermittently since the early 90s, when commercial ISPs started offering access to the public at affordable prices. The specter of a generation hooked on getting their computer “fix” has been the subject of a few sci-fi books and movies.

“Addiction” is a popular buzzword these days: in addition to drug and alcohol addicts, we now have gambling addicts and sex addicts. Those who overeat are food addicts; those who spend too much money are shopping addicts, those who lose their tempers are anger addicts. Back in the olden days, before newspeak took over the language, addiction was a very real medical condition. People who are addicted to opiates or alcohol or nicotine or even caffeine go through measurable, painful, sometimes life-threatening physical withdrawal symptoms.

Obsessive or compulsive behavior does not equal addiction. Simply engaging in an activity “too much” does not make one an addict. Yet we have doctors like the one quoted in the Reuters article – people who are supposed to be trained in the difference between physiological and psychological manifestations – saying that the Internet may promote “addictive behaviors.”

Why the rush to label all undesirable behavior as a disease? My theory is that doing so benefits both doctor and “patient.” If the person engaging in the behavior can pass it off as a disease or addiction, that relieves him/her of the responsibility for changing that behavior. The addict can’t just quit cold turkey; that’s too hard. He/she needs help. Enter the doctors who cater to these pseudo addicts. If it’s a disease, their services are required – at a hefty price, of course. We all expect “healthcare” services to cost a bundle. And of course, if we can get it officially recognized as a disease, maybe the insurance companies will pay for it.

I guess you can tell I’m not too impressed with the whole “Internet addiction” crisis. Sure, some people spend way too much time online. Some folks might say I’m one of them. I make my living writing, mostly for online publications, so I’m at the computer between six and ten hours a day. I have dozens of friends with whom I’ve been communicating online on a daily or weekly basis for over a decade, some of whom I still haven’t ever met in person. Even for keeping in touch with my “real world” friends and family, most of the time I prefer to zap off an email rather than picking up the phone (and thus risking bothering someone in the middle of something).

But am I “addicted?” I don’t think so. If I have to be in a place where there’s no Internet access, I miss the convenience of being “connected” but I don’t break out in sweats or get excruciating headaches or start to shake uncontrollably. Far from interfering with my “real life,” the Internet has enabled me to participate more fully in it – I find out about community events and neighborhood meetings that I probably wouldn’t attend otherwise, I obtain consulting gigs and speaking engagements. My cousins and I had drifted out of touch for years until everyone got Internet access; now we keep each other apprised of what’s going on in our lives and coordinate, via email, monthly lunch get-togethers.

Sure, the Internet can be used for nefarious purposes, too. There are predators who hang out in chatrooms to look for victims. There are also predators who hang out in parks for that purpose. The CNN article implies that the Internet causes divorces. Doesn’t it seem more likely that the people who engage in “online sexually compulsive behaviors” probably aren’t/weren’t models of marital fidelity offline, either? Ah, but it’s so much more convenient to be able to protest that “the Internet made me do it.”

The article paints a dire picture: sleep deprived addicts suffering from dry eyes and carpal tunnel syndrome who get “cybershakes,” characterized by typing motions of the fingers when not at the computer. It’s enough to make you want to go out and pass a Constitutional amendment enacting a new Prohibition, this one on Internet Service Providers. I can just imagine the black market that would spring up, with shifty-eyed techies standing on street corners, offering surreptitious connections to underground wireless networks for cash.

What the addiction proponents seem to ignore is the difference between addiction and habituation. Hanging out on the ‘Net can become a habit that’s hard to break. So can watching TV, playing the guitar, or talking on the phone. Are those addictions, too? Will we soon be seeing meetings of Unlimited Minutes Anonymous? Hmmm … one might even say those who feel compelled to label any and everything an addiction are Addiction addicts.

Tell me what you think. Am I way off base here? Am I just an Internet addict who’s deep in denial?

Or is the issue being hyped by both misguided helper types and those who stand to profit from turning excessive ‘Net surfing into a dire disease?

Do you know anyone who suffers from “cybershakes”? Do you get withdrawal symptoms if you’re deprived of your monitor and keyboard? Is the Internet damaging your real world relationships, destroying your marriage, turning you into a compulsive cybersex fiend? 

Deb Shinder

Sunbelt TechTips for the week of May 22

How to automatically close non-responding programs
It can get old: a program hangs and stops responding, and you open up the Task Manager and click End Program (sometimes several times before the uncooperative program finally shuts down). Why not just have Windows close programs that quit responding so you won’t have to? You can do it with a registry tweak. As usual, we recommend that you back up the registry before making any changes. Here are the steps:

  1. In your favorite registry editor, navigate to the following key:
    HKEY_CURRENT_USER\Control Panel\Desktop
  2. In the right pane, right-click the entry AutoEndTasks.
  3. Select Modify.
  4. In the Value Data field, change the value to 1.
  5. Click OK, and close the registry editor.

If you want to change Windows back to the default behavior (not closing unresponsive programs), just repeat the process and change the value back to 0. You’ll need to restart the system for the change to take effect.

Some add-ons aren’t listed in the IE Add-on Manager
Internet Explorer with XP Service Pack 2 includes an Add-on management tool that lets you easily disable and enable browser add-ons, but you may find that some of the add-ons you know are installed don’t appear in the list when you open the Manage Add-ons dialog box. This can happen because a flag was set in the registry during installation of the add-on that prevents it from being managed this way. There’s a fix available that you can download from Microsoft. See KB article 888240 for a link to the download and more info.

“Delayed Write Failed” error message
If you get an error message that says “Delayed Write Failed” when you try to save or move files in Windows XP, this can be caused by the configuration of your hard disk controller and a feature that enables write caching on the disk. You may need to change a setting in your system BIOS and/or turn off the “enable write caching on the disk” feature. For instructions on how to do so, see KB article 330174.

Incorrect battery information on laptop computer
If the total battery power remaining and other information displayed on the Power Meter tab is incorrect after you resume from a suspended or hibernated state on your portable computer, or the computer stays in low-battery hibernation mode even though the battery is fully charged, it may be because you replaced the battery with one of a higher or lower capacity while the computer was suspended or hibernating. There is a hotfix for the problem, but Microsoft recommends that you wait for the next service pack unless you have a special need to correct it. You can read more about how to get the fix in KB article 889816.

The making of a Ninja

 

Today, we officially announced our new Ninja Messaging Security product for Microsoft Exchange.  It’s a pretty significant milestone for us, as we’ve been working on this product for over two years, with a considerable financial investment for a company of our size.

In fact, it’s one of the most impressive products I’ve been involved in during my 20-odd year career in the high tech arena. I don’t say that lightly, either.

The story of Ninja started after we shipped our spam filter for Microsoft Exchange, iHateSpam Server.  It did well in the market, but we really felt that the whole messaging security space could be looked at differently. After all, what’s the most critical protection point for security in an enterprise?  Email. 

To give you some background, the email security space is dominated by the major vendors, like Symantec, McAfee and Trend.  Then, there are the players like Sybari (now owned by Microsoft) and GFI, and then the hosted security solutions like Postini.

However, none of the existing solutions work perfectly for managing email security in an organization.  None of them present a truly comprehensive solution.  Most don’t provide a layered approach, where you have multiple scanning engines and security checks that an email has to go through before being passed on to the user.  Some are downright cumbersome to use. And most are quite expensive.

Let’s further dissect the key problems with email security:

1. Lack of comprehensive solutions:  You may buy an antivirus program from one of the big security vendors to stop email-borne viruses. But will it also do a good job of stopping spam and malicious attachments, provide content filtering and content auditing, as well as handle your other needs like corporate-wide disclaimers?  No:  You will have to buy multiple solutions for a hodge-podge approach. 

Why is this bad? Well, one key issue is security. With multiple products running to handle your email security needs, you have multiple patch points. Another key issue is learning. You have to keep up on multiple different products, with their own methods of operation, their own quirks. Reporting isn’t pulled together for all modules. And then there’s cost. It just costs more to have dedicated solutions for each problem you’re trying to solve.

2. Lack of policy-based solutions.  All security solutions should be policy based, but most aren’t.  This simply means that you can establish one set of security policies for one group or person, and another set of policies for a different group.  For example, let’s say that you want some people in the company to be allowed certain attachments, but others, no attachments at all. You would simply create a custom policy for each group of people. 

3. Reliance on one vendor. Relying on one antivirus company to stop viruses through email is asking for trouble. In fact, I would call it dangerous. As we’ve seen on this blog in the past, antivirus companies are in constant catch-up, trying to keep up with the latest outbreaks. If they’re a few hours late with one virus, it could mean absolute havoc for your company. So one AV filter for email might work for the home user, but for an organization, it’s an incredibly dangerous approach. It’s like relying on only one lock on your front door, in tenement housing in a bad part of Manhattan. You’re going to get robbed.

4. Touch-and-go quality.  Quality is all over the place in messaging security.  Let’s look at attachments as one example.  Did you know that the most common way that people bypass attachment filters is to rename the file extension?  So you could have someone sending in an .exe file into an organization, but by simply renaming the file to a .txt extension, it blows by most attachment filters.

Or, take content filtering.  With most solutions, you can’t filter content inside the organization.  You can only filter content that is going in or out of the company.  So Billy Bob who sends around endless joke emails inside the company, wasting time and creating potential security risks with stupid links, is actually completely ignored by most content filters.

In answering these problems with email security, our solution was to do the following:

1. Create a framework.  We created a framework in which best-of-breed security plug-ins could be inserted.  Ninja is basically a large security interface to Microsoft Exchange, and the plug-ins do the work.  We ship three plug-ins with the product:  Spam, antivirus and attachment filtering. More, such as content filtering and auditing, will be added in the coming months.  

2. Make it policy based.  Ninja is policy based from the ground up (with the one exception of antivirus, where you must filter all email with one policy).  You can create endless policies to specifically tailor the application to your own organization’s needs.

3. Create plug-ins with a layered approach.  Both Ninja’s antivirus and antispam plug-ins use multiple scanning engines.  For antivirus, we use BitDefender and Authentium.  For spam, we include Cloudmark’s antispam engine along with our own home-brewed engine.  These are all included in the cost of the product.

4. Improve the quality of security.  Our attachment filter actually looks inside many types of attachments, so you can’t fool it by renaming the extension, and it can look at all attachments — inbound, outbound or internally within the company.  And so on.  Everything in Ninja is just world-class quality.

5. Make it free or insanely cheap.  One of Ninja’s hottest features, the intelligent attachment filtering, is free.  You can download it today, and have the best attachment filtering in the business at absolutely no cost to your organization.  And the rest of Ninja is very aggressively priced. 
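The attachment-filter weakness described under problem 4 above (an .exe renamed to .txt blowing past an extension check) and the content-inspecting filter described under point 4 of the answers can be shown in code. What follows is an added example, not Sunbelt’s code and not how Ninja’s own filter works: it classifies an attachment by its leading bytes (the file signature) instead of by its extension, and descends into ZIP archives so a renamed executable inside an archive is caught too. The signature table, the blocked-type policy, the size limits and the sample files are all constructed for this example.

```python
"""Content-based attachment filtering (added example; not Ninja's implementation).

Identify an attachment by its leading bytes rather than its file-name extension,
and look inside ZIP archives so a renamed executable cannot slip past as .txt.
"""
import io
import os
import zipfile

# File signatures ("magic numbers"); the first match wins, so keep them ordered.
SIGNATURES = [
    (b"MZ", "dos-windows-executable"),                            # EXE/DLL/SCR share the DOS "MZ" stub
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),                               # also .docx/.xlsx/.jar containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound-file"),  # legacy .doc/.xls/.ppt
    (b"%PDF-", "pdf"),
]

# Policy (assumed for the example): executables are refused whatever they are called.
BLOCKED_TYPES = {"dos-windows-executable", "elf-executable"}
MAX_ZIP_DEPTH = 2                     # nested archives to descend into
SNIFF_BYTES = 4096                    # only the head of a member is decompressed (zip-bomb guard)
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # nested archives larger than this are not opened


def sniff_type(data: bytes) -> str:
    """Classify bytes by signature; 'text' if the head is printable ASCII, else 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    head = data[:512]
    if head and all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def inspect(filename: str, data: bytes, depth: int = 0) -> list:
    """One finding per file; ZIP members are inspected recursively up to MAX_ZIP_DEPTH."""
    kind = sniff_type(data)
    ext = os.path.splitext(filename)[1].lower()
    findings = [{"name": filename, "ext": ext, "type": kind}]
    if kind == "zip-archive" and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as member:
                        head = member.read(SNIFF_BYTES)
                        # A nested archive must be complete to be opened; read the rest if it is small.
                        if sniff_type(head) == "zip-archive" and info.file_size <= MAX_MEMBER_BYTES:
                            head += member.read()
                    findings.extend(inspect(f"{filename}/{info.filename}", head, depth + 1))
        except zipfile.BadZipFile:
            findings[0]["type"] = "corrupt-zip"
    return findings


def evaluate_attachment(filename: str, data: bytes, blocked=BLOCKED_TYPES) -> dict:
    """Apply the blocked-type policy to every finding and explain any refusal."""
    findings = inspect(filename, data)
    reasons = [
        f"{f['name']}: content is {f['type']} (named with extension {f['ext'] or 'none'})"
        for f in findings
        if f["type"] in blocked
    ]
    return {"allowed": not reasons, "reasons": reasons, "findings": findings}


# Constructed sample data: a minimal DOS/PE-style header, nothing runnable.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode."


def build_sample_zip() -> bytes:
    """Constructed archive: a harmless note plus the fake executable named as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "just a note\n")
        zf.writestr("invoice.pdf", FAKE_EXE)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("report.txt", FAKE_EXE), ("notes.txt", b"plain text\n"), ("docs.zip", build_sample_zip())]
    for name, blob in samples:
        print(name, evaluate_attachment(name, blob))
```

The policy deliberately ignores the extension when deciding; the extension is only reported in the reason so an administrator can see the mismatch (`report.txt` carrying an `MZ` header). Reading just the first few kilobytes of each archive member keeps the check cheap and avoids fully decompressing a hostile archive.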

Ok, so now I’ve said my piece.  If you’re an Exchange administrator, take a look, let me know what you think.  

More corporate propaganda here.

 

Alex Eckelberry

AT&T secret rooms

Former AT&T technician Mark Klein’s statement about the company’s alleged collusion with the NSA has been under seal in a San Francisco courthouse as part of EFF’s lawsuit against AT&T.

Wired just released the statement.

In San Francisco the “secret room” is Room 641A at 611 Folsom Street, the site of a large SBC phone building, three floors of which are occupied by AT&T. High speed fiber optic circuits come in on the 8th floor and run down to the 7th floor where they connect to routers for AT&T’s WorldNet service, part of the latter’s vital “Common Backbone.” In order to snoop on these circuits, a special cabinet was installed and cabled to the “secret room” on the 6th floor to monitor the information going through the circuits. (The location code of the cabinet is 070177.04, which denotes the 7th floor, aisle 177 and bay 04.) The “secret room” itself is roughly 24-by-48 feet, containing perhaps a dozen cabinets including such equipment as Sun servers and two Juniper routers, plus an industrial-size air conditioner.

Link here.

Alex Eckelberry
(Hat tip to the indefatigable Ferg.)

EFF v. AT&T

25 million socials stolen?

VA official takes a bunch of discs home with 25 million social security numbers. They get stolen.

WASHINGTON – Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.

Link here.

Alex Eckelberry
(Thanks Catherine!)

Ohio University — pwned

A break-in that lasted over a year.

In a disclosure that hasn’t been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com.

Link here.

Alex Eckelberry

Program Provides GUI Front-end For Microsoft’s HFNetChk


System administrators use the command-line program HFNetChk to audit a list of service packs and hotfixes installed in Windows computers.

A new program gives admins all the commands for the app in a GUI. SearchWinSystems has more here. I just took a quick look, and it’s a very basic but quick way to run HFNetChk on systems.

Alex Eckelberry
(Hat tip to Stu)

Word exploit

Pretty interesting… 

“Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system).  The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed.  After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document.  As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file.  If the user agrees, the new “clean” file is opened without incident.” They are working with Microsoft on this.

“We are still analyzing the trojan dropped by the exploit. What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and “pings” this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows”. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

We have traced nearly this attack to the far east; specifically, China and Taiwan. IPs seen are registered there, domains seen are registered there, and the emails received originated from a server in that region. The attackers appear to be aware that they have been “outed”, and have been routinely changing the IP address associated with the URL above.”

Link here via F-Secure.
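The beaconing behaviour described in the quoted write-up (proxy-aware, empty HTTP POSTs to one server about once a minute) is something a defender can look for in proxy logs, since the trojan hides its files on the host but cannot hide its traffic from the proxy. The following is an added example, not code from the original post, from F-Secure, or from the write-up’s authors: it parses a simple constructed proxy log format (UTC timestamp, client IP, method, URL, status, request bytes), groups zero-byte POSTs by client and destination host, and flags series whose inter-request gaps cluster around a configurable period. The log format, the host name beacon.example and the sample lines are constructed for this example; a real deployment would substitute its own proxy format and indicators.

```python
"""Periodic empty-POST beacon detection over proxy logs (added example).

Constructed log format: "<ISO-8601 UTC time> <client IP> <method> <URL> <status> <request bytes>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median
from urllib.parse import urlsplit

LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, req_bytes = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client,
        "method": method,
        "host": urlsplit(url).hostname or "",
        "status": int(status),
        "req_bytes": int(req_bytes),
    }


def find_beacons(lines, min_hits=5, period_s=60.0, tolerance=0.25, min_regular=0.8):
    """Flag (client, host) pairs whose zero-byte POSTs recur at roughly period_s seconds.

    tolerance:   allowed deviation of a gap from period_s, as a fraction of period_s.
    min_regular: fraction of gaps that must fall inside that window (a missed beat or two is tolerated).
    """
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["req_bytes"] == 0:
            series[(rec["client"], rec["host"])].append(rec["ts"])
    findings = []
    window = tolerance * period_s
    for (client, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = sum(abs(g - period_s) <= window for g in gaps) / len(gaps)
        if regular >= min_regular:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "median_gap_s": median(gaps), "regular_fraction": regular})
    return findings


def constructed_sample_log():
    """Constructed log: one host posting 0 bytes to beacon.example about every minute, plus normal traffic."""
    base = datetime(2006, 5, 19, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, jitter in enumerate([0, 2, -1, 3, 0, 1, -2]):
        t = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.2.3 POST http://beacon.example/ 200 0")
    lines += [
        "2006-05-19T09:00:10Z 10.1.2.3 GET http://www.example.com/index.html 200 0",
        "2006-05-19T09:00:45Z 10.1.2.9 POST http://mail.example.com/login 302 184",
        "2006-05-19T09:01:45Z 10.1.2.9 POST http://mail.example.com/login 302 190",
        "2006-05-19T09:03:00Z 10.1.2.9 GET http://mail.example.com/inbox 200 0",
        "garbage line that does not parse",
    ]
    return lines


if __name__ == "__main__":
    for finding in find_beacons(constructed_sample_log()):
        print(finding)
```

The check keys on the shape of the traffic (empty POST bodies, same destination, near-constant interval) rather than on the host name, so it still fires after the attackers rotate the IP behind the URL, as the write-up says they have been doing. Tighten `tolerance` and raise `min_hits` on a busy proxy to keep ordinary form submissions from scoring.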

Alex Eckelberry

The attack of Iskorpitx — biggest in history

[Image: the defacement page, showing the Turkish flag with Atatürk’s face on it]

Turk hacks thousands of websites in one day.

Yesterday the Turkish cracker going by the handle “Iskorpitx” successfully hacked 21,549 websites in one shot and defaced (on a secondary page) all of them with a message showing the Turkish flag (with Atatürk’s face on it) and reading:

“HACKED BY iSKORPiTX

(TURKISH HACKER)

FUCKED ARMANIAN-FUCKED FRANCE-FUCKED GREECE-FUCKED PKK TERROR”

More here, and stats here, both via Ferg.  And check out the Google search here for “Iskorpitx” — lots of hits, although not all are related to this attack (Thanks Richard).  

Alex Eckelberry

Ok, the house deserves a rake, but a rootkit?

Online poker site Checkraised accidentally ships a trojan/rootkit thingie in the payload of a rake calculator (“rake” is a term denoting the percentage the house charges in a poker game):

In December 2005 we contracted a programmer to create a rake calculator for us. The rake calculator (known as rbcalc, rbcalc.exe) was an executable file that a player would run on his machine to calculate rake from hands he previously played (stored in hand history files or a poker tracker database).

It has recently come to our attention that early versions of this program that we received contained a virus that installs itself every time the user runs rbcalc.

The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a 3rd party contacted us about the malicious software.

Link here.

ComputerActive has a bit more:

The malware then covertly stored gamblers’ information and the executable files allowed hackers remote access to the victims’ computers.

The stolen information has been used to log into various online poker websites including Partypoker, Empirepoker, Eurobetpoker and Pokernow. Having gained access, the hacker can then play poker against himself, losing on purpose and reaping the rewards.

Absurd.

Alex Eckelberry
(Thanks Catherine!)

When RBLs go too far

Real-time Blackhole Lists (RBLs) have had their share of controversy in the past, but they can be quite useful in stopping spam (if you weight their responses).

However, I recently noticed a post by someone on one of Sunbelt’s discussion forums.

We had a (now-former) employee install a bunch of spyware on a workstation late Friday. One of the messes was a spam generator of some kind. The workstation’s offline now.

The problem is we only have one external visible IP, so now my mail IP is blacklisted all over the place. Is there a magic process for getting off blacklists?

I’m googling as we speak  

Ok, that’s understandable.  So what happened?

He started the process of getting off the blacklists (something, incidentally, you can check yourself by going to dnsstuff.com and doing a Spam Database Lookup).

However, he hit a roadblock. One blacklist, UCE Protect, refused to even consider his request in a timely manner unless he shelled out 50 euros. From their webpage:

FREE OF CHARGE REMOVAL:
There is no need for you to request removal, if you do not want to pay.
Every IP at Level 1 will expire 7 Days after the last mail from it hit our SPAMTRAPS.
This means your IP will be removed automatically after that period.

PAID IMMEDIATE REMOVAL :
If you do not want to wait 7 Days, you may request a paid immediate removal.
Fee for this is 50 Euros per IP. Payments are accepted by Paypal only.
Removal will be done by hand, as soon as Paypal tells us, they received your money.
Click here if you want to request a paid removal.

Well that’s nice. You need to pay to get expedited service, because of a mistaken blacklisting.

On a related subject, he’s also having trouble with SORBS, because SORBS is convinced that his IP is dynamic, when it’s static and one his company has had for over four years (according to him, “SORBS is apparently blocking IPs with an rDNS TTL of less than 12 hours, and his IP is blocked because SORBS feels that the TTL of 3 hours indicates that it’s a dynamic IP and dynamic IPs are used by spammers.”)

On the subject of RBLs, there are a number that should not be used, and DNS Stuff’s list of blackholes is useful in that regard.  It will tell you which RBLs are too aggressive (some are run by real vigilantes who believe in blacklisting an entire carrier — that kind of thing).
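Weighting RBL responses, as suggested at the top of this post, means giving each list a trust weight and only rejecting when the combined score crosses a threshold, so that one aggressive list (the kind that blocks an entire carrier, or treats a 3-hour rDNS TTL as proof of a dynamic IP) cannot block a sender on its own. The following is an added example, not Sunbelt’s code or any mail server’s: it builds the reversed-octet DNSBL query name, looks each zone up, and maps the summed weights to a verdict. The zone names (.example placeholders, not real lists), the weights and the thresholds are assumptions; dns_listed does a live lookup with socket.gethostbyname, while the constructed in-memory listings let the example run offline.

```python
"""Weighted DNSBL (RBL) scoring for a sending IP (added example; not any mail server's code)."""
import ipaddress
import socket

# Assumed zones and trust weights; the zone names are .example placeholders, not real lists.
RBL_WEIGHTS = {
    "conservative-list.example": 3.0,  # lists only confirmed spam sources: high trust
    "spamtrap-list.example": 1.5,      # lists on spamtrap hits and expires on its own: medium
    "aggressive-list.example": 1.0,    # blocks whole ranges / short rDNS TTLs: low trust
}
REJECT_THRESHOLD = 3.0   # refuse the connection
TAG_THRESHOLD = 1.5      # accept but tag or greylist for a second look


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone (192.0.2.10 -> 10.2.0.192.zone)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_listed(name: str) -> bool:
    """Live lookup: an A record under the zone means 'listed'; NXDOMAIN means 'not listed'."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def score_sender(ip: str, weights=RBL_WEIGHTS, lookup=dns_listed) -> dict:
    """Sum the weights of the zones that list ip and map the total to a verdict."""
    hits = [zone for zone in weights if lookup(rbl_query_name(ip, zone))]
    score = sum(weights[z] for z in hits)
    if score >= REJECT_THRESHOLD:
        verdict = "reject"
    elif score >= TAG_THRESHOLD:
        verdict = "tag"
    else:
        verdict = "accept"
    return {"ip": ip, "hits": hits, "score": score, "verdict": verdict}


# Constructed listings standing in for DNS answers, so the example runs offline.
CONSTRUCTED_LISTINGS = {
    "10.2.0.192.aggressive-list.example",    # only the aggressive list: must not block alone
    "20.2.0.192.conservative-list.example",  # trusted list: enough on its own
    "30.2.0.192.aggressive-list.example",
    "30.2.0.192.spamtrap-list.example",      # two weaker lists agree: tag, not reject
}


def offline_lookup(name: str) -> bool:
    """Offline stand-in for dns_listed, driven by the constructed listings above."""
    return name in CONSTRUCTED_LISTINGS


if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(score_sender(sender, lookup=offline_lookup))
```

In production the weights are a policy decision: a list that charges for expedited removal, or that lists on rDNS TTL alone, earns a weight low enough that it can only ever tip a sender into the tag band. Real DNSBLs also encode the listing reason in the returned 127.0.0.x address, so a more careful version would read that code and weight a “dynamic range” answer lower than a “confirmed spam source” answer from the same list.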

Alex Eckelberry