Posts

Showing posts from 2006

Vista su and IE7 sploit security risks

The NY Times has a habit of removing articles two weeks after posted, so don't dawdle to read this article on security exploits within Windows Vista . A sploit for IE7 is also cited, as well as the elevation insecurity risk within the Vista beta. Not having Vista myself, I can't comment on this exploit; the one 30-day beta I did try this summer was attractive, yet plagued (as early betas often are) with hindrances (as First Blogger Jerry Pournelle noted, it required user permission, annoyingly, far too often).

Polonium, l'affaire du Litvinenko and its Londonesque implications

Charlie Stross, most excellent author of the unthinkable and unspeakable , has a weblog article deserving of your consideration . Here's a snippet: The point is, someone with access to fresh Polonium 210 (read: less than a year old, hot from the reactor) decided to use it to bump off an enemy. And the terrorism alert status hasn't risen a notch? Pull the other one. Anyway, to the point: this wasn't simply an assassination. There are any number of poisons out there that would do the job painfully well but much more rapidly, and without the same scope for a diplomatic incident. Likewise, a bullet to the back of the head would have worked just as well (as witness the assassination of Anna Politkovskaya ). What this is, is a warning: "we have the capability to detonate a dirty bomb in central London any time we feel like it, so don't f*ck with us". (Just take Polonium and add a little TNT.) (Ed. note: Or, ANFO .) Who the warning is from, and who the intended r

Got Earthlink? Got Mail? No, They Lost it.

Robert X. Cringely, doyen compu-columnist for PBS , reports on a hidden e-mail problem at Earthlink: They're losing up to 9 messages out of 10 , found as a result of a friend's testing: He sent messages from other accounts to his Earthlink address, to his aliased Blackberry address, and to his Gmail account. For every 10 messages sent, 1-2 arrived in his Earthlink mailbox, 1-2 (not necessarily the SAME 1-2) on his Blackberry, and all 10 arrived with Gmail. Swimming upstream through Earthlink customer support, my buddy finally found a technical contact who freely acknowledged the problem. Since June, he was told, Earthlink's mail system has been so overloaded that some users have been missing up to 90 percent of their incoming e-mail. It isn't bounced back to senders; it just disappears. And Earthlink hasn't mentioned the problem to these affected customers unless they complain . (Emphasis mine.) Gee, you don't suppose they expect we actually want the e-mail ser

Got M$ Word? Got Virus?

Pending the availability of a security fix, Microsoft advises users "not [to] open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources." Can Micro$oft be considered a 'trusted source' any more? Here's the advisory from Micro$oft they own selves and from The Register . Meanwhile, want security? Download and use OpenOffice , which is free and virus free.

James Kim's Body Found

UPDATE 2: SF Chronicle final story with the best graphic of the area yet seen . UPDATE: C|Net's obit . Sadly, the body of James Kim was found today. SMS text transmissions to his cellphone were traced to the search area, which led to finding his wife and their children where their car had crashed . However, the cellular reception in that remote area was so poor that it would not sustain a voice call. Wilderness experts advise you, do NOT leave your vehicle when lost. This was a sad example of that wisdom. For more on how SMS will work, when cellphones don't work for voice, see this explanation . I've used it to communicate with folks out on the tundra near Barrow whose satphone batteries were running down, and knowing how it works could save you .

Kim search photos

Image
A photo set showing the area where James Kim is lost, including a searcher lowered from a helicopter to see better, dangling from a rope in mid-air. Panel two, if you zoom in, shows the helo from afar. Photos courtesy the Oregon State Police .

Kim Update: Did Google Send Them?

Image
This morning, when I Googled the route from Glendale off I-5 to Gold Beach , it sent me over the same unplowed road the Kims were lost on. See photo, below. Folks, NF means National Forest, BLM means Bureau of Land Management, and Oregon is NOT the place to take those roads, except during high summer, unless you've got a ham radio transceiver and you've filed a 'drive plan' with someone reliable who know where you're going and when you will check in. Period. Don't count on a cellphone, despite the USA Today clueless suggestion, for the majority of Oregon's land has no, repeat, no cellular coverage. Don't rely on the low-power, crippled-design FRS or GMRS handy-talkies; get a real radio with real range , and learn how to use it (no more Morse Code requirement for your first license !). Here's an update and another on the Kims: James was reported by his wife to have left their car Saturday, December 2nd, at 7:45 a.m. in attempt to obtain help.

C|Net editor's family found, search for him continues

The Kim family and vehicle, minus Kim himself, were found this afternoon, and airlifted out. If I read the press releases correctly, somewhere between Merlin and Agness . The search for James Kim continues .

C|Net editor missing after trip to Portland

BoingBoing reports former TechTV product reviewer and current C|Net editor James Kim is missing along with his family while on vacation in the Pacific Northwest. James, his wife and two children left last week on a road trip. They were last seen in Portland on Saturday November 25th, where they visited with friends, before driving off in a silver Saab 900 wagon, California vanity plates DOESF as per Red Dixon's blog . OSP released photos of their type of silver Saab 900 wagon and have another press release with details posted at PDXINFO.NET . A SAR (Search and Rescue) mission is now underway . A tip center has been set up at 1-800-452-7888, and the San Francisco PD is also taking calls at 415-558-5508 during normal business hours and at 415-553-1071 after hours.

The Windows Shutdown crapfest

Here's an amazing explanation of why Longhorn/Vista took so long to reach market and why it's going to be a dud. An entire team of people working for a full year to code the shutdown menu . Sheesh.

Free, AntiVirus for Windows, Free

Individual Windows users concerned with cost have multiple choices for free anti-virus software. All of these publishers want to impress you with how good their systems are, to encourage you to buy their products or services, but that seems a reasonable trade IMHO. Reviews of some of these may be found here and there . AOL Active Virus Shield (requires you accept spamvertising, which can later be turned off). avast! Avira PE AVG anti-virus and anti-spyware ClamWin Comodo Antidote SuperLite (scanning only)

Geek Numbers

Image
This is a GizmoNumber sticker. The small sticker was placed on hard drives, iMacs and other gear stolen from FreeGeek . The larger sticker below was on complete computer systems (e.g., laptops, iMac, white boxen, et al.)

FreeGeek RipOff

Update: Watch for a small, about-inch-square white paper label with a ballpoint-ink hand-written six digit number, on possibly stolen objects. (Picture at the next blog post; click here to see.) That number, which IIRC was in the 3xxxxx range, is the GizmoNumber , used for internal QC and other purposes. There may also be a larger sticker, vertical layout, a form with tickboxes and such, which stolen things may also have. FreeGeek.Org is the the website for a 501(c)(3) non-profit corporation in Portland, Oregon, which is dedicated to spreading the Open Source ethos. Portland's a great place for Open Source; O'Reilly recognized that when they held OSCON (the Open Source CONvention) here this summer and in years past. Many, many volunteers help make FreeGeek work by recycling corporate cast-off and personally donated computers; receiving, evaluating, reassembling, loading Ubuntu/Kubuntu/Xbuntu on the machines (many of which were OK mechanically, but had Windows so badly corru

Documentary on Diebold E-voting Errors

Slashdot reports on an HBO documentary showing large-scale e-voting problems with Diebold systems . One Slashdotter noted: Regarding Diebold's claims, although the article is a little short on facts, for instance, following this section, "According to Byrd's letter, inaccuracies in the film include the assertion that Diebold, whose election systems unit is based in Allen, Texas, tabulated more than 40 percent of the votes cast in the 2000 presidential election." ... " ...it's probably safe to assume if HBO isn't backing down, and does air the documentary, that this is largely smokescreen on the part of Diebold to try and convince the public that HBO is just an extension of the "liberal media" lying to them. Furthermore, the article is short on explanation, but I don't think this is just a crass comment, "It appears that the film Diebold is responding to is not the film HBO is airing." ..but rather that HBO's spokesman is actua

National Energy Dependence

Image
A recent New Yorker article notes a puzzling stance by the Bush Administration against energy independence, more than once. For the wonks among you, here's an explanation of the original issue: A distribution transformer, much, say, like an elevator, is easy to ignore until it malfunctions. Its unromantic job, in most cases, is to take the high-voltage current transmitted over the grid and convert it—or step it down—to the lower-voltage current that emerges from a wall socket. There are an estimated three million distribution transformers in operation in the United States, and virtually all the electricity produced in the country—some four trillion kilowatt hours per year—passes through at least one of them en route from the plant where it was generated to the heating element in your toaster. Along the way, some energy is inevitably lost, and even though proportionately these losses are small, when you’re talking about four trillion kilowatt hours they quickly add up. Last month

How to steal an election by hacking the vote

This ArsTechnica article shows why Oregon's vote-by-mail system is the only way to assure that elections are not a fraudulent exercise (can any say, 'Ohio?'). Especially considering how Diebold has hidden problems in their system , please allow me to suggest, if you don't live in Oregon, that you vote absentee (as half of Seattle's voters now do). Our national election infrastructure is now largely an information technology infrastructure, so the problem of keeping our elections free of vote fraud is now an information security problem. If you've been keeping track of the news in the past few years, with its weekly litany of high-profile breeches in public- and private-sector networks, then you know how well we're (not) doing on the infosec front. Over the course of almost eight years of reporting for Ars Technica, I've followed the merging of the areas of election security and information security, a merging that was accelerated much too rapidly in the

Boom Boom

Here's a fascinatingly useful piece, which seems to confirm that Pyongang fizzled their alleged nuke test; a table correlating Richter scale seismograph reports to explosion sizes . With the magnitude 4.8 quate recorded , that suggests a 16 ton equivalent explosion. Fizzle, indeed.

[M$] Still more details on drive-by Internet Exploder

Microsoft has issued a bulletin , describing how you can manually disable system functions to protect against picking up viruses just by visiting a web site while using Internet Explorer. A fix, rumored to be labeled KB925486 (which is not yet an active link), is said to be in the works. Until then, either perform the complicated steps outlined in the M$ bulletin , or use the safer Firefox web browser, instead of Internet Explorer.

MacBook hackability: Hacked in Sixty Seconds?

Image
Yes, Mac notebooks can be hacked, and here's a discussion , starting with a Washington Post article. However, this is a hack of hardware, not of an operating system, and the same vulnerability exists with all PC-capable operating systems. In addition to having hackable hardware, 1) you have to tell the Mac you will accept any connection from any wireless network, 2) the hacker has to be within the range of your wireless network card, and 3) you have to be running as the administrator of your Mac and not just a user. Whatever you use, OS X, Windows or Linux, make sure to update your operating system frequently to cover security holes.

[M$] More details on the Internet Exploder drive-by security hole

Here, Sunbelt Software shows how a fully patched Internet Explorer shows picks up viruses just by visiting a website . This is a follow-through to yesterday's warning . It's 15 days until Microsoft is scheduled to fix this.

[M$] Drive-By Viruses, Internet Exploder and a fix

ZERT, the very unofficial Zero Day Emergency Response Team , now offers an unofficial patch targeted at Internet Explorer browser users who otherwise could get viruses just by visiting a web page. Of course, the free, faster and otherwise superior Firefox is immune to getting viruses this way {/hint}. ZERT was formed after the December 2005 WMF (Windows Metafile) attacks and is not Microsoft-endorsed. However, as Microsoft becomes more agressive in sunbsetting popular operating systems like Windows 2000 and 98, more and more IT gurus will comoe out of the woodwork to become the J. C. Whitney catalog of software longevity and keep these old classics alive, as well as offering response quicker that 'wait 'til the second Tuesday of the month' Patch Tuesday approach Microsoft has extended to Windows users. "Something has to be done about Microsoft's patching cycle. In some ways, it works. But, in other ways, it fails us," says Joe Stewart, a senior security res

Hail Eris!

The dwarf planet formerly known as Xena received a new name today, while Pluto was given a number to reflect the loss of its status as a planet, as explained in this NY Times article . “It is absolutely the perfect name,” Dr. Brown said, given the continuing discord among astronomers and the public over whether Pluto should have retained its planetary status. In mythology, Eris ignited discord that led to the Trojan War. “She causes strife by causing arguments among men, by making them think their opinions are right and everyone else’s is wrong,” Dr. Brown said. “It really is just perfect.”

Sony Rootkit Not Dead Yet

Reports indicate the 'rootkit' Sony's music CDs installed if you played their music CDs on your PCs is still causing trouble. The glitch may cause a computer's CD-ROM drive to be disabled, according to the Texas attorney general's office, which said Wednesday that the problem was discovered by officials who have been testing the XCP copy-protection technology as part of the state's lawsuit against Sony BMG. State investigators found that if a CD with XCP technology is loaded on a computer running AOL's ``Safety and Security Center'' software, the program's antispyware feature will attempt to delete the XCP components, but often while also disabling the CD-ROM's configuration in the PC's operating system. The same glitch surfaced on computers running CA Inc.'s PestPatrol separately from AOL, the state said.

[Mobile] Cellular measurement

Popular Science has a list of procedures for various popular cellphones which enables accurate signal strength results on the phone display. Kewl.

[Amateur Radio] Where to take the test

With the removal of the requirement for Morse Code for the first (and very useful Technician license, amateur radio is easier than ever before to join. Oregon has many, many Volunteer Examiners who will administer the FCC-required tests to get an amateur radio license, and here's a statewide list , with dates, times and locations(also for Metro Portland only ). The federally-mandated fee is $14, a much more reasonable cost than back when I also had to drive two hours to The Big City to take the exam in an FCC Office. If you'd like to sit in a class to study, here's an October session forming nearby . The Hoodview club for Gresham and East County also has courses; click here for details . You can study on-line with the Amateur Radio Relay League course which includes on-line support, or order the study guides if you prefer self-study. There's even a free study guide for Palm PDAs , or you can download plain text or PDF files of the question pool for your exam . MA

Word 2000 + Windows 2000 = Extremely Critical Flaw

An "extremely critical flaw" in Microsoft Word 2000 is currently being exploited by malicious attackers, which could lead to remote execution of code on a user's system, security researcher Secunia advised yesterday in a C|NET story appearing today. The vulnerability affects systems running Windows 2000 and occurs when processing malicious Word 2000 documents, according to Secunia's security advisory. Symantec detected the Trojan MDropper.Q exploit several days ago. It uses a two-step attack. Trojan MDropper.Q exploits the Microsoft Word vulnerability to drop another file, a new variant of Backdoor.Femo, according to a security advisory by Symantec . Will this incident increase the rate of migrations to the free and functionally compatible OpenOffice ? And, how will this latest hole in Microsoft security affect Microsoft Office, their long-time cash cow?

Free! Free Maps!

A philanthropic hacker asked, on the web, for the money to buy all the Federal USGS maps, which were public domain but which the USGS would not freely provide. He got his money, bought the files, and now makes them available on the web for free. One of the many programs which read is available for free download here .

Hurricane Katrina report from National Weather Service

The National Weather Services has a report on their tracking and prediction of Hurrican Katrina . Interesting reading.

Duude, You've Got a Dell.. On Fire

Over four million Dell laptops with batteries made by Sony are being recalled. Check that second link to see if your model is included.

Heimatsicherheitshauptamt says patch your Windows NOW

In a rare alert, the U.S. Department of Homeland Security has urged Windows users to plug a potential worm hole in the Microsoft operating system. The agency, which also runs the United States Computer Emergency Readiness Team (US-CERT), sent out a news release on Wednesday recommending that people apply Microsoft's MS06-040 patch as quickly as possible. The software maker released the "critical" fix Tuesday as part of its monthly patch cycle. Details here . The ISO image file of all August patches is available here if you do not trust Microsoft and wish to avoid installing, say, Windows Genuine Disadvantage on your machine through Automatic Update.

Knock-Knock Laptop Jokes

I am not kidding. Knock on your laptop... and run commands. Of course, it requires Linux.

A Miscommunication Story

Subject: Re: [QRP-L] A Miscommunication Story -- 2nd corrected version Here's a perfect example of why hams need to a) Continue supporting Morse Code... for could a voice signal gotten through ? b) Continue educating, and in this case re-educating, the 'authorities', to make sure they understand our capabilities. c) Continue sharpening our other skills, e.g., GPS and co-ordinate systems (the subject of last night's Clackamas ARES meeting , BTW, Ain't guaranteed to be easy. Neither are many other ways to save lives. We do it anyway. (Redaction of names by blog editor for privacy.) Thanks for your interest, K***. I've just finished a telephone conversation with Deputy F**** R**** of the Okanogan County Sheriff Department, who clarified some points raised in my piece. Here is the corrected version: Late in the afternoon of Saturday, August 5, 2006, my wife Margaret and I were hiking up the connector trail to the Snowy Lakes from the Pacific Crest National Sc

August Patch Tuesday files

Patch Tuesday was yesterday, and here are the ISO Images of the August patches. For details I'll explain later, it's much better to download the patches yourself and then apply them... better for YOU, anyway.

Guess What? Louisiana Still Can't Communicate

A year later, not much has changed in Louisiana . One minor example: Relying on "beefed-up" cell towers for communications in a major disaster, as the gov't official interviewed does, is ludicrous. Cell towers have one, maybe two T-1 lines, permitting 24-48 phone calls in an area with, typically, 5,000 cell phones per square mile.

Clackablog: 9/11 Live: The NORAD Tapes

Clackablog: 9/11 Live: The NORAD Tapes

[M$] Those Hazy, Lazy, Crazy Days of Patches

Get yer patches on ISO images, downloadable free from Micro$oft! Avoid Windows Genuine Advantage, while still protecting yourself! Give patches to your friends who don't have broadband! Support Aunt Minnie! Why? Well, the credible Brian Livingston reports ..Microsoft's in-house Windows Update routine is now likely to download marketing gimmicks such as Windows Genuine Advantage to your PC. I advised all Windows users, other than novices, to turn off Automatic Updates. And, InfoWorld's Ed Foster chimes in : ...the WGA false negatives are leading to increasing number of situations where customers run afoul of XP's product activation, leaving them to beg Microsoft and/or their PC vendor to help. "A Mr. Rajiv Malhotra with Microsoft's New Delhi office told me that installing software -- any software -- can trigger the activation process all over again. And that condition extends to third party software. A Mike Russell, also with Microsoft and somewhere in Eastern

FEMA txting 2 u (updated 2006-07-22)

In the beginning, there was CONELRAD (which starred in the made-in-Portland CBS documentary A Day Called X , downloadable here and here ). It was replaced by the Emergency Broadcast System , then the current Emergency Alert System , but none of those can reach you if you are not listening to local radio & TV . Watching DirectTV or listening to Sirius satellite radio? You don't hear any notice. Also, believe it or not, EAS is *voluntary*. Yep. Local stations don't have to provide it, as you can read in the state plan . However, that may change, in the light of a presidential order last month . FEMA is developing an SMS text alerting system , with cooperation from major cellular carriers . But, this is a opt-out system, instead of opt-in like every other system. It also likely will send private messages to emergency responders as well as generalized alert messages to the general population. Multiple sites have allowed e-mail and SMS text message alerts for years, e.g.,

[Mobiles] It's a Smaller World, After All

Oh, Bother. Eeyore's Got a Cell Phone. Disney Mobile has begun selling phones and service through its Web site and by phone, officially launching the mobile virtual network operator service that promises parents a high degree of control over how much and when their children can use their wireless phones. The family service plans start at $60 per month for 450 minutes and range as high as $250 per month for 4,500 minutes. All the family plans include two lines of service, and additional lines can be added for another $10 per month. The service requires a two-year contract, credit approval and is limited to nine phones per family account. All lines are subject to an activation fee: $35 for the first line and $25 for each additional line. Sprint is the carrier for DM. More details at RCR News .

[Environment] Not Just a Space Heater Any More

It wasn't until college and the curriculum required for my B. S., back east at Sub Normal U., that I learned of the variability of the sun. It is a variable star, and its output waxes and wanes in both defined cycles (sunspots) as well as for either random, or undetermed, reasons. Just ask any of the hundreds of thousands of amateur radio operators who are bemoaning the current dearth of sunspots . In the past two years since this Swiss study was published, I've seen other no-axe-to-grind scientists concur in its validity, and seen no contradiction to the data. Sun gets hotter; Earth gets hotter. Here's one fellow who tracked that variability through a number of indicators in the natural world , collectible with low-tech devices. Another undeniable large physical event could have altered the biosphere adequate to cause all we've seen, and that idea's put forth by Vladimir Shaidurov , inner of the most prestigious scientific award in Russia for 2004, the State P

[Linux] Free Linux Support Via IM

Qunu is a new launch which offers free technical support on Linux and computing via Instant Messenger services. Here's a list of compatible IM clients and setup instructions if you'd like to join in. Qunu is a next-generation expertise matching service. We use instant messaging to connect -- in real time -- people who have software or tech-related questions with experts who are passionate and willing to help.

Al Gore's fundamental misunderstanding of nuclear power choices

Read Al Gore in WIRED, part of his media blitz for his movie An Inconvenient Truth . Then, I saw BoingBoing link to an interview in GRIST . We still have other issues. For eight years in the White House, every weapons-proliferation problem we dealt with was connected to a civilian reactor program. And if we ever got to the point where we wanted to use nuclear reactors to back out a lot of coal -- which is the real issue: coal -- then we'd have to put them in so many places we'd run that proliferation risk right off the reasonability scale. And we'd run short of uranium, unless they went to a breeder cycle or something like it, which would increase the risk of weapons-grade material being available. Ahem. Here lies a fundamental misunderstanding of nuclear power choices. ALL power stations now in service are breeders. What have been named as "breeder" reactors are optimized for making Pu-239 from U-238, Pu-239 being the best variety of Pu for reactors (and bom

ATT: 950% profit on GI phone calls

Incredible, simply incredible. It costs 2 cents a minute to connect to Iraq. ATT charges 21 cents a minute and has a monopoly in doing so. That's a 950% profit, taken out of the pockets of GIs. GIs with families often are so poor, they're on food stamps. Should ATT change their slogan to "Reach Out and Rip Off Someone"?

Oregon's Atomic Rocket

Here's a WOU/OSU research team flight-testing an atomic rocket engine on NASA's C-9 null-gee flying testbed . More about the C-9 here and here .

Nanny State: Hams, You Can't See Your Web Sites

To: sites@securecomputing.com Subject: Remove from all lists, completely Ref: http://www.boingboing.net/2006/02/27/isps_in_iran_tunisia.html Ref: http://www.bloglines.com/citations?siteid=66&itemid=16801 Dear Secure Computing: You're blocking access to the ARRL website for users of your dumbware, SmartFilter? You have GOT to be kidding. Amateur Radio is a vital resource of national Red Cross / Red Crescent societies at the local , state , national and international levels, and is partnered with the federal Department of Homeland Security. Countless MOUs (Memorandum Of Understanding) document the value of Amateur Radio to local, state and national government agencies. Amateur radio operators need constant web access to get essential information in and out of disaster areas, yet YOU want to choke off access through including such sites as www.arrl.org www.rac.ca www.eham.net www.qrz.com www.qsl.net Maybe you haven't heard of the Boxing Day Tsunami, Hurricanes Katrina, Rit

[Democracy] Voting machines audit shows very high error rate

The OCR system used in vote-by-mail in Oregon has the lowest error rate of all systems' surely lower than the voting machines profiled here .

[Retail] Checkpoint Charlie at electronics stores

Ever wonder about the post-cash-register checkpoints at stores like Fry's, CompUSA, et al? One blogger's experience with excessive zeal by those loss-prevention checkers led me to an article from a loss prevention specialist who outlines do's and don'ts for legal and professional conduct by same . You can, apparently, Just Say No.

[Preparedness] Radio frequencies useless if they don't work

The next time you hear some politico blithering about 'spectrum' and 'compatability' for emergency responder radio, you'll understand how clueless they are if you've read this article . Don't coast on these excepts; there's a lot more meat in the entire article.. There are many lessons to be learned from how emergency communications performed, or failed to perform, in the wake of Katrina. The debate is burdened by a weighty status quo, bureaucratic politics, and the inescapable fact that emergency response most often is a local function, divided up among more than 60,000 state, county and city jurisdictions nationwide. {SNIP} But no one perfect frequency exists for all emergency communications; firefighters prefer the brick-and-concrete-penetrating abilities of lower frequencies, for example. No single frequency band can meet the public safety demand. {SNIP} Katrina, however, drives concerns about emergency communications down to an even more basic leve

[Computing] Evaluation of blank disc quality

Handy site, this: A ranking of CDR/DVDR quality .

[Shelter] Shipping Carton Corrugated Cardboard Geodesic Domes

The Burning Man set have upgraded plans for making Geodesic Domes from recycled shipping cartons . If you need expedient shelter, or want to add something to keep you dry to your 72-hour kit, these look interesting.

Death to Spam, redux

Here's a link to report splogs and other spam you find from a Google search to Google, thanks to the GregHughes blog .