June 15, 2009
I assumed my readers were security and update minded, especially since I mention the importance of keeping the computer and program(s) you use up to date every now and then. I was looking at some stats I gathered and here's what irks me about browser updates and patches :
Firefox :
75.68% of visitors use 3.0.10
3% of visitors use 3.0.11
12.61% of visits were done using 3.5 (which is a preview release that I've been testing)
5.71% still use 2.0.0.20
2.40% use 1.5 or 3.0.x
All things taken into account, 83.79% of visits are done using an insecure firefox browser, which disappoints me. The 3.0.11 version was only released last week though, so maybe I should give it some more time... not! Get patching/updating, slackers!
When looking at Internet Explorer, we get :
52.16% uses version 7.0
29.86% uses version 6.0
17.99% uses version 8.0
Unfortunately, I can't get more detailed version numbers for IE usage, as it seems minor versions are not being reported. Let's just broadly assume that about 18% of our IE users are using the latest version, which still leaves a whopping 82% using older versions. Get updating as well, will you?
If you've never tried the Secunia Personal Software Inspector (download) to get a quick overview of what software needs your attention, do so now. It's free, it's easy and it'll help you become more aware of issues you never knew about.
May 1, 2009
I just got back home from a quick intervention to fix some computer related problems at J&S's place - their virus scanner needed an upgrade and while it's not all that complicated for someone familiar with the process, they opted to call me in to do it for them. Wise choice :)
This creates a win-win situation : they know that I won't just run in and out and leave things behind broken, and I get some spare cash out of my experience and knowledge. Today's task included upgrading the virus scanner on J's machine, update Spybot S&D, remove an old Java install and install the new one, cleaning up some no longer needed files and desktop links and a full test of all the programs he uses frequently to make sure nothing got fubar'ed.
On S's machine I verified the virus scanner installation, removed no less than 3 out of date Spybot installations and installed the latest version. Opera also got an update and an old flash version was patched as well. It still leaves her system rather vulnerable due to missing OS and Office patches, but that's something I can't fix that easily as they opted to "borrow" an installation disk from someone else, hence it's running a "not so legit" version of office.
All of that was done within the hour while having a nice chat and giving security tips along the way. Securing machines is a very rewarding job, believe me, even if there is no such thing as 100% security.
For those less in the know or up to date on vulnerabilities :
- Firefox version 3.0.10 was released recently, patching one additional vulnerability
- NoScript saw the release of version 1.9.2.4 (Firefox plugin)
- Opera version 9.64 is available
- IE 8 has been deemed a critical update through Windows Update.
March 19, 2009
This morning I ordered a new video card for my Dell Dimension 5150c - nothing fancy at all, but something that should give me a bit more graphics power than the current ATI Radeon X600 with 128MB RAM that's powering the box. I had been looking around for a replacement for a while, but the 5150c model is a very tiny and compact machine, which means only video cards with low profile, half height brackets can even be considered. And truth be said, there are not so many of those around.
I finally opted for the ATI Radeon HD 3470 Low Profile with 256MB Ram on board + it has support for dual screens. Not that I actually have two screens right now, but I'm not opposed to getting a second flat screen where I can run video or a web browser on while playing World of Warcraft.
I am fully aware that it's not the most powerful video card out there, nor probably the best. If it fits the machine though - big IF there, as Dell only lists the Optiplex 960 as being compatible and NO cards at all for the Dimension 5150c - it will suit me just fine and deliver what I need for a reasonable price. I'm not using my computer to play the latest first-person shooter or cinematographic animations or DVD.
If I wanted to do that, I should have bought a full sized tower 2.5 years ago. Instead I deliberately picked a SFF (Small Form Factor) machine that looked nice and was compact and reasonably priced for what I wanted to use it for. You just can't have it all and I've learned that spending thousands of euros on top end computers is usually a waste of time and money. Sure, I too like toying around with the latest and greatest but if I think about it, it just makes no sense. By the time you walk out of the shop, your high end gaming machine has become obsolete. Nowadays, I buy what I need immediately or expect to require in the next 3-5 years.
I'll keep you updated as to whether or not I can actually get the card fitted. Which will take a while as Dell doesn't mention their SEPA compliant bank account number (IBAN/Swift/BIC) in their mail, nor on the site. Which means I have to mail Customer Support to ask for something they should have included in the first place. Ah well...
Note : talk about speed - This post was picked up and indexed by Google within the hour. As I was searching for some more info about this video card and WoW, my own blog entry turned up at page three, only being published 56 minutes ago. Sweet!
March 11, 2009
It's been a while since I urged everyone to patch their computers, but today seems like a perfect occasion to get everyone's attention. Take your pick, depending on whether or not you actually use the program and/or version mentioned. Remember to uninstall programs you no longer use - if it ain't installed, it can't be used as an attack vector!
If you don't trust the direct download links I'm providing, I'm also listing the homepage of the software creator so you can hunt down the correct link yourself.
- Firefox 3.0.7 - download - http://www.mozilla.com
- Adobe Acrobat Reader 9.1 - download - http://www.adobe.com
- Adobe Flash - download - http://www.adobe.com
- Windows - Various Patches - download - http://www.microsoft.com
It can be quite challenging to keep an eye on what new versions are released, what software needs patching, or where to get those updates. You could give the excellent Secunia PSI tool a try : Secunia PSI download.
It'll scan your machine and report what software is out of date, vulnerable or end-of-life, as well as give you - where possible - a direct download link so you can stay up to date easily. Run it every week or have it monitor your computer constantly, your choice, but I use it on all my machines and recommend it to most of my friends, relatives...
February 10, 2009
After - once again - reconfiguring the network at B&H's place it seems things are working properly now. I set up most of the devices to use DHCP to get their IP addresses, but the printserver is set up to use a static address to prevent it from changing every time and confusing the hell out of the users and all devices present.
My dad suggested taking the printserver out of the equation altogether, but after doing some tests it turned out that the NIC in the LaserJet 2200 was broken, so we had to reinstall the printserver in order to get at least one printer attached to the network running again.
I'm not sure that the current setup is "fool proof", "water proof" or "no power proof" but even after several reboots and such, things seem to run quite well.
This blog entry is actually being written while connected on the network, so if you can read this, things are working :)
December 5, 2008
Just a test post to see if the database issue is resolved and whether it is related to this blog or rather a general server issue.
(This post was published and edited without trouble... go figure)
September 7, 2008
I was looking at some back end data and found out that lately there's been some fishy searching going on. If anyone has a clue what the idea behind this is, or recognizes the IP's listed, by all means, leave me a comment!
Search: query for 'marketing' - 83.29.184.204 - 41 minutes ago
Search: query for ' front 242' - 79.138.242.177 - 1 hour ago
Search: query for 'domains' - 83.29.184.204 - 6 hours ago
Search: query for 'books' - 83.29.157.104 - 12 hours ago
Search: query for 'legal' - 83.29.157.104 - 18 hours ago
Search: query for 'privacy' - 83.29.181.192 - 20 hours ago
Search: query for 'traffic' - 195.46.41.144 - 23 hours ago
Search: query for 'shopping' - 195.46.41.10 - 1 day ago
Search: query for 'linux' - 195.46.41.235 - 1 day ago
Search: query for 'blog' - 83.29.184.211 - 1 day ago
Search: query for 'friends' - 83.29.184.239 - 1 day ago
Search: query for 'legal' - 83.29.184.211 - 2 days ago
Search: query for 'world' - 78.46.86.18 - 2 days ago
Search: query for 'politics' - 78.46.86.18 - 2 days ago
Search: query for 'life' - 78.46.86.18 - 2 days ago
I'm not so much surprised by the actual searches and terms, because most of those are valid tags or categories on the blog. What is more striking is the fact that there are three searches in a short period of time, then it stops and it starts again later. Some IP's return quite a few times too. I've run some through a series of tools and one IP address is assigned to a German provider, one is coming from Sweden but - and here it becomes interesting - 5 IP addresses are linked to ISP Neostrada Plus (Krakow Poland) with another one coming from the Lerkins Group, also based in Krakow, Poland.
It would be most safe to disregard the Swedish search entry, as it is not a category or regular tag search, nor does it fit the pattern the other searches share. I just included it to be as complete as possible.
The sudden attention from Poland for this blog seems a little odd, wouldn't you say? I looked around on the Lerkins Group site and apparently they provide Security Audit and Consultancy services. Is someone profiling me? Are they just interested in what I have to write here? Is a Lerkins admin catching up on all my posts and once work is done, does some more checking from home? Who knows...
I'm gonna take a look in some other log files to dig a bit deeper. Should I find anything out of the ordinary, I'll report back.
Note : while checking the last 300 lines in the log file, I noticed some IP addresses that belong to comment spammers, so those are now banned.
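To show what the pattern described above looks like when pulled out of a log mechanically rather than by eye, here is an added example (my own code, not part of the original post or the blog's back end). It parses the "Search: query for '...' - ip - age" lines exactly as quoted in the post, counts which addresses come back, and groups hits by network prefix so that hosts from the same range cluster together. The sample log is constructed from the lines in the post; the /16 and /24 grouping is a rough stand-in for "same provider" and does not replace a real whois lookup like the one the post relied on.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the search-log lines quoted in the post, in the
# "Search: query for '<term>' - <ip> - <age>" format the blog back end shows.
SAMPLE_LOG = """\
Search: query for 'marketing' - 83.29.184.204 - 41 minutes ago
Search: query for ' front 242' - 79.138.242.177 - 1 hour ago
Search: query for 'domains' - 83.29.184.204 - 6 hours ago
Search: query for 'books' - 83.29.157.104 - 12 hours ago
Search: query for 'legal' - 83.29.157.104 - 18 hours ago
Search: query for 'privacy' - 83.29.181.192 - 20 hours ago
Search: query for 'traffic' - 195.46.41.144 - 23 hours ago
Search: query for 'shopping' - 195.46.41.10 - 1 day ago
Search: query for 'linux' - 195.46.41.235 - 1 day ago
Search: query for 'blog' - 83.29.184.211 - 1 day ago
Search: query for 'friends' - 83.29.184.239 - 1 day ago
Search: query for 'legal' - 83.29.184.211 - 2 days ago
Search: query for 'world' - 78.46.86.18 - 2 days ago
Search: query for 'politics' - 78.46.86.18 - 2 days ago
Search: query for 'life' - 78.46.86.18 - 2 days ago
"""

# One regex for the whole line; anything that does not match is skipped
# rather than crashing the report.
LINE_RE = re.compile(
    r"^Search: query for '(?P<term>[^']*)' - (?P<ip>[\d.]+) - (?P<age>.+)$"
)


def parse_search_log(text):
    """Return a list of (term, ip, age) tuples, one per well-formed line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("term").strip(),
                         ip_address(m.group("ip")),
                         m.group("age")))
    return hits


def repeat_visitors(hits, min_hits=2):
    """Addresses that searched at least min_hits times, with their counts."""
    counts = Counter(ip for _, ip, _ in hits)
    return {str(ip): n for ip, n in counts.items() if n >= min_hits}


def group_by_prefix(hits, prefixlen=16):
    """Group hits by their /prefixlen network (a crude proxy for 'same provider')."""
    groups = defaultdict(list)
    for term, ip, _ in hits:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append((str(ip), term))
    return dict(groups)


def suspicious_prefixes(hits, prefixlen=16, min_distinct_hosts=3):
    """Prefixes from which several distinct hosts searched: the clustering the post noticed."""
    result = {}
    for net, entries in group_by_prefix(hits, prefixlen).items():
        hosts = sorted({ip for ip, _ in entries})
        if len(hosts) >= min_distinct_hosts:
            result[net] = hosts
    return result


if __name__ == "__main__":
    hits = parse_search_log(SAMPLE_LOG)
    print("repeat visitors:", repeat_visitors(hits))
    for net, hosts in suspicious_prefixes(hits).items():
        print(f"{net}: {len(hosts)} distinct hosts -> {', '.join(hosts)}")
```

On the sample above, three 83.29.x addresses and one 78.46 address come back more than once, and the /16 grouping flags two ranges with three or more distinct hosts. Whether those ranges belong to one ISP is something the prefix alone cannot tell you; it only says where to point the whois lookup.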
May 30, 2008
I bet you were thinking Chuck and Larry, weren't you? Wrong guess :)
I now pronounce my main machine to be terminally ill, and practically deceased. While it was running rather stable last night with some extra cooling - thus strengthening my guess that some fan wasn't up to its task anymore - today it shut down without any error and rebooted, twice. Sounds like something is seriously amiss, ain't it?
Anyway, I followed Hilda's "Zen Zen Zen" advice and flicked the power off, dropped a load of laundry in the washer and went to take a shower. No need to go crazy about something I saw coming. I managed to write a couple of CD's last night containing a bunch of things I'll need if I reinstall or move to another machine, and all (I think I got them all) my passwords are safely backed up as well, so till I have decided what to do with the old box, there is no need to stress about anything. Sure, access and reply to mail may be a bit slower, but all things considered, this ain't something that can't be resolved with some effort and focus.
Oh, because I can't stay away from privacy related topics, I'm pointing you to a complete set of instructions regarding preserving evidence on electronic devices to be followed by UK police officers at ACPO Guidelines for Computer Evidence (PDF format, 2.7MB). I do that not because I want you to know how to commit the perfect crime, but because it'll make you understand that traces are left everywhere and removing data may be practically impossible.
May 29, 2008
In the past two or three hours, my main computer has shit itself twice on some kernel stack inpage error, also known as a dreaded Blue Screen Of Death. According to some online resources I've found, it most likely points to an imminent hardware failure, possibly RAM or hard disks.
Since I suspect that temperature could also be related to the issue at hand, I've set up an extra fan to give additional airflow while I figure out what is the exact cause. If the disks are failing, the problem is rather easily solved, as I've got two 80GB disks laying around as spares. I got those last year when I suspected HD failure already.
I'm just trying to decide whether to head off to bed now and backup/rebuild and reinstall the complete machine tomorrow, or wait till next week when I've got a bit more time between shifts. Worst case scenario, it all crashes before and I switch to my laptop or the other machine.
Funny thing is that I fixed a couple of computers for others today, and now end up holding the shortest straw. Where's karma when you need it?
May 7, 2008
Service Pack 3 for Windows XP has been (re-)released, after it was pulled last week due to some incompatibility. Download it from the usual MS update site at http://update.microsoft.com. I've installed it on one of my machines already and have found no problems so far.
While you're doing updates, consider replacing your AVG Free 7.5 with the new 8.01 version as well. Download from http://free.grisoft.com/. I could point you directly to the download link for the free version, but have decided against it. After all, the free version is only available because some people buy the full version, so it would hurt everyone in the long run if I skipped all the links to the full version, understand?
Anyway, that's it for now. I'm off to get some things taken care of before I leave for 4 more days of work and then get into a large bird in the sky that's gonna take me to Ibiza.
Note to self : do NOT use the vacuum cleaner to clean a keyboard (while in use). It results in digging in the dustbin for missing keys!
Midday update : All XP machines patched to SP3, one Ubuntu installation salvaged and upgraded to Hardy Heron (8.04) and one missing "K" key retrieved and reattached to keyboard, lol. Left to do : shopping, and encrypting the complete windows partition on a laptop.
Afternoon update : Ubuntu has been removed, the partitions merged and the complete disk is currently being encrypted using AES. The initial test was good, so I've decided to go for full disk encryption. Let's hope I don't forget my pass phrase now :)
March 13, 2008
I just installed the latest beta release of Firefox 3.0 onto my machine (beta4) and while the change log and release notes are all referring to plugged memory leaks and improved performance, initial tests on my XP machine show something else. Sure enough, it is a beta release and my testing is far from scientific, but still.
Loading up my start page and then switching to another one, gets the stable release 2.0.0.12 up to just over 52.5MB in memory usage. When I do exactly the same with 3.0 beta 4, it needs 62MB, which is more, no matter how you look at it. Some of my extensions don't work yet, but mostly I'm missing my snazzy Pimpzilla skin. Guess I'll be uninstalling beta 4 soon and wait for beta 5 or the final release to appear before switching over. It'll give the developers more time to iron things out and get the extensions up to date as well.
Note : it's quite possible that your mileage may vary. Go give it a try if you're feeling adventurous.
March 8, 2008
I blog about the importance of keeping your software up to date on a rather regular base, but hardware needs to be checked as well. Before you think "I know nothing about hardware! It's only chips and shiny bits and bolts!" allow me to explain. Computers generate heat, and sometimes even a lot of heat. In order to keep things cool, there are a bunch of fans installed in your computer. Your CPU will have one, the motherboard may have one, the video card has one, the power supply has one... See where I'm going? Each of them is essential to the performance and life of the component it cools. Turn off your machine, make sure the power is off and open it up and take a look inside. Dusty, ain't it?
I used the vacuum to get rid of all of the dust, but allow me to warn you that it's not the best of ideas. Computers are delicate machines and they won't like a madman with a vacuum at full power rubbing the chips, motherboard and bumping into the hard drive(s). They don't like water either, so unless you are very careful with the vacuum cleaner (use it at the lowest setting) you can use a can of compressed air to gently flush away the dust that has gathered on and under the fans. Allow me to divulge that a heat sink covered in dust does a pretty bad job getting rid of excess heat.
If the compressed air doesn't get rid of the really clogged up fins or fans, try using a dry cotton swab - the kind you use to clean your ears with, but please : use an unused one, lol - and gently loosen things up before giving the compressed air another go.
Your machine - and in the end, your wallet - will love you for it.
Note : 4 critical patches for Microsoft products to appear on Tuesday. Remember to patch, and patch early.
Update : Amazing! Even under full load, the CPU is running approximately 10 degrees Celsius cooler than it was before I cleaned it out.
February 24, 2008
Recently I've decided to shut my main computer down when leaving for work. Not only does it save the hardware, but it also saves a bunch of energy. When I got home today, I fired up the machine while heading over to the living room to greet Tai and play with him a bit. When I was done playing - he wasn't, lol - I started working on the computer not noticing anything weird. I logged in to Second Life and then it hit me that I wasn't hearing any sound. Not the gentle splashing noises of the waves breaking on the shoreline - I live in a tropical sim, remember? - nor teleporting, typing sounds. Strange! Maybe another SL problem? I fire up a video and get nothing. It plays for 2 seconds without audio, then freezes on video too.
Time to check some cables and connectors - I had already checked volume settings and such, in the odd case I clicked somewhere that I shouldn't have and changed some setting without realizing it - but they all appeared in order, and taking the 2 second play time before freezing on video too, it would suggest a driver or software issue, not hardware.
After stopping and restarting the Windows Audio Service in the control panel, I've got full audio capability again. I have no clue why it failed - the status was "started" - but stopping it and firing it up again solved things. In case it happens to you, you know where to look. Alternatively, reboot the machine completely. Or smack it on the side really really hard repeatedly, preferably when the disks are just spinning up. It won't make your audio work any better, but it'll reduce stress levels and make a loud "bang" noise, which beats silence, doesn't it? It may also result in the need to purchase a new computer, hopefully one that doesn't suffer from the sound of silence disease.
February 12, 2008
The Microsoft windows patches for the month are available, or should be very soon. Software affected includes Internet Explorer 7, Microsoft Word, VBScript, Microsoft Works and Office Publisher, as well as the windows TCP/IP stack, and some IIS vulnerabilities that allow remote code execution. Out of the 11 patches, 5 are deemed important, 6 are even critical. If you'd like to use your windows based computer relatively safely for the next couple of days, patch it now. According to the SANS institute, no exploits are publicly known, but I think it may be well under 48 hours before the first are in the wild.
January 21, 2008
I think the time has come to wake everyone up again about the importance of securing your computer. You do lock your doors when leaving your house or parking your car, and your valuables are stored in a vault somewhere, right? The time that you used your computer just to type out a letter or play some game is long gone. Your computer will contain traces of your identity, may have bank account information stored on it, your passwords and ID for the online stock market, e-mail account information, you name it. If you never thought about it, now is the time to start doing so.
Why do I bring all this up? Because I've got an excellent story to share with you all, and while the specifics are beyond me and I never actually thought about it, the story in itself hardly comes as a surprise. Thanks for the scoop, Dad. I probably would have missed it otherwise (too many news feeds to follow).
According to these articles (article 1, article 2), researchers have found a way to print directly to your network connected printer, by including some malicious code to a web page. Yes, obviously that would allow spammers to deliver spam directly to your printer (aaargh!) but also could lead to your confidential data being printed on some printer halfway across the world. And nothing you would be able to do about it.
Well, as long as XSS (aka Cross Site Scripting) exploits and vulnerabilities exist, you can bet your money that they'll be (ab)used sooner rather than later. While browser developers scramble to close the holes, there is something you can do : turn off your printer and only turn it on when you actually need it. Simple as that.
While that would partially restrict the impact of this exploit, the underlying cause remains. Another option - if you use Firefox, that is - is to install the NoScript browser addon. It was specifically coded to prevent and catch XSS exploits. It's not the prince on the white horse, nor the savior of the universe, but the less options the bad guys get to manipulate your data and your browser sessions, the harder it'll be to succeed.
Note : I specifically point to this firefox addon because I tend to use and love it. If there are similar scripts or extensions for IE, Opera, Safari or whatever browser you may be using, please feel free to let me know. I'll happily include a link in this post.
December 24, 2007
Most people are focused on the upcoming festivities, but once everyone is done partying, it may be wise to clean out and tune up the browser you use every day. Every day new exploits are released - think QuickTime, Adobe Flash, PNG, ... - and some plugins may help you stay more safe while getting rid of a ton of unwanted content at the same time. Here are some of the extensions I sometimes use. The list is not complete though :)
Browser :
firefox (2.0.0.11)
Browser extensions :
NoScript (1.1.9.6 stable or 1.1.9.95 development)
AdBlock Plus (0.7.5.3)
Download Statusbar (0.9.5.2)
Forecastfox (0.9.6)
(note : all versions up to date as this post is being written)
October 23, 2007
Not there yet. I had installed POPfile on the machine of someone who is far from an experienced user a while ago and today he sent me some usage statistics that I requested.
Messages classified: 635
Classification errors: 14
Accuracy: 97.79%
Not too bad for a light e-mail user with not that much exposure to spam, but we ain't there yet. I'd like the installation to reach well over 99% accuracy before I'll even consider turning on automatic trashing based on POPfile classification.
For comparison, here are the stats of my POPfile install :
Messages classified: 13,880
Classification errors: 29
Accuracy: 99.79%
Last reset : June 25th 2007
So now you immediately understand why I need to run a mail proxy and various other related tools at home... close to 14,000 messages in under 4 months time - a bit scary, ain't it?
Oh, while I've got your attention, make sure to check out these links to security advisories and update your installed versions accordingly : Java Sun JRE (1.6 update 3), Adobe Acrobat and Acrobat Reader (8.1.1) and Real Player (10.5)
For those that consider these patches trivial or non urgent : POC or exploit code is available and in the wild.
September 25, 2007
Went to the movies with J. last night and after a good meal we ended up watching Disturbia. Not a bad movie, but not spectacular either. I'd label it as "mindless filler thriller" if I had to. Nevertheless, fun was had.
Today I'm returning to a client that had called in my help last week, and while it seemed all the issues were successfully tackled, he did mail me that one wasn't fixed. Allow me to quickly describe what happens, and what my plan of attack is for today :
As soon as the customer pops a CF card in his card reader, or connects his digital camera to the computer, a blue window pops up. Not a blue screen, phew, but a blue window. There is no text on this window, not even a title bar, no buttons to push, and no way to close it again. We can slide it to the side, but it remains an irritating bugger.
So, as I was unable to find out last week what program was causing the issue - I'm guessing an old and possibly no longer installed photo manipulation program - today I've expanded my toolkit with ProcessExplorer V11.02, and if that doesn't tell me what program is launching that broken pop up window, then nothing will I guess. So, the plan of attack is quite simple, though potentially full of obstacles as well :
1. Install ProcessExplorer
2. Connect CF Card or camera
3. Wait for blue window to appear
4. Find process that changed or appeared
5. Find out what program is connected to the process
6. Look online to find updates or tech support for said program
7. Fix the issue and head back home
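Steps 2 to 5 above boil down to one idea: snapshot the process list before plugging the card in, snapshot it again once the blue window is up, and look at what is new. As an added example (mine, not the author's, and not what Process Explorer does internally), here is that diff written against the CSV output of the Windows `tasklist /FO CSV` command, so it runs on plain XP without extra tools. The two snapshots below are constructed samples in that format; the `photoimport.exe` name is a placeholder, not a program named in the post.

```python
import csv
import io
import subprocess

# Constructed samples in the shape of `tasklist /FO CSV` output on Windows.
# The process names and PIDs are made up for the demo.
SNAPSHOT_BEFORE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"explorer.exe","1448","Console","0","21,348 K"
"procexp.exe","2212","Console","0","9,120 K"
"""

SNAPSHOT_AFTER = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"explorer.exe","1448","Console","0","22,004 K"
"procexp.exe","2212","Console","0","9,380 K"
"photoimport.exe","3020","Console","0","4,512 K"
"""


def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist CSV output (header row included)."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def new_processes(before_csv, after_csv):
    """PIDs present after the card was inserted but not before: owner candidates for the popup."""
    before = parse_tasklist_csv(before_csv)
    after = parse_tasklist_csv(after_csv)
    return sorted((pid, name) for pid, name in after.items() if pid not in before)


def gone_processes(before_csv, after_csv):
    """PIDs that disappeared between the snapshots (a crashed helper is also a clue)."""
    before = parse_tasklist_csv(before_csv)
    after = parse_tasklist_csv(after_csv)
    return sorted((pid, name) for pid, name in before.items() if pid not in after)


def live_snapshot():
    """Take a real snapshot on a Windows box; not used by the offline demo."""
    return subprocess.run(["tasklist", "/FO", "CSV"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pid, name in new_processes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"new process: pid={pid} image={name}")
```

Once the diff names a process, step 5 is the Properties dialog in Process Explorer (or the image path shown there), which tells you which installed program to chase updates or support for in step 6.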
September 21, 2007
I was looking at some website statistics and it turns out that a whopping 68.8% of my visitors have an older (and insecure) version of the Adobe flash player installed in their browser. Let's all work together to get that percentage down, shall we?
Get Adobe Flashplayer. Latest release for windows is 9.0 r47, latest release for linux is 9.0 r48.
After installing, try removing files of the old install that may be scattered all over your hard disk. An easy way to find out where those are lurking is by using the Secunia Personal Software Inspector, which can be downloaded here : Secunia PSI (0.1.0.2 beta).
That's it for now, I'm off to install and educate an end-user on using POPfile to help him deal with spam. It'll be a long day...
August 8, 2007
From the Spybot team I received this mail as I was asleep :
Hello,
thank you for reporting and sending in the pfmapi16.dll for analysis. It appears to be a false positive. The upcoming detection update should not flag the file as Win32.OnlineGames anymore. Please contact us if the file should still be marked as malicious.
From my customer this mail came in : Around 9:30 the file was still marked as infected, however after the latest update, around 15:30 the infection was silently cleared and my system was reported as clean. Thanks for your help!
Everyone happy I guess...
August 7, 2007
The other file (mentioned in a previous post) that was detected as infected by Win32.OnlineGames has indeed been confirmed a false positive by the spybot team. I just returned from my client where I ran another scan, forwarded all the reports and the file to myself and I just finished reporting my findings and suspicion to the spybot team.
It's entirely possible that, since the issue is known already, the update that's scheduled to be released tomorrow already fixes our false positive, but it could be that ours is a different one that needs analyzing as well, so I'll see what happens next.
August 6, 2007
On Saturday evening I received a mail from one of the people that calls me in a couple of times a year to check the computers of his wife and him, and he wrote that he was possibly infected as Spybot S&D generated a warning on one of his scans. I've worked with Spybot S&D quite a lot and find it one heck of a tool, so I took his mail rather seriously. I proposed to come over Sunday afternoon after working an early shift, to see what the problem was, and how to get rid of it.
Since I asked him to send me all information about the possible virus/trojan before coming over I packed my VundoFix tools and updated HiJack!This and all my other anti-spyware tools. When I arrived sure enough S&D reported a win32.onlinegames trojan to reside in pfmapi16.dll. I ran HiJack!This, took a look at the logfile created and found no trace of Vundo infection. I ran a specific scan for Vundo, but that too was negative.
Even after several attempts to get S&D to clean or remove the trojan, it remained present. I decided to verify the infection and sent the file to Virustotal for a second opinion. Out of 30 scanners that analyzed the pfmapi16.dll file, none reported it as being infected. Strange, very strange. This leads me to believe that a false positive is generated on the DLL file, but as I promised my "client" I would verify on other machines. Note : detection for Win32.OnlineGames was added to Spybot S&D on August 1st 2007.
I called B&H to see if I could pop in and verify the possible false positive on any of their machines and they said I was welcome. D&M were also on their way, so it would be a nice meeting. I checked two machines, no Win32.OnlineGames trojans found, but those are English XP machines, not German ones. When I checked my machines, none of the S&D installs gave me a trojan infection. This only makes me more convinced that there is a possible false positive on a German XP version in the latest detection updates.
Today I found a post on the forum where another German S&D user claims to have a potential false positive on a file named Ctrsct16.dll, which also resides in the system32 folder. He has sent the file in for further analysis and I'll be doing the same tomorrow, as I think we are both seeing the same incorrect detection.
Will be continued...
August 4, 2007
Another rather technical entry, but as I ran into some trouble and had a very hard time getting it fixed, I can only assume others may run into the same, hence more information is better.
I run Ubuntu on my laptop and had the superb idea to install the AVG free antivirus program, which totally failed. After downloading the package, I ran into an error that told me the file could not be opened. When I launched the package-manager again, it complained that the package avg75fld was broken and couldn't be found. Running sudo apt-get clean from a terminal window didn't fix a thing and my package manager remained as broken as it could be.
After searching the ubuntu forums, I was finally able to get rid of the error and the broken package by running sudo dpkg -P --force-all avg75fld from a terminal window.
Note : according to the thread in the forums, one should not use this option lightly as forcing a remove could lead to all kinds of problems, so it is clearly a case of user beware!
Anyway I took the plunge and got rid of the avg package. While the scanner performs well on most windows systems, I'd suggest steering clear of it on linux!
August 2, 2007
I just got a mail stating that some of my domain names needed to be renewed, so I headed over to my registrar to check which ones needed my attention. I found 5 domains that needed to be renewed soon and I decided to drop one and renew four. As I was almost ready to check out and pay for my purchase I had the common sense to check online whether there were no promotional codes that I could use to lower the total cost. A quick browse gave me the code PETE2 that took off 20% of my order (only valid on orders over $40). Yay!
If you are a GoDaddy customer and about to renew a bunch of domain names, log in and enter promo code PETE2 to save : GoDaddy.com
July 24, 2007
This is gonna be an entry that fellow geeks may find interesting, but I assume the majority of people will find quite boring. However, even for them, there may be a lesson to be learned.
I just installed the new beta release of the Secunia Personal Software Inspector (download here : Secunia PSI beta) and the initial scan scored my system at 89% up-to-date. I had a few insecure programs installed, and some others got an end-of-life warning. Some uninstalling, rebooting and installs later, I managed to get my rate up to 97% - which is much better, but still not perfect. (Update on July 26th : I'm up to 98% now, with just two end-of-life programs left)
Two tools I currently use - not regularly though - have gotten an end-of-life warning and one is plain insecure and should get a service pack applied asap. I don't recall why that hasn't been done yet, I guess I tried it before and it failed back then, and I forgot about it. I'll see if I can patch it and remove or replace the two programs that are no longer supported. The fewer vectors for attack and intrusion, the better.
Please feel free to download and run the tool yourself and post your initial score in a comment. Then install as many updates and patches as possible, and post your new rate. The one who manages to score best will get... absolutely nothing. Well, not from me anyway, but they'll get to work on a more secure system that is less prone to getting abused. Which should be all the incentive you need :)
July 15, 2007
Thanks to the excellent advice and instructions published in the castlecops MRP wiki, I was finally able to remove that damn Vundo adware infection that I somehow had gotten. I'm currently processing over 120 mails that had come in over the past 4 days, most of them being spam so it'll take me but a click on a couple of buttons to zap those.
While going over all the programs installed on my machine, I noticed that QuickTime wasn't updated yet, and the adobe flash player had a new version available as well. Coupled with an even stricter update policy and IT security for my machines, I hope to stay adware free for at least the near future - it's always a battle and a constant evolution on the side of the attackers as well as those defending and coding removal tools.
July 12, 2007
Around 9AM I started cleaning the machine, hoping to be able to bring it back to life without too many problems. It's 13h49 as I start writing this entry and I've not gotten one step further :(
The problem is this : two DLL files are linked to the WinLogon registry entry, causing them to be loaded the second I boot into windows. Once they are loaded, I can't remove the files themselves, and if I manually delete the registry entries that refer to those files, they add them again. It's a catch 22 as far as I'm concerned. I may try booting into linux using a live CD, and see if I can kill those DLLs then, since windows ain't running, the files shouldn't be in use or protected.
I've run Spybot S&D, I've run AVG AntiSpyware, I cleaned up my system using CCleaner and I've attempted to run Trend Micro Housecall, which unfortunately often caused my browser to crash. I may give it another try soon though. HijackThis does find the rogue entries, and tries to remove them, but fails as the running process interferes. I've asked for help on the CastleCops forums, hoping the expert volunteers there may be able to help out getting this crap out of my system.
Half a day wasted with this already and not all too pleased with it. I had other plans for the day...
July 11, 2007
I'll be running a couple of more checks, but this morning a first check gave my main machine a clean bill of health. A secondary check is running as I write this, and once I get home tonight - though it may be postponed till tomorrow - I'll be running at least two more scans before considering the box to be free of bugs.
The warning below still stands till I'm 100% certain the nasties have been eradicated.
July 10, 2007
Yesterday I noticed some things weren't as usual on one of my computers. The machine was throwing errors when trying to launch IE - which I rarely do anyway - and I suspected something was amiss : and right I was. A couple of scans and checks later, it seems it has become compromised by something referred to as "torpig".
It certainly is a pig as I have not yet managed to remove it. I am glad however that even though one machine has become infected, my defense in depth techniques have safeguarded all the other machines in the network.
I've been working on it for a couple of minutes just now, but I need to head off to bed and get some sleep coz tomorrow it's gonna be another long day. Thursday I'll be picking the system apart to see if I can clean the box while maintaining data integrity, and if that's not the case I'll take the only course of action possible : format and complete reinstall. Something I'm definitely not looking forward to, though on the other hand I can't keep on working on an infected machine either. Anyway, it's shut down and disconnected from the network as well as from the internet while I gather information about my little unwanted guest.
It certainly is a setback as I was hoping to get other things done on Thursday, but this has just become my new priority task. I can't afford to lose my main machine to some crappy trojan/spyware program.
The best thing about this all is that I can be almost certain the infection occurred less than 24 hours ago, which leaves the window of opportunity for an external entity to really snoop around on my machine rather short.
Consider this a very serious notice that if you happen to receive a mail from me that looks weird - well, more weird than is usually the case - or that you didn't ask for, it should be deleted, shredded and evaporated without opening it. At least till I post here that everything is at status green again.
June 24, 2007
For those that may still think spam is not really a problem :
Over the past three years (March 10th 2004 till June 25th 2007) 171.339 e-mails went through my spam filters and proxies. Of those one hundred and seventy one thousand three hundred thirty nine mails, 162.310 mails were classified as spam (94.73%).
Luckily, my spam solution has a running average accuracy of 99.55%, leaving only 759 mails incorrectly classified. Those stats are just for my first layer of mail classification. The incorrectly classified mails are not instantly discarded, but all mail is presented to a second layer, where I glance over them - usually very quickly as I know the first layer of defense has a proven track record - and change an incorrectly classified mail if there is one. That change is then also made in the first layer proxy settings which will make it more accurate next time it comes across a similar mail.
Is your inner geek satisfied now?
May 10, 2007
Yesterday I booted the laptop (an Amilo L7300) into Ubuntu and when checking for updates, was promptly given the option to upgrade to version 7.04, the latest release. I had already read on A Geek In Korea that the upgrade from Edgy Eft (6.10) to Feisty Fawn (7.04) was quite painless, so I gave it a shot. The update went without a hitch indeed : after downloading about 62MB of files, it installed, removed obsolete packages, cleaned up the system and rebooted.
One little snag though... I can't set my desktop resolution any higher than 800x600, where I'm very certain it was at 1024x768 earlier. If anyone has the solution to get Feisty Fawn running at that resolution on an S3 IGP Unichrome Pro videocard, I'd like to hear it.
I have a similar problem when running Second Life on the laptop by the way : after the latest update to 1.5.0.2, text is pretty much unreadable and very hazy. Yet the card works without a hitch at 1024x768 in windows XP Home. Solutions? Tell me!
Note : there are no newer drivers for the videocard as far as I'm aware.
April 12, 2007
I usually am against many of the extra "tools" that you can download from the internet and tie into your browser since the majority is either nothing but a front end for spyware, adware or pretty emoticons. The Alexa Toolbar is different though : created and supported by Alexa Web Search it offers me a quick view on some stats about the sites I visit, they offer related sites as well as who links to the site. Sure, it may only appeal to my inner geek, but maybe you'll like it too, who knows.
An IE version can be downloaded from Alexa Toolbar Download. Firefox has a plugin that you can find at SearchStatus : Firefox SEO Toolbar. Enjoy!
March 12, 2007
This post was done using a brand new install of ubuntu linux on my laptop. A simple install and 139 patches later - also a breeze to download and install - I've moved myself to a new OS. Well, not permanently as I still run XP on this box as well, but I like this one quite a lot. I'll see how things progress over time. I need to get the wireless connection working, but that seems as simple as getting the correct WPA2 key installed.
I think I'll do that over the weekend. Before you all go thinking I did nothing but geek things today, I also got two loads of laundry done!
February 24, 2007
Firefox 2.0.0.2 was released, I recommend updating to it to fix some vulnerabilities. I don't recommend updating the addon forecastfox 0.9.5 though, as it contains a bug which results in settings not being saved. Very annoying!
I hope it's fixed soon, because I find it quite a handy addon...
Update : Fixed, version 9.5.1 was released a few hours ago. Use the update mechanism to get the fixed version.
February 19, 2007
It's Monday morning and I've been up since 6h30 and awake since five. Talk about a totally fucked up sleeping schedule! Last night my dad called me and woke me up... at 18h15. I had pulled an all nighter and finally went to bed around eleven planning to get back up around two and head over there to take a look at his computer problems.
I did go there and fixed the issues, but a tad bit later than planned. It was well past 7PM when I finally looked at the troubled machine, but by 11:30 it had undergone an upgrade to XP Professional SP2 (a legit copy!), had been fully patched and checked and freed of spyware (there was little to be found, phew); had flash updated, Opera uninstalled, as well as some other programs no longer used.
The second machine I had nearby - actually one roll of the chair away - was given a new install of Java and all older versions got removed. Ancient flash installs got their head chopped off too and some minor tweaks were done.
All things considered a rather productive afternoon/evening and one less machine open to (easy) abuse by hackers, virus and malware authors or spammers.
Oh, I finally found an easy way to update Apple Quicktime to the secure 7.1.3.191 version - even a new install from the Apple website still hands out the insecure 7.1.3.100 version, boo Apple! - and I'll be providing the instructions here (assuming QT is installed in the default directory) :
1. open Windows Explorer
2. navigate to C:\Program Files\QuickTime and check the version of QuickTimePlayer.exe
3. if it is 7.1.3.191, all is well, lower versions are insecure and/or out of date
4. if it has a lower version number, navigate to C:\Program Files\Apple Software Update and run SoftwareUpdate.exe
5. Download and install the update to Apple Software Update
6. Download and install the Security Update 2007-001
7. Verify the version number of QuickTimePlayer.exe and see if it's 7.1.3.191
8. Done!
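An added PowerShell version of the check in steps 2 to 4 (my example, not part of the original post): it reads the file version of QuickTimePlayer.exe from the default install directory named above and compares it against the 7.1.3.191 baseline as a [version] object, not as a string, so that a hypothetical 7.1.3.99 is correctly ranked below 7.1.3.191. The path and the baseline come from the post; the default install location is the post's own assumption.

```powershell
# Added example, not from the original post: automate steps 2-4 of the
# QuickTime check above. Assumes QuickTime sits in its default directory.
$QuickTimeExe  = 'C:\Program Files\QuickTime\QuickTimePlayer.exe'
$UpdaterExe    = 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
$SecureVersion = [version]'7.1.3.191'   # first version the post calls secure

function Test-QuickTimeVersion {
    param(
        [string]$Path = $QuickTimeExe,
        [version]$Minimum = $SecureVersion
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "QuickTime not found at $Path (not installed, or a non-default directory)"
        return $null
    }
    # Build the version from the numeric parts of the PE version resource rather
    # than parsing the FileVersion string, which some vendors pad with extra text.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $installed = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    # [version] comparison is numeric per component: 7.1.3.99 -lt 7.1.3.191,
    # whereas a plain string comparison would rank '99' above '191'.
    [pscustomobject]@{
        Installed = $installed
        Minimum   = $Minimum
        IsCurrent = ($installed -ge $Minimum)
    }
}

$result = Test-QuickTimeVersion
if ($null -ne $result) {
    if ($result.IsCurrent) {
        "QuickTime $($result.Installed) is at or above $($result.Minimum); all is well (step 3)."
    } else {
        "QuickTime $($result.Installed) is below $($result.Minimum); insecure and/or out of date."
        if (Test-Path -LiteralPath $UpdaterExe) {
            "Run Apple Software Update (step 4): $UpdaterExe"
        } else {
            Write-Warning "Apple Software Update not found at $UpdaterExe"
        }
    }
}
```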
February 14, 2007
I get home this morning, log on for a quick mail check and every POP connection times out. Surfing (http on port 80) works fine, just no mail arriving. Strange! Could be the mail server(s) of my ISP being down, but as I've got servers in use all over the globe, that would just be too bizarre.
Immediately I think about the patches installed yesterday, but notice nothing irregular about them. Checked the firewall settings - those weren't changed in any way - yet still no POP connections possible.
Then I recalled the first rule in IT : if something doesn't work, reboot it.
I did. I promptly saw tens of mails rolling in of which most were spam. I think I've never been so happy to see spam in my mailbox ;)
Off to bed now. And don't let my small mail problem hold you back from patching your windows machines ASAP! It was after all probably not related to the patches released on Patch Tuesday.
February 13, 2007
If you have been considering "upgrading" your machine from XP to Vista, but find the price charged by MS a bit too steep, take a look at this article : How to install a Vista upgrade on any PC.
February 7, 2007
So far I have not experienced any slowdowns but Hackers Attacked Key Net Traffic Computers on Tuesday. More coverage at The Register : DDoSers bombard Military root server (and more) and at SecurityFocus : Attack seriously slows two root servers.
Remember people... you too play a role in making sure these core servers stay safe. If you keep your personal machine(s) up to date and clean, it is much harder for others to abuse your system in a large scale attack such as this one!
February 5, 2007
I fired up my copy of Microsoft Baseline Security Analyzer and was promptly warned that a newer version (2.01) was available. I downloaded it (here) and removed the old version. However, the installation of the new version failed to complete as there was a problem registering serversecure.dll and xmldb.dll with error code "HRESULT -2147221164". Nice... even a second attempt failed, so now I had the newest copy of the security analyzer, but couldn't get it installed.
Thanks to some searching I found that running the "regsvr32 c:\windows\system32\atl.dll" command fixed the corrupted information concerning the registration state of atl.dll, and fixed the registration problems with the two other DLLs as well. Strange if you ask me, but hey... it works.
January 18, 2007
I don't know yet whether I should consider this good or bad news, but the fact is that I'm back online for now. Instead of replacing the splitters first, I decided to take the firewall out of the loop and that solved the problem. With a direct connect from the main box to the ADSL modem, there are zero connection problems, which probably means the firewall is at fault.
It could - I assume - also mean some cat 5 cable is faulty, disrupting the connection between the modem and the firewall, but it seems rather unlikely. I'll have to do some more testing to know for sure. It's a good day to stay inside anyway, with wind speeds up to 110 km/h predicted I don't feel like going out unless really necessary.
Notice : you may see FK disappear for short periods of time - if everything goes well that is - due to some maintenance being performed. If we return the latest version should be running under FastCGI resulting in an increased performance. I'm not sure whether that performance will be noticeable by end users/readers or mostly on the back end/server. Time will tell :)
Update : The new version seems to be running, but I can't get FastCGI working. Whenever I change the extensions to .fcgi and update my config file to point to them, they return a "file not found" error. If you have any clue on how to solve this - yes, the files do exist and the permissions are correct if you ask me - please let me know!
January 17, 2007
The internet connection didn't magically fix itself while I was out. I think I've got my work cut out for me tomorrow. My first guess? The modem somehow got fucked up. I've checked the firewall and everything seems fine with it. Both the firewall as well as the modem were restarted (power down, not just a reset) and I still can't get anything beyond an IP assigned by the DHCP server in the firewall.
First work tomorrow is replace the DSL splitters, though I'm quite certain those are not the problem - they are just the easiest to replace. After that, I'm taking the firewall out of the loop and connecting the modem directly to the main box to see the result of that. If the modem is fucked, I'll know it right away.
Anyway, if you don't hear back from me right away (IM, mail, comments, whatever) it's probably due to a very limited connection. I don't feel like sending unsecured data over a network that ain't mine, and is open to everyone who happens to feel like connecting.
While happily browsing away today, suddenly I ran into DNS trouble. I tried disabling the network connection, but that somehow failed. After a reboot, I still get no look up from the DNS. The firewall is up and running - logging in is no problem, I verified all settings even though they haven't changed a bit - and the DSL modem was rebooted. It synchronizes fine, so the physical connection is up as well. I'm stumped right now as to what the problem is, but it is clearly not isolated to the first computer. None of the other machines can resolve names to IPs either.
So, off I hop onto a wireless connection of a neighbor, and I check the Skynet network status page : all is fine according to them. Not if you ask me, but I don't have the time to troubleshoot more now as I have to head off to work.
It better be fixed when I get back home.
Oh, Nadia : I received a reply from EDPnet, and they do support newsgroups and even the binaries. If you want, I'll forward the links to the documentation online to you once I'm fully connected again.
January 12, 2007
I've been working on the laptop of a colleague from work, as he complained that it was almost impossible to use anymore. He described it pretty much like this : "There are tons of windows that open, it's very slow and generally a pain in the ass to work with". It's not the first time I hear descriptions such as that one, and I'm usually not really impressed by the amount of spyware, adware and viruses installed on the machine. Seeing that this was a 4 month old laptop, with all but the most recent windows patches installed, I was impressed.
A first scan with SpyBot returned 286 malware related entries. After uninstalling an expired copy of Norton Antivirus and installing AVG Free, 195 virus related files were discovered. I also uninstalled WinSoftware AntiVirusPro 2006 (adware!) and made sure the OS was patched to the latest level.
A couple of hours and several scans later - I went to bed in the meantime - the laptop is almost performing up to its specs and only a couple of stubborn malware entries remain. One of them being CmdServices, and Ad-Aware as well as SpyBot SD have trouble completely getting rid of it. I think it may be time to do some manual registry surgery!
December 30, 2006
I admit, I found this article interesting : Computer Warming a Privacy Risk. If you're even more of a geek than I am, you can find the presentation in PDF format here : Detecting temperature through clock skew (5.6MB)
There's one problem with this technique if you ask me : if tor servers are not dedicated, they will be used for other tasks as well, and the intensity of these tasks will also affect the amount of heat produced, thus resulting in fluctuations not caused solely by this technique. Even when attacking a dedicated tor server, others use the same server and the load and temperature will change frequently. I'm not a security researcher though...
December 15, 2006
I got up before eight and have been working behind the scenes of this blog since. Several tiny alterations have been made, though most if not all will be unnoticeable to you. It ranges from adding alternative descriptions to the videos posted recently, to replacing deprecated html tags with their css counterparts. Nothing spectacular yet it should make the site more accessible to people with a handicap or using text readers.
It takes a little extra effort to get these things right, but there are several tools to make your life easier. Today I used the Readability Test to get a first impression, then Watchfire WebXACT was used to verify the page, and I also ran it against the Cynthia Says content accessibility validator.
I admit there's lots of work to be done - especially if I want to go from the current W3C WCAG P1 level that the pages gets now to a Priority 3. On the other hand... how many individual webmasters do you know that actually care about these things? At least I work to improve the accessibility of this blog.
November 17, 2006
I can't really think of a better description of myself right now. As I spent quite some time last night reconfiguring the print server, I tested and retested everything, or so I thought. When I wanted to print some documents from the old desktop, nothing appeared apart from some errors. Strangely enough, everything works when originating from the laptop, so the print server itself should be up and running.
Now is the time to smack myself in the head : I forgot to update the installed printer so it reflects the changes made. It was still pointing to LPT1, while it's now attached to the network! No wonder nothing printed :) With that sorted, I'm up to date on my finances and filing statements now and off to grab some food and prepare for a night shift.
It's a couple of minutes past four - in the morning - and I'm about to head off to bed. While watching some addictive documentaries on National Geographic I've been running some tests on my network. I think there's quite some work left to be done in order to find and hopefully fix all possible attack vectors, if such a thing can be done at all.
I grabbed a copy of the Nessus scanner and ran some tests against some of the clients here, one being the print server. A first scan returned 11 warnings and 4 holes if I recall correctly. A couple of configuration changes later, the number of warnings for the print server was cut back to 2 and only 1 attack vector remains unpatched. There's little I can do about that though as this piece of hardware and software is obsolete and no longer maintained nor supported. I'll set up filters on the network to prevent attacks.
Yeah, this was a pretty boring entry, I know :) Off to bed now!
November 9, 2006
I was able to disassemble and reassemble the dashboard much quicker today, I guess I'm getting used to it. However, I seem to have one spare Torx 20 screw, I wonder where that came from?!
I don't know if anyone has paid attention to the spam they receive, and especially the return addresses used in them. I have been a victim of joe jobbing before, but after I made some changes all unrouted mail that arrives at my domains ends up in the eternal bit bin. Problem solved? Not really as bounces still end up at my domain(s), but I don't have to deal with them anymore. But that's not the point I was trying to bring across.
Take a look at the first part of the e-mail address. Don't you notice anything special? If you don't, you probably don't receive enough spam :) Here's a list of (partial) return addresses I know for certain :
Deboranovack - Deborahterreri - Deborasdesigns - Deborayen - Deborahsm55 - Deboramvianna
All of these are titled "It's [insert name here]". I ran the mail headers through some tools and they originate from various IP addresses all over the world. Going by my gut instinct, this spam run is being performed through a series of infected zombie PCs, a botnet.
Now do you understand why it's important to keep up to date on patches, have a firewall running and correctly configured, keep the virus scanner up to date and not to open mails that promise instant sex with 69 virgins, or images of those acts? Your ignorance makes me deal with crap I don't want to spend time on - I'd rather be having sex with 69 virgins!
November 6, 2006
After having moved quite a lot of domain names through various registrars, the records got quite polluted. Due to constant abuse of my domains in spam runs - not that there is anything to abuse, but they used them as return address to catch the heat (joe jobbing) - I tried making some changes to one domain to see if it would get things back under my control. After making the changes last week, things didn't cool down.
When I checked some records today, it turned out the changes were still pending because the old name servers remained active! This left me with domains registered at Registrar B, while the domains were still reflecting the name servers of Registrar A. Not too healthy a situation, so I just spent some time checking all records and making changes as needed.
There is a slight possibility that you may see some domains disappear every now and then as the changes are propagated through the internet, but none of the changes made should interfere with friedkitten.com - or .org, .net, .info, .eu, .tv and .be for that matter.
I've got yet to see a reply to my post about the comment problem that occurred last week - either people don't understand the problem, or they don't have a solution for it I suppose. Over time it'll become an open but cold case...
Off to the store now to see if I can get some good but affordable 13cm speakers to replace those currently in the car. This afternoon I'll call Smart Center Sint-Niklaas and order the bass bins. Installation on tuesday or wednesday depending on delivery time. (bass bins are ordered and this is what I'll be attempting : fortwo soundupgrade.)
October 24, 2006
For everyone that has been waiting for it anxiously - probably just me - it is possible to grab firefox 2.0 even though the mozilla homepage still lists 1.5.0.7 as the latest available version : check some of the local FTP mirrors (I grabbed mine at ftp.uni-erlangen.de) and you'll see 2.0 is available already.
Note : some extensions "broke" after installing the brand new 2.0 branch, but I guess they'll be updated to work on 2.0 soon enough. Pimpzilla has a 3.35 version available which seems to work on firefox 2.0. Happy testing!
For the really geeky people out here, here's an overview of browser versions used to visit www.friedkitten.com :
IE : 52.21 % (89% uses v6.0, 4.24% uses the latest 7.0 version)
firefox : 41.15% (96% uses v1.5.0.7, 1.08% uses soon to be released 2.0)
Netscape : 2.65% (100% uses v7.2 - hi dad!)
Opera : 2.21%
Safari : 1.33% (hi Ash!)
Konqueror : 0.44%
October 13, 2006
I've been using Eudora for the past 10 years or so, much to my delight. I've always loved the client and in fact I even purchased a license for it. When I read a couple of days ago that a new version was available, I installed it and the install promptly downgraded my version from Paid Mode to Sponsored Mode - thus showing ads in the client.
It seems my license had to be renewed, yet at the same time Qualcomm announces that Eudora will become an open source program, under the wings of the Mozilla Foundation. The client will be free to everyone once it has become open source, which is expected to be somewhere in 2007. Not bad as I'm all in favor of open source software, but then again Qualcomm wants me to shell out another USD19.95 to keep my current client in paid mode till the free version arrives? Not bloody likely!
So today I started migrating away from Eudora and towards Thunderbird - a client I already use on another machine. Installation was a breeze, importing messages went quite smoothly, but somehow I couldn't get the addressbook imported. Whenever I tried using the Import tool, it just stated : no addressbooks found. I exported my Eudora addressbook in csv format, imported it in TB and ended up with a totally garbled mess. Not the solution either.
Luckily, thanks to the excellent TB support forums, I found the solution : rename the Eudora addressbook file (NNdbase.nnt) to NNdbase.txt and it'll easily import into Thunderbird. Fixed!
I'll use this opportunity to clean out the old mailboxes and get rid of long forgotten messages while I finetune everything to my liking. I'll sort of miss my trusty Eudora, but it's time to move on.
September 19, 2006
Is anyone of you familiar with Murphy? Yeah, the same Murphy from Murphy's Law : "Whatever can go wrong, will go wrong".
As I finished cleaning up the place - not that it looks any better now, quite the contrary - I moved the rack to the other side of the room and started moving IT appliances around. I moved the DSL modem to the rack, and then came to the conclusion my phone cable wouldn't stretch that far (For those unaware of physics laws, phone cables don't stretch at all). I knew I had tons of phone cable around somewhere... but where? I dug through all my boxes filled with remainders of IT related things, and sure enough I found phone cable, lots of it. And all of them came up short. When I finally dug one up that was long enough, it turned out to have an RJ11 connector on one side, and an RJ45 (ISDN) plug on the other side.
Which makes sense, as I stripped it off a DSL modem that was connected to an ISDN line in The Netherlands, but it wouldn't fit here. I grabbed my trusty cable cutter and plug tang and removed the RJ45 connector. Then it turned out I had no RJ11 connectors to replace it with. Crap!
Leaving that for what it is, I moved over the wireless router, and started pulling Cat 5 through the room to reconnect everything. Not a problem in sight, except... All my UTP cables were too short. Not much, but just like phone cables, they don't really stretch. Off to the shop for network cable, RJ11 plugs (or pre-made phone cable). I finally got 2x5m Cat5 UTP cables and 4.6m of high quality phone cable. Ten minutes after I arrived home, my three machines were connected and online again. What an afternoon, but the outcome will be totally geeky :)
I'll delay the introduction of the Netgear router to the mix till friday afternoon or saturday. Sunday I'll be driving around in my Smart for most of the day (smart meeting in Ostend) and monday is back to work for a night shift.
Kenny, I'll see if I can make some photographs of the current setup, though there is little to see about a bunch of things stuck into a rack...
Click to enlarge the thumbnail and see some explanation about what is what. I still have to move a printer to the rack, tidy up the power strips, and once I'm done (or started) moving my files from the old desktop to the new one, the old one will be placed at the bottom. On top of the rack - out of sight of the photo - is the wireless router, because they tend not to work too well inside a metal cage. I still have to test that connection, will do that later. Off to have some spaghetti first, then off to bed!
September 17, 2006
While borrowing Joco's car on wednesday to pick up that rack, I damaged it, it turns out. It probably happened while unloading the rack by myself, and I hadn't noticed it in the dark, otherwise I would have told him right away. Today I went over to assess the damage and sure enough, there are scratches and paint is gone where I unloaded the rack. I feel damn bad about it too, I really should have been more careful with things that ain't mine! I hope to hear from him soon, so we can settle this thing - not that there are hard feelings or something like that, but I'd like to put it behind us.
Tuesday, I'll be off for a full day, and then I hope to install some new gear. The idea is to connect my DSL modem to the new router, which will provide some more security than the current setup, and hook my wireless linksys router up to the wired router, so it also sits behind the firewall.
Schematically, it would be something like this :
Internet - ISP - DSL modem - Netgear Router/Firewall - LAN - Linksys router - Wireless.
The linksys should not pass out IP addresses, but rather pass on those gotten from the netgear router, so all clients are in the same IP range. Later on, I could add another wireless AP, which I can then open up so everyone can connect and get basic (but strictly bandwidth limited) access to the web, and I log everything and run a constant sniffer on the subnet to see what passes, including passwords and such. I think it is a nice social experiment to see who sends unencrypted data over a "free" AP they don't know. I know I certainly don't.
That'll be a project which may or may not happen, depending on whether or not I can split the open AP away from my LAN so nothing can cross between my secure network and the free-for-all network, while at the same time seriously limiting the damage that can be done through the free AP. I certainly don't want hacking, spam or any other suspicious activity happening through an IP assigned to me.
September 13, 2006
I scrapped the mobile phone repair attempts for the day, and after getting in touch with Joco and the eBay seller, I picked up Joco's mini van and drove off to Ostend to pick up my 19 inch rack. And a nice one it is too, especially considering the fact that I paid 36 euro for it!
The drive was easy - GPS is such a usable tool - and we were able to get the rack downstairs and loaded into the car without too many problems. The side panels and front door were taken off, so that lightened the weight considerably. Then after getting home with it, I realized I had a bit of an issue : we loaded the rack into the car by the two of us (the seller and I) but when I got home, it was just me. I got the door and side panels out, then disassembled the remaining 2 trays and carried all of that upstairs, using the elevator. Now, the frame, which is still heavy, is something else. Using some very creative carrying techniques I got it in front of the elevator, but now I had to make it fit. Metal bars don't give way too easily and you can't just bend them in order to fit.
After taking some measurements, I decided it would fit, and it sure did - barely. I had about 5mm to spare at each side, but it got up alright! I had to take the stairs though ;)
Once it was unloaded and inside - right in the middle of my hall, but inside nevertheless - I took the car back to Joco and Eef after filling it up for 50%. Joco warned me not to risk returning it topped up, so I complied, lol.
The past 2 hours I've spent cleaning the rack and assembling it again. I've done two trays already and the side panels are latched on as well, but the rest will have to wait for tomorrow. Off to bed now after I've caught up with mails and other outstanding things.
Oh, that other rack I was following on eBay, that sold for 153.5 euro, more than I was willing to shell out for it anyway, even if it was nicer.
August 11, 2006
I should be on my way to Neerpelt, but I clearly am not (yet). I'll be leaving soon though, once I finish writing this entry.
A couple of minutes ago, I got my SPF records published for the friedkitten.com domain, after some mailing back and forth with my webhost. They were professional and excellent as always, pointing out benefits and disadvantages but leaving the final decision up to me. After getting their informed opinion, I decided to go through with it, as there is little to lose for me.
SPF is not an anti spam tool, but rather an anti forgery tool. It should prevent unauthorized people from sending mail in your name, though much of that depends on the checks done by the receiving party. If no one checks the validity of the SPF record, they don't benefit from the added layer. Even if checking, one can still accept, question (accept but move to a specific mailbox for instance), or refuse the mail, based on the outcome of the check.
It's a vicious circle, I'm well aware of that. If no one publishes SPF records, people will not rely on them to decide what's potentially legit or fake. If no one checks the records, why would you publish them? I went ahead and had them published for one domain so far. I'll now be monitoring if any problems arise - if not, more of my domains will have their SPF records published.
For the time being, I suggest you don't refuse mail that fails the SPF check on friedkitten.com, especially since this is just a first test case. But please, do check if you can. Gmail, the mail service of Google, for instance does check SPF records, but appears not to reject based on the outcome.
Note : right now most SPF checking will be done - if any is going on - by the mailservers of the company/ISP/organization you use. End users have few options to verify SPF records themselves as far as I know. If you know of any tools, feel free to leave a comment with an explanation or a URL for me to check.
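To make the "publish, check, then accept/question/refuse" mechanics above concrete, here is an added example: my own illustration, not the post's code and not any SPF library. It evaluates a sender IP against a published record the way a receiving mail server would. The DNS answers are a constructed in-memory table standing in for real TXT/A/MX lookups (the friedkitten.com record shown is invented for the example; the post does not show the real one), and the names `check_host`, `receiver_action` and `CONSTRUCTED_DNS` are mine.

```python
"""Minimal SPF check_host() evaluator (added example, not the post's own).

The DNS answers are a constructed in-memory table standing in for real
TXT/A/MX lookups, so this runs offline. The friedkitten.com record below
is invented for the example; the post does not show the real one.
Supports the mechanisms ip4, ip6, a, mx, include and all with the
+ - ~ ? qualifiers; modifiers (redirect=, exp=) are skipped.
"""
import ipaddress

# Constructed DNS data (example values only, RFC 5737/3849 documentation ranges).
CONSTRUCTED_DNS = {
    "txt": {
        "friedkitten.com": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.example-host.net ~all",
        "_spf.example-host.net": "v=spf1 ip4:198.51.100.0/26 ip6:2001:db8:10::/48 -all",
    },
    "a": {"mail.friedkitten.com": ["192.0.2.25"]},
    "mx": {"friedkitten.com": ["mail.friedkitten.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 caps lookup-causing terms at 10 per check


def parse_record(txt):
    """Split an SPF TXT record into (result_if_matched, mechanism, argument)."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        if "=" in term:          # modifier such as redirect= or exp=; ignored here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((QUALIFIERS[qual], mech.lower(), arg))
    return terms


def _addr_in(ip, cidr):
    """True if ip (an IPv4/IPv6 address object) lies inside the cidr string."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ip.version == net.version and ip in net


def _hosts_match(ip, hostnames, dns):
    """True if ip equals any A record of the given hostnames."""
    for host in hostnames:
        for addr in dns["a"].get(host, []):
            if ip == ipaddress.ip_address(addr):
                return True
    return False


def check_host(ip_str, domain, dns=CONSTRUCTED_DNS, _lookups=None):
    """Evaluate the SPF record of `domain` for sender `ip_str`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    ip = ipaddress.ip_address(ip_str)
    lookups = _lookups if _lookups is not None else [0]
    record = dns["txt"].get(domain)
    if record is None:
        return "none"                       # domain publishes no SPF record
    for result, mech, arg in parse_record(record):
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            matched = _addr_in(ip, arg)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"          # too many DNS-querying terms
            target = arg or domain
            if mech == "a":
                matched = _hosts_match(ip, [target], dns)
            elif mech == "mx":
                matched = _hosts_match(ip, dns["mx"].get(target, []), dns)
            else:                           # include: only a "pass" counts as a match
                matched = check_host(ip_str, target, dns, lookups) == "pass"
        else:
            return "permerror"              # unsupported mechanism (exists, ptr, ...)
        if matched:
            return result
    return "neutral"                        # nothing matched and no "all" term


def receiver_action(result, enforce_fail=False):
    """The receiving side's choice the post describes: accept, question, or refuse."""
    if result == "fail" and enforce_fail:
        return "refuse"
    if result in ("fail", "softfail", "permerror"):
        return "question"                   # e.g. deliver to a separate mailbox
    return "accept"


if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.100.10", "198.51.100.100", "203.0.113.7"):
        verdict = check_host(sender, "friedkitten.com")
        print(sender, verdict, receiver_action(verdict))
```

The `~all` at the end of the constructed record is what makes this a safe first deployment of the kind the post describes: a sender that matches nothing gets `softfail`, which `receiver_action` turns into "question" rather than "refuse" until `enforce_fail` is switched on.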
July 27, 2006
Security aware users of friedkitten.eu or fans of the local friedkitten.be blog, already know that Firefox 1.5.0.5 should now be jumping the fence, leaving the vulnerable 1.5.0.4 version behind. If you didn't get the update, please do so now by going to the Help menu in Firefox and clicking "Check for Updates". A small download and exactly one Firefox restart later you're good to go again.
If you're still using - I'd almost written "trusty" - old IE, follow that Firefox 1.5.0.5 link above to change your browsing experience for the better.
If you're a McAfee user, you may not be able to switch to Firefox entirely, as I just found out. Now that on the new box IE has been degraded to the "can't uninstall but don't use it either" browser it turns out that the nice people at McAfuck write tools that can only be updated using Internet Explorer. Say what?
"Oh sir, you're interested in this nice new vault? Oh, you're buying it too? Very good sir! When will you be picking it up? In two minutes? Wonderful!" (insert sound of money and cash registers)
2 minutes later.
"Oh, I'm sorry sir, but you can't transport our vault with that shiny new Lexxxus pickup truck that'll hold the weight of ten vaults. Our vaults can only be transported by an old Nirvana Van that'll come very close to the edge of breaking down." (Note the lack of sound of money or cash registers now)
Yeah, if I recall correctly - and I do, even at 9 in the morning after once again way too little sleep - I said I disliked the McAfee Security Suite from the start, even if I got it for free. I just clicked the Search for Updates button and what pops up? A page from McAfee stating : "Please note that Microsoft Internet Explorer 5.5 or higher is required to download and install McAfee products." Let's see if we can trick McAfee into working with a better browser by switching the User Agent of Firefox to IE 6.0...
After switching the UA, and reloading the IE required page, we're suddenly greeted by a page claiming they detected Netscape as our primary browser and an offer to download McAfee Clinic Activator which will support Application installations and updates. For the heck of it, let's see what happens next...
I download the McAfee Clinic Activator yet it doesn't show up in the extension overview. After a restart of Firefox, and another attempt to download and install updates, we're greeted by a blank page. The source shows it doesn't lack content though, but it doesn't display either. I guess you really need IE to update your virus scanner...
Time to harass the McAfee support habibs :)
Nice... If you want to use the McAfee support pages to contact a "live technician" you first have to run a virtual technician which will check your setup. It requires... Internet Explorer. So much for being helpful, though I must admit they offer to download a standalone version. I won't even bother and just look for my Uninstall button instead!
McAfee Personal Firewall Plus.. Uninstalled
McAfee SpamKiller... Uninstalled
McAfee VirusScan... Uninstalled
McAfee Security Center... Uninstalled
Reboot!
July 11, 2006
Because KDS and Nadia asked what the hell the last entry was about, here's some extra information.
If you've got a wireless network at home, you want your wireless device (laptop for instance, or PDA) to connect somewhere, right? The connection is made to the Access Point (AP) which may also double as a switch, router, DSL modem. The connection between the client and the AP can be protected using a number of techniques, of which WEP is probably the one known by most people. WEP encryption is not secure, and if possible it would be better to use WPA or WPA2. Truth be told, even WEP provides a basic security and while it can be "cracked" it'll take a while to do so because you'll need a number of packets before one can crack the key.
But I digress because WEP, WPA and WPA2 have nothing to do with wardriving. As you may know, your AP may advertise its presence by broadcasting its SSID, so others can see it. What the SSID is set to doesn't really matter, and some people leave it at the default, or change it to something funny or anything that makes sense to them. It's also possible to stop your AP from broadcasting its SSID, but that doesn't mean the signal can't be picked up.
Now, when wardriving, we use a mobile device (usually, it's a bit more difficult to walk or drive around with a full desktop on the seat next to you) such as a laptop or PDA. In the device a wireless network card is present and usually an external antenna is connected to it so the range of detection goes up. The antenna picks up the signals from Access Points present pretty much everywhere and displays them on screen, and/or logs them to a file. I use NetStumbler to scan, but KisMAC or Kismet are also available; it all depends on what operating system your scanning device runs. We do NOT log in to networks, crack WEP keys or access the (often open) network in any way! We just drive around and map the area, just as if you were to walk around your neighborhood and write down the names of the people next to their doorbell. You don't ring the doorbell in order to do so, nor do you push the door open or break it down. You just see who's around and what information they're giving out.
In order to make wardriving more interesting, you can attach a GPS device to the setup, so coordinates can be logged as well, and you can later put all the found APs onto a nice map. For the time being, I've not done this yet, as I lack a GPS device :(
So, to answer KDS's question "Why was it good for you?" : because I'm a Geek at heart and only now realize how many radio waves are sent through the air without most people knowing ;)
July 10, 2006
It was good with a capital G. Oops, so that should read "It was Good". I'm not talking about my first time having sex, because that's quite a few years ago, but today I did my first ever real wardrive. My Senao PCMCIA card with 5dBi magmount antenna arrived by mail today - ordered on Friday, late in the evening - so I immediately started setting things up, but that proved to be a bit of a challenge. The drivers were supplied, but each time I launched the file, it would open a dialog, allowing me to click NEXT and that was it. It just froze, but when I checked for running processes (not applications!) it clearly showed to be running. After loads of reboots and killing various programs that are always running on my laptop, I got the card installed.
I'm still struggling with the order it needs to get it running from the first time after booting the laptop again, but it won't be long before I get the hang of it. I drove off to work, the antenna placed close to the windscreen on the hood, because unfortunately... Smarts don't have a metallic roof, so magnetic feet don't attach to it. Anyway, that problem will probably be dealt with tomorrow (super glue and a small piece of metal maybe) and off I went.
I drove the 40 kilometers to work, while NetStumbler was happily "boing"ing away pretty much all the time. When I checked the number of APs found, I was pretty surprised : 346!! Knowing that quite a major part of my route is out in the middle of nowhere, and on highways, I really didn't expect such a result. On the way back I got 284 APs and then the laptop went into hibernation mode because it ran out of juice. Damn! Anyway, I've ordered a universal car charger so that problem should be solved shortly as well.
The antenna works great, but I find a 2 meter cable to be on the short side, because that seriously limits where the laptop can sit and where the antenna can be placed. I think 2m is long enough when running from a PDA out of a backpack for instance, but from a car... quite short. Unless you don't mind drilling right through the roof that is.
July 3, 2006
Tomorrow, I'll go get two new hard disks because the shop I'd like to purchase from is not open on Mondays. A new computer has been ordered as well, and I hope to receive it shortly. This means however, that I have to go to the bank now to make a payment...
A quick overview of the new system : Intel Dual Core 2.8GHZ processor, 250GB SATA HD, 1024MB RAM, a fancy Ultra Sharp Flat Panel 19" Monitor (I was still using an old CRT monitor so far), ATI X600 SE videocard (not the most fancy, but should be enough for my needs).
Update : Murphy strikes back, or so it seems. I just received a mail that there is a problem with my order, so I should get in touch. When do they send out such a mail? At 16h41, and their office closes at 17h00, so that will have to wait till tomorrow :( I just tried contacting the Brussels branch, but that just forwards me to The Netherlands and they happily say "the sales division is closed for now, please call back tomorrow". Online sales, quick and easy? My Ass!
Damn... when I got up this morning and turned on the monitor of my desktop, I was once again greeted by a screen that had letters flashing "Critical" all over it : it's clear that yesterday's RAID warning wasn't a coincidence, one of the drives is indeed starting to fail. I powered the system down and am now contemplating my options.
Surely I'll have to back up as much as possible before the drive crashes beyond repair, even though it's only one disk. All the information is still available on the mirror but as we all know, Murphy rarely travels alone.
I could start hunting for two new Maxtor 80GB HDs (D740X-6L) right now, and replace the failing disk. Then once the raid mirror is back up and functional, replace the good drive as well so I'm good for another couple of years. This would be the cheapest and fastest path to fixing the problem.
I could configure and order a completely new system, which means quite some hoops to jump through and a fair amount of work to be done. I'd have to copy all the data and configure and fine-tune the new system to my liking, and knowing myself, that will take time and irritate the hell out of me. On the other hand, it would give me a nice and up to date new box to play with. New toys are always nice :)
Or I could do both... replace the (failing) disk(s) and order a new system at the same time. Then I can use the new machine for everyday work, and use the old one to install Linux onto, run an IDS on it, things like that. But I've already decided that if I get a new system, I don't need a fancy latest state of the art configuration. I mostly use it to browse the web, do some photo manipulation and play videos on it.
Oh, the options and the decisions...
June 22, 2006
Skype (2.5.0.113 - new features and bugfixes)
WinAmp (5.24 - security patch)
A 0-day exploit has been reported in Excel, but no patch is available yet. Read more at secunia. While there, take a look at the Microsoft Windows Hyperlink Object Library Buffer Overflow as well.
May 31, 2006
Apple seems very determined to infect as many machines as possible with their iTunes software. I just tried installing QuickTime 7.1 - because my older QT version told me 7.1 contains important security fixes - but alas, one can no longer install just QuickTime. It now comes "bundled" with iTunes, making it a download of over 30MB! I don't need iTunes, I don't want iTunes, so why should I be forced to download it, install it, and then remove it again to just keep the component I need? You tell me!
I could understand Apple promoting iTunes when a user wants to download and install QT, but at least give someone the opportunity to opt out, or deselect the additional download. Seems Apple is going the MS way :(
I just sent Apple feedback about this issue, so maybe, some day, they may realize that their users are adult enough to decide for themselves what they want/need.
Update : "notasblindasyou" graciously pointed out that there is a standalone version of QuickTime : QuickTime standalone version. I must have had stuff in my eyes for not noticing it. Sorry Apple people!
May 18, 2006
First a little update on the machines currently in for maintenance/repair :
Laptop from S. : Clean install of Win 2K + SP4 v2 (Roll Up 1) completed.
Desktop from N. : fixed and picked up (Hint : pleased with the service?)
Desktop from A. : First analysis done. Need original XP CD to proceed.
I just installed a patch on my laptop to fix a quick battery drain. According to The Register, not all causes for the high consumption are fixed, but 1 out of 3 is better than no patch at all, right?
May 16, 2006
A quick first update on N.'s desktop : infected with nasties such as Sex.List, CommandService, Smitfraud-C, CoolWWWSearch.BadZoneMap, CoolWWWSearch.WinRes, DeskWizz, NetWork Monitor, and that's only halfway through the first scan.
Once I can get rid of CommandService and Network Monitor (they're related), I think I'll have a good shot at getting rid of all the rest as well. Especially the fact that some of the adware programs constantly monitor the network and download and re-install themselves makes it harder to remove. So, what did I do so far? I booted it up, connected it to the LAN, updated the virus scanner (failed), updated Ad-Aware (successful), downloaded/installed/updated Spybot S&D (successful), did a Windows update (failed), edited the hosts file (removed a bunch of entries), downloaded/installed Firefox (successful) and then disconnected from the LAN immediately. Reboot, and start working...
This once again shows that "regular computer users" are very unlikely to be able to free themselves of all nasties that have made their PC their new home. And unless you can get rid of ALL of them, there are more than enough vectors to get infected within seconds.
I don't know if spring actually affects computers, but it sure seems like it. Two weeks ago, S. asked me if I could take a look at his laptop, because it failed on him. Over the weekend, N. mailed me to see if I could check her desktop because it was infected with a trojan/virus/adware/spyware and giving her trouble. Yesterday afternoon, a colleague A. asked me the same, because his desktop is throwing a fit too.
Today, N. dropped off her machine and I started working on it, and it sure seems troublesome. Something is running havoc on it, but so far I've not been able to identify the culprit. It ain't MyTob, that I'm sure about. I'll look into it more on Thursday, my day off. The laptop from S. sits on my desk because I don't have a sure way of fixing it yet. It seems like a hardware problem, though I'm not sure. More analysis on Thursday as well I suppose.
March 27, 2006
Today's plans include downloading Knoppix (4.02 CD version, just over 700MB, happening as I write), building a more up to date version of VPM (including Tor 1.0.17, and Firefox 1.5.0.1) and installing that on the USB stick. The build on the VPM page contains slightly outdated programs, so I'll be attempting to get a grip on Linux, and build my own tarball. That'll keep me busy for the day I suppose.
I'm doing some laundry in the mean time, and I've soaked and washed two pillows already, as Tai didn't like me staying out late last night and pissed on one of them. He did the other one earlier last week. I tell you, he's an unforgiving bundle of joy, that cat of mine.
Update : over 3 hours later, I've booted and shut down Knoppix about 5 or 6 times, and didn't get any further than "cannot change ownership" while doing some tar operation on libevent-1.1a.tar.gz. I did however learn how to mount and remount a USB stick in read/write mode, and that *nix systems like "CR" and not "CR/LF" like Windows systems. Did that help me get my VPM up to date? Not in the least, but I feel like I've learned something...
Update 2 : Tai is a damn whiney cat. Always wanting attention, cuddles and miaowing away. If I wanted that much attention or responsibility, I'd have kids! All I wanted was a silent presence, and now I'm stuck with an omni-present clingy furry creature that hates being left alone. I love him, but come on... this is getting ridiculous!
March 9, 2006
I've been keeping myself busy with these things lately - especially reading up, comparing, gathering information, asking questions :
- Fedora
- Tor and #tor on irc.oftc.net
- Dell Poweredge 1850
Eventually, these things should go on the box as well (if I ever decide to go ahead and get acquainted with a *nix system, buy that server, get a colo, maintain it and get it up and running) :
February 27, 2006
I've been noticing some strange behaviour on my laptop lately, and when it happened again today, I decided to look into it. I'm working normally, and suddenly a small pop-up tells me my virus scanner is trying to access a certain IP address using POP3, even though I'm not - as far as I'm aware - running any application that would need POP3 access at the time.
I quickly opened a command prompt and a netstat session did indeed confirm an attempt to reach an IP address linked to bethere.co.uk, which makes NO sense at all. I'm not in the UK, I'm not using a UK provider and no one I know is either. It only happens on the laptop, so my first idea was that someone is messing with my wireless link to the desktop machine. However, I've set up my link using WPA2 with a completely random and strong key, so that shouldn't be possible.
I could suspect Tor, but there is no real reason to do so, apart from the fact that when this happened earlier, it stopped after I removed the application. However, when I check Tor and the bandwidth it uses, there is no activity at all, which sounds right as it is not in use all the time. I only fire up Tor and the proxies when I need some additional privacy, and the speed with which data arrives is less important. Is someone trying to use my installed Tor client to send out mail? That again should be impossible since I have it configured as a client, not a server, and by default it doesn't allow POP3. My idea is that it ain't caused by Tor.
I quickly ran my antivirus, spyware and adware tools to see if anything got past my defenses, but nothing has shown up so far. The firewall is up, the virus scanner is up to date, yet something tries to create a POP3 connection to a UK based host. Go figure.
Update : I have now fine-tuned my netstat capture to not only list the open connections and their state, but also which binary is responsible for creating them, sorted by protocol. This should be enough to find out more about the perpetrator. My e-mail scanner log files it under AutoPOP3, which really doesn't ring a bell. To be sure I've upped my default log information from medium to high, so I hope to get some more info.
If anyone happens to know where this mysterious POP3 connection to bethere.co.uk originates from, I'd be happy to find out. The IP address it tries to connect to is 87.194.29.236.bethere.co.uk and the brand and model of the laptop is a Fujitsu-Siemens Amilo L7300. I must say that I've found similar questions from people online wondering why their AVG Mailscanner suddenly feels like connecting to foreign servers. To be continued, no doubt.
Note : I'm not running eMule, eDonkey, or any other filesharing programs, nor are they installed on my machine(s).
Update : Guess what. The PID of the offending program is 1264 in my case. I check the running processes and what shows up? Tor. Crap. Off to read up and possibly talk to the developers of it. Solved : thanks to some volunteers in the #tor IRC channel (irc.oftc.net) the mystery was solved. Tor keeps some connections open and 87.194.29.236 is the address of a dir server, which runs on port 110, thus is captured by my mailscanner. Whether I find it "wise" to run a dirserver on a port specified for mail remains to be seen, but the mystery is solved. Off to throw something in the donation bin for Tor now...
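The step that cracked this one (tie the netstat connection to a PID, then the PID to a binary, then ask whether that binary has any business on that port) is what the added example below automates. It is my illustration, not the post's own netstat capture. The `netstat -ano` and `tasklist` output is constructed to look like Windows XP output; only the 87.194.29.236:110 destination and PID 1264 come from the post, and the process names, the `MAIL_CLIENTS` set and the function names are assumptions.

```python
"""Correlate active connections with their owning processes (added example).

The two text samples are constructed to resemble `netstat -ano` and
`tasklist` output on Windows XP. Only the destination 87.194.29.236:110 and
PID 1264 come from the blog post; every other address, PID and process name
is made up for the example.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample, shaped like `netstat -ano` output (PID in the last column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.10:1053      87.194.29.236:110      ESTABLISHED     1264
  TCP    192.168.1.10:1060      192.0.2.20:110         ESTABLISHED     1800
  TCP    192.168.1.10:1061      198.51.100.9:443       ESTABLISHED     2100
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample, shaped like `tasklist` output (image name, then PID).
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         28 K
svchost.exe                  944 Console                 0      4,212 K
tor.exe                     1264 Console                 0     11,004 K
thunderbird.exe             1800 Console                 0     38,120 K
firefox.exe                 2100 Console                 0     52,300 K
"""

# Binaries expected to talk POP3 on this machine (assumption for the example).
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe", "avgemc.exe"}
WELL_KNOWN = {25: "SMTP", 110: "POP3", 143: "IMAP", 443: "HTTPS"}

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano rows into Conn tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> lower-cased image name from tasklist rows."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+", line)
        if m:
            names[int(m.group(2))] = m.group(1).lower()
    return names


def remote_port(addr):
    """Port part of 'host:port'; None for wildcards such as '*:*'."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def suspicious_connections(netstat_text, tasklist_text, watched_ports=(110,)):
    """Established connections to a watched port whose owner is not a known client.

    Returns a list of (pid, process, remote, service) tuples.
    """
    names = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        port = remote_port(c.remote)
        if port in watched_ports and c.state == "ESTABLISHED":
            proc = names.get(c.pid, "<unknown>")
            if proc not in MAIL_CLIENTS:
                hits.append((c.pid, proc, c.remote, WELL_KNOWN.get(port, str(port))))
    return hits


if __name__ == "__main__":
    for pid, proc, remote, service in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} ({proc}) -> {remote} [{service}]")
```

On a live XP box the same correlation is one command, `netstat -anob`, since `-o` prints the PID and `-b` the owning executable; the point of keeping the two-step form here is that it also works on captures saved from earlier sessions, which is what a "to be continued" investigation like this one ends up with. The mail-scanner alert was right about the port and wrong about the protocol; the process name is what settles it.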
December 29, 2005
Programs updated
FileZilla was updated to version 2.2.18 on December 26th.
Ethereal was updated to 0.10.14 on December 27th.
Security
An unpatched bug exists in the handling of WMF files in Windows. It is actively being exploited, thus rather important that you are aware of it. For the time being there is no patch, see Microsoft Security Advisory (912840).
You can unregister the vulnerable dll though, by following these instructions :
- Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and click OK.
This will prevent Windows Picture and Fax Viewer from starting when a .wmf is accessed.
To restore functionality, follow these instructions :
- Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks), and click OK.
December 24, 2005
I just downloaded a demo copy of Airopeek NX, weighing in at just over 30MB, to come to the conclusion it doesn't wanna play nice with my Ralink RT2500 wireless network card. I could always install or run Linux on the laptop, but I don't feel like it. Toying around with wireless networks is not that high on my list to switch OS.
Note : I've been up since 9h30, which is way too early if you ask me.
December 18, 2005
I just replaced my old 300 watt PSU for a brand new 400 watt PSU. I didn't really need the extra power, but I did need the stability. It's actually the first time ever that the PSU gives me trouble - before it always was the motherboard, or the drives giving up. Not really surprising though if you know I run my machine 24/7, 365 days a year. Sometimes components just can't live up to the demand I suppose.
Anyway, things seem to be running fairly smoothly, I just have to look into some USB devices windows was complaining about, I may have to point out where to find the drivers again, but that shouldn't be too hard. Off to clean the ferret cage, and entertain them. I'll put on Nid & Sancy while doing so.
December 16, 2005
While I was skyping with Joco, I suddenly heard an audio alert in my headset. The fun thing was that Joco was able to hear it too, which really surprised me. I wonder what else people can hear while skyping?
Anyway, the computer just shat itself again, but at least now I've got an idea what the problem may be : an irregular voltage line in my PSU. It's expected to supply about 3.3V constantly, but every now and then it drops to 2.80, which is too low. I just had an alert for the past 3 minutes or so, and now it's back up to a healthy 3.26 volt - pretty bizarre if you ask me! I guess that means I'll be shopping for a new PSU tomorrow. I hope I can find one for an acceptable price, according to Joco they're rather expensive, when looking for a high performance, low noise one.
Gonna give my dad a call now, he's much more a techie than I'll ever be, and electricals are not really my forte. I'm better with software and general maintenance, mail, AV solutions, blogging (setup, maintenance, ...). Which reminds me, I just set up a basic blog for another friend of mine, who will be creating his personal place on the web - away from his professional site(s).