Digital Choke Daynotes
"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (http://www.daynotes.com or http://www.daynotes.org), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.
Monday, March 1, 2004

Back to work today, after taking the whole week off last week (from work and from here). There was much family activity, and a lot of details to work out before the funeral on Friday. We were able to work with an excellent funeral home, who were very attentive, explaining all the details, and very compassionate in their dealings with the family. (Thanks to those that sent condolences.)

Pam and I spent most of each day at her mother's house. Her sisters were able to come up Sunday for what turned out to be their last visit with their Dad. He passed quite quickly. Sunday morning he was awake at times, and somewhat alert, but by the late afternoon, he was asleep in his hospital bed (set up in the living room of his house). He woke up very briefly just a few times, then passed away on Monday afternoon. Although it was expected, it was a difficult time for the family.

So we spent that night making phone calls to relatives and friends, among all the other details. Tuesday we visited the funeral home to make the final arrangements. Wednesday we picked out the plot in the cemetery he chose. We worked on the funeral program. Christine talked about her memories of her grandfather, Pam and her two sisters did the eulogy, and I did the religious talk. We were able to get an inexpensive flight for Stacy to come home from college at Idaho, which was nice. And the Relief Society (the church women's group) were very helpful in providing meals for several nights, along with the lunch for after the funeral).

The three sons-in-law (and grandson-in-law and grandson) spent a bit of time doing some maintenance work around the house. And we also started an inventory of the garage. Pam's father liked to buy tools, and he has quite a collection of wood-working tools (planers, band saw, table saw, routers, joiners, radial-arm saw, lathe and more); some quite new, and some a bit old. I think that he always had plans to use them, but perhaps enjoyed buying the tools more than using them. None of us have that talent, so we'll need to have a giant "Guy's Garage Sale". There are several types of other power equipment, plus a Kubota tractor (he's always had 1-2 acres of land), and some old equipment like a cement mixer, rototiller, trencher, garden shredder, etc. (Any takers out there? I live around Sacramento, CA, and might be able to deliver nearby. Let me know via the mailbox icon.)

There is some stuff that we'll keep, like the chain saw and log splitter which we will use at the cabin in the mountains. The almost-new travel trailer will need to be sold, along with the Ford F250 diesel truck. And then there are the other odds and ends that are found in a garage. Don was from Maine, so he kept just about everything just in case it was needed later on.

So now I have something to do on Saturdays for a while, which is OK, because I enjoy doing the weekend handyman thing. For instance, on Saturday, we replaced one of the toilets, and I worked on replacing all the exterior door locks (they weren't working properly). We did a bit of cleanup outside (tree and bush trimming; the electric chain saw on a pole worked well for that), along with taking a bit of trash to the dump.

Pam's mother is doing fairly well; it was a long illness, so she was somewhat prepared. Pam's sister lives in Texas, so they took Pam's mother home with them yesterday for a couple of weeks to help with the transition. And Pam is doing fairly well, although not sleeping much the past week.

So we spent yesterday (Sunday) taking it easy after going to church. Then back to work today, although it was a short day since Pam is still a bit tired. I was able to get a bit of work done remotely last week, so there wasn't a large pile of email to worry about. Even though there are many viruses out there, we are mostly protected against incoming viral email. But you should make sure that you keep things current: McAfee released updates last Friday and Sunday (yesterday), and I suspect there might be one tomorrow, in addition to the weekly one that comes out on Wednesday.

On another subject, I've been noticing a bit more spam in my personal email box. Most of it is routed through the mail server here at "DigitalChoke". The pages on this site don't use 'mail-to' codes, but a mail form (as you will see if you click on the mailbox icon). I had a theory about how the email addresses were being accessed -- by 'mail harvesting' programs that troll the 'net looking for mailing addresses. So I decided to test the theory with a little experiment. This letter to Jerry Pournelle explains the experiment, and the results.

As you know, I've been sending you security notices relating to viruses, worms, and other issues, and you have been kind enough to include them on your mail pages. In most of my messages, I include my email address on my web site at www.digitalchoke.com as part of my signature, with permission to use same.

My site, which includes my fictional short story, also has my "Daynotes" entries. And I include a mail form for comments. I use a mail form rather than a 'mailto' tag because that protects email addresses from web 'crawlers' that try to harvest email addresses from web sites. All mail to that site is forwarded to a different mail account.

Last year, I started noticing an increase in the amount of spam that I was getting through my digitalchoke.com mail addresses. It appeared that much of it was using the email address I put in my correspondence to you, which you published (with my permission).

That made me curious as to how efficient the 'mail harvesting' programs were. Your site is quite popular, and bound to be a place that the email harvesting search engines would frequently visit.

So, as part of an experiment, I started including a brand new email address in my correspondence to you. The new address was first published (according to your search engine) on your site on February 5, 2004. I was careful not to use that email address in any other correspondence that I sent out.

I then set up a rule in Outlook that would route any mail from that new address into a separate folder. And then I waited.

The first spam message to that new address arrived on February 20, 2004, just 15 days after the first posting on your site. It was a variation of the Nigerian Scam message. I was careful not to open each message, in case it had a 'track-back' link that would verify my email address. I had also applied the Outlook setting to preview messages in text only, rather than HTML. So no action of mine should have verified that address.

I haven't had many messages to that new/unique address. Just today, I started to see messages from virus-infected computers. It will be interesting to see any increase in the number of messages I get to that unique mail address as that address is shared among spammers.

There are lessons to be learned from my experiment. If users 'share' their email address in messages that are posted on various web sites (such as yours, and be assured that you are not at fault here), then it is likely that their email address will get on a spammer's list. Web page designers should use mail "forms" rather than "mailto" for feedback or customer contact messages. Although there are many other ways to get valid email addresses, careful use of your (or employee) email addresses is wise.

So, learn from the lesson. If you have any questions or comments, just click on the mailbox icon to get to the mail form.
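The experiment in the letter above is a canary (honeytoken) address: one address per place it is exposed, a mail rule that files anything sent to it, and a note of how long it took before the first unsolicited message arrived. The script below is an added example of the same bookkeeping done in code; it is not from the original page or from the author's Outlook setup. The canary addresses, publication dates and the three messages in the mailbox are constructed for the example, and the matching is done on the To/Cc headers so that a harvested address is counted even when it appears as a Cc or in a different letter case.

```python
from datetime import date
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Canary addresses and the date each was first published. One address per place
# it was exposed (addresses and dates are constructed for this example).
CANARIES = {
    "ps-feb04@example.com": date(2004, 2, 5),    # used only in letters to one web site
    "wdg-jan04@example.com": date(2004, 1, 10),  # left as the contact on a mailing list
}

# A constructed mailbox: three raw messages as a mail client would store them.
SAMPLE_MAILBOX = [
"""From: "Mr. Okafor" <okafor@mail.example.net>
To: <ps-feb04@example.com>
Date: Fri, 20 Feb 2004 09:12:44 -0800
Subject: URGENT BUSINESS PROPOSAL

I am contacting you in strict confidence...
""",
"""From: alice@colleague.example.org
To: me@example.com
Cc: PS-FEB04@example.com
Date: Mon, 01 Mar 2004 14:02:10 -0800
Subject: Re: Hello

Thanks for the note.
""",
"""From: bob@colleague.example.org
To: me@example.com
Date: Tue, 02 Mar 2004 08:30:00 -0800
Subject: lunch?

Noon at the usual place?
""",
]


def recipients(msg):
    """All recipient addresses on To/Cc, lower-cased, with display names stripped."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _name, addr in pairs if addr}


def route_by_canary(raw_messages, canaries):
    """The mail-client rule, in code: file each message under the canary it was sent to.
    Returns {canary: [(datetime, sender, subject), ...]} sorted by date."""
    hits = {addr: [] for addr in canaries}
    for raw in raw_messages:
        msg = message_from_string(raw)
        when = parsedate_to_datetime(msg["Date"])
        for addr in recipients(msg) & set(canaries):
            hits[addr].append((when, msg["From"], msg["Subject"]))
    for addr in hits:
        hits[addr].sort()
    return hits


def harvest_report(raw_messages, canaries):
    """Per canary: number of hits, first-seen date, and days from publication to first hit.
    A canary that has never received mail reports 0 hits and None for the dates."""
    report = {}
    for addr, hits in route_by_canary(raw_messages, canaries).items():
        if not hits:
            report[addr] = {"hits": 0, "first_seen": None, "days_to_first_hit": None}
            continue
        first = hits[0][0].date()
        report[addr] = {
            "hits": len(hits),
            "first_seen": first,
            "days_to_first_hit": (first - canaries[addr]).days,
        }
    return report


if __name__ == "__main__":
    for addr, row in harvest_report(SAMPLE_MAILBOX, CANARIES).items():
        print(addr, row)
```

The report for the constructed mailbox shows the first canary hit 15 days after publication (the same gap the letter reports) and the second canary untouched; the legitimate Cc from a colleague is counted too, which is why a canary should only ever be given out in one place.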

Tuesday, March 2, 2004

I spent most of the day working on (and worrying about) some variations of the Bagle virus. These variants put the viral executable inside a zip file that has been password-protected. The message itself contains the password to use to extract the bad file. Then once you extract the file, you have to run it to be infected.

On the surface, that seems like a 'harder' way to get a virus. But it also makes it harder to detect that virus. And that's what puzzled me for a while.

A user at work forwarded the viral message to me. I recognized the message subject line and content as one of the Bagle viruses. And the attachment was a ZIP file with an executable in it.

I've mentioned before (as you two regular readers recall) our mail filtering software is set up to detect viruses two ways. The first is by scanning them with a virus engine (McAfee) that checks for updates once an hour. (It checks that often because an update will happen at any time. McAfee normally releases an update every Wednesday, but they issued special updates last Friday, Sunday, and today (Tuesday). So a regular check for the mail servers is a good idea.) A 'known virus' message will be blocked by that process.

For those 'zero-day' viruses, where the virus is spreading before the anti-virus updates can detect it, we block any message with an executable attachment. Although there are occasions when a technical guy at work will need an executable, 99+% of the time the message and attachment will be a virus.

Our mail filtering program is smart enough to look at the structure of an attached file, even in a zip, to determine whether it is an executable. Even if you rename a file like 'program.exe' to 'program.doc', the structure of the file verifies it is actually an executable program. And if you put the "program.exe" file inside a ZIP file, the program can still sense the executable, and it will be blocked.

But the virus writers are increasingly using the new technique of putting the exe into a zip file, then password-protecting the zip file, which is a simple way of encrypting a file. Because the program doesn't know the password, it can't look inside the zip file, so it assumes that the message's attachment is not an executable, and doesn't block that message. The program doesn't have a rule-set that determines if an attachment is encrypted.

The virus-checking part of the program (a McAfee add-in) is similarly not able to look inside the zip file, so a scan of the zip doesn't find a virus. I verified this by saving the zip file to my hard disk, then running a virus scan on the file; it came up non-viral. I didn't extract the executable, since I didn't want to screw up my computer. I may try it in the lab on an isolated computer. But I think my theory is valid, since the characteristics of the attachment are described in the notices about the "Bagle.h" and "Bagle.j".

It would take a bit of effort to 'install' the virus. You would have to unzip the attachment, provide the password, then run the program after you extracted it from the zip file. So this may not be a very good technique, although some users are bound to do it. But I can think of an easy way to skip the un-zip step.

I was able to create a rule in the mail filter that would trap the encrypted zip file. The 'spam agent' is able to find an attached file that is encrypted (or password-protected). So I was able to start trapping those viral messages. We aren't getting too many, about 10 an hour, but it is good to be able to block them. (For comparison, when "MyDoom" virus became widespread, we were getting over a thousand of those each hour.)
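The two gateway checks described above, and the blind spot between them, can be seen in a few dozen lines. The script below is an added example, not the mail filter or the McAfee add-in the entry describes: it walks the ZIP local file headers itself, flags any member whose general-purpose flag has the encryption bit (bit 0) set, and otherwise reads the first two bytes of the member to decide whether it is a DOS/PE executable ("MZ") no matter what the file is named. `naive_av_scan` shows what a scanner that simply asks the zip library for the contents sees: an encrypted member cannot be opened without the password, so it is skipped and the archive is reported clean. The "executable" payload and the zips are constructed in memory; `mark_encrypted` only sets the flag bits to simulate a password-protected archive and leaves the data in the clear.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory header signature
FLAG_ENCRYPTED = 0x0001      # bit 0 of the general-purpose flag
METHOD_STORED, METHOD_DEFLATED = 0, 8
MZ = b"MZ"                   # DOS/PE executable magic, checked regardless of file name

# Constructed sample payloads (not real malware): anything starting with MZ counts
# as an executable here, and "EVIL" stands in for an AV signature.
FAKE_EXE = b"MZ\x90\x00" + b"EVIL" + b"\x00" * 60
PLAIN_TEXT = b"Quarterly numbers attached.\n"


def build_zip(name, payload, compress=False):
    """Build an in-memory zip holding one member (constructed test data)."""
    buf = io.BytesIO()
    method = zipfile.ZIP_DEFLATED if compress else zipfile.ZIP_STORED
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' bit in every local and central header.
    This only simulates a password-protected zip; the member data stays in the clear."""
    data = bytearray(zip_bytes)
    for sig, flag_offset in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
            struct.pack_into("<H", data, pos + flag_offset, flags | FLAG_ENCRYPTED)
            pos = data.find(sig, pos + 4)
    return bytes(data)


def inspect_zip(zip_bytes):
    """Walk the local file headers without the zipfile module.
    Returns one dict per member: name, encrypted flag, and whether the content
    starts with MZ (None when the member is encrypted and cannot be examined)."""
    findings = []
    pos = zip_bytes.find(LOCAL_SIG)
    while pos != -1:
        (_sig, _ver, flags, method, _time, _date, _crc,
         csize, _usize, fnlen, exlen) = struct.unpack_from("<4sHHHHHIIIHH", zip_bytes, pos)
        name = zip_bytes[pos + 30:pos + 30 + fnlen].decode("utf-8", "replace")
        start = pos + 30 + fnlen + exlen
        raw = zip_bytes[start:start + csize]
        encrypted = bool(flags & FLAG_ENCRYPTED)
        is_exe = None
        if not encrypted:
            if method == METHOD_STORED:
                head = raw[:2]
            elif method == METHOD_DEFLATED:
                head = zlib.decompressobj(-15).decompress(raw, 64)[:2]
            else:
                head = b""
            is_exe = head == MZ
        findings.append({"name": name, "encrypted": encrypted, "executable": is_exe})
        pos = zip_bytes.find(LOCAL_SIG, start + csize)
    return findings


def gateway_verdict(zip_bytes):
    """The mail-filter rule: block password-protected archives outright, and block
    archives whose members look like executables no matter what they are called."""
    for member in inspect_zip(zip_bytes):
        if member["encrypted"]:
            return "block: password-protected archive (%s)" % member["name"]
        if member["executable"]:
            return "block: executable content in %s" % member["name"]
    return "allow"


def naive_av_scan(zip_bytes, bad_signature=b"EVIL"):
    """A scanner that relies on the zip library: encrypted members raise
    'password required', get skipped, and the archive is reported clean."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                data = zf.read(info.filename)
            except RuntimeError:  # encrypted member, no password
                continue
            if bad_signature in data:
                return "infected"
    return "clean"


if __name__ == "__main__":
    cases = {
        "renamed exe": build_zip("report.doc", FAKE_EXE, compress=True),
        "encrypted exe": mark_encrypted(build_zip("photos.exe", FAKE_EXE)),
        "harmless text": build_zip("notes.txt", PLAIN_TEXT),
    }
    for label, z in cases.items():
        print("%-14s gateway=%-48s naive_av=%s" % (label, gateway_verdict(z), naive_av_scan(z)))
```

Run as-is, the renamed executable is caught by the content check in both scanners, the harmless text passes both, and the password-protected archive is the case that separates them: the header-level rule blocks it on the flag bit alone, while the library-based scan reports it clean because it never gets to look at the payload.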

It will be interesting to see how (and if) the anti-virus guys figure out how to sense this technique, and how effective their defense will be. If you have any ideas, mail them by using my mailbox icon down there.

I spent about the last hour of the day playing around with the FIND command in a batch file to look at the mail log file. I wanted to search for occurrences of some text in a log file. It was useful only as a learning experience. It certainly wasn't as complex as the batch files that John Dominik uses, though.

(Later)

I just noticed that McAfee released a second update (DAT) today (Tuesday). The 'readme' says that it was released due to the increased prevalence of the "Bagle.J" variant, which I believe is the one that was causing problems. I'll have to test out that version to see how effective it is with the ones that I am catching.

Although the latest DAT might catch "Bagle.J", there is the problem of the 'zero-day' infection. How do you protect against viruses that the AV vendors can't sense?

Wednesday, March 3, 2004

Interesting about the 'virus wars' that are going on. The Netsky and Bagle authors are fighting amongst themselves. And new versions are coming out almost hourly. In the meantime, the '4333' release of virus defs from McAfee seems to be able to detect the password-protected zip files that the Bagle virus sends out. And in the middle of this fight, the Netsky virus tries to fix/remove the Bagle and MyDoom viruses.

I still think that the virus writers ought to go after the spammers and leave the rest of us alone.

Or, as the folks at the Internet Storm Center say:

char msg[] = {0x47, 0x72, 0x6F, 0x77, 0x20, 0x75, 0x70, 0x21, 0};

Although the 4333 release of McAfee virus defs (and those from other vendors) can catch the password-protected virus of Bagle and others, that doesn't protect you from the 'zero-day' viruses. These are the ones that the anti-virus guys haven't figured out how to block or sense. And until they do, they might be able to get through your defenses. That's why blocking of executables is an important layer of defense. Some companies are also blocking ZIP files, even if they don't have passwords.

On other matters, we're working on a new enterprise-wide software update server. That project is being fast-tracked, and should be in place really soon. We're also fast-tracking another protection process, which I can discuss after it's in place.

We're also working on a wireless protection project. One of the aspects is a 'walkabout scanner'. The plan is to use a PDA with a wireless card to sense rouge wireless networks (later...see below). One option is using an iPaq with something like "MiniStumbler". Another option is a Sony Clie with built-in wireless, and a simple wireless connection detection. I'm not sure which will be best, so am open to suggestions.

Thursday, March 4, 2004

Sometimes (although it could be argued that "all the time" is more accurate) the proofreading process here fails. Consider this point (submitted by John Dominik, who lives in a slightly frigid area):

"The plan is to use a PDA with a wireless card to sense rouge wireless networks."

Really? I had no idea that makeup on wireless networks was a problem. ;-)

Or was that "rogue wireless networks"?

Um, yeah. I'm sticking with the dyslexic keyboard excuse.

Friday, March 5, 2004

Interesting article on Wired about a device called the "Pocket Vault", which is about half the size of an iPaq and can store information about all of your credit cards. When you want to use one of your credit cards, you tap its icon on the screen, and a card pops out that has your credit card's logo with all of the encoded information from your real card on that temp one. You take the temp card, run it through the store's card swiper, and off you go. The Pocket Vault has a fingerprint sensor (like the iPaq, I think) so only you can use it, and the temp card is only good for about 10 minutes until it blanks out. It sounds quite intriguing, and is supposed to be available early next year with support from the banks and credit card guys. It's all explained in the Wired article; the company's web site is here, with pictures and other information. It looks pretty cool.

I worked some more on the Win2K Server security policies. It will be an "inf" file, with companion instructions on how to securely set up a Win2K server. It will also be used to audit those servers.

I have an older laptop at work that has an 18G hard drive. I initially set it up with three partitions: Win2K Pro, Win2K Server, and Win2003 Server. I used the server ones to test security settings, and to get familiar with how Win 2003 Server works (pretty nice, btw). The Win2K Pro installation is where the BindView auditing software lives. I use that to audit various settings, mostly on the Novell network side.

The hard disk is not big enough to hold all three operating systems, and still have room left over for other things that are needed. So I decided to get rid of the Win2K3 partition so I could expand the Win2K Pro partition. I booted into Win2K, then used Computer Management to delete the Win2K3 partition. Then I edited the boot.ini file to remove the reference to the now-deleted partition.

Another reboot, then installed Partition Magic to resize the Win2K Pro partition. That was all that was required. The Win2K Pro partition has enough room on it now that I can start using BindView again for some more analysis of the Novell NDS tree. I started a few of the reports this afternoon, and will take a look at them next week.

After work, we stopped by WinCo (big food store) for groceries. It is conveniently located right next to Lowe's, so Pam did the grocery store thing while I wandered around Lowes. I picked up a couple of things I'll need for when I go over to the in-laws' house to start on the garage. The plan is to get a few things off to the thrift store to make some room for starting to go through various odds and ends in the garage. I plan on stopping by the Dollar store to pick up a bunch of small plastic wash basins (about the size of a kitchen sink), and use those to organize things that we'll try to sell in the big spring "Guy's Garage Sale".

There's also a few things to finish up from last Saturday. Two of the new door latches don't match the hole in the door frame, so I need to do a bit of trimming for that. I picked up a set of inexpensive wood chisels to help out with that. I also got a small voltage sensor, the kind that senses the voltage from the outside (no bare wires). The living room in that house is a step down from the rest of the house, and there is an electrical outlet right in the middle of the step that has been damaged, so I need to cover it up. I'd always wanted one, and it was only $8.

So, it will be a bit busy tomorrow. But I enjoy doing the handyman thing. There isn't much of that to do around this house, because it's pretty new.

And now it's time for "Monk". Good show.

Saturday, March 6, 2004

I got a lot accomplished today at the in-laws' house. Their church ward (congregation) sent over the Bishop (leader) of the ward, along with some high school boys and their fathers to do a lot of weed-eating. One of the boys got the Kubota tractor working, and they used that to clear up a bunch of rocks out of one area of the yard. They spent about three hours there, and cut down most of the weeds in the non-lawn area. (They have a bit over an acre of land, not all of it planted with a lawn.)

While they were working that part, I started on the garage. I loaded up the big Ford F-250 (super-diesel) with a load of stuff for the thrift store, and got another pile of stuff ready for the dump. I took the first load to the thrift store, then returned to load up the truck with the dump stuff. Jared (son-in-law) was there by then, so we replaced a couple of the hinges on the door from the house to the garage with a spring-loaded hinge. We also put in a hinge-mounted door stop. Now the door shuts by itself quite nicely. And we used one of the old hinge pins on one of the other doors, which for some reason was missing a pin.

Then we moved to the front door. Last week I had replaced all the door locks (handles and deadbolts), and that door handle didn't match up with the striker hole in the door frame. So I picked up an extra long striker plate (the metal part on the door frame where the latch latches), and Jared wielded the chisel to cut out the spot for the new striker plate. He did a nice and neat job, so now that door latches properly.

Then we tackled the outlet that is mounted in the step down to the living room. The wires in there had come loose, which is a definite fire hazard. A bit of trimming of the wire, new wire nuts, and some electrical tape for extra measure fixed that. I bought a blank (no holes) cover plate for there, but since the outlet box is surrounded by carpet, I will need to get some longer screws to get the face plate mounted. In the meantime, the wires are safer now. I'll get that done next weekend.

A final job was to replace the sink sprayer handle, which had developed a small crack in it. That was a simple fix, and now the sprayer is working nicely. The kitchen really needs an overhaul, but that's a major decision. The house and property have a good value (especially in our high-priced market), but Pam's mother is not ready to make that decision yet. It's way too soon, and there is no time pressure.

Then it was time to drive to the dump, which was a bit busy. The weather today was excellent, sunny, warm, and I think that it got above 70 degrees (F). So it was a nice day to be working outside. Everyone is cleaning up their yards, so there was a bit of a long line at the dump. They are quite reasonable, though, charging only about $12 a "yard" (which is about the size of a full-size pickup bed up to the top edge of the bed).

I got home about 5pm, where the grandkids and Pam were off to the neighborhood park. We decided to do a short babysitting job while Jared and Christine went out for dinner. We had a nice time at the park, with slides and stairs, and a long session at the swing set.

Then home to dinner (meat loaf, red potatoes, green beans, biscuits), then watching some kid shows on TV and playing with the toys until Jared and Christine returned from dinner. They left about 8pm, so I'm doing this (and a bit of web surfing) while Pam falls asleep on the couch watching "Trading Spaces".

So, a productive day. Hope yours was as well.

... more later ...

Entire Site Contents Copyright (c) 2000-2004    Two Bridges Group,   All Rights Reserved