Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Sunday, February 27, 2005

I spent part of yesterday cleaning some junk out of my little truck. Among other things, there were three flashlights in there. There was a big two-D-cell battery, and two small AA-cell pocket types. One out of the three worked; the other two needed fresh batteries.

So I moved them all to my workbench in the garage, and got out the battery tester to check all the batteries. It turns out that all three needed fresh batteries; always a good thing.

But while I was checking out those three flashlights, I looked up at the top shelf of the workbench, and saw three more flashlights. And that got me to thinking about all the other flashlights around here.

Let's see:

Hmm. Is the plethora of flashlights a "guy thing"? Now that I think about it, each trip to the local home center or hardware store or auto parts store always has me looking at new flashlights. And I sometimes buy another set; after all, you can't have too many, can you? They do come in handy during power outages or poking around dark places while working on the car.

Power outages. Let's see. I've been at this house for almost two years. It's in a pretty new subdivision with underground utilities. We don't live in a severe storm area. (Well, there was the small F0 tornado last week, and it's raining tonight.) I think that I recall the power flickering once. Never did go all the way out.

I'm always looking for a brighter flashlight. For instance, the flashlights you see on CSI. They seem very bright with a beam that is uniformly bright. Can't tell what kind they are, though. Are the brighter ones LEDs? Is there a flashlight brightness scale? Or does someone have comparative reviews of flashlights? How many lumens are needed?

Yeah, it's a 'guy thing' -- "my flashlight is brighter than yours"....

Monday, February 28, 2005

Early last week, our mail filter system at work blocked an interesting phishing email. It used a technique that I hadn't seen before.

Most phishing emails try to 'social engineer' you into clicking on their link in the email. They claim to need to verify your credit information, or they have noticed unusual activity on your account. They helpfully include a link in the email that will get you to the verification page. The link in the email looks like one from your bank, but clicking on it brings you to the phisher's "log-in" page. A sample of the process is in my "Phishing Report".

The technique uses an 'on mouse over' command. This command is used to display a message on the status bar of your mail or web browser -- the status bar area is usually at the bottom of the browser screen. The status bar normally shows the link that is specified in the "a href" command. You can use that status bar message to verify the link. So the status bar will show the page of the link -- try it with the "Phishing Report" link. You should see the value of

http://www.digitalchoke.com/daynotes/reports/phish-1204.pdf

So, you would assume that you would go to that page if you clicked on the link.

With the "mouseover" command, you can change the message on the status bar. Look at this "Phishing Report" link. You should see the text "Hello there!" -- even if your browser doesn't have all the latest security patches. (Note that a fully-patched IE will show "Hello there!"; FireFox 1.0 shows the actual URL. And since IE has such a large share of the market, the phisher has a good chance of catching the unwary.)

So, as a phisherman, I want to create a message that has a link to a bank. And I want to change the status message to show the link to the bank's site. But I want the click on the link to go to my phishing site. For example, this link to http://www.mybank.com/login.htm should go to the "My Bank" bank site. Notice that when you move the mouse over that link, the status bar shows that link, but if you click on that link, you'll get to the "Phishing Report" page.
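A mail filter can catch this mismatch mechanically. The sketch below is an added example, not code from the original post or from any filter product: it parses a message body and flags links whose status-bar text or visible text names a different host than the href. The `phish.example.net` host and the sample message are constructed, and `window.status` is assumed to be the property the mouseover handler writes to.

```python
# Added example: flag links that show one host but click through to another.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

class LinkAuditor(HTMLParser):
    """Collects one record per <a href> with the URLs shown to the reader."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "a" or not a.get("href"):
            return
        # URLs the mouseover handler would write into the status bar
        shown = URL_RE.findall(a.get("onmouseover") or "")
        self._cur = {"href": a["href"], "shown": shown, "text": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            # URLs typed out as the visible link text
            self._cur["shown"] += URL_RE.findall(self._cur["text"])
            self.links.append(self._cur)
            self._cur = None

def audit(html):
    """Return (href, shown_url) pairs where the two hosts disagree."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    return [(l["href"], s) for l in p.links for s in l["shown"]
            if host(s) and host(s) != host(l["href"])]

# Constructed sample message body (not taken from a real mail)
SAMPLE = """
<p>Please verify your account:
<a href="http://phish.example.net/login.htm"
   onmouseover="window.status='http://www.mybank.com/login.htm'; return true"
   >http://www.mybank.com/login.htm</a></p>
<p>Our report: <a href="http://www.digitalchoke.com/daynotes/reports/phish-1204.pdf">Phishing Report</a></p>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The first link is reported twice, once for the status-bar string and once for the visible text; the plain "Phishing Report" link shows no URL of its own and is not flagged.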

Once you (the "phishee") get to the login page, the first thing I (the "phisherman") will ask for is your login name and password. The next page will ask for additional information (like the one shown in my "Phishing Report").

One technique you can do to verify a login page is to enter a phony login name and password. If the phisher accepts the entry, then you know that you are on a bogus site. That's what I did with the pages in the "Phishing Report". No matter what I entered on the initial login page, the phony login name and password is accepted.

Which brings me back (it was a long trip) to that email. A special user validation script is available for eBay user names. The script allows you to verify an eBay user name from your own site just by doing a query against the eBay site.

The phisher used this script in their "eBay Login Page". The page looks just like the eBay login page, but it is hosted on the phisher's site. If you don't enter a valid eBay user name and password, you get a 'login failed' page. Which might lead you to believe that you were on the eBay site, so the phisherman can ask for more information (credit card, PIN codes, etc). And the phishee is on their way to some identity theft or financial fraud.

The result is that a login page that looks like eBay will verify your eBay user name and password - and store it for future use by the phisherman. All of that made possible by a simple script that eBay makes available to anyone.

Be careful out there.


... later ...

It occurred to me (and to Karl L, who took the time to write a note to me) that one might infer that eBay is at fault here. I wasn't trying to make that point. It is just that a process that is available to legitimate users of eBay (their merchants) can also be used by nefarious people (the "phishers").

Email is a wonderful way to keep in touch with others. But it has been abused to the point that we have to spend much time and money dealing with all the spam that we get.

eBay is not the culprit here, any more than a tree is responsible for allowing a stick to be used by a bad guy to smash a window to gain access to your house. There are protections that we have to put into place in this society to protect ourselves. We have locks on our doors, alarm systems, dueling rattlesnakes (like fellow "Daynoter" Robert Thompson), or weapons that are used for our protection. Even with all of that, we need to be careful. You don't wander around the bad part of town with $100 bills hanging out of your pocket.

You need to be careful with your use of your computer. And you need to help others be careful. Which is why you see those "Simple Steps" reports at the top of these pages to help you protect your computer.

So, protect your computer. Educate your family on how to avoid trouble with their computer. User education is important to ensure safety.

Tuesday, March 1, 2005

A welcome to new visitors. I hope you find this place interesting. I don't have a large readership, but each of you is intelligent enough to visit at least once. I hope you become as regular as Metamucil (uh...visit often).

You might also look at the various reports up there at the top of the page. In particular, share the "Simple Steps" advice with your friends and relatives that might need the help. Send them the links, since I do make minor changes occasionally.

You have probably noticed that FireFox has come out with version 1.01, which fixes a few important security risks and problems. If you have used FF, you might have noticed the "Check for Updates" choice in the FF menus. (It's in Tools, Options, Advanced, then the "Software Update" section.) I recall that both checkboxes (for FF and extensions) are enabled by default.

On that screen, there is a button that says "Check Now". If you have version 1.00, go ahead and click it. You'll get a message that says "Firefox was not able to find any available updates". Hmm .... that must mean that my copy of FF 1.00 must be current.

Sounds to me like a false sense of security. And it turns out that FF doesn't have the infrastructure in place for automatic updates, so the button doesn't work. Note that the message doesn't say "Sorry, update checking is not available at this time. Please check our web site." Nope, just that "there aren't any updates now".

That's not to say that the FF 1.01 update is not available; it's just that you have to manually go out there and get it. And the update information (last time I looked) doesn't make it clear if you can "over-install" 1.01 on top of 1.00, or if you have to uninstall/reinstall. Or if all your settings will survive an update. I suspect that any customized settings will endure through the update, but it's not clear.

Regular readers (yes, including you three in the back that use Metamucil) will know that I am a firm believer in automatic updates. It's a recommended setting in the "Simple Steps" reports. Around here, my computers do an hourly check for anti-virus updates, and a daily check for updates from Microsoft. And those automated updates work. (Yes, I know that the MS Office updates are manual, although that will change within a few months.)

But I'd think it would be important for FF to at least be a bit more truthful when you hit the "Check Now" box.

Wednesday, March 2, 2005

Dr. Jerry Pournelle had a reader that reported (link to his site) that Microsoft's Anti-Spyware program detected FireFox as a "Spyware Threat". Hmm ... I've got FireFox 1.01 on my system, along with MS Anti-Spyware Beta 1. And it was not the case on my system. I even ran a full scan. Here's my screenshot (opens in a new window, as usual). Notice that Firefox is running in the background, with MS Anti-Spyware in the front.

Looks like a bogus report to me, although visually believable. (I'm not going to get into the philosophy of that report.) (Later...well, it turns out it was a hoax...and it fooled me. Looked valid, didn't it?)

Continuing on the FireFox subject, Jerry B sent a note that he was able to uninstall FF 1.0 and install FF 1.01 via "add-remove programs". He found no problems with that technique.

So, I did an upgrade to FF 1.01 without an uninstall. It went just fine, as far as I can tell. I just had to tell ZoneAlarm that FF 1.01 was OK.

And I noticed that someone on one of the security mailing lists says that FF's auto-update is working, at least in his area. Before my update, I tried it again, and it still doesn't work here. Perhaps in a few days the auto-update process will work here in sunny Northern California.

Thursday, March 3, 2005

Several items today; sort of a "Thursday Clean Up".

Let's start with the bogus screen shot of the MS Anti-Spyware program "detecting" Firefox as a dangerous program. Although the screen shot was cleverly done, some thought that an indication of the hoax was the different URL for the link: http://surl.se/fzi .

The ".se" might not look right, although it is a valid "top level domain" (Sweden). The "se" domain is run by "NIC-SE", which bill themselves as "NIC-SE operates the national top level domain for Sweden .SE".

It is a valid site, though. It's a place where you can take a very long URL (web address) and turn it into a short one. It's a very handy service, and free. Another place that does it is "TinyUrl" (at www.tinyurl.com).

But it's not as benign as it seems, I think. I looked at the source code behind that link, and there seem to be a few concerns:

These are probably not intrusive, but interesting.

The "TinyURL" site is a bit different. All they do is redirect you to the actual page. So this URL http://tinyurl.com/56dn4 really goes to this page (which I had to split because it was too long)

http://choicepoint.com/choicepoint/joinus.nsf/483e0d1e56144e25852569ab0065ebeb/
5a08bc1d813f6c5e85256e70005ec7b5?OpenDocument

And an analysis of the TinyURL site doesn't have any extra stuff on it, just an effective immediate redirect to the desired page.

So, I'll stick with TinyURL.


On to the subject of FireFox updates. Several readers (yes, I do have 'several readers') are noting that their copy of FF is telling them that updates are available. Others report that the "Update" button is working for them. And there is this quote that was passed along by David:

"The foundation had kept the feature from reporting the existence of this update because of concern that 25 million people downloading the update simultaneously couldn't be supported by the existing infrastructure. This problem was apparently solved by Mar. 1, and checking for updates now reports that 1.0.1 is ready."

They must be gradually rolling it out, since it hasn't hit my area yet. I don't get the notice of an update, nor does the update button report on an available update.

But my main complaint is not that updates are available (or not available), but that if you used the "update" button in FF, it would tell you that there were no updates available. And that the update button doesn't appear to work. Even if updates are available, it's not clear how or where it checks. My copy still says that updates aren't available. So it appears that updates are randomly available.

From their statement, it appears that the 'foundation' was obscuring the availability due to infrastructure concerns -- not enough bandwidth. It would seem that they should have planned for that bandwidth load when they were getting ready to release the update.


I've gotten a few responses to my musing on flashlights. Rob reports that

I'd like to mention that in my truck, I have a 3D Mag and a hand-held spotlight that plugs into the cigarette lighter, as well as new jumper cables with a built-in light. My key ring has two LED lights; one built into the house key, and one slim "Garraty" that's almost as bright as a Solitare Maglite but easier to use -- just push the button; no twisting necessary.

He also notes the specs on the MagLite line of flashlights

Then he tells me about the "Inova X-5 LED" rated at 96 lumens/m2:

If you've ever wanted to be visible from space, the amazing Inova X-5 is your best shot. This top-of-the-range torch features an anodized 2011 aircraft aluminium case and 5 LEDs pumping out 96 lumens/m2. Virtually indestructible, the X-5 is waterproof to 150 feet and comes complete with 2 lithium 123a batteries offering roughly 20 hours illumination. Available in black or titanium finishes.

Hmmm....a quick search finds a list price of $50, but available as low as around $40. One site says "As seen on CSI". Specs include

The powerful INOVA X5 hand-held LED flood-light (4" long). Designed for the most demanding applications, this flashlight offers you the quality spot lighting you need after dark or in low light situations. The INOVA X5 uses five powerful patented LED lamps to project a high quality beam that provides maximum contrast at night or in surrounding darkness. This White LED Titanium Anodized Floodlight has a 2 mile visibility radius, 120' effective range, 110,000+ hour lamp life; waterproof to 150', 2000+ pound crush resistant; a tactical push switch(with holster); machined grooves for enhanced gripping surface; industrial applications to locate UV leaks and other substances that show up under black light; two 10 year shelf life lithium batteries. Operating range -30º to +60º C.

And Barry told me about the www.candlepower.com (oops.... http://www.candlepowerforums.com) site. A bunch of flashlight techies live there. Barry says "Be prepared to spend/waste LOTS of time (and possibly money) there."

Have to think about this. It might be time for a new toy.

Friday, March 4, 2005

Did you notice that today is "3-4-5"? And does that mean anything, other than being a bit geeky to notice it?

A correction about the flashlight site mentioned here yesterday; I got it wrong (now corrected up there). The correct site is here http://www.candlepowerforums.com. Thanks to Donald M for pointing that out.

And SANS "Internet Storm Center" is reporting problems with global DNS here. Check back there for more information as this 'story' develops. (That's a good site to bookmark, by the way. It's one of my daily stops.)

A bit rainy today, but the weather dweebs say it should clear up for the weekend. Which is more than I can say about my sinuses, having started my usual "change of season" cold. Right now, at the scratchy throat stage, with mild congestion. I'd planned to do a bit of yard work out back, mostly spreading out some new shredded bark for ground cover. We'll see how that plan works out.

Sudden thought ... Did the DNS poisoning start at 12:34 on 3-4-5 (GMT)?

Excuse me while I find my tin-foil hat....

... more later ...