Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happening and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Back from a week's vacation to Dan Seto's home state - the island of Maui (although he lives on Oahu). Very relaxing. Got a condo (called Mahana, highly recommended) on the beach on the west end of Maui as part of the package deal ($2800 for two, air fare and condo). Nice one-bedroom condo with kitchen and washer/dryer, and a killer view of the ocean that is just 40 feet from the lanai (back porch). The condo has wireless access, but (much to the surprise of Pam), I didn't fire up the laptop until Wednesday (we arrived the previous Friday). Did the usual tourist stuff: the "road to Hana" (very nice), walks along the beach (warm water), visited the town of Laihana (lots of touristy shopping with a few historical places), the Aquarium (pretty good), and a bit of driving around in the convertable PT Cruiser (nice, but no trunk due to the soft top).

We were up on the fourth floor of the condo, so had a nice view of everything (including a pod of dolphins one day, and a seal, along with the almost daily rainbow). The beach there is sandy and narrow, but offshore is a bit rocky with coral, so not much beach activity or crowds. The weather was nice (temps 70's to 80's, not much humidity, partly cloudy most days). I was watching the local weather dweeb's 10-day forecast one night: all ten days were just about the same, which made me think that being a weatherperson in Hawai'i might be quite easy.

While I did a bit of web surfing there, these items caught my eye when I wandered through my email on returning. Lots of it is may be old news by now, but perhaps you will find an interesting link or two.

I usually don't like to put a bunch of links in these pages. I don't like 'blogs' that consist solely of links to other places. But I'd bet (virtually, of course) that you find at least three links in here that you'll click on. (Note that all links will open new windows, as is the normal practice around here.)

This first "pile of links" is from the SANS group (newsletter subscription info at the end). I like this newsletter because of the comments that are attached to some of the items.

Microsoft has a good newsletter for home users. Your "Aunt Minnie" might find this info helpful. Subscribe here: <http://go.microsoft.com/?linkid=4188980>. As an example, here's the links for the articles in the one I got last week.

That's the end of the "pile of links". Did you find three that you clicked on? (Did you even get to the bottom of this list?)

Tuesday, November 15, 2005 mail link the story

Reports today in several places about continuing problems with the Sony rootkit. Using their web-based uninstaller appears to open some major security holes in your system. This is a developing story as I write this (800am PST), so further details will be forthcoming.

USA Today is reporting that Sony will be recalling any unsold CD's with that rootkit. The executable-based (downloadable) uninstaller may not have the security problems; this is not quite clear now.

Readers who want to check for the existence of the root kit can use Notepad or similar to create a text file with a filename that starts with "$SYS$". Save it in a known folder, then use Windows Explorer to list files in that folder. If you don't see the file, then you've got the root kit. If the file is there, then the root kit is probably not there (or has been modified).

If you have the rootkit installed, I'd recommend leaving it there for now, but ensure that your anti-virus is current, and be careful (as usual) about "helpful" programs attached to email messages. And I'd install the MS Anti-Spyware program (even in beta form), since there are reports that the next update of that will safely uninstall the rootkit. It appears that current anti-virus programs will detect viruses that try to use the rootkit's ability to hide $SYS$ files.

There's a developing backlash against all Sony products. It may be that this is Sony's "Tylenol" issue, and they don't appear to be handling it very well. (Sony executive: "Most of our customers don't even know what a rootkit is"...so it must be OK to install one, I guess.)

Link to research on the security vulnerability of the web-based uninstall: http://www.freedom-to-tinker.com/?p=927 . Washington Post "Security Fix" column: http://blogs.washingtonpost.com/securityfix .

The "Security Fix" link has some links that list the CD's with the rootkit; there were 47 at last count (more than Sony is admitting). There's also a link to a guy that claims there are 1/2 million computers with that root kit installed. Since the rootkit 'phones home' when the CD's music is played, he looked at the DNS servers to see how many computers are doing a domain lookup for the rootkit's home site.

There's also a new round of "Sober" virus emails making the rounds today. Protection from your favorite anti-virus vendor may be slow (McAfee is aiming for an update tomorrow, but it may come sooner). At the office here, we block all incoming executables, and have already seen a couple of the new variant. Blocking executables is a great way to prevent the 'zero-day' virus outbreaks. For home users, keeping your email client current should help; as will a rule to block executable attachments. My Outlook 2003 seems to detect most of the incoming junk mail. Of course, I've got Microsoft Update set up for automatic updates.

Be careful out there.....

Wednesday, November 16, 2005 mail link the story

"All my base belongs to Google" (see http://base.google.com/base/search?authorid=1028662).

Yep, Google has gotten into the 'classifieds'. So I posted a couple of entries there to see how it works. Not too bad. I put up three items (two trucks and a trailer), but the above link (which is "all items from Rick Hellewell") only shows the two trucks. Not sure why that is; if you do a search on GoogleBase for "Komfort" (the trailer make), the trailer entries comes up.

And since I put a URL in the entries, the link brings you to the pages here. Although there is a URL for the actual item, it's not "linked"; you have to do a manual cut/paste of the URL to see the GoogleBase entry.

But it was interesting to try out. No responses yet; the listings last for 31 days, so we'll see if I get any response.

On the security front, more "Sony fallout". They are getting hammered pretty hard in the press (rightly so). If they don't handle it right, this will be as bad as the "Tylonal" problem of several years back.

And what do you do if the Sony rootkit is installed on your computer (see above for how to tell)? It's not entirely clear yet, although the folks at F-Secure say this (remember that links around here open up new windows):

The Sony DRM case seems to be getting more and more twisted. Our readers might be wondering what the actual risks are at this point and what they should be doing about them. Here's a short recap.

If you have the Sony DRM with the rootkit (aries.sys) still active, you should consider getting the update to remove the rootkit. Do this by using the standalone executable available here. There are already several malware variants that try to hide with the help of the Sony DRM cloaking.

After this you're left with the rest of the Sony DRM software, which might be vulnerable to local privilege escalation attacks reported by ISS X-Force. To remove the DRM software entirely, you will have to wait for Sony to fix their uninstaller and carefully consider using the new version once it's released.

If you have already used the ActiveX uninstaller that was available until Sony stopped distributing it, you are vulnerable to a remote code execution attack. You should remove the vulnerable ActiveX component. If you want, set a kill-bit for it (the CLSID is {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}) just to be sure.

I'd sit tight for a bit on removal. Install Microsoft's Anti-Spyware program, then let it take care of it. In the meantime, make sure your anti-virus and Microsoft updates are current.

(later)

Jerry Pournelle's mail blog (a few pages down; BTW, there's some interesting ongoing discussions of Google Print and copyrighted works) had a posting from an anonymous reader working for a state government say that their IT staff says that the Sony rootkit had infected servers and workstations there. I sent along this note:

Regarding your entry in Wednesday's mail from the anonymous state employee and their IT dept claiming that "our servers and workstations have been infected with Sony's rootkit DRM" .

It is true that the Sony rootkit 'phones home' almost continually during music playback (every 30 seconds, I think, which causes some high utilization on the user's computer and some extra web traffic). The "phone home" sites are http://connected.sonymusic.com , http://updates.xcp-aurora.com and http://license.suncom2.com , if you want to check your web logs.

But a Sony rootkit-infected workstation will *not* infect *other* workstations or servers. If the rootkit got on a server, it was because somebody played a Sony CD on the server and allowed the rootkit to install. The rootkit will only infect the computer that the CD is played on.

There are several Trojan viruses being emailed that will are using the same technique of hiding their malware files, and that malware will infect other systems through the usual means (along with installing additional programs and keystroke-catchers, etc). But you have to install those Trojans by opening an executable attachment.

Readers might try wandering over to the "Boycott Sony" blog here: http://www.boycottsony.us . And the F-Secure (antivirus) folks have recommendations on what to do if your computer has been "0wned" by Sony here http://www.f-secure.com/weblog/archives/archive-112005.html#00000709 .

As for me: the usual precautions: current OS and anti-virus updates, don't open attachments, and be careful about installing software.

Be careful out there.....you could be eaten by grues.

... more later ...
Last Week	Next Week	Prior Weeks	mail	bookmark	The Digital Choke story	Visitors

Digital Choke Daynotes

What's a Daynote?

Reports

Monday, November 14, 2005 mail link the story

Tuesday, November 15, 2005 mail link the story

Wednesday, November 16, 2005 mail link the story