Spam

I don’t get it. Spammers hit this blog with spam every single day. Almost all of it comes in the form of trackbacks for things like brand name drugs, sex sites, and random names of famous people. When this first started happening, I didn’t know how to handle it. Every little thing made it onto the site, and with the default WordPress install I couldn’t figure out any way to hold it so that the three of you who actually visit this site wouldn’t be able to see it all.

In the last 24 hours alone, there were 606 spam trackbacks. That’s definitely the highest number I’ve noticed so far. Thanks to the Spam Karma 2 plugin, not a single one of them made it onto a viewable page of this site. And that’s why I don’t see the point in sending me this crap. Why bother spamming a site that gets zero traffic and zero spam views? Maybe they just enjoy wasting my time. Well, guess what? It takes me about 30 seconds to delete all that spam, and if I wait long enough, Spam Karma will do it for me. So they aren’t even wasting my time. So what’s the point?

Edit: I should point out that the default WordPress install does include the plugin Akismet for combatting spam; it’s just not turned on by default.

Fighting Fax Spam

I guess I didn’t realize that junk faxes were a major problem, but I guess I shouldn’t be surprised. It’s not really any different from bulk mail or spam email. The Washington Post has a pretty humorous article about the ways people battle the junk fax.

For many home fax machine owners, the junk-fax pandemic has grown into an annoyance equivalent to telemarketing at its worst — before the National Do Not Call Registry struck a blow for privacy and sanity. These dastardly faxed commercials typically break federal law. Like spammers, junk-faxers broadcast the same message to millions of fax machine numbers at once. And more often than not, the faxes promote scams not worth the paper they’re printed on.

I particularly like the lady who taped sheets of paper together to form a loop of paper for a continuous dark fax. It’s too bad there’s not a way to cost email spammers money for their sins.

Catch Up

With all the extra work I’ve been doing from home I’ve gotten really behind on a lot of the news I usually follow. I haven’t been watching the Daily Show as much (there’s a new Supreme Court nominee, what?), and I’ve been missing out on some tech news stories I might otherwise have talked about. So here’s where I catch up.

  • It looks like Warner Brothers is going to offer classic TV for free. They plan to launch an ad-supported service called In2TV early next year. Almost 5,000 episodes will be made available in the first year with older shows like The Fugitive and Maverick to more recent ones like Babylon 5. They’re saying the system may even use peer-to-peer file-sharing technology, acknowledging that it does indeed have legitimate, legal uses. I think this is a great idea. I only sort of understand the big three’s motivation to sell their current content after it airs, but I think there’s only a limited number of people wanting to buy TV, when they can record it for free and oftentimes put it into whatever format they want (if they’re willing to work for it). Keeping it free allows people to enjoy the TV they want, when they want it, and get it delivered in a manner convenient to them.
  • Two teams of engineers decided to try to test the genius of Leonardo Da Vinci. We’ve all seen his drawings of a flying machine, but what about an 80-foot weapon designed to defend castles? Well these engineers set out to build these machines, staying as close to Da Vinci’s specs as they possibly could. The results are pretty sweet!
  • Every Playboy Centerfold from 1988-1997. It’s not what you think.
  • A portable Nintendo 64!
  • This is exactly why I want a Digital Rebel.
  • Sony:
    • First attempt to make up for their mistakes. This took entirely too long.
    • Sony apologizes. Wait, they call that an apology?
    • Here’s a pretty good article summing up the rootkit issue. It also goes into detail on how computer security companies have reacted (poorly). Interesting that tech blogs have done more to protect consumers than Sony, Microsoft, or antivirus software makers combined.
    • The company continues to have problems.
  • Marines get a new weapon. Just check out the photos.
  • Boeing is introducing a bigger and better 747 model. Check out the two interior pictures under Innovation. I like the site design but they overlooked some critical problems (zoom in on a picture and you can still click on the images under it).
  • AIM decided it was going to add some bots to my buddy list. It didn’t ask me if I wanted to add them now that they were available, it just did it without my permission. I deleted them immediately, because frankly I don’t need a bot to tell me when movie showtimes are. I know how to use the internet to find out on my own. This is just another example of why I’ll probably dump AIM soon and move to Trillian or some less annoying app for my instant messaging needs.
  • I saw this article while I was sitting in the waiting room at GHC, waiting to have the pressures checked in my eyes (a strange story for another time – ever had your vision bounce?). I was hoping to find it online because it’s a pretty cool story. A guy in Minnesota spent 11 years trying to make a colored soap bubble that won’t stain. It’s a fun (scientific) read.
  • A new iPod Shuffle may be on the way. I still think the shuffle is the most disappointing iPod to date, and I still wish they hadn’t killed the mini. It’ll be interesting to see if they can improve the shuffle or just succeed in capturing the low price flash market.
  • Newegg.com is now offering a Trade-in Program for your old computers and tech stuff. I’ve got some older stuff I want to get rid of. This could be really cool. Also, here’s an article about what makes Newegg successful.
  • The next major update to Firefox may come before the end of the month. Sweet.
  • Here’s some bad news for the lowlifes that create spyware and adware. The Senate has passed a bill to make it illegal.
  • Record companies want Apple to change the flat rate pricing scheme of iTunes. Why? Here’s one idea; he makes an excellent point.
  • The first reviews of Xbox 360 are in and the results are so-so. I had a chance to play one the other day, and while it did look nice, I wasn’t overly impressed either.
  • A Zelda movie may be in the works! This is one game I think has enough backstory that it could actually make a good movie.

Whew! I hate getting so far behind.

Sony’s Rootkit Woes

For the most part, I’ve stayed away from this subject because it’s really complicated; much more so than the casual user or music listener really cares about. But it is important and it’s something everyone should have at least heard about. I wanted to have a better idea of what has really been going on before I tried to write about it. Most of the pages linked here are pretty technical in nature, but even if you gloss over the tech speak you can still get the gist. If I’ve misrepresented anything here, please let me know so I can correct it.

Starting some time ago, Sony started manufacturing CDs with new DRM software called XCP from First 4 Internet. The discs require you to install a special media player to listen on your computer, but there’s something more happening behind the scenes. This went generally unnoticed for quite some time, then F-Secure identified the software and finally Mark Russinovich made the problem well known. He ran a scan using some software he co-wrote and discovered evidence of a rootkit on his machine.

Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden.

This was a serious discovery, so naturally he started investigating. What he found was pretty scary. He linked a hidden process to the media player installed by a CD from Sony/BMG.

I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software.

If I read that correctly, it’s scanning active processes eight times every two seconds. What purpose could that possibly serve?

But wait, there’s more. Mark wanted to remove the software from his computer. Sony claimed it was possible, and yet it was nowhere to be found in the Add/Remove Programs list, there was nothing about it on the Sony site (this is no longer the case), no help to be found at all. He took matters into his own hands and found that the software loads even in Safe Mode, meaning if something went wrong, you’d have a hell of a time fixing it. He was able to get it off his computer, only to find that his CD Drive had been disabled.

In the following few days, things have only gotten worse. Mark has made many more interesting discoveries and catalogued it all for us: Dangers and Phoning Home, First 4 Internet Responds, and his Uninstall Experience. I’d include more details here, but he’s already done a great job of that.

I’ve put together a summary of the information I’ve gathered from Mark and other articles on this issue.

  • The EULA does not disclose the software’s use of cloaking and implies that it can be easily uninstalled (it cannot). It hides itself by modifying the Windows kernel without your permission. Sony denies the software poses a security threat.
  • This rootkit can hide the DRM files as well as anything else set up to take advantage of it (think trojans, worms, and viruses). Sounds like a hacker’s dream come true.
  • The hidden software scans your active processes constantly. 240 times per second. No one seems to know why.
  • If you do manage to get the software off your computer it will disable your CD drive.
  • Sony recently announced to the press that they were making an uninstall tool available, though they made no attempt to ensure their users knew about it. It is virtually hidden in the FAQ section of their website.
  • Sony’s “patch” can lead to system crashes and data loss because of the way it removes the cloak.
  • The rootkit has already been used to get around the World of Warcraft anti-cheat software and now new viruses are taking advantage of it.
  • The Sony CD player establishes a connection to Sony’s site and tells them each time you listen to your protected CD. This behavior could be used to record the ID of a CD and the IP address of the person who played it, though there is no evidence of this. However, simply by logging standard server activity this information would likely be collected. Sony says they don’t use it.
  • Uninstalling the software is a chore in itself with several hurdles to jump through. You have to tell them twice that you want to uninstall. Don’t forget the majority of users wouldn’t know they’d installed the software in the first place.
  • The CDs are trouble for more than just Windows users; they affect Macs, too, though the software comes from a different vendor called SunnComm.
  • This move by Sony likely breaks laws in many countries around the world. Sony claims the CDs have only shipped in the US, though this has already proven to be false.
  • A class action lawsuit against Sony has been filed in the state of California. Expect more to follow.
  • For now, Sony has halted production of the CDs but they have no plans to stop including it with their CDs.
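The second point in the summary, that the cloak hides the DRM files "as well as anything else set up to take advantage of it," is what a cross-view comparison exposes: list the same disk once through the running system and once from outside it, then diff the two. The sketch below is an added example, not code from Mark Russinovich or from any tool named in this post; both listings and every path in them are constructed, and only the `$sys$DRMServer` name comes from the quote above.

```python
import ntpath
import os

# Constructed sample listings (illustrative paths, not from a real system).
# LIVE_VIEW: what the running, possibly cloaked, system reported.
LIVE_VIEW = r"""
C:\Program Files\Player\player.exe
C:\Windows\System32\drivers\disk.sys
C:\Windows\System32\notepad.exe
"""

# OFFLINE_VIEW: the same volume listed from rescue media, where no cloak runs.
OFFLINE_VIEW = r"""
C:\Program Files\Player\player.exe
C:\Program Files\Player\$sys$DRMServer.exe
C:\Windows\System32\drivers\disk.sys
C:\Windows\System32\drivers\$sys$cloak.sys
C:\Windows\System32\NOTEPAD.EXE
C:\Games\$sys$unrelated.dll
"""


def parse_listing(text):
    """Map case-folded path -> path as written, skipping blank lines."""
    entries = {}
    for line in text.splitlines():
        path = line.strip()
        if path:
            # Windows names are case-insensitive, so fold before comparing.
            entries[ntpath.normcase(ntpath.normpath(path))] = path
    return entries


def hidden_entries(live_text, offline_text):
    """Paths the offline view contains but the live view never showed."""
    live, offline = parse_listing(live_text), parse_listing(offline_text)
    return sorted(offline[key] for key in offline.keys() - live.keys())


def shared_name_prefix(paths):
    """Longest prefix common to the hidden base names ('' if none)."""
    names = [ntpath.basename(p).lower() for p in paths]
    return os.path.commonprefix(names) if len(names) > 1 else ""


def summarize(live_text, offline_text):
    hidden = hidden_entries(live_text, offline_text)
    return {
        "hidden": hidden,
        # A shared prefix points to a name-based cloak, not random omissions.
        "prefix": shared_name_prefix(hidden),
        # Hits outside the player's folder show the cloak covers other software.
        "directories": sorted({ntpath.dirname(p) for p in hidden}),
    }


if __name__ == "__main__":
    result = summarize(LIVE_VIEW, OFFLINE_VIEW)
    for path in result["hidden"]:
        print("hidden from live view:", path)
    print("shared name prefix:", repr(result["prefix"]))
```

The file under `C:\Games` stands in for unrelated software that borrows the same name prefix; it is hidden from the live view exactly like the DRM files, and the comparison flags it the same way.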

Needless to say, this has people really upset for obvious reasons. I think it’s safe to say this takes the idiocy of DRM to a whole new level of “I can’t believe this.” I guess Sony figured that the only way to make DRM work was to hide it from the user. Maybe someday they’ll learn that you really can’t hide much from the public at all; there’s always a way around (a fundamental reason why DRM will never work). The worst part is that this software opens up a whole new issue with privacy and protection. The fact that Sony denies there is a problem is unforgivable. Their stories change each time new information is revealed which really leads me to believe they never thought anyone would figure out what they were doing. I’m not one to quickly start screaming about boycotts, but I will seriously think twice before I purchase another Sony product.

Thou Shalt Not Blog…

Read:

Students can be suspended for a lot of odd reasons these days — wearing “objectionable” T-shirts, cross-dressing for prom, planning elaborate senior pranks — but a principal at a Catholic high school in Sparta, New Jersey, has added another offense to the list: having a blog.

Ok, stop. I don’t care if this is a private school or not, this is absolutely ludicrous. Who is this guy to say that none of the students at his school can express themselves through a website? I can understand if they want to limit comments made about the school or its staff, and it would be perfectly appropriate to hand out school punishments for violations in that regard. But to say that you can’t even have a blog because of the possibility of exposure to the bad people of the world…give me a break. That’s like saying you should never go outside because there’s a possibility you’ll get a cold that leads to fatal pneumonia. No one can live their whole life inside a box.

What really gets me is that this is an issue for parents, not the school principal. It’s the parents’ responsibility to make sure they know what information their child is putting out on the web, and to teach them what is appropriate and what is not. The school can certainly teach guidelines (and they should), but for a kid to face suspension simply because he writes his thoughts online is shameful. A school trying to instill values into its students for home life is one thing, but actually trying to regulate home life is something altogether different and completely unacceptable.


Computer Security Failing

I just came across a study done by AOL and the NCSA (National Cyber Security Alliance) on security of the home PC. Unfortunately, the results seem to follow an all too familiar pattern.

I’ve been helping people clean up their computers for quite some time now. Personally, I’ve been pretty lucky on the whole and only had a few run-ins with viruses and probably only two of them have caused me much heartburn. However, I’ve seen some really messed up computers and I’ll have to say the results of that little study don’t surprise me at all. It’s interesting that the article touches on who is responsible for internet security: software companies or consumers. I believe the responsibility falls on both parties, but there are some big mistakes being made in the industry that aren’t helping consumers hold up their end.

  1. Most packaged computers come with a free trial of one antivirus software or another. Trials of 30, 60, or 90 days are about the worst idea ever. Don’t get me wrong, I understand the thinking: get a user hooked on your software with a trial so that they’ll be willing to pay for it when it expires. There’s just one problem. The software doesn’t expire in that it stops working, it simply stops updating virus definition files. Therefore when someone tells me they’re having problems with their computer and I ask if they have antivirus software installed, they happily respond “Yes!” when in fact, their software is outdated by a good 6 months or more. By allowing these trials on new machines, consumers are lured into a false sense of security. Meanwhile, their trial quietly expires and the latest virus finds its way onto their computer with ease. “But how did this happen? I just ran the virus scan yesterday and it didn’t find anything?!”
  2. Unfortunately not all software is helpful. Worse yet, most people can’t tell the difference between the good and the bad. Some definitions easily found via Google…
    malware
    a) A generic term increasingly being used to describe any form of malicious software; eg, viruses, trojan horses, malicious active content, etc.
    b) Malicious software that is designed by people to attack some part of a computer system.
    spyware
    a) A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use spyware to gather data about customers. The practice is generally frowned upon.
    b) A technology that assists in gathering information about a person or organization without their knowledge. On the Internet, “spyware is programming that is put in someone’s computer to secretly gather information about the user and relay it to advertisers or other interested parties.” As such, spyware is cause for public concern about privacy on the Internet.
    adware
    a) While not necessarily malware, adware is considered to go beyond the reasonable advertising that one might expect from freeware or shareware. Typically a separate program that is installed at the same time as a shareware or similar program, adware will usually continue to generate advertising even when the user is not running the originally desired program. See also cookies, spyware, and web bugs.
    b) software that may have been installed on your computer by a remote site. Many free utilities that you download from the Internet will install hidden software that sends details of the websites you visit and other information from your computer (which can include your email address) to advertisers so they can target you with popup ads and spam. See Spam, Spyware.

    Most people have experienced that moment when they find something on their computer that they don’t remember installing. Most simply brush it off, but those that don’t will usually find things that fall into one of those three categories: malware, spyware, or adware (I’ll refer to everything as spyware to keep it simple). One could argue that they are all related and therefore part of the same issue. Security. Privacy. Call it what you like, it’s a problem that is getting ridiculous. I’ve worked on computers with literally hundreds of items considered to be bits and pieces of spyware. The problem isn’t necessarily apathy (although it definitely can be), but more often it’s a lack of education. Users see a box pop up asking them a question and click without thinking. They download a program with some extra stuff along for the ride, and just like that they are infected.

    So what’s being done to combat spyware? Well, there are companies out there like Lavasoft USA and Safer Networking Limited, creators of Ad-Aware and Spybot – Search and Destroy. Both will scan your computer for items considered to be spyware and remove them for you. I recommend both programs and use them every week or two. Finally, some companies are beginning to take a stand on the issue and Congress has gotten in on the act as well, passing anti-spyware legislation. Still, I won’t hold my breath for big changes. Some people must make a lot of money from software like this or there would be no reason to keep making it.

  3. Wireless networking is becoming increasingly popular. It’s everywhere from PDAs and cell phones to laptops and even desktops. And while it makes some people’s lives a lot simpler by freeing them from the bounds of wires, there are big security risks that most people don’t even consider. As of now, there is still no wireless security standard comparable to that of wired networks. The most common form of wireless security simply requires a pre-shared encryption key that once learned will give a person full access to a wireless network. Give me a day or two with the right tools and I could probably learn the encryption key of any wireless network without ever needing to ask for it.

    To make matters worse, most wireless networking components have security turned off by default. And while it may be much simpler to set up your wireless network without worrying about encryption keys, you’re leaving yourself extremely vulnerable. Since I got my laptop with its built-in wireless card, I’ve had occasion to visit friends off campus and notice the sheer number of wireless access points available. I’d say 80-90% are unsecured. Not only could people potentially steal internet access, but in the process they’re connected directly to your network with little to no effort.

It’s probably foolish to think there is such a thing as a perfectly secure system. But there are plenty of things you can do to get closer to the ideal. Install a popup blocker (better yet, run a web browser that does it for you like Firefox). Download and use Ad-Aware and Spybot (don’t forget to keep them updated). Turn Windows Firewall on. Oh, and download Windows Updates (something I haven’t even touched here). Slowly but surely, the industry is providing the tools for consumers to protect themselves, but knowing where to look is half the battle. I’ve made it my personal goal to start educating users on these issues by teaching them to respect their systems and explaining why they’re having problems rather than just fixing things for them.