James Friesen's Tech Blog
http://jamesfriesen.net
Unadulterated and frank technology discussions.
james@jamesfriesen.net
Copyright 2008 James Friesen Net (GeekLog feed, Tue, 29 Apr 2008 17:15:43 -0400, en-gb)

Happy Holidays
http://jamesfriesen.net/article.php/20071226084017512
Tue, 25 Dec 2007 08:40:00 -0500 | Site News

<p>Just to wish all my friends and family, including my extended families, the best holiday wishes.</p>
<p>Have a Merry Christmas and a joyous New Year!</p>

Apple's Lack of Security Awareness Appalling
http://jamesfriesen.net/article.php/20071215103702745
Sat, 15 Dec 2007 10:37:00 -0500 | Security

<p><a href="http://blogs.zdnet.com/security/?p=749" rel="bookmark" title="Permalink">Finally, a "critical" Java runtime update from Apple</a> by <a href="http://zdnet.com">ZDNet</a>'s Ryan Naraine -- Apple has shipped a long-overdue Java runtime update to plug at least 30 vulnerabilities that expose Mac OS X users to remote code execution attacks.</p>

This article really only highlights the issue. QuickTime has had (and still has) so many bugs that I'd simply deem it the 'Buggiest and Most Insecure Application of ALL TIME'. Anyone who uses QuickTime should REMOVE IT immediately, and then clean their system. I'd even recommend cleaning the registry of any APPLE or QUICKTIME entries, something I'm typically loath to do under any circumstances. Apple simply seems not to understand the security climate in today's world, or doesn't care about its users. Either way, it's reprehensible that they are doing so well in the technology markets without putting security first.
Apple could learn a lot from Microsoft on this. I'm not saying Microsoft's approach is superior, I'm just saying it's actually far more committed to keeping its user base informed. Apple seems to prefer just keeping us in the dark, or, to use an alliteration, they prefer to keep the apples on the tree so they don't bonk someone on the head and perhaps wake them up to reality. Apple's products and OS are really insecure!

This is like many ignorant companies that seem to think 'if we have a security breach, we keep it secret', and this is the approach I find criminal. I for one am lobbying governments to change this, and FORCE ANYONE with sensitive data or source code to proprietary OSs to FULLY DISCLOSE vulnerabilities to reduce one's exposure to 0-day attacks.

It took Apple 6 months (!!!!) to come up with the latest patch, and it didn't fix all of them; actually, of the 30 it claimed, only 18 are TRULY fixed.

This type of lying is not warranted, nor does it reflect a company that cares about its clients. And yes, comparing apples to apples, I'd call it lying... I don't mix my fruit up.

Review of Enterprise Class Security Suites
http://jamesfriesen.net/article.php/20071212085146833
Wed, 12 Dec 2007 08:51:00 -0500 | Security

<p>I recently came across an article from 'Information Security' that reviewed several "Enterprise" class security suites. I have reviewed several here on this blog in the past year and have found very disappointing results. There have been a couple of newcomers to the land of the personal desktop, namely 'Blink' by eEye, which I have been testing for several months. The tool isn't ready for personal use, but its professional version has been commended for a while.
This article compared Blink's Enterprise tool (at the time of writing I haven't been able to confirm the differences between Pro and Enterprise).</p>
<p>Most readers of this blog may dismiss reviews of enterprise class applications, but I decided to include it since, for most of these vendors, the Enterprise version represents the 'best of the best' of their offerings. As this review compares all the top providers, including Symantec, CA, Trend Micro, ISS, eEye and a few others, I decided it was worthwhile comparing them.</p>
<p>The article can be found <a href="http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1280028,00.html">here</a>. <i>(I included the print-friendly version of the article as it's a 15 page review, and 15 pages is ridiculous since every page is barely a screenful on my PC; I prefer reading to clicking links and waiting for advertising to load, so...)</i></p>
<p>A lot of these offerings are strictly for Windows machines; very few have Linux or Mac offerings. Something to keep in mind: if your network has blended OSs you will have to seek other options for network-wide protection. However, if your network is mostly Windows based, these products will meet your needs.</p>
<p>The offerings were presented and reviewed by many criteria, from 'ease of information gathering' to usage to malware detection capability.</p>
<p>The most interesting note is that NONE of the products had 100% detection. NONE! The best came in around 92% detection.</p>
<p>It's also important to note that some were plainly incompetent at detecting malware that was present and moving around a machine.
This too was an interesting consequence of the article.</p>
<img width="1000" height="497" src="http://jamesfriesen.net/images/articles/20071212085146833_1.jpg" alt="">
<p>Here are the features offered in the products.</p>
<img width="1000" height="585" src="http://jamesfriesen.net/images/articles/20071212085146833_2.jpg" alt="">
<p>The really nice extra feature that only two of the above offer is vulnerability scanning. This is a must to ensure your machines are patched and up to date. However, while the feature can be very valuable in a work environment that can have strict policies, in a home environment its benefits will be less. My experience shows that they typically have inaccurate results, so being able to use this as a guideline rather than a definitive state is important. It's still very valuable.</p>
<p>Since we like Blink, it's also important to note that even the Personal version of their product offers all these features; most of the other vendors are not so accommodating with their lower end versions of the product.</p>
<p>So this review does in fact support our arguments regarding malware. There is NO 100% effective solution, so a multi-tiered approach to malware is wise.</p>
<p>It also proves our case about not relying on a traditional antivirus product alone. This type of product has pretty much no life in today's market. A blended product is what is required, which most of these provide. It's unfortunate that most of these companies cannot improve their offerings to be more effective.</p>
<p>Additionally, it's important to note that 'false positives' <b>are</b> the #1 problem with most of these packages, so it's critical to compare 'detection results' with other products before making a decision to buy. A lot of spyware vendors like to advertise LARGE numbers of detections for their product offerings, regardless of importance or even accuracy.</p>

Shaw offering Free Broadband for a Year? Or a Phisher?
http://jamesfriesen.net/article.php/20071109125305752
Fri, 09 Nov 2007 12:53:00 -0500 | Internet & Networking

<p>Really? <b>A FREE YEAR of Broadband?!?</b> Nobody gives away a free year...</p>
<p>Recently I've received copies of a <a href="http://en.wikipedia.org/wiki/Phishing">phishing attempt</a> that looks like it's from <a href="http://www.shaw.ca">Shaw</a> <i>(a cable/internet/telephone service company in Canada)</i>. This phishing attempt is congruous with the eBay and banking phishes of the recent past, in that it actually does NOT resemble a 'real' email, but rather a fictional email designed to get people excited; in this case, instead of warning the user, it aims for a positive reaction from "getting free internet for a year". Whoopie! A year's worth of internet from Shaw isn't that expensive. Phishing attempts are typically NOT viral or <a href="http://en.wikipedia.org/wiki/Malware">malware</a> oriented, but certainly can and do use such methods. In this case it looks like standard email spam sent via exploited web sites.</p>
<p>This is a sophisticated method. It uses a similar style to Shaw's own correspondence and uses a legitimate, if inappropriate, email address. The email was generated and sent using multiple methods, so tracking it will be harder to accomplish. Below I show the details of the spam and my analysis; our whois data is included in the rest of the article.</p>
<p>First off, I will point out the RED FLAGS in this phishing attempt:<br>
#1 - "A Free Year of Broadband" - This doesn't make sense. Shaw has trademarks and service marks that it would use to advertise its broadband internet service. Only someone ignorant of Shaw's trademarks would say this.
It's really unlikely anyone who <b>really works for Shaw</b> would make this error.<br>
#2 - Canadian law states that any 'contest' or 'giveaway' must contain details of said event. In most cases it's prudent to state whether or not the contest is allowed in Quebec, since the law there is vastly different, and Quebec law generally does NOT allow this type of contest. (Disclaimer: I'm in no way a lawyer, but I am aware of consumer rights.) Missing the disclaimer is a definite flag.<br>
#3 - The email that is seen in the From: header is not a normal Shaw correspondence email account.<br>
#4 - The link clearly shows a 'secure' link, but in no way is it going to a 'secure' site.<br>
#5 - Typical email headers (on email from Shaw) are missing.<br></p>
<p>So just upon a quick review of this email we can deduce that it's not a valid email. To get more pertinent details I'll analyze these emails in detail. I won't paste the email headers in their entirety; any identifying detail will be displayed as 'XXXXXXXX' to avoid email harvesting, but I will show you which details were more noteworthy.</p>
<p>The return-path was interesting. One was:</p>
<p><i>apache@utel16.besthosting.com.ua</i></p>
<p>The other one was:</p>
<p><i>nobody@omega.omc.net</i></p>
<p>This would indicate to me that the web server sent this email, and in typical hosting fashion it would be doing so via a script on one of the hosts or virtual hosts on the system.</p>
<p>None of the received headers would indicate anything unexpected here; "omega" even has SSL/TLS enabled, but with verify set to no.</p>
<p>The header in one of the emails is very interesting:</p>
<pre><code>Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." service@shaw.ca
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146</code></pre>
<p>The date and time indicate an East European time zone. I know Shaw doesn't have any servers in Europe...</p>
<p>The X-PHP-Script header shows a very interesting detail of where this email came from. We'll come back to this IP in a bit. But this is a key indicator of an exploited web site on a hosting company or something similar. This IP definitely hosts a web server, with the above mentioned user account, but at the time of checking this link generated an error.</p>
<p>The <b>for</b> address <b>82.208.212.146</b> is interesting, as it resolves to:</p>
<pre><code>whois -h whois.geektools.com 82.208.212.146 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '82.208.212.0 - 82.208.212.255'
inetnum: 82.208.212.0 - 82.208.212.255
netname: ITSOLUTIONSNET
descr: ITSolutions, Obrenoviceva 124 4/10
descr: 18000 Nis
descr: Serbia and Montenegro
country: CS
admin-c: IS1188-RIPE
tech-c: AZ919-RIPE
status: ASSIGNED PA
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered
person: Ivan Stankovic
address: ITSolutions
address: YU
e-mail: i.stankovic@my-its.net
phone: +38118512796
fax-no: +38118512797
nic-hdl: IS1188-RIPE
source: RIPE # Filtered
person: Aleksandar Zakic
address: ITSolutions NET
address: CS
e-mail: a.zakic@my-its.net
phone: +381-63-222-361
fax-no: +381-18-512-797
nic-hdl: AZ919-RIPE
source: RIPE # Filtered
% Information related to '82.208.192.0/19AS13091'
route: 82.208.192.0/19
descr: JP PTT Srbija
descr: PTT Srbija Net
origin: AS13091
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered
Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.</code></pre>
<p>Reviewing the other IP address of the X-PHP-Script header gives us this info:</p>
<pre><code>whois -h whois.geektools.com 213.186.117.120 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '213.186.117.0 - 213.186.117.143'
inetnum: 213.186.117.0 - 213.186.117.143
netname: UTEL-DC5
descr: Utel DataCenter networks. Colocation
country: UA
admin-c: UNOC-RIPE
tech-c: UNOC-RIPE
status: ASSIGNED PA
mnt-by: AS6877-MNT
remarks: INFRA-AW
source: RIPE # Filtered
role: Utel NOC
address: 101, Volodymyrska str.
address: 01033, Kyiv, Ukraine
phone: +380 44 2359001
fax-no: +380 44 2304560
e-mail: noc@utel.net.ua
admin-c: OLE-RIPE
tech-c: BES100-RIPE
tech-c: OLE-RIPE
tech-c: JIM-RIPE
tech-c: ALT-RIPE
tech-c: UHM-RIPE
nic-hdl: UNOC-RIPE
mnt-by: AS6877-MNT
source: RIPE # Filtered
% Information related to '213.186.112.0/20AS16124'
route: 213.186.112.0/20
descr: Utel DataCenter, Ukraine
origin: AS16124
mnt-by: AS6877-MNT
source: RIPE # Filtered
Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.</code></pre>
<p>So, it <b>looks like</b> someone, possibly in <i>Serbia and Montenegro</i>, ran a cross site script residing on a server in the <i>Ukraine</i> against <i>utel16.besthosting.com.ua</i>, which sent the email. One would actually have to test this out, which I have not done, to confirm this.
This is a dangerous step I decided to avoid for brevity.</p>
<p>Looking at another similar email we see:</p>
<pre><code>Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: "Shaw Communications Inc." 
Subject: Win a year of free broadband
To: XXXXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: 
MIME-version: 1.0
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1) claimed to be omega.omc.net</code></pre>
<p>Here we can see the authentication warning from this server. No detail, unfortunately.</p>
<p>Regardless, the viewable content of these two emails is identical, including an 'official' Shaw footer to further reinforce its legitimacy, but it's futile. These are NOT from SHAW.</p>
<p>The content is included in plaintext below. However, to ensure not even Google browses the evil link from our site, I have sanitized it so it breaks. The details needed to fix it are given below the actual email content:</p>
<pre><code>Content-Transfer-Encoding: 8bit
&lt;DIV&gt;&lt;P&gt;&lt;IMG hspace=0 src="http://www.shaw.ca/NR/rdonlyres/A6D66548-142E-47F8-AF4A-3CEE597378BC/0/logo.gif" align=baseline border=0&gt;&lt;/P&gt;
&lt;P&gt;&lt;font color="#0077D4" size="4"&gt; &lt;b&gt;.win a year of free broadband&lt;/b&gt;&lt;/font&gt;&lt;/P&gt;
&lt;p&gt;&lt;font color="#000000"&gt;To access this survey, and register for relevant offers from Shaw Communication Inc. please take a minute to register by using the link below.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#000000"&gt;After downloading and installing the file below, you will be taken to Shaw Communication Inc. survey.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://Removed.example.com/~profesor/media/Survey.exe"&gt;https://secure.shaw.ca/apps/secure/vhub/Survey.exe&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;font color="#666666"&gt;2007 Shaw Communications. All Rights Reserved.&lt;/font&gt;&lt;/p&gt;&lt;/DIV&gt;
&lt;p&gt;&lt;img border="0" src="http://www.shaw.ca/NR/rdonlyres/EA718B58-D4FE-4A15-A9DF-C92792A6822A/0/canadaintv_whats_new.jpg"&gt;&lt;/p&gt;</code></pre>
<p>209.85.15.18 is the address removed above as "Removed.example.com". This address resolves to:</p>
<pre><code>11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com
whois -h whois.geektools.com 209.85.15.18 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.arin.net.
Results:
OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US
ReferralServer: rwhois://rwhois.ev1servers.net:4321/
NetRange: 209.85.0.0 - 209.85.127.255
CIDR: 209.85.0.0/17
NetName: EVRY-BLK-15
NetHandle: NET-209-85-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment:
RegDate: 2005-12-14
Updated: 2006-11-28
RAbuseHandle: ABUSE477-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-713-579-2850
RAbuseEmail: abuse@ev1servers.net
RNOCHandle: NOC1445-ARIN
RNOCName: Noc
RNOCPhone: +1-713-579-2850
RNOCEmail: noc@ev1servers.net
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com
OrgNOCHandle: NOC1445-ARIN
OrgNOCName: Noc
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail: noc@ev1servers.net
OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin2@ev1servers.net
# ARIN WHOIS database, last updated 2007-11-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.</code></pre>
<p>At this point this site seems to be up. Anyone receiving any email similar to this should simply delete it. If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate, and is limited in its conclusions.
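The header and link checks walked through in this analysis, written up as an added example that is not code from the original post: it parses a message constructed from the quoted fields (masked values such as XXXXXXX and Removed.example.com are kept as the post masked them) and reports which of the red flags it trips.

```python
"""Flag the red flags the Shaw phishing analysis above walks through.

Added example, not the post's code. SAMPLE_EMAIL is constructed from the
quoted headers and HTML body; the fields the post masked stay masked here.
"""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, assembled from the fields quoted in the post.
SAMPLE_EMAIL = """\
Return-Path: <apache@utel16.besthosting.com.ua>
Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." <service@shaw.ca>
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: <XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua>
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

<DIV><P><b>.win a year of free broadband</b></P>
<p><a href="http://Removed.example.com/~profesor/media/Survey.exe">https://secure.shaw.ca/apps/secure/vhub/Survey.exe</a></p></DIV>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Lower-cased domain of an address-bearing header ('' if none)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return (code, detail) pairs for each red flag found in a raw message."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom = domain_of(msg.get("From"))

    # Envelope sender and Message-Id were minted on a web host ('apache@...'),
    # not on the domain displayed in From: (red flag #3 and the return-path).
    for header, code in (("Return-Path", "return-path-mismatch"),
                         ("Message-Id", "message-id-foreign")):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            flags.append((code, f"{header} at {dom}, From: at {from_dom}"))

    # The post notes the +0200 Date and that Shaw has no servers in Europe;
    # every Canadian zone lies west of UTC, so a positive offset is a tell.
    if msg.get("Date"):
        offset = parsedate_to_datetime(msg["Date"]).utcoffset()
        if offset is not None and offset.total_seconds() > 0:
            flags.append(("date-east-of-utc", msg["Date"]))

    # Headers that only a web server's PHP script or a misconfigured MTA add;
    # the post flags both X-PHP-Script and X-Authentication-Warning.
    for header in ("X-PHP-Script", "X-Authentication-Warning"):
        if msg.get(header):
            flags.append(("script-header", f"{header}: {msg[header]}"))

    # Red flag #4: the visible text promises https://secure.shaw.ca while the
    # href goes to another host, over plain http, and fetches an executable.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, real = urlparse(text), urlparse(href)
        if shown.hostname and shown.hostname != real.hostname:
            flags.append(("link-host-mismatch",
                          f"shows {shown.hostname}, goes to {real.hostname}"))
        if shown.scheme == "https" and real.scheme != "https":
            flags.append(("link-scheme-downgrade", href))
        if real.path.lower().endswith(".exe"):
            flags.append(("link-executable", href))
    return flags
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields seven flags in header order; a message whose Return-Path, Message-Id and link target all stay on shaw.ca yields none.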
However, I hope it serves to help or assist anyone else who seeks to eliminate phishers and other scammers.</p>

Gay Spammer on site
http://jamesfriesen.net/article.php/20071023120919778
Tue, 23 Oct 2007 12:09:19 -0400 | Site News

<p>Well, it appears that 'supercatalogo.info' is a HUGE source of spam and malware. I have identified the IP as 89.111.180.225, with the following whois details:</p>
<pre><code>10/23/07 10:15:20 whois 89.111.180.225@whois.geektools.com
whois -h whois.geektools.com 89.111.180.225 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '89.111.176.0 - 89.111.191.255'
inetnum: 89.111.176.0 - 89.111.191.255
netname: CENTROHOST-NET
descr: JSC Centrohost
country: RU
org: ORG-JC13-RIPE
admin-c: IA327-RIPE
tech-c: IA327-RIPE
status: ASSIGNED PA
mnt-by: PAN1-RIPE-MNT
mnt-lower: PAN1-RIPE-MNT
mnt-routes: PAN1-RIPE-MNT
mnt-domains: IA327-RIPE-MNT
source: RIPE # Filtered
organisation: ORG-JC13-RIPE
org-name: JSC Centrohost
org-type: OTHER
descr: JSC Centrohost
address: 78, Profsojuznaya str.,
address: Moscow, Russia, 117393
phone: +7 495 3630309
phone: +7 495 3630318
admin-c: IA327-RIPE
tech-c: IA327-RIPE
mnt-ref: PAN1-RIPE-MNT
abuse-mailbox: abuse@hc.ru
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered
person: Ivan Albetkov
address: Hosting-Center LTD
address: 22, Litovsky bulvar
address: Moscow, Russia, 117588
phone: +7 495 5445566
remarks: **************************************************
remarks: Please send abuse and spam reports to abuse@hc.ru
remarks: **************************************************
nic-hdl: IA327-RIPE
mnt-by: IA327-RIPE-MNT
source: RIPE # Filtered
% Information related to '89.111.176.0/20AS41126'
route: 89.111.176.0/20
descr: JSC Centrohost route
origin: AS41126
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered</code></pre>
<p>SO, Mr. Gay, go find another rock to crawl under. Oh, if you're looking for details on supercatalogo.info, the domain record follows.</p>
<pre><code>Domain ID:D15402764-LRMS
Domain Name:SUPERCATALOGO.INFO
Created On:22-Nov-2006 14:39:27 UTC
Last Updated On:21-Jan-2007 20:32:36 UTC
Expiration Date:22-Nov-2007 14:39:27 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:OK
Registrant ID:DI_4743150
Registrant Name:Isaias Stefanski
Registrant Organization:Isaias Stefanski
Registrant Street1:Devon Rd 67 26
Registrant Street2:
Registrant Street3:
Registrant City:BATON ROUGE
Registrant State/Province:Louisiana
Registrant Postal Code:70814
Registrant Country:US
Registrant Phone:+1.5043223563
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:admin@SuperCatalogo.info
Admin ID:DI_4743150
Admin Name:Isaias Stefanski
Admin Organization:Isaias Stefanski
Admin Street1:Devon Rd 67 26
Admin Street2:
Admin Street3:
Admin City:BATON ROUGE
Admin State/Province:Louisiana
Admin Postal Code:70814
Admin Country:US
Admin Phone:+1.5043223563
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:admin@SuperCatalogo.info
Billing ID:DI_4743150
Billing Name:Isaias Stefanski
Billing Organization:Isaias Stefanski
Billing Street1:Devon Rd 67 26
Billing Street2:
Billing Street3:
Billing City:BATON ROUGE
Billing State/Province:Louisiana
Billing Postal Code:70814
Billing Country:US
Billing Phone:+1.5043223563
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:admin@SuperCatalogo.info
Tech ID:DI_4743150
Tech Name:Isaias Stefanski
Tech Organization:Isaias Stefanski
Tech Street1:Devon Rd 67 26
Tech Street2:
Tech Street3:
Tech City:BATON ROUGE
Tech State/Province:Louisiana
Tech Postal Code:70814
Tech Country:US
Tech Phone:+1.5043223563
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:admin@SuperCatalogo.info
Name Server:NS1.THEHOSTDIRECT.INFO
Name Server:NS2.THEHOSTDIRECT.INFO</code></pre>

Blog Spammers - NetCatHosting #1 Spammer Sept/07
http://jamesfriesen.net/article.php/2007101713400524
Wed, 17 Oct 2007 13:40:00 -0400 | Site News

<p>If you have a web site, chances are you deal with spam in some way. It's become reality in the last couple of years, and dealing with it can be either finicky and time consuming, or you spend very little time on it thanks to effective solutions. Here we get lots of spam even though the traffic here doesn't warrant it: 90% of the visitors here are bots, and only about 2% of those are spammers. We have a great system for dealing with spam and so far we've had great success with it. No spam has been posted on this site that had to be manually removed. However, we get an endless number of attempts. One IP, 195.225.177.190, has been particularly mindless in its attempts to spam our site, getting up to 10 to 15 attempts per day. During the latter part of September 2007, this ONE BOT generated over 100 attempts. This is the detail of the identified spammer:</p>
<pre><code>10/17/07 11:25:56 whois 195.225.177.190@whois.geektools.com
whois -h whois.geektools.com 195.225.177.190 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '195.225.176.0 - 195.225.179.255'
inetnum: 195.225.176.0 - 195.225.179.255
netname: NETCATHOST
descr: NetcatHosting
country: PA
admin-c: VR1273-RIPE
tech-c: VR1273-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: NETCATHOST-MNT
mnt-routes: NETCATHOST-MNT
mnt-routes: WZNET-MNT
source: RIPE # Filtered
remarks: ***************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ***************************************
person: Vladislav Radchek
address: IBC Tower Floor 9 PO Box 901-2389
address: Manuel Espinosa Batista Avenue
phone: +372 7121250
nic-hdl: VR1273-RIPE
source: RIPE # Filtered
% Information related to '195.225.176.0/22AS31159'
route: 195.225.176.0/22
descr: NETCATHOST (full block)
mnt-routes: WZNET-MNT
mnt-routes: NETCATHOST-MNT
origin: AS31159
mnt-by: NETCATHOST-MNT
remarks: ****************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ****************************************
source: RIPE # Filtered
% Information related to '195.225.177.190/32AS31159'
route: 195.225.177.190/32
descr: Mark Stosberg
origin: AS31159
mnt-by: NETCATHOST-MNT
source: RIPE # Filtered
remarks: *******************************
* Mark Stosberg *
* +1 (202) 657-5440 *
* US, 47374, Indiana *
* Richmond, 914 E Main St *
****** Send abuse to: *********
* abuse@myfreepages.org *
*******************************
Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.</code></pre>
<p>This IP is part of the NETCATHOST.COM domain and is a web hosting provider. Two IPs in this block were attributed in the spamming: the one noted above and this one, 195.225.176.177. This is RIPE address space, from the looks of it being used by an ISP in Europe and further used by this American, either intentionally or otherwise. Given it's a web hosting account, I'd say the server has been compromised.</p>
<p>It was interesting that while these bots were spamming me, I received no other spam attempts [well, there were two]. Once I blocked this IP block from accessing my site, the other bots started up again. Most curious. I still average about 3 spam attempts per day and, depending on the success of this article, I may post further major spammers in the coming months.</p>

What NOT To Do With Overheating Systems
http://jamesfriesen.net/article.php/20070825110525827
Sat, 25 Aug 2007 11:05:00 -0400 | Computer & Tech

<p>In my area of the world, which is Calgary, Alberta, known for its short cool summers, we had one of the hottest in a long time, at least since 1998. I have had two of my PCs, one being my gaming box, hit their temperature ceilings on three occasions, in most cases according to the motherboard sensor. I don't have air conditioning, so when the temperature hits 30 degrees outside it can hit 36 degrees inside the house. With no airflow everything stagnates and stays hot. Anyone who has a plasma display knows these babies run super hot normally (in the winter I think of it as my fireplace), so imagine the grief one can expect trying to run this display under very hot, stagnant conditions. Yes, I burnt mine out, but it's fixed now.</p>
<p>Anyways, I came across this story today of a kid who nearly killed himself trying to keep his Xbox 360 cool this past summer. Folks, this is a lesson of moronic proportions. Common sense should dictate you DO NOT do what this guy did, and no one should try this without at least using his head 'first'.</p>
<p><i>Again, I'm going to tell you that if you wish to kill yourself, and maybe even others in your home or business, as well as possibly damaging other electronics or even your electrical system, then go ahead and try this.
If you would rather LIVE, and not put anything or anyone, including yourself, in danger, 'DO NOT' try this.</i></p>
<p>I found the story on <a href="http://www.tgdaily.com/content/view/33493/98/">TG Daily</a> and it just makes me wonder what the hell kids are thinking. A 15 year old kid in North Carolina was having problems with his Xbox 360 shutting down every five minutes due to overheating.</p>
<p>His mother saw him playing on his box, unaware of the troubles, and went next door to the neighbors'. After several shutdowns of the box, the kid decided to take the power supply out of the machine, tape it up in a plastic bag and submerge it in cool water. As a consequence the live electricity contacted the water and electrocuted the kid. His mother returned from the neighbors' to find him unconscious on the floor. He spent the day in the hospital getting treated for minor burns to his hands and feet. Lucky for him!</p>
<p>Now the article states that he did this 'based on information on the internet'. OK, fine, I have done something very similar to this. Actually, we wanted to see if we could run a power supply underwater; we found that this was not very effective, but using a very thick waterproof rubber membrane or gasket we surrounded the power supply with dry ice, and this worked very well, monitoring the ice constantly to ensure no problems occurred. However, it was not practical to run the machine in this state, with the power supply in a potentially dangerous situation, for any real length of time. The problem with a plastic bag, of course, is that it can melt due to the heat of the power supply, creating a poor barrier. Much like water cooling, we don't want water running 'in' our case; we want it simply cooling our special heat sinks. Loose water is dangerous.</p>
<p>So please tell me... who just reads things on the internet and tries them without seriously considering the consequences?
I'm sure the average 16 year old is aware that you can die from average voltages when water is in play (think lightning...).</p>
<p>So if anyone thinks this is a grand idea to keep their parts cool in our hot summer, please remember common sense, and don't try anything without putting safety first!</p>
<p><i>P.S. If anyone reads this and tries this without a safety plan, first, you're an idiot, and second, I hope you kill yourself without hurting anyone else. If you hurt anyone else then I hope you do jail for a long time.</i></p>

Anti-Spam researchers finally see the light
http://jamesfriesen.net/article.php/20070809102122575
Thu, 09 Aug 2007 10:21:00 -0400 | Security

<p>I came across this article from InfoWorld entitled <b><a href="http://www.infoworld.com/article/07/08/07/UC-researchers-take-anti-spam-fight-to-Web_1.html?source=rss&amp;url=http://www.infoworld.com/article/07/08/07/UC-researchers-take-anti-spam-fight-to-Web_1.html">Researchers: Take anti-spam fight to the Web</a></b> and I've finally stopped laughing.</p>
<p>Someone has gotten a clue about how to win this war without taking the entire internet down with it.</p>
<p>I have to ask, are anti-spam researchers all clueless? I hate to start off with such an inflammatory comment, but really. Remember Blue Frog? How pathetic was that! I was fine with the fact that their 'solution' ended up DDoSing their site, but when the hackers scooped the domain because this company was negligent with their abilities, they affected hundreds if not thousands of innocent users who thought their product was some solution. Well, they were very VERY wrong.</p>
<p>Today, someone has discovered that 'if we seek to take down the web sites rather than the mail servers we could actually make a dent in spam'.
WOW... it's taken how many years for 'researchers' to figure this out? Unbelievable. In law enforcement this has always been the approach: determine where the money is going and stop it at the end. Not to say this has been terribly effective, since multi-jurisdictional rules, laws, etc. have hampered most efforts, but it has been 'very' effective when not hampered by such things.

If we can decide to start getting registrars to pull domains that are hosting and/or harboring such web sites, then very quickly we affect their operations. My thoughts on this have been working to stop spammers using this methodology for nearly 7 years, and it works well when it stays within a country's boundaries. Unfortunately, most others seek to deal with the spam itself, by trying to catch the spammer, rather than the web sites behind the money. This isn't rocket science: someone is using the spam to sell products/services. When that spam links to the web site, you're now on the money. The spammer and the email are useless now; it's probably a forged email with bogus details, but the LINKS are what have to be good. Sure they can relay, proxy, encrypt, obfuscate, etc., but it still results in a visit to a web site and, using some means, a payment for products/services. Once this happens we can follow the money very exactly to the destination, and nail the recipient directly. Regardless of how legit this company is (I frankly couldn't care if it was Halliburton!) you shut down their domain. Now they have to deal with the spam whether or not they directly participated. They "are accountable for all funds", according to most trade law, so these funds paid via spam can be held for criminal investigation. I'm sure even Halliburton would work diligently and positively to correct this and ensure that they are meeting regulatory requirements.
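The pivot the paragraph above describes, as an added example that is not from the post: the sender address, subject and relay path of a spam message are forged and change from message to message, but the link targets have to be real, so they are the stable indicator to collect for an abuse report or a registrar takedown request. The shell filter below runs over three constructed sample messages (the host names are `.test` placeholders, not real sites) and reduces them to the distinct link hosts with a count of how many messages point at each; the `SAMPLE_SPAM` text and the function names are my own.

```shell
#!/bin/sh
# Added example: reduce spam messages to the hosts their links point at.
# Forged From:/Subject: lines vary per message; the landing host does not.

# Constructed sample input (placeholder .test hosts, not real domains):
# three messages with different forged senders and subjects, all pointing at
# the same landing site, plus one unrelated image link.
SAMPLE_SPAM=$(cat <<'EOF'
From: "Jane" <jane9921@forged-isp.test>
Subject: Re: your order
Click here: http://cheap-meds.test/order?id=1 for details
From: billing@another-forged.test
Subject: Invoice attached
See HTTP://CHEAP-MEDS.TEST:8080/order (plain text mention of www.unrelated.test is ignored)
From: noreply@forged-bank.test
Subject: Account notice
Visit https://user@cheap-meds.test/login now, image at https://cdn.example.test/img.png
EOF
)

# spam_link_hosts: read messages on stdin, print "count host" per distinct host,
# most-referenced first. Only http(s) URLs with a scheme are considered; the
# scheme, any userinfo before '@' and any :port are stripped and the host is
# lowercased so the same site written three ways collapses to one entry.
spam_link_hosts() {
    grep -oiE 'https?://[^/[:space:]"<>]+' \
      | tr '[:upper:]' '[:lower:]' \
      | sed -E 's#^https?://##; s/^[^@]*@//; s/:[0-9]+$//' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# top_link_host: the single host referenced by the most messages, i.e. the
# first candidate for an abuse report or a registrar complaint.
top_link_host() {
    spam_link_hosts | head -n 1 | awk '{print $2}'
}

# host_count HOST: how many links in the input resolved to HOST (0 if none).
host_count() {
    n=$(spam_link_hosts | awk -v h="$1" '$2 == h {print $1}')
    echo "${n:-0}"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SPAM" | spam_link_hosts
printf 'top host: %s\n' "$(printf '%s\n' "$SAMPLE_SPAM" | top_link_host)"
```

The filter deliberately ignores bare host names without a scheme and does not fetch anything; it only normalizes what is already in the message, which is what you want before handing the list to whoever can act on it.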
I mean, if Visa and Mastercard can refuse to honor payments to companies like allofmp3 because of their 'questionable' practices, what's stopping them from doing the EXACT same thing on spam-directed sales? Getting a clue, in my mind.

Ideally, what needs to be done is an international trade law (UN, you paying attention here!?!?) that says any domain shown (not proven) to be profiting from spam activity will be shut down pending investigation; if proven, then the domain will be permanently blacklisted for a period of 2 years. This will quickly stop evil domains from running rampant, and allow the registrars to make more money (since the spammers will likely re-domain somewhere else). If the host or registrar is party to this, then they should be held criminally liable and charged under international law.

Unfortunately, with the UN all gaga over CO2 emissions, I can't see this coming to light for another 5 years, but maybe since the anti-spam researchers have learned what nearly every forensic investigator discovered years ago, perhaps we can see some light heading our way.

Now if we can do something about those stock emails... I have a great idea!

My Old New PC
http://jamesfriesen.net/article.php/20070521181041340 | Mon, 21 May 2007 18:10:00 -0400 | Computer & Tech

Some of you looking at that title might wonder what I've been sniffing (packets I tell you!!, Packets!!). In fact this was an article I created on Sept 26, 2006 and actually never posted!

That's correct. I typed this article up back then and never published it. I decided that I could honestly publish it now, and also show you guys some of the pictures I took at the time of building this rig.
In early September of last year I finally had all my material for building my two new PCs in place. The DVR was cheap, running in at about $500.00 including all the cabling, keyboards and other miscellaneous stuff that adds considerably. Total system costs break down like so:

Existing parts used: video card. Cost: $0.
New parts for PC: motherboard, CPU, hard disk, power supply, RAM, case. Cost: $388.
Reallocated parts for PC: illuminated keyboard, 50 foot VGA cable, wireless mouse, extended power supply cable. Cost: $112. Even though I didn't actually buy either the keyboard or the mouse at this time (I already had them), I included their costs since they were now at home in this system.

Ok, I didn't say I'd talk about the cheap system I threw together; I'll get to the actual story from last September.

Well, this is a little bit older technology, but still on the very high end.

For this gaming system I've hand picked the parts due to their excellent quality, warranty, and durability, to say nothing of offering the best features and designs to be found anywhere.

The start of our system begins with our case, a Cooler Master CM-Stacker 830. This is a phenomenal case for a gaming rig. However, its greatness is also its curse. This case alone weighs as much as my fully assembled DVR rig, and I'm adding a lot of weight to this. The total should come in around 45~55 lbs completed. Thank god this case features a pair of handholds at the top of the case.

[Image: http://jamesfriesen.net/images/articles/20070521181041340_1.jpg]

I could get into more and more detail about the case and its features, but instead I'll discuss them as I use and work with them. There are many. The primary ones are the many locations for fans, the front jack plate on top of the front of the case, and the additional (duplicate) jacks on top with the power/reset buttons and HD activity light.
There is also the airflow that this case allows by not having really solid walls. The black mesh is an open grill, much like is found in many rack mount components. The other major feature this case offers is its size. It sits 22 inches high and 25 inches long! That's 56cm and 64cm for the rest of the planet. This case will support an ATX motherboard in two orientations, or a BTX motherboard.

Our motherboard is an ASUS A8N32-SLI Deluxe powered with an AMD Athlon FX-60 Dual Core CPU. We are using ATX in the normal configuration due to the heat pipes our motherboard features. This is a very important determination of the setup in our case, and we will follow the instructions as directed by ASUS.

[Image: http://jamesfriesen.net/images/articles/20070521181041340_2.jpg]
[Image: http://jamesfriesen.net/images/articles/20070521181041340_3.jpg]

This is a very awesome combination which should give us incredible gaming performance. However, in order to not bottleneck the CPU any more than required, we chose the recommended and expensive RAM: twin matched 1GB sticks with the lowest latency we can get for this motherboard. Using unmatched RAM is not recommended, and we would much prefer to add another 2GB, but... unless we are using an x64 compliant OS (not XP or less) it will not work. We could run Red Hat or Fedora with 4GB, but even this is not that easy to accomplish. We will run Vista on this box, so hopefully we can eventually accomplish this.

After we have the RAM installed it's time to mount the motherboard to the motherboard tray of the case. This makes working on this system very easy, since we do not have to work with the entire case while loading the motherboard, etc. This prevents scratching the aluminum case unnecessarily.
[Image: http://jamesfriesen.net/images/articles/20070521181041340_4.jpg]

All this makes a great computer except for the true power horse behind any decent gaming system... the video card, or in our case the dual video cards. My choice was the extraordinary eVGA Nvidia 7900 GTX, times two! These awesome babies are black with silver heat pipes, a perfect match for our black/silver system. They are HUGE! Each card fills two expansion slots (of course each only using ONE PCI-E x16 slot) and each requires its own power supply connection! These babies are going to get the electricity meter running.

Given the large size I decided to dry run the video cards to see how they would fit and how much they might interfere with the cabling I still need to do. I discovered these huge cards would be very troublesome in a smaller case, even a slightly smaller one, but not for me! Still, the biggest problem is that they deny me access to any of the ports on the motherboard, primarily for the front panel connections, as well as any thought of using another expansion slot in the case... it ain't happening!

[Image: http://jamesfriesen.net/images/articles/20070521181041340_5.jpg]

Another problem with the eVGA cards is the double slot tabs. My case seemed to have very tight slots when trying to insert this card while using two of them at the same time. What a patience test! One I was able to stretch out enough to get the card to seat nearly perfectly; the second one annoyed me so much I cut the tabs off the video card. My first custom modification ;)

Routing the front panel cables was a bit more challenging as they needed to either lie flat on the motherboard or route around the twin video cards. Since I didn't want to use any of the additional back plate connections, as room is at a premium with the eVGAs, I got the connections in as best I could.
The case offers a routing rack on both sides of the power supply/water cooler shelf, but I chose the one in the middle between the motherboard and the drive bays. This allowed all the wiring to be routed through and tied up except where it was not possible (one PCI-E power cable just wouldn't reach until it was allowed more direct access), or where it was impractical (for the ATX 12V connector it just made sense to use the other routing, since it was closer and hid the cable).

The Enermax Liberty Power Supply Unit is one of the nicest PSUs I've bought without a lot of frivolous features. Ok, there were two, which I'll disclose afterwards, but I don't want to detract from the nice features of this supply. This 750 watt bad boy has only built-in cables for the motherboard connections, of which we used all except the extra 12V motherboard connector, since we are not using an advanced ATX or a BTX motherboard.

The supply itself is enclosed in black mesh grill aluminum and has round cloth cables on most of the lengths. It features a selection of cables to add, which consist of: 2 PCI-E cables; 2 Molex and 2 pSATA connections; and two more Molex and pSATA with floppy connections also. All the cables come in a Velcro wrap storage bag for convenient and safe storage. I used all but one. Additionally it comes with a key tag necklace, for what reason I'm not certain, other than that you can wear it. But don't try to attach the power supply to it. It's a tad heavy for this necklace, but it's great for thumb drives and other lightweight items.

After getting this all in place, which required a mounting plate to be removed to install the PSU, I'm now ready to start installing the drives. 4 SATA2 Seagate 7200.10 300GB hard drives go into the original 4-in-3 module. This is going to be converted into a RAID 0+1 array equaling roughly 610GB of storage in a mirrored striped array.
Formatting this puppy will take most of the afternoon.

I'm adding a 5th Seagate on the second SATA controller and installing the 6th Seagate in the external enclosure I purchased, so it can be removed and plugged in quite simply. I will have roughly 1.3TB of storage on this box once it's complete. Plus another 610GB for mirroring on the RAID 0+1 array equals nearly 2 TB, or terabytes, of disk space.

The case handles a total of 9 120mm fans and only comes with one. Ultimately I'm going to have 6-8 fans. The rear fan was replaced with a white w/blue LED fan. A chassis ceiling fan of the same type was installed, and a third was installed on the lower left cage in the access door. Four fans will fill this space ultimately. Ensuring all the front panel connections are done prior to installing the video cards is important, and the power cables are also routed roughly. Technically we could boot this machine, but first we want to check a few things and ensure we don't need to access anything on the motherboard. We still have a matrix LCD display to install, yes, in the case.

To top off the drives we add a silver NEC DVD 16x burner that supports dual layer disks. This will become our workhorse drive, but with all the storage space we'll put Nero to work building virtual DVD-ROMs. Below the burner we install our matrix LCD display. This unit is red, in contrast to our silver/black/blue theme, simply to give the appearance of an eye (ok, now you'll have to sniff or smoke something to get that image in your brain...). We still have room to add another 4 drives if we acquire another 4-in-3 module, which to date we cannot get. Bad Cooler Master reps... BAD! But realistically we have no capability to run them unless I make them IDE... uh, no. However it would allow me to split the 4 drives in the one module into two modules and greatly improve airflow between the drives.
However, my drives currently run at a nice 32 degrees, so I've nothing to worry about at this time.

With the eVGA video cards installed, the system now looks very menacing and promising. We decide that it's time to exchange the Molex connectors with the UV reactive ones I purchased. The Molex extractor tool is very handy, even though the task is not a highly rewarding one. I'm simply not using any of them except for the DVD burner. The other two are attached to fans at the moment and will probably route to the matrix display. Two connectors you will probably never see will glow. Wow...

The time of trial now comes as we are ready to power up the system for the first time. Booting the system the first time was flawless, as everything came to life after powering the system on. I quickly went into the BIOS to make a few changes and then rebooted to get the RAID and SATA controllers working. This proved to be a greater challenge. After a few driver upgrades and reconfiguring we get the drives set up; unfortunately our external SATA drive is missing the correct cable, which we will have to get at a later date.

Originally, I had planned to install Vista beta RC1 on this for the time being, later upgrading to the release version of Vista Ultimate 64bit, but none of my tricks could get the OS to see my SATA drives. I did have to install a floppy drive and have the drivers for the SATA drive I wished to boot from ready to go during OS setup. But otherwise nothing else needed to be modified from my setup to get this up and running.

Vista was not as accommodating. It simply hung during several phases of the install, but popping the DVD out of the drive usually moved it to the next step. This was not foolproof and was ultimately dumped as a choice, and I installed XP SP1a instead. I may upgrade this to SP2, but that will have to be decided later.
For now I want to get all the drives working and formatted, drivers installed, and get testing this box out. [Author's Note: At this point I have the PC playing with several OSes using various external SATA drives and Firewire drives, and I've now acquired my Vista Ultimate 64bit, so I'm going to reattempt this.]

So, fan totals: Power Supply = 1 120mm; CPU = 1 80cm; Motherboard = 0; Video Card = 1 each = 2 80cm; Chassis has 1 in the 4-in-3 module, 1 rear, 1 top, 1 side, all 120mm. Total is 8. In this configuration the motherboard is running at about 49 C. When we add the 3 other fans this should decrease the temps by about 4-6 degrees. [Author's Note: After getting another 3 fans to fill the side grill up with fans, the temperature is now running at 44 idle and 46 peak. The CPU also never peaks over 61 and typically is running around 50.] The real beauty is how quietly this whole thing runs. It's much quieter than many of my other systems.

All the drivers installed ok, and we installed most of the bonus software that came with the hardware, even the time limited stuff, like Norton Internet Security. Most of this we toasted, including the buggy ForceWare firewall that comes with the product. Many other programs had issues with it.

Today the system still runs great. We have also acquired a pair of ViewSonic VX922 monitors to serve as our dual-monitor setup when not playing games, and they perform very well when we reduce the output to one display for SLI mode. We have had many games installed, with many framerates peaking over 140FPS. Even games like Oblivion we run constantly achieving over 40FPS, even with all the graphics on the highest settings using a display mode of 1280 by 1024. Yes, we do enjoy the games and the performance of these games on this rig.
Now we are planning our next build... something to store an incredible amount of files on.

Installing Snort 3.0.0 Alpha
http://jamesfriesen.net/article.php/20070521170936776 | Mon, 21 May 2007 17:09:00 -0400 | Security

I recently took the challenge to try out the new Snort 3.0 alpha (http://www.snort.org) that Marty Roesch released upon the world. I was glad to see a new version of this tool available and was eager to see it work. I have had extensive use of Snort over the years and cannot say I'm quite happy with the current 2.6.x.x builds. They are, however, very good working builds and are capable of doing what they're configured for, but they seem overly complex for the job at hand.

Honestly, I can say that the instructions are very good for installing, but like most people... who follows instructions? Don't we all want to trailblaze?

I was at the time running Ubuntu (http://www.ubuntu.com/) 6.06 and getting ready to upgrade to 7.04, and decided to do the upgrade before I tried to build Snort. I had a current 2.6.x build installed and also a 2.7.0.1 beta that were working. I removed the 2.6 build and left the 2.7 beta1, which managed to work with a bit of fixing.

After confirming this was fine I did a complete image backup of the computer. This ensures I can reload this image to disk and reboot the computer immediately. In fact I use disk partitions, but I think you get the idea. This is my saving and backup method of choice. I use Restorer 2000 Pro Net to perform these tasks to a networked storage box. Restorer also allows you to mount images to partially restore or to test backups. Image backups can be quite handy, let alone time saving.

Well, I decide to pop in the 7.04 CD and start the upgrade process. What? No upgrade process?
Cheap buggers; well, I'll just have to make my own. Using the Synaptic Package Manager, I run a full upgrade check and compare against the latest versions on the CD-ROM. Then I force it to apply all upgrades.

This gets to about 25% of the way and then fatally errors with something I don't recall. The system now boots, but not completely, and even though to some degree I can use it, really it's not usable.

So, back to the drawing board. I restore the original partition and decide to do the proper upgrade to 6.10. Well, this worked very well. I was so happy with myself that I made another backup after successfully using my 6.10 installation. Then I went ahead and did the 7.04 upgrade. This also worked very well. Afterwards, while enjoying my new Ubuntu package, I recalled that I was doing this for my Snort alpha testing!

Back to work. I get the Snort alpha copied over to this box using wget, awesome. Unpacking the tar.gz, I review the README to discover I need LUA and LIBDNET and UUID in addition to LIBPCAP. Well, I have libpcap working fine, as I have Snort 2.7 working fine. Ok, so I need to get lua and libdnet (at this point) for sure, since I'm pretty confident I have e2fsprogs installed fine (which was the recommended means to get the UUID stuff). I attempt to get the source for lua and compile it, but I get stupid errors with readline. I realize the *dev package doesn't version match the readline package and as a consequence doesn't want to compile nice and easy.

Cursing, I decide either I figure out how to get readline to compile or I find out how to revert back to an older libdnet/lua. Then I remembered that Marty mentioned that it worked with 6.10, so I figured this must have had a matching revision for these packages to their devel counterparts! So I went back to the 6.10 install and then tried the same thing. This was a better success, but still ended up encountering errors with libdnet.
This was befuddling, but this time the errors were specific to finding the files that 'should' be there. Guess what? They weren't. I hadn't installed the devel packages, so I realized that I needed to actually 'make' these installs instead of using Synaptic. While I was running around looking for the actual downloads, I noticed the '3rdparty' directory that actually included both these tar files. Sure, let's use these. First I did libdnet and it worked fine. I attempted to make Snort again, and it still didn't work, but this time I had no errors on libdnet. So I decided to go ahead and make lua from the Snort package and then attempted to make Snort. It got past lua and then found a new complaint.

This time it complained about UUID. In fact I did not have the UUID headers and again was dumbfounded over the missing headers. I did a quick google, however, and came up with a forum for some other product with a similar problem, and everyone complaining about having to download the entire e2fsprogs-devel package to get them. Someone then stated that the uuid-dev package would have them (for Debian) and that it had been recently added to the 3rd party repos for this very reason. A quick 'sudo apt-get install uuid-dev' did the trick for me, I'm quite happy to say.

After this I completed the make of Snort and was able to quickly start testing it out.

It looks to have some very effective ways to process traffic, but I have only finished the suggestions of the README. I'm curious to see how well it develops into a future version. Using LUA was a big concern for me, but it really doesn't seem to be causing any resounding concerns. I've become accustomed to it for now, but I'm not actually using it for development either. Hopefully I'll update my experiments with it in short time.

For now Snort 3.0.0.a1.4 gets a thumbs up as a usable alpha program; now back to testing!
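Every one of the build failures above came from a missing development header (libdnet, then lua, then uuid) that only surfaced after the previous one was fixed. As an added example, not from the post or from the Snort project, the script below checks for the headers behind the four README dependencies before running make, so the missing -dev packages are listed in one pass. The header names are the conventional ones each library installs, the include root defaults to /usr/include, and the package hints are Debian/Ubuntu names: uuid-dev is the one the post used, libpcap-dev and libdnet-dev are assumed, and the lua package name varies by release (the post's 3rdparty tarballs are the alternative for libdnet and lua).

```shell
#!/bin/sh
# Added example: preflight check of build dependencies for the Snort 3.0 alpha
# source tree. Not part of the post or of Snort; header names are the
# conventional ones, package hints are assumed Debian/Ubuntu names.

# Headers the README dependencies install (libpcap, libdnet, lua, uuid).
SNORT3_ALPHA_HEADERS="pcap.h dnet.h lua.h uuid/uuid.h"

# dev_hint HEADER: which -dev package (or source tarball) usually ships it.
dev_hint() {
    case "$1" in
        pcap.h)      echo "libpcap-dev" ;;
        dnet.h)      echo "libdnet-dev (or the 3rdparty tarball in the snort source)" ;;
        lua.h)       echo "lua 5.1 -dev package (name varies by release; 3rdparty tarball also works)" ;;
        uuid/uuid.h) echo "uuid-dev" ;;
        *)           echo "unknown" ;;
    esac
}

# missing_headers INCLUDE_ROOT HEADER...: space-separated list of the headers
# that are not present under INCLUDE_ROOT (empty when all are present).
missing_headers() {
    root="$1"; shift
    list=""
    for hdr in "$@"; do
        [ -f "$root/$hdr" ] || list="$list${list:+ }$hdr"
    done
    echo "$list"
}

# check_build_deps INCLUDE_ROOT HEADER...: print one status line per header
# and return the number of missing headers, so
#   check_build_deps /usr/include $SNORT3_ALPHA_HEADERS || exit 1
# can gate a build script before ./configure && make.
check_build_deps() {
    root="$1"; shift
    missing=0
    for hdr in "$@"; do
        if [ -f "$root/$hdr" ]; then
            printf 'ok       %s\n' "$hdr"
        else
            printf 'MISSING  %s -> install %s\n' "$hdr" "$(dev_hint "$hdr")"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone run against the real system include directory.
if check_build_deps "${INCLUDE_ROOT:-/usr/include}" $SNORT3_ALPHA_HEADERS; then
    echo "all build dependencies present, ./configure && make can proceed"
else
    echo "install the packages listed above (or build the 3rdparty tarballs) first"
fi
```

Header presence is a necessary check, not a sufficient one: the readline mismatch the post ran into was a version skew between a library and its -dev package, which this script cannot see; `dpkg -S` on the header and `dpkg -l` on the library show whether the two come from the same release.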