Categories
Technology

Serious Windows security flaw

Recovered from the Wayback Machine.

Thanks to Ken Camp we’re warned about an extremely serious Windows vulnerability.

The flaw, which allows hackers to insert malicious computer programs into seemingly innocuous image files, was discovered last week.

But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it.

Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.
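One defensive check that follows from the paragraph above: before a file that claims to be an image is rendered, confirm that its leading bytes actually belong to the format its name claims. This is an added example, not code from the original post; the file names and byte strings are constructed for the demonstration, and the `check_image` / `triage` helpers are hypothetical names. It is a filter, not a fix: a malformed file of the right type still reaches the decoder, which is why the patch matters.

```python
"""Check that a file served as an image actually carries the header of the
format its extension claims.  Added example, not from the original post;
the file names and byte strings below are constructed."""
import os
from typing import Optional

# Leading bytes (magic numbers) of the common web image formats.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}
ALIASES = {"jpeg": "jpg"}


def sniff(data: bytes) -> Optional[str]:
    """Identify the format from the first bytes, or None if unrecognised."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_image(name: str, data: bytes) -> dict:
    """Compare the extension's claim against the sniffed content."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    actual = sniff(data)
    if ext not in MAGIC:
        verdict = "not-an-image-extension"
    elif actual is None:
        verdict = "unrecognised-content"   # claims to be an image, header says otherwise
    elif actual != ext:
        verdict = "mismatch"               # a real image, but not the kind the name says
    else:
        verdict = "ok"
    return {"name": name, "claimed": ext, "actual": actual, "verdict": verdict}


# Constructed samples: two genuine headers, a GIF renamed .png, and an
# executable header (MZ) hiding behind a .jpg name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01",
    "banner.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "logo.png": b"GIF89a\x10\x00\x10\x00\x80\x00\x00",
    "innocent.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
}


def triage(samples=SAMPLES) -> dict:
    """Verdict per file name; anything other than 'ok' should not be rendered."""
    return {name: check_image(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

Running the script prints one verdict per sample; only `photo.jpg` and `banner.gif` come back `ok`. The point of the `mismatch` case is that a renderer which trusts the extension and one which sniffs the content can disagree, and an attacker only needs one of them to be wrong.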

There is no official Microsoft patch, and until there is, I’m keeping my Windows 2000 dual boot firmly fixed on Ubuntu. If you’re running XP there is an unofficial patch.

In the meantime, if you’re running an unpatched Windows machine, I would strongly suggest that you not follow any links that appear in my or anyone else’s comments — even if the person writing the comment seems to be someone you know. Anyone can use any name with a comment (even someone else’s name), and I don’t filter links.

All you have to do is open one email, IM, or web page with an infected image — or use something like Google Desktop, which indexes such files on its own.

Ad makers are exploiting this vulnerability to infest your machines with spyware.

But before you click that link–you sure you want to do that?

A weblogger named Jesper, who says he’s a Senior Security Strategist in the Security Technology Unit at Microsoft, wrote unofficially about workarounds and related matters for this issue.
His view of the unofficial, non-Microsoft-blessed patch is: don’t use it.

Again, it is risk management. If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation you are probably not willing to trust a third-party packaged patch anyway. The unknown risk of issues with an unofficial patch is pretty high. The cost of implementation ranges from low in a very managed environment, to very high in an unmanaged environment. If your risk and the cost of the attack is very high then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now.

This after listing a bunch of options that even he admits won’t likely protect a computer, especially with the new malware exploits. He’s speaking privately, though, and not officially, so we have to factor that into our interpretation–except we have to assume that since he’s a ‘security consultant’ he’s fully aware of the impact of his position on people reading his words.

Some folk would say this is the power of weblogging; this real company people writing to real weblogs saying real things. To that I say, “Bullshit!” This is the weakness of weblogging — no one says anything directly. It’s all a game, and those of us who are forced into the game are stuck trying to figure out the rules before we get swept from the board.

Jesper isn’t condemning the patch because he knows it to be flawed or unworkable, but because it isn’t Microsoft. Pure and simple. And he’s doing so as one of us, which is supposed to what? Increase his credibility?

Well, since Microsoft is the one who put out the code, and has downplayed the vulnerabilities (“We have determined that an attacker would have no way to force users to visit such a malicious Web site”–this from a weblog entry), as well as being less than concerned about putting out a timely fix (“we will release a fix via our regular monthly security release…Have a Happy New Year!”), I have to wonder who exactly it is we are supposed to trust?

Categories
Weather

Fighting fires

We got our first tornado warnings this morning, before a storm came through that blasted light and sound against my windows. At least we’ve had rain, unlike the folks in Oklahoma and Texas, who are battling some fairly serious plains fires. Too bad these states didn’t get the rain the folks in Northern California received.

Speaking of fires, I appreciate Jeneane passing the Pew Survey torch on to me, but I have little interest in doing more than give a quick cursory glance at the findings. There are others who have written in detail on the report. I would say that the researchers had a hypothesis going in, and then found the data to support it. If they had come out saying “Women prefer purple dots on yellow, while men prefer yellow dots on purple”, they would have found the data to support this, too.

Me, I’m more interested in watching the weather.

Categories
Connecting Weblogging

Taken

“Obviously, your not from my south because down here we hate gay people and we hate your beliefs about this subject Shelley! Oh and I don’t have sex with my horse and obviously your bible isn’t baptist!”

I laughed when I read this, thinking to myself, “You can’t pay someone to write words such as this!” Of course, at this point I realized that yes, you can. This comment is so stereotypical of ‘southern Baptists’ that I knew almost immediately it was fake.

A little checking on the commenters for my Brokeback post showed that at least two–Holly and Hoss–are fake commenters, coming from known SPEWS-listed IP addresses and arriving via search engine. Though Nate and Machelle don’t come from blacklisted IP addresses, they also came from similar search requests, each with suspicious-sounding hotmail addresses. The rest of those who commented either had commented here before or have unique, and valid, email addresses.

Following the search engine trail, I can see the same type of writing used in my comments in comments on other posts, though which ‘side’ the commenter is on changes from post to post. I imagine if we did some checking on IP addresses, we’d find that ‘Holly’ commented as ‘James’ or ‘Linda’ elsewhere.
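The three checks described in the two paragraphs above (source IP on a DNS blocklist, arrival via a search-engine query for the post’s topic, and a throwaway-looking free-mail address) can be run mechanically over a post’s comment records. This is an added example, not the blog’s own code. The blocklist zone `bl.example`, the comment records, the referrer URLs and the offline resolver table `FAKE_DNS` are all constructed for the demonstration; `triage_comment` and `triage_all` are hypothetical helper names. The DNSBL lookup itself is the standard reversed-octet query, so with `socket.gethostbyname` as the resolver and a live list’s zone it works against real DNS.

```python
"""Triage comments on a post for sock-puppet and spam signals: source IP on a
DNS blocklist, arrival via a search-engine query for the post's topic, and a
throwaway-looking free-mail address.  Added example, not the blog's own code.
The blocklist zone name, the comment records, referrer URLs and the offline
resolver table are all constructed for this demonstration."""
import socket
from urllib.parse import parse_qs, urlparse

# Hypothetical DNSBL zone; a real deployment would use a live list's zone.
ZONE = "bl.example"

# Constructed stand-in for DNS so the example runs offline: maps the
# reversed-octet query name to the 127.x answer a listed IP would return.
FAKE_DNS = {"7.113.0.203.bl.example": "127.0.0.2"}

SEARCH_QUERY_PARAMS = {
    "www.google.com": "q", "google.com": "q",
    "search.yahoo.com": "p", "search.msn.com": "q",
}
FREE_MAIL = {"hotmail.com", "yahoo.com"}


def dnsbl_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Standard DNSBL lookup: reverse the octets, append the zone, and treat
    a 127.0.0.x answer as 'listed'.  NXDOMAIN (gaierror from real DNS, or
    KeyError from the offline table) means not listed."""
    query = ".".join(reversed(ip.split("."))) + "." + zone
    try:
        answer = resolve(query)
    except (socket.gaierror, KeyError):
        return False
    return answer.startswith("127.")


def search_query(referrer):
    """Return the search string if the referrer is a known engine's results page."""
    if not referrer:
        return None
    u = urlparse(referrer)
    param = SEARCH_QUERY_PARAMS.get(u.netloc.lower())
    if param is None:
        return None
    return parse_qs(u.query).get(param, [None])[0]


def throwaway_address(email):
    """Free-mail domain plus digits in the local part: a weak but useful signal."""
    local, _, domain = email.rpartition("@")
    return domain.lower() in FREE_MAIL and any(ch.isdigit() for ch in local)


def triage_comment(c, post_keyword, known_emails, resolve=socket.gethostbyname):
    """Classify one comment record as fake / suspicious / known / unverified."""
    reasons = []
    if dnsbl_listed(c["ip"], ZONE, resolve):
        reasons.append("ip-on-blocklist")
    q = search_query(c.get("referrer"))
    if q and post_keyword.lower() in q.lower():
        reasons.append("arrived-via-search-for-topic")
    if throwaway_address(c["email"]):
        reasons.append("throwaway-address")
    if c["email"].lower() in known_emails:
        reasons.append("seen-before")

    if "ip-on-blocklist" in reasons:
        verdict = "fake"
    elif "seen-before" in reasons:
        verdict = "known"
    elif "arrived-via-search-for-topic" in reasons and "throwaway-address" in reasons:
        verdict = "suspicious"
    else:
        verdict = "unverified"
    return verdict, reasons


# Constructed comment records (TEST-NET addresses, made-up e-mail addresses).
COMMENTS = [
    {"name": "Holly", "ip": "203.0.113.7", "email": "holly8812@hotmail.com",
     "referrer": "http://www.google.com/search?q=brokeback+mountain+blog"},
    {"name": "Nate", "ip": "198.51.100.22", "email": "nate7342@hotmail.com",
     "referrer": "http://search.yahoo.com/search?p=brokeback+comments"},
    {"name": "Regular", "ip": "192.0.2.5", "email": "regular@example.org",
     "referrer": ""},
]
KNOWN_EMAILS = {"regular@example.org"}


def triage_all(comments=COMMENTS, post_keyword="brokeback",
               known_emails=KNOWN_EMAILS, resolve=FAKE_DNS.__getitem__):
    """Verdict per commenter name, using the offline resolver by default."""
    return {c["name"]: triage_comment(c, post_keyword, known_emails, resolve)[0]
            for c in comments}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```

A blocklist hit is treated as decisive on its own, while the search-referrer and throwaway-address signals only escalate to “suspicious” together, matching the distinction drawn above between Holly and Hoss on one hand and Nate and Machelle on the other. Referrer headers are trivially forged, so they are a triage aid, never proof.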

I’m not sure if this flurry of comments is from kids out to have a little fun, or spammers generating ‘controversy’ for a movie in order to increase interest. I do know that next time I want to write on something such as Brokeback, I won’t include the name in my title.

In fact, I’m creating a new category, ‘unclassified’, and adding a robots.txt entry to exclude entries in this category from search engine web bots. There is no value in getting visits from search engines for controversial topics such as these.

In the meantime, I’ve closed down commenting in that post, but left the comments–as a reminder the next time I start to react to a throwaway comment.

Categories
Weblogging

Only Nine Hundred and Ninety-Four Shopping Years until the next Millennium

A few links to festivities and the last photos of 2005.

*George Thomas Clark presents: John Wayne Reviews Brokeback Mountain. Child safe version at Editor and Publisher.

Inspired by my own post on this movie, or I should say the comments, Ralph has found a replacement for ‘You Rock!’. Henceforth to be used by all the really cool kids.

On to 2006 and future hope:

Lou Joseph does the New Year around the world, summed up by Sheila Lennon.

A wondrous post on unbecoming from Ethan: I want to unbecome a person who does not live his dreams.

A man who is following his dreams is Rob, who wrote: And I would walk 500.05 miles and I would walk 500.05 more just to be the man who walked a thousand point one miles to fall down at your door!

His goal for 2006: 1200 miles.

Ken is dancing the night away in black tie and tux, Maria shows us her footwear as the California storms rage round her, and Phil Pearson snaps sunrise, 2006 in New Zealand.

Have a Happy. Have a Safe. Have a Cookie!

*I had considered posting a link to the Huffington Post version of George Clark’s review, but the comments were more than I could take. Instead, I’ll just repeat what I wrote in my own comments, in response to those who seem to have problems with gay love:

As for displays, I’ve found that watching genuine affection between people regardless of their gender to be uplifting. It’s rare nowadays to see such love and care. One of the most loving men I know is gay and Episcopalian, with a strong true faith, love of gardening, his old dog, his church, and his partner of many years.

I’d rather watch men kissing than killing each other. It amazes me that we’ve made it to 2006 and still celebrate the latter while condemning the former.

Categories
Connecting

My digitalized tunes

Recovered from the Wayback Machine.

I’m still importing my music CDs into my iTunes. I am now up to 1358 songs, and currently importing the Beatles White Album.

Handling CDs over an extended period, I’ve noticed how the CD packaging and CDs, themselves, have changed over time. Some of my older CDs, such as White Album, have thick, heavy plastic cases; the newer ones are thin, light, or even made of paper. The older CDs are thicker, and seem more durable; the newer are so thin they seem to be made of dragonfly wings.

I can’t remember buying my first CD player, or my first CD. According to this page at Philips, the first CD pressings for commercial sale happened in August of 1982. By the following January, half a million CDs had been sold.

1982. That was one year later than when DOS was invented, and one year before the release of Apple’s Lisa personal computer. That was 23, almost 24 years ago–older than some of you reading this. This means that many of you have never played a record in a record player; or tapes that used to get hung up in the cassette players, and turn into the same curly mess as our afros.

My ex-husband and I had a CD player our second Christmas together, I remember that. Or was it a cassette player? It was one or the other, I remember that. What I can’t remember is the year we got married. For the life of me, I can’t remember when we got married. Was it in 1983? I can remember the stereo (it could still play albums, so it must have been a cassette player); the place we lived (an apartment, with an artificial stream that attracted ducks in the winter); the city (Phoenix); even what I wore Christmas day (a light pink satin nighty with a darker rose satin robe with delicate lace down the front).

We had adopted a pregnant cat who had given birth to three kittens about 2 months before. I can remember them tearing at the Christmas tree and sleeping as a bundle on my lap. I had a perm, and my hair was a thick mass of curls.

I can remember the year we divorced: 2002, in Boston. (Actually it was in 2001: the year the dot-com I worked at closed, the year I started my first weblog, took my one and only trip to London, and then moved to San Francisco because it seemed like a cool place to live.) We still lived together; something the judge commented on–perplexed at our friendliness after session after session of couples loathing one another. When we moved apart, I can remember splitting up the CD collection: his and hers. But I can’t remember the year we were married, or the first CD we bought. It’s in the pile I’m digitalizing right now. Somewhere.