Category Archives: Security

Safe surfing for the kiddies

Every parent must wonder, when their kids get to computer-using age, about installing monitoring/pr0n-site blocking software. I’ve pondered it myself, but not gone down that road yet, since there are other methods of avoiding nasties.

What I’ve done with my kids is to set them up with an account each on the computers, and set up their browsers (both IE and Firefox) with Google Safe Search turned on. It will stick if your browser is accepting cookies.

They’ve also been shown how to customise their accounts with their own wallpaper, colours, bookmarks/favourites etc, which is a motivation for them to properly log on as themselves when using the computers. Not that it’s hard with XP; just point at the name/face from the Logon/Switch User screen. (One of the two machines is Win2K, so no Switch User capability, but we survive.)

As an added bonus, their accounts are standard users, not Admin, preventing them downloading and installing software. My account has a password, but theirs don’t (surprised they haven’t objected to that actually).

They’ve been taught not to download programs without permission anyway. Through the school internet policy they know to close any browser window/tell an adult if they see anything “making them uncomfortable”.

And I’ve taken the advice that a wise man once told me: while Net Nanny etc have their uses, nothing beats the kids being educated in what they should and shouldn’t be looking at, and placing the computers in a public, visible part of the house, rather than tucked away in a back room.

Nuke it from orbit

Microsoft Says Recovery from Malware Becoming Impossible

Ripley: I say we take off and nuke the site from orbit. It's the only way to be sure.

“When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit,” Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference.

It’s the only way to be sure.

A message from Apple

Apple embeds a poem into MacOS:

Your karma check for today:
There once was a user that whined
his existing OS was so blind
he’d do better to pirate
an OS that ran great
but found his hardware declined.
Please don’t steal Mac OS!
Really, that’s way uncool.
(C) Apple Computer, Inc.

Enormous house valuation leaves owner unimpressed

Even governments have to live within their means. But the nice thing about taxation, where you figure out how much tax (or rates) someone owes you, is that revenues are pretty predictable. You say it, they owe it. Nice. I wish I had that kind of lock on my ‘customers’.

Unless you stuff up.

If you stuff up, suddenly the USD$8m you were counting on isn’t coming in, and you have to start sacking public servants. Read the link, that’s what this rant is about. I’m not going to recount it at length. Let’s just say there was a single character typo and leave it at that.

The nifty thing about this stuff up is that it was via a records enquiry system, by an external operator, who accidentally activated a retired program that shouldn’t have been able to affect property prices anyway (what with being retired and all). Valuation on the property went from USD$150K to… tray lots: USD$400m. Any reasonable system would have said “wow, that’s a fairly hefty increase in valuation, you’re going to have to enter several ‘no, seriously, I’m not kidding‘ codes before I actually believe you.”

Daniel, where’s our “risks” category?

I put it to you that few system developers would have considered this could ever happen, accidentally or otherwise, and that when offered the opportunity to spec a system like this it’d be rare that anyone would suggest a check like “if the rate of increase was more than twice that of any other property in the system, or the increase more than ten times the value of any other property in the system, get it checked by a human other than the one entering the data”. But there was no checking, and with today’s interconnected computer systems, the new valuation cascaded into other systems. Such as the county’s budgeting system, thus the surprise sackings to lower costs.
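As an added illustration (my own constructed example, not code from the county’s system), here is the plausibility check proposed above applied to a made-up table of valuations: an update that is out of line with every other property is held until a different human signs off, so the budgeting projection never sees it.

```python
from dataclasses import dataclass


@dataclass
class Property:
    pid: str
    value: float       # current accepted valuation, USD
    last_ratio: float  # new/old ratio of its most recent accepted revaluation


class ReviewRequired(Exception):
    """Raised when an update must be confirmed by a second human."""


def plausibility_reasons(props, pid, new_value):
    """Reasons the proposed rule would hold this update for review (empty = plausible)."""
    target = props[pid]
    others = [p for p in props.values() if p.pid != pid]
    ratio = new_value / target.value
    increase = new_value - target.value
    max_other_ratio = max(p.last_ratio for p in others)
    max_other_value = max(p.value for p in others)
    reasons = []
    if ratio > 2 * max_other_ratio:
        reasons.append(f"ratio {ratio:.1f}x is more than twice the largest other ratio ({max_other_ratio:.2f}x)")
    if increase > 10 * max_other_value:
        reasons.append(f"increase of {increase:,.0f} is more than ten times the largest other valuation ({max_other_value:,.0f})")
    return reasons


def apply_revaluation(props, pid, new_value, entered_by, reviewed_by=None):
    """Apply the update unless it is flagged and no *different* human has signed off."""
    reasons = plausibility_reasons(props, pid, new_value)
    if reasons and (reviewed_by is None or reviewed_by == entered_by):
        raise ReviewRequired("; ".join(reasons))
    target = props[pid]
    target.last_ratio = new_value / target.value
    target.value = new_value
    return reasons


def projected_revenue(props, rate):
    """What a downstream budgeting system would compute from the same table."""
    return sum(p.value for p in props.values()) * rate


def sample_properties():
    # Constructed sample data: a few ordinary suburban valuations; "P-0042" is hypothetical.
    return {
        "P-0001": Property("P-0001", 120_000, 1.03),
        "P-0002": Property("P-0002", 180_000, 1.05),
        "P-0003": Property("P-0003", 300_000, 1.04),
        "P-0042": Property("P-0042", 150_000, 1.02),  # the one about to be mistyped
    }


if __name__ == "__main__":
    props = sample_properties()
    try:
        apply_revaluation(props, "P-0042", 400_000_000, entered_by="operator-7")
    except ReviewRequired as e:
        print("held for review:", e)
    print(f"projected rates revenue still {projected_revenue(props, 0.01):,.0f}")
```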

Please, someone tell me I’m wrong. Tell me that this failure has got to be a one-off, that I’m a cowboy, and the industry I work for is fine.

Vaccination and Hippies

Owen turned four (months) recently, and he was taken to the doctor for that round of inoculations. That reminded me that when Cathy and I were doing childbirth classes we discovered that the lunatic fringe is alive and well in Melbourne. The subject was “Sleeping Soundly”, the opening minutes of which were about vaccination for no reason I could discern.

The World Health Organisation, whom the Choices for Childbirth speakers quote when lamenting (quite rightly, in my opinion) the high medical intervention rate during childbirth, is studiously ignored when talking about how one ought to explore both sides of the “debate” over immunization. The WHO says “No child should be denied immunization without serious thought about the consequences, both to the child and the community”.

Humans are terrible at estimating risk (also known as probabilities). They happily play lotteries (one in millions chance of winning), but then drive their kids to school (running a pronounced risk of a car crash and injuries vs a vanishingly small risk of a perverted old man snatching their kid and having his way with them). Humans are prejudiced machines – they decide things without knowing all the information (pre-justice, or pre-judge). They make decisions based on what they can recall on the subject. And this is counterpointed by the news media, which reports news. They don’t report that millions of Aussies got out of bed, went to work and came home again, without incident. That’s not news. Someone being bitten (or better yet, taken) by a shark, that’s news – because it hardly ever happens. Things that are unusual, different, out of the ordinary and notable are part of every night’s TV viewing. A viewing night of four hours – 240 minutes – includes 30 minutes of really unusual stuff, so odd and weird that the TV station sent a film crew out to take pictures of it (ever woken to find a camera crew filming you getting out of bed? “This morning, Josh got out of bed…” No, didn’t think so). And humans think “I’d better be careful when I go swimming, a shark could get me. I’ve seen that happen a couple of times in the last few months. In fact, just to be safe, I won’t go swimming”. We have crime shows on every night, leading viewers to think “there’s a lot of crime out and about. I’ll drive to the shops”. The news loves a good kidnapping “little girl snatched from her bedroom”, and happily ignores the fact that almost all child abductions are performed by relatives. But we’ll drive them to school, to keep them safe (and fat). So when the Tabloid TV shows announce that a child has reacted poorly to an inoculation, immunization rates plummet, in the same way breast cancer screening rates jumped right after Kylie got it. More often than not, they use their power for evil rather than good.

These same TV shows give equal time to minority and majority opinions, in the interests of fairness. Which would be fine, except humans will go “hmmm, it seems that professional opinion on this seems to be divided down the middle, I’ll just be safe and not vaccinate my child (besides, needles hurt).” It’s dangerous and irresponsible scaremongering amongst the vaccination decision makers – parents. And they’re being affected by it. Infectious diseases the developed world thought it had eradicated (think whooping cough, which was almost wiped out) are resurfacing as a result of the crazy hippies who reckon that this vaccination thing is all a money making scam by the multinational pharmaceutical companies.

Vaccines don’t always work. They are not 100% effective. You can get a disease after being vaccinated against it – the vaccine may not provoke an immune response. And that doesn’t have to matter.

Needles hurt. Vaccines have an inherent level of danger. Injecting pathogens into your body isn’t something it’s really designed for, and keeping vaccines viable for an acceptable time means there’s stuff in them that some bodies will not react well to. Some immune systems go ape shit when they see the disease. Some people die. I’d like to point out how badly the bodies of these people will react when they get the real, live, unattenuated, unadulterated, honest-to-God virulent form of the disease – exceptionally poorly. But nonetheless, there is a potential cost associated with being vaccinated.

I’m going to talk about herd immunity and the freeloader effect. A certain level of non-vaccinated members of the population is acceptable, but varies from disease to disease – the immunization you’re given may not invoke an immune response in you, but at the same time, if about 90% of the population is immune, generally an infectious disease is not going to become pandemic. Which is fine, and everyone’s happy. Until God damn hippies start running around not getting immunised, becoming freeloaders on those of the population who have run the risk of reacting horribly. With enough people unimmunised, eventually the herd immunity effect breaks down, and the kids of the hippies end up getting diseases that we thought no one got anymore. And, no doubt, the hippies whinge about it, but refuse to take the blame for the kids of responsible parents who got the disease despite being vaccinated against it – because their bodies failed to produce an immune response. And those responsible parents will be too grief stricken to blame the hippies for killing their child.

The Australian federal government’s Immunisation Myths and Realities booklet talks about the complaints that hippies put forward. Myths such as the MMR vaccination causing autism.

The adverse reactions a vaccination may produce are mild compared to what would happen if they actually got the disease. The only elevated risk is to those intolerant of egg products.

Let’s have a look at what these diseases do. Because, if you’re against immunizing against them, they can’t be that bad, insofar as diseases go, right? Because you’re happy to run the risk of your child catching and living with (and dying from) these diseases, versus the risk of your child having “something happen to them” as a result of being vaccinated.

From the Australian National Immunisation Program schedule of immunisations, things that you’re inoculated against:

  • At the moment of birth: hemorrhaging. Normally Vitamin K is produced by bacteria in the intestines, and dietary deficiency is extremely rare unless the intestines are heavily damaged. But newborns are nearly sterile – if the embryonic sac is intact, they are sterile. Thus, no bacteria, and no Vitamin K, which is needed for the posttranslational modification of certain proteins, mostly required for blood coagulation.
  • Polio, check out photos of polio victims. The virus invades the nervous system, and the onset of paralysis can occur in a matter of hours. Polio can spread widely before physicians detect the first signs of a polio outbreak – so forget pulling your child from school when someone is noticed with polio, this is not a prophylactic method with any level of success.
  • Diphtheria, check out photos of children with Diphtheria, a bacterial infection. Long-term effects include cardiomyopathy (the heart wastes away) and peripheral neuropathy (ie, paralysis).
  • Pertussis or whooping cough. Doesn’t sound so bad, a bit of a cough. Check out the photos of babies with a bit of a cough. Complications of the disease include pneumonia, encephalitis, pulmonary hypertension, and secondary bacterial superinfection.
  • Rubella, a relatively mild disease (photos) unless it’s caught by a developing fetus. Lifelong disability results. But I guess that’s the fetus’ problem, not yours.
  • Mumps usually causes painful enlargement of the salivary or parotid glands. Orchitis (swelling of the testes) occurs in 10-20% of infected males, but sterility only rarely ensues; a viral meningitis occurs in about 5% of those infected. In older people, other organs may become involved including the central nervous system, the pancreas, the prostate, the breasts, and other organs. The incubation period is usually 12 to 24 days (again, don’t bother pulling your kids from school – they’ve already got it). Mumps is generally a mild illness in children in developed countries. So your child should get it.
  • Hepatitis B – Over one-third of the world’s population has been or is actively infected by hepatitis B virus, so it can’t be all that bad. Hepatitis B infection may lead to a chronic inflammation of the liver, leading to cirrhosis. This type of infection dramatically increases the incidence of liver cancer. Only 5% of neonates that acquire the infection from their mother at birth will clear the infection. Seventy percent of those infected between the age of one to six will clear the infection. When the infection is not cleared, one becomes a chronic carrier of the virus.

There are other diseases, but I’ve only got so much time. Read the Australian federal government’s Immunisation Myths and Realities booklet. And for the love of all that’s right in the world, get your children immunised.

Just because you don’t understand statistics, science or even simple logical reasoning, doesn’t make vaccinating your children a bad thing. Perhaps, if you don’t understand any of these things, you should leave the decision making on vaccination to the professionals?

.NET security bites back

I was running a .NET app, and all it did was say:

Request for the permission of type System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

After I hit Ok, the app crashed with an exception. I didn’t write it. Others could run it, I couldn’t. What was I doing wrong?

I was running the exe from a network share. Copying the exe to local fixed the problem.

This is God calling

Yesterday I answered the ‘phone. Because I was home, having a holiday, which is soon to be rudely interrupted by a short working stint, but that’s by-the-by. I could tell that whoever had called didn’t know anyone in the house; the phone’s listed in my girlfriend’s name. “Hello, Mr [Girlfriend’s-name]?” is a dead giveaway that they’ve pulled the number from the phonebook, and immediately puts me on the defensive. Which is why I have no interest in having the phone in my name. I can spot low-life scum a mile away with the arrangement as it is.

Now, the first thing I do when I have a telemarketer on the phone is to get them to tell me who they are. The lass weaselled about, talking about a survey. Surveys don’t care about the identity of the respondent; this was marketing. Eventually she said she was representing the Jehovah’s Witnesses, at which point I terminated the call; religious fundamentalists get up my nostril.

Neither Cathy nor I get any telemarketing calls – oh, well maybe we get a couple a year from local gyms. It’s because we’re signed up to the ADMA’s do-not-call list. If you’re not signed up, stop reading, and go sign up now. The local gyms get the line “we only purchase goods from members of the Australian Direct Marketing Association” and they’re taken care of.

So, here we have technology being used for evil. Evil, not only because it’s evangelical fundamentalists at work, but because they claim they’re doing a survey about how people in the local neighbourhood feel about stuff. Because it’s a survey, that would be covered by the Australian Market & Social Research Society, which (they would claim to keep the statistics clean) doesn’t operate a do-not-call list (in spite of the fact that people that don’t want to be surveyed are going to do all sorts of bad things to their stats).

Worst of all, I don’t think there’s much I can do about it, except I remember hearing about a guy who had installed a PABX with an IVR – “if you want to talk to Cathy, press 1 now. To talk to Josh, press 2 now. Pressing 3 now will let you talk at Owen, but don’t expect a cognisant conversation out of him.” Apparently, in the US, he was getting zero telemarketing calls – which is quite a feat.

Questions:

  1. Has the obesity epidemic reached the point where the Jehovah’s Witnesses can’t be bothered leaving the house to recruit souls so that they can, pyramid-sales-scheme-like, go to heaven?
  2. Why don’t the Jehovah’s Witnesses tell people up front you’re not going to heaven, even if you convert (there’s only 144,000 spots – what are the chances you’ll be goody-two-shoes-super-converter enough to get in)?
  3. Why doesn’t the AMSRS operate a do-not-call list?
  4. Why doesn’t the government ban harassment like this?
  5. What can I do to stop this from happening again?

Don’t panic, DON’T PANIC!

Oh joy! Reports of a really bad exploit in WMF, which will affect fully patched Windows XP systems. Ed Bott sums it up nicely:

This is a zero-day exploit, the kind that give security researchers cold chills. It works by exploiting a weakness in the Windows engine that views graphics in the Windows Metafile (WMF) format. You can get infected by simply viewing an infected WMF image.

Fun stuff. Until there’s a patch, beware the metafile, my son! The jaws that bite, the claws that catch!

Update Saturday: Some computers are already protected from this, via Data Execution Prevention. Read about it (including how to check) here.