Category Archives: Vulnerabilities

Nuke it from orbit

Microsoft Says Recovery from Malware Becoming Impossible

Ripley: I say we take off and nuke the site from orbit. It's the only way to be sure.

“When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit,” Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference.

It’s the only way to be sure.

Vaccination and Hippies

Owen turned four (months) recently, and he was taken to the doctor for that round of inoculations. That reminded me that when Cathy and I were doing childbirth classes we discovered that the lunatic fringe is alive and well in Melbourne. The subject was “Sleeping Soundly”, the opening minutes of which were about vaccination for no reason I could discern.

The World Health Organisation, whom the Choices for Childbirth speakers quote when lamenting (quite rightly, in my opinion) the high medical intervention rate during childbirth, is studiously ignored when talking about how one ought to explore both sides of the “debate” over immunization. The WHO says “No child should be denied immunization without serious thought about the consequences, both to the child and the community”.

Humans are terrible at estimating risk (also known as probabilities). They happily play lotteries (one in millions chance of winning), but then drive their kids to school (running a pronounced risk of a car crash and injuries vs a vanishingly small risk of a perverted old man snatching their kid and having his way with them). Humans are prejudiced machines – they decide things without knowing all the information (pre-justice, or pre-judge). They make decisions based on what they can recall on the subject.

And this is counterpointed by the news media, which reports news. They don’t report that millions of Aussies got out of bed, went to work and came home again, without incident. That’s not news. Someone being bitten (or better yet, taken) by a shark, that’s news – because it hardly ever happens. Things that are unusual, different, out of the ordinary and notable are part of every night’s TV viewing. A viewing night of four hours – 240 minutes – includes 30 minutes of really unusual stuff, so odd and weird that the TV station sent a film crew out to take pictures of it (ever woken to find a camera crew filming you getting out of bed? “This morning, Josh got out of bed…” No, didn’t think so).

And humans think “I better be careful when I go swimming, a shark could get me. I’ve seen that happen a couple of times in the last few months. In fact, just to be safe, I won’t go swimming”. We have crime shows on every night, leading viewers to think “there’s a lot of crime out and about. I’ll drive to the shops”. The news loves a good kidnapping “little girl snatched from her bedroom”, and happily ignores the fact that almost all child abductions are performed by relatives. But we’ll drive them to school, to keep them safe (and fat).

So when the Tabloid TV shows announce that a child has reacted poorly to an inoculation, immunization rates plummet, in the same way breast cancer screening rates jumped right after Kylie got it. More often than not, they use their power for evil rather than good.

These same TV shows give equal time to minority and majority opinions, in the interests of fairness. Which would be fine, except humans will go “hmmm, it seems that professional opinion on this seems to be divided down the middle, I’ll just be safe and not vaccinate my child (besides, needles hurt).” It’s dangerous and irresponsible, scaremongering amongst the vaccination decision makers – parents. And they’re being affected by it. Infectious diseases the developed world thought it had eradicated (think whooping cough, which was almost wiped out) are resurfacing as a result of the crazy hippies who reckon that this vaccination thing is all a money making scam by the multinational pharmaceutical companies.

Vaccines don’t always work. They are not 100% effective. You can get a disease after being vaccinated against it – the vaccine may not provoke an immune response. And that doesn’t have to matter.

Needles hurt. Vaccines have an inherent level of danger. Injecting pathogens into your body isn’t something it’s really designed for, and keeping vaccines viable for an acceptable time means there’s stuff in them that some bodies will not react well to. Some immune systems go ape shit when they see the disease. Some people die. I’d like to point out how badly the bodies of these people will react when they get the real, live, unattenuated, unadulterated, honest-to-God virulent form of the disease – exceptionally poorly. But none the less, there is a potential cost associated with being vaccinated.

I’m going to talk about Herd immunity and the free loader effect. A certain level of non-vaccinated members of the population is acceptable, but varies from disease to disease – the immunization you’re given may not invoke an immune response in you, but at the same time, if about 90% of the population is immune, generally an infectious disease is not going to become pandemic. Which is fine, and everyone’s happy. Until God damn hippies start running around not getting immunised, becoming free loaders on those of the population who have run the risk of reacting horribly. With enough people unimmunised, eventually the herd immunity effect breaks down, and the kids of the hippies end up getting diseases that we thought no one got anymore. And, no doubt, the hippies whinge about it, but refuse to take the blame for the kids of responsible parents who got the disease despite being vaccinated against it – because their bodies failed to produce an immune response. And those responsible parents will be too grief stricken to blame the hippies for killing their child.

The Australian federal government’s Immunisation Myths and Realities booklet talks about the complaints that hippies put forward. Myths such as the MMR vaccination causing autism.

The adverse reactions a vaccination may produce are mild compared to what would happen if they actually got the disease. The only elevated risk is to those intolerant of egg products.

Let’s have a look at what these diseases do. Because, if you were against immunizing against them, they can’t be that bad, insofar as diseases go, right? Because you’re happy to run the risk of your child catching and living with (and dying from) these diseases, versus the risk of your child having “something happen to them” as a result of being vaccinated.

From the Australian National immunisation program schedule of immunisations, things that you’re inoculated against:

  • At the moment of birth: hemorrhaging. Normally Vitamin K is produced by bacteria in the intestines, and dietary deficiency is extremely rare unless the intestines are heavily damaged. But newborns are nearly sterile – if the embryonic sack is intact, they are sterile. Thus, no bacteria, and no Vitamin K, which is needed for the posttranslational modification of certain proteins, mostly required for blood coagulation.
  • Polio, check out photos of polio victims. The virus invades the nervous system, and the onset of paralysis can occur in a matter of hours. Polio can spread widely before physicians detect the first signs of a polio outbreak – so forget pulling your child from school when someone is noticed with polio, this is not a prophylactic method with any level of success.
  • Diphtheria, check out photos of children with diphtheria, a bacterial infection. Long-term effects include cardiomyopathy (the heart wastes away) and peripheral neuropathy (ie, paralysis).
  • Pertussis or whooping cough. Doesn’t sound so bad, a bit of a cough. Check out the photos of babies with a bit of a cough. Complications of the disease include pneumonia, encephalitis, pulmonary hypertension, and secondary bacterial superinfection.
  • Rubella, a relatively mild disease (photos) unless it’s caught by a developing fetus. Lifelong disability results. But I guess that’s the fetus’ problem, not yours.
  • Mumps usually causes painful enlargement of the salivary or parotid glands. Orchitis (swelling of the testes) occurs in 10-20% of infected males, but sterility only rarely ensues; a viral meningitis occurs in about 5% of those infected. In older people, other organs may become involved including the central nervous system, the pancreas, the prostate, the breasts, and other organs. The incubation period is usually 12 to 24 days (again, don’t bother pulling your kids from school – they’ve already got it). Mumps is generally a mild illness in children in developed countries. So your child should get it.
  • Hepatitis B – Over one-third of the world’s population has been or is actively infected by hepatitis B virus, so it can’t be all that bad. Hepatitis B infection may lead to a chronic inflammation of the liver, leading to cirrhosis. This type of infection dramatically increases the incidence of liver cancer. Only 5% of neonates that acquire the infection from their mother at birth will clear the infection. Seventy percent of those infected between the age of one to six will clear the infection. When the infection is not cleared, one becomes a chronic carrier of the virus.

There are other diseases, but I’ve only got so much time. Read the Australian federal government’s Immunisation Myths and Realities booklet. And for the love of all that’s right in the world, get your children immunised.

Just because you don’t understand statistics, science or even simple logical reasoning, doesn’t make vaccinating your children a bad thing. Perhaps, if you don’t understand any of these things, you should leave the decision making on vaccination to the professionals?

This is God calling

Yesterday I answered the ‘phone. Because I was home, having a holiday, which is soon to be rudely interrupted by a short working stint, but that’s by-the-by. I could tell that whoever had called didn’t know anyone in the house; the phone’s listed in my girlfriend’s name. “Hello, Mr [Girlfriend’s-name]?” is a dead giveaway that they’ve pulled the number from the phonebook, and immediately puts me on the defensive. Which is why I have no interest in having the phone in my name. I can spot low-life scum a mile away with the arrangement as it is.

Now, the first thing I do when I have a telemarketer on the phone is to get them to tell me who they are. The lass weaseled about, talking about a survey. Surveys don’t care about the identity of the respondent; this was marketing. Eventually she said she was representing the Jehovah’s Witnesses, at which point I terminated the call; religious fundamentalists get up my nostril.

Neither Cathy nor I get any telemarketing calls – oh, well maybe we get a couple a year from local gyms. It’s because we’re signed up to the ADMA’s do-not-call list. If you’re not signed up, stop reading, and go sign up now. The local gyms get the line “we only purchase goods from members of the Australian Direct Marketing Association” and they’re taken care of.

So, here we have technology being used for evil. Evil, not only because it’s evangelical fundamentalists at work, but because they claim they’re doing a survey about how people in the local neighbourhood feel about stuff. Because it’s a survey, that would be covered by the Australian Market & Social Research Society, which (they would claim to keep the statistics clean) doesn’t operate a do-not-call list (in spite of the fact that people that don’t want to be surveyed are going to do all sorts of bad things to their stats).

Worst of all, I don’t think there’s much I can do about it, except I remember hearing about a guy who had installed a PABX with an IVR – “if you want to talk to Cathy, press 1 now. To talk to Josh, press 2 now. Pressing 3 now will let you talk at Owen, but don’t expect a cognisant conversation out of him.” Apparently, in the US, he was getting zero telemarketing calls – which is quite a feat.

Questions:

  1. Has the obesity epidemic reached the point where the Jehovah’s Witnesses can’t be bothered leaving the house to recruit souls so that they can, pyramid-sales-scheme-like, go to heaven?
  2. Why don’t the Jehovah’s Witnesses tell people up front you’re not going to heaven, even if you convert (there’s only 144,000 spots – what are the chances you’ll be goody-two-shoes-super-converter enough to get in)?
  3. Why doesn’t the AMSRS operate a do-not-call list?
  4. Why doesn’t the government ban harassment like this?
  5. What can I do to stop this from happening again?

Don’t panic, DON’T PANIC!

Oh joy! Reports of a really bad exploit in WMF, which will affect fully patched Windows XP systems. Ed Bott sums it up nicely:

This is a zero-day exploit, the kind that give security researchers cold chills. It works by exploiting a weakness in the Windows engine that views graphics in the Windows Metafile (WMF) format. You can get infected by simply viewing an infected WMF image.

Fun stuff. Until there’s a patch, beware the metafile, my son! The jaws that bite, the claws that catch!

Update Saturday: Some computers are already protected from this, via Data Execution Prevention. Read about it (including how to check) here.

Dead USB port

So, in building the broadband access machine I’ve found a gift computer (twice as powerful as anything else I owned) that was ‘not working’. After loading XP onto it and futzing with it for a while, I figured out that doing anything with the USB port locked up the computer… after a while. I tested the theory by running up a memory/CPU intensive game and letting it run for a few hours. It was happy until I transferred some files off the USB stick. Fault identified. If I want to transfer stuff off the machine, I’ll need to get a USB card, or hook up a network. And I think I’ll do the latter.

With fault identification complete, I hooked up the broadband modem (Netcomm NB5) via the ethernet connection (given the USB connection wasn’t going to be working on this machine). Entered the IP of the modem into the browser, and got the modem’s login screen. Everything was good, and I shut down all access other than web via port 80 using the modem’s built-in firewall. Connection to the ISP was established, proxies entered into Firefox (not IE – CERT says there are no secure versions), and Google was available. Connectivity proven.

The web browsing machine got Fedora Core 3 loaded on (a simple process), and the proxy setup was repeated with the same results. FC3 comes with a pre-release version of Firefox, so I loaded up the CD with the .gz for 1.0.4 and loaded that onto the desktop. Then I spent a couple of hours figuring out that I needed to be root to install the browser, and where to install it. Having done that, I still haven’t got it as the default browser – that’s still the prerelease Firefox. But I can run up 1.0.4 from the command line, so at least it’s available, and adBlocker is installed, so well and good.

I figure that I’m going to lock the modem down to a single IP address it’s going to talk to, the FC3 machine. Anything else that wants data from the net is going to have to transfer it from the FC3 machine and won’t be exposed to the big bad internet, because I’m not ready to migrate our entire PC collection over to Linux just yet.

Which means I need to buy a switch.

Firefox critical vulnerability

With Firefox trumpeting itself as “Safer, faster, better” it’s fashionable to think of the product as being inherently safer than its opposition (primarily IE). It’s not. Mozilla has acknowledged a major vulnerability in Firefox, and with no fix available, is saying that the workaround is to switch off Javascript, and disable software installation.

Switching off Javascript renders a large chunk of the web unusable. Yeah, you can manually turn it back on for sites you trust… but who has the time to do that? And among the general non-geek populace, who has the knowledge to do it?

Of course, the likelihood of actually falling victim to this problem is pretty small. But if you’re tempted to switch back to IE, make sure it’s securely set up. One option is to use a security lockdown registry hack.

Meanwhile the neato Tiger Dashboard widgets facility that Andy’s been talking about appears to have its weaknesses too. Whoops.

Okay, so maybe I shouldn’t be so critical, especially since the stuff I code isn’t necessarily miraculously vulnerability-free. But then, I’m not coding browsers installed on millions of desktops.