Thursday, February 28, 2008

Rogue XP downloads for "security" in comments


Tonight, I found a comment on one of my blogs, that consisted of the word “here” with a link to a blogspot entry. However, that entry had been equated to xpantivirus dot com. Apparently the comment poster had an account and was able to bypass the monitoring of comments. I did delete the comment. If a visitor finds another such comment, it should be ignored. The visitor can email me, but I check the comments regularly for validity, even those that have bypassed monitoring.

I suspect that there will be more said about "comment monitoring security" in the Blogger community soon. Watch the boards for it.

If one clicks on that link, one gets a warning box near the task bar suggesting that the computer is infected, and that the product must be purchase. If McAfee Site Advisor is installed, the computer will simultaneously display the McAfee Site "red rating" page warning (the user may have to re-maximize the browser to see the warning). A quick check in search engines about this item shows that it is fake. The box itself does not seem to hurt anything, but if the product were installed it might act as spyware, or at least try to get the user to purchase "security" products to remove phantom viruses.

Some sites report that when a computer (XP or Vista) is "infected: with XPantivirus, the computer will display the warning task bar box upon reboot.

McAfee’s reference to this issue dates back to Oct 2007 and is here.

Curiously, the item does not appear when searching McAfee for viruses.

Symantec (Norton) has this reference:

Sunbelt software gives this reference.
Sunbelt lists the names of applicable files and registry keys one can check for (with a Windows search) if one has clicked on this site.

When presented with an ad for anti-virus software, the visitor should always research carefully if the company is unfamiliar. Of course, use search engines – and ironically, that makes the whole subject of “reputation defense” relevant – for a novice software company, at least.

Friday, February 22, 2008

McAfee Site Advisor issues


There was an odd problem with McAfee SiteAdvisor Thursday night, Feb. 21. Most sites suddenly started showing “gray” (as if unrated), even the large commercial sites like Yahoo! and CNN. When I tried to connect to “view site details” I got an unknown address. Then, a couple of times, Mozilla crashed or ran out of memory. A few smaller sites kept on working most of the time.

Siteadvisor.com itself would not connect for a few minutes, but it promptly came back and would work manually with URL's keyed in. But it could not connect to URL's entered on either computer in either browser.

I tried it also with Internet Explorer and got the gray box, and tried it on another computer. Same result.

I found a forum on Yahoo! where people were discussing it, here.
You have to have a registered Yahoo! account to comment.

It seems to be working this morning normally

Does anybody understand how this works?

I do find that McAfee is “strict” on rating sites, downgrading them to yellow for sending too many emails, or for selling services that should be free (like “free credit reports”). It will sometimes downgrade for inadvertently linking to “unsafe” sites. Many blogs on Blogger (including this one) still have not been rated yet.

I don’t know what SiteAdvisor does on blogs when comments inserted by users link to unsafe sites (very common as there are a lot of “spam” comments; it’s a good idea to keep moderation on and check links on comments to see that they match the names

Wednesday, February 20, 2008

Lockdown of domain name for whistleblowers raises constitutional concerns, as well as practical ones


The first thing about the story I’m presenting here, and the links I will give, was for me to decide which blog to put it on. I suspect this story will receive a lot of coverage in the media in coming days, and that I’ll have more separate stories to post.

But for openers, I’ll start with the Internet Safety blog. Because the story suggests that an entire domain can be shut down because of the posting of one user. That’s not supposed to happen in the United States because of a provision called “section 230” in the “good” portion of the Communications Decency Act of 1996, and that section is still intact.

What happened is that a website called wikileaks.org (no active link available now) was ordered shut down in a permanent injunction by Judge Jeffrey White in a federal district court in San Francisco, on Friday, February 15. Actually, it’s more complicated than that. The ISP domain name registrar Dynakot was ordered to disable the domain name and lock it so that it could not be transferred. The site had been a depository for anonymous “whistleblower” leaks of various alleged misbehaviors around the world, such as in Iraq and Guantanamo. The specific situation that led to the court order concerns the Julius Baer Bank and Trust, an offshore (tax haven?) bank in the Cayman Islands, which claims that a disgruntled ex-employee stole papers protected by confidentiality agreements (something that almost all employees in financial institutions would encounter) posted on the site. In a separate “amended temporary restraining order” the judge also ordered that Wikileaks stop publishing the bank’s documents.

Uuum. There’s a lot here. Yes, it’s generally against the law to disclose trade secrets. It’s murkier when the disclosure is supposedly about illegal activities, but I suppose the proper procedure is to go to law enforcement. We know that this doesn’t always work, don’t we. There is supposed to be a lot of protection in the law for whistleblowers. Further complicating things is the fact that this is an international case, and presumably ICANN’s policies and procedures are involved. Finally, why isn’t it enough to simply remove the specific content? Why block the domain entirely? The idea that this could happen can jeopardize all web publishers, especially those who host the speech of others.

But what is even more foolish is that the site is already mirrored with other domain names around the world, and that plenty of bloggers and news sites have published the hard-coded IP address (which I will in a minute). It appears that the judge did not understand the most basic processes behind how internet domain names are resolved and linked. In the COPA trial, which I discuss on another blog, the judge and both sides went into excruciating detail on both sides to examine how the applicable technology works. These injunctions will almost certainly be appealed. But the judge has scheduled a hearing for leap year day, Feb. 29. Already, law professors are calling the ruling a flagrant First Amendment violation, and one professor compared the order to ordering a newspaper to print blank pages in the “Pentagon Papers” case in 1971 regarding the Vietnam war.

Let’s go through the news links. First, AOL told uses about it on Switched.com, in a story by Tim Stevens, “Court Shuts Down Whistleblower Site,” and here is the link.

The New York Times, today, in the National Report, on print page A14, has a story by Adam Liptak and Brad Stone, “Judge shuts down wensite specializing in leaks, raising constitutional issues,” link here. The Times may require registration (and later purchase) to see the content. The NY Times has an editorial Feb 22 "Stifling Online Speech," here.

The blog at http://wikileak.org/ (notice the spelling of this domain name is slightly different) has some detailed legal discussion of the procedural wranglings.

Some other URL’s for the site are the hardcoded IP address.
And the link in Belgium:
The Permanent Injunction against Wikileaks and Dynadot is here.
The associated Temporary Restraining Order is here.

There are many other substitute URL’s around the world. Since the Times can release these, I presume that I can. In any case, visitors will probably be able to find other URL’s easily.

Wikipedia has an article on this incident, with some basic factual summary of the litigation, here. Wikipedia also has a story under "Wikinews" here.

Stayed tuned. I didn’t see a story on EFF (itself in San Francisco) yet, but I suspect I will soon. I expect this story to evolve rapidly.

This cases is considered a good example of the Streisand Effect, where an attempt to shut something down attracts attention and has the reverse effect.

Update: March 5, 2008

According to Wikipedia, Judge White reverse the injunction on Feb. 29, 2008.

The ACLU COPA blog discusses this case in its Feb 29 entry, here.

Thursday, February 07, 2008


There is a disturbing story about seizure and inspection by U.S. Customs and TSA agents of electronic devices (laptop computers, cell phones, IPODs, etc) at border crossings. The story is by Ellen Nakashima, is titled “Clarity Sought on Electronic Searches: U.S. Agents Seize Travelers’ Devices: Travelers’ Devices Seized at Border,” The Washington Post, p. A1, Thursday, Feb. 7m 2007, link here.

There are multiple concerns. One is that government inspectors have sometimes erased sensitive data. Other is that many times people are carrying laptops belonging to employers and that trade secrets or private information is potentially compromised. Some employers have started cleaning hard drives of laptops before their associates travel with them, at least internationally. They depend on Internet access for all information then, which can present its own security hazards. People are also queasy that their own personal information or web surfing habits are suddenly subject to federal inspection, perhaps a Fourth Amendment issue. People might be exposed to arrest if illegal materials were found on laptops, even if they had never been uploaded to the Internet.

There used to be a common procedure at airports of asking people to turn on laptops in security lines. A traveler might need to be sure that his battery was operational and fully charged. I have been asked to turn on a laptop only once in perhaps fifteen trips with them, but I have never taken a laptop overseas.

The Post story indicates that Electronic Frontier Foundation will try to force the government to disclose its policies on border searches. The latest EFF link on the issue seems to be “Travel Screening” and it talks about ATS (Automated Targeting System) and “CAPPS II and Secure Flight”, here.

Sunday, February 03, 2008

PC Magazine has The 72 PC Safety Steps -- and more


PC Magazine’s February 2008 issue has a feature story “72 Essential Security Tips: Everything You Need to Know to Protect Your PC,” on p. 71, by Eric Griffith. Most of it is pretty familiar, and I guess, yes, you should buy the mag. (I couldn’t find a link there yet to see the 72 points online, more below). Some are noteworthy. He recommends bidirectional firewalls, and using a router at home if you have broadband service even if you have only one computer for it. He feels that Firefox and Opera are safer than IE because they are not as tempting as targets – that idea can be debated. He gives the good advise on suspicious emails that are probably phishing scams: don’t click on their links, but run the mouse cursor over them and see if the URL displayed by the email program matches that shown (usually it doesn’t). Banks never tell customers to send them personal information in emails. He advises to supervise their kids’ use of computer games (Xbox, etc) carefully. (That may not be easy; one relative of mine thinks that two cats and two dogs -- real live sentient beings -- are much better companionship for a daughter than a computer, and he’s right.) He notes that biometric password access (retinal scans, fingerprints, etc) are likely to be developed quickly for common use in the future. It seems to me that retinal scans could actually have the unintended benefit of possibly detecting eye disease early.

On p 104, there is an article by Larry Setlzer, “Don’t Click That Ad … or Even Look at It: When you go to a Web site, you have to trust everyone it’s in bed with.” He wrote about a glitch in ynetnews.com (the English language site for an Israeli newspaper) about unintended redirections, which he traced to bad iFrame coding in one of the embedded ads. A story like this sounds like it could undermine the whole business model for online advertising – the understructure for “free” web content, blogs (like this one), and search engines. Hopefully companies will develop stricter coding standards for the ads they accept (which would include companies that deliver automated ads by sense). “Coding standards” are something every programmer knows about, anyway, even from mainframe days. I haven’t had redirections recently myself, but once in a while, after certain ads (mostly on major newspaper sites or imdb) by cursor starts blinking and jumping until I close Mozilla and restart a new session with it. That sounds like the same thing – some bad code in an ad that is writing over memory or not releasing memory properly.

The online website for pcmag has an article by Oliver Rist, “Your PC’s been arrested – now what? If anyone misuses your network, guess who’s liable”. Yes, guess. The author recommends that employers publish their acceptable use policies and enforce them to the letter, and keep attorneys around. What’s worrisome is the downstream liability issue for home network users (what if it becomes a zombie for a DOS attack) even though we don’t hear a lot about actual cases. People have talked about “downstream liability” for the past ten years; I remember a long discussion about this one time with a technology lawyer and AOL consultant at the Libertarian Party of Minnesota booth at the Minneapolis Gay Pride festival in 2000 in Loring Park, that far back. The link is http://www.pcmag.com/article2/0,2817,2250645,00.asp

Now, here’s the rub. I’m not giving the active hyperlinks on this post because – guess what – pcmag.org got a Yellow Rating (caution) from McAfee Site Advisor today (Feb. 3, during the Super Bowl Halftime show) on my machine, and this blog could get downgraded if I link directly to it. Hopefully, this is a false positive, and PC Magazine will get this fixed with McAfee in a day or two. Check back.