Monday, March 30, 2009

Media reports prosecutions for "threats" related to Va Tech, other incidents; Internet users should take notice

Starting around 1999, the major media began occasionally reporting on people being arrested and prosecuted for transmitting threats by email or otherwise through the Internet, as on webpages or sometimes in user groups. These incidents probably picked up as a result of the Columbine tragedy, and then again after 9/11. There is a website called “The Trenchcoat Chronicles” that, using the blog category feature, provides a long list of such incidents over time, here.

So there is a Metro section story in the Washington Post this morning (Monday March 30, 2009) by Allison Klein about the federal prosecution of Nevada resident Johnmarlo Balasta Napa, for transmitting emails, reported as threatening, to two Virginia Tech students right before the anniversary of the tragedy carried out April 16, 2007 by Seung Hui Cho. The Post link is here. The newspaper story (perhaps out of prudence) does not reproduce the text of the emails (other than to say that it included reproduction of some of Cho’s “manifesto” and other violent materials), so one is left to presume that the words really did convey intention to do harm. But the public defender is making the perhaps bizarre claim that the defendant intended to “initiate a discussion on the causes of school violence.” The arrests and indictment were apparently based on the emails, but subsequent police and federal investigation showed that the person had a cache of weapons. But the cache, while it might "eventually" generate separate illegal weapons possession charges (actually, law enforcement admitted that so far the weapons appeared to have been acquired lawfully), doesn’t seem related to the original accusations. Napa has been held without bail since April 2008.

The FBI’s website (Richmond, VA office) has a report on the indictment, on May 22, 2008, here.

The Post story also mentions the conviction of Steven Voneida, who had apparently been a student at Penn State in Harrisburg, for making a related threat in his Myspace posting. The Penn State Daily Collegian has a more detailed story, Feb. 13, 2008, by Katharine Lackey, “Student convicted for Myspace post”, here. The posting did contain an “existential” judgment that itself (however offensive) should have been protected by the First Amendment but also made another alarming statement that most reasonable people might take as predictive of future behavior (look up the “fighting words” doctrine on Wikipedia). The material included a violent “poem” which apparently was authored by the speaker or extracted from Cho's "ballad". Apparently another Penn State student notified police, but the speaker had apparently removed some of the material (after warnings from the campus authorities) before the arrest.

All of this relates to the question of “implicit content”, which I’ve discussed sometimes on my main blog and my COPA blog.

VPI professor Lucinda Roy has an upcoming book “No Right to Remain Silent: The Tragedy at Virginia Tech” (Harmony Books, due March 31), reviewed by Dave Cullen in the Washington Post Sunday, here. Roy warns about the signals of “violent inclinations in advance, often in fiction, poetry or other creative outlets.”

All of this is a huge problem for school officials, most of all public schools, and to some extent colleges and universities, who necessarily have a short fuse in how they interpret alarming material posted on the Internet by students, even from off campus. The Newseum First Amendment exhibit in Washington DC takes up this problem (the “When is a doodle dangerous” placard on level 5).

But Internet users (when sending emails or making public posts) need to be wary of the “intention” that may be read by others into their posts apart from the literal or “ironic” meaning of the content. I encountered this problem myself on another issue in 2005 (see the main blog, July 27, 2007 post and follow the categories).

Note: the Blogger profile contains the links to other blogs which also take up these kinds of problems, and each blog has a category list.

Update: April 29, 2009

The Washington Post reported today, in an article by Allison Klein, that Johnmarlo Balasta Napa had pleaded guilty April 28 to the charges discussed above, story here.

Update: July 13

According to a story by Sue Lindsey, the man was released from jail on condition of receiving psychiatric treatment, AP link here.

Friday, March 27, 2009

ACSLANG (AOL), A0031154 (Dell?) show up in McAfee scans and get quarantined; are these false positives?

Well, today, I found six more potentially false positive “Trojans” on my “Friday morning music club” McAfee scan of my 2006 laptop, which is not used that much.

A couple more AOL backup items were ACSLANG.EXE and ACSSETUP.EXE. I found an inconclusive discussion of these on an Avast! Forum here.

There were three items, A0031154.EXE (55, 56), which are in a system volume “restore” folder and seem to have little information but may be related to Dell modules. Similarly, there is 6B6A7665-DB48-4, which seems related to Dell. When I pull up the McAfee quarantine list through the Security Center restore function, none of these show up on McAfee’s virus database.

Does anyone know anything about these? I find other references to them on the Internet with no real information.

McAfee keeps updating the DAT files and virus engines, and it seems that it may simply be getting “stricter” and quarantining items that it used to let go.

Wednesday, March 25, 2009

Wireless piggybacking can be illegal when it pops up as available

It can be illegal to use a private wireless network without permission. When you have a wireless-enabled laptop, it is your responsibility to make sure you have permission to use it, particularly if you don’t see a pop-up screen saying that it is a public network.

At least, that’s the law in Michigan, and may be in Maryland, according to a Fox News story by Sara Bonisteel, June 5, 2007, “Michigan man fined for using coffee shop’s wi-fi network”. The link is here. The man was checking email in his car outside the shop when the police saw him. Michigan passed the law to prevent wi-fi hacking. The law extends a 1979 computer crime law to prevent piggybacking on wi-fi.

The man, Sam Peterson II, was sentenced to a $400 fine and 40 hours of community service for a misdemeanor. He could have faced a felony charge with 5 years in prison and a $10000 fine.

In most coffee shops, paying customers presumably have permission to use free wi-fi, which may not be well secured.

It’s common when logging on to wireless-enabled laptops for local networks to come up as being available, with some requiring a customer-id logon. But presumably one needs permission to use them.

Friday, March 20, 2009

Ecuinst.exe in AOL backup directories quarantined by McAfee

Once again, an AOL-related item appeared on another McAfee virus scan (after it loaded a new DAT and totally new Security Center (build 9.3.137) and anti-virus engine (build 13.3.115, engine 5300.2777)) today (March 20). It’s “ECUINST.EXE”, which was labeled by McAfee as a Trojan and quarantined. It was in a backup directory with “AOL” and “Program files” in the path name.

Does anyone know anything about this? I have used AOL’s website on the laptop to read email but have not used AOL dialup since the previous scan.

I could not find Ecuinst on McAfee's own virus list.

I have noticed a tendency for Firefox to lock up when left open on the AOL inbox on AOL’s website.

Thursday, March 19, 2009

Conficker approaches "April Fools": a note about McAfee subscription verification

John Markoff has a disturbing story in the New York Times today (Thursday, March 19) about Conficker, with sci-fi channel speculations about what will happen April Fools Day when, according to lore, it activates on about 12 million computers, mostly in corporate networks.

Some reports have it evading all modern anti-virus software, and needing only one domain registered in order to steal information and perhaps corrupt financial accounts linked to these millions of machines.

The link (“The Conficker worm: April fool’s joke or unthinkable disaster”) is here.

McAfee’s latest link that I could find is here, in Nov. 2008; there is a “gen” version in Jan. 2009 with no description.

I suspect that there will be a lot of bulletins from CERT on this soon.

I’ve noticed another oddity in my McAfee service recently.

Recently, I’ve noticed that once in a while McAfee says “computer is not protected” and requires me to verify the subscription, which always works and turns the green light back on. Recently the subscription date extended because of a price change, I think. Have other McAfee users noticed this?

I do see one interesting anomaly on the account. I had McAfee on an older (Windows 95 era) laptop that I no longer use. From the record, it looks like the company transferred that to one of my other computers automatically to extend the date. Is this how it works? McAfee has some complicated logic on the use of the contract on more than one machine. Can this explain the subscription verification messages?

Update: March 30, 2009

The latest McAfee entry, dated March 10, 2009 is here.

The US-CERT webpage for Conficker is here.

March 31, 2009

NBC Washington is saying that you can check to see if you are infected with Conficker by just trying to access the website of a major anti-virus company like McAfee or Norton, or Webroot (for Spysweeper, which Geek Squad likes). I doubt that is correct. I think you should try to run the anti-virus package, and try testing it for updates. At least McAfee updated to March 30 early today when queried.

Does anybody know if the secondary threat starts April 1 2009 "local time" or GMT? If GMT, we'll know what happens shortly after 8 PM tonight EDT. If local time, we could look at what happens in Australia now. If someone knows the time zone issue, please comment.

I have a feeling that April 1, 2009 will be a busy day for Geek Squad and Geeks on Call.

Tuesday, March 17, 2009

wmlprvse vs. wmiprvse: Is this normal Microsoft, or a real problem?

Some time after making my posting here yesterday about p.c. slowdowns, my own XP Home computer slowed down and I noticed (with ctl-alt-del) that a process called wmlprvse.exe was executing. It was using about 25 meg of memory. I did have Firefox open on many panels, including AOL mail. I ran McAfee instant scan which found nothing, and I could not find any reference to such an item in McAfee. After closing all the panels, especially AOL, the process went away in about a minute.

Online I found vague references to this process as a “Trojan” and a “threat” and a service called Regrun that would clean it and many other similar perils.

Rooting around more, I found that wmiprvse.exe (note the “i” in the third letter -- Windows Management Interface) is a legitimate Windows proxy service. For example, look at this explanation on Tek-tips. It says “To start a provider, each host starts a new process that is named WMIPRVSE. The WMIPRVSE process loads the actual provider. When you use different hosting models, the WMIPRVSE process is started by using different Windows credentials.” The link is here.

There is another piece on “Fast PC Fixes” “How to Fix wmiprvse exe” here.

Does anyone know about the wmlprvse as opposed to wmiprvse?
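The wmlprvse/wmiprvse confusion above is the kind of thing a defender can triage mechanically. The following is an added example, not part of the original post: it flags a process image whose name is a near-miss of a known Windows binary (confusable letters or one edit away) or whose name is right but whose folder is wrong. The `KNOWN` table, the function names and the sample paths are assumptions made for illustration.

```python
import ntpath

# Expected folders (lower-case) for a few Windows system binaries. wmiprvse.exe
# normally runs from System32\wbem; this is a small sample, not an allow-list.
KNOWN = {
    "wmiprvse.exe": r"c:\windows\system32\wbem",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Fold characters that look alike in a Task Manager font (l/1 vs i, 0 vs o).
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})

def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, matched_known_name) for one process image path."""
    directory, name = ntpath.split(image_path.lower())
    if name in KNOWN:
        ok = directory == KNOWN[name]
        return ("ok" if ok else "known-name-wrong-path", name)
    for legit in KNOWN:
        if name.translate(CONFUSABLE) == legit.translate(CONFUSABLE):
            return ("lookalike-confusable", legit)
        if edit_distance(name, legit) == 1:
            return ("lookalike-edit-distance", legit)
    return ("unknown", None)

# Constructed sample paths, as a process listing might report them.
SAMPLE = [
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    r"C:\Windows\System32\wbem\wmlprvse.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\System32\svhost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(classify(path), path)
```

A lookalike verdict is a reason to check the file's full path and signature, not proof of infection; a lower-case "l" and an upper-case "I" are also easy to misread on screen.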

Again, my own slowdowns seem to happen when AOL is left open for a long time with Firefox open on many sites. Sometimes Firefox hangs memory at 100%. I don’t think it’s a virus or deliberately introduced malware; I think it’s just old “unsafe code,” perhaps on the AOL site.

It also brings back another favorite (Microsoft) buzzword, "Microslop". I suppose this doesn't happen on Linux.

Monday, March 16, 2009

AP, Yahoo! offer basic advice on recognizing home computer virus infection

Jordan Robertson has an important but basic AP story today, “How to tell, what to do if your computer is infected,” link here.
The story was featured today (March 16, 2009) on Yahoo!

Most viruses don’t cause crashes and widespread destruction. But they may cause your computer to slow down, and they may cause unwanted popups. But the biggest danger is that they steal personal information or that they run bots from your machine as a zombie that could infect other machines or possibly transmit illegal content.

There can be other, “benign” reasons why older machines slow down, including fragmentation, software corruption, and some specific problems, such as the tendency for Firefox to hang on AOL mail (memory locks up). I’ve seen corruption from Kodak CD’s and even Adobe before (software bugs, not viruses). Other bugs include a Microsoft Word 2002 problem that would generate extraneous repeated links when converting documents to HTML (because it would generate extra span lines in the XSL element).

There have been rare occasions, as noted on this blog, when people have actually been prosecuted for content placed on home or work computers by viruses. This has happened in public schools and state governments, and in a few cases at home. Hopefully the new administration’s Justice Department will look seriously at the problem of wrongful prosecutions and put a stop to them. (The previous administration couldn’t care less.)

The AP article discusses anti-virus software, but companies like Geek Squad say that the best anti-virus companies keep changing from year to year, and some of the smaller companies are more reliable.

Tuesday, March 03, 2009

Koobface worm (from Facebook messages) is back again.

Multiple media outlets report that the Koobface worm has surfaced on Facebook again.

The Facebook user receives an inbox message instructing her to view a video, which in turn urges the loading of an Adobe Flash update. The bot that it loads listens for traffic on port 9090 and may misdirect http traffic and searches.

A typical story is by Robert Vamosi on, “Malware: Facebook Koobface worm strikes again”, link here. The arriving message exhibits social engineering and may say something like, “You look funny in this new video.”

The worm seems to be a variation of malware that first appeared in August 2008. But the prevalence of the revised virus seems to be very low so far.