The Compleat Iconoclast
mld, June 5, 2002 at 8:20:06 PM CEST
The Never-Ending Story...

... of IE security bugs...

This is a public service announcement for my faithful readers. I assume that most of you have lives, and therefore can't afford the time to monitor this sort of thing. It's just about a full-time job with M$ stuff. So, despite my protestations to the contrary, here's another post on this subject...

There's a new security bug discovered. It uses a hole in the gopher protocol, one of the original seven protocols [1] used by the internet. It's now largely unused and ignored, but malicious html code can open the hole, even if you don't start up the gopher protocol...

For those of you interested in the details, you can read the full article. Those of you that could care less, but want to be protected from the exploit, should do this...

"Online Solutions recommends that until Microsoft releases a patch, IE 5.5 and 6.0 users should disable Gopher by going to the Tools menu and accessing "LAN Settings" under "Connections." They should then open the "Use proxy server for your LAN" box and access the "Advanced Tab." Finally, users should go to the Gopher text field and enter "localhost" and "1" in the port setting box."

Those of you with a locked up tight, properly configured firewall probably don't need to worry. I strongly advise one, even if you just use dialup, but especially with broadband. I use Tiny Personal Firewall on Windoze boxes. It's free and once it sets up, your computer becomes invisible on the network, and locked up tighter than Mother Teresa's... uhh, never mind. You can get it here.

After you do that, you need to look at your machine to make sure it's set up securely. You can pay somebody about a zillion bucks to do it for you, but an excellent free security audit is available here. It will scan your machine for open ports, etc., list your security problems, if any, and offer advice on how to fix them.

I have no clue what you Mac users should do. (Actually, I do. Buy a PC :-)

Back to your regularly scheduled programming...

[1] The original seven are: mail, http, archie, gopher, ftp, wais, and telnet, if you care.

mld, May 31, 2002 at 12:56:00 AM CEST

Must.Resist.Temptation.

...to make this entire journal about nothing but the seemingly endless parade of bugs, and security holes in Microsoft I suspect I will not always be able to conform to that standard...

The problem is, I know of a few of you that read this that are not geeky type computer buffs that spend a few hours each day reading the news, to include security alerts and such, but I'm the one you're gonna call when your hard drive gets hosed and your data's trashed. So, I'd prefer an ounce of prevention every now and then.

This post is for you, my enduser friends, you folks who use computers to do your jobs, as opposed to those of us where the computers are our jobs.

While I've always discouraged you from using M$ stuff any more than you have to, I have to give the devil his due, and admit that of all the products that M$ puts out, Office is the big one that even people like me can't live without. None of the other suites, even the open-source ones, have caught up, at least not yet. So, I've always grudgingly kept it on my machine(s), even tried to learn the advanced stuff on the different apps, so I could help you with your questions, and so I make the odd simollion every now and again with a training gig, or whipping up a simple little Access database.

I've begged and pleaded with you to quit using Just stay away from Outlook, use a different browser and email client, keep your virus definitions updated, and you'll mostly be OK, I've said.

That was then, this is now.

It seems that as M$ has continued in its quest to integrate the enduser applications with both each other and the internet, the programming links between what we used to call "standalone" applications have grown to the point where it is hard to tell where one app takes up and the other leaves off. Thus, the security of any of them has now become a function of the weakest of those integrating links. And that's purty doggone weak these days.

The latest example of this is that doing something as innocuous as letting Excel apply a stylesheet to a worksheet can wipe out your machine. That stylesheet can contain any code the technically malicious care to put in there, and without warning, unseen by any virus checker, have their Evile Way with your PC.

So, now it's time for me to say the hell with the whole sorry kit. Be done with the Office suite, my friends. The latest versions of the open source stuff are about where Office was two or three years ago, and you got your work done well enough then, didn't you?

Personally, I've been done with M$ crap in all its myriad forms. I still keep a machine around with Windows on it, as there are a few things I have (still) that won't work with another OS, like my camera card reader, and my Snappy video capture device, and a few programs like PSP that I still use in favor of their open-source counterparts. Plus, since most of you still use IE, I have to look at any webpages I code in it, just to see if they render the way I intend.

But that's it. I'm never going to spend another dime on a Microsoft product, or buy another piece of hardware that doesn't have Linux support, period. That means my personal use of the OS stops at Win98, right where it is right now.

You Have Been Warned.

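The Gopher workaround quoted in the June 5 post above ends up stored as a per-protocol proxy entry. As an added example (not from the original post or from Online Solutions), the Python below audits exported proxy settings for it. It assumes the values were read from the ProxyEnable and ProxyServer entries that IE keeps for its LAN settings, and that a protocol missing from a per-protocol list connects directly; the machine and proxy names are constructed.

```python
# Added example: audit exported IE/WinINet proxy settings for the
# "Gopher -> localhost, port 1" workaround quoted in the post.
# Assumptions: values come from the ProxyEnable / ProxyServer registry
# entries; a protocol absent from a per-protocol list connects directly.

LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def parse_proxy_server(value):
    """Return {scheme: (host, port)}; the key '*' means 'every protocol'."""
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, target = entry.partition("=")
        if not sep:  # bare "host:port" applies to all protocols
            scheme, target = "*", entry
        target = target.split("://", 1)[-1]  # tolerate "http://host:port"
        host, _, port = target.rpartition(":")
        if not host:  # entry carried no port
            host, port = target, ""
        port_num = int(port) if port.isdigit() else None
        proxies[scheme.strip().lower()] = (host.lower(), port_num)
    return proxies


def gopher_workaround_status(proxy_enable, proxy_server):
    """Classify gopher:// handling as 'sinkholed', 'proxied' or 'direct'."""
    if not proxy_enable:
        return "direct"  # proxy entries are ignored while the box is unchecked
    proxies = parse_proxy_server(proxy_server or "")
    target = proxies.get("gopher") or proxies.get("*")
    if target is None:
        return "direct"
    host, port = target
    if host in LOOPBACK_HOSTS and port == 1:
        return "sinkholed"  # the setting the post recommends
    return "proxied"  # goes somewhere else: review by hand


# Constructed sample data: (ProxyEnable, ProxyServer) per machine.
SAMPLES = {
    "ws-01": (1, "gopher=localhost:1"),
    "ws-02": (0, "gopher=localhost:1"),  # entry typed in, box left unchecked
    "ws-03": (1, "http=proxy.example.test:8080;ftp=proxy.example.test:8080"),
    "ws-04": (1, "proxy.example.test:8080"),
    "ws-05": (1, "http=proxy.example.test:8080;gopher=LOCALHOST:1"),
}


def audit(samples):
    """Map each machine name to its gopher workaround status."""
    return {name: gopher_workaround_status(*cfg)
            for name, cfg in sorted(samples.items())}


if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: {status}")
```

Anything reported as "direct" still sends gopher:// requests straight out, which is the state the workaround is meant to remove.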
mld, May 25, 2002 at 1:49:44 AM CEST

Adventures in CableLand

After moving into my new digs last week, I was faced with the decision of what type of broadband service I'd be buying, and who was going to get to sell it to me. The amount of marketing hype and FUD being tossed about on this issue is near impenetrable without a 'Zilla-sized bullshit detector. After several days of checking out websites, calling different tech support lines and asking hard questions, asking around, etc., ad infinitum, ad nauseam, I wasn't much closer to making a decision than when I started.

I flipped a coin and decided to try my local cable provider, after having run into one of their guys in the parking lot one afternoon. The main selling point was that they could get it in within a day or so. He made me an appointment for "sometime between eight and twelve" the next day.

At 12:45 that day, I called the service folks to see where he was.

"Well, he's not supposed to be there until one, sir," the lady said.

"Perhaps you'd like me to fax you this piece of paper I'm holding in my hand as we speak that says he was supposed to be here this morning."

"We'll take off the charges for the first month's service, sir."

Shortly after we hung up the "installer" arrives. I lead him into my office and show him the machine I'd put a fresh Red Hat install on the night before. A P75 with 32 meg of RAM, it's about four orders of magnitude more powerful than is actually required to run as a simple Linux firewall.

"I can't use that machine, sir. We don't support Linux."

"That's odd, I specifically asked your salesdude if you did, and he said it would be no problem."

"I don't know why he would have said that."

(sigh) I figure I'll just let him get me set up, and I'll transfer the gear over to the Linux box later on.

"Ok, so what do you need?"

"A P166, minimum, with Windows."

Now my office-to-be looks at that moment like a computer junkyard, as I've hauled all the machines out of storage that I'm gonna use for my home network. Most of them are laying on the ground with their covers off. Boxes of hard drives, video cards, and other assorted electronic innards are heaped in boxes. I look around desperately, and realize that it's going to take me a few minutes to get another machine that'll make him happy put together, so I tell him to go handle the cable box for the TV in the living room while I do. He's done before me, and waits while I get a machine booted.

"I left the cover off for you, since you need to install the network card."

"Does that machine have a USB port?"

"No. Why do you ask?"

"I don't have any network cards."

"You don't? Why not?"

"They ran out."

"Well how in the hell did you expect to install the cable modem?"

He looks at me like I'm an idiot for wanting them to install the service on a machine that's probably four years old.

"Nowadays, most people have USB ports. We'll just have to reschedule you."

I have a few spare NICs laying around in some box, but I'll be damned if I can lay my hands on them in a hurry. Besides, the NIC is supposed to be included. They only cost around five bucks these days, but it's the principle of the thing.

"Can't you just leave the modem, and I'll just install the damn thing myself?"

"No, we're not allowed to do that."

(sigh) He leaves, and I get back on the phone with customer service. I now have another month free, and the install is scheduled for the next day. I tell them to make a note to make sure the guy brings a freakin' network card.

The new guy shows up the next day, NIC in hand. I point him to the machine, which now has a CD-ROM (yanked off the RedHat box), as the tech the day before said they needed one. However, the drivers for the card are on a floppy, and that machine does not have a floppy installed.
(The whole idea of a network is that every freakin' machine doesn't have to have every possible sort of peripheral.) But it does have a modem, so I tell him I'll get the drivers off the net, which I do.

Meanwhile, he hooks his tester to the cable jack in the office, and gets no signal. He borrows a screwdriver from me (he brought no tools) and pulls the jack cover off. There's no wire running to it. Checking the jack on the other side of the wall, in the bedroom, shows a similar situation. Placebo wiring.

"Well," sez I, "just run some cable then."

It's not that simple. I have to call the cable company, and have a whole different installer come out to do that. Furthermore, according to him, the quality of the cable signal in these apartments is such that using a splitter will not work - the signal isn't strong enough. This means that we'll not be able to use the cable TV service and the broadband at the same time!

"You gotta be shittin' me. What does that mean?"

It means we have to get additional lines run. It means that we'll have to get permission from the apartment folks, since this is a first floor apartment, and the lines have to be routed along the outside of the buildings. All at my expense of course.

(sigh) So much for free installation. DSL is starting to look real good about now.

The apartment folks allow that they'll let us do it, but they aren't gonna pay for it. I ask the manager if she thought showing an apartment with jacks in all the rooms that turned out to be no more than faceplates screwed into the walls smelled at all to her like it was a bit deceptive. She said, no, not really, they're all that way. I then asked her just exactly who put those pseudojacks in. She said she didn't know. She might even be right.

So, I have the installer just make one longass cable that snakes around from the living room to the office, and figure I'll just stay off the net when CG wants to watch the tube in the evening. Me, I could care less.
The only thing I ever watch is news, science and history stuff, and the odd Astros game. I'm content to get all that stuff off the net, and listen to the 'Stros on the radio. I'm pretty much just listening to the game even when it's on the tube, anyway. I'll be reading a book or writing when I "watch" TV. It's entirely too passive a pastime to deserve my undivided attention, and I'm pretty good at multitasking. But I digress, as I am wont to do...

Finally, the installer hooks up the modem, a Motorola Bitsurfer. The NIC's working fine, little lights are blinking on it and the Bitsurfer, but we're not getting a connection. We check to make sure it's autodetected the right MAC address, and run through some settings in the Control Panel, everything looks OK. He suggests that we run the IE Connection Wizard. We do, and there's a problem. The Setup button for a new connection is grayed out. Hmm...

"There's something wrong with your Explorer."

"Well, so what do we do?"

"I dunno."

By now, he's mentioned pointedly several times that I was only the first of the five installs he had to do that afternoon. He's been here maybe forty-five minutes. I tell him to get on with his other installs, that I'll get it figured out. He leaves me his home number and says I can call him later if I need to.

So, I figure I'll start by getting Exploder unfucked. After a few minutes of head-scratching and ponderment, aided by a cold beer, I decide to start rummaging around in the IE application folder, just to see what I can see. Debugging by Wandering Around.

Hmmm, there's a folder called Connection Wizard. Wonder what's in there... My, my, here's a little icon for an executable called "inetwiz.exe." Knowing that there's always about three different ways to do things in Windows, I'm thinking maybe I can run the setup wizard that way. Couldn't hurt, right? Click.

An alert pops up with an error message telling me that I don't have permission to run the wizard, and that I should contact my system administrator. Huh? I am the dogdamn admin for this machine. It's simple Winblows 98, and I don't think it'd ever been part of a network before, as it was the one I kept at home for CG to use for her word processing and antique shopping on ebay. This is weird.

I'm thinkin' that if this is some sort of Windows bug, I'm not the first person to have been plagued by it. So, I fire up the dialup, and google the complete error message in quotes... Lo and Behold! I get a hit on the M$ Knowledge Base. I won't quote the whole dense computerese article, but here is the gist of it.

It seems that some internet service providers, EarthLink, in my particular instance, disable the ability of IE to automagically create the settings for a new account when they furnish their branded version of the browser. I'm sure they will tell you that they do that to keep the clueless from hosing up their settings, while the cynical folks like me see this as an attempt to prevent churn by making it tougher to switch providers. At any rate, the Knowledge Base article gives the registry settings that need to be terminated with extreme prejudice to uncripple the browser. I did this in short order.

(BTW, after talking with several friends, we decided that this might have been the first time in the history of the universe that somebody found the answer to their problem in the M$ Knowledge Base. Certainly the first time anyone found it quickly. I attribute this to all the goodness that is Google. I bet you can't find the damn article using the M$ search engine, but I'll be damned if I'm gonna waste time finding out.)

Now I have it licked, right? No. I run the wizard, it detects the settings, but still no joy. I get on the phone to tech support, and spend, oh, the next ninety minutes while the tech reps in Dallas point me to the local folks in Spring, and vice versa.
The tech dudes insist everything looks good on their end, that my account must not yet have been "activated" by the local folks. The local folks insist they have. I get another free month before it's all over, but I'm wondering if months of no connectivity is much of a freebie. Eventually, as this dickdance draws to a conclusion, somebody somewhere clicks the right button, flicks the right switch, or whatever, I have connectivity.

So I start surfing around, only to notice that this doesn't seem a whole lot faster than my dialup was. Oh, great. Must be that cruddy cable line we have. I'm tired of messing with this at this point, and it's time to start dinner. Walking back into the living room, I decide, what the hell, as clueless as they were about everything else, maybe they were wrong about that, too. I hook up the TV to the splitter, turn it on, and go check the connection. Seems about the same.

A few days later, I decide to see just how slow this damn connection is. I wander over to DSL Reports and run a speed test. WooHoo! I'm DL'ing at a whopping 61k, but here's the weirder part - I'm uploading at 128k? Something is seriously wrong.

I used some of the tools there, primarily Dr. TCP. This free app works like a charm. I won't bore you with the details, but after a few simple changes, all implemented by simple drop down boxes and such in the GUI front end (none of that scary registry editing), my connection is tweaked. I've tested as fast as 768 down and 220 up, well above the advertised bandwidth of 512/128. And that's with the TV on. :-)

Here's the screenshot of the settings you need to use if you've got Charter Cable Broadband service in Spring, Texas, for sure, and probably elsewhere. I tested several other variations, and none did as well.

The moral of this convoluted story? Here we have an instance in which there's really nothing wrong with the product, but the general lack of ability of the installers and tech support folks made it nearly worthless.
It would have completely bamboozled the average user. Hell, they had me tearing my hair out for a coupla days, ready to quit and call SouthWorstern Bell for their DSL service.

I would suspect that most broadband installs are upgrades from dialup service. Yet this guy had no clue how to fix the registry crippler, or how to tweak the system for max speed. I remember him telling me about the cruddy apartment complex cable quality. I wonder how many times he's used that excuse, when the reality of the situation was that the cable modem was trying to suck down packets through a dialup straw.

But at least he brought a NIC with him. I never did find out why the first guy said he'd need a CD-ROM. They installed no software of any type on my machine. (You'd think they'd be passing out Dr. TCP like it was candy on Halloween.) They didn't leave me so much as a piece of paper with the names of the Charter mail servers, so I could get my new email account set up, much less the idiot-proof instructions most users require. I had to rummage around on the website to find that stuff. No wizard to let me set up my username. Nada. Zip.

Back in the days, I used to train tech support folks. The company contracted to Gateway and AT&T, among others, to take their calls. We charged them about $15 per call. I must have made a dozen of them before this was all over, and it all could have been prevented with a bit more training on the installers' part, and a CD with a setup wizard that my ubergeek pal Napalm could code up before the pizza gets cold.

I begin to understand now how AOL has managed to get the market share that it does, and why their current marketing campaign stresses how easy they make it to get onto the net. For now, it seems, getting a broadband connection up and running well takes us back to the arcane and scary to most people stuff that existed in the early days of dialup BBS's - manually entering Hayes modem initialization strings and the like.

As for the Cable Guys, as the saying goes, "You pay peanuts, you get monkeys." :-)