
Week of 5 August 2002

Latest Update: Sunday, 11 August 2002 11:07 -0400


Monday, 5 August 2002

[Last Week] [ Monday ] [Tuesday] [Wednesday ] [Thursday] [Friday] [Saturday] [Sunday] [Next Week]
[Daynotes Journal Messageboard] [HardwareGuys.com Messageboard] [TechnoMayhem.com Messageboard]

8:35 - I'm still working through the accumulation of email from last month while my mother was in the hospital and later the nursing home. I'm pretty much caught up on my inbox, but now I'm wading through the literally thousands of emails that ended up in my junk mail folder. Some of those are "real" mail, which I'm just now getting sorted from the spam. If you've sent me mail to which you might reasonably expect a response and I haven't yet responded, my apologies. I'm getting through it all as fast as I can.

I didn't quite finish fixing the broken links in PC Hardware in a Nutshell over the weekend. After working all day Saturday on it, I was pretty beat and so took yesterday off. I will finish those first thing this morning. The broken external links (with updated working links where available) are documented here. Those are all fixed, but I still have to create pages for some of the hardwareguys.com links that I mentioned in the books but hadn't yet gotten around to creating.



Tuesday, 6 August 2002


9:05 - All the links are fixed, and the new edition of PC Hardware in a Nutshell is now available on O'Reilly's Safari e-book service. Interestingly, I can't look at it. After I sent in the corrected links to O'Reilly yesterday morning, I sent an "oh, by the way..." message to tell them that it'd be nice if I had a password to look at it once it was up on Safari. They'd sent me one before, back when they first rolled out Safari, but I think that account had expired.

So they sent me a username/password. Because I'm an O'Reilly author, my account lets me access any of the hundreds of O'Reilly books that are up on Safari. All of them, in fact, except (you guessed it), PC Hardware in a Nutshell. It'll show me excerpts from that book, but tells me that in order to see all of it I need to subscribe to the book. So I looked all over for a button or link that said "subscribe me to this book". One looked promising. It said I could "swap" that book into my group, but when I followed the link it just ended up telling me to click on the "subscription" link, which I don't have. Presumably this is either because my setup with Safari differs from the norm or because Mozilla is "hiding" things again. Oh, well. I'll get it worked out.



Wednesday, 7 August 2002


9:54 - Much to-do over this report that Windows is irreparably broken from a security standpoint. This vulnerability is not a bug, but is an inherent part of Windows. That means it can't be fixed without overhauling Windows into something entirely different. Microsoft claims it's not a flaw, but then what else could they say? Basically, if I understand things correctly, this vulnerability allows a programmer who has local access to the machine to hijack a window running with high privileges and use it to execute arbitrary code of his own, including the ability to promote his own application to run at system level. Windows apologists say that the flaw is more the fault of poorly-designed Windows applications than of Windows itself, but the fact remains that no application, however poorly-designed, should be able to compromise the operating system. An application with system privileges shouldn't be able to expose itself to non-privileged users in a manner that permits it to be exploited, and the fact that Windows permits such exploits is a fundamental flaw in the operating system itself. And, of course, there are a lot of poorly designed applications out there just waiting to be exploited.

In effect, by exploiting this flaw, a programmer can sit down at a Windows system that's logged in as a non-privileged user and use the privileges that have been granted to such applications as virus scanners, which run with very high privileges. That's certainly a dangerous flaw, but it's not the end of the world. If it could be exploited remotely, it would be, as it would be if a normal user could activate it by running an executable attachment. But neither of those is apparently true, so all we need worry about is people who have local access. That, of course, is bad enough.



Thursday, 8 August 2002


12:43 - We spent last evening at Bullington observing. For a weekday session, it was surprisingly well attended. Ten or so people showed up. The skies were relatively clear as darkness descended, although some heavy cloud cover moved in around 2200 or so. That cleared off pretty quickly, and we all spent some quality time looking at various objects. One of the guys tried to find Comet Hoenig, but never did locate it. If the weather is good, we'll probably head up to the Blue Ridge Parkway one evening this weekend to observe.

I keep reading all this stuff about ImClone, Martha Stewart, and insider trading. What I don't understand is why everyone gets so upset about insider trading. I understand that insider trading is illegal. What I don't understand is why insider trading is illegal. If my friend George who works for ABC Corporation tells me something that leads me to believe the stock price of ABC Corporation is about to rise or fall dramatically, why shouldn't I act on that information? For that matter, why shouldn't George? There are First Amendment issues here. George is Constitutionally permitted to say whatever he wishes to me. Now, if ABC Corporation finds out that George gave me private information, they're perfectly entitled to can him, but that's a contractual issue rather than a freedom of speech issue. But surely the government cannot Constitutionally prosecute George for exercising his Freedom of Speech?

Similarly, if I choose to act on the information George gave me, the government cannot Constitutionally prosecute me. I have done nothing that millions of other people don't do every day--buy or sell stock. If my information happens to be better than that available to other buyers and sellers, so what? That's none of the government's business.

I think the whole basis of laws against insider trading must be that it's somehow "unfair" for well-informed people to take advantage of their knowledge. But why? Stupid or ignorant people are always at a disadvantage. Why should that be any less true when it comes to trading stocks? I don't trade stocks. If I did, you can be sure that I'd make use of every source of information available to me, as would any intelligent person. How then can anyone condemn someone for using the best information available?



Friday, 9 August 2002


9:44 - We awoke this morning to find that the neighborhood had been vandalized. Nothing major. A lot of people put their recycling bins out the night before collection day. The punks had moved the bins around and dumped some of them in people's front yards. Our yard hadn't been trashed but at first we thought it was our bin that'd been dumped in our neighbors' yard. They're out of town at the moment. Barbara was so upset she started to cry. Malcolm offered to fang the punks for her, a suggestion with which Kerry and Duncan heartily concurred. All of them were embarrassed that they hadn't heard and alerted us that the punks were doing their dirty work in the middle of the night. As it turned out, our bin hadn't been dumped, but was just sitting in the next door neighbors' yard.

So we called the cops, not expecting much. Although we know who's doing it, we can't swear to it in court because we didn't actually see them doing it. The cops showed up about five minutes after we called, although dispatch had told me it'd be 30 to 45 minutes. It turns out that ours was the third call this morning. Dave, the guy down at the end of our block is livid. He's also been victimized repeatedly by the punks. He scared the newspaper delivery guy to death this morning. He heard a noise early, looked out his window, and saw the newspaper delivery guy messing with his recycling bin. As it turned out, the guy was just putting it back where it belonged, but our neighbor didn't realize that. He ran out, got in his car, and started chasing the poor delivery guy. All of us have a great deal of sympathy for Dave. Their child was killed some years ago by a speeding punk who lost control of his car, drove up into Dave's yard, and ran over the child, who was playing near the house. One would think that even punks would have enough humanity to leave this guy alone, but obviously that's not the case.

When we'd called the police in the past, they'd always told us there wasn't much they could do because we couldn't prove who was doing it. That sounded reasonable enough, although of course it's unreasonable that we should have to put up with this. The two cops who showed up this morning, J. J. Hurt and C. L. Stewart, told us a different story. They recommended we start getting names, license plates, vehicle descriptions, etc. of the punks who are harassing us. Then they'll have a chat with them. If any of us catch any of the punks in our yards and are willing to file charges for trespass, the cops will arrest them and take them down to jail. They may not even be formally charged, and they'll probably only be in jail overnight, or even for a few hours, but that should be enough to cool their jets.

11:42 - President Bush and many other people think that Saudi Arabia is our ally. They are not, and they are most certainly not our friend. As I've been saying for years now, Saudi Arabia is our enemy. There's been some discussion on related issues on the messageboard, and I posted the following in response:

If I were George Bush and wanted simultaneously to defend US citizens, eliminate the Arab countries as threats, and advance the cause of Imperial USA, I'd: (a) freeze all Saudi and Kuwaiti assets, (b) declare war on Saudi Arabia and Kuwait, (c) invade and occupy Saudi Arabia and Kuwait, (d) depose the House of Saud, (e) annex Saudi Arabia and Kuwait as a US colony, (f) leave a holding force sufficient to prevent incursions, (g) put oil rights up for bid to the major oil companies on an annually renewable basis, such bids sufficient to cover the costs of the holding force as well as the value of the oil, (h) demand that the oil company holding the lease pump Saudi Arabia and Kuwait dry, expanding output by as much as is technically feasible, with the goal of glutting the world oil markets. The goal would be for oil to sell on the world markets for $10 to $15/bbl and in the US for no more than $1 or $2/bbl.

The US itself actually has oil reserves much greater than those of the entire Middle East. But I would suggest to George that we conserve those for later use as feedstocks and use up the Middle East reserves. During the period when we are pumping the Middle East dry, we should be investing that windfall to achieve energy independence from the Middle East, preferably with nuclear power and the first stages of space-based power.

The US military can swat Saudi Arabia and Kuwait like bugs. The war proper would be over in a matter of hours, before US forces ever set foot on Arab sand. The subsequent occupation would require minimal forces, perhaps a division or two on the ground as a holding force with supporting elements and a few dozen front-line fighters and AWACS dispersed to various formerly-Saudi airbases. The large ground forces of various neighbors are really no threat at all. The US simply announces that we will punish any attempted incursion with nuclear weapons. That in itself would probably be sufficient to discourage would-be invaders. If it weren't, vaporizing a few attacking armored divisions one time would show would-be hostiles that we weren't bluffing.

Once we have Saudi Arabia and Kuwait colonized, we can deal with Iraq and Iran at our leisure, installing puppet governments there. They will no longer be in a position to threaten US citizens or US interests, not least because their oil will no longer generate sufficient income to do more than barely feed their populations. That in itself should be destabilizing enough to ensure regime changes. By halving or more the cost of oil to friendly nations, we help strengthen those nations at the expense of unfriendly nations, and by ensuring an unlimited flow of petroleum to the US at a cost little more than that of transporting it, we strengthen the US greatly. Of course, the temptation would be to act as though unlimited cheap oil would be available forever, so some mechanism would have to be in place to ensure that a significant percentage of that oil subsidy went towards developing long-term solutions for energy independence, nuclear initially and space-based eventually.

12:11 - Thanks to Roland Dobbins for alerting me to this vulnerability. It doesn't affect me personally, because I've removed Flash and other Macromedia applications from all of my systems, as much to avoid obnoxious Flash ads as from any security concerns.

If you're running Flash, it'd probably be a good idea to remove it entirely from your system as well. Alas, I cannot provide detailed directions, because the steps required to remove it depend on the version, your OS, and other factors. Also note that you may be running Flash without being aware of it, because some applications install it without asking. For example, when I installed Mozilla, I was shocked (so to speak) when I noticed that Mozilla had Shockwave support enabled, with no apparent way to disable it. As it turned out, Opera had installed a Flash DLL without asking or informing me, and Mozilla had noticed that DLL during installation and enabled it automatically.

-----Forwarded Message-----
From: Marc Maiffret <marc@eeye.com>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] EEYE: Macromedia Shockwave Flash Malformed Header Overflow
Date: 09 Aug 2002 02:12:12 -0700

Macromedia Shockwave Flash Malformed Header Overflow

Release Date: August 8, 2002

Severity: High (Remote Code Execution)

Systems Affected: Macromedia Shockwave Flash - All Versions; Unix and Windows; Netscape and Internet Explorer

Description: While working on some pre-release eEye Retina CHAM tools, an exploitable condition was discovered within the Shockwave Flash file format called SWF (pronounced "SWIF").

Since this is a browser based bug, it makes it trivial to bypass firewalls and attack the user at his desktop. Also, application browser bugs allow you to target users based on the websites they visit, the newsgroups they read, or the mailing lists they frequent. It is a "one button" push attack, and using anonymous remailers or proxies for these attacks is possible.

This vulnerability has been proven to work with all versions of Macromedia Flash on Windows and Unix, through IE and Netscape. It may be run wherever Shockwave files may be displayed or attached, including: websites, email, news postings, forums, Instant Messengers, and within applications utilizing web-browsing functionality.

Technical Description: The data header is roughly made out to:

[Flash signature][version (1)][File Length(A number of bytes too short)][frame size (malformed)][Frame Rate (malformed)][Frame Count (malformed)][Data]

By creating a malformed header we can supply more frame data than the decoder is expecting. By supplying enough data we can overwrite a function pointer address and redirect the flow of control to a specified location as soon as this address is used. At the moment the overwritten address takes control flow, an address pointing to a portion of our data is 8 bytes back from the stack pointer. By using a relative jump we redirect flow into a "call dword ptr [esp+N]", where N is the number of bytes from the stack pointer. These "jump points" can be located in multiple loaded dll's. By creating a simple tool using the debugging API and ReadMemory, you can examine a process's virtual address space for useful data to help you with your exploitation.

This is not to say other potentially vulnerable situations have not been found in Macromedia's Flash. We discovered about seventeen others before we ended our testing. We are working with Macromedia on these issues.

Protection: Retina(R) Network Security Scanner already scans for this latest version of Flash on users' systems. Ensure all users within your control upgrade their systems.

Vendor Status: Macromedia has released a patch for this vulnerability, available at: http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=MPSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False

Discovery: Drew Copley

Exploitation: Riley Hassell

Greetings: Hacktivismo!, Centra Spike

Copyright (c) 1998-2002 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback Please send suggestions, updates, and comments to:

eEye Digital Security
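The advisory's technical description boils down to a decoder that believed the header's declared FileLength, frame size, frame rate and frame count and then read more data than those fields justified. The following is an added illustration from the defender's side, not code from eEye, Macromedia, or this journal: a strict SWF header parser that cross-checks the declared length against the file's real size and rejects a frame RECT or frame rate that cannot be right, instead of trusting the header. The field layout follows the public SWF format (3-byte "FWS"/"CWS" signature, version byte, little-endian UI32 file length, bit-packed RECT, 8.8 fixed-point frame rate, UI16 frame count). The sample files come from the constructed build_swf helper below and are not real Flash content; all function names are my own.

```python
import struct
import zlib


class SwfHeaderError(ValueError):
    """Raised when the SWF header fails a structural sanity check."""


def parse_rect(data, offset=0):
    """Decode the bit-packed RECT (frame size) at byte `offset`.

    Layout: 5-bit Nbits, then Xmin, Xmax, Ymin, Ymax as signed Nbits-wide
    values, MSB-first, padded to a byte boundary.
    Returns ((xmin, xmax, ymin, ymax) in twips, bytes consumed).
    """
    if offset >= len(data):
        raise SwfHeaderError("truncated before frame size RECT")
    nbits = data[offset] >> 3
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    if offset + nbytes > len(data):
        raise SwfHeaderError("truncated inside frame size RECT")
    bits = int.from_bytes(data[offset:offset + nbytes], "big")
    bits >>= nbytes * 8 - total_bits          # drop byte-alignment padding
    fields = []
    for i in range(4):
        raw = (bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        if nbits and raw & (1 << (nbits - 1)):  # sign-extend the field
            raw -= 1 << nbits
        fields.append(raw)
    return tuple(fields), nbytes


def parse_swf_header(data):
    """Parse a SWF header, raising SwfHeaderError on any inconsistency
    rather than trusting declared lengths and counts."""
    if len(data) < 8:
        raise SwfHeaderError("shorter than the fixed 8-byte header")
    signature = bytes(data[:3])
    if signature not in (b"FWS", b"CWS"):
        raise SwfHeaderError("bad signature %r" % signature)
    version = data[3]
    declared_length = struct.unpack("<I", bytes(data[4:8]))[0]
    if signature == b"CWS":
        try:
            body = zlib.decompress(bytes(data[8:]))
        except zlib.error as exc:
            raise SwfHeaderError("compressed body is corrupt: %s" % exc)
    else:
        body = bytes(data[8:])
    # FileLength covers the whole uncompressed file, header included.
    actual_length = 8 + len(body)
    if declared_length != actual_length:
        raise SwfHeaderError("declared length %d != actual %d"
                             % (declared_length, actual_length))
    rect, used = parse_rect(body, 0)
    xmin, xmax, ymin, ymax = rect
    if xmax < xmin or ymax < ymin:
        raise SwfHeaderError("frame size RECT is inverted: %r" % (rect,))
    if used + 4 > len(body):
        raise SwfHeaderError("truncated before frame rate / frame count")
    rate_raw, frame_count = struct.unpack("<HH", body[used:used + 4])
    if rate_raw == 0:
        raise SwfHeaderError("frame rate of zero")
    return {
        "signature": signature,
        "version": version,
        "declared_length": declared_length,
        "frame_rect": rect,
        "frame_rate": rate_raw / 256.0,       # 8.8 fixed point
        "frame_count": frame_count,
        "header_bytes": 8 + used + 4,
    }


def validate_swf(data):
    """Return "ok" if the header passes, otherwise the reason for rejection."""
    try:
        parse_swf_header(data)
        return "ok"
    except SwfHeaderError as exc:
        return str(exc)


# ---- constructed sample files (not from the advisory) ---------------------

def encode_rect(xmin, xmax, ymin, ymax, nbits=15):
    """Inverse of parse_rect; used only to build the samples."""
    bits, total_bits = nbits, 5
    for value in (xmin, xmax, ymin, ymax):
        bits = (bits << nbits) | (value & ((1 << nbits) - 1))
        total_bits += nbits
    nbytes = (total_bits + 7) // 8
    return (bits << (nbytes * 8 - total_bits)).to_bytes(nbytes, "big")


def build_swf(rect=(0, 11000, 0, 8000), frame_rate=12.0, frame_count=1,
              declared_length=None, compress=False):
    """Build a minimal SWF (header plus an End tag). `declared_length` lets
    the caller write a wrong FileLength, the inconsistency to be rejected."""
    body = encode_rect(*rect) + struct.pack("<HH", int(frame_rate * 256), frame_count)
    body += b"\x00\x00"                       # End tag; nothing else follows
    if declared_length is None:
        declared_length = 8 + len(body)
    payload = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([6]) \
        + struct.pack("<I", declared_length) + payload


if __name__ == "__main__":
    print(parse_swf_header(build_swf()))
    print(validate_swf(build_swf(declared_length=10)))
    print(validate_swf(build_swf(rect=(0, -5, 0, 8000))))
```

The point of the length check is that it runs before anything downstream is sized from the header: a file whose FileLength is "a number of bytes too short", as the advisory puts it, is rejected outright instead of being handed to a decoder that might allocate from the declared value and copy from the real one. A gateway or mail filter that strips or quarantines SWF attachments failing validate_swf gets the same benefit without having to understand the rest of the format.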




Saturday, 10 August 2002


9:00 - Very strange. I've wasted nearly an hour this morning trying to figure out what's wrong with my mail. When I fired up Outlook and attempted to retrieve my mail, it blew up. At first I thought I just had a datacomm problem, but it soon became clear that something strange was happening. Norton AV has a program called poproxy.exe that sits between the mail client and the mail server, scanning inbound mail. That program blew up, requiring a reboot. I rebooted and tried again, and it blew up again. I telnetted over to the server and was able to list and retr mail normally. So I tried again, and again poproxy blew up and exited. Barbara was able to retrieve her mail normally. It became clear that there was one particular message on ttgnet.com and two on wsal.org that were causing the problem. All were HTML-only spam messages. I telnetted in again and deleted those messages manually, after which Outlook started working normally. So what could possibly be in a message that would cause poproxy.exe to blow up? I don't know, but it's disturbing. I wish now I'd saved the text of the messages, but I didn't.



Sunday, 11 August 2002


11:07 - We finally did it. We headed up to the Blue Ridge Parkway last night to observe. Unfortunately, the weather was mediocre, with a fair amount of haze and some clouds. Still, it was obvious that the Parkway site is indeed better. It's darker than Bullington, and at 1,500 or 2,000 feet higher, there's a lot less air to look through than there is at Bullington. M31, the Andromeda Galaxy, was a naked-eye object for me last night, if only barely. Similarly, I was able, if only barely, to bag M51 (the Whirlpool Galaxy) in my 7X50 binocular.

We re-arranged AstroTruck yesterday afternoon to make room for our friend, Bonnie Richardson, to ride along with us. We left here about 6:45 p.m., and made it up to Doughton Park around 8:00 p.m. Barbara bagged quite a few new objects, and we finally took off around 2:00 a.m., arriving home around 3:15 a.m. By the time we got Bonnie's stuff transferred back to her car and gave the dogs a quick out, it was 3:30 a.m. The dogs let us sleep in this morning. We finally got up around 10:30.

We'll be going back up again, although we'll still use Bullington for most of our observing. But the Parkway is definitely on our list for special occasions. And now it's time to do the routine Sunday chores, albeit starting a couple hours later than usual. I'll get my shower, get some laundry started, and then head over to visit my mother.



Copyright 1998, 1999, 2000, 2001, 2002, 2003, 2004 by Robert Bruce Thompson. All Rights Reserved.