‘The way things were’

Most of us are our family technicians, we are the people that setup Mom’s surround sound. When spyware/adware started to get bad we would get the call to come and take care of a friends computer. Often the computer would be spontaneously popping up ads and slowly chugging along hogging what little bandwidth the dial-up had. Along comes the tech friend with a few minor tools like hijackThis and a boot disk and hunts down the offending executable.

The old method for malware writers was a game of hide and seek. Without getting into too much technical detail there are a large handful of places to hide something to make it run at boot on a windows system. Hiding a request to make some code start up and obfuscating the where and the how is all malicious software could manage. In this day anti-virus software was very handy most of the time because it was trivial to remove most problematic programs when they where found. The scanning software did not need to be too fanatical about things since most badware really wasn’t that bad.

In the old days of bad software the payload was often something trivial, funny, or annoying but rarely if ever truly malicious. The Whale Virus filled your hard drive up by replicating itself zillions of times. The Yankee Doodle Virus made your internal speaker play the song for which it was named relentlessly. Most virus writers where not bad people and the few that where bad people knew that when a virus obliterates the system it is on it no longer has that system under its control and can no longer replicate itself.

At this time I recommended and sometimes even used anti-virus software.

And then things changed…

‘The way things are.’

Most systems are infected with some form of malware according to some statistics as high as 80% of all Windows systems are infected currently. Only in rare situations will malicious software make itself known to the user in any way. Most often it will lay dormant on the computer utilizing your system in various ways I wont get into here to generate cash. You could be (and likely are) already affected by such software. How did this happen?

Two huge factors caused this paradigm shift.

1. Monetizing virus writing. Virus writing moved out of the realm of the hobbyist and became a way to generate serious money. This is topic for one or more other articles. In short virus writing to obtain zombie systems to generate massive botnets became the new goal not making someone listen to Yankee Doodle. This factor made virus writers ruthless and aggressive and was a huge game changer.
2. Rootkits. The administrator account on a Unix/Linux system is called the ‘root’ account. Rootkit started out as a term to describe a set of tools used to gain administrator access on a machine. It has now came to mean something very different, a method used to con-seal the presence or hinder the removal of some code on a system. In short rootkits attach themselves to a portion of the operating system that makes their removal very difficult or impossible without damaging the operating system.

Because its a different game now days viruses keep under the radar often far enough under the radar the user has no idea they exist. Detecting these viruses is much harder then it once was thanks to code that allows them to reorganizes themselves confusing virus definitions. After the fact it is all but irreversible no longer can your friendly neighborhood tech rout out all the problems. After a rootkit style virus has its hooks firmly planted in your operating system it can make itself almost entirely invisible to all other software including your virus scan software. The only sure removal technique is a full reformat and reinstall…

‘OK so anti-virus is almost useless what do I do?’

• Secure your system. - Keep updated regularly and follow security best practices. I will get more into this topic in future ‘best practices’ posts it is far to large a topic to give justice here.
• Keep regular backups. - If you have one copy of anything you are in immediate danger of losing it at any time not just to bad software but hardware failures as well.
• Keep sensitive data secure. - Using methods I explained in my TrueCrypt software recommendation keep sensitive data secure and keep very sensitive data very secure.

Once you are infected it is too late and even the best virus scan software wont save you, so don’t let it happen. Virus scanning software is no replacement for a good understanding of how viruses spred and how to keep yourself safe.

When researching this article I ran across a post on another site that was a good enough start at securing your system that I didn’t want to reitterate what was said. Please read Lifehacker’s ‘Low-Hassle Ways to Secure Your Computer System’.

I do recommend people use virus scan. But only because I don’t want people to blame not having anti-virus when they get infected.

Below is how I handle e-mail it may not be the best way but it has worked well for me for several years. This is how you can have a nearly unlimited number of e-mail address and only ever have to check one.

1. Get a domain name. I use 1and1 for all the hosting I need and don’t have means to do at home. You can get your domain name and e-mail forwarding and thats is all you need for this. Starting at $1 a month (50% off for the first 3 months). I even host this site and many others at 1and1. I have a “my first and last name.com” and a nice domain name with my family name in it specifically for e-mail reasons.
2. Set up a master account. The address is unimportant since you wont be giving it out to anyone, but what is important is the interface. I prefer a Gmail account, it is free, has a wonderful interface and uses its massive member database to detect spam e-mail amazingly well. With a nearly limitless number of e-mail addresses pointed at your master address a powerful spam filter is important. I hardly hear a whisper of spam on my master account.
3. Set up your forwards. In the 1and1 control panel (as with most other providers) you can set up a *@DomainName.com e-mail address to forward to your master e-mail address. This will send all mail to that domain to the master account.
4. Set up your FROM address. Gmail will allow you to setup multiple “Send As” addresses. Go to Settings>Accounts>Send Mail As. I set up an Admin@ Webmaster@ me@ and so on for the various domains. So I can send mail as any prefix on a domain I own that I want to at that time.

This entire process should take no more than an hour and should be very easy to do.

Whats the upside?

• Being able to tell anyone your e-mail address is TheirName@YourName.com is cool and gets fun looks. People tend to remember that kind of thing.
• Giving a specific address to a site you register for allows you to keep track of who sold you out to a spam list. If a forum asks you to register you can give it the address ForumName@YourName.com and be able to back that up with an authorization response.
• If a specific address starts getting an abundance of unblocked spam you can always set up a filter to block that address.

If you don’t have the desire to go through the above, services like 10 Minute Mail and BugMeNot offer a quick, easy and perfectly acceptable solution to the spam address problem. But I like my way a lot better.

To keep our things secure we need to understand how someone might circumvent our security, knowing how a lock works or how a lock might be defeated is step one in securing our things. Digital security is no different we must understand how the “lock” works and how someone might “break” it to make it secure.

I have found over recent years that very intelligent, rather technically minded people often have no idea how passwords work. Much of what we know about passwords are wrong and the math behind what makes a good password is a total mystery to us. A few years ago this didn’t matter at all to people and unfortunately it often still does not. As a result our passwords are awful, for the most part, easily guessed and instantly brute forced.

So, why aren’t all corporate networks cracked open instantly by the millions of attackers across the globe constantly beating on our networks? What I call the ‘eggshell effect’, the hardening of the outside of the network has softened the inside. Network Address Translating routers have became the standard I wont go into how they work in depth but they cut alot of the noise out of our home and office networks and kept alot of attacks out. This is great, unfortunately it allows us to become complacent. Since NAT routers protect us from all sorts of “outside” attacks zero day exploits don’t send the technical department scrambling anymore. Network administrators take care of the security holes whenever they get around to it. This means that when someone does get in (and they will) the chance of a major incident is very high.

This situation has allowed the network administrators to go lax on security not keeping up to date in their education or practice. The first security best practice I will be going over is the weakening of passwords. The ‘eggshell Effect’ has made us less interested in internal network security and therefor our passwords have gotten worse. Computing power is doubling around every two years, with multiple cores and distributed computing networks the power available to your attack the yield of number crunching is far out pacing Moore’s Law.

There are just a few minor serious hangups…

1. You have to have your broadband access through Time Warner. I thought we where past this kind of stuff. This smacks of “If we are gonna use my kickball I get to be the pitcher”.
2. You have to be in one of the test markets Green Bay, Milwaukee or Wisconsin. None of the free open beta stuff Hulu is pack’n.
3. No Macs or Linux boxes.
4. 400 hour limit on downloads. This seems silly but I guess its to keep someone from OpenHuluing them.
5. Time Warner givith and Time Warner taketh away. With bandwidth caps in the works on cable connections services like this are designed to get you over the limit to charge you for a higher tier price.

All in all another good day for digital distribution.

*Update*

An interesting note from Paul Miller over at Engadget Vudu has dropped their price to stay competitive with the new Apple TV from $399 to $295. More good new for Digital Distribution.

Encryption problem solved. With few exception TrueCrypt can take care of your every encryption need. Big and small (but not too small) it is all you need. TrueCrypt is not your standard point-click-encrypt software, you do not have any capability to encrypt stand alone files. At first TrueCrypt’s differences are a bit off putting and the user interface is not exactly intuitive. In the end its ability to protect your files better then anything else available is why you use it.
How To…

Download TrueCrypt from TrueCrypt.org’s download page Linux and Windows versions available. The instillation is straight forward a well written documentation page can walk you through the process.

After instillation you will need to create a volume. A TrueCrypt volume is a file of size you specify filled with encrypted data of a type you specify. Three of the top encryption methods are available in different configurations of double and triple encryption. To mix and match with three top hash algorithms. There is really no wrong answer (my personal preference is AES/Rijndael) since TrueCrypt only uses known robust encryption methods. After you have created a volume you may mount it through the graphical user interface or command line. TrueCrypt mounts the volume as a drive letter making access easy you can even install programs to the drive letter on a shared computer.

Key Points

• Use Good Passwords - When using TrueCrypt a long password is very important, so important they will lend you a helping hand. In addition to a password you can set a keyfile. A keyfile is a password file added to your password (the mathematics of adding the keyfile to the password is described here). I prefer to use a file I have on hand, a picture, mp3 or other file (that you are very sure will never change) all make great keyfiles.
• Keep Your Password Safe - Their is no saftey net, if you follow the rules and have a good password then lose it the data is gone. There is no backdoor, if you lose your password you lose your data.

Key Features

• Encrypted Headers - TrueCrypt encrypts its headers along with the volume. This matters because well encrypted data is indisguisable from noise so if you do not give a TrueCrypt volume a file extension and check the “Never save history” it is impossible to prove that a TrueCrypt volume is a encrypted volume at all. Since it cannot be proven that it is encrypted information you cannot legally be compelled to decrypt it regardless of its content.
• Hidden volumes - A TrueCrypt volume can contain an unlimited amount of hidden volumes within it. These volumes can (and should) have different passwords and keyfiles then its containing volume. This is important because it eliminates the need to try to hide a TrueCrypt volume. Lets imagine you have a TrueCrypt volume that you keep your families top secret fruitcake recipe in. Within that volume you have 3 hidden volumes. The first contains your finance information the second source code for finished projects and the third is the location of Jimmy Hoffa. It is impossible to prove that hidden volumes exist so lets say your system is seized by a group that force you to divulge your password. Denying that what they have found is a TrueCrypt volume will not end well for you since they are pretty sure it is. They can never be sure if they really have it all, there is always a potential for another hidden volume. This creates plausible deniability you can always say you have given over everything after you have decrypted the first volume (if they are able to prove its a volume at all).
• Portability - I carry a 2GB USB drive with me at all times, its my briefcase and contains all sorts personal and work related vital information. Including the source code to many of my current projects. This is information I can not risk getting out, so the drive contains a 1.8GB (a little wiggle room for the rare unencrypted file transfer) TrueCrypt volume and a copy of TrueCrypt set in travel mode so at any reasonably secure computer I can access my information without installing anything. If I lose my USB drive I don’t have to worry about any of that data falling into the wrong hands. I’m out $15 and have to load a backup onto a new drive but I can sleep easy knowing that the data is safe wherever it is.
• Open Source - I’m not a big open source nut, I use allot of closed applications (Microsoft mostly). And as a programmer I want people to be able to make a living selling code. However when it comes to my most sensitive data its Open Source or nothing. The C/C++ source files for TrueCrypt are available right on the download page I linked to earlier. With an open source application I can truly don’t have to trust anyone, I can (and have) download the source read over it and compile it myself. Knowing full well what went into the making of the application I’m trusting my crown jewels to. As I mentioned in an earlier story Microsofts meta file exploit appears to have been a backdoor coded in by some trouble making Microsoft employee. This kind of thing happens all the time, programmers hide backdoors and remote access in things every day. But not in open source code, open code is like living in a glass house if something fishy is going on the whole neighborhood knows about it in short order.
• Never Decrypted to Disk - TrueCrypt only decrypts to memory not on the hard disk. This gives us a few benefits. First instant off you don’t have to wait for TrueCrypt to re-encrypt everything before you shut it down it is still encrypted. If someone where to jerk your computer or USB drive away from you as soon as it loses power everything is safe again. This system of decrypting the header then decrypting data to ram on the read is very fast. I have many portable versions of my favorite applications in a TrueCrypt volume that I run from the volume with no problems. It uses a similar method to some newer whole disk encryption based systems.

I wont go too in depth here as to all of TrueCrypt’s features as there are too many to mention it is far and away the most flexible encryption application I have had the pleasure of using. With great beginner tutorials a 91 page in depth TrueCrypt - User Guide and well commented source code it has something for every level of user. I use TrueCrypt every day and am very likely to continue to.

Feedback about the site is greatly appreciated and can be sent to my e-mail address found on the about page.

Link dump after the read more…

Ransomware holds your computer at gunpoint for $35.

Can you run it? System requirements test page.

Top search engines to find MP3

Video: How the RIAA/MPAA tracks your BitTorrent downloads

Alan Turing is one of my favorite mathematicians he was an extremely interesting human (although he firmly believed he was a robot) and I would recommend A Madman Dreams of Turing Machines by Janna Levin to anyone even remotely interested in the history of computers.

To boil it all down…

In Turing’s work with artificial intelligence he forsaw a time when it would be necessary to tell computers apart from humans. He predicted a world where a machine that could tell human from robots would be important. That world was closer then he thought. Monitoring the packets that are hitting a firewall we see a great deal of packets generated by automatic systems, zombies, and port scanners. Reality is we deal the automated systems designed to imitate humans every day, referred to further as bots. It is the job of the people who control these bots to procure assets for use in various criminal enterprise. I hope to get more in-depth in a future botnet article. So any publicly accessible system (such as a website) that allows for input from the user could potentially be used by bots unless we filter them out in some way…

The easiest way to understand a Turing test is think of something that is very easy for a human to do yet very difficult for a computer. This is more of a pickle then it appears to be on the surface. The best solution we collectively have came up with is CAPTCHAs you are familiar with them even if you have never heard the term used. They are those letters and numbers that have been twisted in some way that is not all together that hard for a human to decipher but very difficult (currently nearly impossible if done correctly) for a computer to read. You see these when you sign up for a web based mail service or nearly any other online service of any value.

This is what the ReCPTCHA looks like.

ReCAPTCHA is a clever way to kill two birds with one stone. People have worked very hard to develop very powerful Optical Character Recognition software to turn the worlds great literary works into digital documents. This software turns type or even hand written documents into ASCII standard text like you are reading now. The trouble is sometimes the OCR software fails and cannot correctly interpret what it is seeing, something humans are very good at. When this happens to the OCR software used for the archive.org project it siphons off the word it is having trouble with and a word that it is able to get correctly.

It then runs both words through a process that makes them twisted in such a way as to make them even harder for an OCR program. It then displays these words to you in the ReCAPTCHA window (above). If you get the word it does know correct you have passed the CAPTCHA and may proceed it then stores your interpretation of the word it does not know and then recycles that word a few times until it is getting consistent results. According to their website about 60 million CAPTCHAs are solved by humans every day. So why not put all this work to good use.

Graphic taken from http://recaptcha.net/ to help explain ORC.

ReCAPTCHA offers a service to allow you to simply place a CAPTCHA on mail links to keep pesky bots from stealing your address and spaming you into the stone age (and trust me they will). I have implemented this on several pages throughout the site and may reference this article to explain why.

Have you ever wondered why you are able to distinguish between two peoples faces? I know it sounds like a stupid question but to understand CAPTCHA you need to understand why you can do this and a computer can not. We have a special part of the brain that is devoted to this type of pattern recognition. Think about the actual differences between two rocks texture and shape. The differences are far greater then my face is from yours. When someones brain is damaged in such a way as to inhibit this part of the brain from working they are said to have prosopagnosia (sometimes called face-blindness) a disability that keeps people from being able to pattern match. There by keeping them from being able to easily tell people apart, even their close family. It turns out that it takes an incredible amount of processing power to do this kind of pattern matching well. This is also why the police cant do facial matching with computers nearly as well as they can in the movies. How we do this type of processing so well shows off one of the mysteries of the human mind that we can all understand.

The human ability to pattern match better then any computer, spawned more then a few other types of CAPTCHAs that don’t use text. The one credited with being the first is KittenAuth of ThePCSpy.com fame.

The general idea is cute, clever, often imitated and flawed. With only a limited number of pictures available it is easier for the botnet operators to generate solutions and match them to image check-sums then it is to generate new images. So botnet operators can (and do) generate lookup tables to defeat many picture based CAPTCHA systems.

Yes it is true that ReCAPTCHA is a picture system basically and should be susceptible to a image check-sum index type attacks. However there are teams of people (at great expense) working daily to digitize text so the supply of words available to ReCAPTCHA is huge. If there where an equally large team of people constantly photographing kittens we would have a fun and robust picture based CAPTCHA. Unfortunately we do not.

Hummer HX concept car (left) and Halo’s Warthog (right).

It doesn’t take much of a leap to see the similarities between the two vehicles. One being a serious contender for a future Hummer design and the other the most popular vehicle in one of the most popular video game series. This is just another clear sign that the popular world is crossing paths more often with the nerd world. Or that more nerds are making enough money to no longer be ignored by market annalists. Ether way its a great time to be a geek.

According to GM design director Carl Zipfel, the HX wasn’t modeled on Halo’s Warthog but on “modern-day ATVs” — even though he freely admits that both he and several of the vehicle’s designers play Halo.

Again I’m not an Apple fan but before the Ipod mp3 was not a household word. This digital distribution trend wont come to the people without some help from user friendly companies like Vudu, Netflix and Apple.

But what about the pirates? Should I be worried that with standardization of digital media comes the gallows for my eye patch wearing brothern? Fear not, the music industry has all but came to its senses that digital rights management is not only not what people want but bad business. Amazon, Wal-Mart and even part of Itunes have went for raw mp3 with no rights management at all. The reason this is going to be a loosing battle is simple and its what’s called the “analog hole” (be careful when searching for that at work). The simple fact is our eyes see video and our eyes hear sound the same way cameras and microphones record it. So in order for us to use the media as humans it has to be in a format that is record able by hardware we already own.

I’m not the only one to notice that no media at all is the next gen format. Netflix has been slowly easing us into digital downloads culminating in their unlimited movie downloads on most packages and a set top digital download box. Hulu (NBC and Fox) allows people to watch nearly commercial free (while in beta, expect commercials to increase when it is finished) first run TV shows from their PC.

The future of media is no media at all, its digital distribution. We have already laid the pipes to deliver this content do we really need a Read Only Memory of some type? Do we really need to keep poking smaller holes in foil? Hard disks are getting cheaper all the time cheap enough to use as a place to stash your collection. Even cheap enough to keep it secure from data loss with a RAID (most new motherboards support hardware RAID right out of the box huge raid diagram right).

Much more how I am currently implementing this after the fold.

How I Watch:With my current setup I have a cheap off brand 32′ LCD in the front room that can do up to 720p. The TV is hooked to my cable through which I only get a few local channels I only rarely watch for local news. The TV came with a VGA input and I acquired a 12″ VGA extension cable online for a few bucks. The cable is coiled up on the TV stand when not in use but easily reaches my chair in front of the TV to attach to the secondary video output port on the back of the laptop. This works out very well for me although I hope to build a small media center PC to dedicate to this task.What I Watch:I like to watch movies from the comfort of my home. I predict the end of movie theaters all together in the near future but that’s for another post. So I want to be able to watch movies and premium shows on my TV without leaving the house.The Legal Way:

• Netflix - As I mentioned above NetFlix is a wonderful way to go I don’t use it (currently) but have many friends that do. Allot of people don’t consider the vast amount of premium TV content available on NetFlix.
• Xbox 360 - Standard and high definition versions of new movies and shows available at prices that make me never want to go to my local rental place again.
• Hulu\OpenHulu\Joost\Knocka\And Many More - I use Hulu almost daily and it is now my primary way to watch some of my favorite shows. OpenHulu is basically a Hulu clone with all of Hulu’s content mirrored and embedded. Joost is the first Internet TV service that approached me and I have been active in it since early alpha testing. It is a wonderful piece of software (from the guys that wrote Kazza and Skype) but is lacking content (a problem that has gotten much better since its early days). Knocka is a Joost clone with even less content but is one of the only other services like joost I have actually given a good try. Many other services exist.

The Less Legal Way: (not endorsed, purely theoretical)

• Joox.net - Sites like Joox allow for DVD quality movies and shows streaming directly from the site. In most cases the video requires less than 20 seconds of buffering before it plays on my setup. The DivX web player for FireFox is solid and the site is designed well for it. You can even download the movies for playback latter if you see something but don’t have time right away to watch it.
• Warez-BB - Sites like Warez-BB are vast Internet treasure troves of movies, shows and software. This site and those like it require a slight bit higher technical savvy to keep yourself out of trouble since it would be very easy to include malicious code in with the downloads.