Dr. Jerry Pournelle

Computing At Chaos Manor:
April 10, 2007

The User's Column, April 2007
Column 321, part 2
Jerry Pournelle jerryp@jerrypournelle.com
Copyright 2007 Jerry E. Pournelle, Ph.D.

Continued from last week...

The Ani Exploit

If you have not updated your Windows — all flavors — and Vista, be sure to do so. There is an exploit in the wild that can turn your machine into a zombie without much cooperation on your part. It's another buffer overflow exploit, and you can find out more about it here. A long discussion by security expert Rick Hellewell is included in this column. Read it.

In addition to the Microsoft patches, ZERT has a third party patch that is said to be effective, and unlike the Microsoft patch, does not break systems with Realtek sound processor chips. The Microsoft patch and Realtek are incompatible.

The real danger of this exploit is that you don't need to do anything to have your system infected. You don't have to open an email attachment, or visit a bad web site (although either of those actions can bring about the infection). All you need do is visit a web site that has been suitably hacked, and your system can be host to a keystroke logger, general spyware, and in fact can be recruited into the ranks of the army of zombie machines that send out spam — including spam messages that contain this exploit.

My search of Internet discussion yielded the following history. It's not entirely correct, but I leave it here because it's what most of the press is reporting, and seems obvious from an Internet search. A more accurate history is included in Mr. Hellewell's account below. Most accounts say that the ANI exploit — the name comes from .ani files, which are files that enable animated cursors — is unusual in that it was discovered months ago, long before it was in the wild. The exploit was reported to Microsoft, who began working on a remedy. Months went by and no Microsoft update patch was issued; then, suddenly, the exploit was discovered in the wild. A third party patch was issued, and Microsoft rushed out an update which has now been distributed. At this time no one seems to know the extent of actual system infection. There are web sites claiming hundreds of thousands of computers were victims of the exploit, but my inspection reveals no convincing evidence for this — or against that theory, for that matter.

The worst danger of this exploit is that it is claimed that all one needs do is view an infected file in a preview window — even if you are viewing it in plaintext only and do not convert from plaintext to html. I have seen no convincing explanation of how that would work, and I'm not clever enough to figure it out for myself. I find it pretty hard to believe that simply viewing a plaintext file can cause a buffer overflow error allowing infection, but I've been wrong before.

Another story is that the exploit has been used to gain information about user names and passwords on World of Warcraft game accounts; pirates then log on to the account, sell all armor and equipment, and steal the gold. There are also rumors that computers have been infected through playing World of Warcraft. I have been unable to confirm that this actually happened to anyone, but a number of colorful stories are in circulation.

The exploit applies to all versions of Windows, and, surprisingly, to Vista as well. It's true that if you have the Vista User Account Control turned on, you will be warned if the exploit tries to install malware. On the other hand, anyone who has Vista UAC with its endless series of "Accept or Cancel?" queries turned on has probably committed suicide and won't care if the computer is infected.

As usual, the most important thing here is to be certain your computer has the latest Windows updates installed. I would also recommend that you get DU METER (link) which allows you to monitor what your computer is doing: if you see a lot of inexplicable upload activity going on, you can take steps to find out what's happening.

Apple and Linux users are not affected by this exploit. I have asked security expert Rick Hellewell to comment further:

In regards to your question and comments about the Microsoft "ani" (animated cursor) exploit.

I think there are two issues with this exploit: the (apparent) 'zero-day' aspect of this exploit, and the risk of the exploit.

In the first issue, this particular exploit has been around for a while. It was 'responsibly disclosed' privately to Microsoft by Determina back in December 2006. This disclosure allowed Microsoft to thoroughly investigate not only the exploit, but how a patch would affect other parts of the OS or other applications. (You can see a full explanation of Microsoft's investigation in this entry from the Microsoft Security Resource Center (MSRC) here: link .)

Since the exploit was released privately, MS had some time to work on the patch, and investigate other similar vulnerabilities, and how to properly patch things. It appears from the MSRC blog that testing the patch started in Feb 2007. This testing appears to take about two months because MS does very extensive testing to make sure that other systems (internal and external) are not affected by the patch. They reported that they had to resolve over 80 issues, and planned to issue the patch during the normal 2nd Tuesday of April release.

That release date was moved forward after MS was notified by McAfee and others that the exploit was becoming a bit more popular. The press soon got hold of the exploit, and the evil hackers started sharing the exploit, resulting in more attack vectors. After a couple of days, the number of exploits caused the Internet Storm Center (link) to raise their alert level to "yellow".

The exploit itself allowed the attacker to run any code (program) on the victim's computer. This brings us to part two: protection from the code that the evil attacker runs once they get control of your computer.

There are lots of choices for the evil hacker. They may want to use your computer to relay spam mail. Or install a keystroke logger that will harvest your financial information or passwords. Or to grab confidential files.

To do this, they need to run the program that allows them to control your computer. That evil program will probably be already known as evil by the anti-virus (AV) software installed on your computer. So although the evil hacker can run a program on your computer, your anti-virus (if kept current) or prior OS patch should be able to catch and block the program's action. Of course, it is possible that the evil hacker also has an unknown (to the AV crowd) program that they will use. I think that possibility is minor.

So, we have the two problems: the initial vulnerability (not yet blocked by a patch/update), and the ability of the hacker to exploit that vuln to run a program that wants to do something evil to your computer.

Both of these problems can be mitigated (at least partially, and hopefully completely) by the use of 'safe computing practices'.

1) Ensure that your computer is set to get all operating system and application updates automatically. This is easy with Microsoft's Automatic Updates, which will take care of MS products. For your other applications, it may be harder: some have automatic updates; others don't.

2) Ensure that you have installed -- and keep current -- your anti-virus program. It should be set up to get updates at least daily. And the settings should be such that they protect you against viral attacks.

3) Be careful where you go on the Internet, and what you do there. Be cautious on clicking links, especially from the 'darker' side of the 'net (adult sites, for example). Don't click on links in emails. Don't automatically open email attachments. Don't reply to messages asking for verification of your account information. View your messages in text-only mode. Etc. etc.

4) Install -- and keep current -- an anti-spyware program. I like Spybot Search and Destroy (link), and Ad-Aware SE Personal Edition (link); both are free for personal use. Be careful about imitations. Never believe a pop-up ad or email telling you that a virus or spyware has been detected.

Regards, Rick Hellewell

Vista Report

I have no reason to change my previous conclusion: unless you have some urgent and special reason to do so, do not upgrade your Windows XP system to Vista. The gains in general won't outweigh the hassles.

If you buy a new Windows machine it will have Vista on it. Be sure it's fast enough and has more than enough memory. This is not a good time to save money buying cheap hardware. Vista is demanding. Indeed, if you get cheap hardware you might contemplate upgrading it by converting Vista to Windows XP; your machine may well work better. Vista is demanding.

As for me, I'm astonished and disappointed: Microsoft had five years to develop Vista, and when it was over they gave us an OS containing a potential exploit that has remained undetected since Windows 3, and their notion of enhanced security is the obnoxious User Account Control. Years ago I pointed out, both in my columns and in conversations with Microsoft security managers, that it is time and past time to develop operating systems with compilers that do strong typing and range checking, and no operating system should be released if it has been compiled with C or other compilers that will compile nonsense. C compiles fast compared to real system development languages, and in theory allows rapid software development. In practice primitive assembly language compilers such as C will allow all kinds of exploits. Real computer development languages do strong type and range checking.

Five years, and we have buffer overflow exploits and an unusable User Account Control that can't possibly have actually been used by the people who developed the OS. Someone ought to be ashamed.
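As an added illustration of the point above about range checking, written for this column rather than taken from it or from any Windows code: a constructed C parser for a made-up chunk format, in the unchecked form a C compiler accepts as written, beside a form that checks the declared length before copying. The chunk layout, the 36-byte header size and the sample bytes are all invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified chunk layout for illustration only (not the real
   .ani structure): a 4-byte tag, a 4-byte little-endian payload length, then
   the payload, which the parser copies into a fixed-size header buffer. */
#define HDR_MAX 36u
#define CHUNK_PREFIX 8u

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The form C compiles without complaint: the length field is read from the
   file and trusted. A declared length above HDR_MAX writes past hdr[], and a
   length beyond the input reads past it; nothing catches either before run time. */
int parse_chunk_unchecked(const uint8_t *in, size_t in_len, uint8_t *hdr) {
    if (in_len < CHUNK_PREFIX) return -1;
    uint32_t len = le32(in + 4);
    memcpy(hdr, in + CHUNK_PREFIX, len);   /* no range check on len */
    return (int)len;
}

/* The range-checked form: the declared length is checked against both the
   destination size and the bytes actually present before anything is copied. */
int parse_chunk_checked(const uint8_t *in, size_t in_len, uint8_t *hdr) {
    if (in_len < CHUNK_PREFIX) return -1;
    uint32_t len = le32(in + 4);
    if (len > HDR_MAX) return -1;                 /* would overflow hdr */
    if (len > in_len - CHUNK_PREFIX) return -1;   /* would read past input */
    memcpy(hdr, in + CHUNK_PREFIX, len);
    return (int)len;
}

/* Constructed samples: a well-formed chunk, one whose length claims far more
   than the header buffer holds, and one that fits the buffer but not the input. */
static const uint8_t good_chunk[12]  = { 'H','D','R','1', 4,0,0,0,  0x11,0x22,0x33,0x44 };
static const uint8_t huge_chunk[12]  = { 'H','D','R','1', 0,1,0,0,  0x11,0x22,0x33,0x44 }; /* len 256 */
static const uint8_t short_chunk[12] = { 'H','D','R','1', 20,0,0,0, 0x11,0x22,0x33,0x44 }; /* len 20 */

int good_chunk_checked(void)   { uint8_t h[HDR_MAX]; return parse_chunk_checked(good_chunk, sizeof good_chunk, h); }
int good_chunk_unchecked(void) { uint8_t h[HDR_MAX]; return parse_chunk_unchecked(good_chunk, sizeof good_chunk, h); }
int good_chunk_payload_ok(void){ uint8_t h[HDR_MAX]; parse_chunk_checked(good_chunk, sizeof good_chunk, h); return h[0] == 0x11 && h[3] == 0x44; }
int huge_chunk_checked(void)   { uint8_t h[HDR_MAX]; return parse_chunk_checked(huge_chunk, sizeof huge_chunk, h); }
int short_chunk_checked(void)  { uint8_t h[HDR_MAX]; return parse_chunk_checked(short_chunk, sizeof short_chunk, h); }

int main(void) {
    printf("checked: good=%d huge=%d short=%d (unchecked good=%d)\n",
           good_chunk_checked(), huge_chunk_checked(), short_chunk_checked(),
           good_chunk_unchecked());
    /* parse_chunk_unchecked(huge_chunk, ...) is deliberately not called here:
       it would write 256 bytes into a 36-byte buffer. */
    return 0;
}
```

Both parsers accept the well-formed chunk; only the checked one refuses the two malformed ones, which is the range check the column argues the compiler, not the programmer's diligence, should be enforcing.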

Vista and Freelancer

The other day I was cleaning off the games shelf and ran across Freelancer, the Microsoft game that attempted to emulate the immensely popular classic Wing Commander Privateer. For a lark I installed Freelancer on a T-series Lenovo ThinkPad. It played without problems, although I didn't get very far in the game. I'm not all that good at fast eye-hand coordination. I was able to win at Privateer using a game joystick and throttle, but after a couple of missions the game story line got too hard for me. I could survive, but I couldn't keep the NPC transport I was escorting alive. So it goes.

When I came home I thought I would give it one more try; my notion was that I'd go back to before the mission, fly a lot of side missions to accumulate money. Then I'd use the money to upgrade my ship and buy a lot of missiles.

Alas, when I tried to install Freelancer on Roxanne, my high-powered Vista machine that I use for games and writing — I'm writing this on Roxanne now — it wouldn't work. First, the installation disk wasn't readable. I'd insert it, the machine would trundle for a while, and the drive would pop open. I examined the disk. It was fine. I installed the program on an XP machine. No problem.

I put the disk into a DVD R/W drive, and I was able to explore it; but when I ran SETUP, Vista told me that the program couldn't be installed because the machine wasn't powerful enough. I had previously noted on the XP machines where the program worked that Freelancer kept telling me my graphics card wasn't good enough, but it gave me the option of trying it anyway; of course it worked. But that was XP. I never did get it to install on Vista.

I don't suppose it's any great loss, but apparently there are a lot of older games that just can't be installed on Vista.

Free Conferencing and Net Neutrality

It looked like something relevant to the net neutrality argument. An article in the LA Times (link) began suggestively enough: "A legal fight involving two Southern California companies and AT&T Inc. is exposing an ominous reality: Phone companies say they can decide whom their customers can't call." It went on to tell how a small charity had been using free conference calling to connect patients and advisors, and now the cruel and rapacious telephone company was blocking the calls. Surely a case for Congressional intervention in the service of net neutrality!

Actually, it's nothing like that. It's a case of gaming the system, and if the people who provide the free conference call services are doing good, they are also doing well. What's happening is that an outfit called Free Conference Call (link) has been providing the free conference call services, and making a good bit of money out of it.

They do this by locating their servers in rural Iowa, where the local telephone companies are unregulated and can charge AT&T anything they like for a local connection. They charge plenty, collect from the long distance carrier, and split that revenue with the Free Conference Call people. This is legal, but it also costs the big RBOCs (Regional Bell Operating Companies; in practice there are only AT&T and Verizon left), and the big telcos are weary of it. They don't even get credit for a charitable deduction. They just pay. Thus they want to block calls to those numbers. As Dan Spisak puts it, the big telcos get angry when someone finds a way to be sneakier about telephone charges than they are.

The key paragraph is toward the end of the story: "Qwest, which has filed legal actions in Iowa against the rural carriers and their conferencing partners, contends that the Iowa and California companies are abusing a system set up to help small-town carriers defray the high cost of delivering affordable phone service to rural customers."

The purpose of the law was to compensate small local telephone companies for stringing wire and providing connectivity in areas where it would not otherwise be profitable. This is an extension of the principle of the mail service: it is in the national interest for everyone in the country to be in communication. Originally this was by mail, but the telephone was determined to be of equal importance.

Unfortunately, the small telephone companies in these cases don't have many subscribers other than the free conference services and other such sites for which they generate traffic by splitting fees. They aren't really contributing to rural communications. Bob Thompson says

It's kind of like those area codes in the Caribbean that you get charged $50 for making a one-minute call to. Then the phone company and the callee split the loot. The Iowa exchanges aren't that extreme, but they charge much higher interconnect fees than most.

The root of the problem is the whole idea of interconnect transfer costs, where the local exchange of the call recipient charges a fee to the long-distance provider of the person who places the call. The LECs argue that it costs them money to maintain the facilities to handle inbound long-distance calls, but that's a red herring. Typical call volumes about equal out for incoming and outgoing calls, so it should be treated as a wash.

It's even less justifiable nowadays, when most long-distance traffic between LECs and the network uses VoIP links anyway.

Robert Bruce Thompson

So: it's not a case of net neutrality after all. There may be a need for legislation, but it's part of a general problem. One less thing to worry about.

MoGo Mouse

It's pretty cool: a Bluetooth mouse that folds up to fit into the PCMCIA slot on your laptop, where it charges up. Take it out, turn on Bluetooth, and you have a perfectly usable external mouse that works on books, magazines, tray tables, and every other flat surface I've tried.

Many people have no trouble using the mushpad mouse built into the ThinkPad (and if you don't like that, there's an eraser head mouse controller as well), but it's pretty hard to play games with a mushpad, particularly games that want you to press both mouse buttons at once. The MoGo Mouse works for that quite well, and it takes only moments to store or deploy it. I like it.

Microsoft Wireless Keyboard and Mouse

I have a lot more experience with the Microsoft Wireless Keyboard and Mouse, and I continue to recommend them highly. The keyboard configuration I have uses the sculpted curved key layout, which is about as close to the IBM Selectric Layout as I can find. It still has the backspace key in the wrong place, up on the numbers row to the right of the = key instead of down a row where you now find the ] and \ keys, but I don't know of any keyboards that have the proper key arrangement.

The key feel isn't as good as it might be, but it's good enough. You can't carry it on an airplane — well, you could, in checked luggage, but it's no problem to carry on car trips. The keyboard and mouse fit into a carrying bag, and any time I am carrying a large screen — as I do when I take trips by car — it's worth while to bring this keyboard and mouse along.

I also use this setup in the Monk's Cell, which is the spare bedroom formerly used by the oldest boy living here; now they're all grown and gone, and it's where I write. I carry the T42p up there, and connect a ViewSonic 19" flat screen monitor as well as the Microsoft Wireless Keyboard and Mouse, and I've done about 40,000 words in the last couple of months with this rig.