26 April 2005

Malware: Defending the difference

As at April 2005, we see malware as being of two different types:
  • Traditional malware (worms, viruses, trojans) that have unbounded malicious potential, and which should be tackled formally (i.e. without running the OS they infected)

  • Commercial malware (spyware, adware, dialers, various revenue-redirection scams) that have to curb abusive behavior so their creators can plausibly deny malware status, and which are thus safe to tackle from within the infected OS
This difference is maintained only through legal challenge; it is not a boundary that can be defended technologically. And this is where we are asleep at the wheel.

Currently, several commercial malware push the envelope:
  • Clickless attack through software defects, e.g. Java exploits
  • Active in Safe Mode
  • Resist termination of in-memory threads
  • Resist or DoS anti-malware removal tools
We have yet to see destructive payloads or peer-to-peer spread, but in most other respects, the boundary is blurring and the time is near when we will need formal tools to clean up commercial malware. We are ill-prepared even for traditional malware; the de facto maintenance OS for NTFS-bound XP is a free download that could vanish in a fit of vendor licensing pique, and AV tools that run on this are rare and costly, reflecting the FUD and financial risk that developers must face here. There are no mOS-ready scanners for commercial malware as yet.

As long as the legal climate allows vandalism in the name of commerce, we can expect the boundary between commercial and traditional malware to be poorly defended. As technologists, we should get our tools ready; the need may soon be at hand.

20 April 2005

LUA and the One Hand Rule

LUA stands for Lowest User Access (rights), and is the concept that in a world full of rampant malware, we should cower in a basement panic room rather than stride masterfully about the house with a vast array of weapons and power tools to hand.

Personally, I'd rather live in a "Home", i.e. a physical location where safety is assured. In the real world, I live in a house with thick walls, barred windows, and clearly-defined doorways that are locked. In the infosphere, I live in a "network client" that takes candy from strangers, so LUA has its charms until we can get the Home Operating System to "grow up".

Put it this way; if you were forced to live in the middle of an open football field, would you carry weapons and power tools with you at all times? Would you be able to fend off those who would use these against you, 24 hours a day? If not, you'd probably want to lock those valuable, dangerous things somewhere safe until you need them - and that's what LUA is about.

But there's a user acceptance problem; no-one wants to be less powerful, so we like the idea of can-do-anything administrator user account rights. Frankly, when it's our own home computer, we feel we should accept nothing less; we should be safe in our own homes.

The One Hand Rule

Folks who work with big electricity for a living know this safety dictum, and that is; at any given moment, you don't have both hands touching sparky metal stuff at the same time. A veteran electrician may instinctively put his left hand in his pocket as he reaches with the right, in deference to this rule.

The Internet is not a network, because it excludes none. If you like to think of it as a network because it is built out of networking technologies, then consider it the mother of all infected networks that can never be cleaned. Also, try not to think of furniture as trees, just because both are made of wood!

So the "One Hand Rule" for computers is; never have one hand in the Internet while the other has a power tool or destructive weapon in it. This is the key to breaking the "Everyone Loves Admin" deadlock; make the administrator account a drab workplace where no fun abounds and only administrative work can be done. After all, Safe Mode lets you do "more stuff", yet you don't see users wanting to run in Safe Mode all the time. A game that would only run in Safe Mode wouldn't sell, yet most games that require admin rights sell just fine.

The Janitor Account

I'd combine a malware-safer Safe Mode with strong admin rights, as the only place where strong admin rights can be applied. Just as we expect wielders of power tools to be clear-sighted, sober, and knowledgeable, so we should expect the Janitor account user to be undistracted by dangerous fluff such as rich media, and up to speed with a no-frills user interface that shows things as they are; no self-defined icons, persistent handlers, custom screen savers, hiding of dangerous files and so on.

The reason is not simply to punish the user for being in the Janitor account - it has to do with safety. Hiding file name extensions, files and paths hides risk-relevant information that a wielder of power tools needs to know. Normally, you don't care where the mains wiring runs within the walls; you'd rather look at the wallpaper. But if you are drilling holes in the walls, then you need full access to that risk-relevant information.

The other safety aspect is that whenever the system "reaches ahead" of the user, dipping into files to show you custom icons or do other persistent handler stuff, it exposes a potentially-exploitable risk surface to that material - material that you have as yet indicated no intention to handle or assume safe. I might choose to list files that I know are dangerous, in order to delete them; I do not want the system running content within these files before I can do so, as a misguided "service" to me.

For the same reason, the Janitor account wouldn't run custom screen savers or offer any other automated running of arbitrary software. You don't want arbitrary software running with strong administration rights, and while we remain blinkered into thinking of such rights as applying to everything a user does during that login, these things have to go when such rights are in effect.
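As an added example (not code from the original post), here is a PowerShell script that encodes the One Hand Rule and the Janitor account's no-frills profile: it refuses to launch a network-facing program from an administrative session, and applies the "show things as they are" Explorer settings (extensions, hidden and protected OS files visible, no screen saver, no AutoRun) only when the session really is administrative. The registry values are the documented Explorer and desktop settings; the function names and the particular bundle of settings are my assumptions.

```powershell
# Added example, not from the original post. Registry paths are the standard
# per-user Explorer / desktop settings; which ones to bundle is my choice.

function Test-IsAdminSession {
    # True only when the current token actually carries the Administrators role
    # (on a UAC system that means an elevated session, not merely an admin user).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-NetworkFacingApp {
    # One Hand Rule: no hand in the Internet while the other holds admin rights.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-IsAdminSession) {
        Write-Warning "One Hand Rule: refusing to start '$Path' from an administrative session."
        return $false
    }
    Start-Process -FilePath $Path
    return $true
}

function Set-JanitorProfile {
    # Janitor account: apply the drab, risk-visible profile, but only where strong rights live.
    if (-not (Test-IsAdminSession)) {
        Write-Warning 'Not an administrative session; the Janitor profile is for the admin account only.'
        return $false
    }

    # Show things as they are: file extensions, hidden files, protected OS files.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $advanced -Name 'HideFileExt'     -Value 0 -Type DWord
    Set-ItemProperty -Path $advanced -Name 'Hidden'          -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord

    # No custom screen saver: nothing runs "on its own" while admin rights are in effect.
    $desktop = 'HKCU:\Control Panel\Desktop'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive' -Value '0'
    Remove-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue

    # No AutoRun for any drive type (0xFF = all drive types) for this user.
    $policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policies)) { New-Item -Path $policies -Force | Out-Null }
    Set-ItemProperty -Path $policies -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    return $true
}

# Usage: run once inside the Janitor (admin) account, then log out and
# do ordinary browsing from an unprivileged account.
Set-JanitorProfile
Start-NetworkFacingApp -Path 'iexplore.exe'   # refused here, by design
```

The Explorer settings take effect on the next Explorer restart or login. The settings are per-user on purpose: the ordinary, unprivileged account keeps its pretty icons and screen saver, and the drabness is tied to the account that carries the power tools.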

15 April 2005

Reclaiming Your PC

If Microsoft's security Rule #1, "If a bad guy can run code on your system, it's not your system anymore", is as true as it is, then it beats me why we are so eager to allow web sites, unsolicited email "message text" and "data documents" to own our systems.

By design, each of these were left to automatically run scripts, which can escalate to raw code. Modern Windows and MS Office are less inclined to automatically run scripts in "messages" and "documents", but web sites and even media files are still getting unwanted traction on our PCs.

So, what do you do when it's "not your system anymore"? You try and get it back! A corollary to Rule #1 might be "If the bad guy's code is not running, you may be able to reclaim your PC", and that informs how I approach such matters.

I found a useful article on this topic here...


http://defendingyourmachine.blogspot.com/2005/01/defending-your-machine.html

...though in some ways it differs from my own approach, which is (terse version)...

Clean the system:
  • Isolate the PC from all networks, i.e. LAN, Internet, Bluetooth, WiFi, IR
  • Formally scan for traditional malware, detect only, log results
  • Read up on the malware found, clean according to caveats (warnings)
  • Safe Mode Cmd Only scans for commercial malware
  • Read up on the malware found, clean according to caveats
  • Manually visualize integration points, manage what you find
  • Repeat for each user account
At this clean point:
  • Purge all web caches, set a sane cache size (e.g. 20M), for each user account
  • Purge Temp files
  • If system running OK, purge all System Restore, manage SR size
  • Create new System Restore point
  • Defrag file systems
  • Apply risk management settings
  • Apply malware wall-outs e.g. Spyware Blaster or similar
  • Set new baselines e.g. for HOSTS backups, etc.
  • Create new System Restore point
  • Make sure firewall is enabled / installed
  • Review LAN network shares; do NOT full-share any part of startup axis
  • Remove File and Print Sharing from unwanted "networks" (Internet, IR, WiFi etc.)
  • Create new System Restore point
Now re-enter the world:
  • Repeat cleaning process on all PCs on your LAN
  • Reconnect cleaned PCs to LAN
  • Reconnect to Internet
  • Get and apply patches
  • Create new System Restore point
Here's a cheery, simple and dated description of how to do a formal virus check, from the Win9x days when diskettes were the boot maintenance standard and when DOS mode access was possible via the FATxx file system. If your PC has no diskette drive and/or you are using post-FATxx file systems such as NTFS, then you'd have to do something different that meets the same criteria. Think bootable mOS CDRs and frequently-updated data on USB sticks.
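The "clean point" and share-review steps of the procedure above, as an added PowerShell example (not part of the original post). It is written for a modern Windows with the SmbShare, NetAdapter and NetSecurity modules rather than XP; the "startup axis" test (shares that expose the Windows or Program Files trees) and the baseline folder location are my assumptions. Run it elevated, and read the share and binding reports before changing anything.

```powershell
# Added example, not from the original post. Assumes an elevated session on
# Windows 8 / Server 2012 or later (SmbShare, NetAdapter, NetSecurity cmdlets).

$BaselineDir = Join-Path $env:SystemDrive 'Baselines'   # assumed location for HOSTS etc. backups

function Clear-TempFiles {
    # Purge this user's Temp; files in use will fail to delete, which is expected.
    Remove-Item -Path (Join-Path $env:TEMP '*') -Recurse -Force -ErrorAction SilentlyContinue
}

function Save-HostsBaseline {
    # Keep a dated copy of HOSTS so later tampering can be diffed against a known-good file.
    New-Item -Path $BaselineDir -ItemType Directory -Force | Out-Null
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $hosts -Destination (Join-Path $BaselineDir "hosts.$stamp") -Force
}

function Get-StartupAxisShares {
    # Shares whose path covers or lies inside the startup axis (assumption: the
    # Windows and Program Files trees). Hidden admin shares like C$ and ADMIN$ show up too.
    $axis = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-SmbShare | Where-Object {
        $p = $_.Path
        $p -and ($axis | Where-Object {
            $p.StartsWith($_, 'OrdinalIgnoreCase') -or $_.StartsWith($p, 'OrdinalIgnoreCase') })
    }
}

function Get-SharingOnAdapters {
    # Which adapters still bind "File and Printer Sharing for Microsoft Networks" (ms_server).
    Get-NetAdapterBinding -ComponentID ms_server | Select-Object Name, Enabled
}

function Disable-SharingOnAdapter {
    # Unbind File and Print Sharing from an Internet-facing, WiFi or other unwanted "network".
    param([Parameter(Mandatory)][string]$AdapterName)
    Disable-NetAdapterBinding -Name $AdapterName -ComponentID ms_server
}

function Test-FirewallAllProfilesOn {
    -not (Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' })
}

function New-MilestoneRestorePoint {
    param([Parameter(Mandatory)][string]$Description)
    # Needs System Restore enabled; Windows 8 and later throttle creation to one per 24 hours by default.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
}

# Usage, in the order the post gives them:
Clear-TempFiles
New-MilestoneRestorePoint -Description 'Clean point'
Save-HostsBaseline
Get-StartupAxisShares | Format-Table Name, Path -AutoSize           # review; do NOT full-share these
Get-SharingOnAdapters  | Format-Table -AutoSize                     # then Disable-SharingOnAdapter -AdapterName 'Wi-Fi'
if (-not (Test-FirewallAllProfilesOn)) { Write-Warning 'A firewall profile is off; enable it before reconnecting.' }
New-MilestoneRestorePoint -Description 'Before reconnecting to LAN and Internet'
```

The cache purge, formal scans and per-user repetition are left to the tools and the operator; the script only automates the parts that are the same on every PC, and it reports shares and bindings rather than removing them, because which adapter is "the Internet" is a decision, not a lookup.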

13 April 2005

Tech instincts: Maintaining an undo trail

Apology to geeks: I'm writing this in the style of PC magazines, i.e. pages of friendly feel-good waffle with about one tech clue every 2 PgDn keystrokes :-)

I live in a house full of spiders, leading some visitors to believe that I'm interested in them. But they're there simply because I don't kill them, and I don't kill them because I have no particular reason to do so. Now that my attention is drawn to them, I have indeed found them interesting.

Steam and PCs don't mix, so the bathroom is the least cluttered room in the house. Spiders often fall into the empty bath and I then have to scoop them out. Like ChkDsk, they have no "big picture" awareness and tend to do things that make the task a lot more difficult and risky than it need be.

But spiders are more clueful than ChkDsk ever will be. I noticed that the more panicky they get, the more web silk they chuck out as I chase them about with my piece of paper or whatever (I like spiders, but I'm not as stupid as ChkDsk either).

And that reminded me of a basic tech instinct; as soon as things look as if they may possibly get tough, maintain an undo trail! The spider's silk would allow it to dangle rather than plummet if it ever ran off the edge of something, giving it a wider range of options. Useful, even if you're a little critter with a terminal velocity of about 5 miles per hour.

12 April 2005

Would you trust this hard drive?

As a tech, I wouldn't.
But as a hard drive vendor, would I replace it under warranty?

Full story here.

9 April 2005

Red Flags: Spot 'em early...

I'm a firm believer in theory, as in meta-knowledge that lets you intuitively jump ahead over hours of logic. Intuitively? Well, it's probably because I lack intuition that I have become a fan of laboriously building theory as a structured replacement!

In this spirit, I offer you a few "red flag" indicator phrases...

Why would you want to do that?

The person who says this just does not "get" it. Rewind your argument to try once more to show why TSM ("this stuff matters") and if no joy, consider this person an unmovable rock you will have to flow around. Example:

"Autorunning macros in data files is powerful stuff - but what if someone were to write a macro that overwrote all the files in your root directory?"

' Why would you want to do that? '

People must...

If you hear this in what would otherwise be an enlightened political discussion, then beware; here come the stormtroopers!

"But what if folks don't want to work for the common good?"

' Well, the people must just do the right thing, I mean if ... '

And another thing!

If you catch yourself saying this in the course of an intra-relationship negotiation, you might just possibly be a nag - and a depressed one, at that. If every spark brings out a litany of unrelated complaints, then chances are there's some deeper structural problem that's locking you into a state of conflict and resentment. Do whatever you can to improve your position; the chances are that in so doing, your efforts will benefit more than just yourself.

I spotted myself saying this within my relationship with Microsoft, and am following my own advice!

We can't not install that, because...

"...our system design is bad", is the usual reason. Why would anyone want to not install something? ("Why would you want to do that?") Most likely because there's a risk to it, or some other cost (resources, maintenance commitment, price tag) involved.

When the response is "we can't not install that" for some technical reason, then this implies the wrong code has been generalized across the wrong scopes, i.e. that your damage-control bulkheads are in the wrong place. This can be such a deeply-rooted problem you may be reluctant to re-engineer it, but trust me; it's going to hurt, and keep on hurting, until the need to maintain backward compatibility with this design has finally gone away.

Windows XP abounds with examples; Remote Procedure Call, hidden admin shares, the pervasiveness of HTML within the OS, even the consequences of the Win95 decision to flaunt the new Long File Names feature when naming "Program Files". One of the big lessons of XP Service Pack 2 was how painful it is to rewind dangerous functionality later.

Do I really need to flesh this out? OK, one example; Remote Procedure Call. This exposes code to direct Internet access, and this code is non-trivial enough to be exploitable (Lovesan et al). Microsoft tells us that "if a bad guy can run code on your computer, it's not your computer anymore". By design, RPC facilitates this; by code defect, all the more so.

XP is NT, NT was designed as a network OS, and it treats the Internet as just another network. Because it's so tempting to flatten natural hard scopes (see previous blog entry), certain things such as RPC are rolled out to work seamlessly across networks, as if the local PC and network were all one system (as if they'd been smoking Sun's giggle weed).

So now you have a face-hugger dependency; you can't amputate RPC because the local system relies on it to manage itself. See the problem?

8 April 2005

Use hard scopes as natural cover

Let's pull a few unrelated concepts together...

What is possible is often delineated by hard natural scopes, and overcoming these is generally seen as the objective of progress. For example, it's pointless for me to apply for a job in Norway as I can't physically attend the workplace, but if the nature of my work can be transmitted as data, then that obstacle goes away, thanks to the Internet's role as a ubiquitous data conduit.

The Internet's been likened to the Wild West, in that without any overriding curbs on software behavior, objectives are pursued to the point of open warfare. So you're obliged to view the Internet as a virtual battlefield, as if all the bad neighborhoods in the world could suddenly wormhole their way right up to your front door.

Now when you plan your defences, you tend to take natural hard scopes for granted. If your house backs directly onto a mountain cliff, you don't fret about attacks through the mountain. If the PCs on your LAN are cabled together, you don't fret about other entities being on that LAN unless they get in from the Internet.

On the other hand, if you suddenly take those natural scopes away, you may find your traditional defenses have huge blind spots.


Thirty years ago, we would think purely in terms of physical safety. Today we think in terms of Internet threats as well. The two seem quite different; physical threats are localized, whereas Internet threats are anonymous and pose little physical risk.

We know Internet financial crimes such as identity theft are on the increase, and it's also been noted that criminals formally convicted of physical economic crimes such as muggings, car thefts, house breaking etc. are switching to Internet crime via off-the-peg tools.

We also know that wireless networking needs a lot of attention to secure. Presenters assert this is indeed possible, if you have a few boxes to act as certificate and RADIUS servers, and you disable a bunch of things that are on by default, such as easy-to-exploit WEP.

I see a huge amount of consumer WiFi kit flying across dispatch counters; it seems like many folks automatically go WiFi at the same time as they go broadband. I have to wonder how many of these first-time home networks will have the faintest whiff of WiFi security in place.

Laptops are easily stolen, and new ones support WiFi out of the box. It's easy to cruise around looking for signal and hook in as part of the LAN, thus bypassing any Internet-facing defences, and combine the anonymity of the Internet with boy-next-door physical access. That's a scary combination, and not only for economically-motivated crime.


In physical battlegrounds, combatants haven't relied purely on personal body armour for a few centuries now. Kevlar notwithstanding, modern combatants make maximal use of natural cover, simply because it works better.

Computer game players know this too. Space Invaders players generally don't shoot away all the buildings to get a clearer shot at the bad guys; they preserve these as cover and hide behind them. Players may use cheats to be able to walk through walls in Doom, but they sure don't use cheats to let the bad guys shoot through walls at them.

So perhaps we shouldn't be so quick to dissolve natural hard scopes that physically air-gap LANs from the outside world. We can never clean the Internet of malware - it is the mother of all infected networks - so all we can do is harden the edge against it. Hence the classic defensive strategy; put a NAT router and/or firewall between the Internet and our LAN. After all, the inside of the LAN is implicitly hard-scoped by where the cables go - as long as you don't go wireless.
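An added example, not from the original post, that treats the firewall as the LAN's hard scope for the RPC "face-hugger dependency" the Red Flags entry complains about: inbound RPC endpoint mapper (TCP 135), NetBIOS session (139) and SMB (445) are allowed only from the local subnet on private and domain networks, blocked outright on public ones, and the default inbound action is made an explicit Block. It uses the NetSecurity cmdlets of a modern Windows; the rule names are my own.

```powershell
# Added example, not from the original post. Assumes an elevated session with the
# NetSecurity module (Windows 8 / Server 2012 or later). Rule names are my own.

$LanServicePorts = @('135', '139', '445')   # RPC endpoint mapper, NetBIOS session, SMB
$RuleAllow = 'LAN scope: RPC/SMB from local subnet only'
$RuleBlock = 'LAN scope: RPC/SMB blocked on public networks'

function Set-LanScopedRpcSmb {
    # Make the posture explicit: nothing comes in unless a rule allows it.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # Re-create our rules so the function can be re-run safely.
    Remove-NetFirewallRule -DisplayName $RuleAllow, $RuleBlock -ErrorAction SilentlyContinue

    # Private/Domain: only hosts on the same subnet (where the cables go) reach these ports.
    New-NetFirewallRule -DisplayName $RuleAllow -Direction Inbound -Protocol TCP `
        -LocalPort $LanServicePorts -RemoteAddress LocalSubnet `
        -Profile Private, Domain -Action Allow | Out-Null

    # Public: an explicit block. Block rules win over Allow rules in Windows Firewall,
    # so this is confined to the Public profile rather than made global, which
    # would cut the LAN off as well.
    New-NetFirewallRule -DisplayName $RuleBlock -Direction Inbound -Protocol TCP `
        -LocalPort $LanServicePorts -Profile Public -Action Block | Out-Null
}

function Get-LanScopedRpcSmbRules {
    # Review what was applied: rule, profile, action and the remote address scope.
    Get-NetFirewallRule -DisplayName $RuleAllow, $RuleBlock | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Action        = $_.Action
            RemoteAddress = $addr.RemoteAddress
        }
    }
}

Set-LanScopedRpcSmb
Get-LanScopedRpcSmbRules | Format-Table -AutoSize
```

The profile split only does its job if the Internet-facing or wireless connection is actually categorised as Public; check with Get-NetConnectionProfile and correct it with Set-NetConnectionProfile before relying on the rules. None of this is a substitute for the NAT router or edge firewall the post recommends; it is the second layer, for the day the cable-defined scope is dissolved by a wireless card.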

6 April 2005

BING'd an XP to new C:, won't boot?

This is a "voodoo" tip, i.e. I know it works, but I can't explain why (oh sure, I can guess for days, but... I'd love to see "feedback 1" and read the answer!)

Here's what happens:
- use BING to copy an XP installation C: from one hard drive to another
- put the new hard drive into the XP installation's original PC
- diskette boot into DOS Mode
- FDisk /MBR to put standard MBR code in place [*1]
- FDisk option 2 to set primary C: as active to boot
- attempt boot into XP from hard drive
- fails with Disk Error
Now comes the "voodoo"...
- boot into BING, partition maintenance (no need to install BING)
- resize C: downwards a few megabytes
- attempt boot into XP from hard drive
- now this works fine
- boot into BING, partition maintenance (no need to install BING)
- resize C: back to original size
- attempt boot into XP from hard drive
- now this still works fine

[*1] FDisk /MBR caveats! This command replaces the Master Boot Record code with standard MBR code, overwriting whatever was there. That's bad in two situations:
  • Non-standard MBR code was required, e.g. boot manager, boot virus, DDO code a la Max Blast, EZ IDE, etc. to work around BIOS limitations

  • No valid 55AAh boot signature was present in the MBR; in such cases, FDisk /MBR will irreversibly zero out the entire partition table, losing all partitions!
I've saved off the MBR and PBR and compared them; no differences other than the cached free space value etc. in 3rd sector of FAT32 PBR. So whatever BING is changing after a size nudge is within XP's file set or file system structure, and it's something that BING fails to do (or does wrong, perhaps different PC is a factor) when it did the partition copy.
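An added example, not from the original post, for the [*1] caveat and the save-and-compare the entry describes: read the first sector from a saved image (or, in an elevated session, from \\.\PhysicalDrive0, which I assume .NET's FileStream will open), confirm the 55AAh signature before any FDisk /MBR style operation, list the four partition entries, and byte-compare two saved sectors to see exactly what changed. The table layout (four 16-byte entries at offset 446, signature at 510) is the standard MBR format; the file paths are placeholders.

```powershell
# Added example, not from the original post. Reading the live disk needs an
# elevated session and whole-sector (512-byte) reads; paths below are placeholders.

function Read-FirstSector {
    param([Parameter(Mandatory)][string]$Path)   # a saved sector file, or \\.\PhysicalDrive0
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "Short read ($n bytes) from $Path" }
        return $buf
    } finally { $fs.Dispose() }
}

function Get-MbrInfo {
    param([Parameter(Mandatory)][byte[]]$Sector)
    # Standard MBR layout: code 0..445, four 16-byte entries from 446, signature 55 AA at 510.
    $signatureValid = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
    $entries = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        [pscustomobject]@{
            Entry    = $i
            Active   = ($Sector[$o] -eq 0x80)
            TypeId   = ('0x{0:X2}' -f $Sector[$o + 4])
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        SignatureValid  = $signatureValid
        # Without the signature FDisk /MBR zeroes the table, so that is the one caveat
        # a script can check; "non-standard MBR code was required" is a judgement call.
        SafeForFdiskMbr = $signatureValid
        Partitions      = $entries
    }
}

function Compare-Sector {
    param([Parameter(Mandatory)][byte[]]$Before, [Parameter(Mandatory)][byte[]]$After)
    # Offsets at which two saved sectors differ, e.g. an MBR or PBR before and after a BING "size nudge".
    foreach ($i in 0..511) {
        if ($Before[$i] -ne $After[$i]) {
            [pscustomobject]@{
                Offset = $i
                Before = ('{0:X2}' -f $Before[$i])
                After  = ('{0:X2}' -f $After[$i])
            }
        }
    }
}

# Usage with placeholder paths: save the sector before touching anything, compare afterwards.
$before = Read-FirstSector -Path 'C:\Baselines\mbr-before.bin'
$info   = Get-MbrInfo -Sector $before
if (-not $info.SafeForFdiskMbr) { Write-Warning 'No 55AAh signature: FDisk /MBR would wipe the partition table.' }
$info.Partitions | Format-Table -AutoSize
$after  = Read-FirstSector -Path 'C:\Baselines\mbr-after.bin'
Compare-Sector -Before $before -After $after | Format-Table -AutoSize
```

An empty result from Compare-Sector is the point of the exercise: it tells you the change you are hunting is not in that sector, which is exactly the conclusion the entry reaches about the MBR and PBR.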

The next part's also required, but isn't voodoo (as in the classic man, wife, secretary cliche; "I can explain everything" - but won't):
- diskette boot to DOS mode
- Norton Disk Edit with writes enabled (we're about to "go boldly...")
- copy the pre-code bit from first sector of PBR
- paste this into the corresponding area of C:\BOOTSECT.DOS

Chances are if you're up to speed to do the above safely, you'll understand why you may need to do this if you want a formerly-working hard drive based Boot.ini-mediated DOS mode to work on the new hard drive. Repeat the same procedure to get a hard drive based Boot.ini-mediated Recovery Console to work, substituting C:\BOOTSECT.DAT for C:\BOOTSECT.DOS in the above example.

Today's Google: "this is where your sanity gives in, and love begins"

I've seen a video version of that which is built up entirely of scenes from the movie "Ghost in the Shell". If you've seen the movie, then the video brings it all back in 4 minutes... stunning!

Today's Bonus Google: "scuse me while I kiss this guy"

I wonder why HTML is so ^%$% useless with white space? What you see is hardly ever what you get, even within preview and view within the same program - all too often, contiguous white space is ripped out. This makes it difficult to space out multi-line bullet points, apply the convention of two spaces between sentences, and do ad-hoc bullet points.

I'd also like to know why this editor is so useless at applying a font consistently over a selection of text, and why all HTML editors fail to apply font choice to the numbers of numbered lists. The latter smells like another blind spot within HTML itself. Gah!

4 April 2005

Bug: Win9x Explorer.exe Dwaals, Recovers

I finally got it together to web this long-standing and annoying Win9x bug. To a newbie, it can look like reset button time, and that escalates the impact to file system damage, etc.!

Homage to Hauer

I was thinking about Blade Runner, and how much it was Rutger Hauer's film. The resonance of so many scenes, from the famous pre-death soliloquy to moments such as the revulsion when he first sees J F Sebastian's toys, is 100% Hauer. Acting a non-human with nascent humanity is difficult enough - and Hauer conveys this as effectively as his maker's explicit explanation of the problem, with a mixture of child-like emotions and decisive leadership - but that's just the baseline; Hauer makes it real, and makes us (or at least this viewer) care.

I thought it strange his career didn't take off at the point, but http://www.rutgerhauer.org/ implies he's done far more than Blade Runner followed by blockpopper action roles.

I love P K Dick, but I see Blade Runner as stronger than the "Do Androids Dream of Electric Sheep" story it was based on. As a movie must, it pares down the story, losing the Mercerism thread completely, and re-focuses it on what becomes the dominant theme. It's tragic that PKD is dead, but even more so that he never saw a film that might have changed his mind about "Hollywood". One wonders how much stronger Total Recall and the forgettable film rendition of his "Second Variety" story would have been with his hand guiding the rudder.

Today's tech content; two pages to start off a new "case stories" section at my site.

One is on an atypical presentation of the motherboard bad capacitor problem, and the other being a strange one-site problem with Eudora vs. "spool" files.