Windows WMF Metafile Vulnerability fix from reverse engineer

Well, this is a good way to start 2006, Microsoft. A very serious exploit was found in Windows during the last week, and this time it's a 0day exploit, which means there's no patch available from Microsoft yet. Actually Microsoft are advising people to unregister the shimgvw.dll, which is not a fix in anyone's wildest imagination.

But luckily a reverse engineer called Ilfak Guilfanov has reverse engineered the shimgvw.dll and written a patch which runs on all 32/64bit Windows (aka no 95, 98 or ME support). From what I've read, it sounds like the patch is pretty safe (Ilfak has actually open sourced the code, I believe) so I would recommend you download this patch till Microsoft sort out an official patch. And honestly, do it now as there are tons of worms written for this exploit and they're coming from many different directions: IM, email, browser, etc, etc. Oh, by the way, there's a checker too.

Pass this information to as many people as you can…


VPN tunnel your way to safe ground with Hamachi

Hamachi on windows

What is Hamachi?

Hamachi is a UDP-based virtual private networking system. Its peers utilize the help of a 3rd node called mediation server to locate each other and to boot strap the connection between themselves. The connection itself is direct and once it's established no traffic flows through our servers.

Hamachi is not just truly peer-to-peer, it is verifiably secure peer-to-peer.

Believe it or not, but we are able to successfully mediate p2p connections in roughly 97% of all cases we dealt with so far (few tens of thousands as of early March). This includes peers sitting behind different firewalls and/or broadband routers (aka NAT devices).

Oh my goodness, if you have not tried out Hamachi and want access to your home network from elsewhere, you need to try it out! I heard about it ages ago but dismissed it because I didn't really see the need. Well, that was before I learned about how insecure Wifi can be. So while listening to this week's Security Now podcast I spent an hour checking out Hamachi. At the moment it runs on Windows and Linux but after version 1.0 (they're currently at 0.99) it will be developed for the Mac too. I don't see why you can't run the Linux version on a Mac command line but I'm sure there is a reason. So anyhow, once you've got it installed you can follow the Wizard, which is a little too simple but good for those not deeply into networking; it's easy to escape at any time.

Once you're set up it's just a matter of making a new network or joining another one. You can easily make one and the security is then all hung off your stupidly impossible to crack password. GRC recommends some 63 character password string which can be generated here at the High security password generator. I actually went for a stupid 96 ASCII character password with all types of characters. I'll switch it down to 63 because Hamachi uses a 256bit AES crypto for authentication. After setting the password and name of the network you can go to another machine and do the same, but this time hit join and enter the same details.

Before you know it you're on a new type of network. Actually a 5.x.x.x IP address. I didn't even know you could actually have one of those for a network, I always thought 10.x.x.x was the lowest things went. Ok, so once you've got two machines on the same p2p network you're away. I was able to tunnel out of my work network and onto my own computer at home and launch VNC and access the net and machines attached to the same physical network. Everything is accessible and the speed is amazing. Oh yeah, by the way, I only had to open one port on Smoothwall for it to work; most firewalls and NAT environments can be traversed without opening ports and port forwarding according to the Hamachi creators. I did nothing to the work network, like Skype it just worked. Crazy but true. I also tried using Hamachi with some of the sniffing tools out there and I'm glad to say it works perfectly. All traffic is secured and even insecure connections like POP3 retrieval can not be discovered as it all looks like normal web traffic. Honestly I can't wait for version 1.0 of Hamachi. It's solved so many of my problems it's untrue.


Nokia I understand, but I would have pimped the N90 too

Loic with a Nokia N90 phone

Nokia, you missed a trick here. Yes, I understand you wanted to get the N90 out there by bribing certain bloggers by giving them a shiny Nokia N90. But I've been talking about buying one for quite some time now, you may have considered sending one this way. Hey, I would have written a nice long entry about it and maybe influenced some people to buy one. Of course I would have told everyone that it was given to me and that I'm now a temporary pimp for Nokia N90 phones. But that's not really a problem, is it? Oh well, my Z list status makes it difficult for these things to happen.

But joking aside, there is something I'm a little uneasy about with Nokia and this story. Will it stop me from buying the phone? Hummmm, maybe not, but I can't help thinking bribing/influencing people is not the best way to get a product out on the web. But hey, what do I know, as the story says Microsoft's been doing it for years. I'll have to see the real details of the arrangements; some rumours were saying Nokia are going to take them back at some point in the future, and that they would take away the phone if you wrote anything negative about it or wrote nothing at all?

I still can not believe it's still not available in the UK under contract on Orange or any other network. There's no way I'm paying 430 pounds for a phone, full stop. I'm also hearing rumours about a 3g Microsoft Smartphone device coming in January, so I might hold off. Too bad, Nokia.


The Fall out over the Sony Rootkit/DRM

Sony BMG logo

The backlash against the SonyBMG rootkit and DRM has been one heck of a rollercoaster ride which doesn't seem to be ending anytime soon. Here are some highlights in case you have missed them, interlaced with some Cluetrains.

A couple of lawsuits have been filed against Sony for breaking their EULA.

Then Sony issued a patch which is impossible to find (everything Sony is impossible to find on their site, to be truthful) and does not actually remove the DRM. Well, what do you expect?

Talking about the EULA, some very interesting clauses and points to consider when buying your next CD

Sony's Exec, Thomas Hesse (President of Sony's Global Digital Business) replied to the whole issue of Rootkits and DRM by saying "What users don't know can't hurt them…" (A must listen, by the way!). And echoing Miles' thoughts, Apple and Microsoft must be pissing themselves with laughter. Thomas Hesse has some balls saying what he said, and the bloggers will have the last say about his ridiculous comment.

#14 Corporations do not speak in the same voice as these new networked conversations. To their intended online audiences, companies sound hollow, flat, literally inhuman.

New virus uses Sony BMG software. Yep, that very badly written code for the rootkit has been leveraged for a virus which hides via Sony's rootkit.

The complete list of SonyBMG Rootkit CDs at the EFF

Apple Anti rip software found on the same Sony BMG CDs. Usual discussion on Slashdot about Mac users and will Sony bring DRM to linux too?

The power of the blog outlines what's already been seen in other areas like the Kryptonite lock. When will the mainstream media actually pay attention to what their children are reading online?

#6 The Internet is enabling conversations among human beings that were simply not possible in the era of mass media.

#94 To traditional corporations, networked conversations may appear confused, may sound confusing. But we are organizing faster than they are. We have better tools, more new ideas, no rules to slow us down.

And of course some fun, Sony I download your music


At long last,
Sony halts production of 'rootkit' CDs

Sony BMG Music Entertainment said Friday that it will suspend production of CDs with copy-protection technology that has been exploited by virus writers to try to hide their malicious code on PCs.

The decision by the music label comes after 10 days of controversy around the technology, which is designed to limit the number of copies that can be made of the CD and to prevent a computer user from making unprotected MP3s of the music.

Security experts blasted the technology because it uses “rootkit” techniques to hide itself on hard drives and could be used by virus writers to make their malicious code invisible. The first remote-control Trojan horses that took advantage of the cloak provided by Sony BMG surfaced this week.

“We are aware that a computer virus is circulating that may affect computers with XCP content protection software,” the record label said in a statement Friday. “We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology.”

Let's hope that's the end of XCP and its rootkit. Somehow, I know it won't be.

My phone is also made of human ass

When I heard Merlin from 43 folders talk about his phone, I instantly knew it was a Panasonic phone before he even said it. Then I looked up the picture of his phone and laughed. Me and Sarah have been generally pissed off about our home phone for the same reasons for about the last 6 months. The rubber keys are a nightmare once they start to wear; I can't tell you how many times I've pressed 5 and it's dialed 3 5's. The battery life on the phone is also a nightmare and it's about the same weight as my iPaq, which is simply wrong.

So anyhow, we did change it recently to a Philips 5115 phone which was a pile of crap, riddled with bugs and with difficult navigation to boot. Just 2 days ago we bought a couple of NTL DECT phones (would link to a picture but Argos.co.uk don't seem to have it, although I bought it there) and according to my wife it's really good. The question is now, what do we do with the old Panasonic phone? And the only thing which I can think of is to give it to a charity shop as it still works, it's just a pain to use.

Hey, I didn't know NTL and Telewest merged?


Are you a self described geek?

…well do you? Why not? Is it because you failed the Geek test or, more likely, because you don't like the idea of being a geek? Wikipedia takes the sci-fi route, but could it be the mainstream view of geeks which is putting you off? There was a short piece in the Telegraph recently, which was sent to me by Birch, about the fact that the UK Sci-fi Channel now has more female viewers than male. Ann McMeekin's quote is perfect if you swap sci-fi for geek, or even nerd, or even techie.

People have an impression of sci-fi fans being small men who sit in the dark watching Star Trek but it's not like that now

Will this perception change? Knowing the mainstream media, not anytime soon. But it is certain that the old boys' club of geek culture is being slowly taken apart, and I for one think it's a good thing. The other day Sarah made a comment to me while I was watching Rocketboom, which just celebrated its 1st year anniversary (26th October, which is also shared with me and Sarah's anniversary too): "It's great to see you watching a great looking geek girl for once." After a brief discussion about what exactly she meant, I got it. It's true, all the geek media I watch tends to have a strong male lead and if there are any women at all, their role is usually irrelevant or very small. And she's right, geek culture is still mainly run by white males. Take for example Nerd TV, which still has no female interview after its 8th show now. To be fair, Anina is next on the list but she's the only one; not even Molly or Meg Hourihan is on there.

  • Macintosh OS programmer Andy Hertzfeld (9/6)
  • PayPal co-founder Max Levchin (9/13)
  • Sun Microsystems co-founder Bill Joy (9/20)
  • Internet Archive founder Brewster Kahle (9/27)
  • Internet publisher Tim O'Reilly (10/4)
  • Father of RSS Dave Winer (10/11)
  • Autodesk co-founder Dan Drake (10/19)
  • Intel Capital co-founder Avram Miller (10/28)
  • Anina the WAP Queen
  • Computer mouse inventor Doug Engelbart
  • Former Lotus chief scientist Jerry Kaplan
  • Apple Computer co-founder Steve Wozniak
  • Former Apple chief scientist Larry Tesler
  • Google CEO Eric Schmidt
  • The father of Linux, Linus Torvalds
  • TCP/IP inventor Bob Kahn

Yes, I know there's many cultural and social reasons for this but you have to wonder how much things have changed. Let's not get started on the different cultures and race point of view either; NPR has a few podcasts about this but it's American focused: Reversing Technology's Racial Divide and Black Students and the Future of Technology.

AvantGo finally supports RSS

So funny, I've been hearing rumours about AvantGo supporting RSS, like Russell has, for quite some time too. Like him I was told not to blog it, but I'm sure it wasn't the same person or group of people. Even without the heads-up, it was certain that AvantGo would have to do something at some point to stay relevant with the huge demand for RSS content on mobile devices. Is it enough to make me switch back to using AvantGo over PocketRSS? No. But is it good enough to recommend to others? You're damn right…

Why I don't want an iPod or PSP

Going digital

This post to slashdot by Zonk sums up my thoughts too,

As the owner of a PocketPC PDA I am a very happy camper, with wifi internet access, Skype Voip, video playback, and of course the ubiquitous mp3 playback. In an era where everyone seems to talk about the Video iPod, and the next generation of mobile devices, it leaves me wondering – I already have all those abilities in a PDA that costs about as much as an iPod. My question for Slashdot: Given that modern PDAs have almost all the functionality of these separate devices, how has Palm and Microsoft/PocketPC developers failed in making PDAs a force in this new era of portable media devices? Is it the poor marketing, bad media apps, public perception, or do people simply not want an all-in-one for mobile media?

And as I expect, it's horses for courses, as my dad says.

Gumber says

Because more functionality isn't always better, especially in a smaller device.

You might as well be asking why people buy screwdrivers and pliers instead of a single Leatherman.

Some more comments for thought,

From ciroknight

PDAs might be cool toys, they do a lot that a PC can do, and you can carry it in your pocket. Pretty cool eh? But when it comes down to it, what does the device actually do? Hard to define; it can do calendars, it can do media playback, it can do telephony, it can do internet-related tasks. But on the overall, it's a very obscure device.

– Indeed, it's one of the things which makes it difficult to explain to people. One moment I'm using it as an mp3 player, then a video player, next moment a Skype or IM device, and at the end of the day I'm using it to take notes at a meeting. It works for me but it's a hard concept to sell and it requires installing many pieces of software and some configuration.

There was lots of talk about storage too.

Unless you sprung for extra storage, the space on your PDA is measured in tens of megabytes. On an iPod, it's measured in tens of gigabytes.

I don't think that's the main issue, because the PSP has equal storage levels to a modern PocketPC (1/2gig maximum). Yes, it's nothing compared to the 100gigs which are now possible. But I expect flash drive PocketPCs will be arriving soon, as hard drives are still very power hungry.

The impact of Crackberries (BlackBerries) has also had an effect on the image of PocketPC in the business world, just like how most PocketPCs have moved into the mobile world. Hence the change of operating system name, WindowsCE to PocketPC to Windows Mobile.

As someone said,
People who make generic statements such as “PDAs have failed” are just simply wrong.


Messy haxoring with metasploit caught on iptv

It's not quite as cool as it may sound from the title. I just watched episode 13 of my lame-ass iptv soap, The Scene. Yes, everyone's got their weakness, but if you put this against other soaps like Hollyoaks then it comes out quite well. Anyhow, I got a real kick out of the main character trying to get root on a Windows box hosting an FTP server. They used the well established Metasploit to find a flaw and exploit it. To be fair, it's one step up from the hack in The Matrix Reloaded and they did do a little homework to use the nice open source framework Metasploit. It's certainly a fine line between security tester and exploiter, but the best tools always are.

Talking of which, if you didn't catch the Security Now podcast number 9 about rootkits, please do as it will give you a good old wake up call. I've been personally aware of rootkits for quite a long time but I didn't know spyware and adware applications were starting to use them just so they can't be removed from a computer. It's crazy, but it's true. Honestly I wouldn't wish a rootkit on my worst enemy, I just can't imagine anything worse. Anyhow, Steve and Leo do a great job explaining how rootkits work. It is however really good to know Microsoft and Sysinternals are working on the problem. I did try out Sysinternals' Rootkit Revealer on all my machines and I'm clean as expected, but it's good to be sure. I suggest everyone should give it a try, at least till Microsoft add rootkit scanning to their malicious software removal tool. No one likes to be rooted…

More than enough memory formats to ponder on?

Ok so correct me if I miss one.
CF, SD, SM, MMC, XD, RS-MMC, miniSD, MS, MS pro, MG, MG pro, ATA and of course MS duo. All make up the complex, confusing and nightmare eco-system of Flash memory.

I personally think Sony Memory Stick is the worst of all of them, with 4 different types of Flash memory formats which seem largely incompatible with each other. The licencing also keeps Memory Stick(s) prices quite high and I believe there are only 4-6 makers which can actually legally make them. I like what Sony do sometimes (PSP and PlayStation) but come on now, it's time to let go of Memory Stick and let the market decide. Ok, enough about Memory Stick for now. MMC, ghezz, don't start me off. Why didn't it just merge into SD? MMC looks the same, acts the same but has odd voltages which don't work with certain devices; SD just works, plus it has IO capabilities. Honestly I don't care if it's called SD or MMC but they should have sorted it out before the minis were produced. MiniSD fits smoothly into SD but is the same true of reduced size MMC? I've not seen any sign of such a smooth interchange. Oh well, at least Smart Media is slowly going away but the very odd xD has replaced it. I don't know why xD is around, what advantage does it have over SD and MMC? Lower voltage? What's the point?

On a positive finish, Flash memory is getting really cheap now. 1gig SD and CF is about 35 pounds now and USB thumb drives are really becoming ubiquitous. The 4 gig Flash memory in the iPod nano sounds like a lot now, but Samsung have already showed off 4x the space (16gig). With all this in mind, 2-4gig could be just around the corner but I assume other formats are also just around the corner too. Some suggestions for new names: xD nano, SD micro, SD-MMC, Mini Micro MMC, reduced micro sized SD, Memory stick super duo magic gate pro. Nahh, it will never catch on.