Everything, Everything - March 2007

2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
Saturday 31st March, 2007 14:15
The 15 Royal Navy personnel held captive by Iran could stand trial for "entering Iranian waters", a senior Iranian diplomat has said. The UK government continues to state that the captives were seized in Iraqi waters and has demanded their "immediate" return. One of the many reasons why I suspect the UK are telling the truth is because of Iran's inconsistency over the events:
  1. HMS Cornwall was south-east of a merchant ship, both were inside Iraqi waters
  2. Iran tells UK that the merchant ship was at a different point, still within Iraqi waters
  3. The UK (perhaps feeling rather smug?) points this out
  4. Iran provides alternative position, now within Iranian waters (according to "seized GPS equipment", the crew had allegedly previously entered Iranian waters at several points)
US state department spokesman Sean McCormack has already rejected suggestions that a swap could be made for five Iranians captured in Iraq by US forces in January. The Iranians, believed to be members of the Revolutionary Guard, were taken in a raid in the city of Irbil, along with equipment which the Americans say shows clear Iranian links to networks supplying Iraqi insurgents with technology and weapons.

It looks to me like Iran is spoiling for a fight. I wonder if the US and UK will give them one. At least there's plenty of evidence this time.
Friday 30th March, 2007 16:28
Six F**king Hours
Tuesday 27th March, 2007 14:51
And we still haven't reached nmap.
Hot Deli Girl
Tuesday 27th March, 2007 12:57
Brunette, obviously. Might have to come here the rest of the week.
The World's Slowest Training Course
Tuesday 27th March, 2007 12:05
We arrived at 9, it eventually kicked off something like half 9 (I didn't even bother trying to keep track of time), and it's now midday and we're still covering WHOIS. We'll progress to DNS in a bit. No wonder it's not meant to finish until after 6PM tomorrow and Thursday.
Spotters To Report On Terrorism
Monday 26th March, 2007 17:36
Police have enlisted the help of plane spotters to safeguard Bristol Airport from criminal and terrorist activity. Mr Ware, who is in charge of the airport's police team, said enthusiasts have been told what action they should take in response should they spot suspicious activity.

Is it just me, or does that sound stupid and a complete waste of time? If I were a terrorist (and I'm obviously not), I'm pretty sure that I'm not going to do anything dodgy while I'm at an airport. It's not like I can reasonably jump over a fence and/or steal a plane. It's not like I'm going to start mixing all my liquids in a cup as I board the plane. It's not like I'm going look shifty and carry a big bag with the word BOMB on the side. If I were a terrorist that intended on hijacking a plane, I would do my best to act naturally until the plane had taken off and was well away from the airport. And then I'd mix my explosives/break into the cockpit/whatever other cunning plan a terrorist might think of. The last thing I'm going to do is give the game away while I'm still in the vicinity of the airport and all those police officers with their guns.

Of course, detecting other criminal activities might be more reasonable, but you'd think there were enough safeguards and security in place that there wouldn't be any benefit from using volunteers.
Upside Down
Sunday 25th March, 2007 23:00
Even though I'm male and I have brown hair, I sometimes have blonde moments. I just noticed that I accidentally fitted the CD-RW in the (temporary, as I have a Lian Li PC6070B waiting for these components) case of my P4 machine upside down!

Upside Down Memorex Drive

In more successful news, the blue and pretty Zalman passive northbridge heatsink seems to be firmly attached to the northbridge thanks to some Arctic Alumina thermal adhesive. It gets pretty warm, but nothing to worry about. Unsurprising, given that the system ran fine without a heatsink on there at all after the old one broke off! That Core 2 Duo cooler is also running very well and extremely quietly on the overclocked Pentium 805D processor (2.66GHz @ 3.6GHz). Once I switch PSUs with my main machine (putting a 460W Xilence Semi Fanless PSU into my machine, I've got one in my other PC and I've never heard the 7cm fan kick in, and then moving the 480W Tagan into the P4 to make it even quieter). Somehow I'm going to end up with 3 almost-silent-but-still-quite-powerful PCs, which is why it amazes me how some people can put up with noisy computers. The final touch will be when I buy a couple of Silent Drive enclosures off a friend over the next bank holiday.
Nearly Better
Sunday 25th March, 2007 22:47
Last week I was taken down by what appeared to be a very nasty virus, the sort that keeps you in bed because you have trouble standing upright and everything hurts. I had hot and cold flushes, which (unsurprisingly for me) resulted in a nosebleed, and I spent pretty much all of Thursday with my eyes closed (I still find it painful to look left or right). I finally felt vaguely human on Friday night and managed to drink something other than water (as I'd already used up all my orange squash on Thursday morning). I managed hot chocolate, but made with water as I didn't have any fresh milk, and I didn't have the energy to walk to the shops to get some. My back still hurts quite a lot, and I know I'll ache again in the morning, but at least I've finally managed to get through a day without taking any painkillers. I hope to be at work tomorrow, as there are a number of things I need to catch up on, and then I'm meant to be heading to delightful Slough for some training for the rest of the week. I'm still not entirely sure how much I'll learn from this course.
My Alibi
Wednesday 21st March, 2007 15:59
It's a good job I was in Scotland on Monday (I landed on the emergency runway at Gatwick shortly before midnight), or I could be a prime suspect for the theft of a lorry containing Cadbury chocolate eggs worth an estimated £70,000. One of the suspects is described as white, aged between 25 and 30, about 5ft 10in tall and with short hair. Mmmm, chocolate eggs...
Wednesday 21st March, 2007 14:20
A friend of Tania posted a poll ages ago on LiveJournal, and finally posted a summary of the results (48 respondants, of which 26 were male and 22 female). Amongst the very detailed study was the following information that I found interesting:

Only 22% of people use scent regularly, 38% of people never touch it, 42% of people don't own any, and women tend to own more than men. When it comes to how other people smell:

Positive Reaction - 32 (67%)
Neutral Reaction - 12 (25%)
Negative Reacion - 4 (8%)

Of 48 people, 6 people didn't really notice smells and 6 didn't really care at all, so that means 25% of the sample wouldn't care what you smell like. 4 people actively disliked perfumes and aftershaves on other people, finding them excessive and a bit much. But they only made up 8% of the complete sample.

The most interesting thing I came across in her study was the sex difference. Women's answers were split:

Positive: 17 (77%)
Neutral: 3 (13%)
Negative: 2 (10%)

But the men responded with:

Positive: 15 (58%)
Neutral: 9 (35%)
Negative: 2 (8%)

This seems to imply that women are more swayed by scents that men are, with a whacking great 77% (over 3/4 of all women who responded) will react positively to scents on someone. Implicit in the same results is that men care less about scents with 58%, so somewhat over half of the male respondants reacting positively, but with over 1/3 not really giving a damn one way or the other.

Perfume advertising is generally aimed at women (the ones who care), and often implies it will make you more appealling to potential sexual partners. We live in a predominantly heterosexual culture, so it appears that perfume won't work as well as they'd like women to think.

I guess I should try out some more aftershaves.
David Tennant
Tuesday 20th March, 2007 14:40
Doesn't he dress well? I'm tempted to emulate his dress sense, but he only seems to have two suits (which is still one more suit than I own). As the "Tenth Doctor" he chose an outfit consisting of a dark brown pinstripe suit, shirt and tie, a light brown overcoat and a pair of Converse All Stars from the TARDIS wardrobe, a costume which Tennant described as "geek chic". In publicity shots for the third series, he is shown wearing a new blue suit and a pair of red Converse All Stars, but he retains the brown overcoat. In the trailer for series three, shown at the end of The Runaway Bride he is shown wearing both the blue suit and the brown pinstripe suit — the blue suit in Smith and Jones, and the brown pinstripe in The Shakespeare Code. One thing I didn't realise was that Tennant's name was put forward as a possible candidate for the role of the Ninth Doctor for 2005 series (the role went to Christopher Eccleston instead), and that being the Doctor has been a childhood dream, so I don't feel quite so bad about him taking over after the success of Casanova.
Tuesday 20th March, 2007 13:21
The good news is that Firefox 3 is going to catch up with IE6 SP1 and support Microsoft's extension, HttpOnly cookies. The web developer can set a cookie to be HttpOnly (both ASP and PHP support setting HttpOnly cookies) and the browser will only ever use that cookie when sending HTTP requests. This means that client side scripting (typically cross site scripting attack) cannot read the cookie. And it doesn't appear to break anything for users with older browsers (it's essentially doing something similar to when you set a cookie as "secure" so the browser will only send it over HTTPS). So how do you do this on PHP? You can either change the ini setting for session.cookie_httponly or, more likely for those on shared hosting/without access to the the ini file, you should be able to use ini_set to change the setting. For instance, the following code will generate a session cookie (PHPSESSID) that's set to HttpOnly:

ini_set("session.cookie_httponly", 1);

For those that actually look at server headers, this means you'll now see something like:

Set-Cookie: PHPSESSID=2bef439055e0aa0a9f15622cb7854eeb; path=/; HttpOnly

Simple. You can probably do a search and replace on your code to replace session_start() with the additional line of code. If you can't do this setting, pester your hosting company to install a newer version of PHP.
Random Thoughts
Tuesday 20th March, 2007 02:10
I think I've been watching too much Lost, as I sat down in the rear of the plane on my flight to Edinburgh I thought of myself and the people around me as "Tailies". I sat in the middle on the way back, I forgot to make a note of my seat, to see if I was sat in the same place as one of the passengers (AKA Losties).

I finally walked upstairs to the departures gate... to discover a big range of shops, and a Caffe Nero with mains electricity points everywhere! For a fleeting moment I thought I could power up my laptop... then I remembered I'd just checked in my suitcase with the laptop inside of it. Still, the coffee was quite good, and very strong.

The captain was surprisingly cheerful and even made a joke during the flight, saying that the weather in Gatwick was now a "tropical 2 degrees". Why is it that captains always have posh accents? I don't think I've ever heard a captain from Manchester, or one with a strong Glaswegian accent.

I spent over an hour sitting opposite an attractive girl. She wasn't going to be on the cover of a magazine, but there was definitely something about her that made her very appealing. She had dark brown hair that was nearly-but-not-quite black, she wore black shoes with black cotton socks, and a thick woollen black top with an intertwined pattern, and some sort of long sleeved white top underneath, and blue jeans. She appeared to be waiting for someone from international arrivals, playing with her car keys (which had an 8 ball at one end, allowing her to swing the keys around). The person never showed, and she eventually walked off, about 20 minutes before check-in opened for my flight. Which is a shame, as I was thinking of scribbling down on a bit of folded paper (so I'd hopefully have time to walk away while she unfolded it) something along the lines of "I think you are really attractive" just to brighten her day. So if that sounds like you and you were sat in Edinburgh airport yesterday evening, now you know.
Honey, I'm Home
Tuesday 20th March, 2007 01:36
Actually, I got home about 1:15AM, but I've been catching up on email.
Falling Down
Sunday 18th March, 2007 09:53
I was reminded of the film as I ordered from McDonalds. Sadly, airport security had ensured I had nothing to use as a weapon.
Friday 16th March, 2007 15:30
There's a lot of talk about plans to phase out the traditional lightbulb by 2011 in favour of energy-saving bulbs. I don't have a problem with wanting to save energy, but I do think that there are better ways to reduce the amount of electricity that people use across the country. Anyway, the idea is we'll switch to fluorescent lights, which are meant to last 5x longer (and are 10x the price, although the idea is its an investment as they use less power). But by the time it's actually phased out in 2011, I think LED lighting will be a viable alternative.

LEDs are better than fluorescent lights because:
  • You can dim them (fluorescent lights don't work with dimmer switches)
  • They're even more efficient (fluorescents hit 70 lumens per watt; incandescents max out at 15; but LEDs have been produced that emit roughly 100 lumens per watt and are expected to reach 145 lumen per watt by 2008)
  • They last longer (halogen lamps run for about 2,000 hours; incandescent lamps are about half that; LED lights are roughly 50,000-100,000 hours; fluorescent lamps typically last 8,000-15,000 hours as the lifespan is related to the number of times it is turned on - around 6,000 to 7,000 starts)
  • They're directional (good for replacing halogen spotlights, as a 6-watt array of LEDs can produce light equivalent to a 20-watt halogen bulb)
  • With a diffuser, you can make the light omni-directional
  • They don't flicker
  • With quantum dots, they can produce a warm natural light
You have to admit, interior lights like this do look pretty cool. And this one's different, and stylish.
Passive Northbridge Heatsink
Friday 16th March, 2007 09:31
That's all that I intended on buying. Perhaps with some Arctic Alumina epoxy stuff to stick it permanently onto the northbridge chip (as I've lost the last lot I had).

And I found one, the Zalman Northbridge Cooler, and I found another one, the Zalman ZM-NBF47. So I ordered both, as the latter is prettier and the former is meant to definitely support any Intel northbridge (without integrated graphics) - hopefully it'll be fine on mine, as one of the legs to hold the northbridge came off, spurring my search for a new heatsink - surprisingly the overclocked system remained rock solid without a heatsink on the northbridge chip! And then I made the mistake of looking around for other things.

I've been meaning to buy a TV card for my PC at some point so I can abandon the small TV in my lounge, and it's not the best card, but it does analogue and digital TV and works in Vista's "Media Center" and it's fairly cheap. I ordered the Hauppauge WinTV HVR1300 Kit. Which would have been okay if I'd stopped there, but then I spotted that Aria had some more of the Lian-Li PC-6070B Silent MIDI towers for sale, and I love this case a lot, and they've been pretty hard to get hold of (unless you're willing to pay around £120), so I bought one. The overclocked P4 system is in one of those Antec cases, it's allegedly quite a nice one, but it's plastic, it's warped, a couple of clips are broken, and I really don't like it. And then I decided to buy another 460W Xilence Smart Semi Fanless PSU, which I'll put into my main machine and then move the Tagan 480W PSU into the P4 machine, and give my dad his spare (and somewhat noisy) PSU back. I fiddled with the BIOS last night and turned on the clever AI stuff that makes the CPU fan run slower, and speed up when it gets hot, so pretty much the only part of the system making any noise is the PSU. So my ~£10 order ended up being roughly £300 more expensive than I originally planned.
Winter Returns To Britain
Thursday 15th March, 2007 17:13
The Met Office has issued a warning that heavy snow falls are on the way for parts of the UK, starting on Sunday and persisting until the middle of next week. The blizzards will be driven across the country by cold northerly winds and disruption to roads, rail and air travel is likely. The first significant snowfalls are expected overnight on Sunday and during Monday. The change in the weather follows a period of above average temperatures for much of Britain. Experts say the mercury will drop to as low as -4C for parts of Scotland, northern England and Wales. Scotland will apparently "see lots of hail, sleet and snow by Sunday". I'm flying to Edinburgh around midday on Sunday, then getting a taxi to the hotel in Dunfermline. I'll be on-site from 9AM on what will probably be a very cold Monday morning, then flying back from Edinburgh to Gatwick late on Monday (assuming my plane isn't delayed because of snow). Then I'm jumping into my car and driving home (probably with the heater on full). I'd better wrap up very warm.
Thursday 15th March, 2007 12:28
There's been talk about Mac OS X Leopard, as it'll probably appear halfway through this year, and the Apple website has a sneak peek at some of the new features.

Time Machine
Looks identical to System Restore, which Microsoft has had since Windows Me.

Looks a lot like Outlook Express/Windows Mail, right down to the new stationery templates (that annoy everyone), with a couple of features that Outlook 2007 provides (notes and RSS feed support).

I admit this does look quite pretty, but iChat has already had two vulnerabilities discovered in it, unlike Windows Live Messenger - which it appears Microsoft weren't allowed to pre-install with Vista, as you have to click a link to get to the webpage to download the file.

It sounds like a neat trick to group applications to a specific virtual desktop. But that's all it is, a neat trick. If this is one of the big features they're pushing for Leopard, it had better not be an expensive upgrade.

It's still the same application as before, but now with more widgets. Seriously, more widgets as a big new feature? They're really running out of ideas now.

Now with a Quick Look preview. Wow, I bet that took a lot of time to write.

A lot like Windows Calendar. A calendar's a calendar, not something that's usually exciting or worth writing about. I don't remember Microsoft mentioning it at all.

It has a single new voice. Microsoft have new voices for loads of languages. Some of the other features do sound good though, such as braille and positional cues. Improved closed captioning support appears to be part of QuickTime, so I suspect you'll get it if you grab the latest version for free from their website.

Something Microsot and Linux has been able to do for years. For most people this won't offer much of an improvement. It's not like most Macs come with enough RAM to need 64-bit addressing.

Core Animation
Eye candy.

If you want improved accessibility and some extra eye candy, then Leopard sounds interesting. For everyone else, I can't really see why anyone would pay money for features that people like Microsoft would typically provide in a Service Pack. Vista might seem expensive, but it's unlikely you'll have to pay another penny until Vienna arrives sometime in 2009.
Sticky Keys
Monday 12th March, 2007 17:29
For a moment I thought someone had found the Holy Grail, a way to get SYSTEM on Vista without having to be authenticated (much like the old Korean version Terminal Services issue on Windows 2003 a while back). It turns out it's a lot harder to achieve.


StickyKeys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as the Shift key, and have it remain active until another key is pressed. StickyKeys is activated by pressing the shift key or a modifier key five times in sequence and a beep is sounded. Vista does not check the integrity of the file that launches StickyKeys before executing it, which means you can replace it with another executable and run it by depressing the shift key five times. A popular replacement is cmd.exe. After replacement, one could invoke this command prompt at the login prompt without the need to authenticate.


AKA why the world isn't ending. The StickyKeys file sethc.exe is protected by Windows file protection. The default permissions only allow Read & Execute and Read access to SYSTEM, Administrators and Users. The only user that has Full Control is TrustedInstaller.

Aside from getting TrustedInstaller to somehow change the file over for you, you have to adjust the permisions using an Administrator account. Assuming you don't have control of the GUI, you can do this by running:

takeown /f c:\\windows\\system32\\sethc.exe
cacls c:\\windows\\system32\\sethc.exe /G administrator:F

That also needs to be performed in an elevated Command Prompt (unless UAC is disabled; I'm not very sympathetic if people do that and get caught out). The thing is, if you're executing commands with an elevated Command Prompt, an easier method would perhaps be to create a new user and add this user to the administrators group via the net command, then use this account to rightfully log.

net user USERNAME /add
net localgroup administrators USERNAME

Some people might say that an additional user account isn't very subtle (although I believe you can hide it on the logon screen by changing a registry setting); I don't think a Command Prompt coming up whenever you hit the shift key five times is particularly subtle either.

It's an interesting way of getting SYSTEM access without having to authenticate, but if someone already has that much control over your computer to create this rather abstract scenario, you have bigger things to worry about.
Linux 2.6 vs Windows 2003 (vs OS X)
Monday 12th March, 2007 15:07
Apologies in advance for this lengthy and geeky post, but I decided to take a look at Secunia's advisories for 2006.

Microsoft Windows Server 2003 Enterprise Edition:
36 Secunia Advisories in 2006; 9% unpatched (11 of 119); most critical unpatched is rated "Less critical"

Linux Kernel 2.6.x:
44 Secunia Advisories in 2006; 16% unpatched (18 of 113); most critical unpatched is rated "Moderately critical"

Windows 2003 certainly looks better than Linux Kernel 2.6, based on those statistics (probably best not to look at how critical the patched problems have been, as Linux problems tend to be DoS more than root privilege). Let's take a closer look at more of Microsoft's products.

Advisories for 2007:
Windows XP Pro: 9
Vista: 2
Office 2007: 0 (0 ever)
SQL 2005: 0 (0 ever)
Exchange 2003: 0
IIS6: 0
WMP10: 0
WMP11: 0 (0 ever)
AutoRoute 2006: 0 (0 ever)
AutoRoute 2005: 0 (0 ever)
BizTalk Server 2006: 0 (0 ever)
DirectX 9: 0
IE7: 4
ISA Server 2006: 0 (0 ever)
ISA Server 2004: 0 (0 ever)
MSN Messenger 7: 0 (0 ever)
MSN Messenger 6: 0
Outlook Express 6: 0
Virtual Server 2005: 0 (0 ever)
Visual Studio 2005 : 0
Visual Studio .NET 2003: 1
Windows Desktop Search 2: 0 (0 ever)
Windows Live Messenger 8: 0 (0 ever)

Notice how the only ones that have ever had errors are essentially Microsoft products that were designed before 2004 (SDL began in 2002). Practically all of the 2006/2007 versions of products are fine (the exceptions being Vista and IE7, which have had pretty much the entire world looking at the RTM code, as researchers look for fame... I mean vulnerabilities). Very few problems have been found in any of their products since 2005.

Looking at Apple, as there are too many Linux distros - often with third party packages installed by default - to compare in a meaningful way, we can see:

Apple Macintosh OS X:
24 Secunia Advisories in 2006; 17% unpatched (17 of 99); most critical unpatched is rated "Highly critical"

Windows 2003 only had 50% more advisories than OS X in 2006, which is still quite bad, but it probably shows that OS X isn't quite as secure as Apple likes to make out.

Let's take a look at Secunia's advisories for Apple in 2007:

OS X: 12
iCal: 0
iChat: 2 (Month of Apple Bugs - MoAB)
iLife iPhoto 6: 1
Quicktime 6: 0
QuickTime 7: 2
Remote Desktop 3: 0
Software Update 1: 1 (MoAB)
iTunes 6: 0
iTunes 7: 0 (0 ever)
Quicktime Streaming Server 5: 0 (0 ever)
Safari 2: 1

So in 2007 there have been more vulnerabilities found in OS X than XP Pro. To be fair, the MoAB didn't help as this raised a lot of issues, but this is partly why I also looked at the statistics for 2006 as it's before MoAB came along. But I think there's a reason why there isn't a MoWB (Month of Windows Bugs), as there aren't many to find. Even the MoKB (Month of Kernel Bugs) only picked up one Windows vulnerability, and that didn't apply to 2003 or Vista as it's already been fixed, the rest were mostly Apple and Linux (or third party drivers).

Apple's IM program has an error (WLM8 has none, nor did its predecessor MSN7). Their browser (Safari) only has 1 error, which is quite impressive, but IE7 is still fighting a legacy background where it interacted with pretty much everything, with many applications relying upon this interaction and the various quirks from over the years. ActiveX support is (AFAIK) also lacking from Safari, which is the main reason why IE7 has so many problems.

The funny thing is that IE7 is attempting to move away from native support for things like FTP, and this has actually annoyed many users (wasn't it the EC that said IE shoudn't be so tightly integrated with the OS?), leading to KB article 928675, Separation of Internet Explorer 7 from the Windows shell:

In Windows XP, you can seamlessly browse Web pages and Windows folders in-place. This behavior occurs because Internet Explorer 6 and the Windows shell were basically the same program but used different user interface (UI) entry points. A key principle of Internet Explorer 7 is that the installation of a new version of Windows Internet Explorer does not update the Windows shell. Such behavior would have a large effect on the user experience, on functionality, and on stability. Therefore, the components that were previously shared with the Windows shell, such as the main window, the Address bar, and the toolbars, are not updated for Windows XP with SP2 and for Windows Server 2003 with SP1. Instead, Internet Explorer 7 installs newer components for its own use. This behavior significantly reduces compatibility risks and the need for corporate customers to test the Windows shell for Windows Internet Explorer updates.

Microsoft is aware that several customer scenarios have been adversely affected by the decision to force browsing into a separate process. In particular, FTP folders and Web folders frequently relied on in-place browsing to preserve context such as authentication state. FTP folders now interact with servers differently than the FTP folders did in classic FTP view. FTP folders and Web folders are arguably the features that best demonstrate the power and the versatility of a Web browser that is integrated with the Windows shell. We have received feedback that the separation has caused problems for customers who are heavily dependent on the integration of the Web browser and the Windows shell. We are continuing to gather feedback and will research workarounds for compatibility issues that result from these major architectural changes. When we have more information about customer scenarios, we can improve the behavior of features that overlap the boundary between Windows Internet Explorer and the Windows shell. However, we believe that the separation of these components will lead to a more innovative and flexible Web browser.

Of course, some people don't like statistics (and some drunk people will even call me a f**king idiot, but thankfully I didn't take it seriously, and I tend to enjoy our heated debates), and I must admit they don't always show the true picture. Especially when you have to consider the motives for discovering vulnerabilities. Microsoft tend to be more proactive at announcing patches. They communicate well with researchers, making them more likely to want to research and disclose vulnerabilities. They get a lot of attention (both from researches and malware writers) because they are responsible for the most popular OS and office software. It's hard to compare security between an operating system that makes up the overwhelming majority of desktop installations and a manufacturer that made up 3% of computer sales last time I looked (and probably less than 1% of daily computer users?). When Apple doesn't have any office software, how do you compare vulnerabilities in Word? You could compare MS Office to applications like Open Office, but the latter is fairly well written open source software from a third party. If it's well written (and Open Office is pretty good) Apple and the Linux community can push how good it is, if it's badly written they can simply blame the developers. Microsoft do have separate OS and application developers, partly because of the many anti-trust cases over the years, but the public lump the two together. Can you really blame Windows for all the vulnerabilities found in Office? If the user installs Open Office on Vista, can Apple really claim it's that much safer to use OS X? Surely it's vulnerable to the same third party issues? Do you blame PHP for all the vulnerabilities found in PHP based web aplications? Okay, so some people do, because some of the default security settings are still a bit lax.

Viruses are now attacking third party software, such as Symantec's AV, to get access to modern systems. AV software tends to have the holes nowadays. In many cases the AV products are more harm than they're worth, creating insecure directory permissions on both *nix and Windows, suffering from buffer overflows, and allowing privilege escalation. You can almost guarantee they'll scan a program/malicious traffic as it enters the computer, and they typically run in the kernel. This applies to both *nix and Windows.

The recent petrol scandal has led Morrisons to run adverts about their nice reliable petrol - even though silicon isn't something that is routinely checked for by any of the supermarket petrol stations - and it could have just as easily happened to them (people using Symantec AV vs people using McAfee). Diesel users (e.g. OS X) could also have a bad batch delivered to a petrol station. Silicon doesn't affect older cars that don't have the sensors, just like modern exploits don't affect 9x users, but who wants to drive an old car/run 9x? I'd rather have ABS, power steering, air conditioning, electric windows, and run the tiny risk of a sensor going wrong.

Most new viruses (such as the incorrectly named Storm Worm) still rely on old unpatched systems being on the web: Storm Worm sets up a server FTP thread and starts to scan 10,000,000 IP addresses in an attempt to find a vulnerable system at one of the targeted addresses (you're more likely to find a Windows box with IIS than an Apple box, so the worm theoretically spreads quicker). The vulnerable systems that it targets are Microsoft IIS installations (versions 4 and 5) that do not have the security patches installed to cover the "Web Server Folder Traversal" security vulnerability as described in MS00-078 (yes, a patch that came out back in 2000, and well before Microsoft's Secure Development Lifecycle began in 2002). No wonder Apple like to quote how many viruses there are for Windows, when most of the new ones won't cause any problems for users that have applied a patch from seven years ago, assuming they even enabled IIS (off by default). And it doesn't apply to XP or Vista, which is what most home users have. To be fair, if they hadn't applied any patches since 2000, it's probably easier to attack the servers using LSASS or PnP. Perhaps they're hoping administrators will have missed an old patch?
Reliable Wireless?
Sunday 11th March, 2007 23:27
I'm amazed. I'm using WPA so the encryption is pretty good. This used to make the last router die fairly often, but my new Netgear is still working fine, even after moving nearly 20GB across. It's faster too, I've been copying data and streaming a TV show at the same time without any trouble. I might try streaming HD later. It shouldn't work, but you never know, my signal is pretty good.

I used to have an ADSL modem that I'd borrowed off a friend (Chris). Then I borrowed one from work. Now I own the DG834Gv3 (like many other ADSL users in the country, I'd imagine). The SmartWizard stuff was a pain, foolishly I stuck the CD into my laptop to see what was on it, and then discovered that I couldn't get into the proper admin interface without doing a reset to the factory defaults. But I got in there, I entered all the details, I even changed the LAN IP address range so it matched the existing settings. And I connected:

Connection Speed 4544 kbps Downstream 448 kbps Upstream
Line Attenuation 28 db Downstream 7.5 db Upstream
Noise Margin 7 Downstream db 27 db Upstream

I used to have a signal to noise ratio of about 5.5-6.0 so I might just be lucky tonight, but the SNR is better and my connection is the highest I've seen it connect in a while. The speed test wasn't very good, but I know I'm getting good speeds with my torrents (as in nearly 300k/s). Might try it again later.
Deaf News
Thursday 8th March, 2007 10:45
Adam Buxton, from The Adam and Joe Show, posted this video recently on his blog, which I enjoyed watching.

This was an idea that I had hanging around since last year when I was doing bits for Time Trumpet but I never did anything with it until a couple of weeks ago. In some ways it's kind of the reverse of Dave Armand's brilliant Johann Lippowitz mime character and it's one of those ideas that feels like it's been done a thousand times but I haven't seen it done recently. I think I may have to do some more when I get the time. Where would I be without BBC News 24 eh?

Info Sender 1.2 (Updated)
Tuesday 6th March, 2007 22:24
Based on Luke's Info Sender Winamp plugin (okay, so all I've done so far is add a very simple bit of error handling around the internet connection and compiled it with a newer version of Visual C++), This basically does exactly what Luke's 1.1 plugin does, except my version won't crash Winamp when you lose your internet connection (or you're working offline). Not bad considering I don't actually know C++. But I can program in several other languages, which helps.

This post is really for my benefit so I can easily access my install file, I hope to update it soon with a newer version that fixes the other bugs (I'm assuming I really have fixed the failed internet connection problem, it appears to have worked, but I haven't really tested it properly), such as proper URL encoding of data (as I gather it doesn't handle & very well, for example). I'll probably call my next version 1.2 too :P sorry! Another (French?) guy has apparently done all of this already, but his server was hacked last month before I noticed he'd made the plugin available, and it still isn't back up and running. It sounds like he's added a bunch of additional (and unnecessary?) features too, which is making it a lot like the other plugins I've seen. I think he might have called his Info Sender 1.2 as well. Feel free to use his once he's back up and running. The radio track list and album picture data certainly sounds interesting.

EDIT: I've updated the code, it now does URL encoding (in a slightly ugly way that might not be 100% reliable) of the song, and I've renamed the files to gen_infosender, and the source code should now be complete (I've edited and compiled it using Visual Studio.NET).

gen_infosender.exe (setup file)
gen_infosender.zip (source code)

EDIT: It appears that I've sorted the bug where it'd send the song twice - I fixed it by switching the code around so it stores the current title as the previous title before performing the GET request. That seems to have fixed it, as I think there was a race condition.
The Hives - Hate To Say I Told You So
Monday 5th March, 2007 15:59
Such a great song. It reminds me of Alias, I'm sure there's a moment in the first season where Sydney Bristow has to steal something and this track is playing. I think I might have to get my DVD box set out.

Yep, found the episode with this song, The Prophecy (Season 1 Episode 16 - first aired: Sunday March 10, 2002).
Razorlight - America
Monday 5th March, 2007 14:34
Is it just me or does this sound a lot like a Crowded House track? It seems I'm not the only one to think so.
The Eclipse
Saturday 3rd March, 2007 23:33
What a let down, I was expecting something far more dramatic. Chris got some nice photos though. And he didn't say anything when I told him I was hoping to post it on my site, so I'm sure that counts as a non-exclusive license to use his photograph on here.

The Moon

The three of us then spent the night playing more computer games, specifically Counter Strike: Source. I haven't played CS since I fiished uni, but I bought Valve's pack of games ages ago and it included CS:S, and it's much prettier than I remember CS was. But a small part of me misses the poor graphics, the lack of flashy useful things. Sometimes things should be left as they are, you don't go back and tinker with them. Just like you don't do a Star Trek movie about Kirk and Spock et al without using the original cast. It's just going to be wrong. And as much as I love JJ Abrams and his shows (well, for the first season or two, until too many storylines fail to get resolved and the ratings drop and it eventually gets cancelled), I'm not sure even he can break the odd number curse.
Welcome To The Year 2000
Friday 2nd March, 2007 16:38
Sky News have just published an exclusive (because no one else would dare publish it?) article, Unsafe: Music File Sharing. Sky's Paul Harrison said Andy Coyle from London was innocently searching for music using such software (perhaps the word innocently should be in quotes?) when he came across other people's sensitive documents. They included passport details of film stars and other celebrities, contact details and other personal data. Harrison said the implications was potentially huge.

Weren't these sort of issues first mentioned way back in 2000? Napster arrived in 1999, but was only really designed for sharing MP3s; it wasn't until Gnutella and FastTrack appeared in 2000-2001 that it became very easy to accidentally share all your files, depending on what options you'd selected in the client. Now, if you'll excuse me, I'm off to download Radiohead's Kid A using Napster over my 56k modem :P

Oh wait, it's the year 2007, and I own the album on CD!
Nmap And Vista And UAC
Thursday 1st March, 2007 13:49
I made a post to the nmap-dev mailing list the other day, and it appears I was correct in my assumption of why nmap wasn't working too well on Vista when UAC is enabled, as confirmed by one of the WinPcap guys, who also provided the necessary registry tweak to make WinPcap start on bootup, so nmap can always be run as a standard user (in the past it's generally been said that nmap has to run as an Administrator account, hopefully this might debunk that myth slightly)! One way or another I will talk everyone into keeping UAC enabled (I know, I should get them to run as Standard Users, but baby steps... baby steps).

EDIT: I modified the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NPF\\Start to the value 2 (instead of the default of 3), and after a reboot of Vista I was able to log in with my Standard User account and run nmap without any trouble!
© Robert Nicholls 2002-2018
The views and opinions expressed on this site do not represent the views of my employer.