Saturday, May 21, 2016


I have heard that Mozilla is deciding to scrap Thunderbird.  I hope this is not true because I have standardized on it.  Why?  Because once you pick a POP / IMAP email client you don't want to change it.  Here is why.  I have mine configured for multiple email accounts which are separate from each other.  When I encounter messages I want to save I move them into the Local Folders area.  Ergo, if Thunderbird vanishes there goes my history and it is back to thrashing around finding and taming a new email program that will inevitably be worse than Thunderbird.  Why did I select Thunderbird besides these book-keeping and history reasons?

I want a POP / IMAP email client program that won't render HTML.  Remember that I am coming at this from a security standpoint.  Rendering HTML is a great way to open yourself up to phish.  So I don't want HTML rendering except maybe on a toggle, on a temporary basis.  There are times that I am sick or distracted, and everybody makes mistakes.  So if the Thunderbird team changes this aspect of rendering HTML, at least make it configurable via some easily found method to turn it on or off via about:config.  I can understand turning it on temporarily for a particular message, but in general it is nice to see white space.  For the vast majority of my email messages, all white means there is nothing for me to click on, and invariably it is something bad.

I can already hear somebody saying to me, "Thunderbird has about:config?  Where do you type it?"  Well, you don't.  For me on Linux you go to Edit (Preferences may be some place else on Windows or Macintosh), then select Preferences.  Set that window's tab to General.  Then click on the Config Editor button.  Here is a picture of what that will look like:

I just got a tip from my colleague in France, whom I know by the nom-de-plume of Airelle, that this is a good thing to use for taming the Locky ransomware I get so much of in my email box.  Locky and similar ransomware arrive as a zipped JavaScript attachment in email right now and for the foreseeable future.  They normally use zip, but sometimes they use rar, and I even have one where they used gzip to compress the file.  Anyway, once you have clicked on Config Editor you will have to click affirmatively on the "I'll be careful, I promise" query.  It is always there for me because I don't go in there all that much and want to be warned that I am inside where I can maybe harm myself.  Okay, so far we are okay.  Now start typing "javascript" in the Search box.  Find this item:


Position the pointer over the Value, which is probably set to true, right click on it and select Toggle.  That should change it to false.  Does it help?  I hope so, but I still sometimes see a scripting message when saving Locky zip files.  So it may not help, but it doesn't hurt.  If somebody wants to tell us how to do this with other email client programs I would be grateful.  This is especially true if you give it for Outlook.  It is probably the number one email client program used for POP and IMAP email.

I have also used about:config to change these two settings for Thunderbird, because I am always typing "attach", "attached" and other words derived from "attach" with no intention of using an attachment:


I changed both of them via Toggle from true to false.  Now, if somebody could tell me that there is some way I could use about:config to make it show me the full From address I would appreciate it.  That is about the only thing I would change on Thunderbird.  I would change it to show the full email address.  I did see that they had this one:


I don't know what it does, but all of my Locky malware is sent from special purpose send-only SMTP servers dropped onto hacked Windows machines.  I can tell because of the X-Originating-IP line in the header that qmail thoughtfully provides.  The IP address given there never matches the A record for the MX hosts of the purported sending domain.  But what I am trying to prevent there is somebody or some bot sending you email that says just "YourBuddy" where your buddy is at "" and the message you have is supposedly from "" but actually comes from a hacked machine some place else.

I guess it could be worse.  At least one Microsoft Exchange SMTP server ignored the originating IP address and instead looked up the MX record for the purported sending domain (mine doesn't use my domain name in the MX record that handles its email), which was mine, then looked up the IP address and substituted it.  How do I know?  There is no such user as dfad452xz at my domain and thus no way of sending email from them.  But my email is configured to accept email to any valid sounding user name, so I have a dandy mini honey-net whether I want it or not due to how my IMSP / IWSP configured it.  And this after taking almost two years to educate email admins not to bounce Locky type messages to the purported from domain.  I wonder what Microsoft Exchange will do on those domains I encountered that didn't even have MX records because they were parked?

So, Mozilla, please keep Thunderbird going.  I shudder to even think of using any other email client program for email.

Thank You!

Thursday, May 5, 2016

We need your help

Locky Malware in Email:
While processing the latest batch of what is called Locky or Nemucod malware in my mini honey-net I came across some pretty surprising stuff.  For those that don't know what Locky is, it arrives as zipped JavaScript attachments.  They can be zipped with either RAR or ZIP, which means that you need either unrar or unzip, which is kindly provided in all browsers (webmail) and all POP/IMAP email clients.

Okay, the first surprise was in how I analyze (triage, not full analysis) them.  I am on a Unix-like system so I unzip them or unrar them manually, which gives me one or more files with at least one of the files being a JavaScript, which means a file with a ".js" extension.  All of the email clients will obligingly unzip the zipped files for you when you click on the attachment.  So if this is as far as you can read, just don't click on those attachments or links in email!  So far, so good.  But next I edit the main JavaScript file (sometimes they have multiple copies of it as well) with an editor called Vim.  Well, this time the start of the file had such a huge comment that Vim could not see the whole comment or past it.  So I loaded the JavaScript files in a binary editor called hexedit.  Now I could see the obfuscated JavaScript at the very end of the file.  Can your browser or POP/IMAP email reader scan past that huge long comment when the Vim editor fails?  Right off hand I don't know.  I kept giving the AV companies a heads up to stop looking at zipped JavaScript too carefully in the comments section.  But the reason for the comments was to tell them to just mark these as bad ASAP with some sort of heuristic.  How many of them are really bad?  I estimate less than 20% of them.  But even if they are bad, the detection at VirusTotal is deplorable.  Usually only 4 out of 56 AV packages show it as bad in 24-48 hours.  Even after a month, I rarely get more than 32 out of 56 marking them as bad and have never got higher than 36 out of 56 of the AV packages at VirusTotal detecting them as bad.  So you cannot depend on your AV to protect you.  You have to depend on your own, hopefully not flawed, judgement to protect yourself.

Dumb Hackers:
I unzip them with an ad-hoc shell script I key in manually.  The command line on Unix is far more powerful than even PowerShell on Windows.  For one of them I got an error.  It turned out that despite the fact the file had a ".zip" extension, it was compressed not with ZIP, but GZIP.  Even doing this manually, either gunzip or "gzip -d" does not like that ".zip" extension and refuses to do anything with the file.  So I renamed the file (not the real name) to badboy.gz.  Now I could gunzip it.  I expected a file named InnerJavascript.js.  The names vary all over the place and I use InnerJavascript just as a way to say that the JavaScript base file name is NOT the same as the ZIP base file name.  What came out of my badboy.gz file?  If you are thinking it would be a file named InnerJavascript.js you are wrong.  If you are thinking it would even be a file named badboy.js you would still be wrong.  What was its name?  Just badboy, with no extension.  Does that pose a threat to anybody (all of these pose no threat to me on my Unix-like systems)?  No?  Maybe, but I doubt it.  I have had these posing a threat to both Android and Windows.  But this one should not pose a threat to anybody.  Do the hackers (and I have had Russian in some of the files and in URLs) know it doesn't work?  I don't know, but I can assure you a properly gzipped Locky JavaScript file can be gunzipped on Windows or Android and does pose a threat to those systems.  The problem was that this one wasn't gzipped properly.  The hackers don't care because frequently they design only about 5% to 15% of their attachments to be malicious.  What they are counting on is that this fools you into believing that since the last one did nothing bad, all of them are that way.  Well, you can count on at least 5% of them doing something bad, especially when they are new.  So I say again, just don't click on those attachments or links in email!
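As an added example (not the author's script), here is a small Python triage helper for the two cases above: it identifies the container by its magic bytes instead of the claimed extension, reproduces how a gzip member gets its name when the archive carries no FNAME field, and measures how much of a .js member is one leading comment block. The archives it inspects are constructed inline, and it never runs anything it extracts.

```python
import gzip
import io
import zipfile

# Leading bytes of the container formats the post mentions. RAR is only
# recognised here; the standard library cannot unpack it.
MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"Rar!\x1a\x07": "rar"}


def sniff_container(data: bytes) -> str:
    """Return the real container type, ignoring whatever extension was claimed."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def gzip_member_name(data: bytes, claimed_name: str) -> str:
    """gzip holds one member. Its name comes from the optional FNAME header
    field; without it, gunzip simply strips the archive's extension, which is
    how a 'badboy.gz' yields a member called plain 'badboy'."""
    flags = data[3]
    pos = 10  # fixed gzip header: magic, method, flags, mtime, xfl, os
    if flags & 0x04:  # FEXTRA: skip the extra field
        xlen = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2 + xlen
    if flags & 0x08:  # FNAME: NUL-terminated original name
        end = data.index(b"\x00", pos)
        return data[pos:end].decode("latin-1")
    return claimed_name.rsplit(".", 1)[0]


def list_members(data: bytes, claimed_name: str):
    """Return (container_type, [(member_name, member_bytes), ...])."""
    fmt = sniff_container(data)
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return fmt, [(i.filename, zf.read(i))
                         for i in zf.infolist() if not i.is_dir()]
    if fmt == "gzip":
        return fmt, [(gzip_member_name(data, claimed_name), gzip.decompress(data))]
    return fmt, []


def leading_comment_bytes(js: bytes) -> int:
    """Count bytes of whitespace and comments before the first real token.
    A file that is mostly one huge opening comment is the case where an
    editor stalls and the actual script sits at the very end."""
    pos, n = 0, len(js)
    while pos < n:
        if js[pos:pos + 1].isspace():
            pos += 1
        elif js.startswith(b"//", pos):
            nl = js.find(b"\n", pos)
            pos = n if nl < 0 else nl + 1
        elif js.startswith(b"/*", pos):
            close = js.find(b"*/", pos + 2)
            pos = n if close < 0 else close + 2
        else:
            break
    return pos


def triage(data: bytes, claimed_name: str) -> dict:
    """Summarise one attachment: real format, members, and per-.js statistics."""
    fmt, members = list_members(data, claimed_name)
    report = {"claimed_name": claimed_name, "container": fmt,
              "extension_lies": claimed_name.lower().endswith(".zip") and fmt != "zip",
              "members": []}
    for name, body in members:
        is_js = name.lower().endswith(".js")
        report["members"].append({
            "name": name, "size": len(body), "is_js": is_js,
            "leading_comment": leading_comment_bytes(body) if is_js else None})
    return report


# Constructed samples (not real malware): a script that is mostly one opening
# comment, packed once as a zip and once as a gzip mislabelled ".zip".
SCRIPT = b"/*" + b"x" * 900 + b"*/\nvar a = 1;\n"


def make_zip_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("InnerJavascript.js", SCRIPT)
    return buf.getvalue()


def make_gzip_sample(member_name: str = "") -> bytes:
    """With a member_name the FNAME field is written; without it, it is not."""
    if not member_name:
        return gzip.compress(SCRIPT)
    buf = io.BytesIO()
    with gzip.GzipFile(filename=member_name, mode="wb", fileobj=buf) as g:
        g.write(SCRIPT)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(make_zip_sample(), "Invoice.zip"))
    print(triage(make_gzip_sample(), "badboy.zip"))
```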

What are the hackers counting on?  You being distracted by screaming children, burning breakfast, or a myriad of other things that take your attention off being careful, and one little whoops and there it goes.  The reason it is called Locky or ransomware is because they encipher your files and promise you can get the files back if you send them money.  Can you trust them?  If they will lock the files in the first place, can you really trust them?  Maybe not.  I don't trust them to just unlock them.  If you believe that unlocking the files is all they will do, a one-time card is all you should use.

We need help from Email Reader Creators:
Okay, so you got an email message from your good pal Joey.  You can trust his links (but maybe not attachments), right?  Wrong!  I received two email messages supposedly from a friend just like this.  Were they really from them?  I read my POP email from that Unix-like system in Thunderbird.  Thunderbird won't render all-HTML messages.  Unlike the phish URLs I see stripped of everything so that we reviewers at Phishtank can see if they still pose a threat, there are various ways hackers can hide the true URL inside email readers from you and substitute a fake URL that you see.  That doesn't work on me because all I will see is white space.  But these email messages were insistent that they came from my friend.  Why?  Because they showed only the visible first name rather than the entire email address.  All email readers do this!  They should not do it!  But even Thunderbird shows only the name and omits the purported sending email address.  So I saved the email messages to files and looked at them in the Vim editor.  I could see that the email messages MAYBE came from another email address.  Even that is dubious since you can fake the sending email address and have email sent from special purpose send-only SMTP email servers on both Android and Windows.  You should be able to count on an SMTP receiving server to at least faithfully record the sending IP address.  So what does a receiving Microsoft Exchange SMTP server do?  It strips that IP address off (that IP address is given to you by the routers and just cannot be substituted out by the sending SMTP server), does a look up of the DNS MX (Mail eXchange) records for the purported sending email address domain, does a lookup of the DNS A records of the MX host(s), and then puts those into the headers.  It is enough to drive you nuts.  Why doesn't Microsoft Exchange just faithfully give you the REAL sending IP address?  I can assure you that there really is only ONE user at my domains.
With the qmail SMTP server I KNOW that what I am getting is the REAL sending IP address.  qmail is what powers my mini honey-net.  I got the mini honey-net whether I wanted it or not, no thanks to the IMSP.  How good were these hackers with these emails faked to look like they came from my friend?  So good that they had fake domains and MX records that looked like the real thing.  I could even send replies to the phishy looking email addresses.  But after a few days, everything fell out of DNS and my reply email messages would then boomerang.  I did look at the URLs in the message (remember, even downloaded Linux binaries won't run on a Linux system because the file permissions don't set the execute bit on download).  Spam.  All that effort for spam?  I expected at least a phish!

So email reader developers, either make your email readers capable of showing the entire email address or just display the whole email address in the email reader.  With this real (er, purported) email address people can at least see whether the email address is from instead of a pretender at.  Hackers can count on this behavior mostly for phish.  Just because you have a Macintosh you are not immune.  My friend uses a Macintosh.  They clicked on a link in an email.  The hackers were able to read the contents of their email address book in a webmail account!  Get the idea?  All platforms are vulnerable to phish.  Only email readers like Thunderbird give you a leg-up for phish that are all-HTML messages.  For those, Thunderbird just gives you a nice white blank message and there is nothing to click on.
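The two checks asked for here and in the Thunderbird post above, as an added Python example (not the author's code): show the full From address hiding behind the display name, and compare the X-Originating-IP that the receiving server recorded against the A records of the purported domain's MX hosts. The message, domains, addresses and the DNS table are all constructed, and the lookups are injected as plain functions so it runs offline.

```python
import ipaddress
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed message: a friendly display name, the full address in another
# domain, and the source IP as recorded by the receiving SMTP server.
RAW_MESSAGE = b"""Received: from mail.example.test ([203.0.113.7])
        by mx.receiver.test with SMTP; Thu, 5 May 2016 09:00:00 +0000
X-Originating-IP: [203.0.113.7]
From: "Joey" <joey@example.test>
To: you@receiver.test
Subject: look at this
Content-Type: text/plain

click here
"""

# Constructed DNS view: example.test has one MX host at 198.51.100.10.
FAKE_MX = {"example.test": ["mx1.example.test"]}
FAKE_A = {"mx1.example.test": ["198.51.100.10"]}


def sender_identity(raw: bytes) -> dict:
    """What a client shows (display name) beside what it hides (address, domain)."""
    msg = message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return {"display_name": name, "address": addr, "domain": domain}


def originating_ip(raw: bytes):
    """Pull the address out of X-Originating-IP, which is usually '[a.b.c.d]'."""
    value = message_from_bytes(raw).get("X-Originating-IP")
    if not value:
        return None
    m = re.search(r"\[?([0-9a-fA-F.:]+)\]?", value)
    try:
        return str(ipaddress.ip_address(m.group(1))) if m else None
    except ValueError:
        return None


def mx_addresses(domain: str, resolve_mx, resolve_a) -> set:
    """Every address of the domain's MX hosts, via the injected resolvers."""
    addrs = set()
    for host in resolve_mx(domain):
        addrs.update(resolve_a(host))
    return addrs


def check_sender(raw: bytes, resolve_mx, resolve_a) -> dict:
    """Does the recorded source IP belong to the purported domain's mail hosts?"""
    ident = sender_identity(raw)
    ip = originating_ip(raw)
    mx_ips = mx_addresses(ident["domain"], resolve_mx, resolve_a) if ident["domain"] else set()
    ident.update({
        "originating_ip": ip,
        "mx_addresses": sorted(mx_ips),
        # None when either side is missing; otherwise the post's rule of thumb.
        "ip_matches_mx": (ip in mx_ips) if ip and mx_ips else None,
    })
    return ident


if __name__ == "__main__":
    r = check_sender(RAW_MESSAGE, lambda d: FAKE_MX.get(d, []), lambda h: FAKE_A.get(h, []))
    print(f"shown as {r['display_name']!r}, really {r['address']}, "
          f"from {r['originating_ip']}; matches MX hosts: {r['ip_matches_mx']}")
```

A mismatch is a reason to look closer, not proof of forgery: many domains legitimately send from hosts other than their MX, and SPF is the standard way a domain publishes which hosts may send for it.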

If all else fails and your email message really does look like it came from your friend, call your friend on the phone and ask them if they sent you an email message with a URL in it.  Ask them what was in the email message.  Usually you can use your common sense to say "they would never send me something like THAT."  So this advice is only for those email messages you believe REALLY came from them.  That means this particular email message looks valid.  If it is a targeted attack and the hackers have the time to see what your friend is really like then they can make an email message really look like it came from your friend, right down to even faking the sending email address.  Thus my warning about using your phone.  Don't assume anything, including that you are so unimportant that you won't have a hacker pretending to be somebody you know.  Well, I guess I am that unimportant.  But I use Linux which shrugs off almost everything but phish.  Ubuntu-Mate and Xubuntu are recommended.  They are even more secure than Macintosh as long as you don't offer services.  I don't provide services and hide behind two hardware firewalls as well.  Am I paranoid?  Yes!  Am I paranoid enough?  Maybe.

Friday, April 8, 2016


I sometimes slip up and add some hosts into my blocking hosts file that I later regret adding.  Here are two of them that hopefully won't crawl in again and the actions I took to prevent it from happening again in the future:
I put it in the header and commented out the block.  In the past this did cause problems for me.  Now it is down to the nuisance level.  I have also added the host name to my NoBlock list to make sure it doesn't ever get inadvertently added again.  Do other blocking hosts files have it active at all times?  Yes.  I leave it up to users.  I am assuming that all users of blocking hosts files know how to use DNS lookup and many other things.  Example:  It is NOT in the domain, e.g.:

$ hdns is an alias for has address has address

It is an alias to a host in the domain which, like the domain before it, is a DNSWCD (DNS WildCard Domain).  By that I mean that any characters before either the domain itself or a subdomain (most of mine for this domain are in the subdomains and but some just have the and then whatever the customer uses) yield an IP address in DNS whether it is used or not.  Example:

$ hdns has address has address

No such host is used or exists, yet you get IP addresses.  Things like this are learned by just adding more and more knowledge all the time.  I expect people to know that, but more to the point see the next one.
I will no longer make blocking it even an option.  IOW, the host is now in my NoBlock list and that is where it is staying.  Since it is used to track us I may sneak up on blocking the tracking it is doing that I don't like in the PAC filter.  Even more likely though is that blocking it caused so many problems I will just let them track people.  But I will never again block the host cold.  Most people on Windows only use my blocking hosts file any more anyway.  This host should never be blocked cold.

Somebody besides me should have told me that blocking this host causes severe problems!  I cannot see everything all the time.  Mistakes happen much more rarely now but they still happen.  Nobody (except maybe God) is perfect.


Thursday, September 3, 2015


Just a few weeks ago I was reading an article at the Washington Post about people using ad-blockers and how awful they are.  It has even turned out that Microsoft bad-mouths all blocking hosts files that I and others provide.  All we do is block ads, they say.  OH?  Microsoft started with Windows 7 to remove any hosts file entry that has a or at that time and continues the practice now with Windows 8 and Windows 10.  With Windows 7 the work around was to install another AV package that leaves that alone.  What is surprising to me is that Microsoft bad-mouths Mike Burgess of MVPHosts and Steven Burn of hpHosts.  But several years back Microsoft gave both of them MVP status.  Then the other day DuckDuckGo complained about me having an ad-blocker.  Well DuckDuckGo, that is backed up by both my blocking hosts file and my PAC filter.  But I even have a rule for you in my PAC filter:

DuckDuckGo rule in my PAC filter
(search for DuckDuckGo; I did turn off ABP for what they block with you)

Well, I don't target ad-servers per se.  But I do target trackers.  But everything is moot; nobody but me uses my stuff anyway.  "We will stay at the big safe sites" is what most people say.  Oh really?  Then here is something you should read, an article on malvertisement from El Register, thanks to the Security Space Newsletter that pointed to one of their articles.  That article had a link to this one:

El Register Malvertisement Article

Those kinds of ads are the ones I am looking at to block.  I block the DNSWCD (DNS WildCard Domain) named LinkBucks, which the ad blocking plugins don't block, in my PAC filter.  It works on Windows 7 only with a majestic fight by very knowledgeable Windows people.  There again we have that Microsoft "we will fight you" mentality.  Another way of saying it is either our way or the highway.  I do volunteer work less frequently now at Phishtank.  But even on Linux, which is totally immune to all Windows binary malware (protecting your user browser data files is your main problem on Linux desktops and laptops vis-a-vis malware), you need some sort of protection.  They can trap the browser with JavaScript.  I cannot use NoScript or something similar.  But the PAC filter still blocks some phishing attempts, so I need some sort of protection not from the malware but from exploits that lock the browser, etcetera.  I take the vanilla dbgproxy_fr (remember I am on Linux) and add the few extra rules that I am testing and then do this:

# grep -v Phish dbgproxy_fr > phishtankproxy_fr
# vimi /var/tmp/PhishTank.txt phishtankproxy_fr

I need to add mostly GoodDomains rules but I comment out some other rules and activate additional protection against rar and zip files which have mostly Windows malware but I do get a tiny amount for Android.  Then I set my browser to use the phishtankproxy_fr PAC filter and away I go on Firefox 20. Believe it or not, Firefox 20 on Linux is much safer than the latest and greatest Firefox on Windows except for one MITM (Man In The Middle) https attack.  But one of the BadDomains rules that is usually active is LinkBucks.  It is not an ad-server.  I classify what they do as a tracker with a twist - they also redirect.  So they get Web-Bug status.  But one phisher was using them with his/her phish!  Evidently the phisher wanted to find out which of the phish patterns were working best.  I have had redirects to malware with this tracking service.  But blocking them can lead me to an erroneous conclusion that a URL that is safe is anything but safe.  Ergo, that rule is commented out in the phishtankproxy_fr file.  I also had to shift from OpenDNS DNS servers to Google DNS servers because I kept getting this is a phish now that I have IPv6 as well as IPv4.  I need to know the answer to "is it really a phish?", not protection from it.

So companies stop complaining and look at those ads you are pumping out which I can stop with the in your face ABP (AdBlock Plus) or the stealth PAC filter and blocking hosts files.  You are frequently pumping out malware with your ads and the FBI and NSA are too busy also tracking us to kingdom come to do anything about it.

Saturday, May 2, 2015


Hillary Clinton Just Keeps On Going

I knew I had to get this out given what Hillary Clinton has said in terms of both Edward Snowden and her promise to give the government agencies and most especially the FBI the tools to decipher enciphered material including PK (public key) enciphered data.

Before I get started I must say that the gushing articles on both the Washington Post and the Guardian about Hillary Clinton made me mighty suspicious.  I wouldn't be surprised that they and MSNBC or what ever TV news channel the Democrats watched didn't have all the news people at those organizations hypnotized by the Psychiatrists at these various organizations.  How do they do it?  Over the phone.  How can you tell they are doing it?  Well, if you have a dB meter on the phone and it registers volume that a non-listener can see but the listener doesn't hear anything then you are very likely to be hypnotized.  It is one of the most potent weapons the FBI has.

Have I heard Hillary Clinton backtracking on this issue? Chug, chug, chug, chug, Chug, chug, chug, chug, Chug, chug, chug, chug, ...  I tell you she is like the energizer bunny.  She just keeps going and going and she never stops.

Other Representatives Disagree

I read this surprise article in the Washington Post on a legislative hearing on encryption:

Encryption Back-Doors

I don't know whether I would use the term that the back doors are technologically stupid.  I would say it is more like the idea that the encryption back-doors are either technologically dubious or technologically impossible.  That is because I write from the viewpoint of an advanced encryption user who has vetted GnuPG's code several times and came to it from a mathematical background.  Right off hand I don't think you can do it.  I saw them going this way once before with the Clipper chip in the 1990s.  Here is a good central point on what it was:

Escrowed Encryption

What they don't say on that page is that somebody was able to hack the Clipper system.  That is why it is not with us today.  Ergo, maybe the statement that back doors are technologically stupid is more appropriate after all.  What they probably are saying is that what you keep telling us we are going to do is impossible, so why do you keep saying it?  By the way, Representative Ted Lieu, have you considered a run to become President of the United States?  The Democratic party needs somebody besides Hillary Clinton.  Don't even consider being Vice President.  I realize that if Hillary wins she will die in office with each of her years being like everybody else's four years in aging her.  But we need somebody to hit the ground running with the right idea on this and other issues.  The Republican party leaders have already de-facto announced that all elements of the draconian Patriot Act will be renewed as is.  Thankfully some of the Republicans have broken ranks on this issue.  They finally realized just how important protecting the fourth amendment to the US Constitution is.  We need somebody to think about that and many other things.  I am not in favor of the Patriot Act at all.  Hillary Clinton is in favor of it.  She is back-tracking fast on other issues important to Democrats now that Bernie Sanders is stealing some of her thunder.  Disclaimer: I have donated to Bernie Sanders' campaign.  I think he is one of the few people that can turn this country around.  He cannot do it alone.  We need people in the United States to understand that the only rule that will work is to treat others the way you want to be treated (love your neighbor the same as yourself).

One of the commenters in the Washington Post article said something about what happens if you use OpenPGP security to send a message to multiple recipients.  I don't know what they were attempting to say but I know what happens.  First note that you are not prompted for your OpenPGP pass-phrase.  Why not?  Because you are enciphering it using the public side of everybody's key in the recipient list.  But you have a public key for each and every one of them!  So what happens?  The Enigmail plugin for Thunderbird and the equivalent thereof in Claws Mail and other clients makes a separate message for each and every one of the recipients.  Everybody gets their copy of the message and everybody else's copy as well, at least with Enigmail doing the sending.  Don't fret because that is following the standard.  So what if the intelligence community came along and specified that there should be only one message for all?  That is technologically impossible.  It is also technologically stupid.  So I agree with the congress Representatives after all.

A New Paradigm

But with the NSA hacking Gemalto by exploiting the people that work for them by using those people's Facebook and Twitter accounts it didn't take long before Symantec and others took notice of what was going on.  Symantec purchased PGP Corporation.  Why?  Their business is protecting companies and people from having their financial accounts and other things exposed.  They have provided me with a PDF file of a new way of doing things.  I have it here:

Perfect Forward Secrecy

What is the difference between that and what we have now?  They don't depend on permanent PK keys the way we are doing it now.  Instead they use randomly generated transient session keys.  It won't be something that is used with something like OpenPGP which will change to elliptic curve encryption in the future.  But these people are always thinking forward.  Now in this case I can agree with Representatives.  Thinking you can put a third key way of doing things into a session key really is stupid.  And on this we have more than the NSA to fear.  The Chinese, Russians, and other political powers will want to hack enciphered messages.  So will black-hat hackers who will want to do it for monetary gain.

Rest assured of at least two things.

First, much will change in the future.  Encryption has never been a static field.  It is constantly changing to meet new threats.

Second, I don't buy those arguments that the people that are putting encryption into everything, including even smart phones, are aiding and abetting the commission of crimes.  Daniel F Conley and others are just going to have to learn how to do better police work.  You cannot tell me that using encryption means they are careful about everything.  The Germans using the Enigma machine used outside / inside session keys for each message.  The outer session key was three characters long and was not enciphered using the Enigma machine.  It was sent in plain text.  The inner session key of three letters in length was enciphered using the outer session key plus message and daily settings, and should have been pretty hard to attack.  So what did they use, with the outside three first, then a dash, then the inside three keys?  LON-DON, MAD-RID, BER-LIN, and on and on.  The most interesting one was TOM-???  The Bletchley Park cryptanalysts finally came upon TOM-MIX.  He was the American cowboy film actor during mostly the silent era.  Why did they do it this way?  "We will use these session keys because they are easy."  That is what the German enciphering teams thought would be good enough.  Why?  They were convinced that the Enigma made them completely invulnerable.  It didn't, and neither will enciphering the message today unless you do things carefully.  My OpenPGP pass-phrase is so convoluted it depends on my muscle memory to type it.  If I am too tired I have to rest before I can use my OpenPGP keys.

We still have human rights workers whose very lives depend upon the encryption we provide today.  How far will the FBI go in their lies?  I have had I don't know how many people that supposedly live at my apartment.  I have even had the local police at my apartment claiming that an individual by a given name (why don't they ever show me the written name?) lived at my apartment.  When I asked who gave them the name, one of the officers either lied through his teeth or the name was given to them by the FBI, because they said they had it on highest authority that the person lived at my apartment.  I showed them around and they must have realized they had a red herring.  Yet again less than a month ago a private investigator came calling with yet another name.  Do these police officers or the FBI ever do anything but lie?  They are awfully sloppy in the data that they collect and they don't do a very good job analyzing it.  I suggest they do much better analysis of data and eliminate spurious garbage.  Adding more data harvested from the Internet will do nothing but make it ever harder to do the analysis.

On the weaknesses introduced by the intelligence community we have one more.  I believe I discovered the FREAK problem.  If I didn't, here is a good report on it from Symantec:

Symantec FREAK Vulnerability Report

To that you can add the new LogJam MITM (Man In The Middle) attack that exploits the Diffie-Hellman encryption.

Cookie-Safe Lite Block List 

On this one I went through a lot of gyrations with Ubuntu 10.04 (the last gasp of the Gnome 2 GUI).  Carefully preserving what I had, I tried both Firefox 37 and Firefox 38.  Cookie-Safe no longer works.  I was able to import Cookie-Safe Lite and it worked with the cookie block list that I provide:

Microsoft Cookie-Safe Lite Package
Unix Cookie-Safe Lite Package
Cookie-Safe Lite block list (active)
Cookie-Safe Lite block list (visual)

If you have problems here is the downloads folder which isn't linked to in and of itself:

SecureMecca Downloads folder

You will need to install 7-Zip or have some zip program that can handle that zip format.  But it is tested and it works so it is good to go.  Unfortunately for me on Linux with the old version of Flash, it crashes every time I encounter Flash media that is too new.  That is because Adobe froze Flash for Linux at version 11.  I suppose Mozilla could have embedded it in the browser like Chrome did.  On that point I did download the new version of Chrome and tried to install it:

# dpkg --install  google-chrome-stable_current_i386.deb
# blah, blah, blah
dpkg-deb: file `google-chrome-stable_current_i386.deb' contains ununderstood data member data.tar.xz     , giving up

I didn't have xz-utils installed so I installed them:

# apt-get install xz-utils

They installed successfully.  I was able to tar my hosts file build folder (Hosts, and everything on 'nix is case sensitive).  Then I compressed the tar file with xz.  Here are some of the results of the various compression routines:

1078068   Hosts.tar.xz
1119844   Hosts.7z
2090641   Hosts.tbz
2343760   Hosts.tar.gz

So xz-utils is worth it when you have spongy files (lots of white space).  I can do this with the Hosts.tar.xz file so tar does understand it:

tar -xf Hosts.tar.xz

I guess dpkg on my older system doesn't understand it so one of these days I will have to upgrade to kubuntu.  For now I just did the same thing that I did with Firefox 38 that I did  to Firefox 37 (being sure to close the browser first with the Exit):

cd ; umask 077   # 077 is my default, but for others I shift to 022
mv .mozilla mozilla.ff37   # set the Firefox 37 profile folder aside under a new name
pak mozilla.ff37           # archive the renamed folder with pak

Then I just copied my backup of my Firefox 20 .mozilla user folder back in place, unzipped it, took the extra PATH entry for /usr/local/lib/firefox (which had been added to the start of the path) out of my profile (actually .profile), logged out and then logged back in.  Oh, and here is what I made to back up my Firefox and Opera user folders:

You will have to alter the variables for your particular setup and choose your zip routine.  Just be aware that for something that is not squishy, like my Quarantine folder that contains the zips of the PDF and binary files, there is almost NO difference between gzip, 7-Zip, bzip2, or xz.  This is where I keep the malware that I ship off to the malware companies.  It makes you wonder what Google is up to by shifting to xz, since at least the Linux executables, GIF and other image files, and binary files don't benefit from any particular zip routine.  In other words, if it isn't broke, don't fix it!

I am having the same problem with somebody who wants to make all kinds of changes to my PAC filters.  He doesn't understand that all the people using it are on Linux.  They have that pull folder I provide that compares (diffs) what I had with what I have now and alter their files accordingly.  Ergo, me making a huge amount of changes is unwarranted since it will leave them bamboozled.  He is of course free to modify it to his heart's content and distribute the changed file.  He is going to be in for a rude shock on the differences of REGEXP in JavaScript compared to, say, PERL.  Can he release the changed version?  Certainly!  He just needs to follow the requirements of the least restrictive GPL license that I could find.

Monday, March 16, 2015



Imagine my surprise the other day on reading that Hillary Clinton had some views on encryption and that the Washington Post published an article on it.  Here it is:

The positions she takes are similar to what Republicans have and make me wonder if she has anywhere near enough knowledge and skill to say anything at all about the subject.  I disagree with her about Edward Snowden since I appreciate what he reveals.  I would disagree with Edward Snowden on certain things, like complaining about Amazon not using https (PK enciphered) full time when they have an even bigger glaring hole in storing your credit card number without your consent.  What is there to prevent a hacker from stealing it?  Just a year or so ago, every time I ordered something from Amazon the email account associated with it would all of a sudden receive a large amount of spam.  But somebody with the pen name LeisureGuy summed up what Hillary Clinton believes about encryption with this statement:

"It's pretty simple in concept: the encryption used must be able to detect the character of the person(s) trying to break the encryption. If they are "good", then the encryption allows them to break the encryption and read the contents; if they are "bad", then the encryption refuses to break.

That's what Clinton wants, and like many who are wealthy and powerful, she cannot understand why, if she wants something very much, it could possibly be something not available. The Dunning-Kruger effect also applies, I imagine: she knows so little of the technical aspects of encryption and cybersecurity that she doesn't understand the depth of her ignorance, so she trusts her "gut feeling" that whatever she *really* wants must be possible."

Dunning Kruger Effect (Wikipedia)

It wasn't just her who was that deeply ignorant.  Others were too.  So let me look at two recent (within less than a month) things that may change her ideas on encryption and soften her stance towards Edward Snowden.

FREAK Attack
The FREAK attack exists because a cipher that was too soft was mandated for all companies by the NSA and other agencies of the United States government.  Here is a write-up on it:

FREAK Attack (Washington Post)

You can test your browser side (there is also a server side to this) here:

Be sure to run the FREAK test named "FREAK Client Test Tool" (clienttest.html).  Just remember that this weakness was introduced the same way that she purports should be done - a middle way.  My statement on that was that you make encryption as strong as possible and hope it doesn't break.  What happened here?  It broke.  It also shows that Snowden's PowerPoint presentations were correct.  The NSA could crack iPhones.

Gemalto Sim Ki Heist
Here are the first two good articles on this from FirstLook:

Gemalto Sim Ki Heist (Breaking In)
Gemalto Sim Ki Heist (In The Dark)

What baffles me is why Gemalto would say none of the Kis were stolen when we have proof from Edward Snowden and other sources that the NSA and GCHQ were actually exploiting cell phones.  We have Angela Merkel, whose phone conversations were recorded, among other things.  No matter what anybody says, something like this makes other people mad, especially when they are proceeding in good faith and not doing anywhere near the same thing.  Okay, I will sum up with some points.

Point 1:  There are a lot of people in the United States and other countries that are mad as hell that they are being spied upon.  I can already hear the excuse.  Oh, they are just looking at the metadata.  They throw everything away except for the terrorists that they are after.  Oh really?  Is that why the NSA contract analysts gave porn style pictures and videos to each other as gifts?  They are looking at a lot of text files and pictures solely in the pursuit of voyeurism.  That is strange metadata.  The sad thing is that this Democratic administration is coming dangerously close to doing what the Nazis did and there are many Republicans that will assist in reauthorizing both the metadata collection of phone records and the Patriot Act, wrongly believing that it will make them safer.  It will not make them safer and the Supreme Court of the United States stands by and favors stripping the American public of their constitutional rights.

Point 2.  You may think we are saying no to a middle way on encryption just based on our feelings.  I don't know about the others but I do know about me.  I have vetted the entire GnuPG code many times and cannot see a way of putting in what Hillary Clinton is requesting.  Others say you can but it would weaken the encryption to dangerous levels.  My observation after studying hackers for years is that if you can put it in that they will eventually learn how to exploit it.  Sometimes it is pure luck but it is always happening.  I still don't see how it is even remotely technically possible.  It is just the way that public-key encryption works.  In case you are wondering, yes, I have the book The Little Book Of BIG Primes by Paulo Ribenboim.  It used to cost $100.  It is a little bit more reasonable now but indicates we are not in Kansas any more.

Point 3:  In all of this most people probably think of enciphering as the same thing as encryption and deciphering as the same thing as decryption.  You usually just say that encryption involves one of the four activities: enciphering, deciphering, signing, and verifying.  About all I do with OpenPGP encryption is sign and hope that others use it to verify.  Here are two folders on my server where the signed files are:

Hosts File Changes

Where you know I am signing, for a file named something like "hosts.txt" you will also see a file named "hosts.txt.sig".  The file with ".sig" on the end of it is called a detached signature file.  Using OpenPGP you verify the ".sig" file; it searches for the file without the ".sig" and uses digest algorithms and their copy of your key (the public side) to verify that the "sig" file, which was created with your copy of the key (the secret side), says the base file really did come from you.  What do I do this for?  To make hackers' lives more difficult if they try to change the base file.  If the hackers change even so much as one little teensy bit in the file, the verify fails.  So far, so good.

But that same key that is used for signing and verifying is also used for enciphering and deciphering.  You use the secret side of your key to sign and to decipher.  You use the public side of the other person's key to verify and encipher.  But since it is all bound up and used together there is a possibility that, if there is a middle way, the CIA, FBI, Federal Marshals, GCHQ, or the NSA could get some sort of nasty file and sign it with my key.  But surely they wouldn't do that, would they?  Do you want to make a bet on that one?  If I did the same thing to Gemalto and was caught I would probably go to jail for at least 40 years.  I am showing just the latest of these things they have done that may be illegal and are immoral.  Do I trust them?  NO!  And there is more to it than I am revealing.


This is a strange one.  Hillary sets up the domain for her email account.  Then a supposed security expert says that it is strange that he sees a construction page.  That is normal for most IWSPs (Internet Web Service Providers) for somebody that doesn't have a web presence yet.  Some IWSPs will even allow you to redirect to another existing web service from these parked host names:

Then I find out she has secured a mail service from

The AV Product
At first I thought that the AV package used was the only thing that McAfee recently purchased.  I thought that McAfee would integrate its heuristics into their McAfee-GW-Edition product.  That may have been done, but then I learned that McAfee bought the whole company.  That could still be just for MxLogic's one AV product, but only time will tell.  But it has never been at VirusTotal, now run by Google, which lets you compare multiple AV packages to determine whether something is safe.  Here is one of my email-borne malware samples that I have scheduled for a rescan:

VirusTotal Malware Scan

It is much better now than it used to be.  When I got it only two AV packages detected it.  They were Ikarus and Kaspersky.  Here was the scan back then:

Original Malware Scan

But overall, for most email-borne malware, Sophos is one of the first that detects them.  Kaspersky is also good for email-borne malware, as are a few others.  I really would not use what Hillary used if I had a Windows system.  I would want Sophos for the scanner on the email server.  But maybe all Hillary uses is her iPhone.  If so, then maybe another AV product that scans for phish would be more appropriate.

What AV do the government email servers use?  I don't know but I can only assume it is much more robust than what she was using.  But they know that they have to defend Windows machines as well as iPhones.

The Anti-Spam Product
At first I thought Hillary had a lot of problems with spam with that number in her user name.  E.g., were there user names with different numbers in them that she abandoned as the spam took over, creating new user names to run away from the spam?  Only the government email people will know the answer to that one, since any email received by others on the government email system will have any and all user names that she used.  I stopped looking into this the moment I saw all the problems people were having in getting email into an MXLogic email server.  I suspect you may even need to white-list everybody you want to allow in.  That is how bad some of the people commenting about it found it to be.  Suffice it to say that I think the spam protection is probably one of the better ones out there.  You just have to tune it to get email in and out.  Since the base product is Microsoft Exchange for the SMTP server, I of course hate it.  After qmail's nice headers, everything else except maybe postfix is a sub-standard SMTP server in my mind.

Who Has Emails?
This one is where it becomes really problematic.  If the government email system only backs up what is received, then it will only back up what she sends to others that are on the government email servers.  But if they back up both what is received and sent, then they will have copies of the email that is sent both from her and to her from another user that is using the government email system.  Either way, any emails sent to somebody else that is at a company in the United States that is compliant with the law should have backups.  But email sent to or received from another email system like hers or to a web-mail account will only have what those users keep.

This is more of a transparency issue than anything else.  The idea of saving the records goes back to the 1950s when the first rules were made about saving these government communications.  Only slight modifications were made to update the regulations.  I don't know if they are binding laws or not.  I do feel that from this time on, except for extremely extenuating circumstances, the government email systems should be used.  All classified email should of course use a separate, much more secure system.  One thing that disturbed me is that Hillary didn't have the certs to do the transmissions through her email server using TLS encryption for the first two months of having her email server.  If she sent classified information this way it was traveling in clear text!  That may be fine for her personal email communiques.  But it is not good enough for Secretary of State email messages, whether the messages are classified or not.  That is why I think this needs to shift over to the government email servers where security professionals handle things.  Anything done outside that channel for email needs to be rare or not at all for government email communications from this time forward.  But it should not be done with anything other than TLS securing the transmission of the messages.  Additional enciphering will be needed for messages with classified material in them.

Update 2015-04-13.  I must add this information even though all of you know by now what has transpired.  Hillary Clinton's aides printed out what they thought people wanted, not realizing that most of the header is not preserved in that process.  But others asked that the whole file be preserved and delivered to them.  Was it?  No.  She had the mail server's disk drive erased.  Okay, let me show you what is in an email's header which usually only people like me see.  This one was created by qmail, the best SMTP engine.  Here it is:

Sample Email Header

Despite the folder name I no longer preserve their spam but only their malware.  This may be from another group other than PerniciousMalware (née PeskySpammer).  The original group gave me nothing but boomerangs by using fake user names at my domain.  It took me the longest time to educate mail admins everywhere to not boomerang the messages, since they didn't come from my or other people's domains but directly from a special purpose send-only SMTP server dropped onto a hacked machine running Microsoft Windows.  But I didn't see that until they made the stupid mistake of adding all their fake From addresses into their To lists.  When that happens you can see it in the email header.  Unlike Microsoft Exchange, qmail does something really nice.  It gives you a line with the label X-Originating-IP.  Its value for this message is  This is the actual WAN IP of the bot sending me the malware.  I no longer do anything with the spam other than delete it.  All I keep is the messages with malware.  I have had three separate days where that has numbered over a thousand email messages, each of which had malware attached.  Each of those days it has always boiled down to anywhere from five to just over a dozen different malware despite all the different names.  So what can I tell by looking at  Well, it is in Kiev, Ukraine.  Not only that, but it is in the UA-VOLIA-20080404 network belonging to Kyivski Telekomunikatsiyni Merezhi LLC.  More importantly, vis-a-vis Hillary Clinton's situation, the header preserves all of the dates.  By having the disk drive probably wiped to DoD specifications, all of this information that was asked for is gone forever.  If Hillary Clinton were running this as a real business she would have violated the law, since all people in the email business are bound by law to keep all emails for a specified time on the server and are supposed to have backups of it on other media that must be kept for much longer periods of time.
At least now you can see the data that is hidden from most of you in your emails.  I see it all the time.  I don't give the AV companies a print-out of the email.  I give them the entire email message saved AS-IS!  There may be other data in it besides the MIME encapsulated zip files that the AV companies need.  By preserving all of it for them there are no loose ends.
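As an added example, not part of the original post, here is a small parser for the header block of an email saved as-is.  It runs over a constructed message laid out like the qmail header above; the documentation-range address 192.0.2.44 and the .invalid names stand in for the real bot, not for anything on this page.  It pulls out X-Originating-IP, keeps every Received line with its own timestamp, and cross-checks the originating address against the outermost Received line, which is exactly the information that is lost when only a print-out is kept.

```javascript
// Added example (not code from the SecureMecca blog): parse the raw
// header block of a saved email and pull out the fields the post
// relies on: the Received chain with its dates and X-Originating-IP.
// The message below is constructed; 192.0.2.44 is an RFC 5737
// documentation address and the names are .invalid, not the real bot.
const SAMPLE_EMAIL = [
  'Return-Path: <bounce@example.invalid>',
  'Received: from unknown (HELO pc-of-victim) (192.0.2.44)',
  '  by mail.example.invalid with SMTP; 16 Mar 2015 04:17:22 -0000',
  'Received: (qmail 4821 invoked from network); 16 Mar 2015 04:17:21 -0000',
  'X-Originating-IP: 192.0.2.44',
  'Date: Mon, 16 Mar 2015 04:17:19 +0000',
  'From: "Accounts" <forged.sender@example.invalid>',
  'To: someone@example.invalid',
  'Subject: Invoice attached',
  'Content-Type: multipart/mixed; boundary="b1"',
  '',
  '--b1',
  'Content-Type: application/zip; name="invoice.zip"',
  '',
  '(attachment bytes would follow here)',
  '--b1--',
].join('\r\n');

// Split the raw message into header block and body at the first empty
// line, then unfold continuation lines (a line starting with
// whitespace belongs to the previous header field, per RFC 5322).
// Returns Map<lowercase name, [values in order of appearance]>.
function parseHeaders(raw) {
  const text = raw.replace(/\r\n/g, '\n');
  const sep = text.indexOf('\n\n');
  const headerBlock = sep === -1 ? text : text.slice(0, sep);
  const fields = new Map();
  let current = null;
  for (const line of headerBlock.split('\n')) {
    if (/^[ \t]/.test(line) && current) {
      current.value += ' ' + line.trim();   // folded continuation line
      continue;
    }
    const m = line.match(/^([^\s:]+):[ \t]*(.*)$/);
    if (!m) { current = null; continue; }  // malformed line: skip it
    current = { value: m[2] };
    const key = m[1].toLowerCase();
    if (!fields.has(key)) fields.set(key, []);
    fields.get(key).push(current);
  }
  const out = new Map();
  for (const [k, arr] of fields) out.set(k, arr.map(v => v.value));
  return out;
}

// First dotted-quad address found in a header value, or null.
function firstIPv4(value) {
  const m = value.match(/\b(\d{1,3}(?:\.\d{1,3}){3})\b/);
  return m ? m[1] : null;
}

// The address qmail recorded for the connecting host.
function originatingIp(headers) {
  const v = headers.get('x-originating-ip');
  return v ? firstIPv4(v[0]) : null;
}

// Every Received line carries its own timestamp after the last ';'.
// The first entry is the hop added last, i.e. by the receiving server.
function receivedTimestamps(headers) {
  return (headers.get('received') || [])
    .map(v => v.slice(v.lastIndexOf(';') + 1).trim());
}

// Cross-check: the outermost Received line, written by our own server,
// should name the same connecting address as X-Originating-IP.
function originatingIpMatchesReceived(headers) {
  const recv = headers.get('received') || [];
  return recv.length > 0 && firstIPv4(recv[0]) === originatingIp(headers);
}
```

Only the receiving server's own Received line and X-Originating-IP can be trusted; the From, Date and any Received lines the sender inserted are under the sender's control, which is why the cross-check above looks at the outermost hop rather than the From address.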

Summing Up

Hillary Clinton is reminding me of the Energizer Bunny.  She has a fully charged battery and blasts into meeting after meeting without even taking a pause on what she is doing.  This is not a man versus woman thing either.  I know plenty of women who have high order rational thinking.  Two of them are Senators Boxer and Feinstein.  I hear they called her to say things are going horribly wrong.  I strongly suggest that Hillary call and talk to them and others in the days to come.  Just remember these other people are very busy and have lots of demands on their time.  But she needs to give serious consideration that she is too old.  What she did with these two issues may show an age related problem.  All I know is that I see one person after another going into the presidency.  They go in bright eyed and bushy tailed.  They come out the tail end with gray hair, worry lines, and aged considerably.  I estimate they age everybody else's four years for each year in office.  That means they effectively age sixteen years for just one term of four years in office.  Ronald Reagan, who was famous for doing as little as possible, is maybe the only exception, but even he aged a lot.  Aren't there any other Democrats that want the position of President of the United States?  I don't want to see Chris Christie in the Oval Office.  Isn't stopping all the traffic on a major bridge or Interstate an action that a Governor can be impeached for?  It should be.  I will check back for errors later but other than that I consider this post closed.  Post note: I did make some significant changes, most notably to show others just how bad new malware is at not being detected (2015-03-25).  You have a PDF file now to SEE just how bad it is.

Update 2015-04-13.  See the two paragraphs preceding Summing Up, added on 2015-04-13.  I use 24 hour UTC time (Zulu) for all my computer related activities.  All I can say is that if Hillary ran even a modestly sized business, then by expunging all the data on her email server by erasing the hard disk drive with no backups, she just violated the law.  Evidently she believes there should be a separate standard for her and Edward Snowden.  If she cannot see the difference in intent she is blind.  As any good email admin will tell you, you need to make backups of all the email messages and keep them for a long time.  If you don't, very bad things can happen to you.  I am afraid Hillary Clinton could never have counted on any Republicans switching sides.  After her actions that is now etched in granite.  Independents like me that advised my state's electoral votes be given to Obama were of course ignored in Utah.  But that isn't what disturbed me.  It was that the Democratic party didn't give us an inkling that somebody other than Hillary was even considering running.  So I sat down and wrote a snail mail letter that will be sent to the Utah Democratic headquarters.  Basically I was concerned that they were being too quiet about other potential Presidential hopefuls.  When I saw only 100 or so replies in the Guardian on the last announcement I knew she was toast.  The letter will be sent shortly, but I discovered on Saturday (2015-04-11) that the Rhode Island governor was considering entering the race.  I encourage the Democratic party to never do this again.  By having nobody but one person, the foregone conclusion is that is their only candidate.  It makes it look like the fix is in.  Next time, even if they have just a few other people considering, don't allow it to seem like there is just one candidate the party will have.  Will the way they did it kill them this time?  I don't know.  I know I go based on the best information at the time of the general election.
I wish I were actually voting for the President directly.  We needed to replace the electoral college system with a direct vote at least a hundred years ago.  It has stifled this country with two parties that, for now at least, both want to kill Edward Snowden.  He is not a traitor nor is he my hero.  But I do thank him for exposing the corruption and law breaking of the NSA, CIA, FBI, and from the looks of it even now the Federal Marshals' office.  As usual, I hope to add nothing more to this blog entry.

Monday, December 15, 2014

Hosts file and PAC filter on Windows 7

New Way Of Handling Hosts File On Windows 7

Somebody wrote to me saying that my hosts file installer is no longer suitable for Windows Vista, 2008 Server, Windows 7 or if you are crazy enough to use it there - Windows 8.

This is absolutely correct.  The UnxUtils way of using my hosts file on a Windows system is only for Windows XP and for use with something like Homer to act as a pseudo HTTP server (phttpd).  The reason I don't provide anything else is because I depend on somebody else's program to handle incorporating my hosts file on Windows 7 systems now.

If you use Windows 7, use Alex Kowalski's hosts file maintenance program, which I provide download space for.  Here is the Hosts file page, which shows where the links are:

Hosts File Page

Down at the end you see these two links:

APK's 64/32 Host File Engine Program
APK's 64/32 Host File Engine Instructions

My hosts file is primarily used by Linux people.  They use dnsmasq, Marco Peereboom's adsuck program or similar.  I am the only one using my phttpd.  But all of these people expect the hosts to be remapped to  There is no on Linux like there is on Windows.  On Windows is normally used as an inter-process server.  On Linux and Unix they use a special file construct called pipes for processes to communicate with each other.

Will I remap the entries to something else other than  No.  I depend on Alex Kowalski's program to do that for me.  The reason I mention this is because somebody wrote to me about this 4chan comment on hosts files (which you will note has Alex Kowalski's comment - APK):

4Chan comment on hosts files

What is my statement on using 0 versus  I defer to Alex Kowalski on that issue, since it is his APK 64/32 Hosts File Engine that automatically does the conversion from to whatever he uses.  Frankly, I am surprised somebody wrote to me about it.  You can NOT use my shell script to install a hosts file on anything newer than Windows XP anyway.  Even if you give the script a temporary override, the many programs it calls, like wget, rm, et cetera, do not have the override.  In fact you can no longer install UnxUtils on anything from Windows Vista on.  IOW, attempting to use my script file on Windows 7 will fail.  Even if you seem to get it to work (I couldn't), use APK's Host File Engine Program instead.  His program does much more than just install a hosts file.  I will say that if you use a hosts file on Windows 7 you must use some AV program other than the one provided by Microsoft.  The AV program supplied by Microsoft will remove every entry in a hosts file.  You must use another AV program to prevent Microsoft's AV program from removing hosts file entries.

New Way Of Handling PAC On Windows


Actually the only people I know using the PAC filter are all on Linux.  Most of the other people that look at my PAC filter don't actually use it.  They just look at my rules and stuff what they want into their company's proxy server.  That is fine with me because I used the most liberal GPL licensing enabling them to do that.

Here are the special instructions for putting the PAC filter on Windows 7.  You don't put it on there the same way you do on XP.  Instead, put all of the PAC filter files that can be used for Firefox into an etc folder in your user account.  You also need an extra special folder for Internet Settings, and it is mandatory for the Chrome browser.  For example, for a user named hhhobbit and assuming your system drive is C: you will have these folders (substitute your user name for mine; it should be just alphabetic or alphanumeric characters):


You put all of the files you think you will need into the etc folder.  I have already tested changing the PAC filters so that the blackhole goes to and that does not work!  I have not done this part yet but will do it later on today (2015-08-01).

You put one and only one of the files proxy_en.txt or proxy_fr.txt into the OneFile folder.  This is because when you use Internet Settings, the Chrome browser parses every darn file in the folder.  So only one PAC filter file should be in that OneFile folder.  You would need to install Homer in roughly the same area, e.g.:


I found out the hard way that FunkyToad croaked.  So I have revamped the file in such a way that it already has the allclear.gif file in it, and when the file is plopped into the C:\Users\hhhobbit\ folder and unzipped you get the Homer folder automatically.  None of this mess of files all over the place.

Okay, what have I tested so far?  This string will work for me in Firefox 39 (Firefox is the only browser left that can handle the debug) on Windows 7:


To get it in, go to Tools, Options, select Advanced, then Network, and click the Settings button.  You then put in the string I just gave (substituting your user name for hhhobbit) in the "Automatic proxy configuration URL" box.  You select that by clicking the radio button next to it.  Remember all of this, because until we get a pseudo web-server like Homer working on Windows 7 (I assume it won't work) you will be unchecking it real soon and going back to your default.  I forgot to record the default.  I will do it on my other system.

When I go to something like in the PAC filter with it set that way I get a proxy error message.  I tried changing the blackhole to being careful to and then tried something like say (there is no way to clear the cache any more which is stupid in my opinion) it gives me the same proxy error message.

So today, 2015-08-01, I will be testing to see if Homer works.  If it does I will be back here filling in all the details and putting in the stuff for the other browsers.  Don't expect any of this to work for Windows 8 or Windows 10.  Either Windows XP or Windows 7 is the end of the road for the PAC filter on Windows.  Sorry.
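As an added example that is not the blog's own proxy_en.txt or proxy_fr.txt, here is a minimal PAC filter of the kind this post is about.  A PAC file is ordinary JavaScript with one entry point, FindProxyForURL, that the browser calls for every request: hosts matching the block rules are handed to a blackhole proxy and everything else goes DIRECT.  The blackhole address 127.0.0.1:8080 and the .invalid host names are placeholders I chose, not values from the post, and the file deliberately avoids the browser-only helpers (shExpMatch, dnsDomainIs) so the same code can be exercised under Node before it is pointed at from the "Automatic proxy configuration URL" box.

```javascript
// Added example (not the SecureMecca proxy_en.txt): a minimal PAC
// filter in the style the post describes. Hosts matching the block
// rules are sent to a "blackhole" proxy; everything else goes DIRECT.
// BLACKHOLE is a placeholder; the post's real value is not reproduced.
// The host names used in the rules are constructed .invalid names.

// With a small pseudo web server (like Homer) listening here, the
// browser gets a harmless "all clear" answer instead of the ad.
var BLACKHOLE = 'PROXY 127.0.0.1:8080'; // placeholder address

// Block rules: whole domains (including subdomains) and regular
// expressions applied to the lower-cased host name.
var BLOCKED_DOMAINS = ['ads.example-tracker.invalid', 'malvertise.invalid'];
var BLOCKED_HOST_PATTERNS = [
  /^ads?\d*\./,              // ad., ads., ad1., ad2. ... as the first label
  /\.doubleclick\.invalid$/  // constructed stand-in for an ad network
];

// Plain-JS replacement for the browser's dnsDomainIs() helper.
function hostInDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === '.' + domain;
}

function isBlockedHost(host) {
  var h = host.toLowerCase();
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (hostInDomain(h, BLOCKED_DOMAINS[i])) return true;
  }
  for (var j = 0; j < BLOCKED_HOST_PATTERNS.length; j++) {
    // No 'g' flag on these regexes: a global regex keeps lastIndex
    // between calls and would make test() give different answers.
    if (BLOCKED_HOST_PATTERNS[j].test(h)) return true;
  }
  return false;
}

// Entry point the browser calls for every request. The url argument
// is unused here; only the host decides.
function FindProxyForURL(url, host) {
  // Never proxy plain intranet names or the loopback address, or the
  // blackhole server would be asked to proxy requests to itself.
  if (host.indexOf('.') === -1 || host === '127.0.0.1' || host === 'localhost') {
    return 'DIRECT';
  }
  if (isBlockedHost(host)) return BLACKHOLE;
  return 'DIRECT';
}
```

Two things worth checking when writing rules of this kind: the regexes are anchored (so admin.example.invalid is not caught by the ad rule), and the loopback exception comes first, since a rule that also matched the blackhole's own address would loop the browser back into the proxy.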