<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6747627828832681257</id><updated>2012-01-17T22:38:47.874-08:00</updated><category term='FPs and Error Reporting'/><category term='Real-Mac-Malware'/><category term='email safety'/><category term='Windows 64-bit Rootkits'/><category term='advanced-persistent-threat'/><category term='Proposed Name Changes'/><category term='New Direction'/><category term='Faster Computer'/><title type='text'>SecureMecca</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>15</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-6264905770864449183</id><published>2011-09-26T20:04:00.000-07:00</published><updated>2012-01-17T22:38:47.887-08:00</updated><title type='text'>Chrome-Windows-Problems</title><content 
type='html'>I have just had a huge battle with trying to understand why I kept getting strange pop-up messages about an object for almost a year now.&amp;nbsp; I didn't make the connection that they may have appeared only after I installed the Chrome browser.&amp;nbsp; I had no idea what was causing them.&amp;nbsp; For the last month or so these pop-ups changed to display this message instead:&lt;br /&gt;&lt;br /&gt;proxy pac file loaded&lt;br /&gt;&lt;br /&gt;That is the message you get if any of the debug flags are set in the PAC filter file that Internet Settings uses.&amp;nbsp; There is a huge problem with that.&amp;nbsp; IE can use the dbgproxy_en.txt and dbgproxy_fr.txt files but the pop-ups will drive you nuts.&amp;nbsp; But if you set Internet Settings to use the dbgproxy_en.txt, dbgproxy_fr.txt files or the pornproxy_en.txt, pornproxy_fr.txt files (without changing debug to be debugNone), the very first alert call causes the PAC filter load to fail for both Opera and Safari.&amp;nbsp; Ergo, the dbgproxy_en.txt and dbgproxy_fr.txt files should probably never be used in Internet Settings except for temporary debugging in IE.&amp;nbsp; The pornproxy_fr.txt and pornproxy_en.txt files can be used but ONLY if you set debug to be debugNone. Be sure debug is set to debugNone for the file used for Internet Settings when you are done.&amp;nbsp; Finally in exasperation I removed ALL of the debug statements in the proxy_en.txt and proxy_fr.txt files, which are all I ever set Internet Settings to use.&amp;nbsp; The pop-up problems continued.&amp;nbsp; How can this be?&amp;nbsp; According to Internet Settings I should never see the message since it isn't even there any more. But I tested IE, Opera, and Safari and the PAC filter was up and enforcing when I used either the proxy_en.txt or proxy_fr.txt files for Internet Settings in all three of those browsers with all of the debug lines removed.&amp;nbsp; So something else was causing the pop-ups. 
Chrome, IE, Opera, and Safari all use the Internet Settings for configuration of the PAC filter.&amp;nbsp; I finally removed Chrome as a test and the problems went away completely.&amp;nbsp; So with Chrome still removed I first made the following copies in the C:\etc\ folder (since I had removed all of the debug lines in proxy_en.txt and proxy_fr.txt):&lt;br /&gt;&lt;br /&gt;del proxy_fr.txt&lt;br /&gt;del proxy_en.txt&lt;br /&gt;copy dbgproxy_fr.txt proxy_fr.txt&lt;br /&gt;copy dbgproxy_en.txt proxy_en.txt&lt;br /&gt;&lt;br /&gt;and then altered this line in the dbgproxy_en.txt and dbgproxy_fr.txt files:&lt;br /&gt;&lt;br /&gt;var debug = debugNormal;&lt;br /&gt;&lt;br /&gt;to be this line in the proxy_en.txt and proxy_fr.txt files:&lt;br /&gt;&lt;br /&gt;var debug = debugNone;&lt;br /&gt;&lt;br /&gt;With Chrome removed and Internet Settings set to use either proxy_en.txt or proxy_fr.txt the mysterious pop-up never came back and things worked properly in IE, Opera, and Safari.&amp;nbsp; So in the build folders I made dbgproxy_en.txt differ from proxy_en.txt by only that one line, and the same for dbgproxy_fr.txt compared to proxy_fr.txt, and left them that way.&amp;nbsp; They only differ by that one line now.&amp;nbsp; Ergo, the OpenPGP signing of the proxy_en.txt and proxy_fr.txt files is sufficient again to say that dbgproxy_en.txt and dbgproxy_fr.txt are also good to go. &lt;br /&gt;&lt;br /&gt;As best as I can tell, what is happening is that Chrome is running through ALL of the files in the C:\etc\ folder on Windows.&amp;nbsp; I think it does it only when it checks for an update but I don't know that for sure. 
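As an added example (not the SecureMecca proxy_en.txt or dbgproxy_en.txt files themselves), here is a minimal PAC filter that shows how that single debug line gates the alert() calls described above, and how to exercise FindProxyForURL() offline under Node. The blocked-host list, the proxy port and the URLs are constructed for illustration; the dnsDomainIs() shim exists only so the file runs outside a browser, which normally supplies that helper itself.

```javascript
// Added example, not the SecureMecca proxy_en.txt file: a minimal PAC
// filter showing how a debug level gates the alert() calls the post
// describes, plus a harness to exercise FindProxyForURL() under Node.
// Blocked-host list and URLs below are constructed for illustration.

const debugNone = 0;
const debugNormal = 1;
// The one line that differs between proxy_en.txt and dbgproxy_en.txt.
var debug = debugNone;

// Browsers inject dnsDomainIs() into a PAC file's scope; supply an
// equivalent so the same code runs under Node for offline testing.
if (typeof dnsDomainIs !== 'function') {
  globalThis.dnsDomainIs = function (host, domain) {
    const d = domain.replace(/^\./, '');
    return host === d || host.endsWith('.' + d);
  };
}

// Every debug message passes through here. With debug set to debugNone
// nothing is recorded and alert() is never called, so there is no pop-up
// and nothing for the Opera/Safari PAC loader to choke on.
const debugMessages = [];
function report(msg) {
  if (debug === debugNone) { return; }
  debugMessages.push(msg);
  if (typeof alert === 'function') { alert(msg); }
}

// Constructed list; the real filter carries far more entries.
const blockedDomains = ['ads.example', 'tracker.example', 'webbug.example'];
// Send blocked requests to a proxy port nothing listens on.
const blackhole = 'PROXY 127.0.0.1:3421';

function FindProxyForURL(url, host) {
  for (const d of blockedDomains) {
    if (dnsDomainIs(host, d)) {
      report('blocked ' + host);
      return blackhole;
    }
  }
  return 'DIRECT';
}

// Top-level statements run when the browser loads the PAC file; this is
// the call that produces the "proxy pac file loaded" pop-up when debug is
// anything other than debugNone.
report('proxy pac file loaded');

// Offline check: return the decision for each URL so the rules can be
// verified without a browser.
function evaluate(urls) {
  const decisions = {};
  for (const url of urls) {
    decisions[url] = FindProxyForURL(url, new URL(url).hostname);
  }
  return decisions;
}

console.log(evaluate(['http://www.ads.example/a.js', 'https://notads.example/']));
```

Loading this file in a browser with var debug = debugNormal reproduces the pop-up at load time from the top-level report() call; with debugNone the same file is silent, which is exactly the one-line difference between the shipped proxy files and their dbg counterparts.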
There are a LOT of files and two folders in that folder for me and unless you remove them you would have the same thing: &lt;br /&gt;&lt;br /&gt;AutoPac_EN.msw\&lt;br /&gt;AutoPac_FR.msw\&lt;br /&gt;dbgproxy_en.txt&lt;br /&gt;dbgproxy_fr.txt&lt;br /&gt;dbgproxy.txt&lt;br /&gt;hdate.txt&lt;br /&gt;LastUsedHFHost.txt&lt;br /&gt;LastUsedSMPAC.txt&lt;br /&gt;olddbgproxy_en.txt&lt;br /&gt;olddbgproxy_fr.txt&lt;br /&gt;oldproxy_en.txt&lt;br /&gt;oldproxy_fr.txt&lt;br /&gt;pdate.txt&lt;br /&gt;pornproxy_en.txt&lt;br /&gt;pornproxy_fr.txt&lt;br /&gt;proxy_en.txt&lt;br /&gt;proxy_fr.txt&lt;br /&gt;proxy.txt&lt;br /&gt;SaveRules.txt&lt;br /&gt;&lt;br /&gt;That counts up to seven files that have debug turned on which seems to coincide nicely with the number of pop-ups I get.&amp;nbsp; I have no idea what it does with the non-PAC filter files or the download folders. If it does it sequentially I have no idea what it will do with the SaveRules.txt file which may be what it processes last.&amp;nbsp; This strange behavior happens only on Windows.&amp;nbsp; Chrome on Linux has no problems. 
You don't benefit from having debug set on Linux since there is no way to display the alert messages there.&amp;nbsp; I think this only happens when Chrome on Windows goes through its automatic update process, which for me seems to always be colliding with my Windows patch updates and AV updates.&amp;nbsp; I would much rather updates be done only when I open the Chrome browser, with a timed delay.&amp;nbsp; If you want to force the update right now that can be done when you select "About Google Chrome".&amp;nbsp; The problem is, Chrome is constantly checking on its own, fairly frequently, to make sure it is up to date.&amp;nbsp; I guess they can continue to do it that way if they want to but I wish Google's Chrome developers would fix this PAC filter (Internet Settings) problem.&amp;nbsp; They should NOT be opening up and reading every file in the folder indicated in Internet Settings.&amp;nbsp; IE, Opera, and Safari don't do it.&amp;nbsp; They use just the one file indicated in Internet Settings.&amp;nbsp; They block properly and the messages disappear.&amp;nbsp; I think it is reasonable to expect that Chrome should do the same thing.&lt;br /&gt;&lt;br /&gt;Will Google fix this problem in the Windows Chrome browser?&amp;nbsp; I don't know.&amp;nbsp; I do know that it is aberrant behavior that needs to be fixed since the PAC filter doesn't just block ads and trackers.&amp;nbsp; It also blocks malware and WebBugs.&amp;nbsp; I encourage Google to fix it.&amp;nbsp; If they don't then you have a decision to make.&amp;nbsp; It will be one of the following three choices:&lt;br /&gt;&lt;br /&gt;1. Windows plus Chrome browser minus PAC filter&lt;br /&gt;&lt;br /&gt;2. Windows plus PAC filter minus Chrome browser&lt;br /&gt;&lt;br /&gt;3. 
Windows plus Chrome browser plus PAC filter and ignore the pop-ups.&lt;br /&gt;&lt;br /&gt;Temporarily for me it will be option number 2.&amp;nbsp; Each user account on Windows has its own Chrome files, rather than putting them in %ProgramFiles%, for sand-boxing purposes. So I will remove all of the Chrome browsers in all of the user accounts.&amp;nbsp; Each time they ask me why I am removing Chrome I will point them to this blog entry.&amp;nbsp; I am sorry but that is the best I can do.&amp;nbsp; Google has no obligation to fix the problem.&amp;nbsp; Unfortunately they also probably have 0% inclination to fix the problem.&amp;nbsp; I would count on this never being fixed.&amp;nbsp; There is nothing I can do about it.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Update One on:&lt;/b&gt;&amp;nbsp; 2012-01-18:&lt;br /&gt;This seems to be a shared problem between Microsoft and Chrome with most of the blame going to Microsoft.&amp;nbsp; I am now testing a sub-folder named OneFile (C:\etc\OneFile) that has only the proxy_en.txt or the proxy_fr.txt file, with no debug lines in it, that is used by Internet Settings.&amp;nbsp; If that works then I will alter the files, instructions, and scripts.&amp;nbsp; It is a kludge, but it is the best I can do.&amp;nbsp; It was either the Microsoft Patch Tuesday release in October or an out-of-band Microsoft patch at the end of October where the strange behavior showed up.&amp;nbsp; I have no idea why Internet Settings is reading every file in the folder and no idea why they aren't using the JavaScript properly.&amp;nbsp; Both are the cause of the problems because I tried just the separate folder and still had problems until I removed ALL of the debug lines.&amp;nbsp; Previously, I had removed all of the debug lines but left the stripped files in the etc folder with the dbgproxy_en.txt and dbgproxy_fr.txt files.&amp;nbsp; That didn't work either.&amp;nbsp; What seems like it will work is only one file in the folder with NO debug lines in the file 
because there is a failure of somebody to implement JavaScript properly.&lt;br /&gt;&lt;br /&gt;Sorry.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-6264905770864449183?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/6264905770864449183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=6264905770864449183' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6264905770864449183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6264905770864449183'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2011/09/chrome-windows-problems.html' title='Chrome-Windows-Problems'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-1171344946419704861</id><published>2011-06-01T19:40:00.000-07:00</published><updated>2011-06-20T18:13:38.873-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Real-Mac-Malware'/><title type='text'>Real-Mac-Malware</title><content type='html'>In case you Macintosh owners haven't picked up on it yet, 
the scare-ware has moved from Windows to Macintosh.&amp;nbsp; Here was Apple's take on how to handle the situation:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://support.apple.com/kb/ht4650"&gt;http://support.apple.com/kb/ht4650&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I hate to say this, Apple, but it is a case of too little, too late.&amp;nbsp; You are having the spin doctors write this, so you need to have them back-track and give Apple owners all the things that they can do to make themselves safer. Why?&amp;nbsp; Within a few days these hackers not only have it installing the new software using two packages, a mini-downloader and then the main package, but now no password is required to do the install.&amp;nbsp; Why is no password required?&amp;nbsp; Because the first account created for a Macintosh is an administrator account and it doesn't need a password.&amp;nbsp; The only thing that is reminiscent of it in the Linux world is Fedora 12:&lt;br /&gt;&lt;br /&gt;&lt;a href="https://bugzilla.redhat.com/show_bug.cgi?id=534047"&gt;No Password Required&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;See comments 72 by Garry Dolley and 77 by Keith G Robertson-Turner.&amp;nbsp; It is one of many reasons I abandoned the Fedora effort that an admin password was not required to do an install of software.&amp;nbsp; But Garry has now acquired new knowledge.&amp;nbsp; It is now obvious to the entire world that you can install software into the Macintosh system's (as opposed to the user's) Applications folder and that no password is required.&amp;nbsp; There are at least three problems on this score.&amp;nbsp; First is that it seems Apple shows both the system's Applications folder and the user's Applications folder as being one thing in the GUI.&amp;nbsp; Hopefully I am wrong about that. 
Most of the time I guess it doesn't matter because very little to almost nothing is ever put in the user's Applications folder on most people's machines.&amp;nbsp; But by making things easier for the user, they have made the mistake of obfuscating what is really going on.&amp;nbsp; If I owned a Macintosh I would be finding out real quick how everything is set up.&amp;nbsp; The problem is that they have departed so far from the old Unix model that it can be at times confusing.&amp;nbsp; In case you are wondering, I used to own a NeXT machine. Mac OS X is only faintly similar to it. But it is especially irritating when you talk to people who own a Macintosh but don't know what is what on it.&amp;nbsp; In case you haven't guessed it yet, that is over 95% of Macintosh users. I contrast their privilege escalation model to sudo, except it seems it isn't, because there are tens of thousands of Macintosh owners with infected machines who did nothing.&amp;nbsp; So it is sudo with a twist to make it less secure.&amp;nbsp; It seems you don't need an admin password to do an install into the system's Applications folder if you are an administrative user.&amp;nbsp; Dumb!&amp;nbsp; Really dumb!&lt;br /&gt;&lt;br /&gt;Ergo, I am now rescinding all previous advice to move from Windows to Macintosh to enhance your security.&amp;nbsp; I still don't like sudo-only ways of doing things.&amp;nbsp; That is just the closest model I can use to describe how the Macintosh works. 
But all of this is pointing out that the following things need to be done:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;First, Apple is going to have to put in a password request for all software installs.&amp;nbsp; At one time I used Fedora.&amp;nbsp; I don't care that they put in a patch and went back to a more secure way of doing things.&amp;nbsp; Both Fedora and Apple having once done this wrong leaves me pondering just how much else they have done wrong.&amp;nbsp; They have fallen into the trap of not realizing security comes through several redundant layers of defense.&lt;/li&gt;&lt;li&gt;Second, Macintosh owners are going to have to modify at least one of their Safari browser settings on Downloads so that dmg files (disk images that Safari will otherwise mount for you), zip archives and other files like that are not automatically opened.&amp;nbsp; Here is a good place to start: &amp;nbsp;&lt;a href="http://mactips.info/2011/05/make-your-mac-safer-with-secure-safari-settings"&gt;Safer-Safari-Settings&lt;/a&gt; .&amp;nbsp; &lt;b&gt;Warning!&amp;nbsp; Do not download, unzip, or run the program at the bottom of the page without checking it out first!&amp;nbsp; Get the idea?&amp;nbsp; It may very well be, you guessed it, something like MacDefender! &lt;/b&gt;How do I know?&amp;nbsp; IfThenSoft.com is at a GoDaddy pseudo-park IP address notorious for redirecting to malware and this one does a redirect. Not only that, but the host they redirected to is red-lined at the Web of Trust. &lt;i&gt;(2011-June-21: I submitted it to the AV companies and my look at it and theirs comes up clean so it is probably safe to use.&amp;nbsp; That still does not excuse the author for doing the things he did and I gave him pointers for how to do it better - like redirecting to the download hosts instead of a host that is red-lined with MyWOT.com.)&amp;nbsp;&lt;/i&gt; The information on safer browser settings is correct. That is my only reason for giving you this web page. 
But why are they telling me to use 1Password?&amp;nbsp; Does it have a security hole? An AES-256 encrypted file may not be as convenient but that is what I use. You can also use Intego's blog information, which is always changing.&amp;nbsp; Intego's blog is here: &lt;a href="http://blog.intego.com/"&gt;http://blog.intego.com/&lt;/a&gt; .&amp;nbsp; Do not stop there.&amp;nbsp; Rummage around and tighten things down in Safari, even if you no longer use that browser but use Firefox or another browser instead.&amp;nbsp; There is a slight chance the other browser will message Safari to do some of the rendering.&amp;nbsp; Even if it doesn't, cross-browser scripting attacks are quite common.&lt;/li&gt;&lt;li&gt;Third, if you shifted to using Firefox instead, back up and tighten down Safari anyway.&amp;nbsp; Then do about the same thing with Firefox.&amp;nbsp; A lot of mine have been transformed to "Always ask" except for zips and exe files, which are automatically downloaded into my /tmp/Quarantine folder.&amp;nbsp; The default is "let's be helpful and unzip that zipped file for you."&amp;nbsp; That applies to tbz, tgz, zip.&amp;nbsp; If you install 7-zip it may try to unzip that as well.&amp;nbsp; It is almost as bad as Windows unzipping zipped files that are just sitting there on the desktop. 
Browser, keep your hands off and let me handle it!&amp;nbsp; All downloads go to /tmp/Quarantine for me with all browsers (Chrome, Firefox, Opera) on Linux.&lt;/li&gt;&lt;li&gt;Fourth, consider using an antivirus program.&amp;nbsp; There is a secondary reason for me having a ClamAV user on both of my Linux systems.&amp;nbsp; I can log in as clamav and clean out any user infection.&amp;nbsp; This especially holds for sudo-oriented systems, which is what I have to lump the Macintosh into being.&amp;nbsp; It is not really that but that is as close as I can come to what they are doing.&amp;nbsp; You noticed I mentioned Intego.&amp;nbsp; I have nothing to do with them.&amp;nbsp; Just be sure whatever you get is the real thing.&amp;nbsp; Intego pointed out that somebody posing as a HuffPost Community Moderator was plugging the malware as the solution to get rid of the malware.&amp;nbsp; That is probably good for several hundred thousand Macintosh owners. That is one of the things the hackers do - confuse you into putting on the wrong thing.&amp;nbsp; But Apple is already going the wrong way by enumerating the bad and giving you a warning on known bad package names.&amp;nbsp; The hackers will start using new names all of the time and the AV packages will fail to detect what is bad when it is too new.&amp;nbsp; If you have a no-questions-asked install, as long as just 5% of Macintosh owners get infected the hackers consider it to be a good ROI.&amp;nbsp; Paradoxically, they haven't used rootkits yet, which are a malware problem that came from Unix systems to Linux and then on to Windows. It doesn't matter whether it is McAfee, Symantec, or Intego.&amp;nbsp; Just make sure it is legitimate AV software. 
What I am leading you toward is this final step, which is the most important.&lt;/li&gt;&lt;li&gt; Fifth, create an administrator account called admin, god, or something like that first, but then use that account to create another user account and only use the second account to do your normal work.&amp;nbsp; If you can, make the second user account you use all of the time a non-administrator account.&amp;nbsp; It will enhance your security considerably. It doesn't help in this case if you also make your second user account an administrator account, because Apple just gave the hackers the keys to the kingdom with a no-questions-asked install.&amp;nbsp; I am thinking primarily of scrambling to a second administrator account to clean out a user infection.&amp;nbsp; But why should a hacker do that when Apple just handed the hackers the keys to the kingdom in allowing them to install into the system area?&amp;nbsp; Effectively, Apple took the protection of Unix file permissions (which are discretionary access control: owner, group and mode bits) and threw it out the door.&amp;nbsp; Make that second account you use all of the time a normal account until you understand how the Macintosh works thoroughly.&amp;nbsp; But once you understand how it works in depth it will probably stay that way until Apple does point one above.&amp;nbsp; You still may do it if you think you can be conned into accepting the fake.&amp;nbsp; If the bad thing cannot be installed at all it can never hurt you.&amp;nbsp; If it can be installed only if you supply a password, then it may hurt you.&amp;nbsp; But if it can be installed with no questions asked all you are counting on for your protection is the luck of the draw in never encountering the bad stuff.&amp;nbsp; Actually the odds are much better than you think if you stay away from porn and other trashy areas of the Internet and don't click on that link in your Facebook account that promises you the low-down dirt on some person of interest.&amp;nbsp; If you click on those more likely 
than not you will be one dead duck.&lt;/li&gt;&lt;/ul&gt;So there you have it.&amp;nbsp; For the first time Apple may be running scared, but I sincerely doubt it. They should be.&amp;nbsp; The regular hackers only use one vulnerability at a time.&amp;nbsp; The reason for making that distinction is that Stuxnet used multiple vulnerabilities. Vulnerabilities are precious resources that normal hackers hoard, use only one at a time, and constantly search for new ones. One of the common vectors is Java.&amp;nbsp; If you don't need Java, remove it. Another is Flash, although that has become better over time.&amp;nbsp; The problem isn't the Flash player so much as the script code (ActionScript) that can be hidden in the Flash file.&amp;nbsp; All of this brings to mind those stupid Mac ads where they contrasted Macs with Windows PCs.&amp;nbsp; I found the ads offensive. Linux users, don't chortle.&amp;nbsp; I can see ways that can be employed to foist off stuff on you as well.&amp;nbsp; Yes, now that the Fedora 12 debacle is in the past you can at least count on having to type a password.&amp;nbsp; But if the hackers can fool you into seeing something as a system upgrade (how do you tell the difference between a system panel and something the hackers pop up that looks just like it?) 
they are in.&amp;nbsp; That is exactly what they have done on Windows and now they are doing it on Macintosh as well.&amp;nbsp; Not only that but now they are finally detecting your OS and browser to deliver the correct payload.&amp;nbsp; That is rather strange because for many things I use wget instead of a browser.&amp;nbsp; I almost always use wget instead of the browser download if I can help it, and when it comes to pulling down the malware I try to always use wget instead of the browser.&lt;br /&gt;&lt;br /&gt;All of this brings to mind me trying to get my sister to see what the scareware links looked like two years ago.&amp;nbsp; She didn't understand that I made sure it only led to Windows malware.&amp;nbsp; I just wanted her to see what it looked like so she could prepare for the future when it came to the Mac.&amp;nbsp; Well, that opportunity is past.&amp;nbsp; I cannot count on something that didn't do OS detection yesterday still not doing it today. Since I am on Linux a lot of these scare-ware links in web pages won't work for me any more once they detect I am not using either Windows or a Mac. In that case when they do the browser detection they just do nothing with either wget or a browser on Linux. It is rapidly approaching the point where there is nothing I can do any more.&amp;nbsp; The Mac owners and Windows owners get infected and I see nothing. 
So far, all I have for Linux are two browser toolbars that don't uninstall completely and continue reporting every place you go and what you do back to the toolbar data collection servers.&amp;nbsp; I block them in my filters.&amp;nbsp; Actually for the second tool-bar, you &lt;i&gt;must&lt;/i&gt; use the blocking hosts file.&amp;nbsp; Over seven million of these tool-bars were installed through Mozilla because they used to list it as an add-on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-1171344946419704861?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/1171344946419704861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=1171344946419704861' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/1171344946419704861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/1171344946419704861'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2011/06/real-mac-malware.html' title='Real-Mac-Malware'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-6577628609487896206</id><published>2011-04-28T18:56:00.000-07:00</published><updated>2011-05-13T20:44:22.504-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='advanced-persistent-threat'/><title 
type='text'>Advanced-Persistent-Threat</title><content type='html'>I think I better make this a little bit more clear even though it really is an extension of the last post about using email safely.&amp;nbsp; I see RSA being hacked into, then Oak Ridge Laboratory, with something some people are calling &lt;i&gt;"Advanced Persistent Threat (APT)"&lt;/i&gt;.&amp;nbsp; There are sure-fire ways to increase your odds of not falling prey to APT. They are almost in reverse order of importance; to put them in order you would need to swap numbers one and two, but the first is needed to make the second possible.&amp;nbsp; Here they are:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt; Use POP email rather than web-mail and do &lt;b&gt;not&lt;/b&gt; use Outlook or any other email client that specializes in rendering HTML email messages.&amp;nbsp; Instead use Thunderbird, Claws Mail or some other email program that lets you turn HTML rendering off (in Thunderbird: View, Message Body As, Plain Text).&amp;nbsp; That makes the phishy links, where the visible link text or a mouse-over shows a safe-looking URL while the real destination is something else, impossible to achieve any more.&amp;nbsp; With HTML rendering turned off the malicious URL is no longer hidden.&amp;nbsp; It stands out like a sore thumb.&amp;nbsp; That helps prevent your users from falling prey to APT spear phishing email messages.&lt;/li&gt;&lt;li&gt;Use OpenPGP encryption.&amp;nbsp; For some place like Oak Ridge &lt;i&gt;do not put your keys on the key servers&lt;/i&gt;.&amp;nbsp; Share them privately.&amp;nbsp; Set your keys to expire in no more than ten years.&amp;nbsp; If a message from HR or a colleague appears, and it has attachments or embedded URLs, you should require that it be signed.&amp;nbsp; You can go either the commercial route and purchase PGP encryption (owned by Symantec as of 2011-04-29) or download GPG4Win for Windows machines.&amp;nbsp; Here is their link:&amp;nbsp; &lt;a 
href="http://www.gpg4win.org/"&gt;GPG4Win&lt;/a&gt;. You get GPG on Linux automatically and it is also available for Macintosh.&amp;nbsp; But again, on Macintosh do not use Apple Mail since it renders HTML email.&amp;nbsp; I really wanted to list this one first since it is actually the least important, but you need Thunderbird or Claws Mail to do this on Windows anyway.&amp;nbsp; Do not depend on engineers to figure out how to create their own OpenPGP keys.&amp;nbsp; Engineers are bright people but they still need help in making their encryption keys the first time around. It is a lot harder to understand public/private key encryption than you think it is.&amp;nbsp; The hardest thing of all though is to come up with a suitably long passphrase. I advise only alphanumerics although some punctuation marks are okay. Your pass-phrase should be almost impossible to guess, yet easy to remember, and not too difficult to type.&lt;/li&gt;&lt;li&gt;Do not use Microsoft Windows!&amp;nbsp; Here are some links on what file permissions do to protect you on Unix-like systems.&amp;nbsp; &lt;a href="http://securemecca.com/public/PermExample.txt"&gt;Simple-Perm-Example&lt;/a&gt;. &lt;a href="http://securemecca.com/public/PermExampleMSW.zip"&gt;Elaborate-Perm-Example&lt;/a&gt;. &lt;a href="http://securemecca.com/public/ChmodTable.txt"&gt;Unix-File-Permission-Table&lt;/a&gt;. Even though I give them for this particular system / OS, OpenVMS, OS/400, VM/CMS, and most other operating systems all have file system protection schemes. Microsoft didn't wait for them with the NTFS file system. But even before you get to how these would protect you from getting infected with a binary for your particular system (because it comes down in a form where it cannot be run, since the execute bit is not set), just keep one more thing in mind.&amp;nbsp; You are probably not going to get it anyway. 
Instead, the hackers are going to send you a link to a Windows binary that depends on an IE flaw or something else similar on Microsoft Windows. So when your Chrome, Firefox, Opera, or Safari browser on Linux, Macintosh, or Unix sees it the browser would just say "Huh? What do you want me to do with this exe thing?"&amp;nbsp; I tell the browser to download them into the usual place - a folder that is named /tmp/Quarantine.&amp;nbsp; I then feed it to ClamAV, and I am still keeping a back-end channel open for the AV companies although very little goes in it any more.&amp;nbsp; But it is there to help them to detect new threats as I encounter them.&lt;/li&gt;&lt;/ol&gt;So there you have it, a way to protect you from &lt;i&gt;Advanced Persistent Threat (APT)&lt;/i&gt;.&amp;nbsp; Actually, I see nothing persistent about it except that people persist in continuing to use the very things that make the threat possible despite the fact that there is an alternative.&amp;nbsp; It may or may not be "advanced" but the main reasons it works are because the hackers blindside you with something that is tailored to sell and you are using the wrong thing that makes it easy for the hackers to hide what they are doing. If you cannot see the bad URL you are already off to a bad start. Actually, I do like John Pescatore's definition of &lt;i&gt;APT&lt;/i&gt;: "Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in."&amp;nbsp; But shoving the responsibility entirely on people that are working 70 hours per week is not a formula for success. For others like me that 70 hours per week may balloon into 90 hours per week. I am older and not as quick as I used to be. To detect something phishy you need the right tools that help people do it when they are sick and overworked. 
If you use the wrong tools a disaster is going to happen just like it did at RSA and Oak Ridge Lab.&amp;nbsp; So take your pick but I really advise using all three of these improvements to make you far safer.&amp;nbsp; Who is going to use all three of them?&amp;nbsp; Just me.&amp;nbsp; Who is going to use none of them?&amp;nbsp; Almost everybody else. C'est la vie.&amp;nbsp; So whose fault is it that they click on something whose threat they could have seen if they had the right tools?&amp;nbsp; The person making the decision of what they use is the responsible person, not the one clicking on something that is carefully tailored to look legitimate.</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/6577628609487896206/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=6577628609487896206' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6577628609487896206'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6577628609487896206'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2011/04/advanced-persisten-threat.html' title='Advanced-Persistent-Threat'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-5164086336639078789</id><published>2011-03-09T23:08:00.000-08:00</published><updated>2011-03-09T23:08:13.545-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='email safety'/><title type='text'>email safety</title><content type='html'>I don't have to go out and get the malware.&amp;nbsp; It comes to me!&amp;nbsp; I received a Zeus trojan in my email not just once but twice, six days apart.&amp;nbsp; It came as a file named "images865392.zip" zipped with password "123456" from the very same gaxeee GNAT gmail.com email address.&amp;nbsp; When unzipped you have a file of the same base name but it is an exe, not a zip file: "images865392.exe".&amp;nbsp; I submitted it to ClamAV and it percolated out from there so that now Avast and AVG are detecting it.&amp;nbsp; Here is the scan of the Zeus trojan at VirusTotal:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://preview.tinyurl.com/4fct5pz"&gt;http://preview.tinyurl.com/4fct5pz&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Don't expect this to stay around forever.&amp;nbsp; There are at least dozens and perhaps hundreds of new malware samples each day and eventually this URL will drop off the chart. Actually, 29 / 41 isn't bad even though six days ago it was 27 / 43. But what was it like when it was first found, and what if you are using one of the AV products that does not detect it?&amp;nbsp; Even worse, it took the ClamAV team almost six days just to finally detect it.&amp;nbsp; Why does it take so long?&amp;nbsp; They have too much to do, so you are lucky that they got around to detecting it at all.
The rather amazing thing is that the second file was exactly the same as the first.&amp;nbsp; It had the same zipped and unzipped file names, the same password, and the two executable files were identical.&amp;nbsp; Before I got it, who knows how many other people got the same thing?&amp;nbsp; How many of them unzipped it and let it run?&amp;nbsp; I don't know, but enough of them do it that it was successful. Use some common sense, people.&amp;nbsp; Even if you got an attachment from somebody you know, pick up the phone and ask if they sent it to you.&amp;nbsp; If you think this is trivial, it isn't.&amp;nbsp; Almost every spear-phishing attack is only slightly different than this one.&amp;nbsp; The surprising thing to me is that it still works even though it has been done for years.&amp;nbsp; It seems like people would be on to this game by now, but you would be amazed at how successful this kind of email-borne attack still is.&amp;nbsp; Half of the Fortune 500 companies in the United States have severe problems, and although browse-by attacks may not be their fault (as long as they use some sort of filtration), in this case it is wholly their responsibility.&amp;nbsp; Even worse are the email messages that immediately run when you click on an HTML link.&amp;nbsp; Beware of all HTML links in email messages.&amp;nbsp; Also, unless you use something like Thunderbird or other email programs that make no attempt to render HTML messages, you need to be aware that they usually put mouseover commands on the link to substitute the real URL with one that displays in the email program and appears safe.&amp;nbsp; This is also usually done with phish.&amp;nbsp; Am I fooled?&amp;nbsp; No.&amp;nbsp; I use Thunderbird.&amp;nbsp; Richard Stallman of GNU Corporation uses something else but they both do the same thing - they show the real links.&amp;nbsp; I got the same email message that did in Google several years back and it looked positively amateurish to me.&lt;br 
/&gt;&lt;br /&gt;One more thing: even though I told you I will no longer include the MalwareDomainList file, that doesn't mean you cannot merge what MDL has with my or another blocking hosts file.&amp;nbsp; You can do it with a program called HostsMan.&amp;nbsp; Here is where you can get it:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.abelhadigital.com/hostsman"&gt;HostsMan&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/5164086336639078789/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=5164086336639078789' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/5164086336639078789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/5164086336639078789'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2011/03/email-safety.html' title='email safety'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-4085217323510048250</id><published>2011-03-07T04:37:00.000-08:00</published><updated>2011-03-31T19:19:52.782-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New Direction'/><title type='text'>New Direction</title><content type='html'>Although I would like to continue to add 
MalwareDomainList's (hereafter referred to as MDL) hosts into my hosts file, it just cannot be done any more.&amp;nbsp; Here are the reasons why in their order of importance:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;I am connected to the Internet through Comcast.&amp;nbsp; I have already been flagged for having a bot machine and even had my ftp access to the SecureMecca.com web-site blocked.&amp;nbsp; Fortunately I was able to still upload to HostsFile.org, but the ability to analyze a lot of this stuff is gone and I cannot do it any more.&amp;nbsp; I can assure Comcast that my two Linux systems are not bots.&amp;nbsp; I shut almost all other user processes other than some xterms down and fired up Wireshark.&amp;nbsp; Even the normal chit-chat of ARP was held down because I use an /etc/ethers file.&amp;nbsp; Nothing but the local GnuPG check packets were found except for the one machine that did a check for OS updates.&amp;nbsp; They are clean.&amp;nbsp; Some may think I resent what Comcast has done, but I think it is a good interim measure even though it would not protect against the z-bot file I got in my email box two days ago (2011-03-05).&amp;nbsp; It is better to have that than what I provide, which nobody uses.&lt;/li&gt;&lt;li&gt;I never did like blocking hosts that were just normal hosts that had an infection, especially when many times my PAC filter rules alone would have made it so they could go to the web-site safely.&lt;/li&gt;&lt;li&gt;It was just too much to keep up with.&amp;nbsp; I primarily served as the mop-up crew by analyzing all of the hosts they removed, many times discovering malware still there, and frequently it had very low detection rates.&amp;nbsp; There were also hosts that met my criteria that didn't match MDL's.&amp;nbsp; For example, I block ads and trackers whereas they don't, so I need to know whether to keep them or not.&amp;nbsp; Given the massive amount of malvertisement I would advocate that people either use what I have (PAC 
filter + blocking hosts file) or one of the browser ad-blocking programs I will give below, not necessarily to block the ads but to protect your machines. In reality I think it is time for Windows users to either use a Macintosh or put up with the constant thrashing us Linux users have and switch to it.&amp;nbsp; The computer is not an end in itself for me.&amp;nbsp; I use it to achieve my ends.&lt;/li&gt;&lt;/ol&gt;Since I am not adding the MDL hosts any more, you may want to add them yourself.&amp;nbsp; Here is where they are at:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.malwaredomainlist.com/hostslist/hosts.txt"&gt;MDL Blocking host list&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I will continue to peruse their URLs for patterns for the PAC filter:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.malwaredomainlist.com/forums/index.php?topic=3270.0"&gt;All MDL Downloads&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But you may want to check out the BLADE project that tries to block out all malicious downloads:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.blade-defender.org/eval-lab/"&gt;BLADE Malicious URL Project&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I think that Comcast's Damballa anti-bot software, BLADE and other things are pretty ambitious.&amp;nbsp; The PAC filter at SecureMecca.com / HostsFile.org is at best only 15% efficient at stopping malware.&amp;nbsp; It gets a lot better if you disallow the download of all *.exe, *.msi, and *.scr files in the PAC filter, but just like the newer malware that disables a proxy, it is trivial to disable the PAC filter.&amp;nbsp; I am glad that Symantec's NAV did flag the PAC filter as a potential problem.&amp;nbsp; It isn't, but I have found a few of them that are malicious out in the wild.&lt;br /&gt;&lt;br /&gt;There is one big problem in all of this.&amp;nbsp; The malware is coming so fast and furious that some myths need to be dispelled.&amp;nbsp; First, I am getting tired of hearing this day zero garbage.&amp;nbsp; That may have been what it 
was five plus years ago.&amp;nbsp; But about one to three years ago it became week zero, then month zero.&amp;nbsp; I would discover malware and give it to the malware companies via my back route channel that frequently had less than 6/42 of the AV programs at VirusTotal detecting it.&amp;nbsp; Many times none of them detected it.&amp;nbsp; After giving the malware to ClamAV and via the back-route channel, the detection would slowly crawl its way up to only half of them detecting it, taking well over two weeks to achieve that.&amp;nbsp; In short, what was really protecting most Windows users was just the random chance of not encountering the bad stuff in the first place.&amp;nbsp; With many millions of web sites and only a few thousand infecting you, that is actually a pretty good gamble that you will be okay, until you hit the bad one.&amp;nbsp; But what happens when you hit them and they are at the low probability end of detection, or when they come down via malvertisement?&amp;nbsp; In the case of the ad servers being corrupted with malware, the damage can be pretty extensive, with millions of machines running Microsoft Windows getting infected!&amp;nbsp; I have three possible solutions for you in the reverse order of what I actually do: &lt;br /&gt;&lt;ol&gt;&lt;li&gt;Purchase either Windows 7 Pro or Windows 7 Ultimate.&amp;nbsp; Do the bulk of your work on the computer in interacting with the Internet in virtual mode.&amp;nbsp; That way when you get infected, hopefully you can shut down and toss all of the changes to the OS away.&amp;nbsp; You still have to put up with booting to the hard mode to update your AV software, and Symantec's NAV is updating at least hourly if not more often.&lt;/li&gt;&lt;li&gt;Use a Macintosh.&amp;nbsp; I realize that they have embedded spying on them but at least you get rid of the Windows malware.&amp;nbsp; To date I keep seeing nothing but POC malware for the Mac and have gotten none of the malware for Linux.&amp;nbsp; Both 
Macintosh malware and Linux malware exist but they are the least of your problems.&amp;nbsp; Personally, I don't understand why Apple won't take that tracking out of their systems.&amp;nbsp; That would make it possible for them to pursue many lucrative government contracts.&amp;nbsp; Maybe they already have taken it out.&amp;nbsp; In which case the only objection you can have is cost. But everything you get works and works well.&amp;nbsp; Most people love the GUI the Macintosh has.&lt;/li&gt;&lt;li&gt;Use Linux.&amp;nbsp; There is no tracking, but I cannot for example get my printer to work any more with Linux.&amp;nbsp; It is an old mossy HP LJ-4P with a parallel interface.&amp;nbsp; I have nothing but USB on my machines now.&amp;nbsp; So I have a USB to parallel gender bender cable.&amp;nbsp; It works with XP (all I can afford), but it doesn't work with Linux.&amp;nbsp; I have no money for a new printer.&amp;nbsp; I also hear that the new version of Ubuntu is replacing the Gnome GUI that I standardized on.&amp;nbsp; There is always a flux with the newer versions of Linux and I deeply missed the plain old hexedit that worked in the xterms.&amp;nbsp; But it is free and the Windows malware problems go away.&amp;nbsp; In case you haven't guessed it yet, this is the option that I have chosen.&lt;/li&gt;&lt;/ol&gt;So there you have it.&amp;nbsp; I will of course continue to add web-bugs, trackers and ad servers to the filters, but if you want to primarily block ads and use either the Firefox or Chrome browsers then I strongly advise that you use one of the plug-ins they have for that purpose in those browsers. 
If you are doing the first on the Chromium OS, just type in chromeadblock.com and that will install it for your session.&amp;nbsp; But when you shut the system down the adblock will probably go away.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://chromeadblock.com/"&gt;Google Chrome browser AdBlocker&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/"&gt;Firefox AdBlock Plus&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If your browser of choice is Internet Explorer, Opera, or Safari, then you can still use the PAC filter to good effect.&amp;nbsp; I would advise that you not turn the debug on in Internet Explorer, and you can &lt;b&gt;not&lt;/b&gt; turn it on in either Opera or Safari. If you use Microsoft Windows you can also purchase Ad Muncher, but they don't do much to protect against malware and I still do it, but usually only in the PAC filter.&lt;br /&gt;&lt;br /&gt;I am also devoting a lot of time and effort to get rid of Daylight Saving Time, which in reality saves nothing.&amp;nbsp; Every time I turn around the TZ (Time-Zone) database on Linux is being updated for this lunacy.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.nomoredst.blogspot.com/"&gt;No More Daylight Saving Time&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/4085217323510048250/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=4085217323510048250' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/4085217323510048250'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6747627828832681257/posts/default/4085217323510048250'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2011/03/new-direction.html' title='New Direction'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-652041065524303545</id><published>2010-11-18T02:35:00.000-08:00</published><updated>2010-12-09T18:45:19.574-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FPs and Error Reporting'/><title type='text'>FPs and Error Reporting</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="font-size: large;"&gt;Case Study at TV.com&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;Recently I had severe problems with ad.doubleclick.net at tv.com.&amp;nbsp; I went through I don't know how many white-lists of various domains but still ended up with the problem of it saying it didn't like it.&amp;nbsp; The upshot of all the effort was to just comment out ad.doubleclick.net in my hosts file. 
For a while I commented out the "doubleclick" rule in the PAC filter.&amp;nbsp; I finally concluded you can resolve the problem in one of two ways:&lt;br /&gt;&lt;br /&gt;1.&amp;nbsp; Temporarily disable the PAC filter.&amp;nbsp; See how to do that here but just disable it (unless you don't want the PAC filter any more):&lt;br /&gt;&lt;br /&gt;&lt;a href="http://securemecca.blogspot.com/2010/04/deactivate-pac-filter.html"&gt;Disable PAC Filter&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This correlates with the information I gave in the change log:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://securemecca.com/public/pubpaclog/hhh_2010_11_29_changes.txt"&gt;Change Log - DoubleClick at #5&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2.&amp;nbsp; Leave the PAC filter enabled, uncomment the ad.doubleclick.net in the hosts file and refuse to use web-sites that insist it be allowed.&amp;nbsp; I am not so much opposed to their ads as I am to their tracking, so you know this is the option I personally use.&amp;nbsp; I realize this is not most people's cup of tea.&amp;nbsp; I personally prefer Celestial Seasonings Bengal Spice.&amp;nbsp; If you like some other flavor or no tea at all (no blocking hosts file and no PAC filter) then pick your own poison.&lt;br /&gt;&lt;br /&gt;Number one isn't the best solution since, unlike AdBlockPlus, the PAC filter has extensive blocking of malware.&amp;nbsp; As I have said at another place in the blog, my order of priorities is:&lt;br /&gt;&lt;br /&gt;[a] Trackers / Spies&lt;br /&gt;[b] WebBugs (trapping you, et al)&lt;br /&gt;[c] Malware&lt;br /&gt;[d] Ads&lt;br /&gt;&lt;br /&gt;The first three are very closely tied, but blocking ads is a distant fourth until they start doing tracking.&amp;nbsp; Guess what?&amp;nbsp; DoubleClick does tracking to the point it may even run afoul of US HIPAA and Sarbanes-Oxley regs (not that anybody really cares).&amp;nbsp; There is a big problem here.&amp;nbsp; By giving a domain a GoodDomains exclusion you have turned off 
protection.&amp;nbsp; Guess what? That is exactly what has to be done for YouTube, because I have observed thousands of hosts shoving malware with the pattern "tube" in it, so I block them.&amp;nbsp; Ditto for FaceBook.&amp;nbsp; But I also have to defend against unknown false YouTubes and FaceBooks as well that are phishing at best and infecting at worst.&lt;br /&gt;&lt;br /&gt;But all of this brings up a problem a co-worker had.&amp;nbsp; It seems he had a problem with an apmebf.com host.&amp;nbsp; I have seen this in the past.&amp;nbsp; He was insisting he could not sign up for PayPal and one other financial service, which of course brought up red flags for me.&amp;nbsp; That is because in the past, spyware was what was doing the redirecting.&amp;nbsp; He is entering financial information with something like that going on? I could not duplicate his experience on two versions of Linux (OpenSuse and Ubuntu) and two versions of Windows.&amp;nbsp; There is a possibility that the web pages themselves got infected by a SQL injection right before he went there, but when I tested the URLs the web pages had been cleaned out.&amp;nbsp; But he was claiming I was blocking a legitimate service by blocking an ad server, and I still have no blocks of this domain other than the one in December 2008.&amp;nbsp; Like the ad.doubleclick.net problem with TV.com, I take these issues seriously.&amp;nbsp; But this time I was not at fault.&amp;nbsp; To wit, before you say the blocking hosts file or the PAC filter is causing a problem you better make sure that is where the problem &lt;i&gt;really&lt;/i&gt; lies.&lt;br /&gt;&lt;br /&gt;Here is how you do that:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;&lt;span style="font-size: large;"&gt;FPs and Error Reporting&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;/div&gt;&lt;ol&gt;&lt;li&gt; First try to see if the problem exists in another browser using the same user 
account.&amp;nbsp; Some of the spyware affects only the current browser.&amp;nbsp; If you have no problems with the other browser then that is where the problem lies.&amp;nbsp; As a help here, the Internet Settings on Windows is used by all major browsers now except for Firefox on Windows.&amp;nbsp; IOW, if you have a problem with IE but not with Chrome I can guarantee it isn't the PAC filter, since both of them use Internet Settings and the hosts file blocks equally for all web browsers. If at all possible, use the Firefox browser for a secondary test unless that is your primary browser.&amp;nbsp; The reason why is simple.&amp;nbsp; Firefox is the only browser you can use the dbgproxy files with effectively. If you cannot see a block in Firefox's error console you at least know the PAC filter is not causing the problem.&amp;nbsp; That doesn't mean it won't.&amp;nbsp; If you block ad.doubleclick.net in the hosts file and then comment it out, the doubleclick rule in the PAC filter springs into action.&lt;/li&gt;&lt;li&gt;Try another user account on the same OS / Computer.&amp;nbsp; This won't help if it is a system wide problem, but it will help if it is a user only problem that may be there because of something in the user's &lt;i&gt;personal &lt;/i&gt;Startup folder or in their Run registry key (HKEY_CURRENT_USER).&amp;nbsp; If that is the case then another user won't have them.&amp;nbsp; Everybody is of course going to get things started with the All Users Startup folder or the HKEY_LOCAL_MACHINE Run registry key.&amp;nbsp; IOW, this may not help a lot but is a good way to test if it is just a one user problem.&lt;/li&gt;&lt;li&gt;The PAC filter and Hosts file combo at best provides protection against only 25 percent of malware.&amp;nbsp; Make sure it isn't an infection that is causing the problem.&amp;nbsp; I did make a start on the apmebf.com problem here &lt;a href="http://securemecca.com/public/WinCleanup.txt"&gt;Info on apmebf.com&lt;/a&gt;. 
Geeks2Go and lots of other places can work on helping you clean up the problem.&amp;nbsp; That is not my turf so I cede it to them.&amp;nbsp; I will say this much - frequently the only way out of these problems is to reinstall the OS.&lt;/li&gt;&lt;li&gt;It used to take 2-3 weeks after I submitted something bad to the AV companies before half of the forty plus AV scanners at VirusTotal began to detect it. Over just a 2-3 year time span that has progressively gotten worse to the point that now it is taking 4-6 weeks for the same halfway point of the 40 plus AV programs at VirusTotal to detect malware usually delivered by browse-by infections.&amp;nbsp; I don't worry so much about the worms - the AV companies' honeynets will trap them. Instead of better time spans than average for the rest of the malware it is actually worse. Let's replace this day zero thing with month zero. What am I saying?&amp;nbsp; I am saying that even when you say you are clean you may not be clean despite all your best efforts.&amp;nbsp; OTOH, there are some idiots who do very little to protect themselves and seem to have some magic pixie dust sprinkled on them and they never get infected.&amp;nbsp; To wit, get some Linux distro and install it on your system.&amp;nbsp; If you can duplicate the problems you are having on Windows and they are the same on Linux, we &lt;i&gt;know&lt;/i&gt; it is not just Windows malware causing the problem.&amp;nbsp; Another alternative is to use a Macintosh machine and see if the problem exists on a Macintosh just like it does on Windows.&amp;nbsp; What I am trying to isolate is whether an infection of your Windows OS is causing the problem.&lt;/li&gt;&lt;li&gt;All of the foregoing cannot eliminate a seemingly random web page problem.&amp;nbsp; But by then you better be firing up Fiddler on Windows or be using wget and Wireshark and other tools like that on Linux, and that is where I come in. 
I just don't want somebody plunging ahead with finances at stake saying that I am causing the problem.&amp;nbsp; If it is your money that is at stake you better be very careful that it isn't stolen.&amp;nbsp; Pick the non-financial stuff to blaze away at the problem.&amp;nbsp; But if you are on Windows keep it in the back of your mind that your OS or some portion of it is what may be causing the problem.&amp;nbsp; It can even be something as simple as a cookie.&lt;/li&gt;&lt;li&gt;Use me to bounce the problem off of.&amp;nbsp; If I can't duplicate what you are experiencing, then go back and try it again.&amp;nbsp; If the second time around you don't have a problem we will know you either cleaned up what was causing the problem or it was just a temporary web server problem.&amp;nbsp; With SQL injections, web pages being the cause of the problem is happening more all of the time.&amp;nbsp; But if you still have the problem and I don't several times, I can almost assure you what is being blocked is not causing the problems.&lt;/li&gt;&lt;li&gt;&lt;i&gt;&lt;b&gt;Be sure you report any extra rules you have added!&lt;/b&gt;&lt;/i&gt; One person claimed I was blocking admin.brightcove.com.&amp;nbsp; &lt;i&gt;How can this be, I asked myself?&amp;nbsp;&lt;/i&gt; He had uncommented my rule to block hosts that start with an "ad.". I had commented the rule out during this thrashing that went on with tv.com. What he did was okay as far as it goes, but he also deleted the backslash!&amp;nbsp; When he did that, the dot meant match not just a dot but any valid 8-bit character.&amp;nbsp; So it matches "adm" and thus admin.brightcove.com, which should never be blocked. Once upon a time I added rules to the EasyList, EasyPrivacy, and Liste FR rules that I use with AdBlockPlus.&amp;nbsp; I don't do it any more. 
Why not?&amp;nbsp; I ran into the same sort of problems as this.&amp;nbsp; I eventually said I would let them handle all of it.&amp;nbsp; After all, what I am providing is on par in many ways with their tracker detection.&amp;nbsp; But I cede a lot of ground to them in blocking ads by choosing instead to block malware and web-bugs.&amp;nbsp; In fact there are just many times that blocking ads interferes with blocking malware and web-bugs, and since those are a higher priority than ads they win out. A word of warning is in order here.&amp;nbsp; Do not try to block too much.&amp;nbsp; The middle way is usually the best. Also, unless you allow ads many web-sites just cannot exist.&amp;nbsp; Without that profit from the ads they have no way that they can keep their web-site going.&lt;/li&gt;&lt;/ol&gt;So there you have it.&amp;nbsp; Please do that when reporting the problems.&amp;nbsp; If you choose to disable and uninstall the PAC filter and a blocking hosts file if you have one, good luck and I hope that magic pixie dust protects you forever.&amp;nbsp; That is not a joke.&amp;nbsp; Have you ever heard that some people have all good luck and other people have all bad luck?&amp;nbsp; Well, that really does happen some of the time.&amp;nbsp; The problem is that the people that have all the good luck don't understand that the reason they aren't getting infected is due more to their luck than any effort on their part, especially when they are running Windows 98 or Windows XP with almost nothing done to secure it.&amp;nbsp; Windows 7 Pro and Ultimate run in virtual mode really do provide a great edge in protection over Windows 98.&amp;nbsp; I hate to perf the Windows fanboys' and fangirls' balloon though.&amp;nbsp; Linux really does provide more protection and OpenBSD provides even more protection.&amp;nbsp; But even on these safer operating systems you still have trackers.&amp;nbsp; So now you know why I will still provide the PAC filter and hosts file.&amp;nbsp; Even these 
safer systems can benefit from using them as well.&amp;nbsp; The days of unfettered Internet access were over years ago.&amp;nbsp; It will take just one to two times of you getting an infected system before you finally conclude that steps do need to be taken to protect yourself now.&amp;nbsp; But blocking the tracking is a full-time effort.&amp;nbsp; The trackers just keep pouring into my filters.&amp;nbsp; The malware rules also keep trickling in as well.&amp;nbsp; It is just that much of the time a potential malware rule causes way too many FPs.</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/652041065524303545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=652041065524303545' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/652041065524303545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/652041065524303545'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2010/11/fps-and-error-reporting.html' title='FPs and Error Reporting'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-2147529394626254</id><published>2010-09-05T12:39:00.000-07:00</published><updated>2010-09-07T14:39:42.753-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows 64-bit Rootkits'/><title type='text'>Windows 64-bit Rootkits</title><content type='html'>SANS kindly provided three URLs on rootkits in-the-wild that use the MBR to do their dastardly deed.  It doesn't end there. For the first time, Microsoft Windows 64-bit, which heretofore was not vulnerable, is now vulnerable (2010-08-30).  Here are the URLs (I shortened them using TinyURL in preview mode so you can see where you are going):&lt;br /&gt;&lt;br /&gt;&lt;a href="http://preview.tinyurl.com/3x3lj44"&gt;http://preview.tinyurl.com/3x3lj44&lt;/a&gt;&lt;br /&gt;&lt;a href="http://preview.tinyurl.com/24llsax"&gt;http://preview.tinyurl.com/24llsax&lt;/a&gt;&lt;br /&gt;&lt;a href="http://preview.tinyurl.com/2bv5pwc"&gt;http://preview.tinyurl.com/2bv5pwc&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The last URL gave the impression that nothing can be done.  To me that is unethical.  If you have BIOS protection for the MBR, something can be done.  To go into the BIOS on AMD machines, repeatedly tap the Del key right after power-up but before the boot starts.  For Intel powered machines, you use the F2 function key.  Turning off the BIOS splash screen helps since then you can see when you need to do it. Once you get into the BIOS, you can usually find the MBR protection in the Advanced menu if it is an available option.  I have seen too much falderal about this making changes to the disk itself.  It doesn't alter your disks.  It just makes it impossible to write to the MBR for the hard disks you can boot from.  It is the BIOS itself that prevents it from happening, not the disks. 
There are three cases where you will probably need to turn off the MBR write protection but only for a very short time span.&lt;br /&gt;&lt;br /&gt;1. When installing an additional OS (adding Linux to Windows for example).&lt;br /&gt;2. When upgrading an existing OS.&lt;br /&gt;3. When upgrading the BIOS.&lt;br /&gt;&lt;br /&gt;After you have made your changes, if you have turned the MBR write protection off be sure to turn the MBR write protection back on.&amp;nbsp; It is very easy to slip up and forget to do it.&amp;nbsp; If you use a check list, write the turn off and then turn back on into the check list.&lt;br /&gt;&lt;br /&gt;There is nothing to prevent hackers (I call them crackers) from shifting to using the PBR (Partition Boot Record) to achieve their aim.  Since less than 10% of people that have MBR protection in the BIOS will ever turn the protection on and at least 1/3 of BIOSes don't even have the feature, why would the hackers even bother to use the PBR?  It is also not a sure deal that use of the PBR would always work properly since the PBR is meant to be a backup in case of MBR problems.  Security never comes via one magic bullet.  It is built on layers of protection. Hopefully you have more than one layer for each attack vector. This provides redundancy in case one of the layers fails.  So if you have MBR protection as an option in your BIOS, by all means, turn it on.  It is better than doing nothing and hoping for the best if this option is available to you. But don't depend on it to completely protect you.&amp;nbsp; Shifting to using Linux or a Macintosh is yet another security layer (but not a security magic bullet) that can be used to protect yourself.&amp;nbsp; The problem is, too many Linux and Macintosh owners do see their OS as a magic bullet.&amp;nbsp; That is why I see strange things like ${HOME}/bin&amp;nbsp; and "." 
(the current directory / folder) first in the PATH on at least one version of Linux.&amp;nbsp; I want this order gone ASAP.&amp;nbsp; If you must have ${HOME}/bin and "." in the PATH, add them at the end with "." at the very end.&amp;nbsp; I don't even have "." at all in my PATH.&amp;nbsp; Does that tell you something?&amp;nbsp; Prepending a "./" to the binary or shell script in the current folder is not that big of a problem.&amp;nbsp; I have been doing it for 30+ years now.&amp;nbsp; That means I was doing it with Unix long before Linux was even a gleam in Linus Torvalds' eyes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-2147529394626254?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/2147529394626254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/2147529394626254'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2010/09/sans-kindly-provided-three-urls-on.html' title='Windows 64-bit Rootkits'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-3353503714296653208</id><published>2010-06-02T18:29:00.001-07:00</published><updated>2010-10-08T20:07:17.411-07:00</updated><title type='text'>SUDO JUST WON'T DO!</title><content type='html'>I recently installed Ubuntu Linux 10.04 on one of my machines and since I am used to a SYS-V way of doing things (I have worked on one variant of Unix or Linux all the way back into the late 1970s) it wasn't without its set of 
gotchas.  I actually cut my teeth on BSD, so a BSD style Linux isn't all that much of a problem in terms of me being happy working on it (it is much better than attempting to use CP/M or old DOS) - &lt;span style="font-style: italic;"&gt;except for one thing!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Ubuntu, Macintosh, Knoppix, and others have a sudo only way of doing things.  Given what Knoppix is normally doing I can understand it there.  Knoppix is not really a normal desktop system except perhaps for its author and some other devotees.  Most of us other mere mortals use Knoppix to fix some catastrophic problem that isn't easily fixed any other way. I do not understand a sudo only way of doing things on a desktop system and these are the reasons why.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;One:&lt;/span&gt;  I installed Ubuntu and did my usual of importing my ~/bin folder with its set of scripts (had a gotcha with the location of sh - don't always count on /bin/sh or even /usr/bin/sh - I handle it in a very non-standard way by creating a symlink where it isn't to point to where it does exist) and programs, for which I had to get the rest of the gcc environment to build them.  I still need to handle the g++ and other things but one thing at a time.  I went to modify the .bash_profile or .bash_login only to find it defaulted back to .profile.  With all of the variations of BASH, no big deal.  But in .profile I see:&lt;br /&gt;&lt;br /&gt;if [ -d "$HOME/bin" ] ; then&lt;br /&gt;PATH="$HOME/bin:$PATH"&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;I suppose it could be worse.  They could have put dot (".") first in the ${PATH} which is sometimes what I would swear Microsoft Windows does (addendum on 2010-10-09: in fact "." 
is implicitly first in both the *.exe, *.scr et al. path and also first for the DLL path, which you can search for information on and find):&lt;br /&gt;&lt;br /&gt;if [ -d "$HOME/bin" ] ; then&lt;br /&gt;PATH=".:$HOME/bin:$PATH"&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;I changed it to:&lt;br /&gt;&lt;br /&gt;if [ -d "$HOME/bin" ] ; then&lt;br /&gt;PATH="$PATH:$HOME/bin"&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;If you want ".", add it last.  I have used ./exe-file for so many years it is second nature to me now. Why did I change the $PATH?  I don't want somebody slipping in some replacements for ps, ls, and other system commands so that they can hide their processes and presence in case of me being slipped the mickey and not knowing it is there.  Even though there will be some idiots that fall for something to install things outside of the ${HOME} file space, I strongly suspect that most malware on Unix and Linux if it ever arrives will just install into the ${HOME} file space.  That is after all where the credit card numbers, phone numbers, addresses and other good stuff are anyway. So far, so good.  I will hopefully not have some sleazy trojan stuck into my user account's ${HOME}/bin folder.  If there is one, I will not be running a substitute ps command in its place, so it will show up. I check those startup files for my shell all the time people!  I also install ksh so it will be available.  Some people use ksh (Korn SHell) as their default shell.  With its wonderful integer accessible arrays and lots of other great features I can understand why.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Two:&lt;/span&gt;  I did the following without giving it too much thought.  After all, just because Ubuntu is a BSD style Linux, it still has a root login, right?  
&lt;span style="font-style: italic;"&gt;Wrong?&lt;/span&gt;  Anyway I added the following for myself in my .bashrc at the end:&lt;br /&gt;&lt;br /&gt;umask 077&lt;br /&gt;&lt;br /&gt;and altered it to this in .profile:&lt;br /&gt;&lt;br /&gt;# umask 022&lt;br /&gt;# the next one is at the end of the file &lt;br /&gt;umask 077&lt;br /&gt;&lt;br /&gt;I always save the originals as ${FILE}-MYDATESTRING and put them in an old folder.&lt;br /&gt;&lt;br /&gt;Now I am all set to go with things closed down by default with Ubuntu doing it correctly by putting me by default into my own group.  Or at least I &lt;span style="font-style: italic;"&gt;think&lt;/span&gt; I am ready to go.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Three:&lt;/span&gt;  Now I did the unthinkable. First, I tried to do my usual on a SYSV style 'nix system which was to attempt to do a "su -l root".  Despite me typing what I thought was root's password it failed. So I started an xterm from my custom launcher and in it typed:&lt;br /&gt;&lt;br /&gt;sudo xterm -bg ${A-DIFFERENT-COLOR-THAN-WHAT-I-HAVE} -fg black +sb&lt;br /&gt;&lt;br /&gt;I type in the sudo password and I get a root xterm which I set to have the largest font size possible and enlarge it to fit almost the entire screen.  Then I minimize it to the bar and close the xterm that started it.  The root xterm doesn't die immediately.  There is no telling how long it will take for init to kill it on Ubuntu or launchd to kill it on the Macintosh.  I do know I have run it for at least two consecutive weeks without it dying but we will see how it goes.  That isn't the problem.  What is root's $HOME and umask?&lt;br /&gt;&lt;br /&gt;$HOME is /home/lehobbit&lt;br /&gt;umask is 077&lt;br /&gt;&lt;br /&gt;That will not do.  Why not?  Because if I am correct and what the malware does is install itself into the ${HOME} user space we need to at least partially inoculate the root user from using the same infected stuff.  
After all, it may change the ${PATH} back to include lehobbit's infected bin folder. Actually, all Ubuntu Linux and Macintosh users need to create a secondary sudo enabled user account which they configure and leave at the default settings to undo the damage done to their full time user account.  So I explicitly set things up in a /root folder by adding the following to these files:&lt;br /&gt;&lt;br /&gt;/root/.profile:&lt;br /&gt;==========&lt;br /&gt;export HOME=/root&lt;br /&gt;umask 022&lt;br /&gt;# my way of adding /root/bin to the $PATH - &lt;span style="font-style: italic;"&gt;LAST!&lt;/span&gt;&lt;br /&gt;# more importantly, I do NOT just add to what is there.&lt;br /&gt;# I SET IT so lehobbit's infected bin folder will NOT be&lt;br /&gt;# in the path ANYWHERE!&lt;br /&gt;&lt;br /&gt;/root/.bashrc:&lt;br /&gt;==========&lt;br /&gt;umask 022&lt;br /&gt;&lt;br /&gt;I also transported my bin folder up there intact and then did the following (using "#" to indicate a root level prompt of that root xterm):&lt;br /&gt;&lt;br /&gt;# cd /&lt;br /&gt;# chown -R 0:0 /root&lt;br /&gt;# find /root -type d -exec chmod 700 {} \;&lt;br /&gt;# chmod 755 .&lt;br /&gt;# chmod 755 ..&lt;br /&gt;# find /root -type f -perm 755 -exec chmod 700 {} \;&lt;br /&gt;# find /root -type f -perm 644 -exec chmod 600 {} \;&lt;br /&gt;&lt;br /&gt;All of this chmod u+x whatever falderal is insanity at its worst.  I am getting sick and tired of seeing it!  Set it to be exactly what you want!  Here is a tutorial on how to do it (if you don't understand it then write to me and I will point you to the relevant Stevens books):&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.securemecca.com/public/ChmodTable.txt"&gt;http://www.SecureMecca.com/public/ChmodTable.txt&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Okay, now when I get my xterm with root privs I can type:&lt;br /&gt;&lt;br /&gt;# cd /root&lt;br /&gt;# . .profile&lt;br /&gt;# . 
.bashrc&lt;br /&gt;&lt;br /&gt;It has the proper home, my way of starting vim not to give me a history, no darn files ending with tildes, function keys mapped in vim to race around the buffers with saving or not, and most importantly, root now has a umask of 022 and doesn't have that potentially infected /home/lehobbit/bin folder in the $PATH.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Four:&lt;/span&gt;  Are we out of the woods yet?  &lt;span style="font-style: italic;"&gt;I would like to say we are but in fact we probably are not!&lt;/span&gt;  Do you remember that umask of 077 I have for myself?  What happens if some idiot does not follow my advice on just setting the file permissions by attempting to add to what I have but counts on me having a umask of 022 when I do a package install via sudo from an xterm in my space? (2010-10-09: guess what, Synaptic did just that and I had to go correct this manually)&amp;nbsp; A similar situation arises when you start trying to do time zone changes to find a TV feed for example.  The solution for the time is to contrast everything to UTC, and my machines are set to UTC time for all operating systems.  Daylight savings time needs to be cycled out - just tell people to do things an hour earlier in the spring and do it later again in the fall. So every time I install a package or do anything else requiring sudo to get it done, I now have to always type the following in an xterm first:&lt;br /&gt;&lt;br /&gt;$ umask 022&lt;br /&gt;&lt;br /&gt;There is no guarantee that the forked process won't have problems if it sources my lehobbit .profile or .bashrc file.  In that case we are back to having a umask problem again.  
I suppose it is okay for people to leave their umask at 022 and they can execute a script that every so often does the following:&lt;br /&gt;&lt;br /&gt;# cd ${HOME}&lt;br /&gt;cd&lt;br /&gt;cd ..&lt;br /&gt;find ${HOME} -type d -exec chmod 700 {} \;&lt;br /&gt;for FPERM in 644 640&lt;br /&gt;do&lt;br /&gt;find ${HOME} -type f -perm ${FPERM} -exec chmod 600 {} \;&lt;br /&gt;done&lt;br /&gt;for FPERM in 755 750&lt;br /&gt;do&lt;br /&gt;find ${HOME} -type f -perm ${FPERM} -exec chmod 700 {} \;&lt;br /&gt;done&lt;br /&gt;&lt;br /&gt;But wouldn't it be much nicer to just have a umask of 077 and open things up as needed?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion:&lt;/span&gt;&lt;br /&gt;What some people have done is taken a mechanism that was created to give limited access to get certain jobs done and made it into a mantra.  Even worse, Apple has hidden entirely that is what is being done by calling it something else.  But since Apple has replaced init with launchd and nobody gives me the nitty gritty on how it works I have a lot of problems with the whole thing and no time or space to worry about it. I am sorry, but every time I see people who mandate sudo and disallowing either a su (what my sudo of an xterm did in reality) or a logging in as root they don't understand the following things.&lt;br /&gt;&lt;br /&gt;1. These people are in many ways novice users.  Once they see me racing around at top speed logged in as root they always have to ask me to slow down and explain what I am doing.   I have no idea what they would do if they saw my friend Pieter Bowman going about 10x+ my speed. I can understand their reticence.  My only counsel is to go slow and stop and think once, then twice, then thrice before tapping that Enter key.  Are you really sure you want to remove user nobody and all of his files and folders on BSD?  There is no problem with Ubuntu since nobody's home is "/nonexistent" (on old BSD it is "/").  
There is no shame in going slow.  OTOH, if you mess things up once you usually will not make the same mistake twice.  The problem is they are using sudo as a crutch thinking it will save them.  If you have a one megabyte file consisting of nothing but zeros named megazeros in the current folder and the boot disk drive is sda, you better not &lt;span style="font-style: italic; font-weight: bold;"&gt;EVER&lt;/span&gt; type:&lt;br /&gt;&lt;br /&gt;$ sudo dd bs=65536 count=16 if=megazeros of=/dev/sda&lt;br /&gt;&lt;br /&gt;OTOH, it may be quite effective to do that on an infected disk (which means it will be some device other than sda) to clean off all traces of a boot sector virus.  That is not enough to erase all of the information.  To do that you need to wipe the disk.  My way of doing that is to do this first (write a megabyte of zeros to the start of the drive), then fdisk it and allocate it all to an ext2 file system or as many as needed if you can not make just one huge ext2 partition.  Then I attach the disk to a mount point and then keep writing files with zeros in them until I cannot write any more. Then I wait eight hours.  Then I remove the files and wait a few hours more. After that I unmount the disk partition and follow that up with another dd of a megabyte of zeros onto the start of the drive.  What am I saying? &lt;span style="font-style: italic;"&gt;I am saying don't depend on users to be protected from learning all of this by sudo!&lt;/span&gt; Instead provide some training and help.  The reason is that sudo causes just as many if not more problems than the ones it gets rid of if you use it as the only privilege escalation method.&lt;br /&gt;&lt;br /&gt;2. sudo should not be hidden like it is on a Macintosh.&lt;br /&gt;&lt;br /&gt;3. sudo is not a good general purpose mechanism in handling all problems.  The best way to clear out a user only infection is to log in as somebody else that has the privileges to fix the problem.  
That user's name is normally root.  You can do what I did, but how many Ubuntu Linux users can handle it in this way?  How many even know you can do it?  Well, all of the ones that just read this know how to do it now until they put in a way to stop it from being done.  I am sure that the instant somebody at Ubuntu reads this my trick of getting a sudo'd xterm that is running as root will be gone.  If they do it, so will I (be gone and never use Ubuntu again).&lt;br /&gt;&lt;br /&gt;4. sudo creates big problems in doing things in a big lab or work environment unless you can guarantee that only one user uses a machine for the duration of their entire employment / use span at that organization.  If you cannot guarantee that to be the case then you will want some general purpose mechanism other than sudo.  You will also want all users' default umask to be 077 and open the folders / files as needed.&lt;br /&gt;&lt;br /&gt;5.  I don't mind if you limit the su access to only certain accounts.  That is fine.  But I should not have to bypass it by sudo'ing an xterm (2010-10-09: you can sudo su as explained in a comment here).  It only works, sort of; you still have the umask problem.  I am still not happy that I cannot just log in as root some of the time.  When I do that I am not using the machine - I am configuring it.  OpenSUSE doesn't use sudo as the control mechanism but I haven't found yet where they SET the IP address statically.  But then I haven't exhaustively searched for where it is done either.  But hiding things usually only creates more problems than it solves. Something that is transparent is always better.&lt;br /&gt;&lt;br /&gt;6. The root user really should have a /root folder with its own startup stuff and that folder should be just as tightly controlled as I am trying to make the lehobbit folder.  
It is just that root must close its own new folders and files down manually because for everything else root needs - you guessed it, a default umask of 022.  I strongly suspect the umask of a normal user was set to 022 by default because of the problems it creates for sudo to have it anything else.  Unless sudo will automatically reset the umask for the one needed we have a problem.  Usually, it doesn't.&lt;br /&gt;&lt;br /&gt;7. Nix newbies need some training in how to handle all of this.  Most of them want to log in and do everything as root.  I am changing a lot of things that require it all of the time but I only use the root xterm for those tasks that need it.  For everything else, lehobbit is just fine.  Unlike Microsoft Windows, 99% of the time I don't need to do anything as root.  If I were not doing security work that figure would probably drop to 1% or less for root and 99.9% or more for lehobbit.  For example, in using my OpenPGP keys, it doesn't even make sense to use them as root.  But for those times when using root is really needed, like in cleaning out the new malware to come which will probably be in a user's $HOME folder, you need to go about getting rid of it as anything &lt;span style="font-style: italic; font-weight: bold;"&gt;but&lt;/span&gt; that user that is infected.  Normally, root would be best.  That is what we need the LUGs for - they need to educate people in how to handle this.  But we need to banish the idea that sudo is the best general purpose privilege elevation control.  
We need to send the sudo only way of doing things to /dev/null.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-3353503714296653208?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/3353503714296653208/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=3353503714296653208' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/3353503714296653208'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/3353503714296653208'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2010/06/sudo-just-wont-do.html' title='SUDO JUST WON&apos;T DO!'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-6623479655209704615</id><published>2010-04-30T09:06:00.000-07:00</published><updated>2011-05-15T15:59:55.160-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Faster Computer'/><title type='text'>Faster Computer</title><content type='html'>I have gone back and forth on whether to block Ascentive, CyberDefender, DoubleMySpeed, FinallyFast, MyCleanPC, and MyCleanerPC among others.  Up until now I thought people should check this stuff out for themselves.  I have finally put many of these hosts into the main section of my hosts file.  Why did I put them there?  
Because they really aren't malware (maliciels), they do not belong in the risk section.  It looks strange to see them mixed in with ad servers and trackers but there is no other place to put them. (update 2011-04-18: After looking at the cookies they are going back in and I also block their cookies). More than anything else this is a statement that you should have no need of these products if you regularly clean out old temporary files and optimize your disk, etcetera.  If you have had more than one AV program, make sure you completely uninstall old versions and that includes removal of the unused registry entries. The products listed here can do some of that for you.  Some free alternatives for the pay programs I blocked that you can consider are (given in alphabetical order):&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: 130%; font-weight: bold;"&gt;CCleaner&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.piriform.com/ccleaner"&gt;http://www.piriform.com/ccleaner&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: 130%; font-weight: bold;"&gt;Glary Utilities&lt;/span&gt;&lt;br /&gt;&lt;a href="http://preview.tinyurl.com/apmuwj"&gt;http://preview.tinyurl.com/apmuwj&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: 130%; font-weight: bold;"&gt;Malwarebytes&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.malwarebytes.org/products/malwarebytes_pro"&gt;http://www.malwarebytes.org/products/malwarebytes_pro&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I may add some more in the future but I would like to keep this a lean list.  Some users claim these products work even better than the programs you must purchase.&lt;br /&gt;&lt;br /&gt;I have heard that you may need a geek to help you with CCleaner or it will get carried away.  
Also, it is known to remove passwords that you keep in browsers, etcetera.  If nothing else, that should prompt you to purchase a password program to encrypt and store your passwords someplace safer.  Shame on you for leaving your passwords out in the open anyway.&lt;br /&gt;&lt;br /&gt;Also, even with something as simple as Java, make sure you unselect any toolbar install unless you really want that particular toolbar.  I have read someplace that Glary's includes the Ask Toolbar.  Other people may like toolbars but I don't like them.  If you are like me then you will never fast track an install. I select the inspect everything approach and make sure I don't get something I didn't want.&lt;br /&gt;&lt;br /&gt;Now I have given you some alternatives to what I just blocked.  You are of course free to disagree with me and delete the entries in the hosts file or just go back to the default hosts file and get the products that are advertised forever on TV.   At one time I used to block Stop-Sign.com but I don't block it any more.  If you think what Stop-Sign provides is superior to Symantec, Kaspersky or some other AV product that is your decision to make. Maybe these products I am blocking will mature and I will also not block them in the future.  Eventually it all comes down to the fact that the end user needs to make all of these decisions anyway.  At least now you are given a second chance to back out until you remove the block to do some research and then decide for yourself what you want to do.  At least what I am pointing you towards doesn't cost very much. 
That is all I was attempting to do in the first place.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-6623479655209704615?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6623479655209704615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6623479655209704615'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2010/04/faster-computer.html' title='Faster Computer'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-4335988697241669593</id><published>2010-04-05T01:22:00.000-07:00</published><updated>2011-10-14T06:58:19.337-07:00</updated><title type='text'>Deactivate PAC filter</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: 180%; font-weight: bold;"&gt;Deactivating the PAC filter&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;Somebody wrote to me implying that they were going to have to format their hard disk drive to get rid of the PAC filter.  Don't panic!&amp;nbsp;  A caveat is in order here.&amp;nbsp; All of these instructions are for Microsoft Windows.&amp;nbsp; If someone has the PAC filter or other stuff on Linux or Macintosh, contact me personally at this email address: hhhobbit gnat securemecca.com.&amp;nbsp; I will give instructions for how to remove the PAC filter. 
These instructions for deactivating the PAC filter will work for the Internet Explorer, Chrome, and Safari browsers on Microsoft Windows.&lt;br /&gt;&lt;br /&gt;1. Click on &lt;span style="font-weight: bold;"&gt;Start&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;2. Select &lt;span style="font-weight: bold;"&gt;Control Panel&lt;/span&gt;.  The default is out in the open.  If you have changed the way you view what is hanging off the Start menu to be something other than the default then it is &lt;span style="font-style: italic;"&gt;your&lt;/span&gt; responsibility to find the &lt;span style="font-weight: bold;"&gt;Control Panel&lt;/span&gt;.  You can also do some of this from Internet Explorer instead - if you are going that route select the Internet Options and skip to step 4.&lt;br /&gt;&lt;br /&gt;3. Double click on the &lt;span style="font-weight: bold;"&gt;Internet Options&lt;/span&gt;.  You can now close the &lt;span style="font-weight: bold;"&gt;Control Panel&lt;/span&gt; window.&lt;br /&gt;&lt;br /&gt;4. Select the &lt;span style="font-weight: bold;"&gt;Connections&lt;/span&gt; tab at the top.&lt;br /&gt;&lt;br /&gt;5. Click on the &lt;span style="font-weight: bold;"&gt;LAN Settings&lt;/span&gt; button.&lt;br /&gt;&lt;br /&gt;6. Find the section that has the file://C:/etc/proxy_en.txt string or file://C:/etc/proxy_fr.txt string.  If you have the older version of the filter it may be just file://C:/etc/proxy.txt.&amp;nbsp; It should be in the &lt;span style="font-weight: bold;"&gt;Automatic Configuration&lt;/span&gt; section but it may be different depending on what IE version you are using. You were warned not to use the PAC filter if the Proxy Server box was checked.  In any case find where the section is that has this string and &lt;span style="font-style: italic;"&gt;uncheck it so it is no longer using the PAC filter&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Congratulations.  
You have now just deactivated the PAC filter for everything that uses Microsoft's Internet Settings.  It will no longer function in IE, Outlook, Chrome, Safari, RealPlayer, Opera, or anything else that uses Internet Settings.&amp;nbsp; Okay, now let's handle the Firefox browser.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;&lt;span style="font-size: large;"&gt;Firefox PAC Deactivation&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;Firefox does not use the Internet Settings.&amp;nbsp; Here are the steps you should take to deactivate the PAC filter in Firefox.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;1. Click on &lt;b&gt;Tools&lt;/b&gt; on the menu bar (for some it will be &lt;i&gt;Edit&lt;/i&gt;).&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;2. Click on &lt;b&gt;Options&lt;/b&gt; (under Edit it is &lt;i&gt;Preferences&lt;/i&gt;).&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;3. Click on &lt;b&gt;Advanced&lt;/b&gt; at the top of the Options / Preferences panel.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;4. Click on the &lt;b&gt;Settings&lt;/b&gt; button.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;5. You will see the "Automatic proxy configuration URL:" radio button selected. Select the "&lt;b&gt;No proxy&lt;/b&gt;" radio button. 
On older versions of Firefox it may be called "&lt;i&gt;Direct&lt;/i&gt;."&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Congratulations again.&amp;nbsp; The PAC filter has been deactivated in Firefox.&amp;nbsp; If you are sure you want to remove it all including the hosts file and the Homer pseudo web server read on.&lt;/div&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;But don't panic!  Just deactivate the PAC filter and go from there.  Remember, once the PAC filter has been turned off in Internet Settings and Firefox it is effectively not even there any more!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;&lt;span style="font-size: large;"&gt;Remove Blocking Hosts File&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;1. 
Go to this URL in your browser:&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.securemecca.com/public/OrgHosts.txt"&gt;Original Hosts File Script&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Not knowing your browser in advance, it is hard to give specific instructions for saving the file named "&lt;i&gt;OrgHosts.txt&lt;/i&gt;" to your Desktop.&amp;nbsp; I can say that you will have something like "&lt;i&gt;Save Page As ...&lt;/i&gt;".&amp;nbsp; Usually it will be under the File menu.&amp;nbsp; If you want to fast track it, change the "&lt;i&gt;.txt&lt;/i&gt;" extension to "&lt;i&gt;.bat&lt;/i&gt;" when you save.&amp;nbsp; That means if you did it right, the file on the Desktop will show up as "&lt;i&gt;OrgHosts.bat&lt;/i&gt;" if you have Windows set to show extensions.&amp;nbsp; It goes without saying that I strongly encourage you to change the default of hiding extensions so that file extensions are shown; it is a security enhancement.&amp;nbsp; There are too many attacks where the file is named something like Questionable.jpg.exe, and you may double click on it thinking it is an image file when it is really the installer for a Trojan.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;2. If you didn't save the file as "&lt;i&gt;OrgHosts.bat&lt;/i&gt;" but as "&lt;i&gt;OrgHosts.txt&lt;/i&gt;" instead, right click on the file (left click if you reversed the mouse buttons), and change the file name to "&lt;i&gt;OrgHosts.bat&lt;/i&gt;" (change the "&lt;i&gt;.txt&lt;/i&gt;" to be a "&lt;i&gt;.bat&lt;/i&gt;").&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;3. 
Double click on the &lt;i&gt;OrgHosts.bat&lt;/i&gt; file.&amp;nbsp; When it finishes you should see the message "&lt;i&gt;The blocking hosts should be removed now.&lt;/i&gt;" On the line below it you will see the final message "&lt;i&gt;Press enter to exit.&lt;/i&gt;"&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;4. Tap the enter key.&amp;nbsp; If you want to study the script file, change the ".bat" extension back to ".txt" and view it in your default ".txt" editor by double clicking on the file.&amp;nbsp; If you don't want to study it, just right click on the file and delete it.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Congratulations.&amp;nbsp; The blocking hosts file is now gone.&amp;nbsp; I must say that I finally commented out the host named ad.doubleclick.net in the hosts file because it is the one host used by the few remaining web sites that demand you not block ad pushers in order to use their site.&amp;nbsp; My take on that is that I don't go to them if they insist it be allowed.&amp;nbsp; I block it for myself.&amp;nbsp; Blocking ads is number four on my priority list, but the DoubleClick service does much more than just deliver ads.&amp;nbsp; It also tracks you.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;b&gt;At this point NOTHING is being blocked.&amp;nbsp; You could stop here if you want to.&amp;nbsp; If you do not want Homer running look at the next step, and if you want it all gone then see the &lt;i&gt;Mopping Up&lt;/i&gt; step.&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;&lt;span style="font-size: large;"&gt;Removing 
Homer&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;WARNING!&amp;nbsp; Do not remove Homer, which is a pseudo web server, if you have either the blocking hosts file or PAC filter blocking enabled.&amp;nbsp; Homer answers the redirected requests by replacing images with a 1x1 clear GIF image and almost everything else with a do-nothing response.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;1. Go to this URL in your browser:&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.securemecca.com/public/NoHomer.txt"&gt;Remove Homer Script&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;See the instructions for downloading the &lt;i&gt;OrgHosts.bat&lt;/i&gt; script file (&lt;i&gt;step 1 in Remove Blocking Hosts File&lt;/i&gt;) and do the same thing here.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;2. Rename the "&lt;i&gt;NoHomer.txt&lt;/i&gt;" file to "&lt;i&gt;NoHomer.bat&lt;/i&gt;".&amp;nbsp; See step 2 of &lt;i&gt;Remove Blocking Hosts File&lt;/i&gt; for how to do that.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;3. Double click on the &lt;i&gt;NoHomer.bat&lt;/i&gt; file.&amp;nbsp; At the end you should see three long sentences ending in "Press Enter to Exit."&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;4. 
Right click on the &lt;i&gt;NoHomer.bat&lt;/i&gt; file and select Delete.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;&lt;span style="font-size: large;"&gt;Mopping Up&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;At this point you should really have no adverse effects from having had the filters at all.&amp;nbsp; However, there are some registry entries that are left and some files you may want to delete.&amp;nbsp; So let's do them so you have reversed everything you can to a reasonable degree.&amp;nbsp; First let's clean up the registry, even though what is left should cause no adverse effects.&amp;nbsp; But be sure you do this only after you have deactivated the PAC filter for every user on the computer and removed the blocking hosts file.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;1. Go to this URL in your browser:&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.securemecca.com/public/AllIEUsersUndo.txt"&gt;All IE Users Undo Registry&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Save the "AllIEUsersUndo.txt" file just like you did the &lt;i&gt;OrgHosts.txt&lt;/i&gt; and &lt;i&gt;NoHomer.txt&lt;/i&gt; files, &lt;u&gt;&lt;i&gt;with one significant exception&lt;/i&gt;&lt;/u&gt;. You want to change the extension from "&lt;i&gt;.txt&lt;/i&gt;" to "&lt;i&gt;.reg&lt;/i&gt;" so that you have a file named "&lt;i&gt;AllIEUsersUndo.reg&lt;/i&gt;" on your Desktop.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;2. 
Double click on the AllIEUsersUndo.reg file.&amp;nbsp; Some of the entries here were what made it possible to use the PAC filter.&amp;nbsp; Once they are gone, the PAC filter will no longer work even if you try to reactivate it in Internet Settings.&amp;nbsp; You would have to download the install package and double click on the AllIEUsers.reg file again to be able to turn the PAC filtering back on in Internet Settings and have it do something.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;3. If you are the only user on the system that was set up to use the PAC filter in Internet Settings then you are all done with the registry removals.&amp;nbsp; If other users are also using it, you will need to go back and repeat the deactivation of the PAC filter for each of them.&amp;nbsp; Once that is done, go to this URL in your browser:&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.securemecca.com/public/EachIEUserUndo.txt"&gt;Each IE User Undo Registry&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;You can save the file to their Desktop or alternatively save it to the All Users Desktop, being careful to rename the "&lt;i&gt;EachIEUserUndo.txt&lt;/i&gt;" file to "&lt;i&gt;EachIEUserUndo.reg&lt;/i&gt;".&amp;nbsp; Double click on it for each user just like you did for all of the other files.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;At this point you may ask why I didn't do this to deactivate the PAC filter in the Internet Settings in the first place.&amp;nbsp; There are two reasons.&amp;nbsp; First, that setting is really a pair of entries in two separate registry hives.&amp;nbsp; I can easily delete the one in the HKEY_CURRENT_USER hive, but that does nothing unless you also delete the 
one in the HKEY_USERS hive, and that one ranges from difficult to impossible for me to delete with a simple script. The second reason is to make sure it really got done.&amp;nbsp; It is best to have a human do that step.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;4. You will probably want to delete the files even though they take up almost no space.&amp;nbsp; I stored the files in these two folders:&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;%SystemDrive%\etc\&lt;/div&gt;&lt;div style="text-align: left;"&gt;%SystemDrive%\Homer\&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Usually that is:&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;C:\etc&lt;/div&gt;&lt;div style="text-align: left;"&gt;C:\Homer&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;I would like to just use deltree, but you have to install deltree before you can use it.&amp;nbsp; So you will have to delete these manually if you want to get rid of them.&amp;nbsp; They take up almost no space and, like I said, they are no longer being used.&amp;nbsp; You have all the time in the world to delete them.&amp;nbsp; The pressure is officially off.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;u&gt;Happy Trails To You:&lt;/u&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;I hope you have a happy, safe, filter-less browsing experience and that your machine doesn't get infected.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/6747627828832681257-4335988697241669593?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/4335988697241669593/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=4335988697241669593' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/4335988697241669593'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/4335988697241669593'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2010/04/deactivate-pac-filter.html' title='Deactivate PAC filter'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-1385802973070504164</id><published>2010-01-24T15:43:00.000-08:00</published><updated>2010-09-07T14:10:35.166-07:00</updated><title type='text'>Priority Changes</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size: 180%; font-weight: bold;"&gt;Priority Changes&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;The following set of priorities has been the order that determined what I blocked for quite some time, first informally and then formally:&lt;br /&gt;&lt;br /&gt;1. Malware (Maliciels)&lt;br /&gt;2. Trackers (Traqueurs)&lt;br /&gt;3. WebBugs and any other bad things that are hard to classify (spam)&lt;br /&gt;4. 
Ads, especially egregious or in-your-face ones&lt;br /&gt;&lt;br /&gt;The new order of priority now (2010-01-25 UTC) is:&lt;br /&gt;&lt;br /&gt;1. Trackers (Traqueurs)&lt;br /&gt;2. WebBugs and any other bad things that are hard to classify (spam)&lt;br /&gt;3. Malware (Maliciels)&lt;br /&gt;4. Ads, especially egregious or in-your-face ones&lt;br /&gt;&lt;br /&gt;There are quite a few reasons for this change, but these are the major ones:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reason 1:&lt;/span&gt;&lt;br /&gt;I have detected numerous hosts within the past few months that carry a JavaScript that unpacks itself and calls another host to run a fake scan (using a Flash file) of your computer.  It then installs rogue anti-malware (a Trojan that pretends to be an anti-malware product) that is hard to get rid of.  Frequently you have to just reinstall your OS.  Here are the initial results of scanning the file at VirusTotal for one of the many variants of these scripts:&lt;br /&gt;&lt;br /&gt;http://preview.tinyurl.com/yd9q9jd  (3/41)&lt;br /&gt;&lt;br /&gt;They stayed there stubbornly with only Authentium, F-Prot, and Sophos detecting them for well over a month.  I suppose if one of those is the AV program you use then you are in fine shape.  I finally submitted a sample of the scripts plus quite a few other malware samples to various AV companies on 21 Jan 2010.  I scanned it one last time at VirusTotal before I submitted it to them:&lt;br /&gt;&lt;br /&gt;http://preview.tinyurl.com/ybny2xo  (4/41)&lt;br /&gt;&lt;span style="font-family: monospace;"&gt;&lt;br /&gt;&lt;/span&gt;So if you have Microsoft's AntiVirus you are also now good to go on this one.  The problem for a hosts-only blocker is that it cannot enumerate all the hosts where the problem is. How many more hosts have the problem that I don't have in my file?  
Tens of thousands of hosts have the problem and I estimate less than 30% are in all of the blocking hosts files combined.  But what about using my PAC filter to block them by URL pattern?  You want to block "index.html"?  How about "index.php"? You will block well over 99% of the Internet!  What about the scripts? Their names seem to be nonsense letters all over the wall.  It is now three days after that last scan and it has not improved at all.  None of the AV companies have contacted me except one that did nothing with the last batch of samples I gave to them.  I don't think they will do any better this time around. If they don't think it is a problem, why should I consider it to be a problem?  If the scan stays the same after 1-2 weeks it is time to move on to where my efforts will be more useful.  This is not an isolated incident.  It has been going this way for years now, as the AV companies focus most of their attention on the more glamorous worms while the low-profile Trojans do the job quietly and discreetly.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reason 2:&lt;/span&gt;&lt;br /&gt;Microsoft's UAC has made it almost impossible to update either a hosts file or the PAC filters.  At first I thought that, with Windows 7 having a Windows XP virtual machine, the problem would be resolved.  Well, it isn't.  The XP virtual machine only exists in Windows 7 Professional and Windows 7 Ultimate.  Neither Windows 7 Home Premium nor Windows 7 64-bit has it.  I estimate that well over 90% of the Windows 7 systems will be Home Premium. If you ask me, Microsoft has finally put so many obstacles in the way of people protecting their systems with blocking hosts files or a PAC filter that it has become impossible to do.  Fine.  That means they believe they have all the protection that they need.  Who am I to question their judgement? 
It is time for me to move on to other things that will help Ubuntu Linux users (I don't currently use Ubuntu) avoid being tracked.  It is just that Ubuntu Linux has moved into the lead among Linux distros in use.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reason 3:&lt;/span&gt;&lt;br /&gt;I will continue to put in patterns that would help block malware, but in general malware hosts come and go so fast it isn't worth it. Most of the malware hosts I encounter any more have a life-span of less than 24 hours.  When I can detect that they are hosted on a PC in a DSL IP address block I will block the entire swath of PCs in that address space with a BadNetworks rule in the PAC filter.  But since nobody can put the PAC filter on unless they are using Windows XP, Windows 7 Professional, or Windows 7 Ultimate, the efficacy of this effort is dubious.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reason 4:&lt;/span&gt;&lt;br /&gt;What I encounter the most are ads and trackers.  If you use Firefox, AdBlock Plus with EasyList (or a language-specific subscription that replaces it, or EasyList plus a language-specific supplement) handles the ads fairly well.  EasyPrivacy does a good job with trackers.  But as some people found out with the New York Times outsourced ads infecting their Microsoft Windows systems, there are holes in any pattern filtration scheme.  I suppose the only people who got their machines infected were Windows XP owners, and those with Vista or the Windows 7 pre-release were immune.  But I know the hosts they used, and they stubbornly resist any attempts to find either patterns or IP addresses (unlike ABP, the PAC filter can block by IP address) to block them. Almost any good blocking hosts file would have kept people who went to the New York Times in that time period from having any problems.  For trackers both the PAC filter and ABP's EasyPrivacy do a good job, but occasionally I add stuff EasyPrivacy already has. 
I don't add it because they have it; I find out they had it &lt;span style="font-style: italic;"&gt;after&lt;/span&gt; I have already added it. I have no idea if they use my stuff that they don't have, but they are free to do so as long as they do not violate the GNU Public License.  After enough time we will both discover what the other knows.  It is just that you can't see everything: I see things they don't and they see things I haven't encountered yet.  So for EasyPrivacy vs. PAC filter I would say that we are about equal but good complements to each other. Frequently they have something I don't and vice-versa. Just remember that I also have BadNetworks and the PAC filter works with Chrome, IE, Opera, and Safari (just don't turn on debug in either Opera or Safari). For ads, the PAC filter cedes a lot of ground to what I use, which is EasyPrivacy+EasyList and Liste FR.  But you have to remember I also use a hosts file to cover a lot of that territory.  It still isn't comparable though.  ABP can block the hidden stuff while at the same time allowing the rest of the content from the host through.  But what if your browser of choice is Chrome, IE, Opera, or Safari?  The PAC filter comes to the rescue.  It is better than the alternative, which is nothing.  There are many things where I allow the host through but stop something bad from happening in the PAC filter. Also, if you know of something that I don't and inform me, I will look at it and incorporate it if it meets these criteria.  Why are ads a lower priority than WebBugs?  Because in and of themselves ads do not normally constitute a threat.  WebBugs and those scripts are a threat.  Besides, I have nothing personally against tasteful ads.  
They frequently enable people to host a web site that otherwise would not be possible without those extra funds.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-1385802973070504164?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/1385802973070504164/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=1385802973070504164' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/1385802973070504164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/1385802973070504164'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2010/01/priority-changes.html' title='Priority Changes'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-4526730274507851505</id><published>2009-10-05T11:57:00.000-07:00</published><updated>2009-10-09T10:08:40.926-07:00</updated><title type='text'>Reduce Spam</title><content type='html'>&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:180%;"&gt;How To Reduce Spam&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;1. The most sure way to reduce spam is to not have an email account.  I didn't think you would go for that.  Then here are the steps to take in order to reduce spam. 
They start with things you do to the machine only once, because they have to be done first, but all of the steps are important and work synergistically with each other.  In other words, don't omit any of them because they are &lt;span style="font-weight: bold; font-style: italic;"&gt;all&lt;/span&gt; important.  But do the preparation work &lt;span style="font-style: italic;"&gt;before&lt;/span&gt; you get the email account, not &lt;span style="font-style: italic;"&gt;after&lt;/span&gt; you get it.  That comprises steps 2 through 8.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;2. First, install the Firefox browser.  I don't even care if you use mainly IE, Opera, Safari, or some other browser.  There is one portion of this that really depends on it being there and on you starting Firefox every few days to get rid of Local Shared Objects (LSOs), which are basically Adobe Flash Player cookies.  Here is the main web site for Firefox:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://www.mozilla.com/en-US/&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://www.mozilla.com/en-US/firefox/all.html&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;3. Now download and install the AdBlockPlus (ABP) plug-in.  Here is the URL for it:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;https://addons.mozilla.org/en-US/firefox/addon/1865&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;4. Pick the EasyPrivacy+EasyList subscriptions.  For French add Liste FR. Make sure you get EasyPrivacy somehow!  
Here is the web page where they are:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;http://adblockplus.org/en/subscriptions&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://adblockplus.org/fr/subscriptions&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;5. Install the Better Privacy plug-in, start Firefox every day, and let it remove everything at browser close / open (your choice) until you know what you must keep. By everything I mean be sure to check "On cookie deletion also delete empty cookie folders" in the Options.  Here is the URL for it:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;https://addons.mozilla.org/en-US/firefox/addon/6623&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;6. If you are sincerely interested in stopping problems, then install NoScript.  You may wonder why this measure, which is primarily meant to stop malware, is effective in stopping spam.  It is because, in addition to stopping the scripting that is behind malware injections, it also strips scripting that is used to track you, which frequently ends up gathering information including the names of your email accounts.  You can do the same thing that NoScript does for Firefox with what is built into Internet Explorer.  Just make the Internet Zone look like the Restricted Zone - no scripting allowed - and put only the hosts you trust into the Trusted Zone (just make sure they can use both https: &lt;span style="font-style: italic;"&gt;and&lt;/span&gt; http:).  Here is where you can get NoScript:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;https://addons.mozilla.org/en-US/firefox/addon/722&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;7. 
Install my hosts file, or somebody else's whose reasons for existence include stopping tracking (spying).  Besides the one at SecureMecca.com / HostsFile.org, others that do this are MVPHosts, hpHosts, SomeoneWhoCares, and Airelle's hosts.trc file.  Okay, here they are:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;http://www.securemecca.com/hosts.html&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://www.hostsfile.org/hosts.html   (duplicate of previous)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://hosts-file.net/   (hpHosts)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://www.mvps.org/winhelp2002/hosts.htm   (MVPHosts)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://rlwpx.free.fr/WPFF/hosts.htm   (Airelle's lists)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://sysctl.org/cameleon/hosts   (Cameleon's French file - like MVPHosts)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://someonewhocares.org/hosts/  (Dan Pollock's file)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://cri.univ-tlse1.fr/blacklists/   (Fabrice Prigent - Toulouse University)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;8. Put on my PAC filter.  It distills years of experience in detecting patterns, much as EasyList and EasyPrivacy do.  But unlike either of those, mine started as an effort to curb porn first, not ads unless they had extremely bad behavior.  The PAC filter always had a secondary emphasis on curbing tracking / spying.  It is just that now the primary emphasis is stopping malware.  Don't let that fool you.  Only some of the anti-porn rules were dropped. 
All porn rules that are left are there not because they stop porn - &lt;span style="font-weight: bold; font-style: italic;"&gt;they stop malware&lt;/span&gt;.  Their count in Airelle's hosts.rsk and the MalwareDomainLists hosts file was too high, so they were retained.  But it is a rare month that goes by that I don't add anti-tracking rules that will have an impact on lessening the spam that ends up in your email box.   Okay, now we have prepared your machine.  The rest of the steps are what you do all of the time to lessen spam, as opposed to the one-time settings to the machine itself. Just remember to update the PAC filter frequently - I am always adding new anti-tracker rules.  Today (2009-Oct-09) I am adding piwik\.js (which NoScript strips).  Here is where my PAC filter is:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;http://www.SecureMecca.com/pac.html&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;http://www.HostsFile.org/pac.html&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;9. If you use web-mail, use GMail.  They have the best spam filtering in the business.  I had to use my GMail account from library computers that didn't have all that nice stuff I just detailed in steps 2 through 8.  It gets 200+ spam messages per week.  All or almost all of it goes into that spam folder.  I am using it to harvest URLs out of the spam messages; the hosts inside them go into my hosts file.  How good is their filtration?  It is better than even the Bayesian filtering in the Thunderbird POP / IMAP Mail User Agent (MUA) mail program.  Thunderbird or Claws Mail are the MUAs I recommend for filtering out the spam in POP / IMAP email accounts.  Everybody else, except perhaps Apple's Mail.app, is running a distant second or third.&lt;/span&gt;  But your privacy drops considerably with web-mail.&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;10. 
Do not put your email address into almost anything on the Internet. Avoid answering questions in forums, using social network services, etc.  I know, it is hard to do, but not getting your email address stuck into spammers' lists in the first place helps.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;11. Never respond to any spam email.  The surest way to slow the flow of spam would be for everybody to not respond to it.  The only reason a spammer has an incentive to send the stuff in the first place is that people respond to it.  If we could take away all of the responses to spam it would cease.  The problem is Phineas T. Barnum was correct - a sucker is born every minute.  They open the spam and then stupidly respond.  &lt;span style="font-style: italic;"&gt;Don't do it!&lt;/span&gt;&lt;span style="font-style: italic;"&gt;  Don't respond to the unsubscribe either&lt;/span&gt; - all that does is let them know that the email address is being used so that they can sell your email name to other spammers.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;12. Don't join any news groups.  By that I mean don't join any at all.  Curb the impulse until after you have decided they are okay.  I belong to quite a few, but all of them are in the computer / network security area.  I don't have FaceBook, YouTube, or other accounts (and have no need of them).  But in the beginning I used to belong to the Firewalls and Firewall Wizards news groups, before we knew what the spammers were up to.  Yes, you can change your email accounts and I have.  But that is so far in the past that it is my current activity that may end up getting me into these lists.  In case you are wondering, I practice what I preach and it does help.  I sometimes go almost a week with no spam in my POP email accounts.   See step 11 - it works.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;13. 
Do not forward email from these news groups.  It may seem great but most people's Windows machines are infected with malware that harvests email addresses.  Also, there are reply back mechanisms within email itself that can inform the original sender with the email addresses of the people you forward something on to. I know for a fact that some of the spam in my POP email accounts came from somebody else forwarding something to me.  It is bad form to forward anything anyway.  Just don't do it.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;14. If you have to, once all of the other things have been done here and you still have a problem, abandon your old email address and start over.  But do all of these other steps first or you will end up just as bad as where you are at now.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;That's it.  Just do these things to slow the flow of spam.  If you made a mistake and didn't do all of them at once, frequently it is best to abandon the email account and start all over.  Just make sure you do the other steps here.  I am sure I am missing something.  
If I can think of what it is I will add it later on.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-4526730274507851505?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/4526730274507851505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=4526730274507851505' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/4526730274507851505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/4526730274507851505'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2009/10/reduce-spam.html' title='Reduce Spam'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-3296669644424432782</id><published>2009-07-05T05:09:00.000-07:00</published><updated>2009-07-05T06:07:30.082-07:00</updated><title type='text'>Redirecting Hosts Files</title><content type='html'>&lt;span style="font-style: italic;"&gt;Proposed:  I suggest that the term blocking hosts files be replaced with the term &lt;span style="font-weight: bold;"&gt;redirecting hosts files&lt;/span&gt;, since that is exactly what they do for most people.&lt;/span&gt;&lt;br /&gt;  After NoScript author Giorgio stated that the 127.0.0.1 in hosts files should be changed to 255.255.255.0, I felt I had to make some comments here.  
First, he intimated that we were blocking ads.  The order of my redirecting hosts file and PAC filter &lt;span style="font-style: italic;"&gt;were&lt;/span&gt; to redirect in the following hierarchy by priority:&lt;br /&gt;[1] Malware-disseminating hosts, hosts that do cross-domain cookie setting, or hosts that do something else bad.&lt;br /&gt;[2] Hosts that are actively engaged in tracking.&lt;br /&gt;[3] Hosts that were engaged in pornography, since many are also in category 1.&lt;br /&gt;  Since almost nobody used what I provided or gave feedback, I changed the order of priority to be:&lt;br /&gt;[1] Malware-disseminating hosts, hosts that do cross-domain cookie setting, or hosts that do something else bad.&lt;br /&gt;[2] Hosts that are actively engaged in tracking.&lt;br /&gt;[3] Hosts that were pushing ads.  I still advise ABP &amp;amp; EasyPrivacy+EasyList for this for Firefox users.&lt;br /&gt;  It isn't as drastic a change as you think.  All of the porn patterns that were identified as high risk by the actual host counts at MalwareDomainList and in the hosts.rsk file of my friend Airelle of France (http://rlwpx.free.fr/WPFF/hosts.htm) were retained in the PAC filter.  Some needed to be downgraded from URL to host rules. 
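As an added example (not the SecureMecca PAC filter and not code from this post), here is a minimal proxy auto-config file laid out along the two rule levels just described: host rules that test the whole host name, and URL rules that need the path. Anything that matches is handed to a local redirect server listening on 127.0.0.1 port 80, the phttpd arrangement these posts assume; everything else goes DIRECT. The host names and paths in the rules are constructed placeholders, and the debug switch is my own simplification of the one line that separates the debug build of a filter from the production build.

```javascript
// Added example (not the SecureMecca PAC filter): a minimal proxy auto-config
// file with the two rule levels the post describes. Host rules match the whole
// host name; URL rules match the full URL. A match is handed to a local
// redirect server (phttpd-style) on 127.0.0.1 port 80; everything else goes
// DIRECT. Hosts and paths below are constructed placeholders.

// Debug switch: keep it at debugNone in the installed copy. A PAC engine has
// no console, so a debug build signals through alert(), and some browsers
// abort loading the PAC file on the first alert() call.
var debugNone = 0;
var debugAlert = 1;
var debug = debugNone;

// Host rules: the entire host name, case-insensitive, any leading subdomain.
var hostRules = [
  /(^|\.)tracker\.example$/i,        // constructed tracking host
  /(^|\.)malware-drop\.example$/i    // constructed malware host
];

// URL rules: patterns that need the path, e.g. a tracking script by file name.
var urlRules = [
  /^http:\/\/[^\/]+\/.*piwik\.js(\?|$)/i   // the piwik.js tracker script
];

// Where matched requests are sent. The post notes you are stuck with port 80
// unless both the PAC file and the redirect server are changed together.
var REDIRECT = "PROXY 127.0.0.1:80";

function report(msg) {
  // Only the debug build talks; alert() is undefined outside a browser PAC engine.
  if (debug !== debugNone) {
    if (typeof alert === "function") {
      alert(msg);
    }
  }
}

// Decide which rule level, if any, matched a request.
// Returns "host", "url" or "none" so the decision can be inspected and tested.
function classify(url, host) {
  var i;
  for (i = 0; i !== hostRules.length; i++) {
    if (hostRules[i].test(host)) {
      return "host";
    }
  }
  for (i = 0; i !== urlRules.length; i++) {
    if (urlRules[i].test(url)) {
      return "url";
    }
  }
  return "none";
}

// The entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  var level = classify(url, host);
  report("pac decision for " + host + ": " + level);
  if (level === "none") {
    return "DIRECT";
  }
  return REDIRECT;
}
```

Point the browser's automatic proxy configuration at this file only after confirming that debug is still debugNone; a browser that treats the first alert() as a load failure will otherwise run with no filter at all, silently.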
Some of the remaining "porn" rules that are working at the URL level may also need to be downgraded in the future, but I do subscribe to the NoScript philosophy of expressly disallowing by default and white-listing by choice, especially when it comes to hosts that do some particularly nasty stuff.&lt;br /&gt;  Now, in addressing the change of 127.0.0.1 to 255.255.255.0, I have only the following to say: do not do it unless you are using one of the following to handle the redirected requests:&lt;br /&gt;http://sysctl.org/cameleon/&lt;br /&gt;http://preview.tinyurl.com/8ujj9j&lt;br /&gt;http://preview.tinyurl.com/mavx9m&lt;br /&gt;http://www.abelhadigital.com/    (has a program called hostssrv.exe)&lt;br /&gt;http://www.securemecca.com/phttpd.html  (only for 'nix machines, and I recommend Cameleon)&lt;br /&gt;Almost everybody who uses some sort of redirection mechanism (hosts file, pseudo DNS server, PAC filter, etc.) uses one of these servers to handle the redirection, except for AdBlock Plus, which rather than blocking them (er, redirecting you to something else) strips them out of the file and then passes that on to the browser. But the only one that is designed to handle them on something other than 127.0.0.1 by default is Cameleon's phttpd.  Mine can be used to do that, and you could even shift it to a port other than 80, but I would not advise that you do either.  The port change would work only for the PAC filter, and only if the PAC filter's port is also changed.  IOW, you are stuck with port 80. Nobody handles port 443 or 8080 requests.  Also, what I have is written in PERL (but it is a true daemon with the double forks and setsid) and IMHO is not up to handling a lot of requests safely. One ponders whether it is safe at all being written in PERL, but I don't have time to write one in C and one already exists.  I just didn't know about it at the time I wrote mine.&lt;br /&gt; 
I propose the following change in terminology, knowing full well that the proposal will fail:  From henceforth, blocking hosts files shall be known as &lt;span style="font-weight: bold; font-style: italic;"&gt;redirecting hosts files&lt;/span&gt;.  That is because, with these phttpds, that is precisely what they are doing.&lt;br /&gt; Now, some may think I am angry with NoScript author Giorgio.  I am not angry.  I still recommend Firefox + NoScript, especially on Windows machines, to mitigate some of the problems people have.  I still think it is overkill on 'nix machines, but the security hole opened up by using Privoxy + PAC filter to allow unrestricted ftp access (and worms and other nasty stuff are now actively utilizing ftp) leaves me no choice - &lt;span style="font-weight: bold; font-style: italic;"&gt;I must recommend NoScript to Windows users.&lt;/span&gt; But there are times when you have hosts whose behaviour you don't want to merely restrict.  You want no part of them! For these hosts a redirecting hosts file or redirecting PAC filter is your only option until somebody has the time and resources to shrink-wrap all of this into the broadband router, which is where it should be, especially in a home situation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-3296669644424432782?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/3296669644424432782/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=3296669644424432782' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/3296669644424432782'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/3296669644424432782'/><link 
rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2009/07/redirecting-hosts-files.html' title='Redirecting Hosts Files'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-6896454833343277679</id><published>2008-12-11T09:29:00.000-08:00</published><updated>2008-12-16T10:12:56.562-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Proposed Name Changes'/><title type='text'>Name changes of files</title><content type='html'>Since I created these filters, we have begun to add the Français language into the mix.  It has caused me no end of grief not to have a consistent naming method.  For example, both the Français and Anglais names for the central file are proxy.txt.  What is wrong with that?  I have to keep track and use different folders for the uploads.  Also, I called the debug version of the filter proxy.debug on Unix but dbgproxy.txt on MS Windows. All that differs between proxy.txt and dbgproxy.txt is the one line that turns the debug on.  The only difference between dbgproxy.txt and proxy.debug is substituting LFs for CRLFs. Therefore, I am proposing to make the following changes:&lt;br /&gt;&lt;br /&gt;1.  The file named proxy.debug would become dbgproxy on Unix.  We aren't done yet, because I haven't addressed the language question yet.  In other words, this is the name sans the language version.&lt;br /&gt;&lt;br /&gt;2.  The only difference between the Unix and Windows files, other than LF versus CRLF, will be that Windows files have the ".txt" extension.  Somebody said I should have either ".pac" or ".js" for all of them.  
Okay, how do you propose we differentiate between MS Windows and Unix versions of the file? These other extensions may be okay but it works with the "*.txt" extension and I have a dandy way of differentiating the Unix and MS Windows files by just dropping the ".txt" extension on Unix. The file name extensions have no meaning on Unix anyway.  Unix systems find out all they need to know about what kind of file they have by looking at the permission flags of the file and just "sniffing" the first few bytes of the file and comparing that with the magic database.  With the ".txt" extension on MS Windows, people can just double click on the file name and edit it.  It is very difficult to tell a novice how to edit the file with these other extensions.  I don't worry about the Unix people.  I do worry about the Windows people.  I told somebody who has been using Windows for the past five years to close the window I had them open several instructions previously only to have them ask me "how do I do that?"  Well, you click on the X in the upper right hand corner of the window.  It seems like that would be common knowledge after five years.  We are not done yet.  We still have the language to consider.&lt;br /&gt;&lt;br /&gt;3. I have been caught putting Français versions of the files where the Anglais files should be.  That may or may not be a Freudian slip. But the mixup occurred because they both have the same name.   I am proposing that the downloads and the proxy files themselves have the language version embedded as part of the name.  That means for example that the English version of the main install download will become InstallProxyPkg_EN.msw.7z and InstallProxyPkg_EN.unx.7z for Windows and Linux respectively.  That makes it match what it is for the Français version which is InstallProxyPkg_FR.msw.7z / InstallProxyPkg_FR.unx.7z.  Ditto for the auto updaters AutoPac_FR.msw.7z / AutoPac_FR.unx.7z and AutoPac_EN.msw.7z and AutoPac_EN.unx.7z.  
If I do that, I will put ALL of the download files, no matter what language they are in, in a downloads folder.&lt;br /&gt;&lt;br /&gt;4.  Since I am also proposing that the names of the proxy files themselves contain the language code, the new names of the proxy files will be:&lt;br /&gt;&lt;br /&gt;Anglais:&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;MS Windows&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;proxy_en.txt&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;dbgproxy_en.txt&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;pornproxy_en.txt&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;Unix&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;proxy_en&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;dbgproxy_en&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;pornproxy_en&lt;br /&gt;&lt;br /&gt;Français:&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;MS Windows&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;proxy_fr.txt&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;dbgproxy_fr.txt&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;pornproxy_fr.txt&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;Unix&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;proxy_fr&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;dbgproxy_fr&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;pornproxy_fr&lt;br /&gt;&lt;br /&gt;What this will do is make it possible to offer Español versions in the future.  I will let somebody else handle the other languages.  If you have any objections, contact me at hhhobbit frat securemecca.com to tell me what they are.  Otherwise this is the direction I will go.  Without some sort of standardization it just became too much to do this and keep up with it.  In other words, I was doing this already anyway.  
I was using the Français version of the file one day and didn't notice that I had forgotten the terminating ";" on one of the new rules I had just added to the Anglais (Américain) version.  I didn't have a problem, but the English-speaking people did, and it would have included me when I switched back to English two days later had somebody else not caught the SNAFU before then. Unless I hear an objection (now is the time to speak up), I will be working all Christmas and the few days after that on the name changes.  I should have everything straightened out and working by 2009.  I do NOT have my fingers crossed - that is when I expect it all to be working.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-6896454833343277679?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/6896454833343277679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=6896454833343277679' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6896454833343277679'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/6896454833343277679'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2008/12/name-changes-of-files.html' title='Name changes of files'/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6747627828832681257.post-3334347163386558734</id><published>2008-11-12T04:58:00.000-08:00</published><updated>2008-11-12T05:13:18.952-08:00</updated><title type='text'></title><content type='html'>SecureMecca.com &amp;amp; HostsFile.org no longer feature the block of pornography.&lt;br /&gt;&lt;br /&gt;Some may lament us no longer blocking Pornography.  In fact this is not true.  We still have that filter and it is named pornproxy.txt.  It is just that no more work is being done on it.  This was done for several reasons and they are:&lt;br /&gt;&lt;br /&gt;1. It became too much work for only one person to handle.  Henry Hertz Hobbit was the only one making the changes with Rodney making suggestions.  It is just that the suggestions were to add blocks for ads and assuming a rule may cause problems when in fact most don't.  Many new patterns could have been added but doing that required more people to take on the work and nobody stepped up to the plate.  One person can only handle a dozen or more experimental rules at a time.  I (HHH) was &lt;span style="font-weight: bold;"&gt;maxed&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;2. With over 700,000 porn hosts and climbing to over a million with NOBODY in HHH's personal contacts wishing to help by putting on the filter and reporting back false positives it finally became apparent nobody wanted these blocks. But almost everybody is blocking ads.&lt;br /&gt;&lt;br /&gt;WHAT DO WE BLOCK?&lt;br /&gt;&lt;br /&gt;1. Hosts that abuse the built-ins and add-ons.  This includes but is not limited to:  JavaScript, Java, Flash Player, RealPlayer, and ShockWave Player.  With the exception of the ShockWave Player not being on Linux, these exploits work equally well (maybe we should say badly?) on all operating systems.  Just shifting to Linux doesn't alter the abuse that occurs.  
You can literally trap somebody in the browser using nothing but JavaScript not allowing them to do anything (except to go to another work-space on Linux and kill the browser in a terminal window).  Is that classified as an exploit?  &lt;span style="font-weight: bold;"&gt;Yes!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2. Hosts that track what you do and where you go.  At one time some people used the word spies in relationship to these hosts. I (HHH) prefer the term tracker (Fr - traqueur) since that most closely represents what they are doing. Primarily they keep track of what you are doing to tailor the ads that are delivered to you but there are other reasons for what they track.  We are dedicated to minimize this tracking of people's use of the Internet.  That is why I (Henry Hertz Hobbit) will never access the built-in features to track you at SecureMecca.com and warn you what is being used to track you there that is not under my control.&lt;br /&gt;&lt;br /&gt;3. Hosts that infect people's machines.  This is almost wholly limited to the Windows OS.  Although many people say the problem would be just as bad on Linux or the Macintosh, it wouldn't as long as people didn't do stupid things.  It is just as easy to write a trojan for Macs as it is for Windows and you can have it installed if you are salivating over getting the dirt on shocking videos of this or that political personality doing this or that.  Hiding the fact that what the Mac owner is using is called sudo doesn't help prevent a user from stupidly installing a program running with admin level access.  There is no substitute for knowledge. We are primarily but not exclusively using both Airelle's hosts.rsk file and Malware Domain List's files for looking at these host for patterns for the PAC filter. Some surprising things have already come out from this.  &lt;span style="font-weight: bold;"&gt;WE BLOCK CHINA!  
THE WHOLE TLD!&lt;/span&gt;  10% of the hosts that infect Windows machines at the MalWare Domain List are in this domain.  We also block some porn patterns (we have left one in as a red herring), but again, we are blocking them like we block China: because they pass a threshold of so many hosts (usually we need at least ten hosts at Malware Domain List, but a very nasty trojan MAY make a count unnecessary) before that pattern is included.&lt;br /&gt;&lt;br /&gt;4. Typo servers, or somebody else that is doing something wrong.  This is a little vague, but I don't want to be frozen with something that can't handle newer threats as they come to fruition and develop.  You are just going to have to trust my instinct that something is bad when I see it. Active-X exploits that inject a trojan after the browser has been gagged by do-nothing JavaScript that maxes the CPU are just one of the many other things that come to mind; the list is seemingly endless.&lt;br /&gt;&lt;br /&gt;5. WE NOW BLOCK ADS.  Before now, the ad server had to do something else, like spying, to be included.  That does NOT mean use of our hosts file for this is to be encouraged. Use somebody else's hosts file for that purpose.  What you want from us is the PAC filter.  Will our PAC filter match the power of AdBlock Plus filters?  Probably not.  They have had years to hone their filters and we are just starting. Also, there are some patterns that are more difficult to enter into the PAC filter.  What is the advantage?  Like a blocking hosts file, the PAC filter is stealthy.  &lt;span style="font-weight: bold;"&gt;Nobody can detect that it is there.&lt;/span&gt;  You will &lt;span style="font-weight: bold;"&gt;never&lt;/span&gt; get a request from a web site to turn it off.&lt;br /&gt;&lt;br /&gt;There you have it.  The policy may be refined over time, but this is what it is now, for what it is worth.  Hey, it works for me &amp;amp; Rodney.  
If other people find it useful that would be nice to hear but it is primarily something created for ourselves.&lt;br /&gt;&lt;br /&gt;Henry Hertz Hobbit&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6747627828832681257-3334347163386558734?l=securemecca.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securemecca.blogspot.com/feeds/3334347163386558734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6747627828832681257&amp;postID=3334347163386558734' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/3334347163386558734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6747627828832681257/posts/default/3334347163386558734'/><link rel='alternate' type='text/html' href='http://securemecca.blogspot.com/2008/11/securemecca.html' title=''/><author><name>Henry Hertz Hobbit</name><uri>http://www.blogger.com/profile/14814275987805266621</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
