Sunday, January 28, 2007

ISO info on Vista Upgrade details

It's odd that I can't seem to find clarification on what I thought was a simple question about Vista upgrade edition details. (All versions)

It appears - according to this KB article - that any "upgrade" edition of Vista must be installed from within the previous OS; you cannot do a clean install. It also appears that, since the previous OS must be activated and validated before you can upgrade to Vista, the previous operating system's product key is consumed and may never be re-used.

This seems somewhat reasonable, considering the terms of the upgrade edition's EULA, until one imagines having to re-install that Vista upgrade onto the exact same hardware after a disaster. According to what I can find, the user would have to re-install the OLD operating system, activate it, validate it, then upgrade to Vista again. But . . . since the old PID is deactivated during the original upgrade to Vista, they won't be able to validate the old OS.

A quandary if true.

Is Microsoft really thinking that users will never ever have to wipe and re-install like we do with XP every couple of years or so? Are they thinking a system root hard drive will never fail?

The only answer I can find so far from MS is: "Buy the full retail package, not the upgrade edition, if you ever intend or want to do a clean install or a re-install."

So, do any of you have direct links to public knowledge from Microsoft that contradicts this line of reasoning? Perhaps someone could point me to the right KB article or Microsoft publication? I need to know!


Friday, January 26, 2007

"Free" Wi-Fi network hotspot may be a ruse to enslave your laptop

News today arrives about an old scam gaining new life. Airports and other busy areas around the world are being targeted by attackers who turn on ad-hoc (computer-to-computer) hotspots to lure business travelers into connecting. Once a victim connects, the criminals use man-in-the-middle attacks to steal passwords and account information, infect laptops, and even implant zombie spam software.

The hotspots use SSIDs like "Free Wi-Fi" or something similar to attract people looking for a connection. The link goes to the full article, which includes steps you can take to prevent your computer from connecting to them and how to identify suspect hotspots.

One good practice to follow when using ANY "free" hotspot is to subscribe to and use a trusted VPN service, or use your corporate VPN connection, before you check email or access your online bank account. That way everything leaves your laptop already encrypted, and whoever runs the hotspot sees only the tunnel.

You should also turn on the Windows Firewall (or your third-party personal firewall of choice) and block file and printer sharing while traveling.


Wednesday, January 24, 2007

Habeas corpus struggling for life?

reminded me of an ongoing topic of interest -- the current sad state of habeas corpus. Check out the YouTube video he embedded on that posting.

What I find really disturbing, in addition to the dismal opinions expressed by our Attorney General, is the fact that NONE of the major US media cartels gave this more than a 14th page blink -- if that much.

There was far better coverage of this from other countries, like New Zealand, or independents, like the FEP.

Privacy and Flash Memory Cards

If you use a camera with flash card memory, or a USB thumbdrive, or any number of other popular miniature electronic storage devices on the market today, then this alert is for you.

Almost all modern flash storage devices use NAND memory. NAND cells are non-volatile: they retain stored information when the power is off. Most digital cameras use NAND packaged as CompactFlash I or II, Secure Digital (SD), xD-Picture Card, etc. The majority of USB thumb drives on the market also use NAND memory.

One weakness of NAND memory is that each cell survives only so many program/erase cycles. Because cells have tiny defects and fail randomly, and because data is written in pages and erased in whole blocks, each block can realistically be erased and rewritten only about 100,000 times (often less) before it fails. To extend the useful lifetime of a card, the controller firmware performs wear leveling: it spreads consecutive writes across all available blocks, keeps an erase counter for each block, and tries to keep those counters roughly equal.

So what does this have to do with security?

In NAND, clearing a block means erasing it, and erase cycles are exactly what wear the cells out, so flash controllers avoid erasing until they have to. They accept overwrites from the host, but the cells are not overwritten in place nearly as often as you might think. Here is why (by example):

Each time you write a file to the card, it is saved across one or more blocks. Take a hypothetical (smallish) file that occupies blocks A through C. Now delete that file and write a new file of the same size, a common sequence with cameras. The new file does NOT overwrite the old one; it is written to blocks D through F. The deleted file is not actually erased, it is only marked as free in the file system's allocation table. The cells in blocks A through C still hold the same bits ("0" or "1") they held when the file was written.

Repeat for the next several files, until you reach the end of the available space and the allocator cycles back to the first blocks. Until blocks A through C are actually reused, which on a large card may take a while, that first deleted file can be recovered VERY easily by almost any file recovery tool on the market today, because the tool simply reads the freed blocks through the card's normal interface. Even after the host reuses those blocks, the controller's wear leveling writes the replacement data to a fresh physical block rather than erasing the old one in place, so the old copy can linger on the chip until the controller gets around to erasing it. At that point it is out of reach of ordinary recovery tools, but not of someone who reads the flash chip directly.

Format the card? No dice. These cards do not expose a low-level erase through the normal interface, and a quick format only rewrites the file system structures: every block is simply marked free, but the cells are not erased. All the files are still recoverable with those same file recovery applications.

Some manufacturers provide tools that force a genuine block-by-block erase, a true wipe, but good luck finding those tools in the retail world. (If I find some, I will post links to them here.) Most do not. Some work around the problem by encrypting everything written to the storage device, so that even if a file is never truly erased, the only way anyone can read it is by placing the device into the same hardware where the file was created, or by supplying the crypto key through a utility. Such solutions have their own problems, including lower performance and the loss of your data should you lose your key. The flip side of that is that destroying the key wipes the whole device at once, without spending a single erase cycle.
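To make the mechanism above concrete, here is a small Python model of a flash card, added as an illustration for this post; it is not code from the post or from any card vendor. The controller (flash translation layer) never programs a physical block in place: every host write lands on the least-worn erased block, and the block that held the previous copy is merely marked stale. On top of it sits a FAT-style file system whose delete and quick format only touch metadata. The block size, the rotating cluster allocator, the 12-physical/8-logical sizing and the file contents are all assumptions chosen to keep the walk-through readable; real cards differ in every number, not in the behaviour.

```python
"""Toy NAND card with a wear-leveling controller and a FAT-like file system.

Added example (not from the original post). Sizes and the allocator
policy are assumptions; real parts use far larger blocks and pages.
"""
from typing import Dict, List

ERASED = 0xFF            # a freshly erased NAND block reads back as all ones
BLOCK_SIZE = 16          # bytes per block (assumption; tiny so dumps stay readable)


class FlashCard:
    """The card's controller. The host addresses logical blocks; the controller
    maps each one to a physical block and, on every write, programs a fresh
    physical block instead of erasing the old one in place."""

    def __init__(self, n_blocks: int) -> None:
        self.data = [bytes([ERASED]) * BLOCK_SIZE for _ in range(n_blocks)]
        self.erase_count = [0] * n_blocks
        self.mapping: Dict[int, int] = {}          # logical -> physical
        self.clean = set(range(n_blocks))          # erased and ready to program
        self.stale = set()                         # unmapped, still holding old data

    def _erase(self, phys: int) -> None:
        self.data[phys] = bytes([ERASED]) * BLOCK_SIZE
        self.erase_count[phys] += 1
        self.clean.add(phys)

    def _allocate(self) -> int:
        if not self.clean:                         # no erased block left: garbage-collect
            if not self.stale:
                raise RuntimeError("card full")
            victim = min(self.stale, key=self.erase_count.__getitem__)
            self.stale.remove(victim)
            self._erase(victim)                    # only now does old data really vanish
        # wear leveling: take the erased block with the fewest cycles on it
        phys = min(self.clean, key=self.erase_count.__getitem__)
        self.clean.remove(phys)
        return phys

    def write(self, lba: int, payload: bytes) -> None:
        if len(payload) > BLOCK_SIZE:
            raise ValueError("payload larger than a block")
        phys = self._allocate()
        self.data[phys] = payload.ljust(BLOCK_SIZE, bytes([ERASED]))
        old = self.mapping.get(lba)
        if old is not None:
            self.stale.add(old)                    # superseded copy is kept, not erased
        self.mapping[lba] = phys

    def read(self, lba: int) -> bytes:
        phys = self.mapping.get(lba)
        return self.data[phys] if phys is not None else bytes([ERASED]) * BLOCK_SIZE

    def raw_dump(self) -> bytes:
        """What someone reading the chip directly sees: every physical block."""
        return b"".join(self.data)

    def secure_erase(self) -> None:
        """The block-by-block erase a vendor wipe tool would perform."""
        for phys in range(len(self.data)):
            self._erase(phys)
        self.mapping.clear()
        self.stale.clear()


class TinyFs:
    """FAT-like layer: a directory plus a rotating next-free cluster pointer.
    delete() and quick_format() change only this metadata, never the data."""

    def __init__(self, card: FlashCard, n_lba: int) -> None:
        self.card, self.n_lba = card, n_lba
        self.files: Dict[str, List[int]] = {}
        self.free = set(range(n_lba))
        self.next_free = 0

    def _alloc(self) -> int:
        for _ in range(self.n_lba):
            lba, self.next_free = self.next_free, (self.next_free + 1) % self.n_lba
            if lba in self.free:
                self.free.remove(lba)
                return lba
        raise RuntimeError("file system full")

    def save(self, name: str, content: bytes) -> List[int]:
        lbas = []
        for i in range(0, len(content), BLOCK_SIZE):
            lba = self._alloc()
            self.card.write(lba, content[i:i + BLOCK_SIZE])
            lbas.append(lba)
        self.files[name] = lbas
        return lbas

    def delete(self, name: str) -> None:
        self.free.update(self.files.pop(name))     # clusters freed; cells untouched

    def quick_format(self) -> None:
        self.files.clear()
        self.free = set(range(self.n_lba))
        self.next_free = 0


def recovery_scan(fs: TinyFs, needle: bytes) -> bool:
    """What an ordinary recovery tool does: read free clusters through the
    card's normal interface and look for content."""
    return any(needle in fs.card.read(lba) for lba in sorted(fs.free))


def demo() -> Dict[str, bool]:
    """Walk through the post's scenario; each value answers 'is the secret still there?'."""
    card = FlashCard(n_blocks=12)                  # 12 physical blocks behind 8 logical ones
    fs = TinyFs(card, n_lba=8)
    secret = b"SECRET-1".ljust(BLOCK_SIZE * 3, b".")   # constructed sample "photo"
    out = {}
    fs.save("IMG_0001", secret)                    # logical 0-2 (blocks A-C in the post)
    fs.delete("IMG_0001")
    fs.save("IMG_0002", b"IMG-2".ljust(BLOCK_SIZE * 3, b"."))   # allocator moves on: 3-5
    out["after_delete"] = recovery_scan(fs, b"SECRET-1")
    fs.quick_format()
    out["after_quick_format"] = recovery_scan(fs, b"SECRET-1")
    for i in range(2):                             # wrap around and reuse logical 0-5
        fs.save(f"IMG_{i + 3:04d}", b"NEW".ljust(BLOCK_SIZE * 3, b"."))
    out["logical_after_reuse"] = b"SECRET-1" in card.read(0)
    out["raw_after_reuse"] = b"SECRET-1" in card.raw_dump()
    card.secure_erase()
    out["raw_after_secure_erase"] = b"SECRET-1" in card.raw_dump()
    return out


if __name__ == "__main__":
    for step, present in demo().items():
        print(f"{step:24s} secret present: {present}")
```

Running `demo()` walks the post's sequence: after the delete and after the quick format the secret is still readable through the normal interface (`after_delete` and `after_quick_format` are True); once the host reuses logical block 0 a recovery tool no longer sees it (`logical_after_reuse` is False), yet the stale physical copy is still in the raw dump (`raw_after_reuse` is True); only the controller-level erase clears it.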

The crux of the matter is this: if you have an older device that you think has failed and that may contain information you do not want revealed, do not throw it away. Destroy it if possible. Cutting cards into pieces is good; hammers also work very well, as does fire. What has to break is the memory chip itself, not just the plastic shell, so make sure the die inside is cracked or shattered. Just please practice safe card destruction, yadda yadda, etc. when you shred/smash/burn your old flash memory cards.

For more information on the problems of undesired data retention on memory devices, check out this excellent resource.


Monday, January 22, 2007

Update on the convicted teacher (malware victim)

See the previous post for original story and links.

He [. . .] is a computer forensic examiner who was called as a defense expert witness in the Julie Amero case.

In an effort to dispel rumor and produce a more accurate understanding of the Amero case in the public, we have offered him a chance to offer his commentary. Tomorrow we hope to have commentary from Detective Mark Lounsbury, who testified for the prosecution at Ms. Amero's trial.

. . .

This was one of the most frustrating experiences of my career, knowing full well that the person is innocent and not being allowed to provide logical proof.

Link to article


Tuesday, January 16, 2007

Spyware infested computer = jail time for victim?

The appeals still have to move through the process, but it appears that a substitute teacher in Norwich has been convicted and may be sentenced to 40 years in jail because the computer she was using in the classroom was infected with adware that caused uncontrollable pr0n pop-ups.

I don't personally have all the facts yet on this case, but my experience with client infections makes me wonder if she may be an innocent victim of fly-by adware. Unanswered questions include: 1) was it her computer, or the school's? 2) if the school's, where were their software security policy and safeguards?

The prosecutor for the case stated she had to have deliberately clicked on certain links, but we security professionals have seen many cases where IE links have been set to their "visited" state by adware pop-ups.

Update: More information and speculation, and worse, the prosecution admits that it made no search for spyware during its investigation.

Sunday, January 14, 2007

Craplets: a new term is coined

Craplets! What a great word to describe a very dirty side of the PC retail industry.

'"We call them craplets," the official said. The term is a contraction of the words "crap" and "applet." An applet is a small computer program or application.'

For years now I have been removing these things from customers' computers, generally right after we purchased them for their company use.

Recently Dell has begun allowing customers to "opt-out" of craplets on certain high end computers, including some of their ultra high performance gaming rigs, and their medium-to-enterprise class business laptops and professional grade workstations. They've also managed to resist the temptation to add these nasties to their business server lines.

But . . . if you shop the "Home User / Home Office" section of Dell, don't expect to see those options.

The infuriating part is that you have to pay Dell extra to not install their extra crap. Actual cost if you opt out of all the craplets available is between 8 and 24 bucks, at $2 per applet. (A recent Ars blog post states that the Dell CEO liked the idea of $60, but I note that he did not mention that the option is already there for less on select systems.) You get a clean system on delivery for your spare change, instead of a unit that as likely as not already has spyware or adware on it - new out of the box!

Last year I discovered an automated craplet removal script called the PC Decrapifier that is maintained and updated on a regular basis. Better, since I generally shop Dell these days, it is specifically targeted at new Dell computers. It's free for personal use, and so far my results have been stellar. Your mileage may vary, yadda yadda, etc.

They state it will work on most other new OEM systems, although I cannot personally verify that yet . . .

Thursday, January 11, 2007


Click to see the beginning of this mini-blog-plot at UserFriendly.Org

I so relate to this . . . it's really hard to keep up with blogging when life gets complex. Not to mention writers block.