Monday 30 November 2015

So what about PDF files?

An email from Google!


From: Google  Incorporation ® <test@lateliernyc.com>
Reply-To: Google  Incorporation ® <daviddrummond2015.guk@googlemail.com>
To: undisclosed-recipients:  ;
Subject: Google End Of The Year Winning Letter®
Parts/Attachments:
   1 Shown   ~33 lines  Text
   2          80 KB     Application
----------------------------------------

Dear Google User,

You have been selected as a winner for using Google services. Find attached email with more
details.

Congratulations,

Larry Page
CEO of Google

©2015 Google  Incorporation ®

Of course, it isn't. But a pdf file was enclosed.

SHA1 aee4153e0b9f4fd0ab9a59957860fe410cff5dc6
SHA256 e4014fc00c263f1a821964ecb66d9b269876b92b7008e884fd4f2cc2ef788256

I sent it off to Jotti, Metascan and Virustotal, and they all reported that it's clean. Virustotal told me that it was first reported on October 18, 2015, six weeks ago.

Given that Larry Page isn't one of my usual correspondents, it's obviously something bad. Maybe it's a scam, not malware? I don't have a virus lab, so I'm not going to load it to find out.

This also arrived:
From: orders@kidd-uk.com
Subject: Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD
Parts/Attachments:
   1 Shown      6 lines  Text
   2          132 KB     Application
----------------------------------------

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )

Also a PDF file, according to the extension, but actually it's a DOC file!

Jotti: One product (Kaspersky) out of 20 flagged it.
Metascan: Two products (Kaspersky and ThreatTrack) out of 43 flagged it.
VirusTotal:  6 out of 54 flagged it.

Hancock's Half Hour

I just found the old Hancocks on YouTube. Either you know what that is, or you don't.

Sunday 29 November 2015

Blocking doc malware

In this blog, I've been discussing the fact that of the 55 scanners examined (which is pretty much all available products), they all fail to detect malware in emails.

Yet all of them come with all sorts of claims, recommendations and certifications. How can this be? And what can be done?

The claims are similar to "detect 99.9% of in-the-wild malware". The problem is that this doesn't tackle the actual problem. The actual problem is the malware emailed to me (and most other people) every day, and the scanners don't detect anything bad in those. I dare say that the testers have 100,000 files collected over the years that these products do flag as malware. But that's not the problem. I'm getting a hundred or more emails per week with malware attachments, and if I relied on scanners to keep me safe, I'd be getting hit dozens of times per week.

So what can be done?

In other posts, I've explained what can be done. But talk, as they say, is cheap. What counts is action.

So I've taken action. I have, running on a Raspberry Pi, this page.

To use it, you click on the "Browse" button, choose the file that you want cleaned, then
click on "send the file".

The file uploads to my server, and then it converts the file to A) a pdf file, B) an rtf file and C) a text file. You can download any or all three of those, and read them. The pdf, rtf and text file formats do not support macros. So any macros that are in the doc file, whether malicious or benign, are not present in the pdf, rtf or txt files.

This doesn't tell you if there was anything malicious in the doc file. It just creates files that don't include macros.

You still have the original doc file, of course, and you'll probably want to delete it.

This service is free.

I'll be expanding it, if there's demand, to cover xls (Excel spreadsheet) files and possibly others. Another possibility would be to convert the file into a doc file but stripped of any macros.

Even better would be to install something on your computer that did this automatically, but I'm not going to do that; I'll leave that to the 55 antivirus vendors that are capable of writing this software, but, as far as I can tell, have not.

Mostly, this is a demonstration of what can be done. Ask your antivirus vendor why they haven't.

Email from a friend.

But surely you can trust an email from a friend?

Yes and no. Yes, if it really is from your friend; no, if it's only pretending to be. I'll explain.

Here's what happens. Your friend visits a web site that installs software on his computer - this software gives complete control of his computer to a Bad Person. Or he clicks on an email attachment that does that. So now a Bad Person has control of your friend's computer.

The Bad Person can now email everyone on your friend's contact list. Or email everyone who your friend recently emailed (by checking the "sent email" folder). Or email everyone who emailed your friend. And that email comes from your friend's computer, has your friend's name and closing lines (signature) on it, and asks you to do whatever the Bad Person has in mind. Which is probably a Bad Thing.

There's another wrinkle to this. When you get that email (as do umpteen other people), you might realise that it didn't actually come from your friend, in which case you might email your friend and tell him that his computer has a problem. And then your friend will get rid of the trojan.

This, from the point of view of the Bad Person, is bad. So what I'm seeing now is that the email to everyone on the contact list is being sent from *another* compromised computer. So if you just hit "reply" to tell your friend about the problem, it won't get to your friend. And the trojan survives to do more damage.

So even if an email seems to come from a friend, don't visit any suggested web site, and don't click on any attachments, until you are *sure* that your friend really did send it.
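Two checks a mail filter can make against the scenario just described (and against the "Google" mail above, whose From and Reply-To addresses differ) follow as an added example; this is not the blog's own code. The headers are constructed (the Received lines and hostnames are invented documentation addresses), and the Received chain can be forged below the hop your own mail server added, so the origin check is evidence, not proof.

```python
"""Two tell-tales from the posts above: a Reply-To that points somewhere other
than the From address, and a sending host that has nothing to do with the From
domain.  Added example on constructed headers; not the blog's own code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the "Google End Of The Year" mail above; the
# Received lines and hostnames are invented (documentation addresses).
SUSPECT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <victim@recipient.example>; Mon, 30 Nov 2015 09:00:00 +0000
Received: from [192.0.2.77] (198-51-100-77.dynamic.adsl.example.net [198.51.100.77])
\tby mail.example.org with SMTP id XYZ789; Mon, 30 Nov 2015 08:59:00 +0000
From: Google Incorporation <test@lateliernyc.com>
Reply-To: Google Incorporation <daviddrummond2015.guk@googlemail.com>
To: undisclosed-recipients: ;
Subject: Google End Of The Year Winning Letter

Dear Google User,
"""

# A plausible legitimate mail for comparison (also constructed).
LEGIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id DEF456; Mon, 30 Nov 2015 09:05:00 +0000
From: Alice <alice@example.org>
To: victim@recipient.example
Subject: Minutes from Friday

Attached as promised.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain part of the first address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def origin_host(received_headers) -> str:
    """Reverse-DNS name of the host in the earliest Received header (the last
    one listed).  Only the hops your own mail servers added are trustworthy;
    earlier ones can be forged by the sender."""
    if not received_headers:
        return ""
    first_hop = received_headers[-1]
    m = re.search(r"from\s+\S+\s+\(([^\s\[\]()]+)", first_hop)
    return m.group(1).lower() if m else ""


def registrable(host: str) -> str:
    """Crude 'last two labels' comparison key (assumption: no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse(raw: str) -> dict:
    """Compare From, Reply-To and the originating host of one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    origin = origin_host(msg.get_all("Received", []))
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        # A reply would go to someone other than the apparent sender.
        "reply_goes_elsewhere": bool(reply_dom) and reply_dom != from_dom,
        "origin_host": origin,
        # The machine that injected the mail belongs to the From domain.
        "origin_matches_from": bool(origin) and registrable(origin) == registrable(from_dom),
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, analyse(raw))
```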
Friday 27 November 2015

And a doc file

From: Bruce Sharpe <bruce@alinepumps.com>

Subject: Aline: Tax Invoice #40525

Good day,

Please find attached Tax Invoice as requested.

Many thanks for your call.

Bruce Sharpe.


A doc file.

SHA1 5836a7ac46981dad66b056ab64f6ecb583fc92c3
SHA256 feb034075eb65662db187dff2e4441740a62609cec23786854acdebeedc903d5

Virustotal - all 55 products passed it as clean
Metascan - Baidu flagged it, the other 42 passed it as clean
Jotti - Quickheal flagged it, the other 20 passed it as clean
Payload security  - contacts a server, downloads a file, drops a file rudakop.exe. When I google that, lots of results say it's malware.

Antivirus products don't block doc files, because a doc file is a legitimate way to pass documents from place to place. But most documents won't include macros.

As you can see from the above, a file that arrived in my inbox (actually, they sent me three copies so far) is malware, and isn't flagged by antivirus products.

My doc file reader doesn't allow macros to run, because I set it that way.

Does yours?
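As an added example (not the blog's tool, nor any vendor's code), here is a stdlib-only Python check that looks past the filename, as in the "PDF that is actually a DOC" case above, and reports whether the real container can carry macros and shows signs of one; it also recognises the HTML attachments discussed in the next post. The OLE2 check is a heuristic search for the UTF-16 name of the VBA storage, not a full parse, and all the sample attachments are constructed.

```python
"""Check whether an e-mail attachment really is what its extension claims, and
whether it can carry macros.  Added example using only the standard library;
it is not the blog's own tool."""
import io
import os
import zipfile

# File signatures (magic bytes) for the formats discussed on the page.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
PDF_MAGIC = b"%PDF-"
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx/.docm zip containers

# OLE2 directory entries hold stream names as UTF-16LE, and the VBA project
# storage is named "_VBA_PROJECT".  Searching for that encoded name is a
# heuristic (assumption: no full OLE2 directory parse here), enough to flag.
VBA_STORAGE_NAME = "_VBA_PROJECT".encode("utf-16-le")

# What each extension claims the container should be.
EXPECTED_TYPE = {".pdf": "pdf", ".rtf": "rtf", ".doc": "ole2", ".xls": "ole2",
                 ".docx": "zip", ".xlsx": "zip", ".docm": "zip", ".xlsm": "zip",
                 ".htm": "html", ".html": "html"}


def sniff_type(data: bytes) -> str:
    """Return the real container type from the leading bytes, ignoring the name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = data[:512].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


def macros_found(data: bytes, kind: str) -> bool:
    """True when the container can hold VBA macros and shows signs of them."""
    if kind == "ole2":
        return VBA_STORAGE_NAME in data
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False  # pdf, rtf, txt and html have no macro facility at all


def assess(filename: str, data: bytes) -> dict:
    """Summarise what a mail filter should know before anyone opens the file."""
    kind = sniff_type(data)
    expected = EXPECTED_TYPE.get(os.path.splitext(filename)[1].lower())
    return {
        "filename": filename,
        "real_type": kind,
        "extension_matches": expected == kind,
        "macro_capable": kind in ("ole2", "zip"),
        "macros_found": macros_found(data, kind),
    }


def build_samples() -> dict:
    """Constructed attachments (not real malware) modelled on the page's cases."""
    # 1. Named .pdf but really an OLE2 .doc carrying a VBA project, like the
    #    "Sales Invoice" mail above.
    fake_pdf = OLE2_MAGIC + b"\x00" * 504 + VBA_STORAGE_NAME + b"\x00" * 104
    # 2. A genuine, minimal PDF: no macro facility.
    real_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    # 3. A macro-enabled Office zip container with the vbaProject.bin part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed\x00")
    # 4. An HTML "verification" attachment like the fake PayPal one.
    html = b"<html><body><script>/* obfuscated */</script></body></html>"
    return {"Sales_Invoice.pdf": fake_pdf, "letter.pdf": real_pdf,
            "Tax_Invoice.docm": buf.getvalue(), "verify.html": html}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(assess(name, blob))
```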

Thursday 26 November 2015

html enclosed

Does your email filter check for html files? If so, what does it do?

I just received one.

From: PayPal <intl2@security.net>
Subject: Online Account Verification
Parts/Attachments:

Dear Customer

Please take a few minutes out of your online experience to know why we have limited the access (temporarily) to your account.

The time it takes to restore the access is usually uncertain; depending on the type of issue, it may take our security team a few minutes or hours to resolve the problem.

There are a variety of reasons why an account is set to Limited; One of them is un-authorized access (another user tried to use your account without your consent).

An attachment is given to you through this notification. Please download and open it in your browser to verify your account.

Our security team will immediately review the information you have provided, and your account should be restored back to normal.

We would like to thank you for your attention to this matter.

Sincerely,
PayPal Account Security Division

It includes an obfuscated javascript program. I'm not going to try to de-obfuscate it, because the obfuscation is clear evidence that it's doing something fishy.

SHA1 8ab4172e11f81cee016dff09cfd50a3e86f94810
SHA256 713a848d3613d1f9243574a171bec958e2127695fe6e3f60df0f353c654eb081

Jotti says that only Sophos flags it, 20 other products say it's OK.
Virustotal says that only Sophos flags it, 54 other products say it's OK.
Metascan says that only Sophos and Preventon flag it, 41 other products say it's OK.

"Ah, but," you might think, "I'm running NoScript, which will prevent dodgy javascripts from running." And you're probably wrong. NoScript blocks javascript based on which web site is running it; if you allow a web site to run javascript, then you're trusting it until you change your mind, which probably won't happen, because why would you? And if you click on this html attachment, the javascript is being run from your own computer and you've probably already decided that you can trust yourself! So the script will run, and although I can't tell you exactly what it does, I'm pretty sure it will be something that you really really don't want.

So does your email filter check for html files? If so, what does it do?

Fake paypal email

Today, I got another fake paypal email, by which I mean that it claimed to be from Paypal, but wasn't.

I get a lot of these, which means two things. 1) A lot get sent out and 2) there must be some people who fall for it.

From: PayPal <PayPal@inte.com>
Subject: Your-Account-Has-Been-Limited-Case-ID-PP-033-821-136-967
They aren't even trying very hard. They say that the email came from Paypal, but the from-address is at inte.com.

They want me to click on "Confirm my account now", but when I look at where that goes, it goes to http://is.gd/cVCDtF. I visited that address, it invites me to login. I logged in using some made-up information - username and password, and that took me to http://keypad-infosecure.com/login-secursecureserver.nete/websc-limited.php. That got me to a log out screen.

I checked out that domain using "whois keypad-infosecure.com" and it gives a name and address in the USA. My guess is that it's a fake name and address, or maybe a real name and address, but not that of the Bad Person. It was registered yesterday.

So some Bad Person now has a username and password that they hope is my Paypal details - if I'd given my actual details, you can imagine what they'd do with that!

Here's the thing. When I used my mail reader, next to "Confirm My Account Now" it told me that the link actually went to [is.gd], and that's a clear indication that something fishy is going on. When I checked that out, it's a URL shortener site that is (probably without realising it) redirecting for lots of malware, based at Cloudflare in Arizona, USA. The Bad People use URL shorteners to hide the domain name that's actually hosting the malware.

I've reported the abuse to the URL shortener people. And they have already reacted! Now when I visit that URL, I get:

WARNING: A user has reported this shortened URL to us as being in violation
of our terms.

We haven't had chance to check it out yet, but we automatically show a
preview page for shortened URLs awaiting our investigation. Please
proceed with caution, especially if the original URL looks suspicious
or if you received it from a suspicious source.

I've also reported the keypad-infosecure.com domain to godaddy.com (who are the registrar).

But given the volume of this sort of thing, whack-a-mole isn't the answer.

My mail reader always tells me where a link really goes.

Does yours?
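What the mail reader is doing here, written out as an added Python example (not the blog's own code): it lists where every link in an HTML body really goes and flags the two tricks from this post, a URL shortener in the href and link text that names one site while the href points at another. The message body is constructed, reusing the is.gd link and the domain quoted above.

```python
"""Show where each link in an HTML mail really goes, as the blog's mail reader
does, and flag the tricks in the post above: URL shorteners, and link text that
names one domain while the href points at another.  Added example on a
constructed message body; not the blog's own code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# is.gd appears in the post; the others are well-known shorteners.
SHORTENERS = {"is.gd", "bit.ly", "tinyurl.com", "goo.gl", "t.co"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL ('' for relative links)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def mentioned_host(text: str) -> str:
    """If the visible link text itself looks like a URL or domain, return its host."""
    tokens = text.split()
    if tokens and "." in tokens[0] and not tokens[0].startswith("."):
        return host_of(tokens[0])
    return ""


def check_links(html: str, claimed_domain: str) -> list:
    """One report per link; 'flags' is empty when nothing looks off.
    claimed_domain is the domain the mail says it comes from (e.g. paypal.com)."""
    parser = LinkCollector()
    parser.feed(html)
    reports = []
    for text, href in parser.links:
        host = host_of(href)
        flags = []
        if host in SHORTENERS:
            flags.append("url-shortener")  # hides the real destination
        shown = mentioned_host(text)
        if shown and shown != host:
            flags.append("text-host-mismatch")  # says one site, goes to another
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            flags.append("not-" + claimed_domain)
        reports.append({"text": text, "href": href, "host": host, "flags": flags})
    return reports


# Constructed body modelled on the fake PayPal mail above (is.gd link as in the post).
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p><a href="http://is.gd/cVCDtF">Confirm my account now</a></p>
<p>Or visit <a href="http://keypad-infosecure.com/login">https://www.paypal.com/</a></p>
<p><a href="https://www.paypal.com/help">Help Centre</a></p>
"""

if __name__ == "__main__":
    for report in check_links(SAMPLE_HTML, "paypal.com"):
        print(report["text"], "->", report["host"], report["flags"])
```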

Trojan spreadsheet

From: Lucie Newlove <lucie@xxxxxfoods.co.uk>

Please see attached Invoice Document SI528880 from xxxxx FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

xxxxx Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA

Actually, it came from 191.250.48.88.dynamic.adsl.gvt.net.br, which means a broadband line in Brazil. The from-address is spoofed, and the people sending the email have nothing to do with the food importing company (whose name I've redacted).

And, of course, it's malware.

SHA1: ce7ec62fbc443b580c1c397af95d7a22c16dde98
SHA256: 1ecc514d0bf2b4f340d3c45b832e72d0be1cc5a86182e193221740041bb15052

Using VirusTotal, only AVware and VIPRE (out of 54 products) flagged it. Using Jotti, only Arcabit and Kaspersky (out of 21 products) flagged it. Metascan says that only Kaspersky and ThreatTrack (out of 43 products) found it.

Poor, very poor. You MUST NOT rely on your antivirus product to block malicious software in emails. The macro in the xls file does a lot of obviously bad stuff - it contacts a server, downloads something, installs something on your system.

Full report here.

And here's the problem. It's a spreadsheet. It could equally have been a doc file. It can come with a very plausible email; for example, I had one recently that said that my Fedex parcel couldn't be delivered, and I should read the doc file for details of how to proceed. As it happens, I was expecting a parcel - that must be pretty common. And I have no idea which courier the vendor would use, Fedex is plausible. So there's a good incentive to read the doc file. But if you load it into Word, your computer is no longer yours.

My advice. Change your Word and Excel settings so that they don't run macros, and resist any temptation to change them back. Also, don't click on any attachments unless you're certain that they came from a good source. And remember that your good friend Bob might not have been so careful and if his computer has been taken over, you could be getting malware that's apparently from Bob.

Wednesday 25 November 2015

I'm offended

I'm offended. Lots of people are offended. Some people are offended on behalf of other people; some people are just-in-case offended; offended against the possibility that other people might be offended.

Lots of things offend me. I have a hair trigger for offence. I'm immediately offended by anyone saying that they're offended. Indeed, the very word "offended" offends me.

But there seems to be a growing feeling that people have a right not to be offended, and that offensive speech should be banned. I, of course, feel that this proposition is offensive, and people should not call for offensive speech to be banned, because that offends me. If they think that people have a right not to be offended, then they should stop campaigning for that right, because their campaign offends me.

Pew recently did a survey.  40% of American Millenials (aged 18 to 34) support government censorship for offensive statements about minorities. I, of course, am a minority - I'm the only drsolly in the world. So don't say anything offensive about me, or I'll be offended. 28% of all Americans agree with this.

38% of Brits favour censorship of offensive statements about minorities. I'm appalled. And in Germany, that's 70% - that's the effect of recent history, I guess.

We're already part way there. "Hate speech" is illegal in the UK, and many other countries. The act also says:

Nothing in this Part shall be read or given effect in a way which prohibits or restricts discussion, criticism or expressions of antipathy, dislike, ridicule, insult or abuse of particular religions or the beliefs or practices of their adherents, or of any other belief system or the beliefs or practices of its adherents, or proselytising or urging adherents of a different religion or belief system to cease practising their religion or belief system

So I can criticise a religion. Whew! But in practice, on 20 April 2010, police arrested Dale McAlpine, a Christian preacher, of Workington in Cumbria, for saying that homosexual conduct was a sin. Now I think he's wrong, but I also think that he should be allowed to preach his wrong ideas. Eventually, the police apologised for arresting him, and he got several thousand pounds compensation.

I believe that offensive speech is very important, and should be protected, not censored. Because who decides what is offensive? Any expression of opinion could be shut down, merely by someone calling the police and saying "I'm offended".

And criticism of ideas is important. How can we debate the worthiness of political, religious or cultural ideas, if we cannot criticise them? If all that is allowed is praise?

There should be no censorship of offending speech. There should be no right "not to be offended".

I'm offended at the mere thought that there could be.

How to buy from auction sites.

As you've probably realised from various blog posts, I'm rather careful about security. But I buy stuff from people in far-away countries, and I really don't know who they are. So far, I've been OK.

It starts off with a credit card. Credit cards have a particular property that debit cards don't have. In UK law, even if the vendor or auction site won't give you a refund, the credit card company must, under Section 75 of the Consumer Credit Act 1974. This covers purchases from £100 to £30,000. So if you bought something for £99, this won't help you - in theory. In practice, your card company might well do the refund, because they can claw it back from the vendor.

So I took out a credit card from a well-known shop, and put a limit on it. That's easy to do; supermarkets are very keen to give out credit cards. I mostly use it to buy diesel for the Freelander. And I will *not* use it at the pump, that's far too dangerous. I use it in the "kiosk".

Then I opened a Paypal account; again, easy to do. And I gave that credit card as the source of funds.

Paypal also have a refund policy, they call it "Buyer Protection". This covers any purchase you made using Paypal, but you must open your case within 45 days of the date you make the payment. So if you have a problem, remember that timing - after 45 days, you're not able to claim.

I buy things using either Amazon or Ebay; mostly Ebay. There are other auction sites, and I don't know anything about them (with one exception, which I'll cover later), because my feeling is that if a vendor puts an item anywhere, they'll put it on Ebay, because Ebay is BIG. On Ebay, I pay via Paypal; on Amazon I use the card explained above.

Ebay also has a refund policy. To use it, you have to make a claim within 30 days of the actual or estimated return date.

So here's my procedure. If I receive goods that are faulty, I don't give Ebay feedback just yet, but I contact the vendor. Problems I've had are:

- I bought a pair of arm coverings that were "one size fits all", that were actually "one size fits very skinny girl". I complained to them, I got a full refund.
- I bought five cables, and only one arrived. I emailed the vendor, they sent the other four.

Problems I haven't complained about, are:

- I bought several wrist supports. All of them arrived, but one was useless and two of the others weren't much good. One was OK and one was good. I didn't complain because A) it was only a pound or so each and B) the products were as shown.
- I bought a mouse mat with gel wrist support. It isn't much good, but it only cost a pound, and I am actually using it.

So my experience is that vendors do make mistakes, but are keen to rectify them. And some goods are inadequate, but when I explain why, I get a refund.

I haven't needed to complain to Ebay, but it's nice to know that I can if necessary, and it's an incentive on the vendor to make things right. If Ebay doesn't help, I can always complain to Paypal, or the card company.

The other main place I buy from is Amazon. From Amazon, it's mostly books that I buy, and there's not much can go wrong with a book. Occasionally, I've bought a second copy of a book, but that's my fault. I also buy other things from Amazon - that's where I buy my Hitec boots, for example. Once I bought a book that had half the pages missing - some kind of binding error at the printers. I should have complained, but I didn't.

I've also looked at things from Alibaba, which is a Chinese auction site. It is, indeed, an Aladdin's Cave, but you often don't see the prices (you have to ask each supplier) and often there's a large minimum quantity. There's also Aliexpress, which is more aimed at consumers. I bought something from them once, but I'd only use them if Ebay and Amazon didn't have what I want.

I buy quite a lot from Hobbyking. They sell radio-control stuff. From them, I get my bike batteries, because they're a lot cheaper than any alternative I've found, and they are reliable. Once, they shipped me an order that was completely different from what I ordered (I'm guessing they got two orders mixed up). But they sorted it out, and I got what I'd paid for. Lipo batteries from Hobbyking are about half the price of those on Aliexpress.

I bought the bike motor that I currently use direct from the factory, Xiong-da. That was before anyone was importing them, and I wanted that one because it is dual-speed. When I'm on rough ground, or steeply uphill, I use the lower gear, which pulls the bike along as if it's being winched. On tarmac, I go into high gear, and it's as if I just lit the afterburner.

So, in summary, I'd say that buying things from auction sites is pretty safe - I've never needed the additional precautions I take.

Tuesday 24 November 2015

More malware analyses

Aryeh Goretsky, whom I've known for a long, long time and who is currently at Eset (they make anti-malware software), suggested to me a couple of places other than VirusTotal to try, so I did.

Dear customer

The confirmation invoice for order 1366976 is attached.

Please let me know if you need any other paperwork.


Best regards,
Nimisha

Nimisha Patel
Marketing Assistant
Abcam plc


Enclosed was an XLS spreadsheet. I'm pretty sure it's malware; I haven't ever bought anything from Abcam. The XLS file has these hashes:

SHA256 aefc76a6cca8f9b903f78e9829b6da68b8e236ae00aba8218d8f4f1b236e2624
SHA1   e681f239b8bd63af26630410c340d83bad53fe10
MD5    7a2b2afb94c7a5ae18dd3456b559a7c0

According to VirusTotal, 8 products (out of 54) flag it as malware.

AVware
Arcabit
ESET-NOD32
Fortinet
Panda
Sophos
TrendMicro
VIPRE

According to Jotti, the following four products flagged it:

Eset, Fortinet, Kaspersky and Sophos.

Of the products that flagged it on VirusTotal, Arcabit and Trend found nothing on Jotti.

According to Opswat Metascan online, four out of 43 flagged it.

Kaspersky, Preventon, Sophos and ThreatTrack.

Of the products that flagged it on VirusTotal, Eset, Fortinet and TrendMicro found nothing on Metascan.

So a threat that arrived in my mailbox is flagged by about 10% of products.

... update ...

Another file; this one is a doc.

MD5:  8875a13b396384acdf18dc6c231bd477
SHA1: b09d734e793d64964bc9dcf312197c13e9c2de84

Virustotal - flagged by 18 out of 55
Metascan - flagged by 4 out of 43
Jotti - flagged by 12 out of 21

Monday 23 November 2015

The DCM, who sell cinema advertisements, have a rule that says that they won't accept religious or political advertisements. I'd guess that this is because they don't want to piss off their customers. If you're going to the cinema to see a good movie, you don't want to be politicked to or prayed at as a prelude.

The Archbishop of Canterbury is upset. The Church of England says "If they want to be consistent on not carrying any ads that have any connection with religious belief, I'd like them to cancel all ads linked to Christmas as a Christian festival. If they'd like to apply it consistently, ban every ad that mentions Christmas."

Well, not quite. You have to go back to the true meaning of Christmas, which isn't actually about Jesus Christ; the Christians borrowed the date to represent a birth that actually happened in a completely different month.

December 21 or 22, is the shortest day of the year, which means that from then on, the days start getting longer, which is great. And there's a festival to celebrate that, called Yule.

The Romans also had a festival at that time, in honour of the god Saturn. They called it Saturnalia.

In both cases (and I'd guess in numerous other religions' festivals at that time of year), the thing to do was feast, and give gifts. And we do the same - the True Meaning of Christmas, before it got hijacked by the Christians, was:

1) Eat too much.
2) Drink too much.
3) Presents all round.

Pretty much every Christmas advertisement I've ever seen (mostly on television, but also print), emphasises those three principles, and they don't refer to any religious stuff. Why should they? They want you to buy food, buy booze, and buy presents. Some people call this "the commercialisation of Christmas", but it's actually a return to the real meaning of Christmas.

Anyway. The Archbishop of Canterbury is upset. And since it's the season of goodwill to all men (all Archbishops are men), I'd like to make him an offer. I don't usually accept advertisements on this blog, but I'm willing to make an exception. For the rest of this year, I'll accept religious advertisements (from all religions, of course, one mustn't show favouritism). Email me if you want to know my rates.
Hatley heart attack, part 2

I've been off caching for two weeks, looking after ladysolly, but she's a lot better now, and the weather looked good. So I parked in the same car park at Biggleswade and set off.

I did one long circuit of 54 caches; then three extras on the way home. No DNFs.

My wrist wasn't as good as I'd hoped, it's still giving me quite a lot of gyp.

When I did the last cache, it was dark, and because I wasn't paying enough attention, I stepped into a hole and toppled over. I'm hoping that I didn't do any damage.

When I got home, I had to power wash the bike, because it had gotten dreadfully muddy.

Christmas malware

Hurrah, it's Christmas!

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive
your package.

This was sent to various of my email addresses, but not to the email address that I use for parcels - that's how I knew that it was malware. It's a doc file, and it's asking me to load it so that I can print it and take it to the post office.

I fed it to VirusTotal; 48 out of 55 products passed it as clean, but 7 flagged it as malware.

Make sure you're properly sceptical about emails sent to you.

Sunday 22 November 2015

Canterbury doubts

The Archbishop of Canterbury has said that the terror attacks in Paris made him "doubt" the presence of God.

Well, good for you Justin. But why the doubts?

It's called theodicy. Here's the dilemma.

1. God is totally good.
2. God knows everything.
3. God can do anything.

4. Daesh killed 130 people in Paris.

So how come God allowed this? Hence the bishop's doubts.

There's a lot of answers that religionists go to.

1) You're wrong, there is no evil. The events of Paris weren't evil.
2) In order for there to be free will, the possibility of evil must exist.
3) The challenge of evil makes us better people.
4) Maybe this evil deed brings God's kingdom closer.
5) God works in mysterious ways, you just haven't understood why this is ultimately good.

And lots more.

I, of course, have a much simpler explanation, but if Justin Welby went with that, he'd have to resign as Archbishop. Archbishops aren't allowed to be atheists.

Fedora 23

I installed Linux Fedora 23 on the new server, and it's even better than previous versions.

I have no idea what video or ethernet chipset is on the server, but I don't need to, it worked it out for itself. I told Fedora "I want a server" and "I live in the UK" and that's really all I needed to tell it; the install just worked. Oh, and I had to choose a password for the root user.

All that, is pretty much what I expect from a Fedora install, but when it had installed, it told me about something new - if I access https://10.0.0.155:9090, it gets me to a web-based control system that lets me choose which services are enabled and which are disabled. The "9090" is the port address; my firewall doesn't allow any access to that port from outside my own network. For example, I installed the software for DNS, so it's there in case I need it, but I can choose whether to enable it or not. If there's anything I need that didn't get installed, I can add it with "yum install whatever". And, of course, all the software is free, open source.

So I'm a happy bunny. A £60 server with 16 GB of memory and four cores of CPU (I added a couple of hard drives), running Fedora 23. Amazeballs.

Clock repair

Some 30 years ago, I was getting a pain in my wrist when I was typing, and I thought "RSI". That's a horrifying thought for someone who's a programmer and a writer - I use a keyboard a lot. Then I noticed that I was taking off my wristwatch before typing, so I left it off, and my wrist pain felt better. I don't know if there's a connection; the human body is very self-repairing even if you do nothing. But I made a discovery at that time - I very rarely need to know the exact time. So I completely stopped wearing a wristwatch, and never have since then - there's no point.

I was commuting to work at that time, down to the City. To go home, I could go either to Baker Street or Marylebone station, and the choice of which depended on the exact time. I'd get onto the Bakerloo line, and according to the exact time, I'd get off at either Baker Street or Marylebone. So you can see that it was quite important, at that one moment in the day, to know the exact time.

So I went to Dixons, and bought the AQ11 digital clock, kept it on my briefcase, and looked at it as the tube approached Baker Street, and made my decision.

Now roll forward 30 years to today. I still have the AQ11, it still works, and it still keeps very good time. A clock I bought on Ebay for a couple of pounds, gains about a minute per week, which is annoying because for it to be useful, I have to keep resetting the time. The AQ11 is dead on.

So it's a good clock, and I like it, but I couldn't change the time, and I didn't know why. This isn't a big problem, except when I change the battery: how do I then set it to the correct time?

So I decided to dismantle and fix it. I always start from the assumption that I can fix anything, and that turns out to be true nearly all the time. I took out the two screws near the battery, and wiggled and twiddled it until it came apart. Then there are two black screws inside. Once those are unscrewed, the PCB comes out, and I could see the problem.

The time is set with three push buttons. When you press each of those, a pad touches bare wires on the PCB and that's a switch closing. But for that to happen, there must be something conductive on the bottom of the button, and that was gone. There was a small amount of green flakes there, and a couple of black bits (which I guess are conductive).

So how to fix this? I took out the three buttons, which means that I can now see the bare wires on the PCB, and if I touch that with a screwdriver or similar, that's equivalent to pressing one of the three buttons.

So the fix turned out to be, remove the three buttons used for setting the time, and poke with a screwdriver instead.

And now my beloved AQ11 works!

Friday 20 November 2015

Cheap server part 3

The server arrived today, and it's everything I'd hoped, and more!

The case opens nicely; it's just two catches, no screws. Inside, there's room for three 3 1/2 inch drives (I might be able to squeeze a fourth one in, maybe). There are ATA133 headers, and no SATA header, but I was expecting that.

Inside, there are two fans feeding into a plastic thing that goes over the CPUs. That's nice, because it means redundancy; if one fan fails, the other one will keep the server running.

The great thing that I wasn't expecting (but did hope for), is that there's a 32 bit PCI slot, and a 1U adaptor, so I can put a card in. So I put in a 32 bit SATA card, which means that I now have a 300 GB ATA drive, and a 2 TB SATA drive.

I'm loading it up with data now; I'm planning to make it my main central server.

Eye is better

My left eye is improved! I went today for my half-yearly eye checkup. My peripheral vision is slightly better than it was last time, and the pressure in my eyeball is 18 (12-22 is normal). This is because the eye drops I take each day, are having the desired effect.

More good news - instead of getting two bottles of eye drops on each prescription, I'm getting three, which means that I can get resupplied every three months, the same as all my other prescriptions.

Thursday 19 November 2015

Disappearing default gateway.

First, a little lesson on how networking works.

When a computer needs to communicate with another, it shouts down the ethernet cable (an ARP broadcast), saying who it is and who it wants to talk to. That works fine for the computers on the same local network. In my case, the local network is all computers with the address 10.x.y.z, because all my computers are on that 10 network; 10.0.0.0/8 is one of the private address ranges (RFC 1918) that anyone can use, but it's only visible from inside my network; anything outside my network can't talk to them. Which is how I like it!

But what if a computer wants to talk to something outside of the local network? For example, suppose it wants to talk to 8.8.8.8 (which is Google's public DNS server). Then it doesn't just shout down the network to 8.8.8.8, it needs to talk to the gateway. In my case, the gateway is my firewall, which is on the address 10.0.0.1 (so that all my 10.something computers can talk to it). And then the gateway will forward it to the outside world (via my router). So when I do a route -n command to list the routes that the computer knows about, I get this:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 em1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 em1

What this means is: for any computer with an IP address 10.x.y.z, that's on the local network, so just shout. For anything else (the line with destination 0.0.0.0 and genmask 0.0.0.0, which is the default route), the gateway is 10.0.0.1, my firewall.

OK, that works fine. But today, suddenly, it lost that last line, which meant that anything outside my local network, was suddenly unavailable, because it didn't know where the gateway was - to be more precise, it had forgotten that there was a gateway. And it also did the same thing, suddenly, last week.

The cure is simple.

 route add -net 0/0 gw 10.0.0.1 em1

That adds the route to the gateway back.

This isn't very satisfactory, because it means that each time it forgets about the gateway, I have to tell it again. I've set up a cron job that tests, once per minute, to see if 8.8.8.8 is reachable, and if it isn't, do the "route add".
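A watchdog in the spirit of that cron job, added here as an example; it is not the script from the post. It assumes the same gateway (10.0.0.1) and interface (em1) and the net-tools route command used above; the script name, the logger tag and the cron path are my own choices. Rather than pinging 8.8.8.8, it reads the routing table and only re-adds the route when the default route is actually absent, so a temporary outage of the outside world does not cause a needless "route add" every minute.

```sh
#!/bin/sh
# routewatch.sh: re-add the default route if the kernel has forgotten it.
# Added example, not from the original post. Assumed values: gateway
# 10.0.0.1 and interface em1 (both from the post), net-tools "route" on PATH.
GATEWAY=${GATEWAY:-10.0.0.1}
IFACE=${IFACE:-em1}

# has_default_route: read "route -n" output on stdin; succeed (exit 0) if a
# line with destination 0.0.0.0 and a G (gateway) flag is present.
has_default_route() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { found = 1 } END { exit found ? 0 : 1 }'
}

# default_gateway: print the gateway address of the default route read on
# stdin, or nothing if there is none; handy for logging which gateway is set.
default_gateway() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# restore_default_route: add the route back only when it is missing.
# Returns 0 if the route is present or was restored, non-zero if
# "route add" failed (it needs root).
restore_default_route() {
    if route -n | has_default_route; then
        return 0
    fi
    logger -t routewatch "default route missing, re-adding via $GATEWAY on $IFACE"
    route add -net 0.0.0.0/0 gw "$GATEWAY" "$IFACE"
}

# Run from cron once a minute (assumed install path):
#   * * * * * /usr/local/sbin/routewatch.sh run
# Only the "run" argument triggers the check, so the file can be sourced
# for testing without touching the routing table.
case "${1-}" in
    run) restore_default_route ;;
esac
```

The "-net 0/0" in the post is the net-tools spelling of 0.0.0.0/0, the default route. On distributions where net-tools has been dropped, the equivalents are "ip route show" in place of "route -n" and "ip route add default via 10.0.0.1 dev em1" in place of the route add.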

What I don't understand, is how come this server (and it is only this one) forgets about the gateway?

Wednesday 18 November 2015

Her knee - update 2

She's progressed; she's not shuffling along now, she's hobbling, and she's discarded one of the crutches.

And today she went out for a bridge lesson, and got some shopping.

Education, form 4G

In my third year, the forms were alpha (the top), A, Y and Z. In my fourth year, in what I guess was an attempt at making the inferior forms feel less inferior, they were called G, H, D and S (Grocers, Hackney Downs School). But we in 4G knew that we were really 4 alpha.

I was 13 at the start of that year (1962-63), and being in the fourth form brought three huge benefits. First, our blazers were black instead of blue. A blue blazer marked you out as a young kid, and I was no longer a kid, I was nearly 14! And Barmitzvahed. It was wonderful being post-Barmitzvah, because I no longer had to learn how to be Barmitzvah. I could forget about Cheder at last, which meant giving up those wonderful bread and strawberry jam sandwiches, but also meant I didn't have to spend an hour being bored (three days per week), and three hours on Sunday being bored absolutely stiff and insensate. It was round about then that I decided that I was an agnostic, although in retrospect, I was actually an atheist but philosophically, you can't be 100% sure that there's no god, so I decided I was an agnostic.

The second huge benefit was that we no longer had to wear our school caps, which was a rather silly-looking light blue thing with a badge. The third, and biggest, benefit, was that we could now wear long trousers. I was a mensch!

My big subject was still maths, and maths had gotten a lot more wonderful. We did infinite series, and how to sum them, and I really liked that, but then we did calculus, and I absolutely fell in love with calculus. It's beautiful and elegant, both differential and integral, and it makes it possible to solve problems that would otherwise be extremely difficult.

We did pure maths and applied maths (which is a bit like physics). And I also liked physics, because it was a bit like applied maths.

Martin Gardner's Mathematical Diversions grabbed my interest, and I made hexaflexagons, the flexatube, soma, eleusis and loads more. I'd recommend all his books to anyone interested in maths.

Chemistry was also great; we learned how to analyse unknown substances to determine what was in them. Which involves pipetting, filtration, weighing and all the other techniques. Back home, my own chemistry experiments involved nitrogen tri-iodide (add ammonia to iodine, filter out the precipitate, let it dry, and then it explodes when you touch it). And interesting stuff with sodium chlorate (which you could buy in big tins from Boots, as weed killer) and sugar; combine those and you get a nice explosive. I also tried to make a Molotov Cocktail, but I used paraffin instead of petrol, and it didn't work.

I was also getting heavily into electronics. I would find dumped TVs, lug them home, and dismantle them; this gave me a good collection of wire and components. I built a crystal radio, and an analogue computer to play hex.

I didn't swim much, even though now I could, and I discovered that throwing the discus required the least effort of any "sport", and I could get a good distance because using calculus I had determined that the best angle of throw would be 45 degrees. I was by no means good at it, of course. But at least it didn't involve running. I also tried the javelin, but after I bashed myself on the back of the head because it swung around as I tried to throw it, I stuck to discus.

At the end of the year, we did four GCEs, and that was a year before we were due. I did maths, physics-with-chemistry and two others (english and french, I think?). You can see which subjects I thought were important! By taking these four a year early, we could take a relaxed attitude towards the exam; if I failed, I'd just take them in the fifth form as per everyone else.

But we still worked hard to pass, because passing would mean an easier fifth form. And anyway, why wouldn't you work hard to pass? I remember I worked my way through all the past maths papers set in the previous 10 years, because a good way to practise for an exam, is to take previous exams. And I passed, all four, with A grades for the important two.

I got a prize at the end of the year, I forget what for, probably maths. I chose the book I wanted, which was "Seven figure logarithms and other tables". I didn't know this at the time, but that turned out to be totally useless; I never needed to do calculations to that degree of accuracy.

I've left out the really big thing that happened that year. The fire.

On the morning of Tuesday, 19 March 1963, I arrived at school as usual, only to see what you might think that every schoolboy secretly longs for - the school had burned down overnight. Actually, our reaction was far from gleeful. I, for one, was about to take my GCEs in a couple of months. Our reaction was first disbelief, then dismay. What would happen now?

It was slightly worse for me. The previous evening, I had given a performance entitled "An hour of chemistry magic" in the lecture theater of the science block. It was well attended, because I had by then a bit of a reputation. I showed them various liquid colour changes, and the iodine clock reaction. You add one to the other, stir it a bit, and nothing happens. I walk across the room, clap my hands, and it changes to dark blue. This isn't the sound causing the reaction, it's just a delay. And for a finale, I did an ammonium dichromate volcano. Mine was a lot larger than the one in that video, and very spectacular. And when the staff heard that the school had burned down, their first thought was me. Of course.

But it wasn't me, it was a wiring fault in the school theater. The science block was unharmed, so I was immediately vindicated.

But still ... no school. We were told to go home that day. The lower school (years 1-3) were found space in Stamford Hill, which is where I lived. The upper school went to Wilton Way, and I remember that we regarded that as greatly inferior (as were all schools that weren't Grocers) and full of rough kids. But not long after, several prefabs were put up in front of the old school, so we could all return to something resembling normalcy.

As far as I was concerned, nothing much changed. My main subjects were maths, physics and chemistry, and the science block was unaffected by the fire. And for maths, all you need is a blackboard. The school theater was gutted, but I wasn't into drama anyway. The swimming pool/gym was OK.

In June of the same year, another fire destroyed the changing rooms at the sports field.  I was not too bothered. All we did there was football (in winter) and cricket (in summer), and I disliked both.

So at the end of the year, I had four O levels, and in the fifth form, I would take five more.

php malware

A php file was uploaded to my anonymous ftp. An anonymous ftp allows anyone who wants to, to upload files to my server. I read the file, to see what it does. The uploader is hoping that A) I'm running linux (I am) and B) I'm running php (I'm not) and C) he can access the file as soon as it's uploaded (he can't).

Uploads to my ftp, are not visible or accessible to the uploader.

I get one of these every few weeks; it's not as common an attack as an emailed file, but it isn't uncommon. The fact that the attack is being made, is evidence that it must succeed, at least occasionally.

Here's what you should do if you're running an anonymous ftp.

1) Don't allow web access to the place that's uploaded to.
2) If you move an uploaded file to a place that's web-accessible, look at it first. And remember that even if it has a file extension that suggests that it isn't php, it still might be.

Also, when any file is uploaded to my ftp, it's renamed on upload.
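A check that follows rule 2 above, added here as an example rather than anything from the post. It assumes uploads land in /var/ftp/incoming (my placeholder; the post does not name the directory) and treats a file as PHP if a PHP open tag appears anywhere in its first 64 KiB, whatever the extension claims. The sample files in the usage below are constructed.

```sh
#!/bin/sh
# ftp-upload-check.sh: flag uploaded files that contain PHP code regardless
# of their extension. Added example, not the post's own script. UPLOAD_DIR is
# an assumed path; the original says nothing about where uploads are kept.
UPLOAD_DIR=${UPLOAD_DIR:-/var/ftp/incoming}

# looks_like_php FILE: succeed if the first 64 KiB contain "<?php", the echo
# short tag "<?=", or a "<script language=php>" block, case-insensitively
# (PHP accepts "<?PHP"). "<?xml" on its own is deliberately not matched, so
# XML and SVG uploads are not flagged. -a makes grep treat binaries as text,
# which is what catches a PHP payload appended to a GIF or PDF.
looks_like_php() {
    head -c 65536 < "$1" 2>/dev/null |
        grep -a -q -i -E "<\\?(php|=)|<script[[:space:]][^>]*language=[\"']?php"
}

# scan_uploads [DIR]: print "FILE: PHP" for each regular file that looks like
# PHP. Returns 0 if nothing was flagged, 1 otherwise, so a script can refuse
# to move anything into a web-served directory until the hits are reviewed.
scan_uploads() {
    dir=${1:-$UPLOAD_DIR}
    hits=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        if looks_like_php "$f"; then
            printf '%s: PHP\n' "$f"
            hits=1
        fi
    done
    [ "$hits" -eq 0 ]
}
```

Keeping the upload directory outside the document root and renaming on upload, as the post does, remain the primary controls; this scan is a second line for the moment a file is about to be moved somewhere web-accessible. A negative result is not proof of cleanliness, only that the obvious PHP markers are absent.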

I checked it with VirusTotal. It was first uploaded to them three years ago, and even now, 20 out of 54 products don't flag it.

SHA256 38fe65d93a95e9f4f051c5a522bd99b3084a70cf61fab64e01061b4752e629c6

Tuesday 17 November 2015

Hello, it's Barney

Barney has arrived, and is blowing across the garden.

I can understand the usefulness of warning people about coming storms. I don't see the need to give them cute names.

What's next?

How about naming expected snow? A week of hot weather? A rain shower?

At the Drsolly weather center, we're expecting mild weather tomorrow, but there will be a short shower, named Bob, followed by a dry period, named Colin. After dark, we're expecting a frost named Douglas.

Cheap server, part 2

I couldn't resist it. I went for the more upmarket version for £60, with 16 gb of DDR memory, two dual-core processors at 2ghz, gigabit ethernet, and space for three 3.5 inch hard drives. It only takes ATA133, but I have a few of those in my spares box, plus I have SATA-to-ATA133 converters. It should arrive this week.

George Osborne is not a security expert.

Osborne is talking about attacks by Daesh on our computers. He also said "They do not yet have that capability. But we know they want it, and are doing their best to build it."

And I'd like to acquire a unicorn. It isn't so easy. You can buy a computer easily, but buying expertise isn't so easy.

So what should we do? Here's Osborne again:

the public needed to follow "basic rules of keeping themselves safe" online.

 This could be achieved by installing security software, downloading software updates and using strong passwords. 

 So that's his answer?

1) The main route of attacks today is via emailed trojans and malware web sites. I don't know of any product that protects against emailed trojans, which I think is strange, because such a product could be written, and I've explained in previous posts how to do that. Malware web sites can be countered by disabling javascript.

2) Software updates are, these days, automated. You don't have to download them, your computer does that, and installs them.

3) Weak passwords aren't how the Bad People get access to your system. The danger is password reuse; using the same password at multiple places.

Mr Osborne also announced the creation of a new National Cyber Centre to bring together the country's leading experts.

They haven't asked me yet.

Monday 16 November 2015

The five second pause

On the "reality" programs - Masterchef, Bake-off and Potter, before announcing the winner (or the loser, as the case may be) the presenter says, "And the winner is" and then there's a five second pause.

I'm guessing that you get the same thing on the umpteen other shows of this kind.

I find this immensely artificial. The presenter already knows the answer, it isn't like he's trying to make up his mind. The five second pause is there, I guess, to "build the tension". Well, in my case, it builds the irritation.

And the worst presenter of the five second pause is .... 1... 2 ... 3 ... 4 ... 5 ... ... ...

Her knee - update 1

It's improved. At its worst, she couldn't stand or sit unaided, and could barely shuffle along (hence the use of the pump trolley). Now she can stand and sit, and although she's still shuffling, it's a much faster shuffle. I'm still on full time duty, but the likelihood of a night call is much less.

The Royal Institution

When I was very young, I attended a lecture at the Royal Institution. Well, I think I did. I seem to remember that I did, but it might be a false memory. Memory is a funny thing.

I seem to remember the lecture theater, but I can't remember what the lecture was about, which is strange, because surely I would?

Anyway, I've definitely seen RI lectures on the television, and now, thanks to the magic that is the internet, you can watch them on youtube.

I recommend them very highly. They are aimed at children, so there's lots of exciting demonstrations, but they don't talk down to you, and they're very suitable for adults too.

I've been watching several of them. Recommended. And show your children.

Sunday 15 November 2015

So-called.

Here's a word that annoys me. So-called. Journalists use it a lot.

What it actually means, is "I'm going to use this word, but I think it isn't really appropriate". It's used a lot by so-called journalists (also known as "journalists") who are too lazy to find out the correct word for the so-called inappropriate word.

Look. If you think you know a better word for what you're referring to, then use it.

Sing sing

There's a server that I use purely to give me multiple windows on to various servers, and that server started singing to me today.

It's done that before, and I know what it means - the CPU is overheating. Which probably means that the CPU fan has stopped working.

That's annoying. I replaced that fan only a few months ago.

So, without powering the server down, I took the cover off, and sure enough, the CPU fan wasn't spinning. I removed it and replaced it with a similar fan. There was another fan blowing cool air into the server that had also stopped, and I replaced that too. I put the cover back on, and now it's humming almost silently; no annoying singing.

Malvertising

These days, malware is a business.

20 years ago, when I was in the antivirus business, viruses were written by kids having fun. I even met some of them; some after they were arrested, one at a show (he came up to me and identified himself).

But its all changed. Now, the way that Bad Things are spread, isn't via viruses (self-replicating programs), it's via trojans. The way a trojan works is: bang, gotcha.

So how do trojans arrive on your computer? There's two main routes. One is via email, and I've been discussing this a lot recently. The other is via the web.

We all know that visiting the nasty-mcnasty.com web site could rapidly lead to big problems; sensible people avoid the less salubrious parts of the internet. But some parts of the internet come to you, whether you want them to or not. I'm talking about advertisements.

The advertising ecology of the web looks like this. You have a blog, which is attracting a thousand times more people than this one (my typical post gets a dozen readers, two dozen if it's lucky). And it occurs to you that you might make some money out of this. By accepting adverts. But you have no idea who might be interested in paying you to show ads, so you go to an internet ad broker.

On the other end, you're a nifty entrepreneur with a great product or service to sell, and you want to advertise it, but you don't want to contact hundreds of web sites to negotiate rates and conditions. So you go to an internet ad broker.

And that's why, when you're viewing some site with interesting content, annoying, intrusive and irrelevant adverts keep popping up, occupying your screen and irritating the hell out of you.

Enter the Bad People. They want you to run something malicious. A good choice would be some javascript, that accesses a remote server and downloads something really nasty that takes over your computer, and now your computer can be rented out by a third party, to fourth parties who want to send out spam, or attack other computers ... and it's your computer that gets the blame. And since a computer is just a machine, it's you that gets the blame.

So they buy an ad from the broker. This ad includes the javascript, which is checked against VirusTotal so that it passes as clean when checked by 55 different scanners, and for the first 100 accesses, or for the first few days, it does nothing, so that anything that's testing it will pass it as OK. And then it goes live, working its evil badness. If your computer runs javascript, you're vulnerable - by default, your computer will be running javascript. And if you don't run javascript, you're going to get so many web sites telling you that javascript is needed for their site, that eventually you'll give in and allow javascript.

I use Noscript. This blocks javascript, java, flash and other plugins, unless I specifically allow it for that site, on that occasion. I consider this to be a security issue. I also use uBlock Origin (I used to use adblock), because until one day in the future all advertising is certified as malware-free, why would I allow it on my systems? And they don't (and probably can't) certify it as malware-free.

I also use a hosts file. What that does, is resolve a long list of sites such as octopusgirl.com (I kid you not, and I haven't visited the site, so I don't know what it does) to 127.0.0.1 instead of to 208.113.186.163 which is where octopusgirl.com really is. You see, 127.0.0.1 means "this computer". So for any domain on the long long list that you can get here, if my computer is told to get something from that domain, it doesn't. As a nice side effect, loading web pages is much faster, because of all the junk that I'm not downloading.

You can set up a hosts file for Linux (you edit /etc/hosts), Windows (look in C:\Windows\System32\drivers\etc) or Android.  If you can do it for iPhone or iPads, I don't know how. I suspect you can't, unless you "jailbreak" it, which many people are unwilling to do.
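A checker for the hosts-file approach, added here as an example and not part of the original post. Given a hosts file in the format described (names mapped to 127.0.0.1, or to 0.0.0.0 as many published lists do) it tells you whether a given name would be sunk, and can list everything the file sinks so a downloaded blocklist can be reviewed. The sample hosts file in the usage is constructed; octopusgirl.com is the domain named above. It also makes the main caveat visible: a hosts file matches exact names only, so sinking octopusgirl.com does nothing for cdn.octopusgirl.com unless that name is listed as well.

```sh
#!/bin/sh
# hosts-block-check.sh: does a hosts file sink a given name? Added example,
# not from the original post.

# hosts_blocks HOSTSFILE NAME: succeed if NAME appears as a hostname on a
# line whose address is 127.0.0.1 or 0.0.0.0. Comments (#...) are stripped,
# several names per line are allowed, and matching is case-insensitive, as
# DNS names are. Only exact names match: no wildcards, no subdomains.
hosts_blocks() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                                 # drop comments
        NF < 2 { next }                                    # need address + name
        $1 != "127.0.0.1" && $1 != "0.0.0.0" { next }      # not a sinkhole line
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) { hit = 1; exit } }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# blocked_names HOSTSFILE: print every name the file sinks, lower-cased and
# de-duplicated, one per line. "localhost" is skipped, since the loopback
# entry is the machine's own name rather than a blocked site.
blocked_names() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 != "127.0.0.1" && $1 != "0.0.0.0" { next }
        {
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == "localhost" || n in seen) continue
                seen[n] = 1
                print n
            }
        }
    ' "$1"
}

# Example: hosts_blocks /etc/hosts octopusgirl.com && echo sunk
```

Two points worth knowing when you assemble such a list. First, many blocklists map names to 0.0.0.0 rather than 127.0.0.1, so that the browser fails immediately instead of trying to connect to whatever happens to be listening on the local machine; the checker accepts both. Second, because there is no wildcard matching, an advertising network that serves from ever-changing subdomains will slip past a hosts file, which is why the post pairs it with a blocker in the browser.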

So you too can avoid malvertising.

Saturday 14 November 2015

Her knee

Ladysolly has a bad knee. We don't know what's happened in there, but it's so bad, she can barely shuffle across the room. She went to the doctor, and showed her the bad knee, and the doctor immediately diagnosed "You've got a bad knee", so that's a help. The treatment is, don't use it too much, which will be no problem because she can barely use it at all. There's also two applicable treatments, one being cold (icebags and suchlike) and the other being heat (hot water bottles and suchlike). Thank heaven for the NHS.

She spent most of yesterday in the lounge on the sofa, but the time came when it was necessary for her to do what is Necessary.

Getting her off the sofa onto her feet, was a challenge, involving a lot of screaming. So then, how to get her the 20 yards to the Place of Necessity. My solution was this.

It's a pump trolley, except mine is red. I use it for computers. When I want to work on a heavy computer, I adjust the height of the surface, slide the computer on to it, pump it up so that it's the same height as my workbench, then slide it to there. It means I don't have to lift a heavy computer at an awkward angle.

So I got it to the right level, and ladysolly sat on it. Then I pumped it up, so that her feet weren't on the ground, and trollied her over to the Place of Necessity, lowered the surface, and she got off. And when the deed was done, reversed the process. We did this a few times that day.

Now she's upstairs, surrounded by phones and iPads, plus she has a bike hooter to summon her staff so I can rush in and see what Her Ladyship needs.

I'm thinking that this is going to take at least a couple of days to fix itself.

Paris

Awful, just terrible. People ask, why kill innocent civilians? What's the point?

I can't say what's inside the head of a murderer, but I can discuss the political consequences of terrorism.

The purpose is to provoke a reaction. And the purpose of Islamic terror is to provoke a reaction against Moslems. That is why governments try to damp down any reaction against Moslems.

If they succeed in provoking a reaction against Moslems, then there's a real reason for resentment, and a real cause for recruitment.

So If you've been wondering why governments seem to be appeasing Moslems, it's because A) ninety-something percent of them just want to get on with their lives and B) they don't want to turn that ninety-something percent into eighty-something percent.

But if you commit an outrage as bad as Paris, there will be a reaction, it's inevitable. Part of this will be against Moslems living in France - the people who carried out the actions, will have had support, that support would, most likely, have been from Moslems, and there will be an investigation to root out that support. And part of it will be against immigrants from Moslem countries, which will be tough on the people trying to escape from a bloody war.

So the slaughter in Paris will have effects that will further the aims of the slaughterers.

And that's why it happened.

So what can be done?

Well, I don't know, but more of this would be good.

Friday 13 November 2015

Homeopathic funding

The BBC reports that the £4m per year spent by the NHS on homeopathy, is being reconsidered.

I can't understand why NHS money was ever spent on something for which there's no good evidence that it works. Homeopathy fans, of course, think that homeopathic pills "have a profound effect" on patients.

Two opposing sides -> a controversy.

So let me propose a compromise. My suggestion is that we dilute the £4m being spent on homeopathy with a 6c formulation; this means, divide it by 100 to the power 6. This will, in accordance with homeopathic principles, make it more effective. It's homeopathic funding.

I have no problem at all with spending .0004 of a penny per year on homeopathy, and homeopathy fans will be delighted at the increase in effectiveness gained by this dilution.

Thursday 12 November 2015

Really cheap server

Rummaging through the bargain basement of Ebay, there's some great deals to be had.
This server, for example, is £40, and gets you a 1U box with two AMD Opterons each with two cores, running at 2 ghz. 8 gb of memory, two gigabit ethernet ports. Downside is, the disk controller is ATA, which means you'll only get four 300 gb drives, although I have a little thing that lets me run a SATA drive on an ATA port, which seems to work fine.

I'd expect to pay £40 just for a 1U power supply!

I am *so* tempted. Trouble is, I don't currently have a use for it, and I do have a couple of dozen working servers not doing anything.

A reader's guide to antivirus product reviews

I wrote this 22 years ago, and it's still true. Testing antivirus and anti-malware products isn't easy.

I’m not claiming that all anti-virus product reviews conform to the guidelines below but I can tell you I’ve seen every one of these tricks used in magazine reviews. In some cases, a ‘master reviewer’ has shown such adroitness that he or she has been able to employ several of the tricks in the same review. In many (if not most) cases, the reviewer was unaware that he was using these tricks but in some cases, it looks as if they have been used deliberately.

The main weapons at your disposal are the choice of what features to review and what to ignore and the weights given to the features you do cover. By a careful use of this, even GrottyScan can be the Editor’s Choice.

By the way, GrottyScan and WonderScan are entirely fictitious products and is not meant to stand in for any of the products on the market today. And Grotty Inc. and Wonder Inc. are fictitious companies.

1. Put a lot of weight on User Interface. Then, you can legitimately claim that you liked GrottyScan’s user interface better than the others. User Interface is a matter of personal preference. Some people like a command line, others a full screen. Some people like lots of knobs and buttons, others like a clean interface (i.e., no options). If GrottyScan is optionless, give the most points for ‘a clean, uncluttered, user interface’. If GrottyScan is chock-full of bells and whistles, do a tick chart and give the most points for quantity of features.

2. If GrottyScan doesn’t have a TSR, then don’t test TSRs. You can either just ignore the whole issue or else claim that no-one should use a TSR, perhaps on the grounds of TSR conflict, or on grounds of security, or on any other grounds you choose. In extreme cases, you might say that any vendor offering a TSR is a scoundrel.

3. If GrottyScan doesn’t offer file repair, then don’t give any points for repair. You could claim that repair is insecure and everyone should delete-and-replace. Or you could explain that some products don’t do it very well, so nobody should use it (even though other products may do it extremely well).

4. If GrottyScan does repair but not very well, then give lots of points for the fact that it does repair but don’t actually test it.

5. You’re going to have to do a run against a load of viruses. If GrottyScan is really bad at detection, then use just 11 viruses - that way, it doesn’t look any worse than the others.

6. If GrottyScan is slow, you can mask that nicely with several deft touches:
Scan a floppy disk. That means that the speed is governed by diskette reading speed, not by the product speed.
Scan a hard disk without much on it, on a fast machine. That way, all the products take just a few seconds and there isn’t much in it. If GrottyScan is ten times slower, that doesn’t really look bad if its run time is 10 seconds.
Do your timing test on a disk full of viruses. That way, WonderScan will be slowed down by the screen display and other things it has to do when it finds a virus, whereas GrottyScan won’t be slowed down, as it won’t have found many viruses.

7. If GrottyScan uses its own naming scheme, award half the points for detection and the other half for correctly naming the virus (correct, of course, means using GrottyScan names). Yes, I really have seen this done.

8. If GrottyScan is poor at polymorphic viruses, then use just one specimen of each, thus giving it a 100 per cent score. The NCSA standard testing protocol uses this trick.

9. If GrottyScan can’t deal with Stealth viruses in memory, then don’t test with a stealth virus in memory (again, the NCSA protocol does this).

10. If GrottyScan has options to run fast and options to detect most viruses, then choose the Fast option in the timing test and Secure in the detection test. Naturally, you won’t report this.

11. If GrottyScan has a heuristic analyser, then make sure you don’t run it on a clean machine but only on an infected machine. That way, you don’t have to report any of the false alarms; you can, however, wax lyrical about the way it can detect new viruses.

12. If GrottyScan has a behaviour blocker, emphasise the fact that it can stop viruses. Don’t install the thing and try to use it in daily use, or you’ll have to report that all the false alarms it gives makes it unusable. I’ve seen a journalist rate such an unusable product as the best anti-virus product on the market.

13. If the documentation tells you to install WonderScan in a certain way, then install it differently, then give lots of details about how it didn’t work when it was wrongly installed.

14. If GrottyScan has a five-page manual, drone on about conciseness and how this is much preferable to the wrist-breaking tomes that come with other products. If GrottyScan has a large manual, emphasise the importance of full documentation.

15. If when you phone Grotty Inc. for technical support, you get put on hold for fifteen minutes and then get given dangerous advice, don’t review tech support. On the other hand, if Grotty Inc. gives prompt and accurate support, do a table on how good their technical support is.

16. Take several viruses and patch them; write nulls over part of the virus code. Then, see which scanners still detect the viruses. Patch different places until GrottyScan detects the viruses and the other products don’t - even better, get Grotty Inc. to do it for you. After all, they know what part of the virus to patch.
 
17. You’ll need a test suite. Ideally, you should get it from Grotty Inc. You might find that Grotty Inc. don’t have a virus library, in which case, you should find a collection of files that contains viruses and also lots of corrupted and innocent files. That way, if half the files you use are not viruses, the GrottyScan score of 30 per cent doesn’t look too bad compared with the 40 per cent that the best product will get.

18. Give a copy of the exact test files you will be using, to Grotty Inc., three months before the test (this happened in an American review).

19. If GrottyScan finds false alarms in some of your files, count this as a plus, rather than a minus.

20. If GrottyScan doesn’t do a self-test to see if it is infected before running, don’t test to see if other products do check their own integrity.

21. Use the ‘faint praise’ technique. If you need to say something good about WonderScan, say things like: "suitable for home computer users", or: "the packaging was attractive".

22. Use the magnification technique. If you find some minor, unimportant problem with WonderScan, say that "unfortunately, WonderScan is flawed by ...." People will read that as ‘very bad’ but you can justify the statement by using the dictionary definition of ‘flaw’, meaning very minor defect.

23. If you find some major problem in GrottyScan that you are forced to report, call the vendor and you’ll be able to say, "by the time you read this, this problem will have been fixed". Indeed, since that is true, why bother to tell the reader about the problem!

24. If Wonder Inc. complain and challenge you to produce the ‘virus’ that you claim they cannot find, take refuge behind a non-disclosure agreement that says that you cannot send out the specimen.

25. Don’t use viruses at all. Use simulated viruses. Assume that the simulation is perfect and that therefore all products should detect them.
 
26. Make a mistake in the summary table, accidentally giving WonderScan two stars when you meant four. When they complain, correct this in the next issue, in a little box that no-one will read. You can safely make the opposite mistake with GrottyScan; it is unlikely that they will complain at being given four stars.

Mistakes caused by these techniques are exploited by the marketing departments of all companies in the anti-virus market. At the end of the day, it is you the user who is being exploited.

The bow angle

Much has been made of the angles at which heads have been bowed by various politicians recently; Corbyn was not the only one mentioned. Clarification is needed.

We need government guidelines on the exact angles to bow the head in a whole bunch of circumstances, including "Remembrance Sunday", "at a funeral", "in church", "meeting the queen", "meeting a bishop", "getting married", "shaking hands with the Dalai Lama" and many others. Otherwise this terrible angle uncertainty misery will persist.

URL shortener threat

I've been seeing this for a while. When a Bad Person wants to send you to a web site that will install a trojan on your computer, they give you a URL to click on.

Most people access their email via the web, using a browser (I don't). When you're making a web page, it's easy to lie about where a link goes, because there's the part that the user sees, and there's the part that tells the browser where to go, and they don't have to be the same. So a link that says it goes to microsoft.com could actually go to nastywebsite.com, and unless your browser alerts you to the difference, how would you know? My email system tells me, for each link, where it actually goes, so in the case above it would show microsoft.com [nastywebsite.com], making it obvious to me that something fishy is going on. But it might not be so visible to you.

A link that says it goes to microsoft.com could actually go to MICR0SOFT.COM; the difference is that I used a zero instead of the letter o, and upper/lower case doesn't matter in domain names. Well, that particular example wouldn't work, because MICR0SOFT.COM has also been registered by Microsoft. But you get the idea.

So what domain name does your bank use? Is it barclays.com, or barclaysbank.com, or barclaybank.com, or one of a zillion other possibilities? When you see a plausible-looking link, do you just follow it? Well, don't.

And what I've also been seeing is URL shorteners. These have a legitimate application: you want to suggest to a friend that they visit the URL http://www.cutekittens.com/stripy/frisky/running_around_looking_cute.html but instead of giving that long URL, you use a URL shortener like tinyurl.com, so the link is now tinyurl.com/r8w7qg5. If you're a twitterer, brevity is important.

But the bad guys can use URL shorteners to completely hide where the link goes. If you're used to URLs like go.to/93hy56, then you might be less suspicious than if you saw nastywebsite.com/malware-installer.htm.
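As an added illustration (not code from the original post), here is a small Python filter that applies the three checks described above to the anchors in an HTML email body: it compares the host named in the link text with the host the href actually goes to, flags destinations hidden behind a URL shortener, and catches digit-for-letter look-alikes such as a zero for an o. The shortener list, the protected-domain list and the sample message are assumptions constructed for the demo; only the standard library is used.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example, not code from the original post. The shortener list, the
protected-domain list and the sample message are assumptions made for the demo.
Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of URL-shortening hosts (the post names tinyurl.com and go.to;
# the others are added here for illustration).
SHORTENERS = {"tinyurl.com", "go.to", "bit.ly", "goo.gl", "t.co", "ow.ly"}

# Assumed list of domains you want protected against look-alike spellings.
PROTECTED = {"microsoft.com", "paypal.com", "barclays.co.uk"}

# Digits that are commonly swapped for the letters they resemble.
CONFUSABLES = str.maketrans("0135", "olse")

# Minimal stand-in for the public suffix list: these need three labels.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def host_of(text):
    """Lower-cased host of a URL or bare host string; '' if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        return (urlparse(text).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """Crude registrable domain: last two labels, or three under co.uk etc."""
    parts = host.split(".")
    n = 3 if ".".join(parts[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(parts[-n:])


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _Links()
    parser.feed(html)
    return parser.links


def check_link(href, text):
    """Warnings for one anchor: text/href mismatch, shortener, look-alike host."""
    warnings = []
    target = host_of(href)
    if not target:
        return ["link has no host"]
    target_dom = registrable(target)

    # 1. The visible text names a host, but the href goes somewhere else.
    if URL_LIKE.fullmatch(text.strip()):
        shown = host_of(text)
        if shown and registrable(shown) != target_dom:
            warnings.append(f"text says {shown} but link goes to {target}")

    # 2. The real destination is hidden behind a shortener.
    if target_dom in SHORTENERS:
        warnings.append(f"destination hidden behind shortener {target}")

    # 3. Digit-for-letter look-alike of a protected domain (micr0soft.com).
    unconfused = target_dom.translate(CONFUSABLES)
    if target_dom not in PROTECTED and unconfused in PROTECTED:
        warnings.append(f"{target_dom} is a look-alike of {unconfused}")
    return warnings


def scan(html):
    """Map each href in the message to its list of warnings (empty = looks fine)."""
    return {href: check_link(href, text) for href, text in extract_links(html)}


# Constructed sample message; none of these links are real.
SAMPLE = """<p>Dear customer, please act now:</p>
<a href="http://nastywebsite.com/login">microsoft.com</a>
<a href="http://tinyurl.com/r8w7qg5">click here</a>
<a href="https://MICR0SOFT.COM/update">Download the update</a>
<a href="https://www.microsoft.com/">https://www.microsoft.com/</a>"""

if __name__ == "__main__":
    for href, warns in scan(SAMPLE).items():
        print(href, "->", "; ".join(warns) or "ok")
```

The registrable-domain helper is deliberately crude; a real filter would use the public suffix list, and a real look-alike check would also cover Unicode homoglyphs, which this digit-only table does not attempt.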

The advice is, as ever, don't click on links sent to you by email. Not any. Ever. If you get an email that makes you want to visit Paypal, or your bank, or whatever, don't click on the link. Use the bookmark or "favourite place" that you already have set up, or use Google to find the URL.

And if you get a spam that says "click on the link to unsubscribe", then consider this - click on that link, and you just told the spammer that you're alive, active, reading his spam and therefore even more valuable as a victim. And you'll get ten times the amount of spam.


Wednesday 11 November 2015

There's 1 born every minute

The current figure from the AV-TEST Institute is over 390,000 new malicious programs every day. I'd guess that this could well be correct, and that it's the result of server-side polymorphism (explained in a previous post).

That's 270 born every minute, actually.

Scanning incoming emails simply cannot work (see my previous blog posts). Here's what you have to do instead.

1. Take a sceptical attitude. If an email claims to come from Paypal, it probably doesn't, unless you only just paid for something and the email references what you paid. Even then, there's no reason to read it. I buy lots of stuff on Ebay and get confirmation emails from Paypal, and I don't bother reading them.

Don't trust the "from" address on an email. It's as easy to forge that as it is to put a misleading return address on a paper envelope. And the Bad People do just that.

2. If an email includes an exe file, a scr file, a com file or a zip file ... delete it. Do NOT click on the attachment.

3. If an email includes a PDF file, check that it comes from someone you were expecting to get a PDF file from before clicking on it.

4. Set up your word processor so that it doesn't run macros. In LibreOffice, that's Tools ... Options ... LibreOffice ... Security ... Macro Security ... Very High. Then under the "Trusted Sources" tab I have nothing: zero trusted sources. Set up your spreadsheet the same way.

5. If an email includes a doc or xls file, check that it comes from someone you were expecting to get a file from before clicking on it.

6. If an email includes a link for you to click on, don't click on it. It might not go to where it says it goes. If you do feel the need to visit your bank's web site, do so without clicking on a link in an email.
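The six rules above are mechanical enough to automate. The following Python script is an added example (not the post's code, and not an existing product) that triages a parsed message against them: delete the blocked executable types, hold PDF and Office attachments unless the sender is on a list you maintain yourself, and flag any links in the body. It adds one check the rules don't spell out: the first bytes of a PDF or Office attachment must match what its extension claims, so a renamed file can't slip through on its extension alone. The expected-sender list, the treatment of docx/xlsx alongside doc/xls, the verdict names and the sample messages are all assumptions made here.

```python
"""Triage incoming mail against the six rules above.

Added example, not the post's code and not an existing product. Assumptions:
EXPECTED_SENDERS is a list you maintain yourself; docx/xlsx are treated like
doc/xls; a magic-byte check is added so an attachment cannot lie about its type.
Standard library only.
"""
import re
from email.message import EmailMessage

BLOCKED_EXT = {"exe", "scr", "com", "zip"}                 # rule 2: always delete
SENDER_GATED_EXT = {"pdf", "doc", "xls", "docx", "xlsx"}   # rules 3 and 5

# Bytes a file must start with to really be what its extension claims.
MAGIC = {
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound document
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "docx": b"PK\x03\x04",                         # OOXML is a zip container
    "xlsx": b"PK\x03\x04",
}

# Assumed: the only addresses you are expecting documents from.
EXPECTED_SENDERS = {"accounts@example.co.uk"}

LINK_RE = re.compile(r"https?://|<a\s", re.I)


def sender_address(msg):
    """Bare address from the From header (forgeable, but all we have offline)."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage(msg, expected_senders=EXPECTED_SENDERS):
    """Return (verdict, reasons); verdict is 'accept', 'reject' or 'quarantine'."""
    reasons = []
    sender = sender_address(msg)
    expected = sender in {s.lower() for s in expected_senders}

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension(name)
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXT:
            reasons.append(f"reject: {name!r} is a blocked type .{ext}")
        elif ext in MAGIC and not data.startswith(MAGIC[ext]):
            reasons.append(f"reject: {name!r} claims .{ext} but its bytes say otherwise")
        elif ext in SENDER_GATED_EXT and not expected:
            reasons.append(f"quarantine: {name!r} from unexpected sender {sender}")

    body = msg.get_body(preferencelist=("html", "plain"))   # rule 6
    if body is not None and LINK_RE.search(body.get_content()):
        reasons.append("quarantine: body contains links; use your own bookmark instead")

    if any(r.startswith("reject") for r in reasons):
        return "reject", reasons
    return ("quarantine" if reasons else "accept"), reasons


def build(sender, subject, body, attachments=()):
    """Construct a test message; attachments are (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg


OLE2 = MAGIC["doc"]
# Constructed samples, not real mail.
SAMPLES = {
    # A .pdf that is really an OLE2 (Word) document, from a stranger.
    "fake_invoice": build("orders@example.com", "Sales Invoice",
                          "Please see enclosed invoice.",
                          [("invoice.pdf", OLE2 + b"\0" * 32)]),
    "exe_dropper": build("friend@example.org", "Funny video", "Open this!",
                         [("video.exe", b"MZ" + b"\0" * 32)]),
    "expected_pdf": build("accounts@example.co.uk", "Your statement",
                          "Statement attached.", [("statement.pdf", b"%PDF-1.4\n")]),
    "phish_link": build("service@example.com", "Verify your account",
                        "Please log in at http://example.net/verify now."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict, why = triage(msg)
        print(f"{name}: {verdict} {why}")
```

The magic-byte check only proves an attachment is the container type it claims; a genuine .doc from an unexpected sender is still held, because rule 5 is about who sent it, not what the bytes look like.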


Even better would be software that automated all of the above, so you could just install it and have your rejection of dubious emails baked into your computer. But I don't know of such a product.

A problem is just an opportunity seen from the wrong end. There's an opportunity here for someone.

Tuesday 10 November 2015

60 Minutes On This Bicycle Can Power Your Home For 24 Hours!

Why do people capitalise each letter in a sentence? Well, never mind about that, let's examine the claim.

Here's the claim, "from just one hour of pedaling, a rural household can be supplied with energy for 24 hours." and "access to clean, free energy will enable poverty-stricken communities to not only light their homes but to connect to the internet and get educated".

Well, yes and no. The article makes it sound like you're getting rather a lot, for almost nothing - apart from the cost of building the machine. But let's examine the claim.

A fit human can generate about 50 to 150 watts for an hour; only an exceptional athlete can do more. I doubt if I could keep that up for an hour. But maybe the average poverty-stricken villager is a lot fitter than I am.

If you generate 120 watts for one hour (120 watt-hours), put it in a battery, and use it over the next 24 hours, then you'll get 5 watts. That's just enough to light one small but efficient light bulb. It's not enough to power the router and computer that you'd need to connect to the internet. There will also be energy losses in the conversion of mechanical energy to electricity, more losses in the storage and retrieval from the battery, and more losses again if you need to convert the voltage from what the battery holds to what the devices need.

So yes, you can have energy for 24 hours, but it isn't enough energy to be useful.

And secondly, it isn't free. Your motor (human) needs to be supplied with fuel (food). In a poverty-stricken community, that's not a zero cost.

So far, every article I've read has bought into this machine; nobody seems to have done the very simple calculation that shows it isn't as wonderful as it seems.

If something seems to be too good to be true, it usually is. Do the sums; always do the sums.

CRDF antivirus test

I went to the CRDF web site. CRDF uses VirusTotal for testing, so any caveats that apply to VirusTotal also apply to the CRDF results.

The very best product (based on today's chart) is showing a 62% success rate (all the others are 50% or worse), which means that about two in five malware files are flagged as clean. I get about a dozen per day, so even if I used the best product available, it would be a rare day that I didn't get hit by malware.

I wouldn't use this test as a guide to the comparative capabilities of AV products, but I would take this as meaning that there aren't any AV products that are actually of any value.

I've been putting this point to the people who I knew from the old days, meaning the people I knew 20 years ago who are still in the AV industry. The answer has, mostly, been a deafening silence.

But there was one exception, who pointed out, correctly, that these results are taken from the command line scanning capabilities of the product, and don't allow for any benefits that products might have by virtue of being connected to the internet, and therefore having access to information from the product vendor's server that might improve their results.

I'm fairly sceptical about how much benefit that would give. Here's the problem.

Bad Person makes the malware. Today's malware isn't made by "kids having fun", which was what was happening in the old days (20 years ago); it's being made by people aiming to make a profit, so it's worth their while investing some effort in their project. Bad Person then tries it against a few scanners; if it's flagged (for example, by a heuristic), then Bad Person changes the malware, and keeps changing it until the scanners pass it as clean. Because what's the point of blurting out malware that's already detectable?

Now Bad Person mass-mails the malware to a million email addresses; it's pretty easy to get a million email addresses by parsing web pages for "mailto:". But Bad Person doesn't email the exact same file to each address; Bad Person makes each one a bit different, to make the AV job harder (the technical term for this is "server-side polymorphic"). The malware arrives at these addresses a few minutes later, because email is quick. Maybe some of the AV companies get a copy, realise that it's malware, and start working on it at once. They have to make detection, check that there are no false positives, hope that the copy they have isn't different from the other 999,999 copies, and only then can they put their update on their server.

It's a race. While they're doing all that (and doing the same thing for all the other malware that gets emailed), I'm reading my email. It's not surprising that most of these emails won't be flagged by most products.

And this race is repeated at least a few dozen times per week (based on what arrives in my mailbox), and there's probably malware that isn't emailed to me; I have no idea what percentage of all malware arrives in my mailbox.
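To make the "server-side polymorphic" point concrete, here is an added Python simulation (not the post's code; the "malware" is a constructed byte string, not a real sample). The same payload is shipped to a thousand recipients, each copy wrapped in recipient-specific junk bytes so that no two copies share a file hash. A detector that matches the exact hash the vendor analysed catches one copy in a thousand; a detector that looks for the invariant payload bytes catches all of them, which is why the tweak-until-clean loop described above has to be run against whatever the scanners actually look for, not just against hashes.

```python
"""Simulation of server-side polymorphism versus two kinds of detection.

Added example, not the post's code. PAYLOAD is a constructed byte string
standing in for the malicious part of an attachment; nothing here is real malware.
"""
import hashlib

# Constructed stand-in for the part that is identical in every copy.
PAYLOAD = b"CONSTRUCTED-SAMPLE: fetch stage two from 192.0.2.10 and run it"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_variant(payload, recipient):
    """One mass-mailing copy: identical payload, wrapped in bytes derived from
    the recipient address so that no two copies share a file hash. Real
    campaigns re-pack or re-encrypt; the effect on hashes is the same."""
    junk = hashlib.sha256(recipient.encode()).digest()
    return junk + payload + junk[::-1]


def hash_detector(known_hashes):
    """Exact-match signature: flags a file only if its hash was seen before."""
    return lambda data: sha256_hex(data) in known_hashes


def content_detector(marker):
    """Content signature: flags any file containing the invariant payload bytes."""
    return lambda data: marker in data


def detection_rate(detector, samples):
    """Fraction of samples the detector flags."""
    return sum(1 for s in samples if detector(s)) / len(samples)


def run_campaign(n_recipients=1000):
    """Mail the payload to n recipients; the vendor only ever receives copy zero."""
    recipients = [f"user{i}@example.net" for i in range(n_recipients)]
    samples = [make_variant(PAYLOAD, r) for r in recipients]
    vendor_blocklist = {sha256_hex(samples[0])}
    return {
        "distinct_hashes": len({sha256_hex(s) for s in samples}),
        "hash_rate": detection_rate(hash_detector(vendor_blocklist), samples),
        "content_rate": detection_rate(content_detector(PAYLOAD), samples),
    }


if __name__ == "__main__":
    print(run_campaign())
```

The content detector wins here only because the payload was left in the clear; once Bad Person's test loop includes a scanner that matches on content, the next revision encrypts or re-packs that part too, and the vendor is back to analysing whatever single copy it managed to obtain.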

We need a better solution than is currently on offer. I've already suggested how this could be done.

How companies can avoid getting negative feedback on Ebay

I know this, because here's what happened.

I ordered five cables on September 4. A few weeks later, a package arrived, containing one cable. I emailed the company about it; I do understand that mistakes can be made, but mistakes can be rectified, and everyone is happy. They asked me to send them a picture, so I took a picture of the one cable that arrived, and emailed it to them. This, of course, doesn't really help them, but they asked for a picture, so I sent it.

A couple of weeks later, a package arrived with the missing four cables. So now I was happy.

Up till this point, I hadn't raised a formal Ebay dispute, because the company was fixing the problem, and I hadn't given feedback, same reason. But now I was happy, so I went to give positive feedback.

And I found that I couldn't.

The reason Ebay gave is, "Item 271903328040 was not found because: This item number does not exist. Or you've already left Feedback."


But the item does exist and I have not left feedback. And, according to my Ebay "purchase history", I didn't buy it. Except that I did, because I have the cables and the company has my money. I'm a bit baffled about this.

So if something had gone wrong, I would have been unable to raise an Ebay dispute, and this is because Ebay have a 45-day period for opening a dispute.

So here's the thing. Even if the seller is working towards fixing things, you should open a dispute within 45 days of the purchase. A dispute isn't a claim; it's just putting down a marker. You then have 20 days after that to escalate it to a claim (or close the dispute).

In my case, it was only a few pounds worth of cables, and had a happy ending. But it's worth knowing about the time limits for future reference.

Monday 9 November 2015

Possible new server

I've been thinking about my next generation of servers.

Some months ago, I decided that 2 GB of memory isn't enough for my workstation, because I have dozens of windows open at once, doing loads of things at once, and I noticed that I was getting some significant slowness. I diagnosed this as insufficient memory, but with the usual motherboards I use, 2 GB is the most I can install.

So I got a motherboard that can take an AMD six-core processor, each core running at 1.4 GHz, put in 8 GB of memory, and now it runs just fine.

My first generation of servers were Pentium 3 and Celeron, running at 533 MHz, with 512 MB of memory. My current generation is Pentium 4 and Celeron, running at 3.4 GHz, dual core, with 2 GB of memory, socket 775.

So I'm thinking that I want quad cores and 64 GB of memory, and I priced this up and came to £650 for motherboard, CPU and memory.

Today, I had a thought. It's a general rule that A) corporates and businesses don't buy second-hand kit from Ebay, and B) end-users don't buy corporate-spec kit from Ebay, and C) when a corporate sells old kit, they sell it for peanuts to an IT reclamation company, who sells it for not a lot more to people like me. The reason it's not a lot more, is (see A and B). That's how come I get things like Cisco firewalls at a tenth of the brand-new price.

So I had a look at what I could get, in the way of high end servers. And I was shocked. Shocked, I tell you, shocked.

I could get an HP ProLiant with four quad-core Xeons (so, 16 cores, four times as many as I was thinking) running at 2.93 GHz, 128 GB of RAM (twice as much), four PSUs (so if one fails, the computer keeps working), video, two gigabit network ports, and it supports Linux. This is a vintage 2008 computer, but it looks to me to be a lot more powerful than most modern computers. And it's on offer for £325. There's also a couple of 72 GB hard drives, but I'd just use those for the operating system. It has space for 16 hard drives, and since I am now getting 8 TB drives, that's 128 TB. It would use 1200 watts of power, which is several times as much as my existing servers, but since it would replace several servers, that's cool.

I could use this 4U beast to replace pretty much *all* my customer-facing servers. I'd still want my Secure Server to be a separate machine, and I'd still use a bunch of Raspberry Pis for various purposes.

I'm not actually going to buy it, but it shows me what's likely to be available when I do buy.

Hatley Heart Attack, part 1

Hatley Heart Attack is a series of 479 caches, and today was my first bite at it. I was handicapped by a bad left wrist, and although I had a sturdy splint on it, cycling was causing quite a lot of pain, so I did the morning, but not the afternoon. Even so, that came to 34 caches. It should have been twice as many.

One problem with this series is that it isn't a circuit, or a series of circuits. There isn't an obvious route from start to finish.

I decided to start at Biggleswade, and found a really good place to park, at N 52 4.904 W 0 14.671. It's a big, free car park. I got the bike out and ready to roll.

Between 284 and 282, there's a ploughed field. I arrived there, and saw this.

It's only 350 meters to get to the far side, but that's a ploughed field. No track, and the field hasn't even been harrowed yet. It would be a major effort to walk across it - getting a bike across would be absolute hell. I'd have to carry it! And that's about 40 kilograms, including batteries and repair kit. So at that point, I turned round and I'm planning to do the other side of that field by approaching it from the other side. I hope there aren't too many more like this!


Saturday 7 November 2015

A tax on luxuries?

Betteridge's law says that "Any headline that ends in a question mark can be answered by the word no." That's true here, too.

Some people seem to think that VAT is a tax on luxuries. It's difficult to understand why people think that. VAT is a tax on "value added", meaning "everything". For reasons that are equally difficult to understand, the rate of VAT on some things is zero: books, newspapers, children's clothes, motorcycle helmets. And there's also a "reduced rate" of 5%, for children's car seats, domestic fuel or power, and other stuff. Everything else is 20%. How are newspapers a necessity?

A long, long time ago, up till 1973, there was a thing called "purchase tax". That really was a tax on luxuries, introduced in 1940 to help the war effort, and they forgot to get rid of it when the war ended. Big surprise.

So when the UK introduced VAT, at the same time purchase tax was abolished. And that's maybe why people think that VAT is a tax on luxuries.

It isn't. It just isn't. It's a tax on everything, except what's on the list.


So I notice a campaign to zero-rate tampons, on the grounds that they aren't a luxury.

The goods and services of the world are either luxuries or necessities? Like hell. It isn't a binary division, one or the other. Take clothes, for example. One t-shirt, one pair of trousers and my underwear: those are necessary. My "Four Candles" t-shirt that I wear occasionally isn't. Nor is my "Peppa Pig" t-shirt. Or my pirate costume. Nor is my 11th pair of trousers, 23rd pair of socks or 17th t-shirt. The division necessity/luxury isn't binary. Some things are both, some things might be either.

But it doesn't affect whether tampons should be taxed, because, and I'll say it again, VAT isn't a tax on luxuries.

Friday 6 November 2015

Ad blocking

Once again, people who aren't ad blocking, have been hit. This time, it's readers of that august journal, "The Economist", a journal that I used to read assiduously (back when I was an economist - yes, I've had a strangely varied career).

They use an analysis service, PageFair, which tries to estimate how many visitors use ad blockers. PageFair estimate that 500 websites in addition to The Economist were hit. The hit consisted of a download that was claimed to be an Adobe update, which you were invited to install. I checked VirusTotal: 38 out of 55 products would have flagged this; the following would not:

AegisLab
Agnitum
Alibaba
Bkav
ByteHero
CMC
ClamAV
Cyren
F-Prot
Jiangmin
SUPERAntiSpyware
TheHacker
TotalDefense
VBA32
ViRobot
Zillya
Zoner


The malware was delivered by malicious JavaScript. I use NoScript to block all JavaScript except where I explicitly allow it. Unfortunately, far too many web sites are unusable when I disable JavaScript. I usually just jog on past those; I'm rarely so determined to view their content that I'm willing to risk my security for it.


Beware of the dogma

I have no problem with people believing whatever batshit crazy stuff they want to believe, and I have no problem with people following whatever batshit crazy religion they want to follow. But I object most strongly when their insane beliefs lead to daft actions that affect me. And this is seen most strongly when religion exerts undue influence on government. This is what is known as "theocracy".

The barbaric practices of Saudi Arabia are repugnant, but at least they don't affect me. Female genital mutilation is terrible, and should be stopped, but at least this doesn't affect me. I get more exercised when some idiotic religious idea impinges on me.

So what prompted this rant? Ben Carson.

There are two main contenders for the Republican presidential nomination: Trump (a kind of Alan Sugar but with the sweetness removed) and Carson. And there are two main contenders for the Democrats: Sanders and Clinton.

When you look at the polls just now, you'll see that given a choice between Carson and Clinton, the electorate prefers Carson. And given a choice between Carson and Sanders, the electorate prefers Carson.

And if you look at the polls for Republican candidate, it's neck and neck between Trump and Carson. This means that, if you believe the polls, Carson is a very strong contender.

He's a Seventh-day Adventist; he's been baptised into that faith twice. He's a committed Adventist, so it's useful to look at their beliefs.

The most noticeable of these is that they take Saturday as the day of rest. That's a fairly sensible thing to do; after all, it's one of the Ten Commandments, and I have a lot of difficulty understanding why Christians who are very keen on the Ten Commandments totally ignore the one about the Sabbath.

As a whole, the Adventists seem to me to be no worse than most other religions. But Carson goes further.

He's anti-abortion, including in cases of incest or rape.
He doesn't believe in human-caused climate change.
He doesn't believe in evolution.
He's against gay marriage, and believes that homosexuality is a lifestyle choice.
He thinks that the pyramids were grain silos, not tombs for kings.
He said that he was offered "a full scholarship to West Point"; he now admits that wasn't true.
He has said that Obamacare is the worst thing since slavery.


The problem is that his deeply and sincerely held religious beliefs cannot be swayed by evidence, or by the opinions of experts who know more than he does in a field.

By profession, he's a neurosurgeon, and he's good at what he does. But to be a president, you have to take advice from people who know a lot more than you do in various fields, and Carson has demonstrated that where these experts contradict his particular interpretation of the bible, the bible wins.

So which of these four would I vote for, in the unlikely event that I were to be forcibly made into a US citizen? Well, someone recently said to me "It's a turd buffet."

Fortunately, I don't have to partake.