Thursday, May 4, 2000

5/4/2000 7:29:21 PM

• Government alleges new anticompetitive moves by Microsoft. This article in the LA Times spotlights a little-noticed point in last Friday's court filing: an accusation by the DoJ and 17 states that Bill Gates directed subordinates to improve Windows 2000's compatibility with Windows / CE products, at the expense of Palm users. Microsoft angrily denied everything.

5/4/2000 11:35:16 AM

• [05may, 8:54 am] The VBS/LoveLet.A worm.

  Note: Earlier versions of this note referred to the ILOVEYOU malware as a trojan. My brother sent a note convincing me that it is more properly characterized as a worm. The anti-virus companies have settled on this terminology as well.

  [05may, 9:23 am] For the most authoritative description of the worm, see the CERT advisory.

  This worm, possibly from the Phillipines, is spreading like wildfire as we speak. One news report claimed it has twice the velocity of Melissa. I received 8 copies of it in the hour preceding the first version of this note (to no ill effect, as I'm Mac- and Eudora-based). The worm carries a simple VBscript attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. The worm infects Windows machines on which Windows Scripting Host is running and spreads using the Outlook email agent and the mIRC client, if present. If you use another email client you could still be infected -- you'd have to execute the attachment -- but the worm won't propagate further by email.

  Mutations are already in circulation. The first used the subject line fwd: Joke and an attachment named Very Funny.vbs; aside from the name change it's identical to VBS/LoveLet.A.

  [05may, 8:54 am] Subtler variations are springing up. David 'Pablo' Cohn sent me an email he had received yesterday evening just before 10:00 pm EDT. It had no subject and the following text. Cohn writes, "The message was surprising enough that I almost opened the attachment, before realizing that it was VBScript." The attachment was, of course, VBS/LoveLet.A.

  
    Thanks for your purchase!
  
    We have proceeded to charge your credit card for the amount of $326.92 for
    the mothers day diamond special. We have attached a detailed invoice to this
    email. Please print out the attachment and keep it in a safe place.
  
    Thanks Again and Have a Happy Mothers Day!
    Mothersday@gurlmail
  
     mothersday.vbs
  

  If you receive an email titled ILOVEYOU, don't click on it. Depending on how you have Outlook's preview pane set up, merely selecting the message can trigger the worm. The worm also runs each time your machine is rebooted. It'll send itself to everybody in all your Outlook address books, mess about in your registry, and overwrite with a copy of itself all of your files with any of these extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, and jpeg. It merely hides -- but does not delete -- .mp2 and .mp3 files, after copying itself into files of the same names with .vbs appended. It overwrites both local files and files on any mapped network drives. If you ever double-click on one of these, your formerly beloved files, the worm's payload will fire all over again.

  The worm also tries to download a program, which runs at system startup, to steal your passwords and mail them off to the Phillipines. The four URLS in the original worm, one of which is chosen at random when the worm runs, are no longer valid. (Note to the Phillipine authorities: start by questioning the users young1s, angelcat, koichi, and chu at skyinet.net in Manila, followed by mailme at super.net.ph.)

  CNet's coverage gives a good overview, Kurt DeMaagd provides instructions and a script for cleaning up after the worm, if you feel comfortable editing your Windows registry. Response from this site may be slow as this link was Slashdotted. Go here for a Sendmail patch that will stop ILOVEYOU at the border -- not a PC anti-virus payload, rather a sysadmin tool.

  Here are some recent links with more authoritative descriptions:

  • Virus Bulletin
  • Trend Micro
  • DataFellows (has good information on the "Barok" password-stealing trojan)
  • McAfee (shows a sample password-stealing email)
  
  

  In Slashdot's informative discussion on the worm, several posters suggest that Microsoft should change the name of Outlook to Microsoft Lookout.

  Here's a fine example of how not to write about viruses: this BBC article is full of hysteria and misinformation. Thanks to Ian Usher for this cite.

5/4/2000 9:11:52 AM

• Iridium: couldn't have said it better. John Kristoff sent this along, adding "This probably isn't newsworthy enough for you, but I had to send it to someone." (Hey, I could do worse than be the one who comes to mind when you've just gotta send it to someone.) Visit this page for a most understated belly-laugh. If they fix the page to be more informative and therefore less unintentionally hilarious, you can always visit this mirror (53K). (Thanks to the gang at Need To Know for the mirror naming convention.)

Tuesday, May 2, 2000

5/2/2000 5:21:30 PM

• New Siliconium: Bit Valley. Siliconia is an occasional TBTF feature tracking the worldwide spread of Silicon-Valley wannabeism. David James penned an article for Upside, titled Bit Valley Fever, about the Japanese hunger for US-style venture-backed entrepreneurial spirit. Bit Valley is not so much a place as a state of mind. James didn't coin the term, it's in widespread use in Japan, he says. Here's how James "locates" Bit Valley:

  Bit Valley takes its name from Shibuya, which literally translates as "bitter" (shibu) and "valley" (ya). First named the Bitter Valley Association, it was soon digitized to the Bit Valley Association. Now Bit Valley is a generic term with diminished geographic relevance, akin to the term Silicon Valley.

Monday, May 1, 2000

5/1/2000 8:02:30 PM

• GPS gets more accurate at midnight. The White House announced today that at midnight Dr. Neal Lane, Presidential science adviser, will throw a switch and render every civilian GPS receiver in the world 10 times more accurate. here are other links, courtesy of TBTF Irregular Monty Solomon:
  • Statement by the President
  • White House Fact Sheet
  • Statement by the Secretary of Commerce (MS Word format)
  • DOC Fact Sheet on Civilian Benefits of SA Termination (MS Word format)
  • Remarks at White House Press Conference
  • Prepared remarks of Dr. Neal Lane, Presidential Science Adviser
  • Remarks by Arthur Money, Assistant Secretary of Defense (MS Word format)
  • Remarks by Dr. D. James Baker, NOAA Administrator
  • Before & After Diagrams

Sunday, April 30, 2000

4/30/2000 2:32:43 PM

• ssleay.org no longer a trusted source. Received this note from Scot Wilcoxon, a Unix consultant. A quick count with Alta Vista shows 1331 links to ssleay.org. The domain name was registered to one James Woods, of Fresno, CA, on April 3.

  As I was updating my security skills this week, I found that the ssleay.org domain has become lost. Someone registered it a few weeks ago and it now only contains banner ads and an ad for the domain company userfriendly.com (apparently no relationship to the humorous userfriendly.org, according to the latter's FAQ).

  Many security sites and documents still point to ssleay.org, so apparently its loss was not announced and expected in the security community. I don't know who was in charge of it after the SSLeay creators went to RSA Australia.

  As any transition between providers would have been brief and the site content should have reappeared quickly, it seems someone unknown to the security community has grabbed that domain. It would be nice if someone in the community who knows who the SSLeay.org webmaster was could confirm if the new owner has any known security credentials.

  There are quite a few security web sites that need to find out if their links need updating.

Monday, April 24, 2000

4/24/2000 5:52:31 PM

• Anti-trust wallpaper. With the DoJ's recommendations for anti-trust remedies due any day now, here's a site to help your computer express your opinions on the case. (Unless of course your opinions favor Microsoft.)

  Thanks to Steve Kremer, who perpetrates Joke Wallpaper on an unsuspecting world.

4/24/2000 12:24:26 PM

• Interesting times (IP and the law). This Upside article, based on an interview with Columbia law professor Eban Moglen, takes the longest view I've yet seen of the battle between intellectual property and the Net. Moglen looks back in history for parallels with the clash of Information wants to be free vs. Information wants to be costly. Moglen views the lawsuits over CPhack and DeCSS -- and the much larger battle just forming over Napster, Gnutella, and Freenet -- as the opening salvos in a war that may rage for decades. Read this article if you do nothing else today.

  Thanks to Carl Juarez for the pointer.

4/24/2000 11:12:16 AM

• Jamming satcomms on the cheap. Recently a US Air Force team ran a little exercise. Two rookie engineers were instructed to build a satellite-communications jammer using whatever parts they could buy for cash. For guidance in designing such a device they were to rely only on a Net connection. They spent $7500 to construct this sweet little device that can be transported in a pickup truck. It's powered by a gasoline generator; the active ingredient was picked up at an electronics swap meet.