
September 28, 2006

$20 toolkit simplifies web attacks

The latest Windows abomination - and it really is nasty, you should patch it right away - comes to you courtesy of an update to a little-known hacker utility called the Web Attacker toolkit that costs just US$20.

The toolkit's a DIY malware builder that simplifies the construction of spyware and adware, and contains a guide to setting up spam-driven panics that trick users into visiting infected websites. It even cheekily claims to offer technical support.

The kit - which identifies which browser and version you're using - was recently updated with details of a buffer overflow in Windows' Vector Markup Language (VML) that allows the drive-by installation of malicious code even on fully patched machines. (You can see it at work here.) Just visit one of nearly a thousand websites - or a website that imports an IFrame from one of those sites - and you're infected.

Ultimate credit of course must go to the world's most insecure browser and the company behind it. Yet again Microsoft have been caught napping. For years they've claimed to have thoroughly vetted all their systems for precisely this sort of vulnerability, yet time and time again more emerge. Hackers and malware merchants continue to run rings around them - even without the source code.

September 25, 2006

Root Passwords : Lost and Found

What happens when you lose your Linux root password? Since root = god in Linux-land all is lost, right? Actually, no. You'll never recover a lost root password, but you can reset it.

First off, try booting into what's known as single-user mode. How you do so depends on your boot manager.

Grub
Select the Linux system you want to boot from the graphical menu and press e. You'll find yourself in a mini editor where you can alter boot commands.

Move the cursor to the end of the boot command line, add a space and then either a 1 or the word single. Then hit Enter and b to boot this line.

Lilo
Press any key but Enter at the boot menu. If that takes you to a command prompt, type linux single, hit Enter and let the system boot.

Once the system's running, you'll find yourself in runlevel 1 (aka. 'single-user mode'). From here it's just a matter of typing passwd to change the root password followed by exit to reboot into the usual runlevel.


But what if the boot process is protected from this sort of interference? Many modern Linuxes like Suse and Mandrake won't let you start runlevel 1 unless you first supply the root password. Oh, oh; Catch 22! You need the password you've forgotten in order to get into the system to reset the password. What now?

Boot the system in another version of Linux!

You'll need a bootable Linux disk. Virtually everyone these days produces versions of Linux that boot and run from CD (they're typically called 'live' distributions) but my personal favourite is Tom's Root and Boot (tomsrtbt), a complete Linux system on a floppy disk.

Boot into your alternate Linux – either from CD or floppy. If you booted into a graphical system start a console session.

  • Make a temporary directory: mkdir /tmp/mylinux
  • Mount the root disk: mount /dev/hda5 /tmp/mylinux
  • Edit and save the shadow password table: vi /tmp/mylinux/etc/shadow. (Check this link if you need help with the vi editor's confusing commands.)


The basic idea here is to remove root's encrypted password. Here's how it'll look in /etc/shadow...

root:$1$8cC5pHtr$rT.INHxDBWn1VvU5gjGzi/:12209:0:99999: ...
bin:*:12187:0:99999:7:::
daemon:*:12187:0:99999:7:::

You want to remove the highlighted bit (root's password hash, the second colon-separated field) so it looks like this...

root::12209:0:99999: ...
bin:*:12187:0:99999:7:::
daemon:*:12187:0:99999:7:::

  • Go back to where you were: cd /
  • Unmount the temporary directory: umount /tmp/mylinux
  • Reboot the system: shutdown -r now

Root's password is now blank. (Just hit Enter when prompted for it.) Be sure to reset it though. Blank passwords aren't terribly secure!
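To confirm that no account is left with a blank password once the reset is done, a check like the following can be run over the shadow file. This is an added example, not part of the original post; the function names and the sample file contents (including the hash for the made-up user alice) are constructed for illustration.

```shell
#!/bin/sh
# Audit a shadow-format file: report the state of each account's
# password field (field 2), and list accounts where it is empty.

# classify_shadow FILE -> prints "user:STATE" for every entry
classify_shadow() {
    awk -F: '
        NF < 2 || $1 == "" { next }            # skip blank or malformed lines
        {
            pw = $2
            if (pw == "")            state = "EMPTY"     # logs in with no password
            else if (pw ~ /^[*!]/)   state = "LOCKED"    # no password login possible
            else if (pw ~ /^\$1\$/)  state = "MD5CRYPT"  # $1$ = MD5-crypt hash
            else if (pw ~ /^\$/)     state = "HASHED"    # some other $id$ scheme
            else                     state = "OTHER"
            print $1 ":" state
        }' "$1"
}

# empty_password_accounts FILE -> names of accounts with a blank password
empty_password_accounts() {
    classify_shadow "$1" | awk -F: '$2 == "EMPTY" { print $1 }'
}

# write_sample_shadow FILE -> constructed sample: root blanked as in the
# procedure above, two locked system accounts, one hashed user account
write_sample_shadow() {
    cat > "$1" <<'EOF'
root::12209:0:99999:7:::
bin:*:12187:0:99999:7:::
daemon:*:12187:0:99999:7:::
alice:$1$constructed$0123456789abcdefghijk.:12209:0:99999:7:::
EOF
}

# Demo on the constructed sample
demo_dir=$(mktemp -d)
write_sample_shadow "$demo_dir/shadow"
classify_shadow "$demo_dir/shadow"
echo "Accounts with blank passwords:"
empty_password_accounts "$demo_dir/shadow"
rm -rf "$demo_dir"
```

Point `empty_password_accounts` at /etc/shadow (as root) after setting the new password; it should print nothing.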

September 20, 2006

Ringing Up the Charges

$14,000 to rent an ancient rotary telephone might seem excessive, but that's what one elderly US resident has paid over the last four decades. And you might be doing the same.

Around 125,000 Kiwis happily pay Telecom $48 a year to rent something they could buy from the Warehouse for half that sum. Even worse, it's reckoned that many of the original phones have long been binned, so they're actually paying the rental on something they already own!

Apparently TV Auckland News ran an item on this a couple of weeks ago. That would've brought a smile to Theresa's face as no one would have seen it - at least the way the news show's been haemorrhaging viewers lately. This link has more details about the phone scam, but don't bother clicking the video links unless you've got a few days to kill. I tried the 1 minute, 44 second clip and gave up after 10 minutes. (Honestly, I don't know why these bozos don't just stick their clips on YouTube. I get much quicker playback from the States than I do from Auckland!)

Anyway, the long and the short of it is that if you're paying for a pointless rental, call Telecom and tell 'em to stop charging you. And send me the money instead.


September 14, 2006

Happy Birthday, HDD!

Fifty years ago yesterday you could have picked up the world's first hard disk drive - though not literally as it weighed over 950Kg and required a truck to shift it. IBM's RAMAC 650 was launched on 14 September, 1956.

About the size of a large fridge, the forerunner to that 100GB wafer in your laptop featured 50 60-centimetre (24") wide platters coated with magnetic iron oxide paint. Each held 100KB, giving the beast a total capacity of 5MB at a cost of US$7,000 - which equates to US$1,400,000 per gigabyte!
 


IBM sold around 2,000 650's in 1956 and didn't officially retire the product till 1969. This year sales of hard disk drives are expected to exceed 425 million units.

September 12, 2006

Fake and full of adware

Beware of Browzar. It might sound just the biz...

With Browzar you can search and surf the web without leaving any visible trace on the computer you are using.

Browzar is based on the Internet Explorer browser engine. It's free and only takes seconds to download and you don’t even need to install it, so you can download Browzar time and time again, whenever and wherever you need it to protect your privacy.

...but it's not quite all it's cracked up to be.

Browzar's attraction is that it magically makes your web work more secure. It's promoted as an easy way to surf the internet without leaving sensitive information lying about. It'll automatically delete internet caches, histories, and cookies, and it doesn't use auto-complete - which anticipates the terms a user might enter.

It's what's known as a "custom wrapper" for Internet Explorer - and that alone should sound alarm bells. Tidying up the interface and adding a few extra features doesn't make the underlying engine any more secure. In fact in Browzar's case they've made it worse.

That secure-browsing feeling is just a mirage. Though Browzar deletes what it says it does, it doesn't wipe the files - meaning that anyone can come along later and use an undelete utility to recover them. On top of that it uses ActiveX - a known security weakness in itself - that retains a list of websites visited in the index.dat file. You can't change Browzar's homepage - you always have to visit their home site - and worst of all it skews search results in favour of paid advertisements. Security guru Bruce Schneier sums it up; "This browser seems to be both fake and full of adware."

My advice: Avoid, with a capital "A".

September 5, 2006

My Dinner with Helen

Yesterday I was invited to dine with the Prime Minister. Again. I was skiing at Treble Cone when my mobile went off and, suspecting it to be work-related - I really shouldn't be telling you this - I ignored it. (Hey, what's the point of having a messaging service if you don't use it...?)

Of course it didn't actually come from Helen herself but one of her flunkies. A very polite gentleman by the name of Oliver Saunders from Business Ceremonials. The PM will be hosting a dinner for Lord Faulkner on the 16th of September and would like my wife and I to join her.

This is not the first time I've had invitations in mistake of my more famous namesake. I was on the Aussie High Commission's mailing list for a while, was once phoned by a Lambton Quay shoe shop after the other GP left a package behind, and one year Creative New Zealand mailed me his Author's Fund cheque. I sent it back explaining their mistake and suggesting the knighthood might have gone to the wrong address too. The letter back, with my own much more feeble cheque, said yes, they rather thought it might.

The cock-ups are the result of there being two G. Palmers in the same Wellington suburb, so I would like to publicly offer Sir Geoffrey the opportunity to change his name. (It does seem reasonable that he get first dibs, what with being a knight and all.)

The phone message resulted in great hilarity amongst my skiing companions and we've come up with three possible options;

1. Phone Oliver Saunders back, decline the invitation and explain his mistake.

2. Accept the invitation, raffle off the opportunity to pretend to be my wife on Trade Me, make a publicity killing, a fistful of dollars and maybe even get some top-notch nosh into the bargain.

3. Call Oliver back, make abusive comments about the PM, tell him how sick I am of her bugging me and how I wish she'd just [fill in your own expletives here], then leak the story to the media about what a former PM said about the current one.

Blog readers are humbly invited to submit their own suggestions. But be quick, I can't keep Helen waiting.
