Republicans

Journal Journal: Mean spirited 1

I think this has to be one of the best awful electioneering stories I've read about lately -- not only because of the degree of its offensiveness, but also because of the multiple ways in which it manages to offend. Though if you happen to know a worse story offhand (I don't care about party/country/election cycle) I'd love to read it.

Does anybody compile a nonpartisan list of political dirty tricks?

Communications

Journal Journal: Why even bother with telephones anymore?

Just stumbled across this unfortunate bunch of people. What's important for them to keep in mind -- between the five calls a day from a fake phone number attempting to get their credit card information or trying to help their elderly parents recover from the same scam -- is that when they turn on their television or their radio they can be assured no prurient or otherwise entertaining content will sneak through.
Microsoft

Journal Journal: Workaround?

Set up a transparent proxy to block the things? Squid+Squirm+Virilator, and a tiny bit of coding, to recognize every WMF file as a virus by its header till things blow over?

Edit Privoxy to permit binary regex matching?

Hook the appropriate parts of KiServiceTable, per the recent DRM flap, and simply prevent any file with a WMF header from being opened? Just the ones that look funny or all of them to take no chances?

Use the apparently preferred method of replacing the callback for the Windows Executive Object for file access, and have that block WMF reads?
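The "recognize every WMF file by its header" idea above, as an added example (not code from the journal or from any of the tools it names): a Python check a filtering proxy could run over the first bytes of a response body. It keys on the bytes, not the extension or Content-Type, because a metafile can be served under any name. The sample headers are constructed here; the placeable header's checksum field is left zero since the check never reads it. This is the "all of them" option: telling apart the ones that "look funny" would mean walking the metafile records, which this example does not do.

```python
import struct

# Aldus placeable header, 22 bytes, little-endian:
#   Key(4) HWmf(2) BoundingBox(4 x int16) Inch(2) Reserved(4) Checksum(2)
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22

# Standard METAHEADER, 18 bytes, little-endian:
#   Type(2) HeaderSize(2) Version(2) FileSize(4) NumberOfObjects(2)
#   MaxRecord(4) NumberOfMembers(2)
META_HEADER_LEN = 18


def looks_like_wmf(data: bytes) -> bool:
    """True if data begins with a placeable or plain WMF header.

    Decided from the bytes alone, so a metafile served with a .gif name or
    an image/jpeg Content-Type is still recognised.
    """
    if (len(data) >= PLACEABLE_HEADER_LEN
            and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY):
        # Placeable files carry the standard header right after the 22 bytes.
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < META_HEADER_LEN:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", data)
    # Type 1 = memory metafile, 2 = disk metafile; the header is always
    # 9 sixteen-bit words; version is 0x0100 (no DIB) or 0x0300 (DIB support).
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def build_meta_header(file_words: int = 100) -> bytes:
    """Constructed plain WMF header: disk metafile, version 3.0."""
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, file_words, 2, 20, 0)


def build_placeable_wmf() -> bytes:
    """Constructed placeable WMF: Aldus header, then the standard header."""
    placeable = struct.pack("<IHhhhhHIH",
                            PLACEABLE_KEY, 0,      # key, handle
                            0, 0, 100, 100,        # bounding box
                            96, 0, 0)              # inch, reserved, checksum
    return placeable + build_meta_header()


if __name__ == "__main__":
    samples = {
        "plain wmf": build_meta_header(),
        "placeable wmf": build_placeable_wmf(),
        "gif": b"GIF89a" + bytes(40),
        "truncated placeable": build_placeable_wmf()[:30],
    }
    for label, body in samples.items():
        print(f"{label:20s} -> {'BLOCK' if looks_like_wmf(body) else 'pass'}")
```

Only the leading 40 bytes of a body are needed, so the proxy can decide before buffering the whole response; the check is also cheap enough to run on every response regardless of declared type.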

EDIT: As just seen on Bugtraq -- Update Sunbelt Kerio Personal Firewall with two IDS rules. If it provides full coverage network-wise for the computer this is actually a pretty nice option for individual client systems; the software is downloadable and usable for 30 days, after which it removes some features and becomes free for personal use or (for a limited time) is available for $14.95. It's also in my kit for the occasional friends/family/friends of family visits when I gotta clean a computer up and leave something behind to try to stop it from happening again.

Five days ago I was forced to reauthenticate software I paid for, entered a CD-KEY into, and authenticated over a year ago because the addition of a virtual device exceeded the number of changes I was permitted to make to my computer.

So as far as computers go, this has certainly been a week to reflect on how fortunate it is that my primary platform is the second, better operating system on this computer: one that is broken neither by accident nor by design. And here's to hoping I didn't just curse my luck by saying that.

User Journal

Journal Journal: Sheetback: exciting, tweaking, lengthy

I've been about to write a journal entry maybe three or four times since my last one, consequently there might be enough here to be of some substance.

First, some exciting news

For a limited time my two most popular signatures are being offered as a combination. Can't decide? Why should you have to! Now you can correct movie trivia and grammar in the same offtopic post. Valid while supplies last.

Firefox HTML/CSS tweaking

I don't know when the Slashdot contest for developing alternative stylesheets is going to get off the ground, but if you're looking to get a head start on the action I've discovered a free tool for Firefox users that helps greatly with the debugging process: Firefox Web Developer Extension. I've had the misfortune of working with CSS/HTML lately and while I tend to avoid WYSIWYG HTML editors and the like this utility is now indispensable.

Aardvark also deserves a mention. This tool is quite nice for "cleaning up" a web page for printing -- for example, you can move the mouse over a CSS block, press "E", and it will remove the block from the page. Also for Firefox.

Lengthy Windows rambling

I'm no master of the Windows Debugger (WinDbg, freely available from Microsoft), but it's nice to have around for diagnosing system crashes. If you don't know about it and you're troubleshooting any 2000/XP machines you should get acquainted, and I'll explain why.

For many people, the diagnosis stops at the STOP screen. You get a cryptic and mostly useless message about IRQL_NOT_LESS_OR_EQUAL or some similar bullshit with a list of hexadecimal numbers. Savvy individuals write down the message, the numbers, and any other information (ntfs.sys?), walk over to a functioning Internet-connected system, and punch something like "STOP 0x0000000a" into Google. Which gets you a Microsoft support article explaining that 0x0000000a is the code for IRQL_NOT_LESS_OR_EQUAL. Fantastic.

If the crashing system is configured to give a meaningful crash dump, you can go farther with WinDbg. I typically configure my systems to do a Kernel Memory Dump, which writes out whatever memory Windows thinks is in use, but the Small Memory Dump (which only writes 64K each crash) will write a new file with each crash whereas the Kernel Memory Dump will overwrite its storage file each time. On Windows XP the setting is under Control Panel -> System -> Advanced -> Startup and Recovery -> Settings, in the "Write debugging information" box.

Basically, you need a debugger and a copy of the symbol files for your Windows installation (also freely available from Microsoft), although if you are using a faster-than-56kbps connection you can also tell the debugger to request symbols as needed from Microsoft's symbol server by setting the symbol path to something like srv*C:\WINDOWS\SYMBOLS*http://msdl.microsoft.com/download/symbols (the details are in the help file provided with the debugger); the debugger then downloads only the symbols for the modules actually present in the dump and caches them in the local directory.

Anyway, to set up a system I'll unpack the symbol files to C:\WINDOWS\SYMBOLS. Then I go into WinDbg and configure the symbol file path to the same location, then Save Workspace (both options under the File menu, IIRC) so I don't have to keep setting this option. Then File -> Open Crash Dump. The crash dump will be in Minidump under the Windows directory (for example, C:\WINDOWS\MINIDUMP) for 64K dumps or in the file C:\WINDOWS\MEMORY.DMP for a Kernel Memory Dump.

This gets a window, Command, which is a subwindow of the debugger (and can be dragged-and-dropped into its frame, which I do.) If I punch in "!analyze" at the prompt and hit Enter I get this:

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+237 )

Followup: MachineOwner

Then, the command "!analyze -v" gets me this:

MANUALLY_INITIATED_CRASH (e2)
The user manually initiated this crash dump.
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: MANUALLY_INITIATED_CRASH

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from f77817fa to 805339ae

STACK_TEXT:
805507dc f77817fa 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1b
805507f8 f7781032 00887598 01da58c6 00000000 i8042prt!I8xProcessCrashDump+0x237
80550840 804dad9f 83595948 838874e0 00010008 i8042prt!I8042KeyboardInterruptService+0x21c
80550840 804dc0d9 83595948 838874e0 00010008 nt!KiInterruptDispatch+0x3d
805508d4 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x12

FOLLOWUP_IP:
i8042prt!I8xProcessCrashDump+237
f77817fa 5d pop ebp

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: i8042prt!I8xProcessCrashDump+237

MODULE_NAME: i8042prt

IMAGE_NAME: i8042prt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107ecc

STACK_COMMAND: kb

FAILURE_BUCKET_ID: MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+237

BUCKET_ID: MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+237

Followup: MachineOwner

If desired, one can then dump a list of drivers that were loaded at the time. "lm t n" gets me a huge list of the following form:

start end module name
804d7000 806eb780 nt ntoskrnl.exe Wed Aug 04 01:19:48 2004 (41108004)
806ec000 8070c380 hal hal.dll Wed Aug 04 00:59:05 2004 (41107B29)
b91a4000 b91cdf00 kmixer kmixer.sys Wed Aug 04 01:07:46 2004 (41107D32)
ba06f000 ba0c1180 srv srv.sys Wed Aug 04 01:14:44 2004 (41107ED4)
[...about a hundred entries]
f777f000 f778be00 i8042prt i8042prt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
[...fifty or so more]

If the debugger has difficulty determining where the crash occurred, it's worth examining the STACK_TEXT portion of "!analyze -v" or opening the call stack window (View -> Call Stack or Alt-6). As it's a stack, the most recent call (or the one occurring most closely to the generation of this dump) is on top.

Here, the top of the call stack is "nt!KeBugCheckEx+0x1b". "nt" refers to the module, which you'll happily note appears in the driver list above. "KeBugCheckEx" is a symbol referring to a particular spot in the module, and gives you something you can use Google to look up in addition to giving you some idea about what this chunk of code is about from the name. "+0x1b" means the address is 0x1b bytes past the start of KeBugCheckEx (for the frames below it, that offset is the return address back into the caller). Technically speaking, you could issue the command "u nt!KeBugCheckEx+0x1b" to show a disassembly, or "u nt!KeBugCheckEx" if you want to see what happens in this module leading up to the call, but it's unlikely to help you out.

In this case, the symbol names tell the story:

nt!KeBugCheckEx+0x1b
i8042prt!I8xProcessCrashDump+0x237
i8042prt!I8042KeyboardInterruptService+0x21c
nt!KiInterruptDispatch+0x3d
nt!KiIdleLoop+0x12

There's a registry key you can set to permit you to crash the system by holding down the right Ctrl key and pressing Scroll Lock twice (HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters\CrashOnCtrlScroll, a DWORD set to 1, effective after a reboot; it only works with a PS/2 keyboard, which is why the i8042prt port driver is the one in the stack above), and that's how I generated this dump. But this is the same routine I use when I suspect a driver is causing a problem on the system (a common cause of crashes.) There's another command "!process" that helps working out software-created lockups, but this scenario's complex enough as is.

Anyway, I actually bring it up because after the unfortunate Sony DRM flap I went to figure out what sort of interesting API hooks might have been made into my system. If you're still with me, I thought I'd use what I'd learned from Mark's Sysinternals Blog to do it by hand. With a Kernel Memory Dump, I could check the results of the memory dump at KiServiceTable (it's a window you can open in WinDbg) against my list of drivers from the command "lm t n" -- the deviants tend to show up because on my system the kernel API calls are in the 8xxxxxxx region and the driver API hooks are in the 4xxxxxxx region. Compare the 4xxxxxxx hooks against the driver list, and voila. Well, you can see what's intercepting system API calls, but to decipher which API calls are being intercepted is a pain (I just checked them in sequence against a list of API calls I found somewhere on the Internet.)

Interestingly, I do have something on my system that does this: my firewall. Although it's worth noting that because of the way API hooking works, there could be more than one program doing it -- program A inserts its hook that calls the system API after doing what it wants to do, then program B inserts a hook that calls program A after doing what it wants to do, etc. You only get to see the final hook, although I'd imagine disassembling the code at the address shown for the hook would allow you to dig further. But only do so if the code doing the hook is actually malware and not a program you paid for that has an EULA forbidding you from examining your computer.

Anyway, I won't bother checking my system this way again, as in the process of looking up the API functions I found a tool that automatically did everything I did. The dire warnings on the website prevent me from making this a part of my diagnostic kit, but I'm keeping an eye on them to see if they get to a stable release.

Christmas

Merry Christmas. I know it's late, but whatever. I dig Civilization IV but it eats memory like it's free. What's doing that, a Python instance for every frigging unit, town, and scrap of land?

Security

Journal Journal: Uberel33t.

As a fan of The Cuckoo's Egg, I found this TIME article pretty compelling... and surprisingly underreported. The article boils down the state of U.S. computer security to the same unsatisfying equation present in The Cuckoo's Egg:
  • Many computers remain insecure
  • Most targets remain unaware of (and unconcerned by) exploitation
  • Being a good net-samaritan means you will have a pile of unnecessary grief heaped on you by the people you think you're helping

I recall a point in the book where it seemed everything was dropped on the floor but matters were actually being handled without the involvement of the author. Maybe something similar's going on here despite the discouraging turn of events at the end.

Real Time Strategy (Games)

Journal Journal: Irony. 2

You know, I'd feel a little more sympathy about this if I forgot about that.
Real Time Strategy (Games)

Journal Journal: Remember when gaming was fun? 2

The BBC reports that World of Warcraft has developed a different kind of bug:

In the last week, [Blizzard] added the Zul'Gurub dungeon which gave players a chance to confront and kill the fearsome Hakkar - the god of Blood.

In his death throes Hakkar hits foes with a "corrupted blood" infection that can instantly kill weaker characters.

The infection was only supposed to affect those in the immediate vicinity of Hakkar's corpse but some players found a way to transfer it to other areas of the game by infecting an in-game virtual pet with it.

This pet was then unleashed in the orc capital city of Ogrimmar and proved hugely effective as the Corrupted Blood plague spread from player to player.

Math

Journal Journal: Oops.

I found this somewhat amusing.

At the pro-Bush rally several miles away, there were some heated moments when two members of Protest Warrior, a group that frequently holds counter protests to anti-war rallies, walked in with a sign that read "Say No to War Unless a Democrat is President."

Many Bush supporters only saw the top of the sign and believed the men were war protesters, so they began shouting and chasing the pair out. One man tore up their signs.

-- from AP/ABC News

The actual sign, not seen here because I forgot where I originally read the story that had a picture of it, had "Say No to War" in large font and the rest was nearly unreadable in the picture. So the misunderstanding was understandable.

I'm afraid "Waving subtle comedic wit in a hostile crowd" has just been crossed off the list of occasions where it pays to be cleverer than your audience. For the next event might I suggest a Goatse print and an airhorn?

Worms

Journal Journal: Summary of unsolicited TCP/IP traffic over last month 2

Notes: Thought I'd do this again to see what's changed since last month. Common inbound ports such as telnet, SMTP, pop3, and http are filtered out by my ISP to prevent giving me too much value for my money and therefore are not represented in this list. Ports receiving fewer than ten packets are not listed. "Attempts" are likely inflated because connections may be tried more than once by the same IP address at the same time (tool- or protocol-related retries). All descriptions are my best guess (forgot to mention this last time.)
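The "attempts are likely inflated" caveat in the notes can be quantified rather than guessed at. As an added example (not the journal author's tooling, and run on a constructed log rather than the traffic summarised below), this Python script parses netfilter-style LOG lines, counts raw attempts per protocol and port the way the table does, and alongside that reports distinct source addresses and a count that collapses repeats from the same source within a retry window, which absorbs TCP SYN retransmits and the bursts that spam tools send. The log format, the hosts and the retry window are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Fields pulled from a netfilter-style LOG line; any firewall log with a
# timestamp, source, protocol and destination port maps onto the same tuple.
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

Event = Tuple[datetime, str, str, int]  # (time, source, proto, dest port)

# Constructed sample, not real traffic: one host repeating UDP/1026 three
# times in a few seconds, one TCP SYN retransmitted at the usual 3s/6s
# spacing, and a couple of single probes.
SAMPLE_LOG = """\
Aug  3 10:15:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=1026 DPT=1026 LEN=512
Aug  3 10:15:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=1026 DPT=1026 LEN=512
Aug  3 10:15:04 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=1026 DPT=1026 LEN=512
Aug  3 10:16:30 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=UDP SPT=1027 DPT=1026 LEN=512
Aug  3 11:02:10 gw kernel: IN=ppp0 OUT= SRC=198.18.0.5 DST=198.51.100.2 PROTO=TCP SPT=3344 DPT=1433 WINDOW=16384 SYN
Aug  3 11:02:13 gw kernel: IN=ppp0 OUT= SRC=198.18.0.5 DST=198.51.100.2 PROTO=TCP SPT=3344 DPT=1433 WINDOW=16384 SYN
Aug  3 11:02:19 gw kernel: IN=ppp0 OUT= SRC=198.18.0.5 DST=198.51.100.2 PROTO=TCP SPT=3344 DPT=1433 WINDOW=16384 SYN
Aug  3 11:40:00 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=1433 WINDOW=65535 SYN
Aug  3 12:00:00 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=3389 WINDOW=65535 SYN
"""


def parse_log(text: str) -> List[Event]:
    """Extract (time, src, proto, dport) from each matching line."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        # syslog lines carry no year; only differences between stamps matter here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["dpt"])))
    return events


def summarize(events: List[Event], retry_window=timedelta(seconds=30),
              min_attempts: int = 1):
    """Rows of (proto, port, attempts, sources, deduped), busiest first.

    attempts: every packet, as in the table below.
    sources:  distinct source addresses seen for that port.
    deduped:  attempts after folding packets from the same source that arrive
              within retry_window of the previous one from that source. The
              window slides, so a slow steady stream from one host counts once.
    """
    attempts, deduped = Counter(), Counter()
    sources = defaultdict(set)
    last_seen = {}
    for ts, src, proto, port in sorted(events):
        key = (proto, port)
        attempts[key] += 1
        sources[key].add(src)
        prev = last_seen.get((src, proto, port))
        if prev is None or ts - prev > retry_window:
            deduped[key] += 1
        last_seen[(src, proto, port)] = ts
    rows = [(proto, port, attempts[key], len(sources[key]), deduped[key])
            for key in attempts if attempts[key] >= min_attempts
            for proto, port in (key,)]
    rows.sort(key=lambda r: (-r[2], r[1], r[0]))
    return rows


if __name__ == "__main__":
    print("Attempts, Sources, Deduped, Protocol, Port")
    for proto, port, n, srcs, dd in summarize(parse_log(SAMPLE_LOG)):
        print(f"{n}, {srcs}, {dd}, {proto}, {port}")
```

Raising min_attempts to 10 reproduces the "fewer than ten packets are not listed" cut-off used below; the distinct-source column is the one that separates a single misconfigured host (like the WINS case) from a worm population.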

Attempts, Protocol, Port
18726, UDP, 1026
15764, UDP, 1027
Windows messenger spam attempts.

1412, UDP, 68
bootpd/dhcpd. Expected and probably legit.

449, UDP, 1434
427, TCP, 1433
Microsoft SQL server exploit traffic.

360, TCP, 42
Microsoft networking scan (WINS) -- almost 26 times the traffic last month. The reason, I think, is a misconfiguration by a budding Windows administrator (well, the second if he's not properly blocking Windows traffic at his border firewall.)

223, UDP, 1028
216, UDP, 1029
More Windows messenger spam attempts?

193, UDP, 6970
RealPlayer/Quicktime trying and failing to use UDP as a network transport. Expected and probably legit.

136, TCP, 4899
radmin (a remote administration tool) listens here. I don't know if the interest is in exploit-related access or brute force access. I've heard some worms will install radmin, and others try to get in existing installations using weak passwords.

115, UDP, 33437
Traceroute, or routing optimization. Probably legit.

100, TCP, 22
SSH.

84, TCP, 10000
Veritas Backup Exec? Zabbix? Webmin?

51, TCP, 2100
Oracle 9i XDB FTP service exploit.

47, TCP, 3306
MySQL.

31, TCP, 57
More probes for an obscure Cisco service. Again, I'm thinking it'd be interesting to hook something up to this port to see what's what.

30, TCP, 9898
Scans for an FTP server the Sasser worm will run on an infected system.

28, TCP, 3127
Backdoor port installed by the MyDoom virus.

27, TCP, 1023
The Sasser.E worm drops an FTP server here.

27, TCP, 3128
Squid webproxy. Slashdot scans.

27, TCP, 5554
The Sasser worm drops an FTP server here.

23, TCP, 8000
Webproxy. Slashdot scans.

22, UDP, 33435
Routing optimization.

21, TCP, 444
Webproxy. Slashdot scans.

19, TCP, 81
Webproxy. Slashdot scans.

19, TCP, 3124
Webproxy. Slashdot scans.

18, TCP, 111
RPC portmapper for Unix/Linux/BSD/etc. type systems. Oldschool attack vector, but I don't know what they're looking for now.

17, TCP, 3389
Remote Desktop Protocol. Someone mentioned a potential exploit on SANS in mid-July, but traffic isn't up much from last month.

17, TCP, 22826
I don't know what this is about.

17, TCP, 6101
According to an entry at SANS, a scan for the Veritas Backup Exec exploit.

17, UDP, 6346
More Gnutella. I dumped the packets this time; they're validly-formed Gnutella PING packets containing extended data that looks like a nickname field. Looks like two people checking from four hosts. I thought Gnutella clients were TCP but gtk-gnutella at least has offered UDP connectivity since November last year. Still don't know why the same machines keep scanning mine but maybe they're building a host cache (which is used by Gnutella clients as a starting point to join the network.)

12, UDP, 33439
Routing optimization.

11, TCP, 3382
Webproxy. Slashdot scans.

11, TCP, 6129
Dameware remote management tool exploit.

11, TCP, 5900
VNC (remote desktop tool).

10, TCP, 7032
Webproxy. Slashdot scans.

10, TCP, 2578
Webproxy. Slashdot scans.

10, TCP, 8081
Webproxy. Slashdot scans.

10, TCP, 8090
Webproxy. Slashdot scans.

10, TCP, 1026
Webproxy. Slashdot scans.

10, TCP, 8002
Webproxy. Slashdot scans.

10, TCP, 6588
Webproxy. Slashdot scans.
