"FUBAR-IT" What happens in IT Departments?

Keep working hard, Vote for your New Dew!

2008-06-09T18:17:00.000-07:00

Inside the Attack that Crippled Revision3

2008-05-29T09:30:00.001-07:00

on May 29th, 2008 at 07:49 am by Jim Louderback in Polemics
As many of you know, Revision3’s servers were brought down over the Memorial Day weekend by a denial of service attack. It’s an all too common occurrence these days. But this one wasn’t your normal cybercrime – there’s a chilling twist at the end. Here’s what happened, and why we’re even more concerned today, after it’s over, than we were on Saturday when it started.
It all started with just a simple “hi”. Now “hi” can be the sweetest word in the world, breathlessly whispered into your ear by a long-lost lover, or squealed out by your bouncy toddler at the end of the day. But taken to excess – like by a cranky 3-year old–it gets downright annoying. Now imagine a room full of hyperactive toddlers, hot off of a three hour Juicy-Juice bender, incessantly shrieking “hi” over and over again, and you begin to understand what our poor servers went through this past weekend.
On the internet, computers say hi with a special type of packet, called “SYN”. A conversation between devices typically requires just one short SYN packet exchange, before moving on to larger messages containing real data. And most of the traffic cops on the internet – routers, firewalls and load balancers – are designed to mostly handle those larger messages. So a flood of SYN packets, just like a room full of hyperactive screaming toddlers, can cause all sorts of problems.
For adults, it’s typically an inability to cope, followed either by quickly fleeing the room, or orchestrating a massive Teletubbies intervention. Since they lack both legs and a ready supply of plushies, internet devices usually just shut down.
That’s what happened to us. Another device on the internet flooded one of our servers with an overdose of SYN packets, and it shut down – bringing the rest of Revision3 with it. In webspeak it’s called a Denial of Service attack – aka DoS – and it happens when one machine overwhelms another with too many packets, or messages, too quickly. The receiving machine attempts to deal with all that traffic, but in the end just gives up.(Note the photo of our server equipment responding to the DoS Attack)
In its coverage Tuesday CNet asked the question, “Now who would want to attack Revision3?” Who indeed? So we set out to find out.
Internet attacks leave lots of evidence. In this case it was pretty easy to see exactly what our shadowy attacker was so upset about. It turns out that those zillions of SYN packets were addressed to one particular port, or doorway, on one of our web servers: 20000. Interestingly enough, that’s the port we use for our Bittorrent tracking server. It seems that someone was trying to destroy our bittorrent distribution network.
Let me take a step back and describe how Revision3 uses Bittorrent, aka BT. The BT protocol is a peer to peer scheme for sharing large files like music, programs and video. By harnessing the peer power of many computers, we can easily and cheaply distribute our huge HD-quality video shows for a lot less money. To get started, the person sharing that large file first creates a small file called a “torrent”, which contains metadata, along with which server will act as the conductor, coordinating the sharing. That server is called the tracking server, or “tracker”. You can read much more about Bittorrent at Wikipedia, if you really want to understand how it works.
Revision3 runs a tracker expressly designed to coordinate the sharing and downloading of our shows. It’s a completely legitimate business practice, similar to how ESPN puts out a guide that tells viewers how to tune into its network on DirecTV, Dish, Comcast and Time Warner, or a mall might publish a map of its stores.
But someone, or some company, apparently took offense to Revision3 using Bittorrent to distribute its own slate of shows. Who could that be?
Along with where it’s bound, every internet packet has a return address. Often, particularly in cases like this, it’s forged – or spoofed. But interestingly enough, whoever was sending these SYN packets wasn’t shy. Far from it: it’s as if they wanted us to know who they were.
A bit of address translation, and we’d discovered our nemesis. But instead of some shadowy underground criminal syndicate, the packets were coming from right in our home state of California. In fact, we traced the vast majority of those packets to a public company called Artistdirect (ARTD.OB). Once we were able to get their internet provider on the line, they verified that yes, indeed, that internet address belonged to a subsidiary of Artist Direct, called MediaDefender.
Now why would MediaDefender be trying to put Revision3 out of business? Heck, we’re one of the biggest defenders of media around. So I stopped by their website and found that MediaDefender provides “anti-piracy solutions in the emerging Internet-Piracy-Prevention industry.” The company aims to “stop the spread of illegally traded copyrighted material over the internet and peer-to-peer networks.” Hmm. We use the internet and peer-to-peer networks to accelerate the spread of legally traded materials that we own. That’s sort of directly opposite to what Media Defender is supposed to be doing.
Who pays MediaDefender to disrupt peer to peer networks? I don’t know who’s ponying up today, but in the past their clients have included Sony, Universal Music, and the central industry groups for both music and movies – the RIAA and MPAA. According to an article by Ars Technica, the company uses “its array of 2,000 servers and a 9GBps dedicated connection to propagate fake files and launch denial of service attacks against distributors.” Another Ars Technica story claims that MediaDefender used a similar denial of service attack to bring down a group critical of its actions.
Hmm. Now this could have been just a huge misunderstanding. Someone could have incorrectly configured a server on Friday, and left it to flood us mercilessly with SYN packets over the long Memorial Day weekend. If so, luckily it was pointed at us, and not, say, at the intensive care unit at Northwest Hospital and Medical Center But Occam’s razor leads to an entirely different conclusion.
So I picked up the phone and tried to get in touch with ArtistDirect interim CEO Dimitri Villard. I eventually had a fascinating phone call with both Dimitri Villard and Ben Grodsky, Vice President of Operations at Media Defender.
First, they willingly admitted to abusing Revision3’s network, over a period of months, by injecting a broad array of torrents into our tracking server. They were able to do this because we configured the server to track hashes only – to improve performance and stability. That, in turn, opened up a back door which allowed their networking experts to exploit its capabilities for their own personal profit.
Second, and here’s where the chain of events come into focus, although not the motive. We’d noticed some unauthorized use of our tracking server, and took steps to de-authorize torrents pointing to non-Revision3 files. That, as it turns out, was exactly the wrong thing to do. MediaDefender’s servers, at that point, initiated a flood of SYN packets attempting to reconnect to the files stored on our server. And that torrential cascade of “Hi”s brought down our network.
Grodsky admits that his computers sent those SYN packets to Revision3, but claims that their servers were each only trying to contact us every three hours. Our own logs show upwards of 8,000 packets a second.
“Media Defender did not do anything specific, targeted at Revision3″, claims Grodsky. “We didn’t do anything to increase the traffic” – beyond what they’d normally be sending us due to the fact that Revision3 was hosting thousands of MediaDefender torrents improperly injected into our corporate server. His claim: that once we turned off MediaDefender’s back-door access to the server, “traffic piled up (to Revision3 from MediaDefender servers because) it didn’t get any acknowledgment back.”
Putting aside the company’s outrageous use of our servers for their own profit, and the large difference between one connection every three hours and 8,000 packets a second, I’m still left to wonder why they didn’t just tell us our basement window was unlocked. A quick call or email and we’d have locked it up tighter than a drum.
It’s as if McGruff the Crime Dog snuck into our basement, enlisted an army of cellar rats to eat up all of our cheese, and then burned the house down when we finally locked him out – instead of just knocking on the front door to tell us the window was open.
In the end, here’s what I know:
A torrential flood of SYN packets rained down on Revision3’s network over Memorial Day weekend.
Those packets – up to 8,000 a second – came primarily from computers controlled by MediaDefender, who is in the business of shutting down illegal torrent sites.
Revision3 suffered measurable harm to its business due to that flood of packets, as the attacks on our legitimate and legal Torrent Tracking server spilled over into our entire internet infrastructure. Thus we were unable to serve videos and advertising through much of the weekend, and into Tuesday – and even our internal email servers were brought down.
Denial of service attacks are illegal in the US under 12 different statutes, including the Economic Espionage Act and the Computer Fraud and Abuse Act.
Although I can only guess, here’s what I think really happened. Media Defender was abusing one of Revision3’s servers for their own purposes – quite without our approval. When we closed off their backdoor access, MediaDefender’s servers freaked out, and went into attack mode – much like how a petulant toddler will throw an epic tantrum if you take away an ill-gotten Oreo.
That tantrum threw upwards of 8,000 SYN packets a second at our servers. And that was enough to bring down both our public facing site, our RSS server, and even our internal corporate email – basically the entire Revision3 business. Smashing the cookie jar, as it were, so that no one else could have any Oreos either.
Was it malicious? Intentional? Negligent? Spoofed? I can’t say. But what I do know is that the FBI is looking into the matter – and it’s far more serious than toddlers squabbling over broken toys and lost cookies.
MediaDefender claims that they have taken steps to ensure this won’t happen again. “We’ve added a policy that will investigate open public trackers to see if they are associated with other companies”, promised Grodsky, “and first will make a communication that says, hey are you aware of this.”
In the end, I don’t think Media Defender deliberately targeted Revision3 specifically. However, the company has a history of using their servers to, as Ars Technica said, “launch denial of service attacks against distributors.” They saw us as a “distributor” – even though we were using Bittorrent for legitimate reasons. Once we shut them out, their vast network of servers were automatically programmed to implement a scorched earth policy, and shut us down in turn. The long Memorial Day weekend holiday made it impossible for us to contact either Media Defender or their ISP, which only exacerbated the problem.
All I want, for Revision3, is to get our weekend back – both the countless hours spent by our heroic tech staff attempting to unravel the mess, and the revenue, traffic and entertainment that we didn’t deliver.
If it can happen to Revision3, it could happen to your business too. We’re simply in the business of delivering entertainment and information – that’s not life or death stuff. But what if MediaDefender discovers a tracker inside a hospital, fire department or 911 center? If it happened to us, it could happen to them too. In my opinion, Media Defender practices risky business, and needs to overhaul how it operates. Because in this country, as far as I know, we’re still innocent until proven guilty – not drawn, quartered and executed simply because someone thinks you’re an outlaw.
- Jim LouderbackCEO - Revision3
Tags: blogThis entry was posted on Thursday, May 29th, 2008 at 7:49 am and is filed under Polemics. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

DO NOT use MY5GB unless you want to be left in the dark with no support.....

2008-05-22T12:02:00.000-07:00

First I had good luck with this site for a few weeks. Then I suggested that a Friend us it to host a nonprofit org... BIG Mistake, during this time they locked up the DNS, and had me in limbo for 5 days with no support or help even thou the site says 24/7/365 (Allot of Crap) Don’t believe me go look at the forum if you can get thru the spam. Plus when I created sever post trying to get thru the spam they banned my account. Nice move Morons. http://forum.my5gb.com

Original web ticket request! The Deleted this real quick when I got upset with them!

Cannot register this name on server.Extra domainAdd a valid domain name(.com, .co.uk etc). After adding this domain both the domain and previous subdomain will operate on your account.Domains must be registered through an external registrar.Nameservers: ns1.my5gb.com, ns2.my5gb.comMaximum of 255 characters.Sorry but this domain is already in use.Using domain1.com that I own.A Record domain1.com Edit Delete A Record domain1.com Edit Delete web site is down currently because of this...

Posted On: 15 May 2008 07:16 PM
I need to see about getting this resolved ASAP. What do I need to do or fix!!!!!!

Posted On: 19 May 2008 09:14 PM
This is still an issue and has been 4 days. I need to get this fixed ASAP.

Posted On: 20 May 2008 01:10 PM
I need a resolution to this fast. I am getting allot of heat having the site down, because I am the one that suggested using 5gb.... PLEEEEEEEEEASE Help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Posted On: 21 May 2008 11:38 PM
I am still waiting for a resolution and this is Day 6, what am I to do. Do you really have support or is this just a joke... :(

Back

After all this and no response all 5 of my domain get the Spam header wanting me to download Firefox and Google toolbar…. WTF is My5GB getting hacked I think yes….

So Finally I got an email back and here is how the Thread went…
from
Tommy
hide details
11:13 pm (11 hours ago)
reply-to
tommy@my5gb.com

date
May 21, 2008 11:13 PM

subject
[#QVI-148291]: DNS not working

If you even bothered searching on the forums maybe you would of find the fix.--Tommy L.www.my5gb.comTicket Details===================Ticket ID: QVI-148291Department: GeneralPriority: CriticalStatus: Open
What was this support can Insult you, so after taking my Blood meds I replied…
Tommy,Point me in the right direction and I was asking for support not a insult... Your forum is full of complaints and blue pill spam... Come on you got to have better support than this and yes I did dig thru the forum and try every trick I could find.... After taking 4 blue pills to make my girl friend happy for 12 hour I tried every DNS suggestion on the forum and had no luck... So how about helping out and not trying to insult me... :( After 5 days waiting I am very dissatisfied with the reply.

I get this back and notice the issue is closed now, he assumes it done…
from
Tommy
hide details
9:55 am (56 minutes ago)
reply-to
tommy@my5gb.com

date
May 22, 2008 9:55 AM

subject
[#QVI-148291]: DNS not working

http://forum.my5gb.com/showthread.php?p=465#post465--Tommy L.www.my5gb.comTicket Details===================Ticket ID: QVI-148291Department: GeneralPriority: CriticalStatus: Closed
Then I call Yahoo who has my registered name and get this.

I just got off the phone with Yahoo. They said my5gb was seriously hacked. They are resetting everything for the Domain Name and they are working on getting the site up and running. They said they tried to hack my account at yahoo where I have the domain name and the additional domain under.

Now I really miffed to be nice about it… So waiting on next response for the excellent support team at my5gb.com (NOT) I GET THIS!!!!!

I think the error is very clear. And also the forum explained it well so you should be able to fix it.Thanks--Tommy L.www.my5gb.comTicket Details===================Ticket ID: QVI-148291Department: GeneralPriority: CriticalStatus: Open

Please I beg you please go look at this link he sent and please explain how this is good for business.
http://forum.my5gb.com/showthread.php?p=465#post465

So I reply:

This is the worst support I have ever heard of...... The forum link you keep referring me to says the same that you suck... I will make sure to tell everyone I know how much your customer services sucks... I thought India was bad...How do I get on the quality of service questioner? I have a lot of suggestions...And I get back

Tommy
hide details
10:45 am (17 minutes ago)
reply-to
tommy@my5gb.com

date
May 22, 2008 10:45 AM

subject
[#ZBC-904221]: Re: Delete Accounts

Great, you are free to find a better one. Remember it's a free service.Bye--Tommy L.www.my5gb.comTicket Details===================Ticket ID: ZBC-904221Department: GeneralPriority: LowStatus: Closed

So remember before you go for the Free make sure to do your home work, this has forced me to go back to a paid service and never take the chance again… If you don’t believe me I am sure Tommy can help you out finding a free service for free if you remember when you need support “This is a Free Service good luck”

DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support..... DO NOT use MY5GB unless you want to be left in the dark with no support.....
DO NOT use MY5GB unless you want to be left in the dark with no support.....

Dont do Free Hosting, Wait DONT DO MY5GB.com

2008-05-22T08:40:00.000-07:00

Chicago Micro New Website

2008-04-08T10:13:00.000-07:00

When you want the right price and product go to:

1934 Spam "How things have and have not changed"

2008-02-14T07:26:00.001-08:00

OUTLAWS MAY USE SUPER-STATIONS at Sea

Broadcasting stations without a country seek new ways to flood the United States with radio advertising barred by federal commission. Two hundred outlaws face war by the government.

by MURPHY McHENRY

RADIO circles on the Pacific Coast were turned topsy turvy not long ago by the; continued presence of a radio pirate ship which had taken unto itself a very popular spot on the dial and started broadcasting without regard for the land stations with which it interfered.

The primary purpose of the unlicensed broadcast station was to advertise the gambling, liquor, and other dubious pleasure activities of the ship upon which it was built—all these activities beyond the 12-mile limit, of course. Thousands responded to the advertising and the owners waxed rich. They found other sundry rackets, such as a fortune telling program, which brought in additional money and finally assumed such an extensive program that one Los Angeles station was threatened with; a complete loss of audience and business because the ship’s radio signal was the more powerful of the two.

After numerous unsuccessful attempts of a local nature, the floating broadcasting establishment was silenced, but only after the state department at Washington, D. C, had made diplomatic representations which forced a Central American country to cancel the ship’s registry.

However, this ship had paved the way and now, with the United States making headway in its light to muzzle stations just south of the Rio Grande river, within the shelter of Mexico, it appears that soon floating broadcast palaces may be dotted here and there outside the 12 mile limit, particularly in the Gulf of Mexico.

There is little chance that the border broadcasters will give up without a struggle. Led by XER’s spectacular Dr. John R. Brinkley, formerly of Milford, Kansas, and now of Del Rio, Texas, they have found too many ways to gather in otherwise hard earned dollars to sit by complacently and be permanently hushed. Dr. Brinkley has made millions of dollars as a result of his broadcasts. Others, working along numerous lines, have taken in many more millions.

And that is why, in the face of possibilities that they may be driven out of Mexico, these promotional minded broadcasters - are putting up a brilliant struggle. That is also the reason why, as they battle for further privileges in Mexico, they are showing deep interest in the possibility of operating from beyond the 12 mile limit. To do so, they would have to secure ship registry from some nation, but it is well known that there are a number of Central and South American countries which would welcome the chance for added governmental revenue, for these broadcasters, barred from the United States, are accustomed to paying handsome taxes in Mexico.

All the so-called “radio pirates” are not across the border or out on the high seas. A. D. Ring, principal engineer of the-federal radio commission, says that at least 200 outlaw stations have been under surveillance in the United States alone.

Most of these stations operate on from one to five watts power and claim immunity from federal restrictions on the assertion that their radio waves do not travel from one state to another. However, supersensitive equipment employed by federal investigators has broken down this claim and as a consequence many such station operators have been indicted and held for trial in the federal courts.

In addition to the type of business indulged in, the stations in Mexico have stirred up great protest because they provide serious interference with many stations in the United States.

There never has been any radio treaty or agreement between the United States and Mexico, such as this country has with Canada. In many circles this has been accepted as a diplomatic insult and as a consequence almost anybody wanting to build a radio station can secure a permit from the Mexican government.

Quite naturally, this situation appeals most to those broadcasters who cannot carry on their operations in the United States. Men who have definitely been barred from radio privileges in this country have quickly turned to Mexico, built super-power stations and easily reached the millions of American homes possessing radio sets.

There is no known means of barring radio waves where they have sufficient force and power to cross political or physical boundaries.

Dr. Brinkley was one of the early border operators. He turned to Mexico when the federal radio commission closed his famous Station KFKB, at Milford, Kansas.

And now Dr. Brinkley, and others, may be forced to turn elsewhere, possibly to the high seas, in order to continue the radio invasion of the United States. For just as Dr. Brinkley was contemplating the increase of power on XER from 150,000 watts to 500,000 watts, the Mexican authorities issued new rules.

Dr. Brinkley, along with other border broadcasters, has started to fight in the courts of Mexico. For the rules, if enforced, would make it impossible to carry on profitably.

Specifically, they provide: 1. Discontinuance of remote control lines originating outside of Mexico.

2. Elimination of advertising of any medical product which is not approved by Mexican health authorities.

3. Discontinuance of mentalist acts, question and answer hours and the like, except by special permission from the Mexican radio department. 4. Designation of the Spanish language as the official language in which all broadcasts must be made, except in cases where special permission is obtained for broadcasts in another language, such as English.

Brinkley Minus Passport Dr. Brinkley is fighting. He is refused a passport into Mexico, ostensibly through the efforts of the American Medical Association, and elimination of his remote control line would make it impossible for him to talk on his own radio station. Without permission to advertise his medicines and gland operations, he would have little incentive to talk in such an expensive manner. Cancelling the question and answer program would deprive XER of about $10,000 a month.

If he is not successful in his fight to have the drastic new orders rescinded, Dr. Brinkley will not quit. That much is certain. He will be ready to build his station either on a ship or in some friendly Central American country which would appreciate added tax revenues. Other border broadcasters would no doubt follow suit, for they are more or less depending upon the leadership of Dr. Brinkley in this latest battle.

The doctor is right on the battle ground. He has closed his Milford, Kansas, establishment, and moved to Del Rio, Texas, with his full staff. Elimination of the intricate remote control line from Milford to the radio station in Mexico effected a saving of approximately $10,000 a month.

Closely watching every move made by Dr. Brinkley is Norman Baker, another well publicized broadcaster now exiled from the United States, so far as radio is concerned. Baker, who came into the toils of law through advertising and operation of a cancer clinic at Muscatine, Iowa, has his new 150,000 watt transmitter, XENT, nearing completion at Nuevo Laredo, just opposite the important border city of Laredo, Texas. Baker’s fate will largely depend upon Dr. Brinkley’s ability to invalidate the nonmedical advertising order.

Battle of Power Seen If Dr. Brinkley should increase his station’s power to 500,000 watts, it will place Mexico on a radio par with the United States, for WLW at Cincinnati is soon to begin operation on that strength. With two such high powered stations on the dial, many fear that numerous adjacent small stations will be drowned out by interference.

However, WLW will be under governmental regulations which require that it remain within five cycles of its assigned frequency. In all probability Mexico, for the protection of its own listening audiences, will invoke the same rule, which will in a measure alleviate much interference.

The proposal of Dr. Brinkley to float his station in the event of further trouble with Mexico, brings up the interesting possibility that several such stations might be constructed in favorable locations with proper credentials from a recognized government.

http://blog.modernmechanix.com/2008/02/04/outlaws-may-use-super-stations-at-sea/

MySpace Under New Malware Attack

2008-01-18T05:34:00.000-08:00

MySpace is under attack again. According to Marshal's TRACE team, it involves spam that pretends to be a legitimate invitation to join MySpace. It contains a link that redirects to a fake MySpace page. Once there the user is prompted to update Adobe Flash player. If they accept the download, malware is downloaded to their computer, turning it into zombie and making it part of a botnet. The affected computer then starts sending phishing emails targeting major US banks.
"We saw sites such as YouTube targeted in these kinds of malware distribution campaigns last year. It follows that social networking sites would be next on the spammers list of targets to exploit, although this newest campaign arrived a little sooner that expected. This attempt to exploit MySpace is simplistic but effective," said Bradley Anstis, Marshal's VP of Products.
It is not yet clear if the botnet in question is controlled by the Storm Worm or a single hacker or gang. See full article.

MS issues two security patches for January 2008

2008-01-08T10:42:00.000-08:00

MS08-001 -Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution Severity: Critical Click here to read the full bulletin at Microsoft

MS08-002 - Vulnerability in LSASS Could Allow Local Elevation of Privilege Severity: Important Click here to read the full bulletin at Microsoft

For the Vista users, Microsoft used patch Tuesday to release several non-security update packages via the Windows Update. The updates include the regular monthly Malicious Software Removal Tool and Windows Mail Junk Mail Filter, two updates in MS's regular series of Windows Vista updates (KB943302 for application compatibility and KB943899 for reliability and performance), and one update of particular notice: KB935509. Similar to previous updates that enhanced Windows Vista’s performance and reliability, these updates will be distributed automatically through Windows Update. The KB935509 release is a little different than past updates. It is a prerequisite for installing SP1 and is applicable only for Windows Vista Ultimate and Enterprise users, because it only affects versions of Windows Vista supporting BitLocker Drive Encryption

Anyone use Second Life for Biz?

2008-01-02T09:34:00.000-08:00

Anyone using this yet for Biz?

A LOOK AT Second Life

JOIN SECOND LIFE

EVENTS AT SECOND LIFE

Help! UDP outbound to port 1230 every 17 seconds?

2007-12-31T08:51:00.000-08:00

I am being flooded with port 1230 request on Christmas weekend.

I started getting hit with log errors for port 1230 and have never seen this one before. I have several workstations trying to get out all of the sudden for no reason using port 1230.

Destination IP: 85.85.170.170
Name Resolution: eu85-85-170-170.clientes.euskaltel.es
Port: 1230
Port Registered as: periscope
Service: UDP

It turned out to be an HP printer on the network that had a static address but was broadcasting that is was 85.85.170.170 / eu85-85-170-170.clientes.euskaltel.es

I ran a sniffer to watch one of my workstations that was sending data out to IP 85.85.170.170 port 1230 and grabbed the MAC address of the box.

I used the good old Microsoft reboot method on the printer and everything is working now.

Maybe this post will help you save some time troubleshooting and tracking! HP What's the deal with this.....

Thanks to this link for reducing the research http://aplawrence.com/Bofcusm/2551.html

MS issues 7 Security Patches for December 2007

2007-12-19T08:48:00.000-08:00

MS07-063 -Vulnerability in SMBv2 Could Allow Remote Code ExecutionSeverity: Important Click here to read the full bulletin at Microsoft

MS07-064 -Vulnerabilities in DirectX Could Allow Remote Code ExecutionSeverity: Critical Click here to read the full bulletin at Microsoft

MS07-065 - Vulnerability in Message Queuing Could Allow Remote Code ExecutionSeverity: Important Click here to read the full bulletin at Microsoft

MS07-066 -Vulnerability in Windows Kernel Could Allow Elevation of Privilege Severity: Important Click here to read the full bulletin at Microsoft

MS07-067 -Vulnerability in Macrovision Driver Could Allow Local Elevation of PrivilegeSeverity: Important Click here to read the full bulletin at Microsoft

MS07-068 -Vulnerability in Windows Media File Format Could Allow Remote Code Execution Severity: Critical Click here to read the full bulletin at Microsoft

MS07-069 -Cumulative Security Update for Internet Explorer Severity: Critical Click here to read the full bulletin at Microsoft

COMCRAPPY

2007-11-26T07:18:00.000-08:00

Missouri City Not Experiencing "Comcastic" ServiceHats off to a group of Missouri City residents who are not happy with their new "comcastic" service from Comcast Cable. Residents of Missouri City filed their complaints with Missouri City officials at city hall. Their grievances ranged from faded to no signals, rate hikes and many others. Comcast has heard their complaints and says they won't lower their rates but they do promise better service. Promises, promises.
I think this needs to be ALL of HOUSTON. I have had issues ever since the rollover with billing, speed and keeping the internet working, plus poor signal on the TV. Why did we get the trashy service and loose Time Warner?????????????
MAKE YOUR VOICE HEARD! Mean Time I am looking at going back to AT&T and hoping Verizon will hurry up with the fiber.

96% of all email is SPAM

2007-11-14T06:11:00.000-08:00

Do you realize that 96% of all email is SPAM? That means for every 25 emails you receive, only one of them is a real email. At least that's what Ken Rutkowski, host of KenRadio's World Technology Roundup is saying. In this brief video, Ken highlights a few tools that can be used to filter the spam from your inbox.
Meanwhile, I present an alternative to email that came up in my conversation with Jonathan Christensen at Skype: persistent chat windows. Jonathan does not check email first thing in the morning, he checks his Skype to see what chats had activity overnight. He can then go through all the chat windows to find the ones that had activity and respond as appropriate.It's a clever idea, actually. All the information is right there, in context. Spam is a non-issue since you can easily block those that do. It might be a while before I can work like this, but it has a certain appeal. What do you think? Leave a note in the comments. See article.

MS Issues 2 Security Patches for November 2007

2007-11-13T12:57:00.000-08:00

One critical patch and one important patch from MS11-13-2007 -- from the folks at Microsoft

MS07-061 -Vulnerability in Windows URI Handling Could Allow Remote Code Execution Severity: Critical Click here to read the full bulletin at Microsoft

MS07-062 - Vulnerability in DNS Could Allow Spoofing Severity: Important Click here to read the full bulletin at Microsoft

True HollyWood Tech

2007-10-19T13:22:00.001-07:00

MS Issues 6 Security Patches for October 2007

2007-10-09T06:05:00.000-07:00

3 Critical and 2 Important and 1 Impotant Security Patches10-09-2007 -- from the folks at MicrosoftMS07-055 -Vulnerability in Kodak Image Viewer Could Allow Remote Code ExecutionSeverity: Critical Click here to read the full bulletin at Microsoft
MS07-056 -Security Update for Outlook Express and Windows MailSeverity: Critical Click here to read the full bulletin at MicrosoftMS07-057 - Cumulative Security Update for Internet ExplorerSeverity: Critical Click here to read the full bulletin at MicrosoftMS07-058 -Vulnerability in RPC Could Allow Denial of ServiceSeverity: Important Click here to read the full bulletin at Microsoft
MS07-059 -Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint SiteSeverity: Important Click here to read the full bulletin at Microsoft
MS07-060 -Vulnerability in Microsoft Word Could Allow Remote Code Execution Severity: Critical Click here to read the full bulletin at Microsoft

Breaking News: All Online Data Lost After Internet Crash

2007-10-05T06:33:00.000-07:00

Breaking News: All Online Data Lost After Internet Crash

How IT Works!

2007-10-02T15:52:00.000-07:00

Such a IT SIT

2007-10-01T06:10:00.000-07:00

MS issues 4 Security Patches for Sept 2007

2007-09-11T06:44:00.000-07:00

MS07-051 -Vulnerability in Microsoft Agent Could Allow Remote Code ExecutionSeverity: Critical Click here to read the full bulletin at Microsoft
MS07-052 -Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code ExecutionSeverity: Important Click here to read the full bulletin at MicrosoftMS07-053 - Vulnerability in Windows Services for UNIX Could Allow Elevation of PrivilegeSeverity: Important Click here to read the full bulletin at MicrosoftMS07-054 -Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution Severity: Important Click here to read the full bulletin at Microsoft

Site Rules and Policy!

2007-08-15T10:25:00.000-07:00

Playing with Windows Updates!

2007-08-14T13:36:00.000-07:00

Today is getting ready for patch day again. Here is a script I found on AWSODA.NET to help force a patch. http://www.awsoda.net/security/

Here is a Force patch script to clear the Reg setting and restart the AU service without a wait time. This is good to clear out the wait setting and force an update for testing or emergencies. Copy and Paste to notepad and save as AUForceUpdate.cmd All Files. For use in a logon script remove the two pauses.

Start Cut
=================================================================================================================
@echo off
Echo
Echo This batch file will Force the Update Detection from the AutoUdate client by: AWSODA
Echo
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)
Pause
@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv
@echo off
Echo The Auto Update client will now check for the Updates on the Local SUS or WSUS Server.
Echo
Echo After 10-20 minutes Have a look at "C:\WINNT\WindowsUpdate.log"
Echo
Echo
Pause
=================================================================================================================

Stop Cut

Isn't it ironic?

2007-08-07T08:46:00.000-07:00

Life's little ironies make me smile. I opened up my Microsoft Outlook this morning and saw that I had an e-mail in their built-in "Junk e-mail" folder. I don't get many, so I thought I'd take a look and see what it was for (I always need more little blue pills).

I about fell out of my chair when I saw that Microsoft had tagged themselves as spam. You gotta love that.

Desk are not dull anymore!

2007-06-26T09:54:00.000-07:00

Hmmm, this is the FUBAR-IT in the making!

2007-06-12T15:08:00.001-07:00

Ok ok ok ok yea ok

I finally was able to hire a new employee at a remote location fighting tooth and nail to justify work, needs, why and all the other question I had to answer. I was finally able to hire a contractor for the helpdesk position (Only IT Person for 30 People)

So after this was completed and I have him onsite and trying to get him set up. First thing is to get him access to the location, keys and code. When the request can thru I received a email stating that we do not give out keys and access to contractors. Hmm ok so now I have a contract employee that cannot access the building after hours, has to come in 1 hour later or wait at the door and cannot access the server room unless he ask a person from a different department.

Hmm What do I reply, how about:

I am fine with this as long as IT does not have to support the Remote office during non business hours. I will let Blank and Blank work this out with Blank. Not my place to ask for exceptions to the rule.

Needless to say within 15 minutes he had keys and access to the location 24/7.

You sir, are a dumbass

2007-06-12T13:58:00.000-07:00

I asked a coworker at a remote site to open up some machines and see what kind of RAM upgrades they would take. Actually, I did one better than that.... I sent him to www.crucial.com and told him to run their little System Scanner to see EXACTLY what type of RAM chip each system took. He comes back with these results:

Notice how it says "DDR PC3200" is currently installed.

Notice how it says "FPM" is currently installed.

Well boys and girls, it looks like we have a bunch of systems with 2 different motherboards. Well I then get this email from him:

The chips are the same in all boxes

Kingston KVR400X64C3A/512

Sometimes CrucialScan is not correct

Thanks

My response back:

Interesting….

So ALL of the boxes (both 2.5 and 3.0) use Kingston KVR400X64C3A/512 right now?

And do they all have 2 chips with 2 open slots?

His final response:

Correct !

Okey-dokey. I placed the RAM for ALL PC3200 sticks, as he has assured me that is what they will take. Two weeks go by (IT misplaced the order, ahem)... I get another broadcast e-mail from him saying that some of the servers were upgraded with new ram, but...

P.S.

I received memory (RAM) - but all chips are the same -

184 pin DIMM 128x64 DDR PC3200 and they’re not

Compatible with following boxes:

<.....>

They are KVR800 series

WTF?!?!?! Did I not ask him to double check what kind of RAM the boxes took? Did Crucial not tell him some boxes were FPM800. WTF?!!??!?!

And yes, he used purple font in his e-mail, along with red, blue, green, and black.

Who around here has an opinion?

2007-06-12T09:39:00.001-07:00

I guess you could lump all upper management in with CEOs.

Family? They had a good run

2007-06-12T09:31:00.001-07:00

Some people are just slow

2007-06-12T09:20:00.000-07:00

So I got an IM from one of our support reps today asking about a customer issue:

TS: Ok. About the PRB12345
TS: I have a Webex recording of the issue form the client
Trevor: let me look it up
TS: Is 5meg
TS: Yoy want me send here
Trevor: did they apply the hotfix?
TS: which one
Trevor: the one I validated last night?
TS: I have seen that. Checking
Trevor: check your email, should be at 11 PM last night
TS: k
TS: Can you resend please
Trevor: done
Trevor: did you get my email about the hotfix?
[TS has logged off MSN]

The support issue is linked to the engineering issue. I sent out a broadcast email to the whole support group last night, I even marked it HIGH importance with the little red ! that Outlook uses. WTF is he doing asking me today if I need extra info from the customer on the issue?

OK here it is the weird issue of the week that cannot be explained and wasted allot of time to find a fix.

2007-06-08T10:01:00.000-07:00

After spending hours trying to figure out why one server out of ten cannot connect to the Buffalo NAS. Here is the fix and still have no reason why this started. SP1 has been applied for over a year and I cannot count how many time the box has been rebooted over a year.

FIX found here
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=11005

You experience authentication issues when you try to access a Windows Server 2003 SP1 server locally using a UNC (Universal Naming Convention) path in the \\ServerName\ShareName format. You experience one of the following:

- Repeated logon windows.

- Access Denied.

- No network provider accepted the given network path.

- The Security event log contains Event ID 537.

You can access the computer locally using its' FQDN or CNAME alias, and you can access it remotely use \\ServerName or \\IPaddress.
This behavior is the result of the new loopback check security feature, which is enabled by default on Windows Server 2003 SP1.
To workaround this behavior, you can disable the authentication loopback check, or you can create local LSA (Local Security Authority) host names that are referenced in a NTLM authentication request.

To disable the authentication loopback check:

1. Open a CMD.EXE window.

2. Type the following command and press Enter:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /V DisableLoopbackCheck /T REG_DWORD /F /D 1

3. Shutdown and restart Windows Server 2003.

To create local LSA host names that are referenced in a NTLM authentication request.

1. Open a CMD.EXE window.

2. Type the following command and press Enter:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /V BackConnectionHostNames /T REG_MULTI_SZ /F /D "Multi_String CNAME or DNS alias"
Where each entry is separated by a \0 and the last entry is terminated with \0\0, like CNAME1\0CNAME2\0CNAME3\0\0 or CNAME\0\0.

3. Shutdown and restart Windows Server 2003

NO Thanks to the Advertising king web site that used to have good info before they got Greedy
http://www.experts-exchange.com/Networking/Windows_Networking/Q_22484239.html

Funny of the Day!

2007-06-07T19:48:00.000-07:00

I was sent this from a family member and thank them for adding me to the latest spam list. :) Not realy IT related but some good office humor.

The First Help Desk Call

2007-06-06T18:12:00.000-07:00

I was sent this video from a web developer and had to share.

Funny of the day!

2007-06-06T16:57:00.000-07:00

Clearing my Head

2007-06-06T15:20:00.000-07:00

Today I am clearing my head of all the strange things that happen in IT Departments. No names or clues will be typed to indentify the persons but we all know one or two.

/Lance