Heartbleed Bug – End of the World or Non-event?

heartbleed xkcd comicThat about covers the risks.  Now what can you do about it?  First, update your computer (Windows, Mac OS X or Linux/Unix), right now!  Before you read the rest of this post.

Most software vendors/service providers recognized the serious nature of this bug and updated their software (the easy part).  So getting the fix is usually easy. The biggest problem is trying to determine if your information has been compromised.  You can’t!  Attacks leave no trace or very little on the computers that gave up their private secrets.  This bug has been out in the wild for 2 years!  Maybe nobody found it and took advantage OR somebody did and has all our passwords.  N.S.A is that you?  The actual risk is probably somewhere in between those extremes.

Most security experts are recommending that we change all our passwords and replace all of our SSL certificates.  At the very least change your password on you bank account log-in, but you probably don’t need to change your Facebook password (everybody has all that info).  And definitely change your password if you use one password for everything.  Yea, it is hard to remember all of them, but you can let your computer do the remembering.  Start using a password safe like KeePass or KeePassX to create and store long secure password using one password, that you have to remember, to save them on your system in an encrypted file.

More info about Heartbleed Bug:


Microsoft dropping XP support

Microsoft has finally made good on their threat to stop supporting Windows XP and on April 8, 2014 will stop providing update and fixes for one of their most popular operating system releases.  Microsoft released Windows XP in 2001 and end development of it in 2008.  They have continued to provide bug-fixes and minor updates until April 8, 2014.

To find out what version of Windows you are running you could go to this page on Microsoft’s web site, but it said I was running Windows 8.1 even though I am running Ubuntu.  So if you know you are not running Ubuntu or Mac OS X the following steps will help you find your version of Windows.

The minimum hardware you need to run Windows 8.1 is:

  • Processor: 1 gigahertz (GHz) or faster with support for PAE, NX, and SSE2
  • RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
  • Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
  • Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

I stress this is the minimum to even install and doubling these minimums is needed to run Windows 8 in a efficient and productive way. Also this does not take into account any other applications you might install and run.

So you either need to buy new hardware, which will come with a newer version of Windows or switch to another operating system.  To use Mac OS X you need to buy an Apple Macintosh PC which, in my opinion, is a much better interface and less of a target for computer viruses that Microsoft Windows.

If do not want to buy new computer hardware there are alternatives that will run on your existing PC.  Check out the free Lubuntu, a lightweight variation of Ubuntu.

If you use you computer for just email and browsing these free alternatives will fit the bill.  You can also edit documents (in most Microsoft Office and other formats) with the free LibreOffice office suite software.

There are other free Linux distributions that will run on older computers and here is a link to the DistroWatch.com web-site that lists some of them.  Most of these offer a “live CD” download that allows you to download and create a CD that you can use to try out the new operating system and application software without installing it on your system.  A try before you install option!

If you don’t have a writable CD/DVD drive or don’t know how to create a CD, you can order a Lubuntu CD from OSDisc.com for $2.95 +S/H.  They also sell other Linux variations as well.

Other benefits of most Linux distributions are ease of update and less computer viruses that are designed to attack Linux-based computers.

Before your old Window XP system is hacked, check out the alternatives.

What Is That Thing?

Recently I purchased a Dremel® power tool and noticed a black plastic device mounted on the power cord. On this device the words “Do Not Remove” were prominently displayed.  This piqued my curiosity, so I search the web for the “Emtag” and “Do Not Remove” and found numerous results.  Most of which gave confusing information about this device.  Some said it was to suppress high frequency interference in electronic circuits.  Some said it was a tracking device.

Emtag picture
Emtag Side A
Emtag Side B
Emtag Side B
Emtag removed pic
Emtag Removed

Not being able to live with this information void, I decided to try a test, contrary to all warnings and remove the device!  I just used pliers to squeeze the device until it separated into two pieces.

The Dremel still ran!  But was I now interfering with my wireless network while grinding, shaping and polishing?  Looking at the inside of the removed Emtag™, I saw something familiar.  This flat white plastic tag (seen in the picture Emtag Removed) is commonly used in stores to prevent theft.

Emtag™ is a anti-shoplifting device that is attached to electrical product cords using electronic article surveillance (EAS) to prevent theft. The Emtag™ device is manufactured by B&G International Inc. and contains a Sensormatic Supertag acousto-magnetic (AM) tag. These AM devices are typically attached to products and packaging during manufacturing. The devices are sensed by special antennas located at exits from a store or building. The Emtag™ comes in several sizes for attachment to power codes of different sizes.

This device can safely be removed (after purchase) from power tools without affecting the performance of the tool.  This device has nothing to do with suppressing high frequency noise in electronic circuits like ferrite rings.  In fact, it is similar to those mattress tags that say “Do Not Remove” in that they are unneeded after you get your purchase home.

D-Link Router Backdoor Vulnerability

The US-CERT, a part of the Department of Homeland Security,  has issued a warning that certain D-Link routers have firmware that contains a backdoor for remote users to access router administrative functions without entering the administrator password.  Besides D-Link, Planex and Alpha Networks devices may also contain this firmware.

According to D-Link, the following D-Link routers are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

For more detailed up-to-date information go to this D-Link page on this issue.

According to the original vulnerability report, the following Planex routers are likely affected:

  • BRL-04R
  • BRL-04UR
  • BRL-04CW

If you have one of these routers, check to make sure that the remote configuration from the Internet is not allowed (default setting).  This may have been changed by ISPs that remotely administer customers Internet connections.

Security researcher Craig Heffner found these routers’ internal web server will accept and process any HTTP requests that contain the User-Agent string “xmlset_roodkcableoj28840ybtide” without checking if the connecting host is authenticated.

DNSChanger malware

If you use default passwords on your home or office gateway/router, then you maybe at risk from the DNSChanger malware.  This can affect how your computers translate domain names such as apple.com, microsoft.com and other domain names to the unique Internet Protocol (IP) address such as that we ultimately depend on to access other computers.  A company in Estonia called Rove Digital has been operating since 2007 and may have affected more that 500,000 computers in the United States alone.  If your computer is affected, it will fail to access the Internet after July 9, 2012.

The Domain Name System (DNS) is a critical Internet service that converts user-friendly domain names, such as www.fbi.gov, into numerical addresses that allow computers to talk to each other. Without DNS and the DNS servers operated by Internet service providers, computer users would not be able to browse websites or send e-mail.

DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.

  1. The malware changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal.
  2. The malware attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

The following table list sites setup to help you determine if your computer is affected.




http://www.dns-ok.us/ English DNS Changer Working Group (DCWG)
http://www.dns-ok.de/ German Bundeskriminalamt (BKA)
Bundesamt für Sicherheit in der Informationstechnik (BSI)
http://www.dns-ok.fi/ Finish CERT-Fi
http://www.dns-ok.ax/ Swedish CERT-Fi
http://www.dns-ok.be/ Dutch/French CERT.be
http://www.dns-ok.fr/ French CERT-LEXSI
http://www.dns-ok.ca/ English/French CIRA and CCIRC
http://www.dns-ok.lu/ English CIRCL
http://dns-ok.nl/ Dutch/English SIDN

For more technically oriented people the following is a list of IP address the criminals used for their activities.

List of Rogue DNS Server Addresses

  • through
  • through
  • through
  • through
  • through
  • through

For more information see the following links:


DNS Changer Working Group (DCWG)


Update 2015-01-02: Many sites linked from this page are no longer available.

Uncle Sam Needs You!

We need your help prevent United States Senate Bill 968 (PIPA) and HR 3261 (SOPA) from becoming U.S. law. These bills are essentially a technical solution (a flawed one) for a business problem.  These laws would short-circuit due process of existing laws and provide a sledge hammer for businesses to take down their competitors.  These laws are the wrong solution for the described problem.  A group of Internet inventors and engineers have voiced their opinion in an open letter to Congress stating their opposition to the SOPA and PIPA bills.  Ironically some provisions in these bills would attack Free Speech in ways we condemn in China and Iran.

Uncle Sam needs youWe need you to help over come the well funded lobbying effort to create these laws!  Some opponents of PIPA and SOPA: Google, Yahoo, Wikipedia, craigslist, Facebook, Twitter, LinkedIn, eBay, AOL, Mozilla, Reddit, Tumblr, Etsy, Zynga, EFF, ACLU, Human Rights Watch, Darrell Issa (R-CA), Ron Wyden (D-OR), Nancy Pelosi (D-CA), Ron Paul (R-TX), Tim O’Reilly.

To find out how you representative is voting go to SOPA Opera to find out.  Then contact them and tell them how you feel about keeping the Internet a fair and open place to socialize and work.

Here are some of the people and companies that are working against your interests and for their own profit: RIAA, MPAA, News Corp, Time Warner, Walmart, Nike, Tiffany, Chanel, Rolex, Sony, Juicy Couture, Ralph Lauren, VISA, Mastercard, Comcast, ABC, Dow Chemical, Monster Cable, Teamsters, Rupert Murdoch, Lamar Smith (R-TX), John Conyers (D-MI), Michael F. Bennet (D-CO).

Simple Intrusion Detection

Sometimes I want to have a simple way to determine if a file has been changed or has been compromised without the configuration required of a full feature IDS such as AIDE or Tripwire.  This technique uses CFV, a free and open-source program written in Python and “has been verified to work on linux, freebsd, openbsd, netbsd, solaris, macosx, and windows.”  This program can generate a variety of checksum formats including the SHA1 used in this example.

To create the signature file for a directory’s and sub-directories’ files use the following commands in a Linux or Mac OS X command window:

cd /usr/local/bin
cfv -C -rr -f bin.sha1 -t sha1
gpg -sab bin.sha1

To verify the file signatures use the following commands:

cd /usr/local/bin
gpg --verify bin.sha1.asc
cfv -M -f bin.sha1

The gpg command verifies the integrity of the signature file (bin.sha1).  The cfv command then verifies all the files originally tested when creating the signature file.

Amazon Simple Storage Service (S3)

I have been using Amazon Simple Storage Service (S3) for several years to provide off-site backup and synchronizing files on my numerous systems.  It is a cloud-based service that provides storage for a very reasonable cost ($0.14 per GB/Month as of 7/19/2011).  Access to files on S3 are through web service interfaces (REST, SOAP, and BitTorrent) that are not for general use.  So most access is through some end-user program or service.  Many services have been built that use S3 including Netflix, Tumblr, reddit, and SmugMug with the list growing rapidly.

To use this service, I use a variety of tools including command-line utility called s3cmd, on my Linux systems to synchronize directories and upload/download files.  Synchronizing a directory is as simple as:

s3cmd sync /home/dirk/data s3://bta-bucket/dirk/

This will create a “directory” data in the S3 “directory” bta-bucket/dirk; upload the files that have changed or do not exist on S3 and store file metadata date/time information to make all this possible.  The only problem I have run into is s3cmd’s get and put commands do not use this file metadata to set the file modification time.  This prevents using get and put where you have used the sync command, because the file modification time will not be saved (in S3 headers) or set (on local PC) with get and put.  So to restore one file to a directory AND set the file modification time set during the sync upload use the following command:

s3cmd sync s3://bta-bucket/dirk/data/somefile.ods /home/dirk/data/somefile.ods

The local file date should match the original file’s modification date/time.  Note: the date/time shown by the s3cmd ls command is the upload date/time, NOT the file modification date/time.  The file metadata is stored in the S3 metadata headers with the Key  = “x-amz-meta-s3cmd-attrs” with a Value similar to: “uid:1000/gname:dirk/uname:dirk/gid:1000/mode:33188/mtime:1302623148/atime:1311007748/ctime:1302627027” to hold the file information.

Other S3 utilities save file metadata in different and incompatible ways, so be careful in choosing your S3 backup software and remember that changing to another utility may cause problems with synchronization based on the file modification date/time.

For Windows users, there is a free client called DragonDisk that uses S3 for file storage.  I have not used it, so this is not a recommendation.

MySQL and UTF-8

I recently had a problem in a web application that I created where the UTF-8 characters were not interpreted correctly by browsers.  The biggest issue was this did not happen in all instances of presenting these UTF-8 strings.

After tracing the strings through several libraries, I found the culprit.  The following SQL statement was the source of the text.

SELECT ID, CONCAT(sDescription, ' (', ID, ')') FROM ProdFamily;

Where ID is a integer key for the table and sDescription is a varchar column.  The result of the CONCAT function is a “binary string” because of the integer column as one of the operands.  The end result is that this “binary string” was treated differently than a regular UTF-8 string and characters outside the normal ASCII ones were not display correctly.  To fix this issue the CAST function must be added to set the type of the ID column to string as follows.

SELECT ID, CONCAT(sDescription, ' (', CAST(ID AS CHAR), ')') FROM ProdFamily

See MySQL CONCAT or CAST function documentation for more information.

MySQL: Setting date field default to current date

In MySQL, creating a date/time stamp field that defaults to the current date/time has been a problem in the past.  MySQL restricted you to one timestamp field per table that is automatically updated with the current date/time.  Early versions of MySQL allowed multiple updating timestamp fields contrary to the specification, but this was “fixed” in later versions.  Then triggers were added to MySQL v5.0.2 and can be used as a solution for this common issue.


Replace “TableName” with your table’s name and “dtColumn” with your date/time column’s name.  Also the trigger name, “TableName_dtColumn_default” in this example, must be unique within a schema.

MySQL triggers are a very versatile feature.  For more details about creating and using triggers see the MySQL documentation for CREATE TRIGGER syntax.