Saturday, 22 March 2008

Apple Updater Acts Like Trojan

Apple Trojan

I don't have an iPod and will never ever use iTunes, so much so that I will resist installing it with my dying breath. I used an earlier version on a previous PC and it was a pile of "donkey's queer things", completely renaming my existing audio library and hogging resources.

I use Quicktime, but only because people will insist on using the proprietary mov format for videos; the Quicktime player is another bloated, slow and resource-hungry program. So while Apple Mac advocates sing the praises of their machines and the software they run on them, my experiences of Apple software on Windows have been disappointing.

For a long time the Apple website has dubiously implied that installing Quicktime requires iTunes, the standalone Quicktime player being hidden away on the website. In addition, following a recent update to Quicktime (due to yet another security vulnerability) my machine had become infected with the Apple Software Updater. I say infected because, despite only Quicktime being installed, it has for many weeks been telling me to update iTunes and helpfully filling in the tickbox, so had I not been paying attention and selected update I would have installed it.

This morning the updater had an additional item (with the tickbox already filled in): Safari, Apple's new web browser! Surely this amounts to spam and trojan activity, attempting to install software on a person's machine without their knowledge?

What is even worse is the marketing blurb you see in the updater:
“Safari for Windows is the fastest and easiest-to-use web browser for the PC. It displays web pages faster than any other browser and is filled with innovative features — all delivered in an efficient and elegant user interface.”
But what it fails to mention are the ongoing worries about security risks in Safari, especially for people using Windows operating systems.

Automatic software updaters are becoming the norm, Windows Update and Firefox being two prime examples, but the big difference is that they only offer updates to what is already installed, rather than spamming users with unwanted software downloads. Of course advocates will claim Apple isn't making you download anything, you can always say no, but how many people new to iTunes will blindly click 'Install', thinking it's part of the essential program?

It seems to have inflamed a lot of people, with blogs full of outrage. Mozilla's CEO John Lilly has hit out at Apple's decision.


Interrupts hogging CPU use caused by UDMA drives reverting to PIO mode.

I have experienced some ongoing problems with my Dell PC running XP being slow and unresponsive, as well as the hard disk problems [1][2][3].

Running the SysInternals utility Process Explorer I noticed that it was showing "Interrupts" taking the majority of the CPU load, and it seemed related to disk activity, when copying large files to and from USB drives for example. I did a quick google and discovered this post which identified the problem, which is related to the way XP handles the DMA mode on ATA/ATAPI devices (article here and discussion here).

For repeated DMA errors: Windows XP will turn off DMA mode for a device after encountering certain errors during data transfer operations. If more than six DMA transfer timeouts occur, Windows will turn off DMA and use only PIO mode on that device.

In this case, the user cannot turn on DMA for this device. The only option for the user who wants to enable DMA mode is to uninstall and reinstall the device.

Windows XP downgrades the Ultra DMA transfer mode after receiving more than six CRC errors. Whenever possible, the operating system will step down one UDMA mode at a time (from UDMA mode 4 to UDMA mode 3, and so on).
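To make the two downgrade rules quoted above concrete, here is a small model of that policy. This is an added illustration written for this post, not Microsoft's code: the mode names, the "more than six" thresholds, the one-mode-at-a-time step-down for CRC errors, the straight-to-PIO lock for timeouts and the "reinstall to recover" behaviour come from the quoted article. Two things are assumptions: the error counters are treated as cumulative (never reset by a successful transfer), and once the device runs out of UDMA modes the model drops to PIO, which the article does not spell out.

```python
from dataclasses import dataclass, field

# Modes a channel can be in, best last. XP also has MWDMA/PIO modes below
# these, but the quoted article only describes UDMA step-downs, so this model
# (an assumption) drops straight to PIO once it runs out of UDMA modes.
UDMA_MODES = ["UDMA 0", "UDMA 1", "UDMA 2", "UDMA 3", "UDMA 4", "UDMA 5"]
ERROR_THRESHOLD = 6  # the article says "more than six" errors


@dataclass
class AtaChannelDevice:
    mode_index: int = len(UDMA_MODES) - 1  # start at the best UDMA mode
    pio_locked: bool = False   # DMA switched off; the user cannot turn it back on
    crc_errors: int = 0        # cumulative counters (assumption: not reset on success)
    dma_timeouts: int = 0
    history: list = field(default_factory=list)

    @property
    def mode(self) -> str:
        return "PIO" if self.pio_locked else UDMA_MODES[self.mode_index]

    def transfer(self, outcome: str) -> str:
        """Apply one transfer result ('ok', 'crc' or 'timeout'); return the new mode."""
        if self.pio_locked or outcome == "ok":
            return self.mode
        if outcome == "timeout":
            self.dma_timeouts += 1
            if self.dma_timeouts > ERROR_THRESHOLD:
                self.pio_locked = True          # DMA off for good, PIO only
                self.history.append(("timeouts", self.mode))
        elif outcome == "crc":
            self.crc_errors += 1
            if self.crc_errors > ERROR_THRESHOLD:
                self.crc_errors = 0             # a fresh run of errors for the next step
                if self.mode_index > 0:
                    self.mode_index -= 1        # step down exactly one UDMA mode
                else:
                    self.pio_locked = True
                self.history.append(("crc", self.mode))
        else:
            raise ValueError(f"unknown outcome {outcome!r}")
        return self.mode

    def reinstall_driver(self) -> str:
        """The only documented way back: uninstall the channel and let XP redetect it."""
        self.__init__()
        return self.mode


def simulate(outcomes):
    """Run a sequence of transfer outcomes against a fresh device and return it."""
    dev = AtaChannelDevice()
    for outcome in outcomes:
        dev.transfer(outcome)
    return dev


if __name__ == "__main__":
    flaky_cable = simulate(["ok", "crc"] * 7)        # seven CRC errors
    print(flaky_cable.mode, flaky_cable.history)     # UDMA 4
    dying_disk = simulate(["timeout"] * 7)
    print(dying_disk.mode, dying_disk.history)       # PIO, and stuck there
    print(dying_disk.transfer("ok"))                 # still PIO: no way back...
    print(dying_disk.reinstall_driver())             # ...except reinstalling
```

The asymmetry is the point: a marginal cable produces CRC errors and costs you one UDMA mode per run of seven, so performance degrades gradually, whereas a disk that stops responding produces timeouts and after the seventh the channel is locked into PIO until the driver is reinstalled, which is exactly the "Interrupts" symptom in Process Explorer.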

Sure enough, checking my machine, the drives had been switched to PIO mode.

To access this information use Settings->Control Panel->System->Hardware->Device Manager and then expand the IDE ATA/ATAPI controllers.

Device Manager

Double click a channel and under Advanced Settings you will see the transfer mode currently selected.

IDE Channels

If the current transfer mode is PIO rather than UDMA then the best thing to do is uninstall the channel's driver and let XP reboot; this reinstalls the driver and resets the transfer mode. This works for SATA drives as well, since under XP they are still driven as IDE channels.

I can't recommend the SysInternals Process Explorer utility enough; it is a worthwhile replacement for Task Manager. The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July 2006. The site is full of useful utilities to help manage, troubleshoot and diagnose Windows systems and applications.


Sunday, 16 March 2008

To quote David Coverdale "Here I Go Again!"

Whitesnake - Here I Go Again!
Click the picture for some classic 1980s rock ballad and insane hairstyles!

Back in January, before I split my online ramblings into two distinct blogs, I posted about some problems with my main Dell Windows XP box and its recurrent BSOD problem.

Well, last Thursday I found my computer hung again and, after being forced to power it down and reboot, found it extremely sluggish; within a few minutes the familiar "Stop 0x000000F4" BSOD appeared. Checking the event viewer it was apparent that yet again bad blocks on the hard drive were the problem, so I had to run "chkdsk /r", which this time took the best part of 24 hours!

While it was doing that I decided I would have another look at getting a desktop Linux box running. I was tempted by openSUSE but opted for Fedora8; I have had good experiences with both distributions in the past, as opposed to my awful experiences with Ubuntu (I think it may be the hideous brown colour scheme!).

shit box

My target hardware came courtesy of my neighbour, who was disposing of some old PCs. On investigation this old Packard Bell came with an MSI K7TM Pro (MS-6340) motherboard, an AMD Athlon 800MHz, 256MB of RAM, an NVidia Vanta TNT2 video card, on-board sound and a DVD-CD/RW combo drive. I installed a spare 80GB hard drive, boosted the memory to 640MB and stuck in a network card. I upgraded the BIOS (which made a remarkable difference to the options available), stuck in the Fedora8 install DVD and off it went.

Fedora8
You can see Fedora8 running on the left while the XP box on the right struggles to correct itself!

I have been pleasantly surprised how reasonably it runs on relatively underpowered hardware, and more surprised how much easier I found it to get things running. In the past I have always had hardware incompatibility problems, often with the install failing completely, or software problems. So all I have ever done is get a rudimentary server running, mainly so I could use it as an SSH proxy to bypass my previous company's web block and logging! That is not to say I didn't encounter a few minor problems, but they were easily corrected and I will post some of the solutions later.

The machine called "INSANE" is fully integrated into the Windows network, prints and scans using my HP 3210 All-in-one printer/scanner. It plays videos, mp3s and I even compiled the last.fm client!


Wednesday, 12 March 2008

Can data overload protect privacy?


Privacy advocates are probably foaming at the mouth at the shocking revelation that in June 2006 all conversations on the MSN instant messaging system were being collected and passed to researchers Eric Horvitz and Jure Leskovec at Microsoft Research.

They claim they weren't interested in the content of the messages but were simply investigating the behaviour of a 'planetary scale system'.

There is nothing earth-shattering about the results: they show people are more likely to chat with others in the same geographical location, age group and of the same sex. But as is pointed out by the arXiv blogger, the most interesting aspect of the research is that the researchers struggled to cope with the size of their dataset.
"The dataset consisted of 30 billion conversations generated by 240 million distinct users over one month. We found that approximately 90 million distinct Messenger accounts were accessed each day and that these users produced about 1 billion conversations, with approximately 7 billion exchanged messages per day."
"The sheer size of the data limits the kinds of analyses one can perform,"

"Each day yielded about 150 gigabytes of compressed text logs (4.5 terabytes in total). Copying the data to a dedicated eight-processor server with 32 gigabytes of memory took 12 hours. Our log-parsing system employed a pipeline of four threads that parse the data in parallel, collapse the session join/leave events into sets of conversations, and save the data in a compact compressed binary format. This process compressed the data down to 45 gigabytes per day. Processing the data took an additional 4 to 5 hours per day."
For years now various security services around the world have made moves to assemble databases of online communication. They want to watch over phone calls, social networking sites and emails. But extracting useful information, not just generalities like those in the study mentioned, is going to require massive amounts of storage and processing power.

But to quote the arXiv blogger:
So will data overload always protect us from Big Brother’s prying eyes? Perhaps in some circumstances like these but otherwise I wouldn’t count on it. It’s straightforward to sample big datasets like this (although that can introduce problems of its own).

I wouldn’t mind betting that with a little more effort, it would be possible to identify individuals from their travel and chatting patterns, perhaps by correlating the data with local telephone and business directories much in the same way this has been done with search data. However, it looks as if Horvitz and Leskovec have steered carefully around this issue.

Of course, Microsoft doesn’t need to do this since it can store a much fuller set of data anyway including the full text of the conversations and whatever data it has on the identity of the owners.

And you can be sure that more shadowy organisations with access to much greater computing resources will also have this full data set and be happily chewing through it as you read this.


Wednesday, 5 March 2008

Warning on Firewire Insecurity


It is already being widely reported elsewhere, but FireWire (IEEE 1394) ports on computers are a potential security risk.

The insecurity has been known about for many years, but with the recent publicity about the disk-encryption RAM hack Adam Boileau has decided to release his tool, which he claims to have sat on for two years waiting for a response from Microsoft.

The insecurity arises because the protocol specification allows devices on a FireWire bus to communicate by direct memory access (DMA), where a device can use hardware to map internal memory into FireWire's "Physical Memory Space". The SBP-2 (Serial Bus Protocol 2) used by FireWire disk drives uses this capability to minimise interrupts and buffer copies. In SBP-2, the initiator (controlling device) sends a request by remotely writing a command into a specified area of the target's FireWire address space. This command usually includes buffer addresses in the initiator's FireWire "Physical Address Space", which the target is supposed to use for moving I/O data to and from the initiator.

On many implementations, particularly those like PCs and Macs using the popular OHCI, the mapping between the FireWire "Physical Memory Space" and device physical memory is done in hardware, without operating system intervention. While this enables high-speed and low-latency communication between data sources and sinks without unnecessary copying (such as between a video camera and a software video recording application, or between a disk drive and the application buffers), this can also be a security risk if untrustworthy devices are attached to the bus.

Adam Boileau has released a Linux FireWire utility that will give you immediate Administrator access to an XP machine:
It's two years later, and I think anyone who was going to get the message about Firewire has already got it, and anyone who was going to be upset about it has got over it. Besides, according to Microsoft's definition, it never was a Security Vulnerability anyway - screensavers and login prompts are - as Bruce says - about the Feeling of Security. Anyway, today's release day for Winlockpwn, the tool I demoed at Ruxcon for bypassing windows auth, or popping an admin shell at the login window....
  • Yes, you can read and write main memory over firewire on windows.
  • Yes, this means you can completely own any box whose firewire port you can plug into in seconds.
  • Yes, it requires physical access. People with physical access win in lots of ways. Sure, this is fast and easy, but it's just one of many.
  • Yes, it's a FEATURE, not a bug. It's the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 specification knows this. People with firewire ports generally don't.

Adam's tools include a few Python apps that can copy and impersonate FireWire device signatures, dump RAM on a remote machine, bypass Windows authentication, and extract BIOS passwords. It's not exactly comforting, but I've got a new appreciation for FireWire now. This is the sort of access that used to be possible only by building hardware that physically connects to the PCI bus. Now all you need is a cable and a laptop. The practical mitigation is the obvious one: if a machine has no need for FireWire, disable the 1394 controller in Device Manager (or in the BIOS), because the operating system never gets a say once a device is on the bus.
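What a tool like this actually does once it has physical DMA is mechanically simple: read the victim's RAM a page at a time, find a known byte sequence, and write a replacement over it. The following is an added example written for this post, not Adam Boileau's code, and it does not talk to any hardware: the bus is replaced by a constructed in-memory image (FakeBus, a name assumed here) so the search logic runs offline. The signature and replacement bytes are made-up placeholders, not any real Windows authentication pattern; the one detail worth taking away is the carry-over that catches a match straddling two pages, which a naive per-page search would miss.

```python
PAGE_SIZE = 4096  # read granularity; a real 1394 reader also works in page-sized chunks


class FakeBus:
    """Stand-in for the victim side of the bus: a physical-memory image that can
    be read and written at arbitrary addresses, the way OHCI physical DMA exposes
    RAM to a peer device. Constructed for this example only."""

    def __init__(self, image: bytearray):
        self.image = image

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.image[addr:addr + length])

    def write(self, addr: int, data: bytes) -> None:
        self.image[addr:addr + len(data)] = data


def find_signature(bus, size: int, sig: bytes, page_size: int = PAGE_SIZE) -> list:
    """Return every physical address at which sig occurs, reading one page at a
    time. The last len(sig)-1 bytes of each page are carried into the next
    search window so a match that straddles a page boundary is not missed."""
    if not sig:
        raise ValueError("empty signature")
    hits, carry = [], b""
    for addr in range(0, size, page_size):
        buf = carry + bus.read(addr, min(page_size, size - addr))
        start = 0
        while (i := buf.find(sig, start)) >= 0:
            hits.append(addr - len(carry) + i)   # translate window offset to physical address
            start = i + 1
        carry = buf[-(len(sig) - 1):] if len(sig) > 1 else b""
    return hits


def patch_all(bus, size: int, sig: bytes, replacement: bytes) -> list:
    """Overwrite every occurrence of sig with replacement (same length, so the
    surrounding code keeps its layout) and return the patched addresses."""
    if len(replacement) != len(sig):
        raise ValueError("replacement must be the same length as the signature")
    hits = find_signature(bus, size, sig)
    for addr in hits:
        bus.write(addr, replacement)
    return hits


def demo():
    """Three-page constructed image with the placeholder signature once inside a
    page and once across the page-1/page-2 boundary. Returns the addresses found
    and the bytes now sitting at the boundary hit."""
    sig = bytes.fromhex("deadbeefcafe")      # placeholder, not a real code pattern
    nops = bytes.fromhex("909090909090")     # placeholder replacement of equal length
    image = bytearray(3 * PAGE_SIZE)
    image[100:106] = sig
    boundary = 2 * PAGE_SIZE - 3
    image[boundary:boundary + 6] = sig
    bus = FakeBus(image)
    hits = patch_all(bus, len(image), sig, nops)
    return hits, bus.read(boundary, 6)


if __name__ == "__main__":
    print(demo())   # ([100, 8189], b'\x90\x90\x90\x90\x90\x90')
```

Against a real target the only thing that changes is the bus object: reads and writes go out as 1394 physical-space requests and the OHCI controller services them from RAM without the kernel being involved, which is why no amount of screensaver or login-prompt hardening can see it happening.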


Tuesday, 4 March 2008

Watch YouTube in higher resolutions

YouTube have apparently been testing higher-bitrate encodings of their videos. You can see them if you add &fmt=8 or &fmt=16 to the video URL. Historically, all videos have been delivered to the lowest common denominator, apparently Sorenson-encoded 320x240. By adding &fmt=6 to the URL the video is served up in 448x336 resolution, and &fmt=18 gives you the iPhone-style MP4 stream.

Which videos will actually look better in the higher-resolution format depends entirely on the material that was uploaded to YouTube. Videos that were already heavily compressed or pre-scaled to 320x240 when uploaded won't look much different.
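Tacking "&fmt=18" on the end by hand works until the URL already carries an fmt parameter or a fragment, at which point you get two fmt values and whichever one YouTube reads wins. Here is a small helper, added for this post and not anything YouTube publishes, that rewrites the query properly: it drops any existing fmt, appends the one you want, and keeps the fragment. The list of codes is just the ones mentioned above.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FMT_CODES = (6, 8, 16, 18)  # the format codes mentioned in the post


def with_fmt(url: str, fmt: int) -> str:
    """Return url with its fmt query parameter set to fmt, replacing any existing
    one and preserving the other parameters and any #fragment."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "fmt"]
    query.append(("fmt", str(fmt)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def variants(url: str) -> dict:
    """Every fmt variant of a watch URL, keyed by format code."""
    return {code: with_fmt(url, code) for code in FMT_CODES}


if __name__ == "__main__":
    for code, u in variants("http://www.youtube.com/watch?v=abc123&fmt=6#t=10").items():
        print(code, u)
```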
