
Saturday, January 14, 2006

Windows Meta File Vulnerability Kerfuffle

If you operate mainly in the Windows world, you should already have heard about the severe security vulnerability in Windows Meta Files (WMF). As it turns out, this is apparently not a bug; it's a feature.

A little background will help those who missed the initial story. At the end of December it was discovered that simply displaying doctored graphics files (WMF format) in a browser or email program on a Windows PC could force the PC to execute code embedded in the graphics file. The malicious hackers* who write "malware" instantly began exploiting this hole at web sites all over the net and with email viruses. Perhaps this had already been going on for a while before the hole was discovered.

While this sounds almost like one of those email urban legends, this is real and serious. There is now a patch available for the newer versions of Windows from Microsoft. If you are running Windows and haven't patched your system, go directly to the Windows Update page and do so.

That might have been the end of things, except that Microsoft decided not to create any patches for Win 98 / Win 95 users, even though those systems also could be vulnerable. In fact, no one is quite sure whether Win 9x is or is not vulnerable to this.** Security "guru" Steve Gibson, who does the podcast Security Now! with Leo Laporte, pledged on the podcast that if Microsoft did not fix this for Win 9x, then he would.

As Gibson tried to reproduce the exploit so he could prevent it, he found some strange aspects to it. The oddities Gibson found convinced him that the WMF vulnerability had been deliberately introduced. Microsoft had already said that this was not a "buffer overflow" problem, like many previous vulnerabilities. Rather, it was a known feature of the WMF format, added in the days before people worried about security issues. These two positions are not necessarily incompatible, but the details of what Gibson found did not seem to make sense except as a "backdoor" designed into Windows. He said on his latest Security Now! podcast (#22) that if it wasn't supposed to be a backdoor it's hard to see why it's there at all.

This, not surprisingly, has generated quite a kerfuffle, with many disputing Gibson's analysis. Microsoft has denied that this was intended as a backdoor, as they would probably do whether it actually was or not. The comments on that site and this one are pretty lively, with opinions ranging from "Steve Gibson is an idiot" to more reasonable arguments on both sides. Ryan Hornbeck at Always On takes Gibson at his word on the backdoor question, pointing out that unless the code is open source one can never tell what the developers' intentions were.

As we write this, Gibson's site is apparently down. Whether that's from the heavy load generated from this topic, some DoS attack by the We Hate Gibson Crowd, random internet problems, or the workings of The Great Satan (Microsoft), we may never know. While we're waiting for grc.com to come back up, you might want to download the podcast (available from iTunes and others).

We agree with comments on the linked sites that one should not attribute malice to a situation that can be explained by incompetence. Consequently, we remain skeptical of the claim that this feature was designed by Microsoft as a backdoor. We know a lot less about security than Gibson (however much that is), and we do enjoy his podcasts, so we'll see how this shakes out.

* We note that the term "hacker" does not necessarily imply the person doing the hacking is up to no good, although that is the way the general public tends to think of it these days.
** Microsoft now says that Win 9x systems will not execute the code in the WMF, FWIW.


Update: Dwight at TechBlog comes to a similar conclusion, and he has some additional background info about Gibson.

Glass House Shattered from Within

We learned long ago not to expect any sense of propriety from Sen. Ted Kennedy. Considering his own checkered past, the Moral High Ground he commands is well below sea level. Yet he actually named his dog "Splash." This week he attempted to make a big deal about US Supreme Court nominee Samuel Alito's membership 30 yrs ago in an obscure Princeton club. Now the Washington Times has hit Kennedy with a club of his own:
Sen. Edward M. Kennedy belongs to a social club for Harvard students and alumni that was evicted from campus nearly 20 years ago after refusing to allow female members.

According to the online membership directory of the Owl Club, the Massachusetts Democrat updated his personal information -- including the address of his home that is in his wife's name -- on Sept. 7.

The club has long been reviled on campus as "sexist" and "elitist" and, in 1984, was booted from the university for violating federal anti-discrimination laws, authored by Mr. Kennedy.
While Alito's ties to "CAP" at Princeton were apparently short-lived, Kennedy has clearly been keeping in touch with the Owls. Wouldn't you think that might have entered his mind as he was peeing into the wind in the confirmation hearings?


Thursday, January 12, 2006

New Intel-based Macs

The MacWorld conference introduced the long-anticipated Intel-Macs in the form of a new PowerBook (i.e. laptop) and a new iMac. At WindowsIT Pro Paul Thurrott confirms the previous speculation: these Macs will also be able to run Windows.
At the Macworld Expo this week in San Francisco, Apple executives confirmed that Windows Vista will run on the new Intel-based iMac desktop and MacBook Pro computers that the company is rolling out this year. However, Apple won't promote or support Windows on the new Macs, and users who want to dual-boot between Mac OS X and Windows on those machines still face some technical hurdles.
The "hurdles" aren't expected to be that high for Vista. While dual booting is somewhat inconvenient (I rarely reboot my PowerBook), this does open some exciting possibilities for those who can't completely avoid Windows. It could also tip the scales for a Windows user who might have been afraid to take the plunge before, knowing there's a "safety net."

New Vistas in Computing

The recent CES, the big Consumer Electronics Show, was reportedly largely lacking in cool new stuff. Microsoft's keynote presentation covered Vista, Microsoft's Next Big Thing (apparently the next version of Windows), which is due out late in 2006.

An enterprising Mac user named "Eden" put together these three videos with Mac OS screen movies using the Microsoft keynote as the audio: Episode 1, Episode 2, and Episode 3.

As you'll see from the movies, Microsoft still has some catching up to do.

Wednesday, January 11, 2006

Fiskie 2005

It's Cindy, of course, a runaway winner for The Idiotarian of the Year. She couldn't have done it without all the Little People in the MSM.

Tuesday, January 10, 2006

Murine Terrorism

A mouse destroyed a home in New Mexico in an apparent suicide attack. Discarded Mouse Returns to Set Home Ablaze:
"I had some leaves burning outside, so I threw it [the mouse] in the fire, and the mouse was on fire and ran back at the house," Mares said from a motel room Saturday. Village Fire Chief Juan Chavez said the burning mouse ran to just beneath a window of the nearby home. The flames spread up the window and throughout the house. All contents of the home were destroyed, he said. No injuries were reported.
Tonight's TV news here in Lincoln cast doubt upon this version of events; however, the homeowner is standing by his story.

Monday, January 09, 2006

Is It Really Art?

Perhaps you've heard of "Fountain," Marcel Duchamp's "sculpture" urinal. Now a 76-year-old "performance artist" has been charged in France with vandalizing the urinal:
Duchamp's 1917 piece -- an ordinary white, porcelain urinal that's been called one of the most influential works of modern art -- was slightly chipped in the attack at the Pompidou Center in Paris, the museum said Thursday. It was removed from the exhibit for repair.
Perhaps they called in a plumber. But wait, there's more:
The suspect, a Provence resident whose identity was not released, already vandalized the work in 1993 -- urinating into the piece when it was on display in Nimes, in southern France, police said.
We're guessing that urinating into it was part of his "performance art" back then. That's what he claims about his current attack. We have here a microcosm of what's wrong with the art world. Oh, the estimated value of the urinal is $3.6 million. We hope that at least includes installation.

Sunday, January 08, 2006

Hurricane Katrina Statistics II

We previously posted about the Knight Ridder article that exploded the myth that Hurricane Katrina victims were disproportionately black and/or poor. To his credit David Zeeck, Executive Editor of the News Tribune (Tacoma, WA), has also picked up on the story behind the story:
Recently our deputy managing editor was running the daily Page One news meeting when the wire editor announced this story:

"Knight Ridder is moving a story that says an analysis of data now suggests that some widely reported assumptions about Hurricane Katrina were incorrect," said Kathleen Cooper, the wire editor. "They're saying the data show the victims weren't disproportionately poor or African American."

Dale Phelps, the deputy M.E., laughed and facetiously asked: "Wasn't anything we reported about Hurricane Katrina accurate?"

There was a burst of laughter at the news meeting, but everyone there also felt the sting in Dale's question.
Zeeck goes on to list a number of specific, widely-reported, shocking stories that simply never happened. That's a lot of misinformation. What conclusions should we draw?
Well, first, these stories weren’t invented by the media. They originated with public officials. Mayors. Police chiefs. Sheriffs. Senators. Dispatchers. National Guard officers. People in a position to know the truth. If the reporters had been mere stenographers, satisfied only to quote official sources, the stories might be proof of journalistic incompetence.

But the second thing to remember is that the reporting didn’t stop. Good reporters and solid news organizations kept after the story, ran the fabrications and exaggerations to ground, and exposed them as rumors, half-truths and fables.
We'll give him that. The reason we eventually found out the truth (or should we say "are finding out") about the Hurricane Katrina victims is because good reporters did the follow-up work. Reporters like John Simerman, Dwight Ott, and Ted Mellnik, who wrote the Knight Ridder story, kept digging. Zeeck also mentions another Knight Ridder reporter, George Pawlaczyk, who debunked another false story reported on NPR.

So in a sense, the system is "self-correcting." The problem is that the corrections occur much later and are less prominently reported. If it bleeds it leads, as the saying goes. A corollary is that corrections are destined to be buried. Even if the corrections did get as much play as the original stories, by the time the truth comes out many people have stopped paying attention. Now that everybody "knows" that the Katrina victims were all poor and black and consequently ignored by the Evil Republicans, the truth has a hard time breaking through.

Of course, the most blatant racial stereotype today is the notion that conservatives are racists while liberals are champions of the black underclass. This is a big part of the reason the Katrina victims became victims of GWB in the eyes of many in and out of the media. Statistics can refute that, but some will still claim the original stories were "fake but accurate."

Lincoln Public School Bond Issue

There will be a special election next month for a bond issue for the Lincoln Public Schools:
JournalStar.com: "The prospect of voters approving $250 million in bonds to pay for school renovation and construction hasn’t silenced a vocal critic of Lincoln Public Schools’ fiscal policies.

Nor has it persuaded former school board member Peter Katt to dismiss his tax appeal challenging the way LPS has raised money to pay for heating, air conditioning and codes updates over the past decade."
Mr. Katt has also started a blog on this issue.

I haven't yet made up my own mind on the bond, but I'm leaning toward approval. LPS does a very good job of educating the students; standardized test results are well above the national and state averages. Tycho and I are former LPS students (quite a while ago for me, obviously) and Viper is currently one. Mrs. Abe volunteers in several schools. There has been a cap in place for several years which limits property taxes, which are the main source of money for the schools. Efforts to raise that limit were defeated soundly the last time the voters were asked, and LPS has had to get by with less money than it wants. (Haven't we all.) Some of the older schools are definitely in need of renovation, although those in my immediate area are in good shape.

On the other hand Mr. Katt raises some good points, and he has certainly seen the way the system works from the inside. LPS is a big part of Lincoln's total budget and, consequently, of the tax burden on the citizens.