4Chan, a group of immature script-kiddies that anonymously post online and organize “attacks” against various groups, organizations, and websites, are it again. This time, it’s not the Church of Scientology they’re attacking, but innocent children. As the BBC reports, members of 4Chan have been uploading videos containing explicit sexual content in droves to YouTube today, specifically targeting children.

The videos uploaded by members of 4Chan consisted of children’s clips that start off innocently enough, showing cartoons and other rated-G material usually targeted at children around 5 years old, but soon enough change to videos of adults engaged in sexual activity. 4Chan has the uncanny ability to strike a nerve, driving even the most liberal of internet users to condemn their behavior as pure evil. The problem is, the anonymous 4Chan members are perversely motivated by this sort of response, and cannot be shamed into bringing an end to their disgusting activities.

This isn’t the first time 4Chan does something that can only be described as pure evil. In March of 2008, 4Chan members flooded an internet board for victims of epilepsy with fast-moving and colorful images intending – and succeeding – in bringing about photosensitive seizures in visitors to the site. The last attack was carefully planned to occur just over the Easter weekend, guaranteeing less moderator activity on the forum and giving the attackers a bigger window of opportunity to maximize their damage.

The difference between the behavior that 4Chan engages in and what just about every other script kiddy organization on the web does is that 4Chan doesn’t do it to prove a point. They don’t do it just to prove they can, they do it to hurt. And the malicious intent makes all the difference. The internet isn’t the best place to pride yourself in holding the moral high ground, but in cases like this, it’s near impossible to understand just what it is that makes people like this tick.

Obviously there is no clear solution to bringing about the end of groups like 4Chan, but someone needs to do something, or else we’re all guilty of standing by and letting evil go.

If you’re like most people, the answer is not much. But there are people out there that really care, and with good reason. If you’re the FBI, Oprah Winfrey, or one of the million other celebrities currently on Twitter, you probably don’t want someone out there passing themselves off as yourself while posting fake updates to an account literally millions are watching.

Some people to whom money is not an issue already pay thousands of dollars for meaningless SSL certificates – something tucked away in the corner of your browser window that no one pays much attention to. But imagine if Twitter were to start offering “verified accounts” that have been authenticated as belonging to a particular person or institute… how many of these celebrity accounts would suddenly turn into cash cows for Twitter?

Right now, it looks like that’s what Twitter has in mind. In a recent blog post, Twitter co-founder Biz Stone talks about the upcoming limited release of “verified accounts” in order to curb fraud amongst accounts claiming to belong to celebrities. There is no mention of charging customers for this service, but the way it’s worded, that is pretty much taken for granted as a future step in the process:

The experiment will begin with public officials, public agencies, famous artists, athletes, and other well known individuals at risk of impersonation. We hope to verify more accounts in the future but due to the resources required, verification will begin only with a small set.

And later:

When we do start testing Account Verification, we will be sure to provide ample methods for feedback. Initially, verification will not be tested with businesses. However, we do see an opportunity in that arena so we’ll keep you posted when we have something to share.

That’s not to say this isn’t a good idea though. Has Twitter finally found a way to make some serious cash without alienating its userbase, providing “additional features” no one really needs but can make them plenty of cash from the more high-profile accounts currently on the site? God knows Paris Hilton, et. al. would be willing to pay the cash, while the rest of us rely on word of mouth, links back from official websites, and common sense to give our followers the confidence they need to trust the updates we post.

Follow me on Twitter @mqudsi.

But it looks like someone may have been a bit to hasty to pull that switch (perhaps itching to get some of the limelight Microsoft has been receiving for adding OpenID to all Live ID accounts just the day before yesterday)… because whatever it is that Google has released support for, it sure as hell isn’t OpenID, as they even so kindly point out in their OpenID developer documentation (that media outlets certainly won’t be reading):

1. The web application asks the end user to log in by offering a set of log-in options, including Google.
2. The user selects the "Sign in with Google" option.
3. The web application sends a "discovery" request to Google to get information on the Google authentication endpoint. This is a departure from the process outlined in OpenID 1.0. [Emphasis added]
4. Google returns an XRDS document, which contains endpoint address.
5. The web application sends a login authentication request to the Google endpoint address.
6. This action redirects the user to a Google Federated Login page.

As Google points out, this isn’t OpenID. This is something that Google cooked up that resembles OpenID masquerading as OpenID since that’s what people want to see – and that’s what Microsoft announced just the day before.

It’s not just a “departure” from OpenID, it’s a whole new standard.

With OpenID, the user memorizes a web URI, and provides it to the sites he or she would like to sign in to. The site then POSTs an OpenID request to that URI where the OpenID backend server proceeds to perform the requested authentication.

In Google’s version of the OpenID “standard,” users would enter their @gmail.com email addresses in the OpenID login box on OpenID-enabled sites, who would then detect that a Google email was entered. The server then requests permission from Google to use the OpenID standard in the first place by POSTing an XML document to Google’s “OpenID” servers. If Google decides it’ll accept the request from the server, it’ll return an XML document back to the site in question that contains a link to the actual OpenID URI for the email account in question.

This is shown quite clearly in the following image (courtesy of Google, ironically):

As you can see, steps 3 & 4 are not part of OpenID and leave Google’s implementation of OpenID, such as it is, incompatible with everyone else.

Google actually mentions this in passing:

Starting today, we are providing limited access to an API for an OpenID identity provider that is based on the user experience research of the OpenID community. Websites can now allow Google Account users to login to their website by using the OpenID protocol. We hope the continued evolution of both the technical features of OpenID, as well as the improvements in user experience. will lead to a solution that can be widely deployed for federated login. One of the companies using this new service is www.zoho.com.

Eric Sachs, author of the blog post in question, doesn’t actually come out and say, but he does come very close.

Basically, Google has rewritten OpenID. Not only is it not exactly the same as the current OpenID protocol, it’s so different that existing OpenID relying parties won’t be able to use it. Only a handful of “partner sites” have been updated to understand Google’s perverted version of the OpenID standard, and anyone else hoping to authenticate via “OpenID” to Google’s servers will need to do the same.

But OpenID is an open, community-based standard. Stabbing them in the back by creating an incompatible standard “based on” the same technology and masquerading under the same name isn’t the way to go. Google may have the best interests of decentralized authentication in mind, and perhaps even the better protocol to boot; but this is no way to prove a point.

OpenID is on tenterhooks as it is, and cannot withstand any more efforts to splinter its adoption. Never mind the fact that almost all the big names adopting OpenID are joining only as providers and not as relying parties (rendering the whole basis of OpenID useless) – now even the provider side of things is chaos.

Thanks, Google. Good to see you’re still doing the whole “Do no evil” thing, the community really appreciates this kind of approach to improving de facto standards and pushing decentralized authentication!

Facebook recently conducted a poll which showed up on the homepage newsfeed, and asked Facebook members just how exactly did they think Facebook’s “friend finder” worked when it prompted them for their email address & password in order to get a list of contacts. The numbers pretty much speak for themselves, here’s what they looked like near the end of the campaign:

Now ignore the dark blue bar: it’s a red herring and doesn’t contain any interesting info. The real juicy bit is the “Yes” option, and its 20% response.

20% of Facebook’s 80 Million active users (give or take) believe that the passwords for their email addresses are being stored when they use the Friend Finder…. and that doesn’t bother them in the least. That’s sixteen million people who don’t give a damn about their privacy, the contents of their email, or who has control of their entire online personas.

This is a subject that’s been chewed half to death already countless times by people far more in the know than myself; Jeff Atwood’s excellent article on the topic covers the dangers of sites asking for users’ email addresses & passwords, and – far more importantly – presents several more secure alternatives for web application developers looking to expand their social networks.

To put things in perspective, take a look at this downright horrifying tale on ReadWriteWeb about software that prompted users for their email addresses & passwords, then proceeded to save them for malicious use… then realize that 16 million Facebook users out there don’t care if this happens to them. Think about all the private, sensitive, confidential information available on your email account and just how truly terrible it would be for that info to fall in the wrong hands.

Of course all this begs the question: who’s to blame for this bout of end-user stupidity (for lack of a more politically-correct term)? Is it naïveté/trust in the goodwill of others that gets users to give out such sensitive data to people (Facebook has 500 employees!) they don’t know from Adam? Or is it that they just don’t get how dangerous it can be (see the ReadWriteWeb article for proof)? Or is it, maybe, that they’ve simply gotten accustomed to being asked for their email address and corresponding password by “trusted” sites they love to visit, too caught up in the “gather as many friends as you can” game to give a second thought to identity theft and fraud?

Personally, I can recall a time when most “normal people” I know would refuse flat-out to share such sensitive data with a site (phishing, tech support, etc. obviously excluded); but in the wake of “Web 2.0” it’s become so normal to ask for email addresses and passwords that no one ever gives it a second thought.

And it’s not just Facebook. To be totally frank, even if Facebook were to store end users’ passwords in their database, the access to that info would probably be very highly guarded… but when every new social network on the block is suddenly doing the same thing – you can get a good picture of just how easy it would be to steal users’ passwords.

MQ’s 3 Steps for World Domination

1. Send out an email purporting to be from “the hottest new social network around” informing the recipient that their “friends” want them to join: “Click here to show Peter you’re a real friend!”
2. Get the user to register a new account – make the procedure as pain-free and simple as possible… and right then and there on the registration page ask for the user’s email address and password so as to “make it easy to tell all your friends you care and get popular really fast…”
3. Profit.

As soon as it’s OK for one person to do it, it’ll be OK for everyone to… and then we’ll be in too deep to do anything about it.

So why does Facebook – after polling their end users and seeing just how dire the situation is – continue to use the same flawed mechanism of harvesting email addresses… especially when better, safer alternatives exist?

It would seem that between the way Gmail saves and retrieves sessions, existing sessions are authenticated, and views are cached there are one or more loopholes that allow data from a different account (that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

• Firefox 3 opened to Gmail on Ubuntu.
• Session accidentally reset with ctrl+alt+bkspc
• Upon reboot & restarting of Firefox, Firefox requested the URIs that were previously open before the crash, partially loading data from local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

The result:

• Gmail loaded up the email account of a user I’d never contacted before, never heard of, and never knew existed.
• I could see the front page of this user’s inbox, including the people he’d recently contacted, the brief summary of all messages, the total number of messages in the inbox, the number of unread messages in other folders, the dates of all correspondences, and a number of contacts (again, none that I have had contact with) in the sidebar.
• The number of remaining Gmail invites, the amount of space used, and other status values also reflected this mysterious individual’s account.
• I couldn’t browse deeper than the main page of the inbox. Emails couldn’t be opened, nothing past the first 50 correspondences could be seen, and I couldn’t switch to another folder.
• Attempts to do any of the above resulted in Gmail’s “Oops… the system encountered a problem (#102) – Retrying in XXs… <Retry Now>”

Parts of the Gmail interface contained values pertaining to my own account (for instance, the online status indicator) while others referred to this other individual’s account instead.

It’s very bizarre. I don’t know if it can be readily reproduced, but I’d imagine if you forced an exit of Firefox 3 and kept on firing it back up at some point or another you’d see similar behavior. Of course, a deeper analysis of what data Firefox 3 requests from Gmail’s servers verses what’s served from the local session cache may yield further information that could possibly be used to actively take advantage of this data leak.

It seems that Firefox requests a cached session complete with cookies and all from the Gmail URI, which in turn loads the Gmail javascript files that are responsible for retrieving the data associated with a particular email account via AJAX. At this point, either the session key is associated with another account and so Gmail retrieves the information assumming the session to be properly authenticated or else the expired session somehow causes Gmail to get data from elsewhere…

Screenshots of this behavior:

Gmail displaying the other user’s information:

Searching for this user in my own account yields no results:

As we’ve previously mentioned, NeoSmart Technologies is a big proponent of Full Disclosure. We’ve contacted the security department at Google and will post their reply if/when it’s available. We’ve also taken what we feel are the appropriate steps in this case with regards to the screenshots above in terms of what’s been made visible and what’s been blanked out for privacy concerns.

Update

The Google Security Team sent a reply to our inquiry. According to them, this behavior might be caused by broken ISP proxying, pending further investigation. This post will be further updated as soon as new information becomes available.

Update

Google has confirmed that was the result of an ISP caching/proxing problem, and that it’s been known to happen. It seems some ISPs are over zealous in their caching attempts (probably to save some money) – and you can add Cyberia to that list. Much thanks to Chris Evans of the Google Security Team for his feedback on the issue and prompt responses – that’s the way security is supposed to be handled!

Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 over a web browsing session. Memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned.

We’re sorry to have to break it to you, but if you thought it was too good to be true you were right. Firefox still uses a lot of memory – way too much memory for a web browser.

We haven’t seen it reach 1GiB+ like we have with previous versions, but it’s quite normal for Firefox 3 to be sucking up ~300MiB of memory right off the bat, without a memory leak (the difference between memory leaks and normal memory abusage is that in a memory leak you’ll see the memory usage keep increasing the longer the browser is open/in-use).

This is a screenshot of Firefox’s memory usage after just a half hour or so with only a couple of HTML-only tabs open. This particular screenshot was taken on Linux where Firefox is using the shared GTK libraries – on our Windows PCs, it’s normal to find Firefox 3 taking up ~350MiB or so on both XP and Vista.

The sad thing is that isn’t caused by one of the memory leaks that plagued previous versions of Firefox. It’s Firefox 3 is supposed to take up that much memory – at least, that’s our assumption given how we’ve never seen it take up less.

Firefox 3 has a number of memory-hogging features added to the mix that are probably at least partially responsible for the absolutely gargantuan memory footprint. For example, Firefox now uses an SQL engine to keep track of your history and bookmarks, amongst other things. While that particular feature is powered by SQL-lite, which should – in theory – not take up too much memory, we’re at a loss to explain what else is wasting memory left, right, and center in the world’s most-popular open source web browser.

Things like full-text on-the-fly searching of the web cache for when you type text in the address bar certainly have an impact as well – that’s a lot of stuff to keep in memory at one time. But Opera 9.5 does the same with a lot less memory, so obviously Firefox 3 is doing something wrong.

It’s a shame that Firefox 3 is on the verge of a release and is so terribly unfit to run on any machine – Windows, Linux, or OS X – with less than at least a couple of gigabytes of memory.

• A cell-phone-wielding shopper enters the shopping plaza.
• Path Intelligence monitors mounted throughout the plaza detect that a new mobile phone is in the vicinity and log its IMEI code.
• As the shopper moves around the mall, his or her movements are continuously triangulated by the multiple Path Intelligence units, allowing movements to be mapped and saved for later analysis.

The good news: it’s totally private, there isn’t any (automated) way to map a particular record in the Path Intelligence logs to an actual person. The resulting logs can be analyzed for shopping patterns (where people go after visiting a certain store, peak hours of traffic, most popular regions, etc.) later on, providing valuable intelligence and allowing for improvements.

The bad news: The Path Intelligence logs — in-conjunction with other monitoring techniques such as cashier timestamps, credit card log, video surveillance, etc. — can result in the identification of the persons associated with logged behavior in the system; posing a real and tangible privacy/Big Brother concern.

The weird news: Everything in the above scenario can be directly mapped to an exact counterpart in the current web-tracking solutions in use:

• Shopper -> Visitor to a site
• Mall/Shopping Plaza -> Website
• IMEI code -> IP Address (unique, but not personally identifying on its own)
• Path Intelligence -> One of the many web-statistics companies

Everything from the tracking techniques used to the information gathered to the way its analyzed and used is directly taken from the way cyber traffic has been logged and analyzed for years. After all, why not?

Web monitoring solutions have proven to be reliable metrics for understanding the userbase of any given site; and more importantly, the number one tool to improving conversion rates and increasing the visits-to-sales ratio. If there are technologies that have proven invaluable to boosting the online commerce economy, it makes sense for people to attempt to apply these same methods to everyday life in the real world as well.

It’s somewhat of an epiphany to consider the amount of information available in cyberspace and how easy it is to obtain and analyze when compared to the physical world we live in. The quantity, quality, and pervasiveness of the data available to online far exceeds anything in the real world, and the use that it can be put to are truly amazing – and scary when extended to our normal lives.

Imagine for an instance the typical data available to a website owner enlisted with one or more of the web statistics services and just how useful such knowledge would be in the real world:

• Referrals. Who came from where, how people came across your store, and what they’re most interested in.
• Popularity Ranking. Know what stores in each mall are the most popular, down to the last customer. Find out exactly what sections of each store get the most attention (then compare it with sections are currently getting the most sales and try to maximize sales in those departments).
• Shopper Characteristics. As the Times article explains, the IMEI number can be traced back to the country the shopper comes from. In high-tourist areas (think New York, Las Vegas, London, Chicago, etc.) this kind of intelligence can provide great insight…

Basically, the real world is starting catch up with the online one (not the other way around, folks!), and there’s a lot it has to learn and a lot it has to benefit.

iReboot isn’t by any means a major application, but it’s gathered a pretty strong following over the months, mostly by people interested in boosting productivity (or increasing laziness) to the max. But there was one flaw in iReboot that made all the hard work we put into making it as unobtrusive and minimalistic as possible almost meaningless: if you had UAC enabled, iReboot will not run automatically at startup, no matter what you do.

This behavior comes as a result of the architecture that Microsoft used to secure Windows Vista, which doesn’t allow for applications requiring admin approval to run at startup. It doesn’t matter what your application does or if you absolutely trust it beyond the shadow of the doubt, Windows Vista simply won’t let an application that runs in elevated privileges mode to launch at startup – end of story.

Users of iReboot were quick to point out that this is a major drawback that made it almost useless – after all, it’s far less productive to have to manually run an application when you want to reboot than it is to wait for that startup screen to appear and select the OS you want. So we set about finding a solution.

We’ve just released iReboot 1.1, a UAC-free implementation that doesn’t require admin approval, elevation, etc. past the initial installation. And, yes, it does run automatically at startup too!

The Gory Details (feel free to skip below to the download links!)

In order for iReboot to be of any use, we had to get around Microsoft’s UAC limitations. For iReboot, it was of the absolute importance that it run at startup, and that it be allowed system access from normal user accounts. On Windows XP – where everyone runs as an Administrator and there are no annoying UAC prompts – it was a non-issue. But on Windows Vista, the new architectural requirements for running applications in elevated privilege modes made it near impossible.

While digging around for possible solutions, it became clear that the only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

The resulting application has an installer – which requires admin privileges, of course – which installs and launches the background service. The background service has full permission to do what we need to get operating system XXXX to be the default option for the next boot, but – in line with the Windows Service Model – cannot be interacted with by end users.

The installer also adds a normal UI application which sits in the taskbar (from where end-users may interact with and use iReboot) and communicates with the backend service via a custom API which must not require the execution of any privileged code. The service can do whatever it wants (well, whatever we want it to do, but lets not get picky here!), but the client program must only perform actions which normal, unprivileged users have permission to execute.

By using a standard inter-process communication API we avoided the need for any special actions on behalf of the client application, effectively separating logic (residing and executing on the backend service, free from the many limitations of UAC) and presentation/design (the client application, bound to obey UAC’s every wish).

The Bottom Line

Anyone running Windows XP or Windows Vista – with or without UAC and/or admin approval mode enabled – can now run iReboot at startup and use it to boot into whatever OS they like (in conjunction with EasyBCD, of course!).

But getting this far wasn’t easy. With Windows Vista, what should have been 100 lines of code maximum ended up being a dozen times longer, split across two different processes, and requiring way too much man-hours to write the most minimalist and to-the-point piece of software we’ve released to date.

Perhaps most importantly though, is the fact that Windows Vista’s newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista’s security framework isn’t so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.

With the current Windows Vista security models, Microsoft can claim that Vista blocks system-modification tools from running at startup; but the truth is, there are still many ways to get them to run. At the end of day, our experience with iReboot and Vista’s security implementations brings us to the sad conclusion that with Windows Vista, Microsoft has made ISVs’ jobs more complicated without actually providing any any further protection for end users from malware authors – which certainly isn’t the best way of going about this task.

Anyway, the fruits of our efforts:

Download iReboot 1.1 (248 KiB)

[support] [donate] [changelog]

This morning I came across such an event that penetrated that virtual suite of armor when I read this Wired.com article about a recent script-kiddy attack on a web forum run by The Epilepsy Foundation – the news is so bad it makes one’s blood boil. A group of crackers launched a bone-chillingly cold-blooded and thoughtless attack on the members of the epilepsy forum. They weren’t looking for money, private info, fame, or acknowledgement — they were merely searching for a way to cause as much physical and mental harm as possible.

Epilepsy, as defined by Wikipedia:

Epilepsy is a common chronic neurological disorder that is characterized by recurrent unprovoked seizures. These seizures are transient signs and/or symptoms due to abnormal, excessive or synchronous neuronal activity in the brain. About 50 million people worldwide have epilepsy at any one time.

This particular attack focused on hacking the forum to display images that triggered epileptic attacks in visitors; invoked by a series of images flashing at pre-determined intervals showing certain shapes and patterns that are known to cause seizures to people suffering from epilepsy.

Everyone has seen the photosensitive seizure warning on video games at one point in time or the other – they’re there for a reason. Epileptic attacks are not a joke, and purposely invoking such an attack on innocent website visitors as some sick person or persons’ sick idea of a joke must not be tolerated.

What’s even worse is that the first round of attack was not enough for the perpetrators. Instead, a second attack followed which used javascript exploits to redirect visitors to more-complex images and animations; affecting even more people.

The compromised forum posts and code were available for approximately 12 hours:

But she’s satisfied with the Epilepsy Foundation’s relatively fast response to the attack, about 12 hours after it began on Easter weekend. "We all really appreciate them for giving us this forum and giving us this place to find each other," she says.

While that may not seem like too long of a time, if you consider the fact that these are human beings being attacked and not machines or web-browsers then 12 hours turns into a lifetime – after all, for some people this really is a matter of life or death.

At the moment evidence suggests that "Anonymous," a group of crackers recently come to fame for their web-cracking endeavors; the true identity of the perpetrator(s) remains unknown. But whoever it is, this kind of ridiculous, immature, and down-right evil attacks most not be tolerated by the tech community at large.

Most people take a look at these three facts, and instantly come to a conclusion.. the wrong conclusion: you can’t properly manage a Windows server because it’s inherently lacking in the shell scripting department.

But that’s not true… Because here’s another fact for you:

Perl scripts are a drop-in replacement for 99% ((We admit, that’s a made up statistic, give us a break though, will ya?)) of all shell scripting needs.

And another fact:

Perl (unlike PHP) runs great (awesome, in fact) on Windows.

Now with these two facts in mind, you can now make a proper conclusion: Shell scripting on Windows doesn’t have to be difficult, limiting, or in any way inferior than on Linux.

Perl is an awesome language. Between the online Perl community and the millions of Perl-scripting samples across the web, it’s quite the well-documented language and no sysadmin has an excuse not to use it. The Perl modules are an extensive array of easy-to-use pluggable scripts that you just reference and run.

Perl was created for stuff like this. It’s the language of choice for hacking quick scripts that get the job done, easily, quickly, and with little pain or effort. A Perl script made to run on Linux will likely run on Windows too, with little to no hacking necessary for most of the stuff out there.

With Perl, you can easily do things like manage (prune, grep, or sort) log files, backup and FTP or email database server dumps, schedule webserver maintenance, and more.

Shell scripting with Perl is even easier than shell scripting in Bash – simply because of the huge libraries available that make even the most mundane and PITA tasks quite easy. It takes all of 6 statements (we’re purposely refraining from counting lines because this is Perl we’re talking about) to compose an email with your MySQL dumps as a GZIP’d attachment.

You can easily schedule Perl scripts to run at regular intervals with the Task Scheduler – but that’s about all you’ll ever need to interact with Windows for.

A quick Google search will reveal millions of results for “Perl server management scripts.” Take your pick, hack it, and run.

Here’s our 5-step guide to managing your server with Perl scripts:

1. Download and install Perl for Windows (ActivePerl, free).
2. Read the Perl FAQs and get familiar with the syntax. It’s nothing too complicated, and very simple to code in (though reading someone else’s code is another story). You absolutely don’t need anything more than the basic syntax, stuff like classes and functions are completely unnecessary for shell scripting – it’s too easy to even be considered programming!
3. Write your Perl script. Use a real text editor like Notepad++.
4. Test it by running it from the command line and ensuring it does what you need. Repeat step 3 as needed.
5. Open up Scheduled Tasks in the Control Panel and set up a new task to run your Perl script however often you like.

Sure, maybe it’s not as easy it looks and it’ll probably take you a day or so to go from absolute zero to cranking your first Perl-based shell script; but soon enough you’ll be doing it blindfolded and with both your hands behind your back. And it’ll only be one line long, too!

The most important thing to realize is, you don’t need to be a programmer (or become one) in order to shell script in Perl.

Just pretend your Perl script is a batch file (yuck!). The Perl processor will run it from top to bottom, in a very straight-forward manner. Put one task/command per-line, stick loops where needed, and test constantly. You don’t need classes, you don’t need data structures, you don’t need object orientation, and you don’t even really need to use variables if you don’t want to!

We’ll be posting more details, guides, sample shell scripts, and how-to’s on Perl-based shell scripting in the weeks and months to come. Don’t give up just because it involves learning something new, this is in an investment that’ll last a lifetime. If you can shell script in Perl on Windows, you can do the same on Linux and OS X with ease. If you can shell script in Perl, you can do anything!

View all articles in the “Shell Scripting with Perl” category.

While Microsoft’s [[MSFT]] newly-released build and the one leaked a month ago (Build 3180) may share the same name, we can exclusively reveal that they are not identical releases. This release, also shipped as windowsxp-kb936929-sp3-x86-enu.exe, is 334.2 megabytes and has been made available to tier-one Windows Server 2008 and Windows Vista SP1 beta testers. Hashes are as follows:

CRC: 56e08837
MD5: c8c24ec004332198c47b9ac2b3d400f7

Along with the standalone installer redistributables (in English, Japanese, and German), Microsoft also provided the usual release notes and a list of all the hotfixes included in this release. Contrary to popular belief, Windows XP SP3 does ship with all-new features - not just patches and hotfixes, most of them backported from Windows Vista:

• New Windows Product Activation model: no need to enter product key during setup. Thank God for that!
• Network Access Protection modules and policies have been brought to XP after being one of the more-well-received features in Windows Vista. You can read more about NAP here.
• New Microsoft Kernel Mode Cryptographic Module – the Windows XP SP3 kernel now includes an entire module that provides easy access to multiple cryptographic algorithms and is available for use in kernel-mode drivers and services.
• New “Black Hole Router” detection – Windows XP SP3 can detect and protect against rogue routers that are discarding data.

Windows XP SP3 is compatible with all versions of Windows x86, included Embedded, Fundamentals, Start, Professional, Media Center, and Home Editions.

Windows XP SP3 now contains 1,073 patches/hotfixes, not including those in previous service packs. Of the 1,073 included updates, 114 are for security-related issues. The remainder are updates to performance & reliability, bugfixes, improvements to kernel-mode driver modules, and many BSOD fixes.

As with Service Pack 2, these include both previously publicly-available updates (whether through support.microsoft.com or via Windows Update) as well as any and all privately-redistributed updates for select customers or partners with specific problems/scenarios.

The first included update: KB123456 (April 7, 2006). The last: KB942367 (September 29, 2007).

We’re checking with our MS contacts if we can provide you with the actual comprehensive list of updates included in Windows XP SP3, along with their descriptions and KB article links.

A Texan family is now suing Virgin Mobile for using a photo of their daughter, Alison Chang, in an ad campaign – the catch is, it was released by the photographer on Flickr under the Creative Commons Attribution license, and that’s where Virgin Mobile got the photo from. The problem is, the girl featured in the photo had no idea her photo was being used – or that it was released under the Creative Commons license.

As the case currently stands, the Changs are suing consumers of open source works and not the original party responsible for the release of the work as an open source material without a proper media consent form.

It gets more complicated than that. Appearances in the media need a media consent form, but posting a photo online technically doesn’t. At least, not yet — is this another issue at stake? So in this case, a photographer posts a photo online, fully within their rights and releases the photo itself as an open source work. Then the open source work (and not the actual person) is used in a media appearance – what’s the ruling then? Why is the family suing Virgin Mobile and not the photographer? Do they (and their lawyer) fully understand the concept of open source and creative commons licensing? Do end-users of open source material have a legal obligation to ensure that the material they use was cleanly and wholly legally released as open source in the first place? Just how far does one have to go?

Still not confusing enough for you? Well, Virgin Mobile added insult to injury, captioning the photo in their advertisements with what amounts to – more or less – an insult to Alison Chang. Is the question of whether the subject of an open source’d photograph can be used against one’s self a legal or a moral issue? Does releasing a photo to the public under a lax license let it be used by anyone for any purpose, even when “hurting” the original producer/subject?

This is quite the legal tangle, and we’re betting it’ll be settled out of court – but even if it is, it’s certain to come up later in one court case or another. We’re not lawyers, but this is clearly a case that poses quite the risk to open source, attempting to redefine just how “open” it really is. Here’s a re-cap of the issues at stake:

• Are “consumers” of open source legally liable for using “dirty” open source’d code? Do they have a legal requirement to verify its validity before using it?
• Will legal consent forms be required for simply posting photos online? What about “personal” sites like Flickr, MySpace, and Facebook?
• Just how global is an open source copyright? In this case, Virgin Mobile Australia is charged with breaking a US copyright.
• Previous court cases have ruled that bloggers are journalists in their own right. Does the freedom of press protect online photo-journalism, too? ((In this case, we’re referring to the original “blog post” on Flickr by the photographer, and not the subsequent use by Virgin Mobile))

It’s unlikely that all of these issues will actually appear in a court of law, but it certainly is possible. The first and second are very likely to appear, and have far-reaching effects; whereas the latter two are stretching it a bit, but anything is likely when money is involved. Creative Commons has an optional “country” setting that determines, in the case of a legal dispute, which country’s laws and jurisdictions shall apply. We have no details at the moment which setting was specified, but the default is USA, and that’s where the photographer and subject both resided. The Creative Commons license is recognized by law in both the United States and Australia.

Should it actually be ruled that Virgin Mobile is guilty as charged, a huge online panic in the open source community will likely ensue. At the moment, most big open source projects perform a cursory check on any code/content submitted for possible legal violations (and, let’s be honest, for plausible deniability more than anything else). But in some cases (read: Wikipdia) it’s almost impossible to practically do so, thanks to the enormous volume of content being constantly contributed and the difficutly of vigorously checking it for legal trespasses. What happens when you can no longer simply trust the EULA that ships with a particularly code library? Or when the content you grab off of Wikipedia (technically licensed under the GFDL) isn’t as open source as it claims to be? And most importantly, that using such “dirty” materials makes you, in the eyes of the law, guilty of content/idea theft?

If any ruling of this sort were to be passed with an actual verdict on the open source angle, it would instantly destroy the entire spirit of open source. No one would be able to trust any open source project or the other, destroying one of the most important benefits of using an open source license the first place: being able to instantly convey the rights a consumer has or doesn’t by simply telling them it’s “GPL” or “BSD” or whatever. You’d need something tantamount to a chain of custody for each and every modification/copy, telling people exactly where each bit of code or content came from and what grounds you had to use it, and no project would be safe without a lawyer of its own. In a word, it’d be the death of open source… In the United States, that is; because the rest of the world (for the most part) is blissfully immune to many of the issues outlined in this post.

Not only does the United States system of copyrights and software patents have to be rewritten to prevent ridiculous things like this taking a toll on the entire open source industry, but also a legally-recognized free software “Bill of Rights” needs to be drafted to ensure that lawsuits like this one don’t jeopardize everything that the online community has been working on for decades. Just like the current Bill of Rights defines basic freedoms for US Citizens that no law can overrule (the Patriot Act excluded because GWB says so), free software needs a similar document to set down its (proverbial) foot and ensure that open source lives on – freely, as it was meant to be.

It’s important to note that the Creative Commons license that the photo was released under was not marked as non-commercial, and that Virgin Mobile fully complied with the letter of the Creative Commons license, by properly citing the Flickr page the photo was grabbed from at the bottom of their advertisement. As far as Virgin Mobile is concerned, they didn’t really do anything wrong. It is no wonder most magazines still insist on getting explicit legal permission before including anything in their issues, even if the EULA/copyright is clearly indicated on the site/source!
This might just be a case of a family trying to get rich quick; and if it is, it’s quite unfortunate that the entire spirit of open source has to be put on trial for a couple of bucks and a 16-year-old emotional teenager’s injured self image. If it’s not, it’s still a damn shame.

This sound isn’t the one you get on startup (which is still there, just like in previous versions of Windows), but rather the one that plays right when Windows finishes loading – and you can’t do a thing about it. In our opinion, it’s a quite nice sound, but unfortunately you don’t get to hear it (most of the time) if you have a analog/digital sound card with analog being the default. At any rate, for those of you that don’t like it, chin up: it can be changed!

1. Grab reshacker (or XN Resource Editor, if you prefer), they’re both invaluable utilities that you should always keep at your side when you want to hack just about any program or feature on Windows.
2. Copy C:\Windows\System32\imageres.dll to another location, and open it with reshacker.
3. Open the WAVE subfolder, and select the appropriate localized resource as follows:
4. If you’re using XN Resource Editor, you don’t need to worry about this step: skip on to number 5. Each language has a different code in Windows; in this example, we’re working on a United States English copy of Vista, which has language code 1033. Referring to the list of language codes, German would be 1031, and Spanish is 1034. Open the subfolder pertaining to your particular language code.
5. You need to replace resource name (number?) 5051 with a Wave file of your own – resource 5051 is the default Windows Vista startup sound, and you’re going to replace it with your own custom (wave!) file.
6. Save and exit.
7. Backup the original \Windows\System32\imageres.dll file, replace the existing one with your newly-modified uber-cool version, and reboot to check it out.

In recent years (mainly from last year though), NOD32 has fallen a bit behind in the detection rankings, but for the most part had remained a close contender and a decent choice. Virus.gr has the latest testing results (Link currently not working) as summed up in this post at CyberNet News. In the latest round of tests (and the one before that, and the one before that) Kaspersky is yet again at the top, with a 99.23% detection rate for the newly-released version 7 and a 99.13% for version 6.

Our biggest gripe with Kaspersky 6 was the terrible user interface (which relied on the uber-slow MMC with horrid integration) – plus, we were quite happy with NOD32’s excellent service for all these past years and admittedly a bit reluctant to see its shortcomings.

But all that changed with the release of Kaspersky 7. In a test run, we found 3 different trojans on our machines (for a total of 6 infected files) that NOD32 hadn’t detected (even with heuristics enabled and set to the highest level) which Kaspersky picked up immediately.

The real kicker wasn’t the fact that NOD32 missed a trojan, it was the fact that 2 of these trojans have been listed in the Kaspersky virus signature database since mid-2006, and that when reporting such missed trojans the NOD32 team replies in a mostly arrogant manner.

Looking at this thread where a NOD32 user reported to their tech support that several common trojans ((One of which was found in our test run here at NeoSmart Technologies)) weren’t picked up by NOD32 but were by Kasperksy, the replies by NOD32 moderators are quite shocking. They start off by claiming that the original poster’s title is misleading purposely accusatory (which it isn’t, objectively speaking) and this later escalates (when a new poster claims to have a list of 21 trojans NOD32 failed to detect) into accusations of virus-harvesting and purposely looking for NOD32’s weaknesses.

What should have been a simple “thank you for your observations and our apologies for the inconvenience” became a highly-ridiculous “NOD32 can do no wrong” thread. We’ve been recommending NOD32 since the start, but to us it is clear that this is where we part paths. If a company makes a mistake an oversight of a single trojan, that we can live with. But when moderators on their forum insist on turning it into a personal attack against anyone that has any issues with NOD32, it’s sign that something very wrong is underfoot.

So, goodbye NOD32, you’ve served us well throughout the years (as previous threads and articles will testify). But it’s time for a new AV that continues to improve and without taking offense to simple mistakes. Unfortunately, pride and failure often to lead to one and the same thing – and if there’s a better alternative, we’d be fools not to take it.

Hat-Tip: Thanks, Spencer, for the virus.gr overview!

The attack lasted around 3 hours, the recovery process another hour or so. We’re sorry for this downtime and are implementing failsafes that will hopefully protect against data corruption in the future. Luckily, our other data is stored on PostgreSQL (with the exception of this blog, which miraculously survived the ordeal unscathed) which is less prone to data corruption in our experience.

We urge anyone with any information about this attack to come forth, and remind the perpetrators that this is a felony punishable under law.

But at NeoSmart Technologies, we always do try to make the best out of whatever situation we’re in, so we took advantage of the downtime to do some server upgrades we’d been planning for a while:

• Apache Tomcat (for the Wiki and Bug Tracker) was upgraded to version 6
• MySQL was upgraded from version 5.1 to version 6.0
• We upgraded PHP from 5.2.1 to 5.2.3
• The IIS rewrite module was re-compiled and upgraded
• Installed an XMPP/Jabber Server
• Several other script changes

At any rate, hopefully this is like lightning and doesn’t strike the same place twice! We’re still here, and we will be for a very long time to come, God willing of course.

Once more, sorry for the downtime, and to those people who unfortunately had their posts vanished in the forums: our deepest apologies.