Monday, December 15, 2008

Three Network Tidbits

  1. RoadRunner Re-IP'd My Subnet: It happened in the middle of the night. I woke up this morning and nothing was working. This is the first time they (RR) have ever done this, at least as far as I can recall. So if you had any of the UT servers in your favorites list, those addresses are now obsolete. Select the servers from the UT browser and you'll be O.K.

  2. I Still Hate ATI Drivers: But as it turns out, my UT crashes had nothing at all to do with them. The problem turned out to be an out-of-date (vintage 2007) RTL8139 NIC driver. Looking back, this should have been obvious because whenever the system crashed it made a horrendously load BUZZING SOUND, a sign that "something" was stomping all over the soundcard. Obvious because I've seen this issue at least a dozen times over the years. Both the soundcard and the NIC are built-in devices and both are manufactured by RealTek. I did an "update from the Internet" on the NIC and it found a driver from Feb. 2008. Things have been fine ever since. Too easy!

  3. Marvell NICs Are Not Marvellous: In fact they suck major ass. In the early days of Experimental v1.0 I put a lot of time into making a wireless UT server using one of these pieces of dogshit. It was disastrous. That NIC ended up in my "other" Windows system, which among other things has a "secure" 802.11b dedicated point-to-point connection with a Webcam. That Windows box has been shitting itself for months, so on a lark I swapped out the Marvell NIC with a RaLink NIC and its incontinent days are over. The system is solid as a rock.

Friday, December 12, 2008

Yet Another Blog

Seriously, I have way too much free time.

Last Sunday, I woke up, got a cup of coffee and checked my Gmail. Of course, most of my Gmail consists of Google Alerts. For about two years I've had an alert on "suicide", due to a tinfoil hat theory of mine concerning SSRIs. That morning, there were a ton of "suicide" alerts, among them an unusual number of murder-suicides.

This story caught my eye first. It had everything: Boy meets girl, boy loses girl, boy kills girl, boy blows his brains out.

And, as it turns out, that is the story of 90% of murder-suicides. Typically a "white guy" crime, the killer is in his mid-40s and has had an on-going relationship with the victim, who is female and, on average, six years younger.

Statistically, there are 1000-1500 incidents of this crime per year. This means you can expect two to five murder-suicides per day, which is absolutely perfect for a specialty news aggregation blog.

I was absolutely certain someone had already done it, so I checked BlogSpot to see if the name was free. And, surprisingly, it was.

I've been doing it for less than a week now and I've gotten 21 hits from my Google News Alerts. The blog isn't a happy place, but it's not a happy subject. It just happens, and it happens with astounding regularity.

Click here to check it out.

Sunday, December 07, 2008

Election Day Hit

I'm really at a loss to explain this, but apparently some clown took it upon himself to DoS

It didn't work.

Hell, I didn't even notice until over a month later.

303,819 requests from someone with a UserAgent of Links (2.1pre36; Linux 2.6.24-1-686 i686; 80x24). So many hits Links took the #3 browser spot in one day.

If I didn't know better I'd swear that was me (wrong Linux version, but I do use Links quite a lot - completely automated to fill out the Proxy List).

And why Election Day? Did some neocon confuse me with that other MrHinkyDink?

We may never know.


Since I've been doing this crap at work for a few weeks now, I decided to aggregate my Google Alerts into a service for IT Security Pros and ethusiasts. The result: HINKY LINKS at!

Hopefully this means I won't bore you to death with this security crap anymore.

Any more than I have to. lol

Anyway, it's not as brutal on the eyes as this black background theme (most security wonks use the same theme on BlogSpot - a very curious phenom) and since it's primarily cut-and-paste the upkeep should be simple (famous last words).

But I am good at this, and even though it's not quite as fresh as it could be at the moment, I get content coming into my gmail account constantly. If you were a coworker, Hinky Links is exactly what you'd see at my work blog.

Saturday, December 06, 2008

Koobface/Port 9090

For months, the Proxy List has been inadvertently tracking the spread of the Koobface virus.

Koobface is spread via the social engineering of Facebook users, prompting them to view a video of themselves that requires (surprise) the installation of an "updated" (translation: BOGUS) Flash player that subsequently zombifies the user's computer, installing a proxy server (tinyproxy.exe) running on TCP port 9090.

Koobface was allegedly discovered in August 2008. The Proxy List has been reporting proxies on port 9090 since March 2008 (to be exact, three days after the beginning of the Proxy Project).

Granted, a proxy on port 9090 does not imply that tinyproxy.exe is running on that port, but given anti-virus companies are so far behind the curve on protecting consumers from malware, a five-month "0day" status is not unheard of.

According to my proxy database, port 9090 started in March, ticked up in April, took the months of May and June off, and started rising from July through October. In November, it exploded. So much that port 9090 is now the fifth most common port for verified proxies (meaning, they worked at least once) in the database, only a few hundred away from knocking port 3128 (SQUID, CoDeeN) off the #4 spot.

Not surprisingly, the top three infected countries (US, GB, CA) are all English-speaking. The DNS names, with a handfull of exceptions, all reflect consumer ISPs.

There is some serious Facebook ownage going on, and this probably explains the surge in Cameroon users I reported last week.

Is it advisory-worthy? No. The press has been doing a fair job of getting the word out. The security discussion lists (BugTraq, FullDisclosure, et al) have been, as usual, silent/worthless on the entire subject. That's what really pisses me off. I spend a great deal of time sifting through the lists for security information and 90% of that turns out to be wasted effort. In fact, 100% of the information on Koobface came from my own Google Alerts and independent research.

Why do I bother?