Apr 11 2017

I’m considering purchasing a ZOOM B3n bass effect processor. One of the nice features is the program that allows you to edit/load patches via a PC, versus having to do so on the device itself. Being a security minded geek, I downloaded the software and took a look.

After installation, the first thing it does is REQUIRE an active internet connection. No explanation, and it’s not in the system requirements. After a little work with Wireshark and a little snooping around: it’s downloading files from www.zoom.co.jp and placing them in %USERPROFILE%\AppData\Local\ZOOM Guitar Lab.

This appears to be a poor attempt at providing auto-update capabilities. The first ‘conversation’ is via TLS, however the client does not appear to be authenticating the server certificate, AND at least some of the subsequent downloads happen over plain HTTP and appear not to be signed.

Poison DNS servers and reverse engineer their server protocol (likely trivial), and you have an easy way to deploy anything to everyone who uses this software.

Maybe not a likely target, however if you are concerned about your DAW being corrupted by malware, I’d suggest installing in a virtual machine as well as on your DAW. Turn off updating in the installation on your DAW (in the Help menu, deselect “Notify when the new version of ZOOM Guitar Lab exists” and “Notify when the new version of firmware exists”).

Let it do its update on the virtual machine, then copy the VM’s %USERPROFILE%\AppData\Local\ZOOM Guitar Lab to the same folder on your DAW. That should get you the updates without any bad stuff (unless bad stuff was installed in that folder, of course).

Mar 29 2017

As noted here, if it isn’t already the case, soon you will not only be paying exorbitant monopoly rates for internet access, your ISP will also be selling your web browsing history.

There are many ways you can protect yourself. TOR comes to mind, however the performance trade-offs are often not worth it. Personally I block Java/JavaScript, cookies, 40,000 or so domains, ads and tracking sites, AND often pipe traffic through Privoxy and TOR. These tactics assure that my ISP is not getting a complete picture. However all of this is a hassle, so my wife/guests/etc. are not likely to put up with it.

There’s another option: fill their database with so much garbage that it’s useless. This will not prevent ISPs from selling your data, however if enough people shovel enough shit into the system the buyers will eventually realize the data is useless and stop buying.

Introducing Obfuscatron GIGO: this is a start. I would love to see more people create more systems like this, and run them all! Fill their databases with garbage that is indistinguishable from real data!

If there’s enough interest I’ll keep enhancing this. One idea I have is to provide a list of zip codes for the U.S. and allow URLs in the ‘seeds.txt’ list to contain placeholders like %ZIP% that the system replaces with a random zip code. This may be useful for weather and travel sites.

If you have any questions/concerns or would like source code, leave a comment here.

NOTE: this works best if you have a computer that’s on 24×7. If your computer goes to sleep, so will this. It’s likely still helpful, just a bit less so, because it leaks your PC’s active hours (which may reveal when you work, go to school, come home, etc.).

Mar 23 2017

According to Ars Technica: https://arstechnica.com/tech-policy/2017/03/senate-votes-to-let-isps-sell-your-web-browsing-history-to-advertisers/

The fix is easy: obfuscate. Fill their database with garbage that’s indistinguishable from real traffic. For the do-it-yourselfer who is willing to accept some risk, running a TOR exit node would likely do the job.

For people who want a bit more control over the process, this is the official announcement of the Obfuscatron! In short, it’s a Windows service (I’ll write a *nix daemon if there’s any demand) that runs in the background and generates very random web traffic. The starting sources will be based on the Wikipedia random article function; from there it will go out to external links on the page. You will also be able to control the user agent, as well as configure how aggressive it is.

Currently in very early alpha. I’ll be running a version of this locally over the next several days and refining as I go. Expect an available beta version in a couple of weeks.

I can’t imagine how they’d be able to distinguish this traffic from user traffic, as long as it’s random enough and not just a constant stream of traffic going to a small set of sites.
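As an added example (not the Obfuscatron source, which the Mar 29 post offers on request), here is Python for two of the pieces described above: expanding seeds.txt entries that carry the %ZIP% placeholder, and picking a random external link from a fetched page to hop to next, rather than looping inside Wikipedia. The zip code list, the sample HTML and the function names are constructed for this example.

```python
# Added example (not the Obfuscatron source): %ZIP% seed expansion and the
# hop-to-an-external-link step. Zip list, sample HTML and names are constructed.
import random
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ZIP_CODES = ["29401", "10001", "60601", "94103", "73301"]  # constructed sample

def expand_seed(seed, rng=random):
    """Replace every %ZIP% placeholder in a seeds.txt line with a random zip."""
    while "%ZIP%" in seed:
        seed = seed.replace("%ZIP%", rng.choice(ZIP_CODES), 1)
    return seed

class _LinkParser(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def external_links(page_url, html):
    """Absolute http(s) links to a host other than the page's own host, so the
    generator leaves Wikipedia instead of looping inside it."""
    parser = _LinkParser()
    parser.feed(html)
    own_host = urlparse(page_url).netloc.lower()
    links = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)  # resolves relative and //host links
        parts = urlparse(absolute)
        if parts.scheme in ("http", "https") and parts.netloc.lower() not in ("", own_host):
            links.append(absolute)
    return links

def next_hop(page_url, html, rng=random):
    """One random external link, or None (then the generator takes a fresh seed)."""
    links = external_links(page_url, html)
    return rng.choice(links) if links else None

SAMPLE_HTML = """<html><body>
<a href="/wiki/Other_article">internal</a>
<a href="https://example.org/report.pdf">ref 1</a>
<a href="//cdn.example.net/img.png">protocol-relative</a>
<a href="mailto:someone@example.com">mail</a>
<a href="http://example.com/page">ref 2</a>
</body></html>"""  # constructed stand-in for a fetched article page
```

A seed such as https://en.wikipedia.org/wiki/Special:Random is fetched, next_hop() is called on the response, and the walk continues from that link until none remain.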

Jan 08 2016

This article keeps popping up (along with related articles). The author, Mat Honan, jumps to conclusions not supported by the facts. He makes claims such as “the way WE daisy chain accounts” being a problem; well, maybe HE does that (and I suspect a lot of users do as well).

His problem can be summed up easily. He relied on his Apple account as a point of security. Once that was compromised (easily, via a simple social engineering phone call) they could then take over his GMail account (because the author used his Apple email as an alternate address), and once in that account the bad guy had the ability to take over everything.

In an attempt to deflect blame from himself (and Apple) the author keeps repeating the same baseless assertion that passwords are bad, and is now on a crusade to ‘kill’ passwords. Mat Honan needs to grow up and accept responsibility for his own screw-up and help people understand how to properly use passwords and properly secure online systems (as much as possible) rather than sowing FUD to protect his ego.

Main takeaway: never trust third parties who have no interest in securing your data with your ‘keys to the kingdom’. There is no one set of rules that works for or applies to everyone. In my case (as an example) I have a Yahoo account I use for non-sensitive sites (forums, online shopping sites where I NEVER store CCs, etc.). All of my banking and financial access credentials are linked with addresses that are highly secure (a server controlled by myself or a trusted third party). All of my secure passwords are the maximum complexity allowed and all are different. This works for me.

People in general need to stop blaming technology when a failure is due to misuse (by themselves or others).

Jan 07 2016

Someone posted a comment on an old article with a bunch of SEO related rubbish and, of course, a link to a paid add-on for WP… Search Engine Optimization doesn’t interest me in the least. It used to be possible to game search engines, and it still is to some extent, however these tactics will backfire eventually.

A well written article in a good content management system stands on its own without any effort spent trying to trick or game search engines. SEO is the refuge of bad writers and spammers only; don’t waste time on it.

Sep 18 2015

Decided to give Allods another go. Installed it and it came loaded with some crapware ‘gaming dashboard’ from my.com. When I tried to uninstall, it claimed I’d not be able to play Allods if I uninstalled; when I confirmed, it tried to access the internet (which I denied) and blew up. So I killed the task, deleted the files and then let Windows blow out the uninstall entry….

Made a shortcut to aogame.exe; no problem running without this crap.

All I can conclude is that it’s malware and serves no purpose at all…. kinda like nearly everything that wants to play ‘middle man’.

Aug 14 2015

Thursday Malwarebytes reported on an ad server pushing malware via various exploits.

Checked my network and I’m already blocking adspirit.de at the router. I have no idea why more people don’t do this; likely not all that many are running Linux based routers, or they don’t have access. For those that do, here’s my simple script which runs weekly:

#!/bin/sh
# weekly refresh of the dnsmasq hosts file from the MVPS block list (run from cron)
mkdir /tmp/hostupdate
cd /tmp/hostupdate || exit 1
wget http://winhelp2002.mvps.org/hosts.txt

# copy local host definitions into hosts file first
cp /etc/hosts.local /etc/hosts

# we only want the host lines, no local host or comments.
# the downloaded list has CRLF line endings, so strip the CRs as well
grep -vE 'localhost|#' hosts.txt | tr -d '\r' > hosts.clean

# change to blackhole server
# the MVPS list points every entry at 0.0.0.0; BLACKHOLE is a placeholder,
# set it to the address of your own blackhole/sinkhole server
BLACKHOLE="<your-blackhole-address>"
sed "s/^0\.0\.0\.0/$BLACKHOLE/" hosts.clean >> /etc/hosts

# cleanup
cd /etc
rm -Rf /tmp/hostupdate

/etc/init.d/dnsmasq restart

Because I have other blocks and static hosts, I keep a hosts.local file in /etc/ that is added to the hosts file first, and obviously this system is the DHCP and DNS server for my local network. People could of course shoot themselves in the foot a variety of ways, mostly by using a hardcoded DNS server that bypasses the router; however if someone wants to do that, so be it.

Apr 23 2015

A while back I decided to get Coach-Net so we’d have easy access to roadside assistance while towing our trailer. When you join online you get this list of options:


I chose Basic; the list of features was good enough for me and I didn’t want all the fluff in Premier. So a week or so ago I got an email saying I could save $10 by renewing early. I figured sure, why not. Imagine my surprise when this shows up on the renewal page:


Notice anything unusual? Nowhere on their website or in the membership materials does it state exactly what a ‘Gold’ membership is; as far as anything else is concerned it doesn’t exist. When I tried contacting them to find out how to renew my Basic membership, I got a phone call a week later asking me to call back to discuss my membership options.

I don’t need to discuss options; I know what I want. I could save money by simply letting the membership lapse and then starting again, even after the $10 ‘one time’ processing fee. Easier still, I’ll just let it expire and not renew. I’ll go to Good Sams Club if I want roadside assistance.

EDIT: when I asked one more time for an explanation of why I couldn’t renew my Basic membership, I instead received a comparison of the Gold and Premier plans. Gold is pretty much Basic but $20 more per year, so they’re doing the classic ‘introductory offer’, or a bait and switch if you prefer. Coach-Net can stuff this.

Feb 06 2015

Everyone who has Anthem should immediately file an initial fraud alert with any of the credit bureaus. This is the simplest thing you can do to protect yourself right now.

Here’s some info on fraud alerts from the FTC: http://www.consumer.ftc.gov/articles/0275-place-fraud-alert

And the Equifax fraud alert page (NOTE: you only have to file with one bureau, which then notifies the others): https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp

And in the ‘kick them while they’re down’ realm, in a couple of weeks I’ll be in small claims suing the shit out of Anthem for their gross negligence in handling a pre-certification for surgery…. weeks of unnecessary pain (too bad I can’t sue for that in SC). I’ll be damned if I don’t try to get 100% reimbursed for my out of pocket on this.