Wednesday, May 31, 2017

How to Install Teamviewer

Teamviewer is one of dozens of computer programs/device apps that provide a way for you to log on to another device, see its screen, and "run" the other device.  Prime competitors are GoToAssist, LogMeIn, and Chrome Remote Desktop.  For a list of free apps, see https://www.lifewire.com/free-remote-access-software-tools-2625161.

I use teamviewer for the reasons discussed in the above article.  To install teamviewer on your device, go to your app store or go to https://www.teamviewer.com.  For the latter site, you will see a "Download Free for friends and family" button on the home page.  Click on that to start the download.  Depending on your browser and its settings, you might get a pop up.  Do whatever it says that results in downloading the executable.  Once downloaded, start the install process.  The exact instructions on starting this install depend on the operating system you are using and the browser or download system you are using.  I'll leave it to you to know how to start an install for your situation.

During the install, there might be one or more dialog boxes that have radio button options.  You will want "for personal use" and "basic installation."  Click through the buttons until the installation is complete.  Once complete TeamViewer will pop up.  Usually there is an ad in front of the business part of Teamviewer.  Just delete that ad.  You can close the teamviewer app at this point until you are ready to use it. But, before closing it, I recommend pinning the app to your taskbar or dock.  If you are using a smart device, then you put it on a page that you use for important utilities.

To use Teamviewer, click on the icon or search in your applications for Teamviewer.  Click on the icon.  Up pops the Teamviewer interface.




On the left side will be entries for "Your ID" and "Password".  That is the information someone who is going to make a connection to your computer needs to help you.  If you are helping someone else, then you will put that other person's ID into the Partner ID field on the right side.  You will then click Connect to Partner.  The session will initialize and a dialog box will pop up asking for the other person's password.  Enter that and you should get access to your friend's computer.

Monday, May 29, 2017

Home Security IoT Class 8 Notes.

The notes for the final class are here.

Wrong Instructions on AT&T: Linking an email client to AT&T email

If you use att (att.net at least, maybe bellsouth.net) as your email provider
-- and --
You want to link your email account to a client email application (Outlook, your smartphone)
-- and --
You want to keep a copy of the email on the att server (maybe you share an account with your spouse)
--then--
AT&T has apparently changed how to link that account using IMAP, but the company hasn't changed the instructions or notified you on how to do it.

Specifically, the instructions are at:  https://www.att.com/esupport/article.html#!/email-support/KM1086159

The erroneous instruction is:
  • For IMAP accounts, enter imap.mail.att.net for the Incoming mail server, and smtp.mail.att.net for the Outgoing mail server.
 If you follow the instructions and get an error about contacting the server that says, in part "*OK[capability IMAP 4rev1ID move namespace x-ID-ACLID", then you have entered the wrong email server information.  (Why such gobble-de-gook for error messages?  I guess the coders think they are all so much smarter than we are.  NOT!  Such coding just wastes everyone's time.)

To be brief, the correct entries for the inbound and smtp server are:

  • imap.mail.yahoo.net
  • smtp.mail.yahoo.net
att vs yahoo does make a big difference.  

Do this only if you get the error.  Apparently the change is dependent on the client application and even the version of the client application.  

Thursday, May 25, 2017

Backing up or saving Gmail on your local computer

So you've moved to gmail.  Then you realize that all gmail is retained unless you trash it.  Good!  But then you are concerned that "something" might happen and some of your emails you want to keep might be lost.  That isn't likely, but let's address that.  Here are ways:


  1. Use a client email program, such as Outlook or Thunderbird.  Configure your email connection as IMAP (Important!).  Every so often, start your email program and do a receive.  All messages from the last time you did it will be downloaded.  Because you are using IMAP, the messages will not be removed from the gmail server.  You've got a complete archive.
  2. If you just occasionally have a message you want to save, you can "easily" save it to Google Drive.  
    1. But first, you have to be using Google Drive.  There is a tutorial in the Youtube list to the right on how to install Google Drive on your device (from phone to super computer).  When this is done, all documents, etc will be physically mirrored to your device as well as be on the google servers.  (I should mention that, in the video, the lecturer starts the discussion by saying that he wants to share photos.  Well, you don't share and edit photos in Google Drive.  Google Drive has some features to save you from the mistake of putting pictures on Google Drive, but just don't save pictures to Google Drive.  Save pictures to Google Photo instead.)  
    2. Here is a second dependency:  You have to be logged on to Google through Google Chrome.  Don't log on just to email.  Logging on to Google through Chrome automatically logs you on to all the Google applications, even Youtube.  That's necessary to use this feature I'm discussing.  (To log on to Google Chrome, click the setting chevron for Google Chrome.  The first thing at the top of settings is where you log on to Google Chrome.)  
    3. Here is a third dependency: you have to be using Google Cloud Print.  To make sure you are using it, go to the Chrome settings, go to the bottom, and click on the Advanced link.  This will reveal more settings.  Near the bottom of these settings is a heading "Google Cloud Print."  Click on the Manage button and start it.  From now on, you can print from anywhere you are to your home printer, or, at least in my case, any of a couple dozen places.  Close when done. 
    4. Now, back to saving the email.  Start a "Print" of your email, any way you want.  From that page, there is a button underneath the default printer name called "Change." Click on that.  In that list is the entry "Save to Google Drive."  Clicking on this will cause your print to generate a PDF file that will be saved to your Google Drive.  That document will find its way down to your computer during the Google Drive synch process. Click Print to initiate this process.  

Tuesday, May 23, 2017

The nightmare scenario caused by the Windows 8 through Windows 10 fast startup option and what to do about it

I have just had to endure one of the most miserable "repair jobs" of my career of 60 years.  There was this laptop with Windows 10.  The power was interrupted when the computer was shutting down AND it was ready to do the restart after a partial install of an update.  The symptoms of the resulting problem were that the computer would not boot.  It would get to the blue window screen just at the start of boot and just spin and spin.  Night and day.  I won't go into all the details on my effort to recover from this problem.  You can read about some of what I did by searching on "deleting the hiberfil.sys" and "Windows fast start up."  I used all my skill with an Ubuntu live disk as well as various Windows recovery options and a Windows recovery disk.  I was able to read and write the hard drive by using a combination of applications in Ubuntu, but that only got the drive to the point where I could get Windows to go into its own recovery mode without relying on the recovery DVDs.

Oh, there were no recovery points.

I spent over an hour on the phone with Microsoft update tech support.  I knew more than they did and their final conclusion was that I would have to use the "reinstall Windows 10 keeping the user data" option.

That worked.  Of course, I have to reinstall all the user applications.  In this case, one of the applications is not easy to install because it is an older app.

The lesson is:  The Windows fast startup option is a death trap!  I recommend enduring the longer start up times that result from not using fast startup, where the system creates a hiberfil.sys you don't know about and that locks up the computer if the computer shuts down at the "wrong time."

Instructions:   Turn off fast startup:

  1. Search for and open “Power options” in the Start Menu.
  2. Click “Choose what the power buttons do” on the left side of the window.
  3. Click “Change settings that are currently unavailable.”
  4. Under “Shutdown settings” make sure “Turn on fast startup” is disabled. (no checkmark).

As an extra precaution, start an administrator cmd or powershell session and run "powercfg -h off".  That turns off the system's inclination to create a hiberfil.sys.

Sunday, May 21, 2017

Home Security IoT Class 7 Notes

The class 7 notes for the Home Security IoT class are here.

Two factor authentication for your social security account


Social Security has a web site where you can review all your social security taxable income, your medicare taxable income, your social security personal details, and all your benefits, month by month.  That's just to name a few kinds of information that are there.  I've talked about two factor authentication in several blogs.  It is a security feature that is a pain in the neck.  If you use this feature, you have to sign on with your user id and password and then, if you use a device that the web site doesn't recognize, or "just because" you will have to enter some code that is sent by text or sent to your email address.  This is before you are able to "log in" to the site.  Although a pain, I hope you can see that it protects against someone else using your user id and password to access your social security information.  Below is an announcement of an improvement of the social security web site two factor authentication process:  the ability to get the two factor code on email.  To date, you could only get the two factor code by text message.   

On June 10, 2017, we will add a second method to check your identification when you sign in to mySocial Security. This is in addition to the first layer of security, your username and password. Right now, you don’t have to do anything for this new process. But you may want to sign in to your account to make sure you remember your username and password. Then, when you sign in on or after June 10, you will be able to choose either your cell phone or your email address as your second identification method. Using two ways to identify you when you log on will help better protect your account from unauthorized use and potential identity fraud.

Saturday, May 20, 2017

3D Printing Example: radically new jet engine

I talked about 3D printing in class, about how the technology will move to exotic materials and eventually a build process similar to the ones used by semiconductor manufacturers.  This link is an example of what is being done today:  https://www.wired.com/2017/05/ge-turbofan-huge-jet-engine/?mbid=nl_52017_p1&CNDID=29643548

Thursday, May 18, 2017

Spectrum DNS Servers for our area

When you want to go to a web page on the internet, your first stop will be a server defined by Spectrum that will take the url (web address) you supply and translate that to an IP address on the internet.  That server's function is similar to that of your router, which supplies IP addresses on your household intranet.  The function is called DNS (Domain Name Server).  Typically, your computer will obtain the IP address of those servers (yes, there is that first step) automagically; however, if you are having trouble connecting to the internet, you might try entering the following for primary and secondary DNS servers in your network adapter settings:

Warning:  the following DNS numbers are wrong. These are the numbers you will be given if you ask Charter/Spectrum help. 
  • Primary:  24.178.162.3
  • Secondary:  66.189.0.100
The correct numbers are:
  • Primary:  71.10.216.1
  • Secondary:  71.10.216.2
I apologize for the wrong information... but then Charter has a problem to fix.
Full instructions on how to do this for Windows 10 can be found at http://www.windowscentral.com/how-change-your-pcs-dns-settings-windows-10.  For Mac:  http://www.macworld.com/article/2824564/slow-internet-edit-your-dns-settings.html.   Both references also provide alternate Primary and Secondary addresses to use.  In fact, I use those alternate addresses myself.  

Wednesday, May 17, 2017

How do spammers harvest email addresses ?

This is a paste from a review article.  It is, in some ways, such as discussing UseNets, out of date, but I post it here more to remind me to update it when I have time and, in the meantime, as an IoT Security class discussion starter.

How do spammers harvest email addresses ?
By Uri Raz
There are many ways in which spammers can get your email address. The ones I know of are :
  1. From posts to UseNet with your email address.
    Spammers regularly scan UseNet for email address, using ready made programs designed to do so. Some programs just look at articles headers which contain email address (From:, Reply-To:, etc), while other programs check the articles' bodies, starting with programs that look at signatures, through programs that take everything that contain a '@' character and attempt to demunge munged email addresses.
    There have been reports of spammers demunging email addresses on occasions, ranging from demunging a single address for purposes of revenge spamming to automatic methods that try to unmunge email addresses that were munged in some common ways, e.g. remove such strings as 'nospam' from email addresses.
    As people who were spammed frequently report that spam frequency to their mailbox dropped sharply after a period in which they did not post to UseNet, as well as evidence to spammers' chase after 'fresh' and 'live' addresses, this technique seems to be the primary source of email addresses for spammers.
  2. From mailing lists.
    Spammers regularly attempt to get the lists of subscribers to mailing lists [some mail servers will give those upon request], knowing that the email addresses are unmunged and that only a few of the addresses are invalid.
    When mail servers are configured to refuse such requests, another trick might be used - spammers might send an email to the mailing list with the headers Return-Receipt-To: or X-Confirm-Reading-To: . Those headers would cause some mail transfer agents and reading programs to send email back to the saying that the email was delivered to / read at a given email address, divulging it to spammers.
    A different technique used by spammers is to request a mailing lists server to give him the list of all mailing lists it carries (an option implemented by some mailing list servers for the convenience of legitimate users), and then send the spam to the mailing list's address, leaving the server to do the hard work of forwarding a copy to each subscribed email address.
    [I know spammers use this trick from bad experience - some spammer used this trick on the list server of the company for which I work, easily covering most of the employees, including employees working well under a month and whose email addresses would be hard to find in other ways.]
  3. From web pages.
    Spammers have programs which spider through web pages, looking for email addresses, e.g. email addresses contained in mailto: HTML tags [those you can click on and get a mail window opened]
    Some spammers even target their mail based on web pages. I've discovered a web page of mine appeared in Yahoo as some spammer harvested email addresses from each new page appearing in Yahoo and sent me a spam regarding that web page.
    A widely used technique to fight this technique is the 'poison' CGI script. The script creates a page with several bogus email addresses and a link to itself. Spammers' software visiting the page would harvest the bogus email addresses and follow up the link, entering an infinite loop polluting their lists with bogus email addresses.
    For more information about the poison script, see
    http://www.monkeys.com/wpoison/
  4. From various web and paper forms.
    Some sites request various details via forms, e.g. guest books & registrations forms. Spammers can get email addresses from those either because the form becomes available on the world wide web, or because the site sells / gives the emails list to others.
    Some companies would sell / give email lists filled in on paper forms, e.g. organizers of conventions would make a list of participants' email addresses, and sell it when it's no longer needed.
    Some spammers would actually type E-mail addresses from printed material, e.g. professional directories & conference proceedings.
    Domain name registration forms are a favourite as well - addresses are most usually correct and updated, and people read the emails sent to them expecting important messages.
  5. Via an Ident daemon.
    Many unix computers run a daemon (a program which runs in the background, initiated by the system administrator), intended to allow other computers to identify people who connect to them.
    When a person surfs from such a computer connects to a web site or news server, the site or server can connect the person's computer back and ask that daemon's for the person's email address.
    Some chat clients on PCs behave similarly, so using IRC can cause an email address to be given out to spammers.
  6. From a web browser.
    Some sites use various tricks to extract a surfer's email address from the web browser, sometimes without the surfer noticing it. Those techniques include :
    1. Making the browser fetch one of the page's images through an anonymous FTP connection to the site.
      Some browsers would give the email address the user has configured into the browser as the password for the anonymous FTP account. A surfer not aware of this technique will not notice that the email address has leaked.
    2. Using JavaScript to make the browser send an email to a chosen email address with the email address configured into the browser.
      Some browsers would allow email to be sent when the mouse passes over some part of a page. Unless the browser is properly configured, no warning will be issued.
    3. Using the HTTP_FROM header that browsers send to the server.
      Some browsers pass a header with your email address to every web server you visit. To check if your browser simply gives your email address to everybody this way, visit
      http://www.cs.rochester.edu/u/ferguson/BrowserCheck.cgi
      It's worth noting here that when one reads E-mail with a browser (or any mail reader that understands HTML), the reader should be aware of active content (Java applets, Javascript, VB, etc) as well as web bugs.
      An E-mail containing HTML may contain a script that upon being read (or even the subject being highlighted) automatically sends E-mail to any E-mail addresses. A good example of this case is the Melissa virus. Such a script could send the spammer not only the reader's E-mail address but all the addresses on the reader's address book.
      http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
      A web bugs FAQ by Richard M. Smith can be read at
      http://www.tiac.net/users/smiths/privacy/wbfaq.htm
  7. From IRC and chat rooms.
    Some IRC clients will give a user's email address to anyone who cares to ask it. Many spammers harvest email addresses from IRC, knowing that those are 'live' addresses and send spam to those email addresses.
    This method is used beside the annoying IRCbots that send messages interactively to IRC and chat rooms without attempting to recognize who is participating in the first place.
    This is another major source of email addresses for spammers, especially as this is one of the first public activities newbies join, making it easy for spammers to harvest 'fresh' addresses of people who might have very little experience dealing with spam.
    AOL chat rooms are the most popular of those - according to reports there's a utility that can get the screen names of participants in AOL chat rooms. The utility is reported to be specialized for AOL due to two main reasons - AOL makes the list of the actively participating users' screen names available and AOL users are considered prime targets by spammers due to the reputation of AOL as being the ISP of choice by newbies.
  8. From finger daemons.
    Some finger daemons are set to be very friendly - a finger query asking for john@host will produce list info including login names for all people named John on that host. A query for @host will produce a list of all currently logged-on users.
    Spammers use this information to get extensive users list from hosts, and of active accounts - ones which are 'live' and will read their mail soon enough to be really attractive spam targets.
  9. AOL profiles.
    Spammers harvest AOL names from user profiles lists, as it allows them to 'target' their mailing lists. Also, AOL has a name being the choice ISP of newbies, who might not know how to recognize scams or know how to handle spam.
  10. From domain contact points.
    Every domain has one to three contact points - administration, technical, and billing. The contact point includes the email address of the contact person.
    As the contact points are freely available, e.g. using the 'whois' command, spammers harvest the email addresses from the contact points for lists of domains (the list of domain is usually made available to the public by the domain registries). This is a tempting methods for spammers, as those email addresses are most usually valid and mail sent to it is being read regularly.
  11. By guessing and cleaning.
    Some spammers guess email addresses, send a test message (or a real spam) to a list which includes the guessed addresses. Then they wait for either an error message to return by email, indicating that the email address is correct, or for a confirmation. A confirmation could be solicited by inserting non-standard but commonly used mail headers requesting that the delivery system and/or mail client send a confirmation of delivery or reading. No news are, of course, good news for the spammer.
    Specifically, the headers are -
     Return-Receipt-To: which causes a delivery confirmation to be sent, and
     X-Confirm-Reading-To: which causes a reading confirmation to be sent.
    Another method of confirming valid email addresses is sending HTML in the email's body (that is sending a web page as the email's content), and embedding in the HTML an image. Mail clients that decode HTML, e.g. as Outlook and Eudora do in the preview pane, will attempt fetching the image - and some spammers put the recipient's email address in the image's URL, and check the web server's log for the email addresses of recipients who viewed the spam.
    So it's good advice to set the mail client to *not* preview rich media emails, which would protect the recipient from both accidentally confirming their email addresses to spammers and viruses.
    Guessing could be done based on the fact that email addresses are based on people's names, usually in commonly used ways (first.last@domain or an initial of one name followed / preceded by the other @domain)
    Also, some email addresses are standard - postmaster is mandated by the RFCs for internet mail. Other common email addresses are postmaster, hostmaster, root [for unix hosts], etc.
  12. From white & yellow pages.
    There are various sites that serve as white pages, sometimes named people finders web sites. Yellow pages now have an email directory on the web.
    Those white/yellow pages contain addresses from various sources, e.g. from UseNet, but sometimes your E-mail address will be registered for you. Example - HotMail will add E-mail addresses to BigFoot by default, making new addresses available to the public.
    Spammers go through those directories in order to get email addresses. Most directories prohibit email address harvesting by spammers, but as those databases have a large databases of email addresses + names, it's a tempting target for spammers.
  13. By having access to the same computer.
    If a spammer has an access to a computer, he can usually get a list of valid usernames (and therefore email addresses) on that computer.
    On unix computers the users file (/etc/passwd) is commonly world readable, and the list of currently logged-in users is listed via the 'who' command.
  14. From a previous owner of the email address.
    An email address might have been owned by someone else, who disposed of it. This might happen with dialup usernames at ISPs - somebody signs up for an ISP, has his/her email address harvested by spammers, and cancel the account. When somebody else signs up with the same ISP with the same username, spammers already know of it.
    Similar things can happen with AOL screen names - somebody uses a screen name, gets tired of it, releases it. Later on somebody else might take the same screen name.
  15. Using social engineering.
    This method means the spammer uses a hoax to convince people into giving him valid E-mail addresses.
    A good example is Richard Douche's "Free CD's" chain letter. The letter promises a free CD for every person to whom the letter is forwarded to as long as it is CC'ed to Richard.
    Richard claimed to be associated with Amazon and Music blvd, among other companies, who authorized him to make this offer. Yet he supplied no references to web pages and used a free E-mail address.
    All Richard wanted was to get people to send him valid E-mail addresses in order to build a list of addresses to spam and/or sell.
  16. From the address book and emails on other people's computers.
    Some viruses & worms spread by emailing themselves to all the email addresses they can find in the email address book. As some people forward jokes and other material by email to their friends, putting their friends' email addresses on either the To: or Cc: fields, rather than the BCc: field, some viruses and worms scan the mail folders for email addresses that are not in the address book, in hope to hit addresses the computer owner's friends' friends, friends' friends' friends, etc.
    If it wasn't already done, it's just a matter of time before such malware will not only spam copies of itself, but also send the extracted list of email addresses to its creator.
    As invisible email addresses can't be harvested, it's good advice to have the email addresses of recipients of jokes & the like on BCc:, and if forwarded from somebody else remove from the email's body all the email addresses inserted by the previous sender.
  17. Buying lists from others.
    This one covers two types of trades. The first type consists of buying a list of email addresses (often on CD) that were harvested via other methods, e.g. someone harvesting email addresses from UseNet and sells the list either to a company that wishes to advertise via email (sometimes passing off the list as that of people who opted-in for emailed advertisements) or to others who resell the list.
    The second type consists of a company who got the email addresses legitimately (e.g. a magazine that asks subscribers for their email in order to keep in touch over the Internet) and sells the list for the extra income. This extends to selling of email addresses a company got via other means, e.g. people who just emailed the company with inquiries in any context.
    The third type consist of technical staff selling the email address for money to spammers. There was a news story about an AOL employee who sold AOL email addresses to a spammer.
  18. By hacking into sites.
    I've heard rumours that sites that supply free email addresses were hacked in order to get the list of email addresses, somewhat like e-commerce sites being hacked to get a list of credit cards.
If your address was harvested and you get spammed, the following pages could assist you in tracking the spammer down :
  1. MindSpring's page explaining how to get an email's headers
    http://help.mindspring.com/features/emailheaders/extended.htm
  2. The spam FAQ, maintained by Ken Hollis.
    http://gandalf.home.digital.net/spamfaq.html
  1. The Reporting Spam page, an excellent resource.
    http://www.ao.net/waytosuccess/
  1. Reading Mail headers.
    http://www.stopspam.org/email/headers/headers.html
  2. Julian Haight's Spam Cop page.
    http://spamcop.net/
  1. Chris Hibbert's Junk Mail FAQ.
    http://www.fortnet.org/WidowNet/faqs/junkmail.htm
  1. Sam Spade, Spam hunter.
    http://samspade.org/
  1. WD Baseley's Address Munging FAQ
    http://members.aol.com/emailfaq/mungfaq.html
  1. Fight Spam on the Internet site
    http://spam.abuse.net/
  2. The Spam Recycling Center
    http://www.spamrecycle.com/
  3. The Junk Busters Site
    http://www.junkbusters.com/
  1. The Junk Email site
    http://www.junkemail.org/
  1. BCP 30: Anti-Spam Recommendations for SMTP MTAs
    http://www.faqs.org/rfcs/bcp/bcp30.html
  1. FYI 28: Netiquette Guidelines
    http://www.faqs.org/rfcs/fyi/fyi28.html

    FYI 35: DON'T SPEW
    A Set of Guidelines for Mass Unsolicited Mailings and Postings
    http://www.faqs.org/rfcs/fyi/fyi35.html
Several sites on the web will help in tracing spam :
  1. Pete Bowden's list of traceroute gateways
    http://www.missing.com/traceroute.html
    To find traceroute gateways in any country, visit here.
    http://www.traceroute.org/
  1. Allwhois.com gates to whois on any domain world-wide
    http://www.allwhois.org/
  1. Alldomains.com site - links to NICs worldwide.
    http://www.alldomains.com/
    A similar page can be found at
    http://www.forumnett.no/domreg.html
  1. The Coalition Against Unsolicited Commercial E-mail.
    http://www.cauce.org/
    The European CAUCE.
    http://www.euro.cauce.org/en/index.html
    The Coalition Against Unsolicited Bulk Email, Australia.
    http://www.caube.org.au/
    The Russian Anti-Spam organization.
    http://www.antispam.ru/
  1. No More Spam - ISP Spam-Blocking Interferes With Business
    http://www.byte.com/columns/digitalbiz/1999/04/0405coombs.html
  2. Removing the Spam, By Geoff Mulligan, Published by Addison Wesley, ISBN 0-201-37957-0
    A good book about handling spam.
Legal resources :
  1. FTC Consumer Alert - FTC Names Its Dirty Dozen: 12 Scams Most Likely to Arrive Via Bulk email
    http://www.ftc.gov/bcp/conline/pubs/alerts/doznalrt.htm
  2. Report to the Federal Trade Commission of the Ad-Hoc Working Group on Unsolicited Commercial Mail. http://www.cdt.org/paper/report-federal-trade-commission-ad-hoc-working-group-unsolicited-commercial-email?quicktabs_4=1
  3. Pyramid Schemes, Ponzi Schemes, and Related Frauds
    http://www.impulse.net/~thebob/Pyramid.html
  1. The AOL vs. Cyberpromo case
    http://legal.web.aol.com/decisions/dljunk/cyber.html

    Nine New Lawsuits Press Release.
    http://legal.web.aol.com/decisions/dljunk/ninepress.html
  1. "Intel scores in email suit", by Jim Hu, CNET News.com.
    http://www.news.com/News/Item/0,4,29574,00.html?st.ne.ni.lh
  2. The John Marshall Law School spam page
    http://www.jmls.edu/cyber/index/spam.html
  1. First amendment issues related to UBE, by Paul L. Schmehl.
    http://www.utdallas.edu/~pauls/spam_law.html
  2. U.S. Anti-Spam Laws
    http://www.the-dma.org/antispam/statespamlaws.shtml
  1. The UK Data Protection Law
    http://www.dataprotection.gov.uk/
  1. The Italian Anti-Spam Law
    http://www.parlamento.it/parlam/leggi/deleghe/99185dl.htm
  1. The Austrian Telecom Law
    http://www.parlament.gv.at/pd/pm/XX/I/texte/020/I02064_.html
  1. The Norwegian Marketing Control Act
    http://www.forbrukerombudet.no/id/11039810.0




Military Encryption-Breaking Computer Project Exposed

{This is an article from "The Intercept" with the url https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/. The reason to include it in this blog is to demonstrate that the "deep state" is both insecure with respect to its weapons for cyberwarfare and that it is developing tools to defeat all methods of privacy. The combination is sobering with respect to individual and group rights and safety. I'm not saying that the work is bad, but that there are bad people in the deep state that have agendas that include stupidity and political ends, both to the detriment of the us. If I have a comment about the text, based on my experience with these technologies, I will comment in brackets.}

In early December 2016, Adam was doing what he’s always doing, somewhere between hobby and profession: looking for things that are on the internet that shouldn’t be. That week, he came across a server inside New York University’s famed Institute for Mathematics and Advanced Supercomputing, headed by the brilliant Chudnovsky brothers, David and Gregory. The server appeared to be an internet-connected backup drive. But instead of being filled with family photos and spreadsheets, this drive held confidential information on an advanced code-breaking machine that had never before been described in public. Dozens of documents spanning hundreds of pages detailed the project, a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. And they were available for the entire world to download.

The supercomputer described in the trove, “WindsorGreen,” was a system designed to excel at the sort of complex mathematics that underlies encryption, the technology that keeps data private, and almost certainly intended for use by the Defense Department’s signals intelligence wing, the National Security Agency. WindsorGreen was the successor to another password-cracking machine used by the NSA, “WindsorBlue,” which was also documented in the material leaked from NYU and which had been previously described in the Norwegian press thanks to a document provided by National Security Agency whistleblower Edward Snowden. Both systems were intended for use by the Pentagon and a select few other Western governments, including Canada and Norway.

Adam, an American digital security researcher, requested that his real name not be published out of fear of losing his day job. Although he deals constantly with digital carelessness, Adam was nonetheless stunned by what NYU had made available to the world. “The fact that this software, these spec sheets, and all the manuals to go with it were sitting out in the open for anyone to copy is just simply mind blowing,” he said.

He described to The Intercept how easy it would have been for someone to obtain the material, which was marked with warnings like “DISTRIBUTION LIMITED TO U.S. GOVERNMENT AGENCIES ONLY,” “REQUESTS FOR THIS DOCUMENT MUST BE REFERRED TO AND APPROVED BY THE DOD,” and “IBM Confidential.” At the time of his discovery, Adam wrote to me in an email:
“All of this leaky data is courtesy of what I can only assume are misconfigurations in the IMAS (Institute for Mathematics and Advanced Supercomputing) department at NYU. Not even a single username or password separates these files from the public internet right now. It’s absolute insanity.”
The files were taken down after Adam notified NYU.

Intelligence agencies like the NSA hide code-breaking advances like WindsorGreen because their disclosure might accelerate what has become a cryptographic arms race. Encrypting information on a computer used to be a dark art shared between militaries and mathematicians. But advances in cryptography, and rapidly swelling interest in privacy in the wake of Snowden, have helped make encryption tech an effortless, everyday commodity for consumers. Web connections are increasingly shielded using the HTTPS protocol, end-to-end encryption has come to popular chat platforms like WhatsApp, and secure phone calls can now be enabled simply by downloading some software to your device. The average person viewing their checking account online or chatting on iMessage might not realize the mathematical complexity that’s gone into making eavesdropping impractical.

The spread of encryption is a good thing — unless you’re the one trying to eavesdrop. Spy shops like the NSA can sometimes thwart encryption by going around it, finding flaws in the way programmers build their apps or taking advantage of improperly configured devices. When that fails, they may try and deduce encryption keys through extraordinarily complex math or repeated guessing. This is where specialized systems like WindsorGreen can give the NSA an edge, particularly when the agency’s targets aren’t aware of just how much code-breaking computing power they’re up against.
Adam declined to comment on the specifics of any conversations he might have had with the Department of Defense or IBM. He added that NYU, at the very least, expressed its gratitude to him for notifying it of the leak by mailing him a poster.

While he was trying to figure out who exactly the Windsor files belonged to and just how they’d wound up on a completely naked folder on the internet, Adam called David Chudnovsky, the world-renowned mathematician and IMAS co-director at NYU. Reaching Chudnovsky was a cinch, because his entire email outbox, including correspondence with active members of the U.S. military, was for some reason stored on the NYU drive and made publicly available alongside the Windsor documents. According to Adam, Chudnovsky confirmed his knowledge of and the university’s involvement in the supercomputing project; The Intercept was unable to reach Chudnovsky directly to confirm this. The school’s association is also strongly indicated by the fact that David’s brother Gregory, himself an eminent mathematician and professor at NYU, is listed as an author of a 164-page document from the cache describing the capabilities of WindsorGreen in great detail. Although the brothers clearly have ties to WindsorGreen, there is no indication they were responsible for the leak. Indeed, the identity of the person or persons responsible for putting a box filled with military secrets on the public internet remains utterly unclear.

An NYU spokesperson would not comment on the university’s relationship with the Department of Defense, IBM, or the Windsor programs in general. When The Intercept initially asked about WindsorGreen the spokesperson seemed unfamiliar with the project, saying they were “unable to find anything that meets your description.” This same spokesperson later added that “no NYU or NYU Tandon system was breached,” referring to the Tandon School of Engineering, which houses the IMAS. This statement is something of a non sequitur, since, according to Adam, the files leaked simply by being exposed to the open internet — none of the material was protected by a username, password, or firewall of any kind, so no “breach” would have been necessary. You can’t kick down a wide open door.

The documents, replete with intricate processor diagrams, lengthy mathematical proofs, and other exhaustive technical schematics, are dated from 2005 to 2012, when WindsorGreen appears to have been in development. Some documents are clearly marked as drafts, with notes that they were to be reviewed again in 2013. Project progress estimates suggest the computer wouldn’t have been ready for use until 2014 at the earliest. All of the documents appear to be proprietary to IBM and not classified by any government agency, although some are stamped with the aforementioned warnings restricting distribution to within the U.S. government. According to one WindsorGreen document, work on the project was restricted to American citizens, with some positions requiring a top-secret security clearance — which as Adam explains, makes the NYU hard drive an even greater blunder:
“Let’s, just for hypotheticals, say that China found the same exposed NYU lab server that I did and downloaded all the stuff I downloaded. That simple act alone, to a large degree, negates a humongous competitive advantage we thought the U.S. had over other countries when it comes to supercomputing.”
The only tool Adam used to find the NYU trove was Shodan.io, a website that’s roughly equivalent to Google for internet-connected, and typically unsecured, computers and appliances around the world, famous for turning up everything from baby monitors to farming equipment. Shodan has plenty of constructive technical uses but also serves as a constant reminder that we really ought to stop plugging things into the internet that have no business being there.

The WindsorGreen documents are mostly inscrutable to anyone without a Ph.D. in a related field, but they make clear that the computer is the successor to WindsorBlue, a next generation of specialized IBM hardware that would excel at cracking encryption, whose known customers are the U.S. government and its partners.

Experts who reviewed the IBM documents said WindsorGreen possesses substantially greater computing power than WindsorBlue, making it particularly adept at compromising encryption and passwords. In an overview of WindsorGreen, the computer is described as a “redesign” centered around an improved version of its processor, known as an “application specific integrated circuit,” or ASIC, a type of chip built to do one task, like mining bitcoin, extremely well, as opposed to being relatively good at accomplishing the wide range of tasks that, say, a typical MacBook would handle. One of the upgrades was to switch the processor to smaller transistors, allowing more circuitry to be crammed into the same area, a change quantified by measuring the reduction in nanometers (nm) between certain chip features. The overview states:

“The WindsorGreen ASIC is a second-generation redesign of the WindsorBlue ASIC that moves from 90 nm to 32 nm ASIC technology and incorporates performance enhancements based on our experience with WindsorBlue. We expect to achieve at least twice the performance of the WindsorBlue ASIC with half the area, reduced cost, and an objective of half the power. We also expect our system development cost to be only a small fraction of the WindsorBlue development cost because we carry forward intact much of the WindsorBlue infrastructure.”

{I specialized in ASIC design, development, and testing during my IBM career. 32 nm is old. The current technology is 10nm, represented by the Intel Cannonlake line. I think this level, 10nm, is just a shrink. More stuff might fit on a chip (die), but there are no fundamental changes from the previous generation. What this points out is that, especially with ASIC, the technology discussed here is "ancient." ASIC especially benefits from dimension shrinkage. My guess is that each chip has several RISC processors on it with control circuitry. (RISC processors were first used in commodity manufacturing in the early Mac computers. Today they are common in cell phones.) You can think of these computers as essentially a collection of fancy graphics cards, such as the ones produced by NVIDIA. I haven't included the pictures that go with this article, but they show "cooling." CMOS runs low power, typically requiring only air cooling. Is this showing water cooling? If so, then these ASICs probably have some specialized super high speed circuits of the "bipolar technology." ASICs can mix CMOS and bipolar.}

Çetin Kaya Koç is the director of the Koç Lab at the University of California, Santa Barbara, which conducts cryptographic research. Koç reviewed the Windsor documents and told The Intercept that he has “not seen anything like [WindsorGreen],” and that “it is beyond what is commercially or academically available.” He added that outside of computational biology applications like complex gene sequencing (which it’s probably safe to say the NSA is not involved in), the only other purpose for such a machine would be code-breaking: “Probably no other problem deserves this much attention to design an expensive computer like this.” {No, image processing would be another option, such as massive facial recognition for an entire city.  In general, this configuration is a "cellular automaton."  Think of commanding a highly sophisticated attack by a swarm of drones.  Each drone is essentially a node of this computer.  Another very likely application is in the DeepDive project.}

Andrew “Bunnie” Huang, a hacker and computer hardware researcher who reviewed the documents at The Intercept’s request, said that WindsorGreen would surpass many of the most powerful code-breaking systems in the world: “My guess is this thing, compared to the TOP500 supercomputers at the time (and probably even today) pretty much wipes the floor with them for anything crypto-related.” Conducting a “cursory inspection of power and performance metrics,” according to Huang, puts WindsorGreen “heads and shoulders above any publicly disclosed capability” on the TOP500, a global ranking of supercomputers. Like all computers that use specialized processors, or ASICs, WindsorGreen appears to be a niche computer that excels at one kind of task but performs miserably at anything else. Still, when it comes to crypto-breaking, Huang believes WindsorGreen would be “many orders of magnitude … ahead of the fastest machines I previously knew of.”

{You'll probably have noticed all the talk about AI (artificial intelligence). The quote above is inaccurate. AI will be and has been implemented by architectures such as this. I know, I built several during my career. They are general purpose computers; they just work in a different way. More like neurons communicating with each other; hence the AI theme.}

But even with expert analysis, no one beyond those who built the thing can be entirely certain of how exactly an agency like the NSA might use WindsorGreen. To get a better sense of why a spy agency would do business with IBM, and how WindsorGreen might evolve into WindsorOrange (or whatever the next generation may be called), it helps to look at documents provided by Snowden that show how WindsorBlue was viewed in the intelligence community. Internal memos from Government Communications Headquarters, the NSA’s British counterpart, show that the agency was interested in purchasing WindsorBlue as part of its High Performance Computing initiative, which sought to help with a major problem: People around the world were getting too good at keeping unwanted eyes out of their data.

Under the header “what is it, and why,” one 2012 HPC document explains, “Over the past 18 months, the Password Recovery Service has seen rapidly increasing volumes of encrypted traffic … the use of much greater range of encryption techniques by our targets, and improved sophistication of both the techniques themselves and the passwords targets are using (due to improved OPSec awareness).” Accordingly, GCHQ had begun to “investigate the acquisition of WINDSORBLUE … and, subject to project board approval, the procurement of the infrastructure required to host the a [sic] WINDSORBLUE system at Benhall,” where the organization is headquartered.

Among the Windsor documents on the NYU hard drive was an illustration of an IBM computer codenamed “Cyclops,” (above) which appears to be a WindsorBlue/WindsorGreen predecessor. A GCHQ document provided by Snowden (below) describes Cyclops as an “NSA/IBM joint development.”

In April 2014, Norway’s Dagbladet newspaper reported that the Norwegian Intelligence Service had purchased a cryptographic computer system code-named STEELWINTER, based on WindsorBlue, as part of a $100 million overhaul of the agency’s intelligence-processing capabilities. The report was based on a document provided by Snowden.

The document does not say when the computer will be delivered, but in addition to the actual purchase, NIS has entered into a partnership with NSA to develop software for decryption. Some of the most interesting data NIS collects are encrypted, and the extensive processes for decryption require huge amounts of computing power.

Widespread modern encryption methods like RSA, named for the initials of the cryptographers who developed it, rely on the use of hugely complex numbers derived from prime numbers. Speaking very roughly, so long as those original prime numbers remain secret, the integrity of the encoded data will remain safe. But were someone able to factor the hugely complex number — a process identical to the sort of math exercise children are taught to do on a chalkboard, but on a massive scale — they would be able to decode the data on their own. Luckily for those using encryption, the numbers in question are so long that they can only be factored down to their prime numbers with an extremely large amount of computing power. Unluckily for those using encryption, government agencies in the U.S., Norway, and around the globe are keenly interested in computers designed to excel at exactly this purpose.

Given the billions of signals intelligence records collected by Western intelligence agencies every day, enormous computing power is required to sift through this data and crack what can be broken so that it can be further analyzed, whether through the factoring method mentioned above or via what’s known as a “brute force” attack, wherein a computer essentially guesses possible keys at a tremendous rate until one works. The NIS commented only to Dagbladet that the agency “handles large amounts of data and needs a relatively high computing power.” Details about how exactly such “high computing power” is achieved are typically held very close — finding hundreds of pages of documentation on a U.S. military code-breaking box, completely unguarded, is virtually unheard of.
A very important question remains: What exactly could WindsorBlue, and then WindsorGreen, crack? Are modern privacy mainstays like PGP, used to encrypt email, or the ciphers behind encrypted chat apps like Signal under threat? The experts who spoke to The Intercept don’t think there’s any reason to assume the worst.

“As long as you use long keys and recent-generation hashes, you should be OK,” said Huang. “Even if [WindsorGreen] gave a 100x advantage in cracking strength, it’s a pittance compared to the additional strength conferred by going from say, 1024-bit RSA to 4096-bit RSA or going from SHA-1 to SHA-256.”

Translation: Older encryption methods based on shorter strings of numbers, which are easier to factor, would be more vulnerable, but anyone using the strongest contemporary encryption software (which uses much longer numbers) should still be safe and confident in their privacy.
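Huang's comparison can be put in rough numbers. The following is an added example, not part of The Intercept article or the documents it describes: it uses the standard heuristic cost of the general number field sieve with the o(1) term dropped (so the figures are relative estimates, not predictions), treats the 100x speed-up as the hypothetical from the quote, and the 112-bit target in the usage lines is an assumed policy value.

```python
import math

# Heuristic cost of factoring N with the general number field sieve (GNFS):
#   exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)),  c = (64/9)^(1/3)
# Assumption: the o(1) term is dropped, so results are only good for
# comparing key sizes against each other, not for absolute predictions.
_GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_bits(modulus_bits: int) -> float:
    """Estimated factoring work for an RSA modulus, as log2(operations)."""
    ln_n = modulus_bits * math.log(2)
    work_nats = _GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_nats / math.log(2)


def speedup_bits(factor: float) -> float:
    """How many bits of work a hardware speed-up of `factor` removes."""
    return math.log2(factor)


def effective_bits(modulus_bits: int, speedup: float = 1.0) -> float:
    """Remaining work against an attacker who is `speedup` times faster."""
    return gnfs_bits(modulus_bits) - speedup_bits(speedup)


def birthday_bits(digest_bits: int) -> float:
    """Generic collision work for an ideal hash (birthday bound).
    A hash with known cryptanalytic weaknesses falls below this bound."""
    return digest_bits / 2


def smallest_modulus(target_bits: float, speedup: float = 1.0,
                     step: int = 256, limit: int = 16384) -> int:
    """Smallest modulus size (multiple of `step`) that still leaves
    `target_bits` of work after the assumed speed-up."""
    for bits in range(1024, limit + 1, step):
        if effective_bits(bits, speedup) >= target_bits:
            return bits
    raise ValueError("no modulus size up to the limit meets the target")


def report(speedup: float = 100.0):
    """(modulus bits, estimated work, work left after speed-up) per size."""
    return [(b, round(gnfs_bits(b), 1), round(effective_bits(b, speedup), 1))
            for b in (1024, 2048, 3072, 4096)]


if __name__ == "__main__":
    print(f"a 100x speed-up removes {speedup_bits(100):.2f} bits of work")
    for bits, plain, reduced in report(100.0):
        print(f"RSA-{bits}: ~2^{plain} work, ~2^{reduced} after 100x")
    gain = gnfs_bits(4096) - gnfs_bits(1024)
    print(f"1024 -> 4096 bits adds ~{gain:.1f} bits of work")
    print("SHA-1 -> SHA-256 adds",
          birthday_bits(256) - birthday_bits(160), "bits (generic bound)")
    # Assumed policy target of 112 bits, with and without the speed-up.
    print("min modulus, no speed-up:", smallest_modulus(112))
    print("min modulus, 100x speed-up:", smallest_modulus(112, 100))
```

On these estimates the hypothetical 100x advantage is worth under 7 bits, while moving from 1024-bit to 4096-bit RSA adds roughly 70.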

Still, “there are certainly classes of algorithms that got, wildly guessing, about 100x weaker from a brute force standpoint,” according to Huang, so “this computer’s greatest operational benefit would have come from a combination of algorithmic weakness and brute force. For example, SHA-1, which today is well-known to be too weak, but around the time of 2013 when this computer might have come online, it would have been pretty valuable to be able to ‘routinely’ collide SHA-1 as SHA-1 was still very popular and widely used.”

A third expert in computer architecture and security, who requested anonymity due to the sensitivity of the documents and a concern for their future livelihood, told The Intercept that “most likely, the system is intended for brute-forcing password-protected data,” and that it “might also have applications for things like … breaking older/weaker (1024 bit) RSA keys.” Although there’s no explicit reference to a particular agency in the documents, this expert added, “I’m assuming NSA judging by the obvious use of the system.”

Huang and Koç both speculated that aside from breaking encryption, WindsorGreen could be used to fake the cryptographic signature used to mark software updates as authentic, so that a targeted computer could be tricked into believing a malicious software update was the real thing. For the NSA, getting a target to install software they shouldn’t be installing is about as great as intelligence-gathering gifts come.

The true silver bullet against encryption, a technology that doesn’t just threaten weaker forms of data protection but all available forms, will not be a computer like WindsorGreen, but something that doesn’t exist yet: a quantum computer. In 2014, the Washington Post reported on a Snowden document that revealed the NSA’s ongoing efforts to build a “quantum” computer processor that’s not confined to just ones and zeroes but can exist in multiple states at once, allowing for computing power incomparable to anything that exists today. Luckily for the privacy concerned, the world is still far from seeing a functional quantum computer. Luckily for the NSA and its partners, IBM is working hard on one right now. {See https://www.engadget.com/2017/05/17/ibm-quantum-q-experience-qubits-most-powerful-processor-yet/ for the latest as of this post.}

Repeated requests for comment sent to over a dozen members of the IBM media relations team were not returned, nor was a request for comment sent to a Department of Defense spokesperson. The NSA declined to comment. GCHQ declined to comment beyond its standard response that all its work “is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight.”

WannaCry Ransomware Discussion

WannaCry Ransomware

These are the "observations" as of this writing. Note that I have rated each "fact" as to the plausibility:
  • not likely (N)
  • speculative (S)
  • plausible (P)
  • likely (L)
  • true (T)
For the best technical discussion, go to https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-info-and-technical-nose-dive/

Observations

  • The WannaCry Ransomware was a worm (T) (1)
  • It got on to computers through users clicking on a link in an email (T)
  • It encrypted data (T). Note that encryption takes time, so it is likely that the worm did not make itself known immediately. (L)
  • It demanded $300 to unlock the data (T). After a definite time, it increased the demand to double. (T) There are conflicting reports on whether or not the WannaCry creators unlocked the data if the ransom was paid (T).
  • It locked the screen and could not be killed through the normal Ransomware kill methods taught in class (T). That is because it was a separate program (worm) and not a hack of a browser. (T)
  • It exploited a Microsoft operating system vulnerability that NSA knew about (T) but Microsoft did not know about or didn't care to fix (P).
  • The vulnerability was at least in Windows XP. (T) (2) I haven't found any references to later releases. (T) What confounds me is that Microsoft stopped providing support for XP in 2014. (T) (3) I just don't understand the -- yes: stupidity -- of people who think they can continue to use XP. (P) This apparently includes very large organizations, including national organizations. (T) Good Grief!
  • WannaCry apparently exploited the lack of firewalls on individual computers on the network in order to infect all the computers on that network (L).
  • WannaCry was implemented using some tools stolen from NSA by a hacker "group" called Shadow Brokers (T) (1). This group likely includes at least one member who works for the US Government or one of its contractors (L) (1). The leaks/espionage from the "deep state" have remarkably increased since the last election. (T) There is a likelihood that phone communication will become insecure, as well as any personal information retained by the US Government. (P)

Lessons Learned

Most of these lessons underscore what has been discussed in previous blog posts and in my IoT Security Class.
  • Don't click on links that go to places you don't recognize
    • Hover over the link to see what it is
    • If it is a "tiny url" use a tiny url inspector (web site or extension) to get the true destination
    • Though tedious, use black and white list extensions to guard against going to bad sites. Use WOT or other security inspector to inspect urls. Security suites offer some support as well, but don't count on them to protect you.
    • Resist the temptation
  • If you still use XP, then stay off the internet! Period. (3)
    • If you want to use the internet, get a better operating system.
    • If you want to keep your computer, then switch to an efficient and relatively secure Linux Distro like Ubuntu or Mint.
  • Keep up with system updates
  • Use a continuous backup scheme to back up your data. This is likely to require that you use (pay for) a commercial cloud backup or have the discipline to use Google Drive or Microsoft OneDrive.
  • On a reasonable schedule, after assuring your device is clean, back up an image of your device
  • Use a firewall, even if you are on a local network and you connect to a router.
    • For Windows, the Windows Firewall for Windows 10 is fine. Otherwise, use a security suite that has a firewall or download a standalone soft firewall, such as Comodo. Study how to effectively use a firewall.
  • This is a subtle lesson, more based on my experience with how this kind of thing usually happens than any "knock on the side of the head revelation." I find that if you are using your computer for business as well as pleasure, then completely separate your business from pleasure. Do NOT use a business device for pleasure.
    • Don't do personal email from your business device.
    • Don't browse for personal purposes from your business device.
    • Don't download any application.
    • Don't put personal flash drives in your business device.
  • These lessons learned are not just for Microsoft users! They apply to the entire IoT, including iOS, OS X, Android, and Linux Distros.
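The "hover over the link" and "tiny url" lessons above can also be checked mechanically. This is an added example, not from the original post: it compares the address a link displays with the address it actually targets in an HTML message and flags shortened targets. The flag names, the shortener list and the sample message (built on reserved example domains and a documentation IP range) are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a small sample of well-known shortener hosts; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Visible link text that itself looks like a web address.
_URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_links(html):
    """Return one dict per link: what it shows, where it goes, and flags."""
    collector = _AnchorCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href)
            host, has_user = _strip_www(parts.hostname or ""), parts.username is not None
        except ValueError:            # malformed target, e.g. a bad IPv6 literal
            host, has_user = "", False
        flags = []
        shown = _URLISH.match(text)
        if shown:
            shown_host = _strip_www(shown.group(1))
            # The real host must be the shown host or one of its subdomains.
            if host != shown_host and not host.endswith("." + shown_host):
                flags.append("text-target-mismatch")
        if host in SHORTENERS:
            flags.append("shortener")            # true destination is hidden
        if _is_ip(host):
            flags.append("ip-literal-host")
        if has_user:
            flags.append("userinfo-in-url")      # text before '@' is not the host
        results.append({"text": text, "href": href, "host": host, "flags": flags})
    return results


# Constructed sample message for the demonstration.
SAMPLE_EMAIL = """
<p>Invoice: <a href="http://billing.example.net/login">www.example.com/invoice</a></p>
<p>Track it: <a href="https://tinyurl.com/constructed1">tracking page</a></p>
<p>Help: <a href="https://support.example.com/help">example.com/help</a></p>
<p>Reset: <a href="http://192.0.2.10/reset">reset your password</a></p>
<p>Sign in: <a href="https://example.com@login.example.org/">Sign in</a></p>
"""

if __name__ == "__main__":
    for link in inspect_links(SAMPLE_EMAIL):
        print(f"{link['text']!r} -> {link['host']} {link['flags'] or 'ok'}")
```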
References
  1. http://www.mcclatchydc.com/news/nation-world/national/national-security/article150827507.html
  2. https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/
  3. https://www.wired.com/2017/05/still-use-windows-xp-prepare-worst/

A Brief History of Malware: The First Through 2006

Before addressing the latest Ransomware attack, which I will do in a later blog, I find it instructive and interesting to look at the history of Malware.  This article appeared in the New York Times and I recommend it for background reading.

Worst Viruses of All Time (Limited to prior to 2010)


Computer viruses can be a nightmare. Some can wipe out the information on a hard drive, tie up traffic on a computer network for hours, turn an innocent machine into a zombie and replicate and send themselves to other computers. If you've never had a machine fall victim to a computer virus, you may wonder what the fuss is about. But the concern is understandable -- according to Consumer Reports, computer viruses helped contribute to $8.5 billion in consumer losses in 2008 [source: MarketWatch]. Computer viruses are just one kind of online threat, but they're arguably the best known of the bunch.

Computer viruses have been around for many years. In fact, in 1949, a scientist named John von Neumann theorized that a self-replicated program was possible [source: Krebs]. The computer industry wasn't even a decade old, and already someone had figured out how to throw a monkey wrench into the figurative gears. But it took a few decades before programmers known as hackers began to build computer viruses.
While some pranksters created virus-like programs for large computer systems, it was really the introduction of the personal computer that brought computer viruses to the public's attention. A doctoral student named Fred Cohen was the first to describe self-replicating programs designed to modify computers as viruses. The name has stuck ever since.
In the good old days (i.e., the early 1980s), viruses depended on humans to do the hard work of spreading the virus to other computers. A hacker would save the virus to disks and then distribute the disks to other people. It wasn't until modems became common that virus transmission became a real problem. Today when we think of a computer virus, we usually imagine something that transmits itself via the Internet. It might infect computers through e-mail messages or corrupted Web links. Programs like these can spread much faster than the earliest computer viruses.
We're going to take a look at 10 of the worst computer viruses to cripple a computer system. Let's start with the Melissa virus.

Melissa

In the spring of 1999, a man named David L. Smith created a computer virus based on a Microsoft Word macro. He built the virus so that it could spread through e-mail messages. Smith named the virus "Melissa," saying that he named it after an exotic dancer from Florida [source: CNN].
Rather than shaking its moneymaker, the Melissa computer virus tempts recipients into opening a document with an e-mail message like "Here is that document you asked for, don't show it to anybody else." Once activated, the virus replicates itself and sends itself out to the top 50 people in the recipient's e-mail address book.
The virus spread rapidly after Smith unleashed it on the world. The United States federal government became very interested in Smith's work -- according to statements made by FBI officials to Congress, the Melissa virus "wreaked havoc on government and private sector networks" [source: FBI]. The increase in e-mail traffic forced some companies to discontinue e-mail programs until the virus was contained.
After a lengthy trial process, Smith lost his case and received a 20-month jail sentence. The court also fined Smith $5,000 and forbade him from accessing computer networks without court authorization [source: BBC]. Ultimately, the Melissa virus didn't cripple the Internet, but it was one of the first computer viruses to get the public's attention.
Flavors of Viruses
In this article, we'll look at several different kinds of computer viruses. Here's a quick guide to what we'll see:
  • The general term computer virus usually covers programs that modify how a computer works (including damaging the computer) and can self-replicate. A true computer virus requires a host program to run properly -- Melissa used a Word document.
  • A worm, on the other hand, doesn't require a host program. It's an application that can replicate itself and send itself through computer networks.
  • Trojan horses are programs that claim to do one thing but really do another. Some might damage a victim's hard drive. Others can create a backdoor, allowing a remote user to access the victim's computer system.
Next, we'll look at a virus that had a sweet name but a nasty effect on its victims.

Old-school Viruses

Some of the earliest viruses to infect personal computers included the Apple Viruses, which attacked Apple II computers.

ILOVEYOU

A year after the Melissa virus hit the Internet, a digital menace emerged from the Philippines. Unlike the Melissa virus, this threat came in the form of a worm -- it was a standalone program capable of replicating itself. It bore the name ILOVEYOU.
The ILOVEYOU virus initially traveled the Internet by e-mail, just like the Melissa virus. The subject of the e-mail said that the message was a love letter from a secret admirer. An attachment in the e-mail was what caused all the trouble. The original worm had the file name of LOVE-LETTER-FOR-YOU.TXT.vbs. The vbs extension pointed to the language the hacker used to create the worm: Visual Basic Scripting [source: McAfee].
According to anti-virus software producer McAfee, the ILOVEYOU virus had a wide range of attacks:
  • It copied itself several times and hid the copies in several folders on the victim's hard drive.
  • It added new files to the victim's registry keys.
  • It replaced several different kinds of files with copies of itself.
  • It sent itself through Internet Relay Chat clients as well as e-mail.
  • It downloaded a file called WIN-BUGSFIX.EXE from the Internet and executed it. Rather than fix bugs, this program was a password-stealing application that e-mailed secret information to the hacker's e-mail address.
Who created the ILOVEYOU virus? Some think it was Onel de Guzman of the Philippines. Filipino authorities investigated de Guzman on charges of theft -- at the time the Philippines had no computer espionage or sabotage laws. Citing a lack of evidence, the Filipino authorities dropped the charges against de Guzman, who would neither confirm nor deny his responsibility for the virus. According to some estimates, the ILOVEYOU virus caused $10 billion in damages [source: Landler].
Now that the love fest is over, let's take a look at one of the most widespread viruses to hit the Web.

Gotcha!

As if viruses, worms and Trojan horses weren't enough, we also have to worry about virus hoaxes. These are fake viruses -- they don't actually cause any harm or replicate themselves. Instead, the creators of these viruses hope that people and media companies treat the hoax as if it were the real deal. Even though these hoaxes aren't immediately dangerous, they are still a problem. Like the boy who cried wolf, hoax viruses can cause people to ignore warnings about real threats.

The Klez Virus

Fortunately for consumers, there's no shortage of antivirus software suites on the market.

The Klez virus marked a new direction for computer viruses, setting the bar high for those that would follow. It debuted in late 2001, and variations of the virus plagued the Internet for several months. The basic Klez worm infected a victim's computer through an e-mail message, replicated itself and then sent itself to people in the victim's address book. Some variations of the Klez virus carried other harmful programs that could render a victim's computer inoperable. Depending on the version, the Klez virus could act like a normal computer virus, a worm or a Trojan horse. It could even disable virus-scanning software and pose as a virus-removal tool [source: Symantec].
Shortly after it appeared on the Internet, hackers modified the Klez virus in a way that made it far more effective. Like other viruses, it could comb through a victim's address book and send itself to contacts. But it could also take another name from the contact list and place that address in the "From" field in the e-mail client. It's called spoofing -- the e-mail appears to come from one source when it's really coming from somewhere else.
Spoofing an e-mail address accomplishes a couple of goals. For one thing, it doesn't do the recipient of the e-mail any good to block the person in the "From" field, since the e-mails are really coming from someone else. A Klez worm programmed to spam people with multiple e-mails could clog an inbox in short order, because the recipients would be unable to tell what the real source of the problem was. Also, the e-mail's recipient might recognize the name in the "From" field and therefore be more receptive to opening it.
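Because the "From" field is just text the sender chooses, a receiving system can compare it with the envelope sender and with the SPF, DKIM and DMARC results its own mail server recorded. The sketch below is an added example, not part of the original article; it assumes the receiving server writes Return-Path and Authentication-Results headers, and both sample messages are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr


def domain_of(header):
    """Lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(str(header) if header is not None else "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_results(msg):
    """First spf/dkim/dmarc result found in Authentication-Results headers."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I)
        for method, result in pairs:
            found.setdefault(method.lower(), result.lower())
    return found


def spoof_indicators(raw):
    """Return a list of reasons to distrust the visible From address."""
    msg = email.message_from_string(raw, policy=policy.default)
    visible = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    reasons = []
    if not visible:
        reasons.append("from-unparsable")
    elif envelope and envelope != visible:
        # The address shown to the reader is not the one that sent the mail.
        reasons.append("envelope-mismatch")
    for method, result in sorted(auth_results(msg).items()):
        if result in {"fail", "softfail"}:
            reasons.append(f"{method}-{result}")
    return reasons


# Constructed samples: every address and host name below is invented.
SPOOFED = """\
Return-Path: <someone@infected-host.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=infected-host.example; dmarc=fail header.from=friend.example
From: "A Friend" <friend@friend.example>
To: you@recipient.example
Subject: constructed sample

constructed body
"""

GENUINE = """\
Return-Path: <friend@friend.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=friend.example; dkim=pass header.d=friend.example; dmarc=pass header.from=friend.example
From: "A Friend" <friend@friend.example>
To: you@recipient.example
Subject: constructed sample

constructed body
"""

if __name__ == "__main__":
    print("spoofed:", spoof_indicators(SPOOFED))
    print("genuine:", spoof_indicators(GENUINE))
```

An envelope mismatch alone also occurs with mailing lists and bulk-mail services, so treat it as an indicator to combine with the authentication results, and only trust Authentication-Results headers added by your own mail server.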

2001-

Code Red and Code Red II


The CERT Coordination Center at Carnegie Mellon University published an advisory alerting the public to the dangers of the Code Red virus.

The Code Red and Code Red II worms popped up in the summer of 2001. Both worms exploited an operating system vulnerability that was found in machines running Windows 2000 and Windows NT. The vulnerability was a buffer overflow problem, which means when a machine running on these operating systems receives more information than its buffers can handle, it starts to overwrite adjacent memory.
The original Code Red worm initiated a distributed denial of service (DDoS) attack on the White House. That means all the computers infected with Code Red tried to contact the Web servers at the White House at the same time, overloading the machines.
A Windows 2000 machine infected by the Code Red II worm no longer obeys the owner. That's because the worm creates a backdoor into the computer's operating system, allowing a remote user to access and control the machine. In computing terms, this is a system-level compromise, and it's bad news for the computer's owner. The person behind the virus can access information from the victim's computer or even use the infected computer to commit crimes. That means the victim not only has to deal with an infected computer, but also may fall under suspicion for crimes he or she didn't commit.
While Windows NT machines were vulnerable to the Code Red worms, the viruses' effect on these machines wasn't as extreme. Web servers running Windows NT might crash more often than normal, but that was about as bad as it got. Compared to the woes experienced by Windows 2000 users, that's not so bad.
Microsoft released software patches that addressed the security vulnerability in Windows 2000 and Windows NT. Once patched, the original worms could no longer infect a Windows 2000 machine; however, the patch didn't remove viruses from infected computers -- victims had to do that themselves.

Nimda


Another virus to hit the Internet in 2001 was the Nimda (which is admin spelled backwards) worm. Nimda spread through the Internet rapidly, becoming the fastest propagating computer virus at that time. In fact, according to TruSecure CTO Peter Tippett, it only took 22 minutes from the moment Nimda hit the Internet to reach the top of the list of reported attacks [source: Anthes].
The Nimda worm's primary targets were Internet servers. While it could infect a home PC, its real purpose was to bring Internet traffic to a crawl. It could travel through the Internet using multiple methods, including e-mail. This helped spread the virus across multiple servers in record time.
The Nimda worm created a backdoor into the victim's operating system. It allowed the person behind the attack to access the same level of functions as whatever account was logged into the machine currently. In other words, if a user with limited privileges activated the worm on a computer, the attacker would also have limited access to the computer's functions. On the other hand, if the victim was the administrator for the machine, the attacker would have full control.
The spread of the Nimda virus caused some network systems to crash as more of the system's resources became fodder for the worm. In effect, the Nimda worm became a distributed denial of service (DDoS) attack.

Phoning it In

Not all computer viruses focus on computers. Some target other electronic devices. Here's just a small sample of some highly portable viruses:
  • CommWarrior attacked smartphones running the Symbian operating system (OS).
  • The Skulls Virus also attacked Symbian phones and displayed screens of skulls instead of a home page on the victims' phones.
  • RavMonE.exe is a virus that could infect iPod MP3 devices made between Sept. 12, 2006, and Oct. 18, 2006.
  • Fox News reported in March 2008 that some electronic gadgets leave the factory with viruses pre-installed -- these viruses attack your computer when you sync the device with your machine [source: Fox News].
Next, we'll take a look at a virus that affected major networks, including airline computers and bank ATMs.
SQL Slammer/Sapphire

The Slammer virus hit South Korea hard, cutting it off from the Internet and leaving Internet cafes like this one relatively empty.

In late January 2003, a new Web server virus spread across the Internet. Many computer networks were unprepared for the attack, and as a result the virus brought down several important systems. The Bank of America's ATM service crashed, the city of Seattle suffered outages in 911 service and Continental Airlines had to cancel several flights due to electronic ticketing and check-in errors.
The culprit was the SQL Slammer virus, also known as Sapphire. By some estimates, the virus caused more than $1 billion in damages before patches and antivirus software caught up to the problem [source: Lemos]. The progress of Slammer's attack is well documented. Only a few minutes after infecting its first Internet server, the Slammer virus was doubling its number of victims every few seconds. Fifteen minutes after its first attack, the Slammer virus infected nearly half of the servers that act as the pillars of the Internet [source: Boutin].
The Slammer virus taught a valuable lesson: It's not enough to make sure you have the latest patches and antivirus software. Hackers will always look for a way to exploit any weakness, particularly if the vulnerability isn't widely known. While it's still important to try and head off viruses before they hit you, it's also important to have a worst-case-scenario plan to fall back on should disaster strike.

A Matter of Timing

Some hackers program viruses to sit dormant on a victim's computer only to unleash an attack on a specific date. Here's a quick sample of some famous viruses that had time triggers:
  • The Jerusalem virus activated every Friday the 13th to destroy data on the victim computer's hard drive
  • The Michelangelo virus activated on March 6, 1992 -- Michelangelo was born on March 6, 1475
  • The Chernobyl virus activated on April 26, 1999 -- the 13th anniversary of the Chernobyl meltdown disaster
  • The Nyxem virus delivered its payload on the third of every month, wiping out files on the victim's computer
Computer viruses can make a victim feel helpless, vulnerable and despondent. Next, we'll look at a virus with a name that evokes all three of those feelings.
MyDoom
The MyDoom virus inspired politicians like U.S. Senator Chuck Schumer to propose a National Virus Response Center.
The MyDoom (or Novarg) virus is another worm that can create a backdoor in the victim computer's operating system. The original MyDoom virus -- there have been several variants -- had two triggers. One trigger caused the virus to begin a denial of service (DoS) attack starting Feb. 1, 2004. The second trigger commanded the virus to stop distributing itself on Feb. 12, 2004. Even after the virus stopped spreading, the backdoors created during the initial infections remained active [source: Symantec].
Later that year, a second outbreak of the MyDoom virus gave several search engine companies grief. Like other viruses, MyDoom searched victim computers for e-mail addresses as part of its replication process. But it would also send a search request to a search engine and use e-mail addresses found in the search results. Eventually, search engines like Google began to receive millions of search requests from corrupted computers. These attacks slowed down search engine services and even caused some to crash [source: Sullivan].
MyDoom spread through e-mail and peer-to-peer networks. According to the security firm MessageLabs, one in every 12 e-mail messages carried the virus at one time [source: BBC]. Like the Klez virus, MyDoom could spoof e-mails so that it became very difficult to track the source of the infection.

Oddball Viruses

Not all viruses cause severe damage to computers or destroy networks. Some just cause computers to act in odd ways. An early virus called Ping-Pong created a bouncing ball graphic, but didn't seriously damage the infected computer. There are several joke programs that might make a computer owner think his or her computer is infected, but they're really harmless applications that don't self-replicate. When in doubt, it's best to let an antivirus program remove the application.
Next, we'll take a look at a pair of viruses created by the same hacker: the Sasser and Netsky viruses.

Sasser and Netsky


Sometimes computer virus programmers escape detection. But once in a while, authorities find a way to track a virus back to its origin. Such was the case with the Sasser and Netsky viruses. A 17-year-old German named Sven Jaschan created the two programs and unleashed them onto the Internet. While the two worms behaved in different ways, similarities in the code led security experts to believe they both were the work of the same person.
The Sasser worm attacked computers through a Microsoft Windows vulnerability. Unlike other worms, it didn't spread through e-mail. Instead, once the virus infected a computer, it looked for other vulnerable systems. It contacted those systems and instructed them to download the virus. The virus would scan random IP addresses to find potential victims. The virus also altered the victim's operating system in a way that made it difficult to shut down the computer without cutting off power to the system.
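A worm that scans random IP addresses shows up in connection logs as one internal host reaching many different destinations on the same port within seconds. The detector below is an added example, not part of the original article; the log format, the window and threshold values, and every address and port in the sample are constructed assumptions.

```python
from collections import defaultdict, deque


def find_scanners(lines, window=10.0, threshold=5):
    """Return {(src, dport): peak distinct destinations in any window}
    for sources that reached `threshold` distinct destinations.

    Each line is 'seconds src_ip dst_ip dst_port', sorted by time
    (a hypothetical format chosen for this example).
    """
    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst)
    peak = defaultdict(int)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        ts, key = float(ts), (src, int(dport))
        queue = recent[key]
        queue.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        # Repeated connections to one server count once; fan-out is the signal.
        distinct = len({d for _, d in queue})
        peak[key] = max(peak[key], distinct)
    return {k: v for k, v in peak.items() if v >= threshold}


# Constructed log: 10.0.0.23 fans out to six unrelated addresses in under
# three seconds, 10.0.0.5 talks to one file server, 10.0.0.7 browses slowly.
SAMPLE_LOG = """\
# seconds src dst dport
0.0 10.0.0.5 10.0.0.2 445
0.4 10.0.0.23 192.0.2.17 445
0.9 10.0.0.23 198.51.100.201 445
1.3 10.0.0.23 203.0.113.88 445
1.5 10.0.0.5 10.0.0.2 445
1.8 10.0.0.23 192.0.2.140 445
2.2 10.0.0.23 198.51.100.9 445
2.7 10.0.0.23 203.0.113.250 445
3.0 10.0.0.7 192.0.2.80 80
9.0 10.0.0.7 198.51.100.80 80
30.0 10.0.0.7 203.0.113.80 80
"""

if __name__ == "__main__":
    for (src, port), count in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} reached {count} distinct hosts on port {port}")
```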
The Netsky virus moves through e-mails and Windows networks. It spoofs e-mail addresses and propagates through a 22,016-byte file attachment [source: CERT]. As it spreads, it can cause a denial of service (DoS) attack as systems collapse while trying to handle all the Internet traffic. At one time, security experts at Sophos believed Netsky and its variants accounted for 25 percent of all computer viruses on the Internet [source: Wagner].
Sven Jaschan spent no time in jail; he received a sentence of one year and nine months of probation. Because he was under 18 at the time of his arrest, he avoided being tried as an adult in German courts.
So far, most of the viruses we've looked at target PCs running Windows. But Macintosh computers aren't immune to computer virus attacks. In the next section, we'll take a look at the first virus to commit a Mac attack.

2006-

Leap-A/Oompa-A

Maybe you've seen the ad in Apple's Mac computer marketing campaign where Justin "I'm a Mac" Long consoles John "I'm a PC" Hodgman. Hodgman comes down with a virus and points out that there are more than 100,000 viruses that can strike a computer. Long says that those viruses target PCs, not Mac computers.
For the most part, that's true. Mac computers are partially protected from virus attacks because of a concept called security through obscurity. Apple has a reputation for keeping its operating system (OS) and hardware a closed system -- Apple produces both the hardware and the software. This keeps the OS obscure. Traditionally, Macs have been a distant second to PCs in the home computer market. A hacker who creates a virus for the Mac won't hit as many victims as he or she would with a virus for PCs.
But that hasn't stopped at least one Mac hacker. In 2006, the Leap-A virus, also known as Oompa-A, debuted. It uses the iChat instant messaging program to propagate across vulnerable Mac computers. After the virus infects a Mac, it searches through the iChat contacts and sends a message to each person on the list. The message contains a corrupted file that appears to be an innocent JPEG image.
The Leap-A virus doesn't cause much harm to computers, but it does show that even a Mac computer can fall prey to malicious software. As Mac computers become more popular, we'll probably see more hackers create customized viruses that could damage files on the computer or snarl network traffic. Hodgman's character may yet have his revenge.
We're down to the end of the list. What computer virus has landed the number one spot?
Breaking into Song
While computer viruses can pose a serious threat to computer systems and Internet traffic, sometimes the media overstates the impact of a particular virus. For example, the Michelangelo virus gained a great deal of media attention, but the actual damage caused by the virus was pretty small. That might have been the inspiration for the song "Virus Alert" by "Weird Al" Yankovic. The song warns listeners of a computer virus called Stinky Cheese that not only wipes out your computer's hard drive, but also forces you to listen to Jethro Tull songs and legally change your name to Reggie.

Storm Worm

The latest virus on our list is the dreaded Storm.
It was late 2006 when computer security experts first identified the worm. The public began to call the virus the Storm Worm because one of the e-mail messages carrying the virus had as its subject "230 dead as storm batters Europe." Antivirus companies call the worm other names. For example, Symantec calls it Peacomm while McAfee refers to it as Nuwar. This might sound confusing, but there's already a 2001 virus called the W32.Storm.Worm. The 2001 virus and the 2006 worm are completely different programs.
The Storm Worm is a Trojan horse program. Its payload is another program, though not always the same one. Some versions of the Storm Worm turn computers into zombies or bots. As computers become infected, they become vulnerable to remote control by the person behind the attack. Some hackers use the Storm Worm to create a botnet and use it to send spam mail across the Internet.
Many versions of the Storm Worm fool the victim into downloading the application through fake links to news stories or videos. The people behind the attacks will often change the subject of the e-mail to reflect current events. For example, just before the 2008 Olympics in Beijing, a new version of the worm appeared in e-mails with subjects like "a new deadly catastrophe in China" or "China's most deadly earthquake." The e-mail claimed to link to video and news stories related to the subject, but in reality clicking on the link activated a download of the worm to the victim's computer [source: McAfee].
Several news agencies and blogs named the Storm Worm one of the worst virus attacks in years. By July 2007, an official with the security company Postini claimed that the firm detected more than 200 million e-mails carrying links to the Storm Worm during an attack that spanned several days [source: Gaudin]. Fortunately, not every e-mail led to someone downloading the worm.
Although the Storm Worm is widespread, it's not the most difficult virus to detect or remove from a computer system. If you keep your antivirus software up to date and remember to use caution when you receive e-mails from unfamiliar people or see strange links, you'll save yourself some major headaches.
Want to learn more about computer viruses? Take a look at the links on the next page, if you dare.
