Another reason not to run DD-WRT

Embarrassing is an understatement.

Tomato users are not affected. No idea regarding HyperWRT or Thibor.

Sebastian Gottschall’s statement, “consider that this exploit was released without any report to us”, is a miserable attempt at taking responsibility for the mistake. I have personally reviewed the DD-WRT source many times while working with WRT* routers — and like Busybox, it’s all duct tape and Bondo. The same applies to HyperWRT, though most of the trashy code there comes from the base source which is the responsibility of Linksys and their third-party vendor.

With regards to DD-WRT, I really don’t care if the exploit was released without any prior report — consider doing security audits of your own code, and stop allowing patches with hacked-up solutions. Instead, stop and think about the change in its entirety before committing.

Comcast isn’t messing with my port 53 traffic…

This is in response to the Slashdot article and the official blog post claiming that Comcast is transparently tinkering with TCP port 53 traffic.

Location: Mountain View, CA
Non-Comcast server: 72.20.106.4
Comcast connection: 98.248.46.159

There is an actual nameserver (BIND) running on 72.20.106.4 which per ACLs denies queries being made from non-permitted clients. The Comcast connection is not in the ACL list, so the nameserver should politely return REFUSED no matter what’s queried.

The Comcast connection is behind a router, so NAT is involved.

comcast# dig @72.20.106.4 comcast.sucks.com. a

; <<>> DiG 9.4.3-P2 <<>> @72.20.106.4 comcast.sucks.com. a
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49471
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;comcast.sucks.com.             IN      A

;; Query time: 12 msec
;; SERVER: 72.20.106.4#53(72.20.106.4)
;; WHEN: Tue Jun  9 12:48:57 2009
;; MSG SIZE  rcvd: 35

What the server saw:

server# tcpdump -v -p -i em0 -l -n -s 8192 "host 98.248.46.159 and not port 22 and not port 993"
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 8192 bytes
12:48:57.264897 IP (tos 0x20, ttl 54, id 48387, offset 0, flags [none], proto UDP (17), length 63) 98.248.46.159.52697 > 72.20.106.4.53: 49471+ A? comcast.sucks.com. (35)
12:48:57.265005 IP (tos 0x0, ttl 64, id 46332, offset 0, flags [none], proto UDP (17), length 63) 72.20.106.4.53 > 98.248.46.159.52697: 49471 Refused- 0/0/0 (35)

Now let’s try TCP:

comcast# dig @72.20.106.4 comcast.sucks.com. a +tcp

; <<>> DiG 9.4.3-P2 <<>> @72.20.106.4 comcast.sucks.com. a +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34286
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;comcast.sucks.com.             IN      A

;; Query time: 14 msec
;; SERVER: 72.20.106.4#53(72.20.106.4)
;; WHEN: Tue Jun  9 12:50:37 2009
;; MSG SIZE  rcvd: 35

And what the server saw:

server# tcpdump -v -p -i em0 -l -n -s 8192 "host 98.248.46.159 and not port 22 and not port 993"
12:50:37.675402 IP (tos 0x20, ttl 54, id 50693, offset 0, flags [DF], proto TCP (6), length 60) 98.248.46.159.57521 > 72.20.106.4.53: S, cksum 0xe098 (correct), 1964159373:1964159373(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 662893746 0>
12:50:37.675443 IP (tos 0x0, ttl 64, id 48248, offset 0, flags [DF], proto TCP (6), length 60) 72.20.106.4.53 > 98.248.46.159.57521: S, cksum 0x9124 (correct), 1547364460:1547364460(0) ack 1964159374 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 2908314978 662893746>
12:50:37.689896 IP (tos 0x20, ttl 54, id 50696, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: ., cksum 0x9f5a (correct), ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>
12:50:37.689927 IP (tos 0x20, ttl 54, id 50697, offset 0, flags [DF], proto TCP (6), length 89) 98.248.46.159.57521 > 72.20.106.4.53: P, cksum 0x6f5a (correct), 1:38(37) ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>34286+ A? comcast.sucks.com. (35)
12:50:37.690104 IP (tos 0x0, ttl 64, id 48250, offset 0, flags [DF], proto TCP (6), length 89) 72.20.106.4.53 > 98.248.46.159.57521: P, cksum 0xef20 (correct), 1:38(37) ack 38 win 8326 <nop,nop,timestamp 2908314993 662893758>34286 Refused- 0/0/0 (35)
12:50:37.701886 IP (tos 0x20, ttl 54, id 50704, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: F, cksum 0x9ef1 (correct), 38:38(0) ack 38 win 8326 <nop,nop,timestamp 662893773 2908314993>
12:50:37.701905 IP (tos 0x0, ttl 64, id 48251, offset 0, flags [DF], proto TCP (6), length 52) 72.20.106.4.53 > 98.248.46.159.57521: ., cksum 0x9ee5 (correct), ack 39 win 8326 <nop,nop,timestamp 2908315005 662893773>
12:50:37.701938 IP (tos 0x0, ttl 64, id 48252, offset 0, flags [DF], proto TCP (6), length 52) 72.20.106.4.53 > 98.248.46.159.57521: F, cksum 0x9ee4 (correct), 38:38(0) ack 39 win 8326 <nop,nop,timestamp 2908315005 662893773>
12:50:37.713879 IP (tos 0x20, ttl 54, id 50706, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: ., cksum 0x9ed9 (correct), ack 39 win 8325 <nop,nop,timestamp 662893785 2908315005>

Finally, my ICSI results for those who care.

Conclusion: nothing being modified here.
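As an added example (not part of the original post), the same end-to-end test done mechanically: pair the transaction ID, question and rcode the client's dig reported with what the server's tcpdump logged, and flag any mismatch. Sample input is constructed from the TCP exchange quoted above; the regexes describing tcpdump's DNS decoder are an assumption that fits the lines shown, not a full parser.

```python
import re

# Sample input constructed from the TCP exchange quoted in this post: the client-side
# dig header plus the two tcpdump lines that carry the DNS payload.
CLIENT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34286
;; QUESTION SECTION:
;comcast.sucks.com.             IN      A
;; SERVER: 72.20.106.4#53(72.20.106.4)
"""
SERVER_TCPDUMP = """\
12:50:37.689927 IP (tos 0x20, ttl 54, id 50697, offset 0, flags [DF], proto TCP (6), length 89) 98.248.46.159.57521 > 72.20.106.4.53: P, cksum 0x6f5a (correct), 1:38(37) ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>34286+ A? comcast.sucks.com. (35)
12:50:37.690104 IP (tos 0x0, ttl 64, id 48250, offset 0, flags [DF], proto TCP (6), length 89) 72.20.106.4.53 > 98.248.46.159.57521: P, cksum 0xef20 (correct), 1:38(37) ack 38 win 8326 <nop,nop,timestamp 2908314993 662893758>34286 Refused- 0/0/0 (35)
"""

DIG_HEADER = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (?P<status>\w+), id: (?P<id>\d+)")
DIG_QUESTION = re.compile(r"^;(?P<qname>\S+)\s+IN\s+(?P<qtype>\w+)", re.M)
DIG_SERVER = re.compile(r";; SERVER: (?P<ip>[\d.]+)#\d+")

# Assumed shape of tcpdump's DNS decoder (fits the lines above, not a full parser):
# queries end in "<id>[+] <qtype>? <qname> (<len>)", responses carry
# "<id> <rcode>[-] answers/authority/additional" (rcode omitted for NOERROR).
ENDPOINTS = re.compile(r"proto (?P<proto>UDP|TCP) .*?"
                       r"(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: ")
DNS_QUERY = re.compile(r"(?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")
DNS_RESPONSE = re.compile(r"(?P<id>\d+)\*? (?P<rcode>[A-Za-z]+)?-?\s*(?P<an>\d+)/\d+/\d+")


def parse_dig(text):
    """Pull transaction ID, rcode, question and server address out of dig's output."""
    h, q, s = DIG_HEADER.search(text), DIG_QUESTION.search(text), DIG_SERVER.search(text)
    if not (h and q and s):
        raise ValueError("unrecognised dig output")
    return {"id": int(h["id"]), "status": h["status"].upper(),
            "qname": q["qname"], "qtype": q["qtype"], "server": s["ip"]}


def parse_tcpdump(text):
    """Yield one dict per capture line that tcpdump decoded as a DNS message;
    bare SYN/ACK/FIN lines carry no DNS payload and are skipped."""
    for line in text.splitlines():
        ep = ENDPOINTS.search(line)
        if not ep:
            continue
        base = {"proto": ep["proto"], "src": ep["src"], "dst": ep["dst"]}
        q = DNS_QUERY.search(line)
        if q:
            yield dict(base, kind="query", id=int(q["id"]), qname=q["qname"], qtype=q["qtype"])
            continue
        r = DNS_RESPONSE.search(line)
        if r:
            rcode = (r["rcode"] or "NOERROR").upper()
            yield dict(base, kind="response", id=int(r["id"]), rcode=rcode, answers=int(r["an"]))


def check_no_interception(dig_text, tcpdump_text):
    """Compare what the client saw with what the server logged for one transaction.
    Returns a list of findings; an empty list means the query reached the real server
    unchanged and the client received that server's own reply."""
    c = parse_dig(dig_text)
    msgs = list(parse_tcpdump(tcpdump_text))
    findings = []
    seen = [m for m in msgs if m["kind"] == "query" and m["dst"] == c["server"] and m["id"] == c["id"]]
    if not seen:
        findings.append("server never saw query id %d (answered or dropped before reaching it)" % c["id"])
    elif (seen[0]["qname"], seen[0]["qtype"]) != (c["qname"], c["qtype"]):
        findings.append("question rewritten in transit: server saw %s %s" % (seen[0]["qtype"], seen[0]["qname"]))
    sent = [m for m in msgs if m["kind"] == "response" and m["src"] == c["server"] and m["id"] == c["id"]]
    if not sent:
        findings.append("server sent no reply with id %d" % c["id"])
    elif sent[0]["rcode"] != c["status"]:
        findings.append("rcode changed in transit: server sent %s, client got %s" % (sent[0]["rcode"], c["status"]))
    return findings
```

The UDP exchange from the post parses the same way; only the TCP lines need the regexes to skip past the segment header.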

Google search engine claiming all sites harmful

It looks like Google is seriously broken, all across the board. This began on 2009/01/31, sometime between 0600 PST and 0640 PST.

All search results on Google are returning “This site may harm your computer”. Every search result from www.google.com points you to their interstitial URL redirector, e.g.:

http://www.google.com/interstitial?url=http://www.whateversite.com/

Clearing one’s DNS cache does not fix this problem. I’ve verified it’s not my own connection either, by using lynx and telnet from co-located servers across the United States. This is indeed a Google problem.

I’m not the only one who’s reported this. Slashdot also reported it, as did the DSLR folks (and here as well).

I’ll be interested to see what the media makes of this, because this is a pretty severe outage.

EDIT: The outage appears over as of approximately 0710 PST. An hour to mitigate is pretty quick, but an hour of search results broken… ouch.

Google Chrome — eek.

So as I’m sure everyone knows, Google Chrome is out.  Whoop dee doo.  I tried it.  It does appear to live up to the hype presented in the announcement comic.  However, there’s some hilarious things about Google Chrome and its release which are baffling:

HKCU:Run — Page 27 in the Googlebooks Chrome cartoon states, “…no telling Windows to run an executable on startup”, implying that malware/adware has the capability to do so.  However, upon installing Chrome, you’ll find a new memory-resident process that runs at all times called GoogleUpdate.exe.  What does it do?  I don’t know.  Does GoogleUpdate.exe stop when Chrome exits?  Nope.  Because of this, I decided to look at the HKCU\Software\Microsoft\Windows\Run portion of my registry.  And what did I find?

"C:\Documents and Settings\jdc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

Upon uninstalling Chrome, you’ll find that the above HKCU:Run registry key *is not* deleted… because C:\Documents and Settings\jdc\Local Settings\Application Data\Google\Update is never removed or emptied either.  Ultimately what this means is that despite Google Chrome being removed from your system, you still have some creepy Google program lingering around in memory, and will continue to load even if you reboot the system.

Google, this is downright rude, and contradictory to what you’re presenting in Chrome itself. Knock it off.

Youtube — The Youtube-posted video about Chrome was obviously encoded with errors.  There are numerous times throughout the video where for a single frame, the video “freaks out”.  It’s obviously the result of bad/sloppy encoding or a buggy codec.  I thought for a moment it might be Chrome itself that was causing the oddity, but it happens in Firefox and IE as well.  Here are some example frames of what I’m talking about:

Real professional.  No, really, nice job…

Installation — The Chrome installer is quite possibly the most bizarre thing on earth.  I’ve seen people report it as “fast and incredible”, which makes no sense — it doesn’t appear to be fast, and you have absolutely no visibility into what it’s doing, who it’s talking to, or why it’s doing what it is.  I also hope you don’t install programs in places other than C:\Program Files, because with Chrome’s installer (presently), you have no choice.

Processes — Chrome’s “separate process” concept is great, but upon examining the Windows Task Manager, I was shocked to find that by “separate process” they really did mean it.  Five chrome.exe processes running?  How do I know which is associated with what?  I’m forced to use Chrome’s Task Manager if I want to do that… but what if the browser is completely wedged and I can’t get to that?  Yep, better start killing off random processes until you get the right one. I already have to do this in Windows when it comes to Internet Explorer…

Tabs — either you love them or hate them. I’m one of the few who hate them. Why does Google insist they’re what I want with Chrome?  I’m used to looking at my taskbar whenever a new window is made; it’s instinctive, which is why tabs in all other browsers are optional.

UI design — fairly horrible.  I also want to know what jackfuck at Google decided the default minimise/maximise/close buttons should visually mimic that of Vista.  I use Windows XP, and the theming on windows/borders/buttons is defined by me in Windows; per-application “theming” or “skinning” is absolutely horrible.  This is a web browser, not Winamp or ThemeXP.

Miscellaneous — Why does the currently-focused HTML form input box have a gold border around it?  It’s to signify what’s currently in focus, input-wise, I’m sure.  But I know where my input is, because I’m the one who last clicked there… unless, of course, the web page is stealing or changing cursor focus on you, which should NEVER HAPPEN. So what’s the point?

Otherwise, it’s nice to see someone actually creating something from the ground up… oh wait, you’re using WebKit.  Well, it’s *almost* from the ground up.  ;-)  In all sincerity though, I’m serious: I grow sick and tired of the “why re-invent the wheel?” attitude that is often touted in our industry — and I’m a UNIX guy.

Moral domain registrars: do they even exist?

I came across a recent blog post over at Wired, asking the famous question: who exactly is a worthwhile registrar?

http://blog.wired.com/monkeybites/2008/03/is-there-a-real.html

As I expected, “worthwhile” can be interpreted in many ways. For some, worthwhile means low-cost (whoever’s the cheapest). For others, it’s about privacy — and I happen to be one of the latter.

As someone who has provided 100% free hosting services to the world since the 90s, I’ve learned that it’s really not about price: it’s about quality and privacy. I like a registrar who offers a good control panel interface to managing your domains (for example, if I add/remove a nameserver I do not want to have to repeat the process for every single domain I have with that registrar — a bulk modification method is a must), and one who truly respects their customers’ privacy.

You might be asking “what exactly does the word ‘truly’ encompass?” It’s very simple, and any basic security-savvy administrator adheres to it: do not disclose any of the information I provide you, unless I provide prior consent. That means no one except employees of your company have access to the information I give you (excluding things like WHOIS records, or the “real” owner of a domain (which gets submit to ICANN)). I don’t want my information given to third-parties, associates, affiliates, or even contractors (I’m willing to exclude the last item only if the company provides its customers a copy of the legally-binding contract their contractors have to sign, and it must include statements of what the legal ramifications are if the contractor violates privacy policies in regards to customer information).

It gets complex when you consider that ICANN demands customer records (not WHOIS, but the actual/true owner of the domain) for themselves… but then requires registrars to make available that information to those who want it (usually through large resales; e.g. US$10K will get you the entire database, even with companies like OpenSRS).

I don’t mind ICANN having my information, what I do mind is companies like the Domain Registry of America (otherwise known as Domain Renewal Group) getting access to my name, address, phone number, Email address, and lots of other things. For tens of thousands of dollars, they can get all of my information — and I’ve never been comfortable with that.

It gets scary when you start looking for what I call a “moral” registrar: one who actually understands and complies with the above security concept. Let’s take a look at the privacy policies of the top 10 popular registrars, based on what http://www.registrarstats.com/ considers the top 10 (with a couple of registrars I consider “popular” thrown in):

  1. GoDaddy
  2. eNom
  3. Network Solutions (VeriSign)
  4. Tucows (OpenSRS)
  5. Melbourne IT
  6. Schlund+Partner (1&1 Internet)
  7. Wild West Domains (explicitly excluded, see below)
  8. Moniker Online Services
  9. Register.com
  10. PublicDomainRegistry
  11. Gandi (see below)
  12. DomainDiscover

All of these companies or organisations have two common clauses: a clause mentioning they have to submit your real contact details to ICANN (which is true; there’s no avoiding that), and — this is the kicker — a clause stating they reserve the right to distribute your information to third-parties, affiliates, or other “mysterious entities”… but they never tell you who (and I’m willing to bet they never mail you to tell you who they go into business with either).

Wild West Domains was explicitly excluded because they have a direct relation to the Domain Registry of America, who I won’t discuss based on past legal actions of theirs against bloggers. This is what I’m talking about:

http://blog.forret.com/2004/12/domain-registry-of-america-scam/

PublicDomainRegistry is absolutely amazing. See Section 13, subsection (2) of their Registrant Agreement PDF. I don’t know anyone in their right mind who would agree with this had they read it in full prior to a domain purchase.

Finally, Gandi. I read 4 separate PDFs of theirs, all of which are somewhat ambiguous in regards to what they do with your information. They don’t even state that said information has to go to ICANN; instead, it seems they imply the information in your WHOIS records is what they go off of. It’s amusing when you note that they offer “Whois protection”, except all they protect is your Email address.

Take the time to review all of the above policies. You’ll be quite disgusted with how open-ended they are; there’s absolutely no guarantee your information won’t be viewed by someone who isn’t a direct employee of the registrar.

It’s a very depressing situation we’re in; all these companies have shady behind-the-scenes ties with companies who are doing god-knows-what with your contact information — and I mean the stuff that’s associated with your billing data, not WHOIS data.

Netflix “Watch Now” PC limitation

While dealing with the DRM issue in my previous post, one of the things I ended up doing was — of course — reinstalling Windows XP SP2. I do this pretty often because I end up getting a “bad feeling” about the current state of Windows, and when I can’t fix/solve something, formatting + reinstalling is the best choice.

After reinstalling and loading up the Netflix Viewer, I was greeted with a message that said I had reached the limit of unique PCs allowed to view Watch Now content (the limit was 4), and that I was required to contact Netflix Technical Support before I could begin watching videos again. This problem is completely reminiscent of the Windows XP Activation issue, where if you change hardware or reinstall the OS + activate too many times, you’re forced to call Microsoft every time you reinstall.

This isn’t something I agree with, for what it’s worth. My hardware and software are my property: I will do with them what I wish. I have a legitimate store-purchased copy of Windows XP (hell, I’m a Microsoft employee — would you expect otherwise?!), which means I should be able to do whatever I want with it (within reason of course), which includes installing it as many times on my PC as I wish. I understand piracy is a problem, but as Steve Jobs said, piracy is a social problem, and it’s one you cannot solve with technology. Any attempts to solve it with technology results in nothing more than irritation and pain for customers — case in point.

Anyway.

I was on hold with Netflix for 116 minutes: yup, almost 2 full hours before I got to speak to a human. On the other hand, the human I spoke to was fairly technical, and didn’t give me much difficulty when I explained to him the situation and what I had done that likely induced the problem. I told him I had been dealing with a DRM problem which I had solved, but in the process had reinstalled Windows.

The tech was able to tell me that resetting the DRM settings via RESETDRM.EXE would not cause this problem, but reinstalling Windows XP definitely would. He also took the time to explain that the 4-license (or 4-PC) limitation is induced by movie studios (I took that to mean the MPAA). The way he described it was as follows: Netflix keeps track and allows up to 4 unique IDs (associated with your account of course) to play Netflix movies — probably to allow up to 4 PCs in the same household to use Watch Now. When a fifth is detected, the fifth will receive a message like what I got, and force you to talk to Netflix Technical Support if you want an explanation.

I explained to the tech that I’m a system administrator and thus I reinstall Windows fairly often, and that I pretty much reserve the right to reinstall the OS whenever I please for whatever reason.

The tech explained that Netflix argued the same point with the studios, and the agreement reached was that Netflix could be allowed to permit a “fifth and final permission” which would allow that system to play videos, but after that point would no longer be able to assist in any issues relating to the said limitations. Meaning, if any of your PCs got that message from then on, Netflix TS would refuse to help you.

He also added that every 365 days from the start of the year, all of the IDs associated with your account would be deleted. I sure as hell wasn’t going to wait until January 2009 to be able to use Watch Now. :-)

The tech then asked me if I wanted to use my fifth and final allowed ID. I told him yes, with one caveat: I wanted to know how to retain/save that ID, so if I reinstalled in the future, I could simply restore that ID and continue to use Watch Now without any problems.

The tech more or less refused to tell me how the system worked, or how I could back up the ID. He did, on the other hand, recommend that I use a reimaging system (such as Norton Ghost or Acronis TrueImage) to back up the current state of my PC as it was right now, because the ID itself was stored in the Registry.

He then enabled the ID in question and sure enough Watch Now began working immediately, urging me to take a system image ASAP. Two hours on hold for nothing more than a 10 minute conversation.

I reserve the right to choose to install my OS however I wish, and I choose not to use reimaging software. Why? I make my own XP CDs using nLite, slipstreaming latest updates and other whatnots into the image. I rebuild that image and reinstall using it. If you use a disk snapshot/imaging utility like TrueImage or Ghost, you’ll be forced until the end of time to use Windows Update to get said updates. Reimaging systems work great for massive corporate enterprise environments, but not very well for people like me. :-)

All of this got me thinking: if the ID is in the registry somewhere, backing it up is simple. REGEDIT.EXE and its Export option would suffice. So off I went, digging around in the registry.

Lo and behold, I found the following key:

HKCU\Software\Netflix\Movie Viewer\ID

I changed this ID to something different than what I had after the tech enabled the ID, and sure enough, I got the nasty message from Netflix (this time saying I had reached a 5 PC limit).

I restored the ID to the working value, and an interesting thing happened: immediately prior to the video playback, I was prompted for my Netflix login name and password. The window asking me for that looked to be something within the Netflix Movie Viewer itself, and not something from the web browser. I entered my credentials, and voila — Watch Now started working again!

Thus, after reinstalling XP, all one has to do is install the Netflix Movie Viewer software and restore said registry entry. I’m not sure why Netflix just doesn’t disclose the registry entry location; you can’t go copying the ID to random computers or give it to your friends, because they’ll need your login/password to be able to use it. It’s a generally secure system, so disclosing the path won’t circumvent anything.

I just wanted to share this piece of information with the world, because guaranteed there are many others like me. Remember to back up HKCU\Software\Netflix\Movie Viewer\ID before reinstalling your OS, folks!

Netflix “Watch Now” and error C00D11B1

I’m not going to bother listing off all the different threads and websites discussing said problem. You can use Google or any other search engine to find hundreds upon hundreds of reports, most with no solution. (I say most because some folks ran into this when trying to play Netflix films on their TV, thus were running into HDCP DRM issues). In my case, I’m watching Netflix movies on my PC — absolutely nothing fancy.

For months now I’ve been seeing said error, but in an odd fashion. Reinstalling XP seemed to solve it, until some “random point” in time when it would just stop working again. Naturally I thought “It must be some software I’m installing or some update I’m applying”, so I spent a few hours today trying to track it down. Things I tried to no avail:

• Using Netflix’s RESETDRM.EXE utility
• Uninstalling every piece of software I had installed (this took quite some time!)
• Downgrading to Windows Media Player 10 (which doesn’t work anyways, because Netflix will then tell you that you NEED to upgrade to WMP11 to watch their movies)
• Upgrading my nVidia video drivers (for a 7950GT) to the latest beta
• Tinkering with Creative’s sound drivers for the XtremeGamer (tried latest beta, etc.)

I was about to give up until I came across this post, which I’m very glad I read slowly and in full:

http://www.longdarktechtime.com/2007/12/another-twisty-maze-of-windows-error.html

The following paragraph caught my eye:

“The tech has me adjust some Windows Media player display settings to disable the video mixing render (he knows exactly where to send me) and then we try again. Boom! I get a new error message – this time is C00D11B1.”

The option referred to is in Windows Media Player 11, under Tools -> Options -> Performance -> Video Acceleration (Advanced button) -> Use video mixing renderer checkbox.

The reason it caught my eye: I uncheck said box because I watch/stream Japanese TV shows to a friend of mine in Michigan. We watch a couple shows a week together. The desktop capture driver I use, VHScrCap, cannot capture video when it’s being played in Overlay mode (understandable). So, rather than unchecking “Use overlays” (which is really what I should’ve been doing), I’ve been unchecking “Use video mixing renderer”.

Sure enough, this is what was causing me to get error C00D11B1 from Netflix/Windows Media Player’s DRM!

All I did was turn on “Use video mixing renderer” and instead uncheck “Use overlays” – voila, problem gone.

Bottom line: if you uncheck “Use video mixing renderer”, you break DRM in some bizarre way. Do I consider this a bug? Not really. However, Microsoft would do well to explain that the “Use video mixing renderer” option actually disables other stuff than what’s implied via the UI options.