Category: debriefing
MTW Hacked
Written by Chad Phillips
Monday, 13 October 2008 16:43
No Comments

I said it would never happen. That's what I get for saying "never." Talk about cocky…or maybe just stupid. Recently, one of our contributors was checking posts on the front end of the site and was met with a security warning claiming our site was an attack site. I checked with our tech guy and he confirmed that MTW was hacked and malware had been installed on two different posts from several months ago.

Apparently, unbeknownst to me there was a security vulnerability in WordPress 2.3.2. This vulnerability would allow a registered user to edit any other user's posts, inserting malicious code into the page the post is viewed on.

Luckily, Google had blocked the pages from view. However, we honestly don't know how long the code may have been there before it was discovered and subsequently blocked by Google. Therefore, I am advising all MTW viewers and contributors to run a complete scan of their machine using AVG. This is a free antivirus program which will detect trojans and other malware the more popular programs won't. As an example, I ran two independent scans using Norton. I also used Adaware and both programs declared my system was clean. I was skeptical, so under the advice of my tech guy and a fellow blogger whose site was also infected with this same malware, I installed and ran AVG. The program found two trojans on my system.

The "offending" posts have since been deleted and republished using a clean script. Meanwhile the site has been upgraded to a secure version of WordPress. We also had to delete any registered users we didn't personally know or who looked suspicious.

UPDATE!!!

I posted in Google's forum concerning the teleology of these trojans and got this reply from Google. This should lay to rest any fears that the perp was using these trojans as a means of identity theft etc. (Sigh of relief)

FROM GOOGLE: Yes, looks like it's an ad.  A good indication of this is what the
diagnostic page says:

3 domain(s) appear to be functioning as intermediaries for
distributing malware to visitors of this site, including adbrite .
com, iconadserver . com, yieldmanager . com.

That means that when Google's automated scanner were analysing your
blog they followed paths through those servers on their way to the
unetworks . biz domain which served malware.  So, it's probably coming
though ads.

Hope that helps,
O.
Google Anti-Malware Team

Update:

My tech guy gave me a link to Exploit Prevention Labs, which will allow you to type in your url and scan your site for malware. I suggest anyone who is serious about keeping their site clean utilize this powerful tool.

 
‘Happy Monday’?
Written by Troglodad
Saturday, 15 March 2008 04:43
3 Comments

I am an overprotective parent. I can admit it.

I don’t let my eight year old daughter play outside by herself. I don’t let her surf the internet by herself. I don’t let her spend the night at friends' houses when I don’t know the parents. I’m reluctant to let her play at the park with other kids, even when I’m there. I’m reluctant to let her ride the traveling gypsy carnival rides, for fear they might break down.

Some people have told me I’m too protective. I often think so myself. Then I look around and see small children running at large in the neighborhood, while cars speed past, with no adults around.

Yeah, I might be overprotective, but I know my kids are safe.

One of the hardest things for me has been sending my kid to school, where strangers are responsible for her safety. True, they’re licensed strangers, but it makes me nervous everyday.

She’s in the second grade now, and it has gotten a little easier. But recent events just serve to reinforce my unease at not being there 24-7 for my kids.

My daughter got locked outside of the school.

It was a simple enough sequence of events. She was at recess with the other kids and hit her head on the playground equipment. So they sent her to the nurse. Everything apparently checked out, and she was told to rejoin her class.

Simple eight year old logic told her to go back to the playground. The school door locked behind her as she exited the school, she rounded the corner… and the playground was empty.

Standing there, beating on the door, yelling for help for some minutes disturbed my daughter. She was upset enough about it to keep talking about it up through that night, after school. Eventually, another student walked buy and let her in and she was able to rejoin her class.

After school, the teacher walked her out to her grandma’s car (who watches her after school) and mentioned the incident in about the same amount of detail as I have here. But no note was sent home. No email from the teacher. No call.

Upsetting, especially since this was the second time she was locked out of the school, because she went outside and her class wasn’t there.

Now I know, you probably are wondering why she didn’t just walk to the end of the building and enter the set of doors by the office that are always open. I wondered. I asked. She didn’t think of it. I can see that. She’s only eight.

So I decided to call the school, to see if something couldn’t be done to keep this from happening again. I ended up speaking to the school counselor, as the principal was out sick.

I wasn’t mad at the counselor. I didn’t curse or yell at him. I mean, it’s not like it was his fault (I felt it was the fault of the teacher and nurse).

"What do you want us to do about it?" I was asked. Surprised, I responded that I didn’t want my child outside, without some adult supervision.

He agreed that "technically" the kids should always be supervised. He also agreed that a note could be put in her file for someone to make sure she gets back to class. Okay. That’s good. But while I had him on the phone, I asked about notes home. I had asked before if I could be notified whenever my child got sent to the nurse- I didn’t need a call right away or anything, but it’d be nice to have a note that advised what happened, rather than rely on my eight year old to accurately explain her injuries.

"We don’t do that," I was informed. If the kids get sutures or are bleeding, the parents get notified, I was advised.

I asked if that was school policy, or school corporation policy. I was advised it was school corporation policy. I could speak to the superintendent about it.

I was also told I was being rude.

"Silly me," I said, "for caring about the security of my child."

"Yes, silly you…. Happy Monday," the counselor responded, and hung up on me.

Wow.

That’s professional. Really the kind of behavior you expect from a counselor. A person who's supposed to preach patience to kids.

Perhaps next time I should curse and scream and carry on like a jackass. I know other parents who have done that- with the same man- and they didn’t get hung up on. In fact, they got what they wanted- their kid placed in the school a year early. All from cursing.

I should note that I later spoke to the School Corporation Superintendent. He agreed that children should be supervised at all times- that the teacher or nurse should make sure the kids get where they are going. He also agreed that if I wanted to be notified about nurse trips I should be. Oh, and that it is NOT school nor school corporation policy to notify or not notify parents about trips to the nurse.

And he apologized for the counselor being a prick.

Is there a moral to this story? Do I next time curse and scream?

Nah, I record. ‘Cause a recording of that call would have been a great thing to have. Like they tell us at work- always talk on the phone as if you’re being recorded.

Editor's Note: The illustration for this piece was done by K9Duke and is proudly powered by StripGenerator.com. Check 'em out. We do.

 
AT&Evil
Written by Troglodad
Thursday, 06 March 2008 17:34
4 Comments

AT&T has been in the news a lot lately. And not in a good light.

For those of you that are tech savvy, you probably are thinking of the iPhone debacle. That’s where Apple and AT&T formed an agreement that iPhones could only be used with AT&T (in the U.S.). If you buy one, it comes "locked" and can only be "unlocked" with an AT&T Sim card.

Interestingly, tech heads out there in the world quickly figured out how to unlock the phones so they could be used with any service. Apple/AT&T got mad and released an "update" that then relocked the phones. The Techheads revolted, and again, they figured out how to unlock the phones. Once more, AT&T/Apple struck, releasing a third update that this time "bricked" the phones- rendered them totally useless, unless you get AT&T to unbrick. Not to be outdone, the techheads then figured out how to revert the phones to the first unpatched versions.

You might also have heard recently of a change in AT&T Yahoo’s user license agreement. It basically says that if you complain too much about AT&T, they reserve the right to deny you service. So, if I had posted this article using AT&T Yahoo, I’d have problems.

In all fairness, I should point out that AT&T isn’t really AT&T. Rather, AT&T Long Distance was bought out by SBC-Ameritech, who then decided to start using the good name of AT&T to trick folks into trusting them. The AT&T corporation is the "holding agent" for at least four divisions; the former Ameritech phone company, AT&T Long distance, the former SBC Communications and Cingular cellular service. Somewhere in there is also the SBC Yahoo internet service provider.

So we’re not dealing with your mom and dad’s AT&T.

The main reason though that I’m venting today about AT&Evil, is their abysmal customer service. I think they may just be worse than the dot-headed Hindus of Dell, or Hewlett Packard’s computer-prompt reading customer service chimps.

Earlier this year, I was having some problems with my home phone. It was kind of staticky, then it just went out completely. I called AT&T and they sent out a tech, who reported that vines growing along the fence line behind my property had damaged the AT&T line running to my utility pole.

Although I’d never heard of this before, a friend of mine who lives across town had the exact same problem several months later- only the vines cut out his DSL service.

After several months of adequate service, I noticed that my DSL connection kept getting dropped. I was repeatedly kicked off Xbox Live, and even my internet connection with my PC seemed slow and also repeatedly failed. At first I thought the problem was due to the wireless router I used to share my DSL line between my PC and Xbox 360. However, bypassing the router and plugging directly into the Siemens MODEM SBC Yahoo had supplied me when I signed up for DSL service did not improve things. On one night, in a less-than-three hour period, my connection was dropped 7 times. I was mad enough to throw my Xbox out the window.

So I called AT&T, and complained. They did the normal Customer Service Chimp routine, reading me troubleshooting tips that sounded remarkably like the ones on the AT&T website. I kept chanting over and over that I had already done the steps, could someone please come out. Finally, the CSC tells me they'll run a check on my line. He comes back and reports there's static on my line, so they'll have to send a tech out.

Guy comes out, checks the box on the back of the house, shows me where the test jack is, and reports that my line seems fine. I point out that my connection speed is half what it used to be. Conveniently, he runs a test and it comes back fine. So he insists that the problem is inside the house and asks to check my modem jack. I let him in, he runs some tests, and again, all seems well. I tell him that my connection problems are sporadic, but it goes right over his head. Finally, he suggests that I might have a problem with my lines in the house- and offers me this little kernal of wisdom:

"The jacks you never use are the ones that give you the most trouble."

Yeah, and this is the sound of my one hand smacking some sense into you…

All remains the norm- periodic drops included- until Monday night. The phone chirps once- like a half-ring- then goes dead. The next morning, I realize the phone is DEAD. KAPUTT. No dial tone.

I go around the house and unplug all the phones and DSL filters. I plug one line back in. Nothing. I check the modem's jack- sure enough, I still have a good DSL connection. Baffling.

At work I call to report the problem. The CS Chimps again start reading me prompts. I keep interrupting, telling them I've done all that. Finally, they agree to send someone out, and that it will take awhile, but they'll have someone out to the house by no later than close of business the next day.

When no one showed up, I unplugged everything this time. I even took apart a couple of jacks to make sure no liquid metal had been inadvertently poured into the jacks. Nope, all clear. I went out back- in the rain- and checked the phone box test port. Nothing. Clearly, the problem wasn't in my house- it was somewhere up the line.

So, after the third night with no phone, I call in again. This time I'm pretty pissed. I get yet another CSC- a sassy one at that- who tells me that as soon as a tech is available, they'll come out. I advise her that the problem is not in my house- that I checked the box out back and there's no dial tone. Did I unplug my DSL? Yes. Did I unplug my computer from the electrical outlet?

CSE representative standing by. ?!

Yes, it seems that the CSC thinks that even though no wire connects the PC to the phone lines, electricity could magically fly across the room and enter their system. At that point I could have reached across a counter and strangled someone. I ask for her name and supervisor.

Short wait.

Superviser comes on. I recap the problem, and my efforts, including my test at the phone box- AS THE TECH SHOWED ME TO. I point out that the last thing I want to hear is that I have to unplug my computer from an electrical outlet when it isn't even connected to the phone lines. I also remark on her employee for sounding like a chimp reading prompts off a screen.

I get a half-hearted apology and am assured that first thing in the morning, the supervisor will make sure that someone comes out- that all I should have had to say was that I tested at the box and nothing worked.

Of course, it's 3:15 PM as I start writing this email, and guess what? No phone service.

By 3:25 (I had to stop several times to answer phones at work) I get a call from AT&T, telling me that they'll have someone out tonight no later than 8 PM. I laugh at them and apologize for my skepticism. I am assured that someone will come out. I confirm that this is the number to call when no one shows up.

Ten minutes later, a tech calls to tell me he's on the way.

By 5 PM I’m home from work and have my phone working again. The tech who responded this time explains that it was a problem with the line feeding my house. It was laying on the ground, and–What?! Laying on the ground? The first tech told me he had personally buried it in April. No wonder then that rain and the growth of plants damaged the line. Tech #2 advised that he would get the line buried this time and that should solve my problems.

Alas, my DSL is acting screwy again, with poor connection speeds. Maybe burying my line will help.

And maybe monkeys will fly out of my butt…reading prompts from the customer service screen.

Editor's Note: This commentary first appeared in the November 2007 edition of MyVoiceNews.com.