Archive for May, 2005

Dealing With Physical Network Problems

May 31, 2005

Network connectivity issues can easily be caused by physical network problems. Always ensure that you have a reliable and working connection between each computer and another, or each computer and a router.

Diagnosing a possible problem with a wired connection requires checking 3 components.

  • The network card on this computer.
  • The network cable.
  • The network card on the other computer, or the router port.

Does your computer connect to another computer or to a router? If to a router, try another port on the router – preferably swap ports with another, working computer. Also, swap network cables with another computer. Always test with currently known good components, when possible. And please, always start with a pre-made network cable – this is NOT the time to try making your own Ethernet cable!

Remember that the network card on this computer, and the network card on the other computer (or the router), are all computers in their own right. Each device uses drivers and / or firmware. Check with the vendor to see whether this is a known problem, and whether a driver or firmware update is available. Whenever you have a problem, start with updated software. If you ever go to the vendor for advice, that is the first thing they will ask you about.

Examine the network card, or read the manual, to find out whether it contains an embedded hardware firewall, like the nVidia nForce.

Also, look at whether the problem is constant and permanent, or intermittent. If intermittent, is there a pattern to when it occurs, and / or is there a consistent workaround? One common example of this possibility would be loss of connectivity when the computer is idle for an hour or so.

Read Practically Networked Problems with Network Cards for suggestions on dealing with problems that originate with a network card itself.

Run the Device Manager (System Properties – Hardware tab), find the network adapter in question, and Troubleshoot it. See if the system can identify a hardware problem.

Always use the right kind of network cable, and always have a spare on hand. If you are connecting a computer to a router, you’ll probably use a straight-thru aka patch cable. If you are connecting two computers directly, you will probably need a cross-over aka null-modem cable. Some newer network cards may support a feature known as Auto-MDIX, which lets you use either a cross-over or a straight-thru cable, at your convenience, to connect directly to another computer. But always have a spare cross-over cable to diagnose this problem.

Does the network card, and maybe the router port, have one or two colored lights that light up or change color? Observing their behaviour, and checking the owner’s manual, could save you a trip to your nearby computer store to buy the wrong component.

On most network cards, the Green light indicates Link (connectivity), while the Yellow light indicates Transmission (activity). The Green light should be solid, while the Yellow light may be either blinking (light activity), or solid (heavy activity).

If a router is the other end of the connection, try checking the router access log too.

If your network includes WiFi components, your issues may be even more complex to diagnose.

  • WiFi operates at Layer 2 of the OSI Network Model, but it has its own network setup procedures.
  • Besides networking, WiFi involves radio. The WiFi signal won’t be uniformly available in your work area; however, it will pass into your neighbour’s work area (and your neighbour’s signal into your area).
  • You can control your own network, but you cannot control your neighbour’s network. And your neighbour’s network use will affect your network.

For WiFi physical issues, see WiFi Will Never Be As Fast As Ethernet. For WiFi security issues, see Setting Up A WiFi LAN? Please Protect Yourself!.

For truly unacceptable problems, prepare to uninstall the drivers for one or more network adapters.


Reading IPConfig and Diagnosing Network Problems

May 30, 2005

Both Internet Service and Windows Networking rely upon the Internet Protocol being properly configured. The IPConfig utility tells us the various settings on any computer using Internet Protocol. This is a good place to start, when diagnosing any networking problem.

Please note that the examples shown here are from a computer set up in a workgroup, which is almost identical to a domain. There is one major difference for a domain: the DNS server entry, for a computer in a domain, should point to the IP address of the domain controller, as indicated in Windows XP / 2000 On A Domain.

This is a problem, as the ipconfig listing will not give a clue as to where the domain controller points (forwards its DNS queries). If you have DNS problems on a computer in a domain, ipconfig will not help diagnose them.

To get ipconfig data for immediate examination, simply type “ipconfig /all” into a command window.

If you want the data so it is easily compared between computers, you need to export the data into a text file.

  • Type “ipconfig /all >c:\ipconfig.txt” (less the “”) into a command window.
  • Then,
    • Type “notepad c:\ipconfig.txt” (less the “”) into the same command window, for immediate examination.
    • Or, copy file c:\ipconfig.txt to another computer, for comparative examination.

A Normal IPConfig

Here’s an example of IPConfig (“ipconfig /all”) from a pair of computers on a LAN.

Windows IP Configuration
        Host Name . . . . . . . . . . . . : PChuck1
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : pchuck.net
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 00-04-76-D7-C5-6A
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.11
                                            192.168.1.33
        Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
        Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12

Windows IP Configuration
        Host Name . . . . . . . . . . . . : PChuck2
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : pchuck.net
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 00-04-76-D7-76-BC
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.51
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.11
                                            192.168.1.33
        Primary WINS Server . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:53:45
        Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:53:45

What does this tell us?

        Host Name . . . . . . . . . . . . : PChuck1

This is the name of the computer, as seen by Internet Protocol.

        Primary Dns Suffix  . . . . . . . : 
        DNS Suffix Search List. . . . . . : pchuck.net

Most small LANs don’t have a DNS server set up, so you probably won’t use DNS for name resolution. If you do have a DNS server (other than the one which your ISP provides), you should set up both DHCP and DNS carefully.

        Node Type . . . . . . . . . . . . : Broadcast

The Node Type tells us how this computer identifies the address of another computer on the LAN. Broadcast is the best setting for a small LAN, although anything but Peer-Peer will work. If you do not have a WINS server, and you see Peer-Peer here, you do have a problem.

If you have a LAN with its own DNS server, you will want to set up your LAN, and the DNS server, properly.

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes

If DHCP is enabled, this computer should get its IP settings from a DHCP server (either a NAT router / ICS host, or a dedicated server running the DHCP service).

If Autoconfiguration is enabled, this computer did get its IP settings from a DHCP server. If DHCP is enabled, but Autoconfiguration is not enabled, a DHCP server was not available. If the latter, it is very likely that the computer now has an APIPA address, and may display the message “limited or no connectivity”.

        Physical Address. . . . . . . . . : 00-04-76-D7-C5-6A
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.11
                                            192.168.1.33
        Primary WINS Server . . . . . . . : 192.168.1.1

These are the most basic settings. You must get the addressing right, before the other components will be of much use.

The Physical Address is the MAC address for this network card. If this is the Vendor Assigned address, it is unique for this device. All Vendor Assigned addresses are unique, for every device in the world. If this is a User Defined address, it was set using tools provided by the vendor. For NT compliant network hardware, this was likely the device properties wizard, accessed from Local Area Connection Properties in Network Connections.

The IP Address for each computer must be unique. Taking the IP Address and the Subnet Mask, and subnetting the IP address, we see that this subnet is 192.168.1.0/24, and the Host Address is 50. On any LAN segment, all hosts (computers) must have the same subnet, and all computers must have a different host address.

While the Subnet and Host addresses together determine which computers on a LAN can communicate, the Default Gateway determines if the computer can communicate with any hosts outside the subnet. The Default Gateway must be the IP address of another host, on that same subnet, that also connects outside the LAN. With no default gateway value, or with an invalid IP address here, your computer won’t have access outside the LAN.

Having one or more computers with APIPA addresses – 169.254.0.0/16 (169.254.0.0 / 255.255.0.0) – could have various causes.

  • If you’re connecting 2 computers directly, using a cross-over cable, then the APIPA addresses are perfectly normal.
  • If you’re connecting a computer to an ICS server, or to a NAT router, and it’s getting a 169.254.x.x address, then either you have a physical network problem, or the DHCP server (ICS server) is disabled.

The DHCP Server identifies the network device that issued the IP settings to this computer. If you have two computers which can’t communicate, and they have incompatible IP settings, checking the DHCP Server might show settings from two different DHCP servers.

There are two possible reasons for having two different DHCP servers.

  • If you’re paying your ISP for two IP addresses, you may be getting two addresses on different subnets, which is a perfectly normal situation for cable broadband. The solution for this may be to not use IP on your LAN.
  • You also might have an unknown (rogue) DHCP server on your LAN. In that case, knowing the IP addresses of both servers should help you identify each server.

The Physical Address, IP Address, Subnet Mask, and Default Gateway are settings which describe how this computer connects to the network. DNS Servers, on the other hand, provide the ability to resolve the IP address of another computer on the network.

WINS is a legacy Microsoft name resolution protocol, used with Windows NT V4.0, and Windows 2000 (aka Windows NT V5.0). With Windows XP (aka Windows NT V5.1), Microsoft elected to use DNS, as the rest of the world has been doing for a while. But we still have the possibility to use WINS built in to Windows XP.

If your host configuration specifies a WINS server, you had better have one. If a WINS server is configured, and WINS is queried, Windows XP will wait for the query against it to time out. Depending upon the value of Node Type, you will have various problems.

  • If Node Type is Broadcast, the WINS entry will be ignored.
  • If Node Type is Hybrid, name resolution by Broadcast will be tried only AFTER WINS resolution is tried and times out. This will significantly increase latency in many file sharing processes.
  • If Node Type is Mixed, name resolution by Broadcast will be tried first. If the requested computer does not respond to a Broadcast (maybe you typed the name wrong), name resolution will try WINS next. The WINS query will have to time out before reporting “name not found”, aka “Error = 53”.
  • If Node Type is Peer-Peer, only the WINS server will be tried. This is a common problem on small LANs.
  • If Node Type is Unknown, it will be treated as Hybrid.

A Bridge

When you run the Network Setup Wizard, you may end up with a bridge. Bridges cause problems with file sharing, and with Internet service sharing. You can get a bridge from having any of the following:

  • Two network cards, connected to two different subnets.
  • Dialup Internet service, with a modem and a network card.
  • PPPoE Internet service, with a PPPoE modem and a network card.
  • One network card and a 1394 Firewire device.

Windows IP Configuration
        Host Name . . . . . . . . . . . . : MyComputer
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Network Bridge (Network Bridge):
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : MAC Bridge Miniport
        Physical Address. . . . . . . . . : 02-2F-CC-91-84-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

If you don’t intentionally want a bridge, get rid of it. If you need a bridge, please refer to Steve Winograd PracticallyNetworked XP ICS – Network Bridge.

You can avoid ending up with a bridge, if you follow the advice from Microsoft How to prevent the Network Setup Wizard from creating a bridge in Windows XP.

IPv6

When you run the Network Setup Wizard, you may end up with IPv6, aka Automatic Tunneling, aka Teredo Tunneling.

Windows IP Configuration
        Host Name . . . . . . . . . . . . : PChuck1
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : myhome.net
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 00-04-76-D7-E2-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 10.201.99.11
                                            10.201.99.33
        Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
        Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12
Tunnel adapter Automatic Tunneling Pseudo-Interface:
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : C0-A8-00-03
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.50%2
        Default Gateway . . . . . . . . . : 
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

The presence of IPv6, aka Automatic / Teredo Tunneling, may hamper the diagnosis of your problems. Please remove IPv6 while we are working on your problems; if you truly need it, you can reinstall it later. You must remove IPv6.
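The rules in this article, from the basic addressing checks through the Node Type / WINS interaction to the bridge and tunnel adapters shown above, can be applied mechanically to an exported listing. The script below is an added example, not a tool from the original post: it parses `ipconfig /all` text (the field names are the ones ipconfig prints, including the continuation line that carries a second DNS server), flags the single-host problems (an APIPA address, a default gateway that is missing or not on the subnet, Peer-Peer node type with no WINS server, a Network Bridge adapter, an IPv6 tunnel adapter), and, when given several captures at once, performs the cross-host comparison the article recommends: one subnet, distinct host addresses, and a single DHCP server. The three captures are constructed for the example; their host names and addresses are made up.

```python
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")
# "Key . . . : value"; an indented line with no dotted leader continues the previous field.
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)(?:\s*\.)+\s*:\s?(?P<val>.*)$")
# Constructed captures for this example (not the post's own listings).
GOOD = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : PChuck1
        Node Type . . . . . . . . . . . . : Broadcast
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.11
                                            192.168.1.33
"""
BAD = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : PChuck2
        Node Type . . . . . . . . . . . . : Peer-Peer
Ethernet adapter Network Bridge (Network Bridge):
        IP Address. . . . . . . . . . . . : 169.254.17.9
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
Tunnel adapter Automatic Tunneling Pseudo-Interface:
        IP Address. . . . . . . . . . . . : fe80::5efe:169.254.17.9%2
"""
ROGUE = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : PChuck3
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.77
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
"""

def parse_ipconfig(text):
    """Return (global settings, adapters); each maps a field to its list of values."""
    settings, adapters, current, last = {}, [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                   # section header line
            if line.startswith("Windows IP Configuration"):
                current = settings
            else:                                   # adapter: keep its header under "Adapter"
                current = {"Adapter": [line.rstrip(":")]}
                adapters.append(current)
            last = None
        elif (m := FIELD.match(line)) and current is not None:
            last = m.group("key").strip()
            current.setdefault(last, [])
            if m.group("val").strip():
                current[last].append(m.group("val").strip())
        elif last is not None:                      # continuation value line
            current[last].append(line.strip())
    return settings, adapters

def first(section, key):
    return (section.get(key) or [None])[0]

def diagnose(*captures):
    """Apply the post's rules to one or more captures; findings are 'CODE: detail' strings."""
    out, owner, nets, dhcp = [], {}, set(), set()
    for text in captures:
        settings, adapters = parse_ipconfig(text)
        host, node = first(settings, "Host Name"), first(settings, "Node Type")
        for a in adapters:
            name = a["Adapter"][0]
            if name.startswith("Tunnel adapter"):
                out.append(f"IPV6_TUNNEL: {host} {name}; remove it while diagnosing")
                continue
            if "Bridge" in name:
                out.append(f"BRIDGE: {host} {name}; an unwanted bridge breaks file and Internet sharing")
            ip, mask, gw = (first(a, k) for k in ("IP Address", "Subnet Mask", "Default Gateway"))
            if not (ip and mask):
                continue
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if ipaddress.ip_address(ip) in APIPA:
                out.append(f"APIPA: {host} has {ip}; no DHCP server reached (normal only on a cross-over link)")
            if not gw or ipaddress.ip_address(gw) not in net:
                out.append(f"BAD_GATEWAY: {host} gateway {gw or 'none'} is not a host on {net}")
            if node == "Peer-Peer" and not first(a, "Primary WINS Server"):
                out.append(f"PEER_PEER_NO_WINS: {host} resolves names only through WINS, and none is set")
            if ip in owner:                         # cross-host checks from here on
                out.append(f"DUPLICATE_IP: {ip} is used by both {owner[ip]} and {host}")
            owner[ip] = host
            nets.add(net)
            dhcp.update(a.get("DHCP Server", []))
    if len(nets) > 1:
        out.append("SUBNET_MISMATCH: " + ", ".join(sorted(map(str, nets))))
    if len(dhcp) > 1:
        out.append("TWO_DHCP_SERVERS: " + ", ".join(sorted(dhcp)) + " (second ISP address, or a rogue server)")
    return out
```

To use it on real data, export `ipconfig /all` to a text file on each computer as described earlier, then call `diagnose()` with the contents of all the files at once; the per-host findings come first and the cross-host findings (subnet mismatch, two DHCP servers) last. `diagnose(GOOD)` returns an empty list, `diagnose(BAD)` reports the bridge, the APIPA address, the missing gateway, the Peer-Peer node type and the tunnel adapter, and `diagnose(GOOD, ROGUE)` reports that the two hosts are on different subnets and took their leases from different DHCP servers.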

A Hardware Firewall

This may become a common sight in the future.

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : NVIDIA nforce Networking Controller

This is a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.

IPConfig Command not recognised

And here’s an odd result. You type “ipconfig”, and get

‘ipconfig’ is not recognized as an internal or external command, operable program or batch file.

In this case, you have still more work to do. There are several possibilities.

  • Check the Path. The entry “;%systemroot%\system32” may be missing.
  • You may need to reload TCP/IP (if this is not Windows XP), or reset TCP/IP (if this is Windows XP).

An Incredibly Stupid Wardriver

May 29, 2005

11/26/2003 Toronto Canada Wi-Fi hacker caught downloading child porn

Toronto police stopped Walter Nowakowski for driving the wrong way down a one way street during the early morning hours. Walter had his pants around his ankles, and he was watching a child porn video that he had just downloaded from the Internet, using a hijacked wireless connection from a nearby house.

Following his arrest, police searched Nowakowski’s home, where they recovered 10 computers along with thousands of CDs and floppy disks suspected to contain child porn images.

Walter was doing 4 things at the same time.

  1. He was wardriving.
  2. He was driving the vehicle himself.
  3. He was watching what he was downloading, while he was driving.
  4. He had his pants off, because he was enjoying what he was doing so much.

Walter got caught by the police for doing none of the above. Nor did he get caught for being a collector of child porn.

Walter got caught because he found doing all of the above so incredibly easy, that he paid no attention to what he was doing, and drove the wrong way down a one-way street.

If the FBI (or the Canadian equivalent) went knocking on somebody’s door and seized equipment that was used in downloading child porn (the FBI has been doing just this), Walter would not have been the one on whose door they would have knocked.

The FBI would have been knocking on the door of the people who provided Walter his Internet service. And those people would have been aware of it only after the FBI got there.

The people providing Walter his Internet service, very likely, have no idea how lucky they were that Walter was so stupid. Since Walter was arrested during the early morning hours, it’s likely that everybody was still asleep. Even if any of the inhabitants in the area saw Walter being arrested, or read about it in the newspaper, how likely is it that somebody thought “Gee, maybe that’s why my wireless router was so busy?”. Yeah right.

Imagine what the smart wardrivers can do? Folks, please, if you’re going to have a wireless LAN, Protect Your WLAN from idiots like Walter. And use a Layered Defense on all computers on your LAN – not just the ones connected wirelessly.

Using Event Viewer To Get Details About System Events

May 28, 2005

When you have a problem with the system (whenever a system error message pops up), or when the system does something strange, and you want to ask for help, start by finding any relevant entries in the System Event Log.

Under Control Panel – Administrative Tools – Event Viewer, you will find lists of all recorded system events. There are three standard logs – Application, Security, and System. Some applications, like your AntiVirus, may add an additional one – my antivirus program added an additional log called Antivirus.

Look in the appropriate log for an event recorded at the time you observed an error or event. Double click on any log entry to view details.

When you find an entry corresponding to the time and maybe the symptoms, extract the details.

  • Look for the clipboard button in the detail window – on the right, below the Up and Down arrows (used for viewing Next and Previous event details).
  • Hit the clipboard button to Copy the details.
  • Go to whatever communications tool that you use (browser, email, usenet, whatever) and Paste the details into the message that you’re creating.

Note that Event Viewer, like some other Windows management applets, can connect to other computers over the network. When logged in under an account with administrative access to other computers:

  • Start Event Viewer.
  • Go to Action – Connect to another computer.
  • Select Another computer, and type the name of the other computer, or use the Select Computer applet to identify and select another computer.
  • Hit OK.

Now you can peruse the Event Log of another computer, as if you were right there logged in.

For interpretation of specific errors, see Microsoft Events and Errors Message Center.

For more information about the Event Viewer, see Microsoft How To View and Manage Event Logs in Event Viewer in Windows XP.

Security By Obscurity

May 27, 2005

The principle of Security By Obscurity, or hiding yourself from the bad guys, has been around for quite a few years. The English comedy troupe Monty Python provided a light-hearted, yet not entirely irrelevant, discussion about this issue, How Not To Be Seen.

In this film we hope to show how not to be seen. This is Mr. E.R. Bradshaw of Napier Court, Black Lion Road London SE5. He can not be seen. Now I am going to ask him to stand up. Mr. Bradshaw, will you stand up please? (In the distance Mr. Bradshaw stands up. There is a loud gunshot as Mr. Bradshaw is shot in the stomach. He crumples to the ground.) This demonstrates the value of not being seen.

Years back, folks would claim that they were never online for more than a few minutes, and they turned their computer off when they weren’t online.

They would claim safety by using dial-up, and later by using dynamically addressed broadband. Dynamic addressing was thought to be safer, because with a frequently changed IP address, the bad guys could never find you.

One of the selling points of PPPoE, which let the DSL Broadband ISPs oversell their customer base against their IP pools, was the “dial-up experience”, as if PPPoE customers wanted a new IP address every day. Some customers actually believed that argument. Remember that Cable Broadband is that way routinely.

Nobody ever talked explicitly about getting a new IP address that had apparently already been noticed by the bad guys. Yet that was always a possibility; any “new” address that you get has probably been used by somebody. In any mature pool of dynamic addresses, most or all have probably been noticed by the bad guys in some way.

A well known and controversial security consultant provides a free scanning service, to check out your computer or router. His service will tell you if your computer or router is providing information to the internet, gratuitously, which would make you visible to those with dishonourable intent.

Steve Gibson’s Shields Up! will probe your public IP address, whether it belongs to your computer or to your router, checking for open and replying ports. It will then advise you how exposed you are, judging by how many of your ports are open, or reply to his probes.

To the Shields Up! scanning service, the most secure configuration is a computer or router that does not respond to any probes, but simply discards them. Steve calls this condition “Stealth Mode”. The idea behind “stealth” is that your computer or router shouldn’t reply to any connection attempt, even to say “no connection available here”, since that would obviously confirm to a bad guy that there is a host at your IP address.

(Cut to another area, however this time there is a bush in the middle.) This is Mr. Nesbitt of Harlow New Town. Mr. Nesbit, would you stand up please. (Nothing happens.) Mr. Nesbitt has learned the first lesson of not being seen – not to stand up. However, he has chosen a very obvious piece of cover. (The bush explodes and you hear a muffled scream).

Unfortunately, if there were no host at your IP address, a router upstream from you would respond to any probes with “Destination address unreachable”. By not replying to probes at all, you are confirming that your IP address is in use (the router has been routing the probes to you), but that you simply chose not to answer. To a bad guy, this may make you even more interesting.

Also unfortunately, there are many ways to probe your ports. Just because your computer / router doesn’t respond to a proper “TCP connect” request doesn’t mean that it won’t respond to (or can’t be detected by) a SYN, FIN, or UDP scan.

(Cut to another scene with three bushes.) Mr. E.V. Lambert of Homeleigh, The Burrows, Oswestly, has presented us with a poser. We do not know which bush he is behind, but we can soon find out. (The left-hand bush explodes, then the right-hand bush explodes, and then the middle bush explodes). (There is a muffled scream as Mr. Lambert is blown up.) Yes, it was the middle one.

Bad guys that don’t care whether there is anything at your IP address will attempt to hit you anyway. Security By Obscurity became still less relevant on January 25, 2003, with Slammer. Slammer didn’t check for anything at any given IP address; it just sent itself to randomly chosen addresses. It infected 90% of its potential targets – worldwide – in 10 minutes, by simply not caring what it was invading. By its very simple design, its code became lean, mean, and very fast.

Slammer’s target base was fortunately limited, as it was aimed at a special type of server. Even so, it brought down massive portions of the internet infrastructure, with the huge volume of traffic that it had generated, within 15 minutes after it hit the internet.

  • The tiny worm hit its first victim at 12:30 am Eastern standard time.
  • By 12:33 am, the number of slave servers in Slammer’s replicant army was doubling every 8.5 seconds.
  • By 12:45 am, huge sections of the Internet began to wink out of existence.

Read more about this milestone in the history of malware, in this fascinating tale by Wired Magazine Slammed! An inside view of the worm that crashed the Internet in 15 minutes.

Blaster, a successor to Slammer, uses an RPC service vulnerability that was present in Windows NT operating systems until it was patched, and it continues to infect unpatched hosts occasionally. Look at any of the Microsoft.public.*.* Usenet discussion groups. Even now, occasionally somebody asks about their computer shutting down with “NT Authority…” or “RPC Call…”.

Sasser, a successor to Blaster, uses an LSASS vulnerability that was present in Windows NT operating systems until it was patched. Sasser was featured on TV in 2005 – in the BBC Video Jacques’ Hack Attack. The computer featured in the video was online for less than 30 minutes, because it crashed after loading 3 worms (Sasser being just 1 of the 3), and the resulting network and system traffic overloaded it. The first worm hit that unprotected computer almost immediately after it was connected to the internet.

In typical British melodrama (and to us Yanks, Spencer Kelly, of the BBC, may sound vaguely similar to John Cleese, but the BBC is not Monty Python):

How long would it be before we were hit by something nasty on the net? Hours, minutes? As it turned out – eight seconds!

If your computer is vulnerable to an attack, and a Blaster or Slammer type worm is sent in your direction, you WILL be infected. Stealth or not.

I’ve been trying to make an anagram out of “security by obscurity”, to something evocative, like “botnet membership” – but no luck so far. Anybody out there want to help? I’ll send you a t-shirt (and attach a link here to your blog), if you can come up with an interesting anagram.

Regardless of whether it makes an anagram or not, Security by Obscurity, if it’s your main protection, will surely lead to botnet membership, making your computer into yet another distributor of important email – like “Your l0an has been @pproved”, “che@p mesdctations”, and “V!agra”.

Hiding Your Server From Enumeration

May 27, 2005

If you don’t want your server to be displayed in Network Neighborhood, add a registry value named Hidden under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Make Hidden a DWORD, with value “00000001”. This will prevent the server from reporting any shares to the browser service.

Conversely, if your server isn’t showing up in Network Neighborhood, and you want it to show up there, check for that value. If it exists, make sure that it has a value of “00000000”, or delete it altogether.

How To Post On Usenet And Encourage Intelligent Answers

May 27, 2005

Usenet is an interesting place to hang out. You can meet all sorts of interesting personalities there – from helpful to helpless, and from technical to totally irrelevant. Depending upon your current needs, whether to get serious advice or to just waste time, you can affect who you want to converse with in several ways.

  • What forums do you post in?
  • What is the content, demeanour, and style of your posts?
  • What time of day, and day of week, do you typically post?

If you have spent very much time at all on Usenet, you know that there are some forums where, even if you ask a serious question, you are just as likely to get total time wasting insults, and stupid remarks, as anything else. That’s if you don’t get totally ignored, which would probably be better for you in the long run.

On the other hand, if you post in a forum which is known for good technical advice, and you format, style, and word your questions properly, you can encourage useful answers from the helpful and knowledgeable folks who hang out there.

If you’re new to this, the best way to start is to find the forums where the serious discussions take place. Find threads which contain intelligent, well written responses, then observe how the initial posts, in those threads, were worded. When you find threads containing responses similar to what you’d like to get, try and imitate the original posts.

I highly recommend that you read several useful articles on Usenet.

The best suggestion – Try and Fit In – Help Us To Help You.


Please Use Proper Grammar, Spelling, and Other Refinements

Usenet is a wide and diverse medium, and it is recognised that not everybody there speaks the same language. And in the more serious forums, the more serious helpers will try and be tolerant of those who were not born with English as their mother tongue. Many of us have been to foreign lands, and have experienced for ourselves the frustration of being part of a minority culture.

That said, there are several posting styles, other than broken English from not speaking it as well as one would like, which will not be received graciously.

  • Grammar and Phrasing. Usenet is NOT English class, and nobody expects perfect documents. But when you type incomplete or run-on sentences, don’t start sentences with capital letters, or your entire post is just one long paragraph, your post is hard to read. Many helpers will ignore your post and find better written ones to read.
  • Shouting. Please don’t type in all capital letters – that is considered shouting, and will not get you polite treatment. As with grammar, many will simply ignore your posts, as use of mixed case is much easier to read.
  • Spelling. Were you typing conversations in an Instant Messenger program, you would be expected to make a few odd spelling mistakes from time to time. When you post in Usenet, take the time to review what you type before hitting Send. Use a spell checker even. If it’s important enough for the helpers to read, it’s important enough for YOU to read once after you write it.

    In a chat forum, it’s mere courtesy to write in the same style as the others. In a technical help forum, where YOU are looking for help, it’s common sense. Help the helpers to help YOU.

    And please don’t use “leet speak” in the serious Usenet forums; techies don’t appreciate it and will quickly tag you as a newbie.

Read the above linked documents for more discussion on each of these concepts.

>>Top

Hijacking Threads

When you have a problem, it’s a good idea to spend a few minutes (or hours) reading previous discussions in a forum. Maybe there’s a thread in there with your problem, and a solution to your problem. But remember, however similar your problem may appear to be to the posted problem, there will always be some degree of variance.

If there is a thread with your problem in it (and however similar it may be), check out the discussion, silently. Please don’t add your post in there “I have the same problem. Can someone help me too please?”, or worse yet “I have the same problem, except… Can someone help me too please?”. When you do this, it’s called thread hijacking.

When you hijack the thread, it splits into two sub-threads, one addressing the Original Poster, the other addressing you.

  • This doesn’t benefit the Original Poster, because you’re taking attention away from his problem, and directing it towards yours.
  • This doesn’t benefit the helpers, because they have to consider two problems, or at least to direct responses towards two (or more) people.
  • Since you don’t know what causes your problem (if you did, you could fix it yourself, couldn’t you?), you don’t really know that the symptoms are exactly the same as the Original Poster’s. As the helpers address both problems, they may find that the two problems are totally different.
  • Your thread, which is now under the Original Poster’s thread, may not be seen by as many people. You may not get the attention of a qualified helper.
  • As the helpers continue to address your problem, they have to repeatedly search for your thread, which is under the Original Poster’s thread. This causes confusion and inability to find your thread, and less help for you.
  • When there are multiple people asking for help in the same thread, everybody has to keep constantly looking at each post, and wondering if it’s addressing the right subthread. It’s like being in a large party, with 6 people talking at once about 6 different subjects. How can you carry on an intelligent conversation, with 6 people talking simultaneously? It’s worse than a mixture of bottom and top posting.

In short, hijacking a thread benefits nobody.

When you have a problem, start a new thread. Let the helpers decide if your problem is the same as somebody else’s. Solve one problem in one thread.

>>Top

MultiPosting

The Internet as a whole, and Usenet specifically, is an infinitely diverse and large population. When you use Usenet, and you post thru a newsreader, you can post in any of thousands of different forums. Many times, a question that you have may be of interest to (may be helped by) folks in several different forums. Maybe you have a question about pinging a computer running Windows XP; in which case, your question might be answered by folks in microsoft.public.windowsnt.protocol.tcpip, or in microsoft.public.windowsxp.network_web. You might get help from folks in either group, or maybe some advice from folks in each group.

If you use a Usenet newsreader, any articles that you write can be posted into both groups simultaneously, and folks reading in either group can reply, with their replies going to both groups. Why should this be of any interest to you?

It’s just this. When you get advice on Usenet, you benefit from collaboration. With the experts in both groups able to see what is being written about your problem, you are more likely to get accurate and timely advice. This is called cross-posting.

On the other hand, if you post your question into both groups separately, you’ll be getting advice separately. With folks helping you separately, you are more likely to get contradicting or incomplete advice. This is called multi-posting.

Please! Cross-post, don’t Multi-post. And please cross-post conservatively and thoughtfully. Cross-posted articles get better results than Multi-posted articles, and properly Cross-posted articles get results that are better still.

For more discussion about the differences between cross-posting and multi-posting:

>>Top

Munging Your Email Address

For those who don’t yet know, posting your email address on Usenet, in plain text, is not a good idea. I have just 2 rules about posting email addresses on Usenet:

  • Don’t post your address on Usenet.
  • Don’t post someone else’s address on Usenet.

If your email address is “myaddress@myisp.com”, then “myaddressnospamplease@myisp.com” and “myaddress@myispnospamplease.com” may be somebody else’s address. If the other address doesn’t exist now, it may in the future. And “anything@nospam.com” could cause problems for the domain nospam.com, which belongs to somebody. None of these are acceptable munging techniques. If you must munge, do it under a name that can never be registered, such as the reserved .invalid top-level domain (RFC 2606): mail to “myaddress@myisp.com.invalid” simply fails to deliver, instead of landing in a stranger’s mailbox.

For more information, see Munging Your Email Address and Spam-Blocking Your Email Address.

>>Top

Replying To Posts By Others
When you converse with another person, in a voice conversation, face to face, you speak to that person. You should do likewise when conversing in Usenet.

When you reply to someone, reply to the post that was made. When someone answers your post, reply directly to that person.

  • Don’t reply to your own post; that looks like you’re talking to yourself. Qualified helpers may not see your reply, if it’s to your original post. Also, when you reply to your own post, you leave out my immediately previous reply to you. Having all portions of our conversation in one sequential file helps me to help you better.
  • Don’t reply thru a second person, when answering the first person. That’s rude, and looks like you’re trying to ignore the second person.
  • Don’t start a new thread, restating your problem. This produces an effect similar to thread hijacking. The helpers can help you better if your entire problem is attacked in one unique thread. Solve one problem in one thread.
  • Don’t change your name in the middle of a thread. Trying to guess if “JD” is the same as “James Doe” is frustrating to the helpers.
  • Don’t use the name field as part of the message. When you post as “The above advice didn’t work”, or similar, in the name, it makes you look like a newbie, and will not enhance your chances of getting prompt and effective results.

>>Top

Starting a New Thread

When you start a new thread, briefly summarise your problem in the Subject of your post. Think of the Subject as part of the index – an index entry with Date, Subject, and Name of Poster (you). Make the Subject a brief, unique categorisation of your problem – 6 – 8 words is enough.

  • Please don’t make the Subject “Help Me!”, or “Network Problem”. When you do that, your post shows up in the same thread as half a dozen other posts. Trying to help in a thread like that is like trying to deal with a hijacked thread, or with someone who doesn’t know how to reply in a thread properly.
  • To the other extreme, please don’t try and describe the problem completely in the Subject, with “Help please!” in the body. If your problem is so simple that it can be adequately described in that way, then either:
    • You have no problem. This is typically not the case.
    • You don’t understand the problem. Alternately, you can’t provide enough details for an effective diagnosis.
    • Your Subject is way too long. You cannot fit enough details about a typical network problem in a Subject line of proper length.
  • Please don’t start out your message with “My problem is the same as (this other thread)…”, or “My problem is the same as (the one below)…”. This is similar, in effect, to a hijacked thread, except for one extra detail.
    • The other thread may not be visible to anyone qualified to help you. It will almost certainly not be the one below yours in everybody else’s index.
  • Please summarise your problem in the Subject, and provide details in the Body of the post, as text. Don’t just provide a link to another article, and please don’t put the problem description in an attachment.
    • The ones qualified to help you may not know what your problem is, unless you provide some description.
    • The ones qualified to help you may not follow any link provided, for fear that it may lead to a malicious or non-relevant website.
    • The ones qualified to help you won’t open attachments. Attachments are well known security risks, and anybody who is best suited to help you will ignore them.

Always state your problem on its own, and provide background information. Let the helpers try and correlate multiple threads. If details about a problem can best be provided in another article, include links to the other article in your problem report. But provide a good description about your problem in your report, so the helpers will know the nature of your problem, without following the links.

>>Top

Testing

If you’re going to use your computer, you have to learn to test; but you need to test properly. Posting test messages in a non-test forum is not proper testing.

  • Test messages clutter up the forums, making it hard to find relevant posts.
  • Finding your own test message in a non-test forum may not be too easy either.

There are several forums setup specifically for posting test messages.

  • alt.test
  • alt.test.a
  • alt.test.b
  • microsoft.public.test.here

Please use the test forums for testing, and the non-test forums for relevant discussions.

>>Top

Bottom vs Top Posting

In a forum where technical help is provided, bottom posting is much more useful. That allows the helpers to review the previous conversation in one long sequential, smooth flow. This results in a more accurate and efficient work process, and better help for you.

Here’s a hypothetical example, between the Original Poster (“OP”), and one Helper, as viewed in a news reader in thread view.

OP: I have a problem.
  Helper: OK, try this and let me know the result.
    OP: Here is the result.
      Helper: OK, now try this and see what happens.
        OP: Here is what happens now.
          Helper: OK, This should fix it.
            OP: Yes, it did.  Thank you.

When viewed by Helper, while preparing the 6th entry, the thread, accumulated in the 5th entry, looks like (both OP and Helper bottom posting):

I have a problem.
OK, try this and let me know the result.
Here is the result.
OK, now try this and see what happens.
Here is what happens now.

On some days, I might be participating in as many as a dozen threads, with some threads having several entries / day, and others having several days between each entry. To prevent embarrassment and useless posts, I have found it very helpful for me to review each conversation before posting.

When each entry in the thread contains multiple lines, and I can review the thread as in the above example, with each entry in the thread in perfect sequence, top to bottom, it helps me greatly.

Compare the example above with (the OP top posting, and Helper bottom posting):

Here is what happens now.
Here is the result.
I have a problem.
OK, try this and let me know the result.
OK, now try this and see what happens.

Or with (both the OP and Helper top posting):

Here is what happens now.
OK, now try this and see what happens.
Here is the result.
OK, try this and let me know the result.
I have a problem.

Imagine either of the above examples, with a page or so of lines in each individual post. Could you read that, and figure out progress to date?

Now depending upon what product you use for reading and posting to the forums, you may have different possibilities here.

Whatever newsreader or web interface you use, when you are preparing to reply in the thread of your interest, the quoted thread contents will typically be presented below the cursor. If you start typing with the cursor positioned there, you will be top posting. This is not an insurmountable obstacle though.

Simply read thru the thread, and move the cursor. When you get to the bottom of the thread, position the cursor at the end of the thread, and begin typing. This is bottom posting.

I’m trying to help you. Help me to help you. Type your replies below my replies.

>>Top

Waiting For, And Reacting To, Replies
When you ask for help, post your question, and check back in the forum periodically to look for answers. Internet forums, Usenet or Web based, provide help in group based conversations. Here, multiple people post articles of similar nature in common forums, and the experts, who try to help you, find subjects that they’re experienced with.

Please don’t post a request for help, and ask to have answers emailed to you. Asked here, answered here. For everybody’s benefit.

  • You’ll get better help with all the helpers able to see, together, the status of your problem, as it’s resolved.
  • Many helpers keep their email addresses secret, and won’t be interested in sharing them with strangers.
  • You encourage a spirit of community, which is what drives these forums in the first place.
  • You help provide an online record of problems and solutions, again strengthening the idea of using online forums for problem resolution.

Getting help in Usenet requires both patience and persistence, carefully balanced.

Post once, with a carefully summarised problem report, and wait. You may get a reply back in an hour, or a day. You may get a reply back in an hour, and a better reply in a day.

There are two ways of posting that probably won’t get you a reply. Or if a reply, not always an answer to your problem. One is posting repeatedly. The second is posting a second (or third) time, asking “Why has nobody answered my first post?”

Both strategies, if you’re lucky, will simply get you replies pointing you to articles like this one. In some forums, you’ll get rude replies telling you to shut up. Remember most helpers have lives outside of the forums, and the more knowledgeable ones may have several activities that prevent them from reading here very often. Be patient.

When you do get replies, try and answer them promptly. If a response is serious, and appears genuine, trust and help the person responding, and provide relevant details that can help diagnose your problem. And don’t expect the first answer to provide an instant resolution to your problem. Some problems could take several days, or longer, to resolve. Your posting occasionally “Nothing works. I think I’ll give up.” won’t encourage help. Try and remember that the ones trying to help you have their own problems, and they need encouragement too.

Remember the style of advice given may vary, depending upon the helper, and upon the nature of your problem. Some advice may contain all relevant information in the body of the Usenet post. Other advice may contain links to articles discussing technical issues in detail. When links to other articles are provided in the body of the advice, follow the links, and read the other articles. It’s to your benefit to read the articles referenced by the person giving advice. It’s to nobody’s benefit for you to overlook the links, and continue to ask questions that are answered in the linked articles.

Sometimes, as we work on a problem together, my questions may seem intense; at other times, they may seem rather irrelevant, and idle. Appearances may be deceiving, in this case. If you’re going to trust me for advice, you need to trust my style of problem diagnosis, and work with me.

If you don’t get a reply within a couple of days, look at the forum as a whole. Are there other folks posting, and getting answers? If so, reread this article, revise or upgrade your problem report, and try again. If there’s no activity in the forum, either wait for a while longer, or find another forum. Some forums have activity each minute, others may have days between posts. Be observant.

Finally, if you do eventually (or immediately) get an answer that solves your problem, post one last time, and let everybody know that the problem is solved, and what helped you the most. Nobody gets paid to help here, so a “Thank You” should not be too much to ask. What you can tell about your experience, whether negative or positive, may help the next guy with a similar problem – and that’s what the forums are all about.

>>Top

Windows XP On An NT Domain

May 25, 2005

If you’re attaching a new Windows 2000 or XP computer to a LAN with Windows NT systems, you may have a problem logging in to the domain, or accessing domain resources, if both the client computer and the domain aren’t setup properly.

Windows 2000 and XP use DNS to locate Domain Controllers, by querying for the domain’s SRV records. If DNS is not configured properly, a Windows 2000 or XP system will waste time waiting for the DNS query to time out, then fall back to NT4-style NetBIOS name resolution (WINS, or broadcasts) to locate a Domain Controller. See the Microsoft articles How Domain Controllers Are Located in Windows, or How Domain Controllers Are Located in Windows XP, for more information.

These specific instructions are known to apply to Server 2003; for Server 2000, or for NT server, details may differ. In particular, Windows NT 4 domain controllers register no SRV records in DNS at all, so a domain with only NT 4 controllers is always located through NetBIOS, and the DNS steps below matter once a 2000 or 2003 controller is in the picture.

  1. Ensure that the 2000 / XP clients are all configured to use the domain DNS server. If you’re using DHCP on your LAN, the DHCP server should provide the address of the domain DNS server, not your ISP’s DNS server(s). If you’re not using DHCP, each client should provide the address of the domain DNS server individually.
  2. Whether you use DHCP or not, don’t specify your ISP’s DNS server as a backup to your domain DNS server. Your ISP’s server knows nothing about your domain’s records, so a client that fails over to it will not find a Domain Controller, and will sit through the DNS timeout described above.
  3. Check Properties for the DNS server Forward Lookup Zone.
    • On the General tab, ensure the domain DNS server is configured to permit dynamic updates.
    • On the Name Servers tab, ensure the DNS server points to itself as a DNS server.
  4. Check Properties for the DNS server itself, and specify your ISP’s DNS server(s) on the Forwarders tab. The domain DNS server then answers LAN names from its own zone, and forwards everything it isn’t authoritative for (internet names) to your ISP; that is how the clients resolve both, without ever pointing at the ISP directly.
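The client-side check for the steps above, as an added example that is not part of the original post: it builds the SRV query a 2000 / XP client sends to find a Domain Controller, and parses the answer the way the client does. The domain example.local, the controller dc1.example.local and the reply bytes are all constructed for this example; query_dc_records() sends the same query to a real server if you give it one.

```python
import socket
import struct

SRV_TYPE = 33       # RR type for SRV
CLASS_IN = 1

def dc_srv_name(dns_domain):
    """SRV record a 2000 / XP client queries to find a domain controller for dns_domain."""
    return "_ldap._tcp.dc._msdcs." + dns_domain

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = [label.encode("ascii") for label in name.split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def build_srv_query(name, txid):
    """Header (RD set, one question) followed by QNAME, QTYPE=SRV, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, CLASS_IN)

def read_name(msg, offset):
    """Decode a possibly compressed name starting at offset.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_srv_answers(msg, expected_txid):
    """Return [(owner, priority, weight, port, target)] for each SRV record in the answer
    section. An empty list means the server knows of no domain controller for that name."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    if flags & 0x000F != 0:                             # RCODE != 0, e.g. 3 = NXDOMAIN
        return []
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            priority, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            answers.append((owner, priority, weight, port, target))
        offset += rdlen
    return answers

def query_dc_records(dns_domain, server, timeout=3.0):
    """Send the query over UDP to one DNS server (needs a network; not used by the self-test)."""
    txid = 0x1234
    name = dc_srv_name(dns_domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_srv_answers(reply, txid)

def constructed_reply(txid=0x1234, domain="example.local", found=True):
    """Hand-built reply, not captured from a real server. With found=True it advertises one
    controller, dc1.<domain>, on port 389; with found=False it is an NXDOMAIN reply."""
    name = dc_srv_name(domain)
    question = encode_name(name) + struct.pack("!HH", SRV_TYPE, CLASS_IN)
    if not found:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # <domain> already appears inside the question name, after the four fixed labels,
    # so the target name compresses to "dc1" plus a pointer to it.
    domain_offset = 12 + len(encode_name("_ldap._tcp.dc._msdcs")) - 1
    rdata = (struct.pack("!HHH", 0, 100, 389) + b"\x03dc1"
             + struct.pack("!H", 0xC000 | domain_offset))
    answer = (struct.pack("!H", 0xC00C)
              + struct.pack("!HHIH", SRV_TYPE, CLASS_IN, 600, len(rdata)) + rdata)
    return header + question + answer

if __name__ == "__main__":
    for rec in parse_srv_answers(constructed_reply(), 0x1234):
        print("DC %s port %d (priority %d, weight %d)" % (rec[4], rec[3], rec[1], rec[2]))
    if not parse_srv_answers(constructed_reply(found=False), 0x1234):
        print("no SRV records: the client will fall back to NetBIOS")
```

The manual equivalent on the client is “nslookup -type=SRV _ldap._tcp.dc._msdcs.<your DNS domain>”. Run it against the server the client is actually configured with: an NXDOMAIN or empty answer is exactly the case that sends the client into the DNS timeout and NetBIOS fallback described above, and it usually means the client is pointed at the ISP’s server, or dynamic updates are off.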

You may find more information in additional Microsoft articles:

Dealing With Malware (Adware / Spyware)

May 25, 2005

One of the fastest growing industries in technology today is the development and deployment of malware: software that runs on people’s personal computers, without their consent and / or knowledge. This software is called by some adware, by others, spyware. It has many installation methods, many purposes, and many results.

It can range from the most innocuous add-on program designed to “enhance your Internet enjoyment”, to programs which secretly transmit your most intimate financial details (like your credit card number and PIN) to thieves who will use the information to empty your bank account.

The one thing you can say for a certainty is that it’s software that you do not want on your computer.

This is where you need a thorough adware / spyware scan, including CWShredder, AdAware, Spybot S&D, HijackFree, and HijackThis, with expert advice to interpret the HijackThis log.

>>Top

Check the Hosts file.
Search your entire system drive, including hidden and system folders, for a file named “hosts”. There is one legitimate copy, normally in C:\Windows\System32\drivers\etc, and it is used in many security strategies. Any others are possibly bogus, and part (but just part) of the problem. Windows reads the hosts file from the folder named by the registry value DataBasePath, under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters; make sure that value points to the legitimate location, since malware that points it elsewhere never has to touch the real file at all.

Now, you need to examine the contents of each Hosts file. Look for entries like

127.0.0.1 www.symantec.com

which sends requests for Symantec’s site to your own computer instead, so the page fails to load (or, if something on your machine is listening, a bogus page appears) when you try to access Symantec. An entry that maps a hostname to an address other than 127.0.0.1 is worse: it silently sends that traffic to a machine somebody else chose.

When examining each Hosts file found, check it very carefully.
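A scanner for the checks just described, as an added example that is not part of the original post: it reads the DataBasePath registry value to find the copy Windows really uses, then parses a hosts file and flags watchlisted vendor names that have been overridden and any name redirected to a machine other than the local one. The watchlist, the sample file and the addresses in it are constructed for the example; the registry lookup only runs on Windows.

```python
import ipaddress
import os

# Names a malware author would want to cut off: vendor update and download hosts.
# Constructed watchlist for this example; extend it with the vendors and banks you use.
WATCHLIST = {
    "www.symantec.com", "liveupdate.symantec.com", "www.trendmicro.com",
    "www.lavasoft.com", "www.safer-networking.org", "windowsupdate.microsoft.com",
}

def legitimate_hosts_dir():
    """Folder Windows actually reads the hosts file from (the DataBasePath registry value),
    or None when not running on Windows. Only the copy in this folder is consulted."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    value, _ = winreg.QueryValueEx(key, "DataBasePath")
    return os.path.expandvars(value)

def parse_hosts(text):
    """(line_no, address, [hostnames]) for every active line; comments and blanks skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, reason, address, [hostnames]) for each suspicious entry.
    Loopback / 0.0.0.0 entries for names outside the watchlist are left alone: ad-blocking
    hosts lists use exactly that form legitimately."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "unparseable address", address, names))
            continue
        blackholed = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name == "localhost":
                if not addr.is_loopback:
                    findings.append((line_no, "localhost mapped off loopback", address, [name]))
            elif name in watchlist:
                findings.append((line_no, "watchlisted host overridden", address, [name]))
            elif not blackholed:
                findings.append((line_no, "host redirected to another machine", address, [name]))
    return findings

# Constructed sample, not a file taken from an infected machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com      # vendor site silently blocked
127.0.0.1       ad.doubleclick.net    # ordinary ad blocking, not flagged
10.0.0.5        www.mybank.example    # bank traffic sent to another machine
0.0.0.0         liveupdate.symantec.com
"""

if __name__ == "__main__":
    print("Windows reads hosts from:", legitimate_hosts_dir() or "(not on Windows)")
    for line_no, reason, address, names in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, address, ", ".join(names), reason))
```

Run audit_hosts() over every copy the search turns up, not just the one in drivers\etc; a second copy that a changed DataBasePath points at is the one that counts.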

>>Top

Scan for viruses using online services
How current is your virus protection? Try one or more free online virus scans services, which should complement your current protection.

>>Top

Download AntiMalware and Corrective Software.
Download free tools to detect and remove malware. Only download each individual product from each server as listed. When dealing with malware, the most current version of all software is essential, so don’t use old versions – download new versions before starting.

NOTE: Some malware installs components into the LSP / Winsock layer in the network. Its removal may damage the LSP / Winsock, and damage network functionality in various ways. Download corrective tools, described in Problems With The LSP / Winsock Layer In Your Network, before starting malware removal. These tools are all very easy to use, and take up very little disk space. Downloading them, before starting malware removal, is a very good idea.

>>Top

Install Software.

  • Create a separate folder for HijackFree, such as C:\HijackFree, and copy the downloaded file there.
  • Create a separate folder for HijackThis, such as C:\HijackThis, and copy the downloaded file there.
  • Create a separate folder for Silent Runners, such as C:\SilentRunners, unzip the downloaded file, and copy “Silent Runners.vbs” there.
  • Create a separate folder for the two TrendMicro files, such as C:\TrendMicro, and copy the downloaded files there (unzipped if necessary).
  • AdAware, CWShredder, and Spybot S&D have install routines – run them.
  • The other downloaded programs can be copied into, and run from, any convenient folder.

>>Top

Scan for Malware.

  • Close all Internet Explorer and Outlook windows.
  • Run Stinger. Have it remove all problems found.
  • Run CWShredder. Have it fix all problems found.
  • Empty your temporary files folders:
    • “C:\WINDOWS\Temp”
    • “C:\Documents and Settings\(Username)\Local Settings\Temporary Internet Files”.
  • Disable System Restore.
  • Boot your computer into Safe Mode.
  • Run C:\TrendMicro\Sysclean.com. Delete any infections found.
  • Reboot your computer, and re enable System Restore.
  • Run AdAware. First update it, configure for full scan, then scan. When scanning finishes, remove all Critical Objects found.
  • Run Spybot S&D. First update it, then run a scan. Trust Spybot, and delete everything (“Fix Problems”) that is displayed in Red.
  • Then, run HijackThis (“Scan”). Do NOT make any changes immediately. Save the HJT Log.
  • Run A2 HijackFree, using Windows Explorer. Simply find the folder where you copied “HijackFree.exe”, and double click on it. It will run, with no settings or selections needed. Save a log file. Next, hit the Analyze.. button, and it will open a browser window, and analyse its findings against the current Sysinfo malware database.
  • Run Silent Runners, using Windows Explorer. Simply find the folder where you copied “Silent Runners.vbs”, and double click on it. It will run, with no settings or selections needed, and create a .txt file in that folder.
  • Interpret your HJT log.
  • Remove any malware found. Alternately, run whole computer heuristic analysis, starting with the HJT log, and including HijackFree.

If removal of any spyware affects network functionality, run the corrective software downloaded above. See Problems With The LSP / Winsock Layer In Your Network for specific advice.

>>Top

Improve Your Chances For the Future.

Now that you’ve experienced the frustration and uncertainty involved in dealing with malware, do you want to go thru this again? I hope not. So improve your future – layer your security!

Using The Path and Making Custom Program Libraries

May 23, 2005

If you write a simple script, or download a one component utility, where do you put your script or utility module? Generally, you can put it into any convenient folder on your system. It’s your system, after all.

Having copied your script to any convenient folder, Windows has to know to search that folder for your script, when you try to run it. If you run “ipconfig”, for instance, the command window first looks in the current folder, then in “C:\Windows\System32”, where it finds program “ipconfig.exe”. Windows knows to search that folder, because “C:\Windows\System32” is in the Path in Windows.

I don’t recommend putting any custom files in “C:\Windows\System32”, or in any of the other Windows folders, for several reasons. I setup a special folder, C:\Utility, where I put all of my scripts and simple utilities. Having setup and populated “C:\Utility” with several dozen useful programs, when I run one of these utilities from a command window, I like to simplify things a bit.

If I were to simply copy program “MyUtility.exe” into my utility programs folder “C:\Utility”, then open a command window, I would expect to run MyUtility as “C:\Utility\MyUtility”. Typing “C:\Utility\” gets pretty monotonous after a while. Fortunately, with Windows, you can tell the system to look into your custom program libraries, like “C:\Utility”, for any command that isn’t entered with a complete path.

The system Path variable contains a list of all system libraries, and you can add your libraries (folders) to the list.

Open the System wizard (either Control Panel – System, or My Computer – Properties), and select Advanced, then Environment Variables. In the System variables window, you’ll find an entry for Path. Double click on the Path entry, and you’ll get an “Edit System Variable” window, which contains the current value of Path. My current value, for instance, contains:

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Utility

There are 3 default system entries in there, each separated by a “;”.

  • %SystemRoot%\system32
  • %SystemRoot%
  • %SystemRoot%\System32\Wbem

With these three entries, any reference to any module without a specific path will cause the system to automatically search thru the listed folders in the path, in sequence, and load the first copy found of the named module. Remember %SystemRoot% is a system variable, which points to the folder where Windows is installed; in most cases, its value will be “C:\Windows”.

You want to add “C:\Utility” to the Path list. Just open the “Edit System Variable” window, hit the End key (please don’t overtype the Path value with just “C:\Utility”!), and type “;C:\Utility”. Then hit OK, and OK again.

The next command window that you open will use the new value of Path, and you can run your custom commands without having to type in the path of the custom library. Just be sure to add your custom libraries to the end of the list; you don’t want system functions searching thru your libraries, before trying the default ones, and slowing the system down. More importantly, a folder searched ahead of the Windows folders lets any file dropped into it run in place of the system command of the same name. So keep “C:\Utility” at the end, and make sure that only you and administrators can write to it.
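The search order above, worked through in code, as an added example that is not part of the original post: parse_path() splits a Path value the way the section describes, resolve_command() finds the file the command window would run (current folder first, then each Path folder, trying each PATHEXT extension), and audit_path() flags a custom library that sits ahead of the Windows folders. The folder listings, the planted second ipconfig.exe and the two Path values are constructed for the example; the code never reads the real disk or registry.

```python
def parse_path(path_value, system_root=r"C:\Windows"):
    """Split a Windows Path value into folders, in search order, with %SystemRoot% expanded."""
    entries = []
    for raw in path_value.split(";"):
        folder = raw.strip()
        if folder:
            entries.append(folder.replace("%SystemRoot%", system_root)
                                 .replace("%SYSTEMROOT%", system_root))
    return entries

def resolve_command(command, entries, listing, cwd=None,
                    pathext=(".COM", ".EXE", ".BAT", ".CMD")):
    """Full path the command window would run for `command`, or None.
    cmd.exe looks in the current folder before any Path entry, then in each Path folder in
    order, trying each PATHEXT extension in turn; the first hit wins.
    `listing` maps a folder to the file names it holds, so this runs without touching a disk."""
    files_in = {folder.lower(): {f.lower() for f in names} for folder, names in listing.items()}
    candidates = ([command.lower()] if "." in command
                  else [command.lower() + ext.lower() for ext in pathext])
    for folder in ([cwd] if cwd else []) + entries:
        present = files_in.get(folder.lower(), set())
        for candidate in candidates:
            if candidate in present:
                return folder + "\\" + candidate
    return None

def audit_path(entries, system_root=r"C:\Windows", writable_by_others=()):
    """Flag Path entries that let a planted file shadow a system command."""
    system_dirs = {d.lower() for d in (system_root + r"\system32", system_root,
                                       system_root + r"\System32\Wbem")}
    positions = [i for i, e in enumerate(entries) if e.lower() in system_dirs]
    last_system = max(positions) if positions else -1
    writable = {w.lower() for w in writable_by_others}   # constructed ACL knowledge
    findings = []
    for i, folder in enumerate(entries):
        if folder.lower() in system_dirs:
            continue
        if i < last_system:
            findings.append((folder, "searched before a Windows folder: a file here shadows the system command"))
        if folder.lower() in writable:
            findings.append((folder, "writable by other users: anyone can plant a command here"))
        if len(folder) < 2 or folder[1] != ":":
            findings.append((folder, "relative entry: resolves against whatever the current folder is"))
    return findings

# Constructed folder listings; a second ipconfig.exe has been dropped into C:\Utility.
LISTING = {
    r"C:\Windows\system32": {"ipconfig.exe", "ping.exe", "cmd.exe"},
    r"C:\Utility": {"myutility.exe", "ipconfig.exe"},
    r"C:\Downloads": {"ping.exe"},
}
SAFE_PATH = r"%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Utility"
RISKY_PATH = r"C:\Utility;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem"

if __name__ == "__main__":
    for label, value in (("safe", SAFE_PATH), ("risky", RISKY_PATH)):
        entries = parse_path(value)
        print(label, "ipconfig ->", resolve_command("ipconfig", entries, LISTING))
        for folder, reason in audit_path(entries):
            print("  ", folder, ":", reason)
    print("from C:\\Downloads, ping ->",
          resolve_command("ping", parse_path(SAFE_PATH), LISTING, cwd=r"C:\Downloads"))
```

With the safe Path, “ipconfig” still resolves to the System32 copy even though C:\Utility holds a file of the same name; with C:\Utility moved to the front, the planted copy wins. The cwd case shows why the current folder matters too: a ping.exe sitting in a download folder runs before anything on the Path when you type “ping” from that folder.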

NOTE: If all of this is too much trouble for you, you’re welcome to run each utility by specifying the complete path, as “c:\utility\myutility” for instance. I simply find it easier to run as “myutility”. It’s your dime.

For more information, see Microsoft Product Documentation: Path.