Mail 217 August 5 - 11, 2002

IF YOU SEND MAIL it may be published; if you want it private SAY SO AT THE TOP of the mail. I try to respect confidences, but there is only me, and this is Chaos Manor. If you want a mail address other than the one from which you sent the mail to appear, PUT THAT AT THE END OF THE LETTER as a signature. In general, put the name you want at the end of the letter: if you put no address there none will be posted, but I do want some kind of name, or explicitly to say (name withheld).

Note that if you don't put a name in the bottom of the letter I have to get one from the header. This takes time I don't have, and may end up with a name and address you didn't want on the letter. Do us both a favor: sign your letters to me with the name and address (or no address) as you want them posted.

I try to answer mail, but mostly I can't get to all of it. I read it all, although not always the instant it comes in. I do have books to write too...  I am reminded of H. P. Lovecraft who slowly starved to death while answering fan mail. 



Monday  August 5, 2002

I got a Klez attempt today from myself: that is, it faked my name. I sent a warning to subscribers. Here's one reply:

Dr. Pournelle -

"Worm Klez.E immunity"

An email discussion group I am involved with, which has about 1800 members worldwide, is getting hit with messages from what appears to be a Klez-infected member of the group. The group is now filtering out the messages to avoid passing them through the group reflector. What is worse, anyone who has posted to this group has their email address in the infected computer and is now getting two or more emails a day apparently from other members of the group but actually from this infected user. In one case I got one "from myself" like you just did. Our problem is tracing the infected machine. All the emails appear to originate from a single IP address and most are relayed through one or another of two email servers in Singapore, although at least one came from this IP address through a Verizon email server.

The IP address is owned by Optimum Online on Long Island, NY, a cable modem provider that uses fixed IP addresses for their cable modem boxes. Therefore it would seem they could easily trace the user if they would be bothered to do so. However, they will not reply to emails about this.

Do any of your readers have any suggestions as to how to find this individual so we can get him to clean his machine? This flood of infected email is getting annoying.


Ray Rayburn Ray(at)

I don't know. This sort of thing is getting to be a real problem.

Dear Dr. Pournelle,

Pointing out the inanity of our overseers ist verboten!

Apparently, we are to not only submit, but submit *quietly*.


Gordon Runkle

-- "Far and away the best prize that life has to offer is the chance to work hard at work worth doing." -- Theodore Roosevelt

Of course. Ordnung! Your papers, please. Tyranny at airports will become tyranny elsewhere. Tyrants act in their own interests, not yours. The only cure for this madness is political.

You will be pleased to know that the depression piece yesterday was as I suspected satire:

It's satire from "The Brains Trust," which is a British "The Onion." 

--Mike J.

which is a relief.

And about computers we have this from Ed Hume:


Greg Goss's problem with the "unable to mount boot partition" is one I also had after I installed XP over ME. It didn't happen right away, but it caused a BSOD some time after I converted my HD from FAT32 to NTFS. Following one of Pournelle's laws (you need more than one computer connected to the Internet in order to keep any one computer going), I was able to look up the error message in MS's KnowledgeBase (article Q297185) and discovered that I had a corrupted system file.

After going through some effort to make the series of six floppies necessary to boot up XP, I was able to get into Recovery Console and fix the problem. So, he may not have had a bad HD after all.

The key interventions are: first, make a set of boot-up floppies. Look in the MS Knowledge Base article Obtaining Windows XP Setup Boot Disks (Q310994). The software for making the floppy sets is here (Win XP Pro) and here (Win XP Home). Download and run the software.

Second, set up your XP machine to boot to a menu page that gives you a choice of running Recovery Console or Windows. It stays up for a few seconds, then proceeds to Windows if you don't intervene. (According to KB article Q314058, "Add the Windows Recovery Console to the Windows Startup folder by using the Winnt32.exe utility with the /cmdcons option. This procedure requires approximately 7 megabytes (MB) of hard disk space on the system partition to hold the Cmdcons folder and files.")

Murphy's Law says I will never have a comparable problem again, because now I am ready. If people who use XP take the above precautions they will be ready, too.


PS-the things we must do to make our Windows machines (we have 3) run smoothly and protect against danger require a level of sophistication not needed in the Mac world. We have run Macs since 1987, and I have not needed to develop any abilities to troubleshoot a Mac.

And see below.

And Tim Loeb has a long and interesting story on increasing hard drive throughput:

August 5

Dear Jerry:

A little over a year ago when I got my current desktop system I wondered at how quiet the hard disk - a 60 gigabyte IBM Deskstar - was; it turns out I should have been questioning how that silence was achieved.

IBM and Maxtor, perhaps others, have made their newer high-performance drives quiet through a feature IBM calls "Acoustic Management." To reduce the "clickety clack" sound we're all so familiar with, IBM simply slows down the speed with which the drive's read/write heads move or reposition themselves as they read from or write to the disk - at the same time reducing the potential performance of the drive by as much as ten percent or more.

The good news is that both companies have made available software to let the user adjust or even disable the acoustic management - from IBM it's part of their hard disk Feature Tools suite available for free on their Web site. The program creates a diskette which loads - get this - IBM PC DOS 2000 (I didn't even know there was such a thing!) at boot and then offers a variety of hard disk tweaking and diagnostic programs, one of which allows user access to the acoustic management settings. It's a very easy-to-use slider that goes from zero (disable) to full "management;" you simply set the slider, close the program, remove the floppy and reboot. Bring on da noise, bring in da funk!

My disk is an IBM 60GXP made in June 2001, and performance went from 18,593 KB/s as reported by SiSoft Sandra to 21,263 KB/s once I disabled the acoustic management entirely, an increase of 14.36% in throughput. Equally significant, my average seek time, again as reported by Sandra, has dropped from a rather miserable 14 milliseconds to 9! Other measures have changed as well, but I didn't record them.

The full clickety clack of drives from days gone by is back, but the improvement in speed is not just noticeable but remarkable - program access, game loads and saves, even page loads from the Net, some of which are cached on the drive, are significantly faster. And I kind of missed the clack, anyway! I do wonder about drive longevity with the new settings, however.

My brother has a Maxtor drive and has found that it also has acoustic management enabled by default, but their access program only runs under Windows 98 and ME, not NT, 2000, or XP. He's looking into other ways of getting at the settings and is due to report back Real Soon Now. I hope to use the IBM program to fine-tune my settings when I have time - it would be great to quiet the drive a bit without taking too big a performance hit. It's a neat technology but not one many users even know is there - I certainly just assumed the silence of the new drives came from better design, not de-tuning the disk's performance.

Got to run now, I'll get back with the CD burning tip ASAP.

All the best--

Tim Loeb






Tuesday,  August 6, 2002

The latest X prize:

Dear Dr. Pournelle,

DARPA is sponsoring an autonomous robot race from LA to Las Vegas. The race is anticipated to take place in 2004.

The official website is: 

There is also a UPI writeup:

Putting up prize money sounds like a good idea, too.


Gordon Runkle

-- "Far and away the best prize that life has to offer is the chance to work hard at work worth doing." -- Theodore Roosevelt

An intriguing idea... 

And we've seen this before, but:

This is the BBC

Dear Dr. Pournelle,

Perhaps our overlords' strategy is to prevent our lampooning them by exceeding anything we could possibly dream up.

The Barney Fife Brigade at LAX have disarmed none other than G.I. Joe, relieving him of his 2" plastic rifle:

A spokesman for Los Angeles International Airport said: "We have instructions to confiscate anything that looks like a weapon or a replica.

"If GI Joe was carrying a replica then it had to be taken from him." 


Gordon Runkle

-- "Far and away the best prize that life has to offer is the chance to work hard at work worth doing." -- Theodore Roosevelt

This is the BBC was the way The Goon Show began in the old days. Now it's done in airlines.

The article regarding the elderly man at the airport was timely to me. Saturday, after having been wanded and searched three times in one day, I decided that I will never vote for an incumbent again--no matter who the challenger is--as long as this insanity continues. If I must vote for Al Gore, Ralph Nader, or Genghis Khan, then so be it. I am now a single issue voter and have notified all my representatives of that.

One incident that brought great sadness to me was that, while putting on my shoes and belt, I remarked to a 30-something lady that this was an outrage--at least a million Americans have given their lives for our freedom and we are giving up those rights for one act. She agreed that it was an outrage, but that it was much better than "the alternative." Don't schools teach the fallacy of the false dichotomy any more? I shall let that stand as an example of the quality of thought in America today.




Dear Mr. Pournelle, Here is a good one: /The Hill/ is reporting (  ) that lobbyists are getting tired of standing in line and going through security with ordinary citizens visiting the Capitol, so they want special passes created to allow them to bypass security (this report is via Glenn Reynolds at Instapundit:  ).

Now, I know that my ability to purchase "access" and laws from federal congresspersons is almost non-existent compared to, say, the RIAA, but it does grate just a bit to think of $500k/year Washington lobbyists sailing by 8th graders waiting to go through security for their once-in-a-lifetime tour of the Capitol.


Empires always have an aristocratic class.

Dear Dr Pournelle,

I read with interest the claim by World that large numbers of troops would be needed to defend Iraq from Iran after removing Mr Hussein ("75,000 U. S. forces needed to protect a defeated Iraq from Iran").

But the US has had to face policing situations under threat by third parties before. Apparently various WWII Field Manuals covered the subject. Can I commend to your attention the 1949 speech to a staff college by Colonel Alfred C. Bowman - one of the US commanders trying to sort out the mess between Italians and Yugoslav partisans in Trieste, especially disarming the Yugoslav police. You can find it at .

Bowman observed that /"It was only after ... basic economic problems were on the way to solution, that we turned our attention to the form of local government. Those of you who have read FM 27-10 and probably even 27-5 (as I think you should) will know that one of the elementary rules of land warfare is that *an occupying power must, as far as possible, maintain local institutions as it finds them*... In the end we adopted the Italian scheme, stripped of Mussolini's Fascist trimmings, and with a new nomenclature"/. The idea that Iran might take military advantage of a weakened Iraq is a worry but the usual method for dealing with it doesn't involve large numbers of troops. After a police action you content yourself with a nominal occupying battalion including around one platoon of real combat troops, with the rest having police functions, and you keep on defeated local troops, standing ready to arm and support them.

The Brits, being in possession of an empire, could also keep quite serious numbers of troops in depots a few days sail away, in places like Madras, or within a few hours by rail, and RAF airfields were sprinkled about. The point the empire was making to potential opportunists was simply this: whatever you start, we will finish. After the Gulf War, Bosnia, and Afghanistan, I don't think anyone - even the mullahs - seriously doubts that the US and the Brits between them can do the same. ___________ PS: The last time this policy was seen in action was in the Falklands war. A baker's dozen Royal Marines were the only combat troops on station when the Argentines invaded. After a brisk firefight they surrendered; they had done their job. The consequences were fairly apocalyptic for the Argentine generals who started it, and others took note. In particular the Guatemalans, who'd had larcenous designs on Belize, were quite suddenly very cooperative.

The same attitude was useful in the Second World War also, and this time Americans - in the form of the Fifth Army - were participants and observers, including Col. Bowman. At the start of May 1945, Tito's partisans announced they had taken Trieste. This was news to the NZ troops of the Eighth Army, fighting alongside the Fifth, for they had discovered Trieste was still defended by Axis troops unwilling to surrender to the Partisans that surrounded them but willing to surrender to Freyberg - cf. 'When negotiations were later proceeding for the surrender of the Germans, one of them said to a New Zealander, 'If the partisans take us, we shall lose our lives; if the New Zealanders, we shall lose our watches.' (To understand that last remark it helps to remember that one nickname of General Freyberg and his NZ divisions was "Ali Baba and his 40,000 thieves").

Unfortunately the partisans objected in the strongest possible terms to the German prisoners being marched out of their reach and went as far as killing one of the Kiwis to make their point. The Kiwis withdrew under fire, taking a couple of tanks full of Germans with them, but ultimately most of the Germans were turned over to the Partisans. Tito in fact treated ordinary German soldiers quite well, it was their homegrown traitors who really had something to worry about.

These incidents rankled with Freyberg, who was quite glad to be given orders to occupy Trieste. At one point a guard detachment of Kiwis was told to leave by partisan irregulars with tanks (which they didn't really know how to operate, but still). The Kiwis brought up their own tanks and effectively dared the partisans to do something about it. This was something Tito didn't quite have the stomach for, because (a) several British and US Army Corps were looking on with great interest a few kilometres away and (b) the Pakehas and Maoris manning the guardposts were real mean looking bastards with corresponding reputations.

Regards, TC

-- Terry Cole BA/BSc/BE/BA(hons), System Administrator, Dept. of Maths. & Stats., Otago Uni., PO Box 56, Dunedin, NZ.

Properly run empires get client states to take care of most of the details...

And back to computers,


Ed Hume's note described use of Windows XP's recovery console to repair a machine that would not boot.

You can avoid the effort of making the six-floppy start up disk set by booting instead from the XP distribution CD, if your machine supports that capability.

The recovery console options remain as Mr. Hume indicated.

Regards Ron Morse






Wednesday, August 7, 2002

Dear Dr. Pournelle,

More news on the Saudi front: 

I wonder if this signals real debate within the administration, or just a not-so-subtle hint to the House of Saud.

Given that they were big supporters of al-Qaeda, I'd say they are viable targets, as are Syria, Iran, and Iraq. The question is, what do we do after we topple the leaders/terrorists? I would hope we don't make the Versailles mistake again and have to do it all over again ten or twenty years hence. A Marshall Plan for the Middle East? Who would run it? Not the same jokers who are doing their level best to regulate and strangle our economy, I hope! And the schools? Will the same crew that has been running our schools into the ground show them how it's done? And, not to start a flame war, but is Islamism (including but not limited to Wahhabism) at all compatible with a Western-style republic and all that implies? Or would they have one election only which would install Ayatollahs and such?

The aftermath looks pretty messy no matter how I look at it; yet the terrorists and their accomplices must be hunted down and killed both in payment for their attack and as an object lesson to others.

We live in interesting times.


Gordon Runkle

-- "Far and away the best prize that life has to offer is the chance to work hard at work worth doing." -- Theodore Roosevelt

I make no doubt we will end up at war over there. I grow less enthusiastic about it as time passes. I would rather spend money on developing energy independence.


I found this while going through slashdot from the last few days. Good news for the anti-spam crowd (as long as they don't catch the guy who cracked her computer). 


-- Brian C. Lane (W7BCL), Programmer: RF, DSP & Microcontroller Design

It sure couldn't happen to a nicer person...

Hi Jerry, 

I came across this page in a posting from Slashdot. (yes, dig deep enough in the morass of crap, and there are a few gems). To quote from the page:

" This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin's comments, it is about time the white hat community saw what is actually possible. "

The short of it is that the security design deficiencies in Windows are so great that you could never use Windows in a "trusted" environment. The moment that someone discovers a new way to get any kind of privileges at all in Windows, they can use this "shatter" technique to immediately and easily escalate their privileges to Local System (administrator+).

oh, and in "locked down" environments such as what you find in financial institutions where you are trying to prevent the users from abusing the system? forget it, you have no defence. none. zip. nada.

It's a beautiful hack.

- Paul

It is indeed a beautiful hack. Much more in the column. Don't Panic.


I had an idea for another crossover linux product.

If the Windows emulator is WINE (WINE Is Not an Emulator) what would you call an emulator for BE-OS?


Bill Kilner



From: Stephen M. St. Onge

subject: WEIRD!

Dear Jerry:

I swear I am not making this up, and it isn't a satire site.

"Dogs Being Trained To Smell Cancer
Animals Can Smell Scents Given Off By Tumor Cells
Updated: 10:27 a.m. EDT August 7, 2002


Shing Ling, 2, is more than just a furry companion for researcher Michael McCulloch.

He and other researchers are developing a pilot program to train dogs to identify who has cancer. <snip>

After a year and a half of perfecting the training methods, he said Shing Ling is right 87 percent of the time. But many doctors won't believe it until real evidence comes in.

McCulloch isn't the only researcher with these ideas. Scientists in Florida and England are also seeing if the dogs' noses know ...

Best, Stephen

Well I certainly couldn't have made that up!!!








Thursday, August 8, 2002

Subject: Empire watch

"Woman forced to drink own breast milk at airport checkpoint."

The above is a joke/hoax/satiric comment, right?


-- Marc A. Vezina, Dream Pod 9

Alas it is not.

FAA & motherhood. 

-- Roland Dobbins

Our crackerjack Federal agents at work

But we were born free.

On another subject:

More encouragement for Mr. Bear.

-- Roland Dobbins


Jerry, I thought you and Larry Niven might find this interesting, if alarming. Not that any of this is surprising in the largest remaining despotism:


LIFE IMITATING SCIENCE FICTION: Over 30 years ago, science fiction writer Larry Niven hypothesized a world where the possibility of harvesting executed criminals' organs for transplantation leads to a steady broadening of the death penalty, as law-abiding voters see their lives depending on the maintenance and expansion of executions (see his The Jigsaw Man).

I think it's unlikely that this will happen in a liberal democracy such as ours; but something like this might be happening in China, though it's impossible to tell because the details of the program are kept deeply shrouded by the Chinese government.

According to a Human Rights Watch/Asia report, the harvesting of executed convicts' organs has been an important part of the execution process for some decades, even to the point of some "executions [being] deliberately mishandled to ensure that the prisoners are not yet dead when their organs are removed." During the same era, the Chinese government implemented various crack-downs on crime, and "the list of crimes punishable by execution in China was expanded to include . . . corruption, embezzlement, and drug trafficking." The organ transplant program also apparently disproportionately helps the very class-government officials-that has the power to make decisions about executions: "[G]overnment cadres . . . are reportedly given preferential status for organ procurement"; "[i]nstructions from the [Party] leadership say that medical departments should naturally expend every possible effort to meet the needs of loyal servants of the revolution, and so organs from condemned prisoners are first of all reserved for their use." ("[H]igh-paying foreign or overseas Chinese patients," who presumably pay the money to government bodies, also get preferential treatment, in circumstances that "suggest that execution dates are scheduled to conform with patient transplantation needs.")

The report does not specifically allege that the decisions about which crimes should be made capital or kept capital are influenced by the interest of the government in maintaining a large supply of transplantable organs; but the picture it paints suggests that this might well be so. Old news to some, perhaps, but I hadn't heard of it until I started doing research for my slippery slopes piece late last year.

What makes you think it won't happen here?

From AP:

"JERUSALEM — A thriving Bronze Age drug trade supplied narcotics to ancient cultures throughout the eastern Mediterranean as balm for the pain of childbirth and disease, proving a sophisticated knowledge of medicines dating back thousands of years, researchers say. "

Jim Whitlock

Fascinating. Thanks.

On another topic:

Guilt by association? 

-- Roland Dobbins

Having read this, my view is that it's the kind of thing best left to the states (which it has been). I would not myself hold the chap criminally negligent, but I do think he has civil liabilities. His defense seems to be "But I meant well." There's a lot of that going around. And I can see how the common law might well hold him criminally liable as well, even if I would argue against that.

From: Stephen M. St. Onge

subject: Rated Adults Only (based on religious butchery content)

Dear Jerry:

On the subject of Islam, see: 

and the associated links.

"I’d have no interest in this website whatsoever were it not for three things:

"1. When there’s a subculture out there ranking the best jihadi decapitation video, you’d best pay attention.

"2. When a message board devoted to guidance for Islamic youth doesn’t delete the posts about stabbing Jews, you’d best pay attention.

"3. This thread ( ). As far as I can tell, the debate seems to be whether it’s a brother’s job to kill his sexually active sister, or the religious authority’s job.

"What’s the British expression? Isa wept."

Best, Stephen


From: Stephen M. St. Onge

subject: How many troops to conquer Iraq?

Dear Jerry:

Terry Cole writes: "I read with interest the claim by World that large numbers of troops would be needed to defend Iraq from Iran after removing Mr Hussein ..." Well, I dug into that story, and it appears to originate with Colin Powell and the NO MORE VIETNAMS crowd. Having failed to persuade people not to have overseas involvements, they've decided to lie about the price.

Best, Stephen

Well, defend it against whom? The Turks can see that Iran doesn't invade Iraq. In fact, conquest of Iraq without the Turks would be expensive. And given all that money from oil, there are other alternatives. We have plenty of client states to defend Iraq. Empires don't leave Legions in far flung posts. They keep the Legions to impress the client states and let the client states do the fighting.

Our goal in the Near East ought to be to make it very clear to every ruling class over there: it is in YOUR interest to keep people from using any resource of your country to do harm to the people of the United States. If you allow your citizens to attack us or harbor strangers who use your land to attack us, then we will replace YOU. And if what comes after you is worse, we will replace them. If we run your country it will only be so that we can extract from your resources the money we had to spend doing you in. Be sure you understand this. Have a nice decade.










Friday, August 9, 2002

Open with an alert. I sent this by mail to the subscribers. It may be serious.

I just got this. Roland sent the message to me as well as to Thompson, but this is what I first saw and it has some additional stuff.

More on the web site when I get a chance but this looks well worth an alert.

Thanks to Roland Dobbins and Robert Bruce Thompson

-----Original Message-----
From: Robert Bruce Thompson []
Sent: Friday, August 09, 2002 9:09 AM
To: TTG Subscribers
Subject: Shockwave Flash security hole

Thanks to Roland Dobbins for alerting me to this vulnerability. It doesn't affect me personally, because I've removed Flash and other Macromedia applications from all of my systems, as much to avoid obnoxious Flash ads as from any security concerns.

If you're running Flash, it'd probably be a good idea to remove it entirely from your system as well. Alas, I cannot provide detailed directions, because the steps required to remove it depend on the version, your OS, and other factors. Also note that you may be running Flash without being aware of it, because some applications install it without asking. For example, when I installed Mozilla, I was shocked (so to speak) when I noticed that Mozilla had Shockwave support enabled, with no apparent way to disable it. As it turned out, Opera had installed a Flash DLL without asking or informing me, and Mozilla had noticed that DLL during installation and enabled it automatically.

-- Robert Bruce Thompson

-----Forwarded Message-----

From: Marc Maiffret <>
To:
Subject: [Full-Disclosure] EEYE: Macromedia Shockwave Flash Malformed Header Overflow
Date: 09 Aug 2002 02:12:12 -0700

Macromedia Shockwave Flash Malformed Header Overflow

Release Date: August 8, 2002

Severity: High (Remote Code Execution)

Systems Affected: Macromedia Shockwave Flash - All Versions; Unix and Windows; Netscape and Internet Explorer

Description: While working on some pre-release eEye Retina CHAM tools, an exploitable condition was discovered within the Shockwave Flash file format called SWF (pronounced "SWIF").

Since this is a browser based bug, it makes it trivial to bypass firewalls and attack the user at his desktop. Also, application browser bugs allow you to target users based on the websites they visit, the newsgroups they read, or the mailing lists they frequent. It is a "one button" push attack, and using anonymous remailers or proxies for these attacks is possible.

This vulnerability has been proven to work with all versions of Macromedia Flash on Windows and Unix, through IE and Netscape. It may be run wherever Shockwave files may be displayed or attached, including: websites, email, news postings, forums, Instant Messengers, and within applications utilizing web-browsing functionality.

Technical Description: The data header is roughly made out to:

[Flash signature][version (1)][File Length(A number of bytes too short)][frame size (malformed)][Frame Rate (malformed)][Frame Count (malformed)][Data]

By creating a malformed header we can supply more frame data than the decoder is expecting. By supplying enough data we can overwrite a function pointer address and redirect the flow of control to a specified location as soon as this address is used. At the moment the overwritten address takes control flow, an address pointing to a portion of our data is 8 bytes back from the stack pointer. By using a relative jump we redirect flow into a "call dword ptr [esp+N]", where N is the number of bytes from the stack pointer. These "jump points" can be located in multiple loaded dll's. By creating a simple tool using the debugging API and ReadMemory, you can examine a process's virtual address space for useful data to help you with your exploitation.

This is not to say other potentially vulnerable situations have not been found in Macromedia's Flash. We discovered about seventeen others before we ended our testing. We are working with Macromedia on these issues.

Protection: Retina(R) Network Security Scanner already scans for this latest version of Flash on users' systems. Ensure all users within your control upgrade their systems.

Vendor Status: Macromedia has released a patch for this vulnerability, available at:

Discovery: Drew Copley Exploitation: Riley Hassell

Greetings: Hacktivismo!, Centra Spike

Copyright (c) 1998-2002 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail for permission.

Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback Please send suggestions, updates, and comments to:

eEye Digital Security 

Act Accordingly. I am told that Macromedia has posted a fix. Go look.
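The header the advisory sketches can be checked before any frame data is handed to a decoder. What follows is an added example written for this page, not eEye's tool and not Macromedia's code: it parses the SWF signature, version, file length, RECT frame size, frame rate and frame count, and refuses a file whose declared length disagrees with the bytes actually present, which is the malformed field the advisory describes first. The sample SWF bytes are constructed by hand (a 100 by 80 twip, one-frame file with an End tag); the field layout follows the published SWF file format, and the "CWS" branch decompresses the zlib body that real compressed files carry.

```python
"""SWF header validator: parses the fields the advisory lists and rejects the
"file length too short" / malformed-frame-size cases before any frame data is
decoded.  Example code written for this page, not eEye's or Macromedia's;
the sample SWF bytes below are constructed by hand."""
import struct
import zlib


class SwfError(ValueError):
    """Raised when the header is inconsistent with the bytes actually present."""


def _read_bits(buf, bitpos, n):
    """Read n bits MSB-first from buf at bit offset bitpos; return (value, new bitpos)."""
    v = 0
    for _ in range(n):
        v = (v << 1) | ((buf[bitpos >> 3] >> (7 - (bitpos & 7))) & 1)
        bitpos += 1
    return v, bitpos


def _signed(v, nbits):
    """Interpret an nbits-wide field as two's complement (the SWF SB[n] type)."""
    return v - (1 << nbits) if nbits and v >> (nbits - 1) else v


def parse_swf_header(data: bytes) -> dict:
    if len(data) < 8:
        raise SwfError("truncated: need signature, version and file length")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":                  # everything after byte 8 is zlib-compressed
        try:
            body = zlib.decompress(data[8:])
        except zlib.error as e:
            raise SwfError(f"bad zlib body: {e}")
    else:
        raise SwfError(f"bad signature {sig!r}")
    # The length field must describe the (uncompressed) file exactly; a value
    # shorter than the data present is the advisory's first malformed field.
    if declared_len != 8 + len(body):
        raise SwfError(f"declared length {declared_len} != actual {8 + len(body)}")
    # RECT frame size: 5-bit Nbits, then xmin/xmax/ymin/ymax as SB[Nbits], byte-padded.
    if len(body) < 1:
        raise SwfError("truncated: missing frame size")
    nbits, pos = _read_bits(body, 0, 5)
    rect_bytes = (5 + 4 * nbits + 7) // 8
    if len(body) < rect_bytes + 4:
        raise SwfError("truncated: frame size / frame rate / frame count")
    fields = []
    for _ in range(4):
        v, pos = _read_bits(body, pos, nbits)
        fields.append(_signed(v, nbits))
    xmin, xmax, ymin, ymax = fields
    if xmax < xmin or ymax < ymin:
        raise SwfError(f"malformed frame size {fields}")
    rate_raw, frame_count = struct.unpack_from("<HH", body, rect_bytes)
    return {
        "signature": sig.decode(),
        "version": version,
        "declared_len": declared_len,
        "frame_twips": (xmin, xmax, ymin, ymax),
        "frame_rate": rate_raw / 256.0,      # 8.8 fixed point
        "frame_count": frame_count,
        "header_len": 8 + rect_bytes + 4,    # bytes consumed in the uncompressed stream
    }


def validate_swf(data: bytes):
    """Return (True, header) or (False, reason) so a caller can refuse to decode."""
    try:
        return True, parse_swf_header(data)
    except SwfError as e:
        return False, str(e)


def make_cws(fws: bytes) -> bytes:
    """Re-encode an uncompressed ("FWS") file as a compressed ("CWS") one."""
    return b"CWS" + fws[3:8] + zlib.compress(fws[8:])


# Constructed 19-byte SWF: version 6, 100x80 twip frame, 12 fps, 1 frame, End tag.
GOOD_SWF = (b"FWS" + bytes([6]) + struct.pack("<I", 19)
            + bytes([0x40, 0x03, 0x20, 0x02, 0x80])   # RECT: Nbits=8, (0,100,0,80)
            + struct.pack("<HH", 0x0C00, 1)            # 12.0 fps (8.8 fixed), 1 frame
            + b"\x00\x00")                             # End tag
# Same bytes, but the length field claims fewer bytes than are present.
SHORT_LEN_SWF = GOOD_SWF[:4] + struct.pack("<I", 10) + GOOD_SWF[8:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SWF), ("cws", make_cws(GOOD_SWF)),
                       ("short length", SHORT_LEN_SWF), ("truncated", GOOD_SWF[:10])):
        print(f"{name:13} {validate_swf(blob)}")
```

The length check is deliberately an equality, not a "long enough" test: a decoder that sizes its buffers from the header and then keeps reading is exactly the situation the advisory exploits, so any disagreement between header and data is grounds to stop before the frames are touched.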


I have found a directory on my computer called "tagged " that seems to have been placed there by hackers. I can't for the life of me figure out how to delete it since it seems to have some illegal filenames. The directory itself has three blank spaces in the name, not sure what the names of the files inside it are since it won't list them.

I'm running Windows 2000.

I saw some Microsoft notes on this issue (Knowledge Base article Q120716).

But I can't figure out what to do since the DOS command they suggest doesn't work and the POSIX commands (rm.exe) I don't seem to have and can't figure out where to get.

Any suggestions?

Jim Pickrell, Santa Monica

Norton Commander. Boot in Safe Mode, use Commander (or another "point and shoot" file manager but Commander's system is built into my fingertips to the cellular level so I use it). Point and shoot file managers take care of this stuff nicely.

A parable. 

---- Roland Dobbins

Indeed. Instructive. Algorithms forever.

Interesting news about ATI:

Very interesting news: 

-Dan Spisak

I will have more about the new ATI boards in the column. It's amazing what they can do.

“The Senator from Disney” isn’t sinister enough. People like Disney. What you need is a symbol that doesn’t really make people feel warm and fuzzy, a company that has its fingers in both hardware and content.

Call Hollings “The Senator from Sony.”


Actually I like Sony. Senator from RIAA?


Thought you'd be interested in this:

"Ready to tackle Armageddon"

A space mission to knock a potential rogue asteroid off its orbit is being examined by European scientists.


Walter Giesbrecht /

Maybe someone takes the threat seriously.






Saturday, August 10, 2002

Thanks to Ed Hume for this one:

From:

August 7, 2002; A Canadian sniper in Afghanistan has been confirmed as hitting an enemy soldier at a range of 2,310 meters, the longest recorded and confirmed sniper shot in history. The previous record of 2,250 meters was set by US Marine sniper Carlos Hathcock in Vietnam in 1967. The Canadian sniper was at an altitude of 8,500 feet and the target, across a valley, was at 9,000 feet. Canadian sniper units often operated in support of US infantry units, which were grateful for their help. The record lasted only one day, until a second Canadian sniper hit an enemy soldier at 2,400 meters. The Canadian snipers were firing special .50-caliber McMillan tactical rifles, which are bolt-action weapons with five-round magazines. The Canadian snipers were the only Canadian troops operating without helmets or flak jackets as they had too much other equipment to carry. Each three-man team had one sniper rifle, three standard rifles (Canadian C7s), one of them with a 203mm grenade launcher.--Stephen V Cole


And from Sue Ferrara

Subject: Headline - Not so fast Einstein, light's got the brakes on

Not so fast Einstein, light's got the brakes on (August 8, 2002)


The notion that the speed of light is a slowly changing "constant" has been with us a long time. I am not really competent to evaluate the evidence. Another reader put it:

What if the speed of light isn't a constant? 

and wonders if that has consequences for interstellar travel. Probably not in our lifetimes.

On another subject,


Since the events of 9/11 I've been trying to understand the motivation or purpose of people who would condemn themselves and others to death. Lee Harris has written for Policy Review that seems to shed a different understanding on what's happening in the Islamic world and how our response has missed the mark. It also has broader implications in our understanding of how Hitler, Mussolini, Lenin or Stalin managed to build and maintain the regimes they did.

Hope you enjoy your birthday.

Sincerely, Dennis C. O'Neil

Thank you. It is a bit long before he gets to his point, and the way he leads into the subject makes you think he will reach a different conclusion (although Policy Review publication makes that unlikely); but it's worth the time to read it, and of course he's correct. Those with religious visions, even if they have shed most of the religious aspects, are not usually deterred by rational argument. The Crusaders weren't, and neither were those who set forth to complete the Crescent under Suleiman the Magnificent. And see commentary.

And Eric sends this: 

A hilarious attempt to protest American Imperialism online.

from a self-proclaimed Cambridge philosopher manqué, an interesting concept all by itself. I note that he has no problem believing in a persona called "The United States" however much quarrel he has with cyberspace as a place.


And thanks to Roland for another Internet Explorer vulnerability, this one quite serious:

Internet Explorer SSL Vulnerability 08/05/02 Mike Benham



Internet Explorer's implementation of SSL contains a vulnerability that allows for an active, undetected, man in the middle attack. No dialogs are shown, no warnings are given.



In the normal case, the administrator of a web site might wish to provide secure communication via SSL. To do so, the administrator generates a certificate and has it signed by a Certificate Authority. The generated certificate should list the URL of the secure web site in the Common Name field of the Distinguished Name section.

The CA verifies that the administrator legitimately owns the URL in the CN field, signs the certificate, and gives it back. Assuming the administrator is trying to secure, we now have the following certificate structure:

[CERT - Issuer: VeriSign / Subject: VeriSign] -> [CERT - Issuer: VeriSign / Subject:]

When a web browser receives this, it should verify that the CN field matches the domain it just connected to, and that it's signed using a known CA certificate. No man in the middle attack is possible because it should not be possible to substitute a certificate with a valid CN and a valid signature.

However, there is a slightly more complicated scenario. Sometimes it is convenient to delegate signing authority to more localized authorities. In this case, the administrator of would get a chain of certificates from the localized authority:

[Issuer: VeriSign / Subject: VeriSign] -> [Issuer: VeriSign / Subject: Intermediate CA] -> [Issuer: Intermediate CA / Subject:]

When a web browser receives this, it should verify that the CN field of the leaf certificate matches the domain it just connected to, that it's signed by the intermediate CA, and that the intermediate CA is signed by a known CA certificate. Finally, the web browser should also check that all intermediate certificates have valid CA Basic Constraints.

You guessed it, Internet Explorer does not check the Basic Constraints.

===========================
== Exploit

So what does this mean? This means that as far as IE is concerned, anyone with a valid CA-signed certificate for ANY domain can generate a valid CA-signed certificate for ANY OTHER domain.

As the unscrupulous administrator of, I can generate a valid certificate and request a signature from VeriSign:

[CERT - Issuer: VeriSign / Subject: VeriSign] -> [CERT - Issuer: VeriSign / Subject:]

Then I generate a certificate for any domain I want, and sign it using my run-of-the-mill joe-blow CA-signed certificate:

[CERT - Issuer: VeriSign / Subject: VeriSign] -> [CERT - Issuer: VeriSign / Subject:] -> [CERT - Issuer: / Subject:]

Since IE doesn't check the Basic Constraints on the certificate, it accepts this certificate chain as valid for

Anyone with any CA-signed certificate (and the corresponding private key) can spoof anyone else.



I would consider this to be incredibly severe. Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack. Since all you need is one constant CA-signed certificate (and the corresponding private key), an attacker can use that to generate spoofed certificates for other domains as connections are intercepted (on the fly). Since no warnings are given and no dialogs are shown, the attacker has effectively circumvented all security that an SSL certificate provides.

There is some level of accountability, though, since a user who randomly chooses to view the certificate of the web site she's visiting will see the attacker's certificate in the chain. However, by that point the damage has already been done. All "secure" data has already been transmitted.

======================
== Affected Browsers

Netscape 4.x and Mozilla are NOT vulnerable.

IE 5 and 5.5 are vulnerable straight-up, and IE 6 is mostly vulnerable.

When VeriSign issues certificates, usually they leave out the CA Basic Constraint information altogether. Thawte tends to explicitly put in a Basic Constraint CA = FALSE with the critical bit set to TRUE.

When the CA Basic Constraint on the middle certificate is explicitly set to false and marked as critical, IE 6 does not follow the chain. When it's not mentioned at all, IE 6 follows the chain and is vulnerable.

This just means that an attacker needs to use a VeriSign-issued certificate to exploit IE 6.

=========================
== Working Exploit

I've set up a URL to demonstrate this problem. If you want to test browsers not listed above or need proof of this vulnerability, contact me and I'll give you the information.

===========================
== Vendor Notification Status

Last week I saw Microsoft downplay and obfuscate the severity of the IE vulnerability that Adam Megacz reported. After seeing that, I don't feel like wasting time with the Microsoft PR department.

- Mike

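The check Benham says IE omits is small enough to show in code. What follows is an added example written for this page, not Benham's demonstration site and not Microsoft's, Netscape's or Mozilla's code: it builds the chains from the advisory with constructed names (www.bank.example as the victim, www.attacker.example as the attacker's legitimately issued server certificate) and validates them under three policies: a strict verifier that requires cA=TRUE on every intermediate, the IE 5/5.5 behaviour that never consults Basic Constraints, and the IE 6 behaviour that stops only at an explicit, critical cA=FALSE. Signatures are simulated with HMAC keyed by the issuer's secret so the example runs on the standard library alone; a real verifier checks an RSA or ECDSA signature with the issuer's public key, and the chain logic is the same either way.

```python
"""Certificate-chain check with and without the BasicConstraints test the
advisory describes.  Example code written for this page (not Mike Benham's,
Microsoft's or Mozilla's); domain names, key names and the HMAC "signatures"
are constructed stand-ins so that it runs with the standard library alone."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Stand-in for private keys.  A "signature" here is an HMAC over the
# to-be-signed fields keyed with the issuer's secret; a real verifier checks
# an RSA/ECDSA signature against the issuer's public key instead.
KEYS = {
    "verisign": b"root-ca-secret",
    "bank":     b"bank-server-secret",
    "attacker": b"attacker-server-secret",
    "forged":   b"attacker-throwaway-leaf-secret",
}


@dataclass
class Cert:
    subject: str                 # Common Name
    key_id: str                  # which KEYS entry this cert certifies
    ca: Optional[bool] = None    # BasicConstraints cA; None = extension absent
    critical: bool = False       # BasicConstraints flagged critical
    issuer: str = ""
    signature: bytes = b""

    def tbs(self) -> bytes:      # the fields the issuer's signature covers
        return f"{self.subject}|{self.key_id}|{self.ca}|{self.critical}|{self.issuer}".encode()


def sign(cert: Cert, issuer: Cert) -> Cert:
    cert.issuer = issuer.subject
    cert.signature = hmac.new(KEYS[issuer.key_id], cert.tbs(), hashlib.sha256).digest()
    return cert


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(KEYS[issuer.key_id], cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def may_issue(cert: Cert, policy: str) -> bool:
    """May `cert` sign the certificate below it in the chain?"""
    if policy == "strict":    # Netscape/Mozilla per the advisory: cA must be TRUE
        return cert.ca is True
    if policy == "ie5":       # IE 5 / 5.5: BasicConstraints never consulted
        return True
    if policy == "ie6":       # IE 6: only an explicit, critical cA=FALSE stops the chain
        return not (cert.ca is False and cert.critical)
    raise ValueError(f"unknown policy {policy!r}")


def validate_chain(chain, hostname, roots, policy):
    """chain = [leaf, intermediate, ...] as the server sent it; roots = trusted
    self-signed certs keyed by subject.  Returns (ok, reason)."""
    if chain[0].subject != hostname:
        return False, f"CN {chain[0].subject!r} does not match {hostname!r}"
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if not may_issue(issuer, policy):
                return False, (f"{issuer.subject!r} is not a CA "
                               f"(cA={issuer.ca}, critical={issuer.critical})")
        else:
            issuer = roots.get(cert.issuer)
            if issuer is None:
                return False, f"issuer {cert.issuer!r} is not a trusted root"
        if cert.issuer != issuer.subject or not signature_ok(cert, issuer):
            return False, f"bad signature on {cert.subject!r}"
    return True, "chain valid"


# The advisory's scenario, with constructed names.
ROOT = Cert("VeriSign", "verisign", ca=True, critical=True)
sign(ROOT, ROOT)                                    # self-signed trust anchor
ROOTS = {ROOT.subject: ROOT}
BANK = sign(Cert("www.bank.example", "bank"), ROOT)  # the victim's genuine cert
# The attacker's own, legitimately issued server certificates:
ATTACKER_VERISIGN_STYLE = sign(Cert("www.attacker.example", "attacker"), ROOT)
ATTACKER_THAWTE_STYLE = sign(Cert("www.attacker.example", "attacker",
                                  ca=False, critical=True), ROOT)


def forged_chain(attacker_cert: Cert):
    """Leaf for the victim's name, signed with the attacker's own server key."""
    leaf = sign(Cert("www.bank.example", "forged"), attacker_cert)
    return [leaf, attacker_cert]


if __name__ == "__main__":
    cases = (("legitimate", [BANK]),
             ("forged via VeriSign-style cert", forged_chain(ATTACKER_VERISIGN_STYLE)),
             ("forged via Thawte-style cert", forged_chain(ATTACKER_THAWTE_STYLE)))
    for policy in ("strict", "ie5", "ie6"):
        for label, chain in cases:
            print(f"{policy:6} {label:32} "
                  f"{validate_chain(chain, 'www.bank.example', ROOTS, policy)}")
```

Note what the forged chain does not need: no CA key is ever compromised, every signature in it verifies, and the Common Name matches. The only thing standing between the attacker and a clean padlock is the question "is the certificate that signed this leaf allowed to sign anything?", which is exactly the Basic Constraints test.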







Sunday, August 11, 2002

I have been working with the new Tablet PC and letting Windows XP drive me mad: I don't seem to understand how to use XP and Windows 2000 server together to create accounts on the XP machine that can log on to the net. I'll figure it out, but it seems to take some doing. Oh well, if it were all easy no one would pay me to do these silly things and then talk about them.

Mail Monday afternoon when I finish writing.





Entire Site Copyright, 1998, 1999, 2000, 2001, 2002 by Jerry E. Pournelle. All rights reserved.
