Jessica’s Contribution

My friend Jessica was kind enough to promote me with a dedicated post which contained an extremely flattering assessment of both my work and my person. http://therandomworldofjessica.blogspot.com/2011/04/today-friend-of-mine-gets-honor-of.html

So I felt it was only fitting that I do the same. Fortunately for her I actually have some rather high opinions of her person and her work. If I did not, I would be obligated to either say nothing, or as always be honest about a negative opinion.

I think the best way for me to approach this would be as I approach a debate as that’s the style of writing I am accustomed to, only instead of arguments, I’ll add commentary.

“Today, a friend of mine gets the honor of being Lafango’s ‘Stage of the day’.”

Eh, probably more like random prize, than honor. But yeah.

“Innomen has had his blog for quite some time now, and regularly writes about topics that, maybe, you or I might not be bold enough to put what we really think for the world to see.”

Courage is action in the presence of fear. I don’t fear speaking my mind on these topics, thus I am not courageous or bold. I just feel like I have to, and besides I know my blog isn’t very popular anyway so I feel very safe in speaking out. It’s kind of like being brave, in your own kitchen. 🙂

“I have been friends with innomen since my teenage years, and have got the pleasure of getting his big personality in full force (*cough* whether I liked it or not).”

So true. Sorry about that. I still do it too, I can’t help it. Poor Jimmy and Crystal dropped by the other day and I instantly launched into an hour long lecture about the problems with representative democracy. Bet it’s weeks or more before I see them again 😛

“…willing to listen to just about anything you have to say, just make sure you can handle his side of it.”

Also true. I don’t need or even want everyone to be like me. If everyone was like me we’d all be dead in a year. I lack MANY essential skills, but I like to think I have a few that others lack. This is true of most people and it is why as a group we are so good at surviving. Let’s just hope the forces that attack such diversity, in favor of encouraging a profitable and pliant homogeneity, fall victim to their own inflexibility before they doom the rest of us.

All I want is for people to have the data they need to make informed decisions, and for them to be as happy and healthy as they wish to be so long as the cost of that happiness and health doesn’t unduly deprive others of the same.

“Also, check out his blog, it has some really interesting stuff in it:”

If this is what happens when my friends get blogs, I wish they’d all get one, diversity or not hehe.

Her blog is nice as well. As she accurately puts it, she is using “her powers for good.” I know for a fact she is a good mother and a kind person. Her content is already well beyond the average for such a new voice, in an entirely new (to her) medium.

I expect great things from her in the future. Here is the root of her blog. http://therandomworldofjessica.blogspot.com

Anti Virus Community Creates False Positives For Fun and Profit

Update: Another example: http://www.sevenforums.com/music-pictures-video/39095-animated-gifs-windows-photo-viewer-5.html

I’ve always believed in fair use. And as such I often acquire the “warez” community versions of software I legally own because they often have abilities (such as portability) the “legitimate” versions lack. Considering I own the licenses to the relevant software I consider this to be squarely in the fair use category.

In doing this I have often encountered worms and other malware in keygens. But after a while you get a feel for what is obviously fake and used to spread bad code, and what looks like a false positive.

Well, I found a case in point. An instance of strong evidence that the commercial AV community is abusing our trust in order to police a Corporate agenda.

If one runs “Office 2010 Toolkit and EZ-Activator”, MSE instantly balks, crying “severe threat”, and I couldn’t help but add in my mind “… to our pocketbook.” Which of course is itself a fallacy. Piracy no more harms the software industry’s earnings than libraries and xerox machines destroy book sales. People who pirate do so because they are poor. Poor people aren’t buying software either way. People with money buy the software because it’s easier.

So anyway, I dug into the problem of false positives a little bit. I figured if it’s a “severe threat” then I can find a record of just exactly what it’s doing to my system and in this case I could prove or disprove my hypothesis.

And check out what I found. First of all, here is the report from MSE (Microsoft Security Essentials).

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\Windows\AutoKMS.exe

Get more information about this item online.

Yet when I scanned the same file with ClamWin (open-source AV) I got the following…

Scan Started Mon Apr 04 13:27:38 2011
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 938128
Engine version: 0.97
Scanned directories: 0
Scanned files: 1
Infected files: 0

Data scanned: 1.36 MB
Data read: 0.62 MB (ratio 2.20:1)
Time: 3.827 sec (0 m 3 s)

--------------------------------------
Completed
--------------------------------------

So, either commercial AV software lies, or ClamWin sucks.

Here is the forum thread in which the authors of the toolkit comment on this very issue.

http://forums.mydigitallife.info/threads/18746-Office-2010-Toolkit-and-EZ-Activator./page97

Here are a pair of relevant comments from the linked thread, but I suggest reading the whole thing.

Hey Sherlock Holmes, CODYQX4 and I wrote the code of AutoKMS.exe and it’s NOT a virus, it’s not even close to being a trojan. The Keygen.exe (which is a different file) opens a port because it’s a KMS Server emulator, yes, Office needs to connect to a port of the KMS Server to activate.

Hope it’s clear

Later on…

Here’s what the Keygen.exe does.

(Log window showing the file’s activity.)

As you can see, the “Create File” operation is made only with read attributes, which means that the Keygen.exe is reading/using the file. There are also the TCP operations made in the activation attempt using the toolkit “Activate” function.

Here’s an xlsx file if you want to view it in excel as a table:
Keygen.exe Activity Report

I used Process Monitor, added the filters:
- “Process name” -> “Keygen.exe”
- “Operation” -> “CreateFile”, “TCP-” (all of the TCP operations available to filter)
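The quoted comment describes a reproducible check rather than an opinion: filter a Process Monitor capture to one process, read the “Desired Access” of each CreateFile, and list the TCP operations. The script below, added here and not part of the forum thread or of this post, applies those same filters to a Process Monitor CSV export (File > Save as CSV) and summarizes what a process read, wrote and connected to. The CSV rows are constructed for illustration (including the Keygen.exe and Setup.exe names and the localhost:1688 peer; 1688 is the conventional KMS port), and the list of “write” access rights is this example’s own rule of thumb based on Process Monitor’s usual wording, not an official classification.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export, trimmed to the columns the
# quoted comment filters on. Every value below is made up for illustration and
# does not reproduce any real program's activity.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"13:27:40.1","Keygen.exe","4120","CreateFile","C:\\Windows\\AutoKMS.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert"
"13:27:40.2","Keygen.exe","4120","CreateFile","C:\\Tools\\keys.ini","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"13:27:40.3","Keygen.exe","4120","TCP Connect","localhost:49213 -> localhost:1688","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"13:27:40.4","Keygen.exe","4120","TCP Send","localhost:49213 -> localhost:1688","SUCCESS","Length: 256, startime: 1, endtime: 1"
"13:27:40.6","Keygen.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Office\\14.0\\Registration","SUCCESS","Type: REG_SZ, Length: 32"
"13:27:41.0","explorer.exe","1234","CreateFile","C:\\Users\\me\\Desktop","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
"13:27:41.5","Setup.exe","2210","CreateFile","C:\\Program Files\\Tool\\config.ini","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"""

# Access rights that let a process modify the object. Treating any of these as
# "write" is this example's assumption about Procmon's wording, not a Procmon feature.
WRITE_RIGHTS = ("Generic Write", "Generic All", "Generic Read/Write",
                "Write Data", "Append Data", "Write Attributes", "Delete")


def desired_access(detail):
    """Pull the 'Desired Access' clause out of a CreateFile Detail string."""
    if "Desired Access:" not in detail:
        return ""
    rest = detail.split("Desired Access:", 1)[1]
    return rest.split(", Disposition", 1)[0].strip()


def access_kind(detail):
    """'write' if the CreateFile asks for any modifying right, else 'read'."""
    rights = desired_access(detail)
    return "write" if any(tok in rights for tok in WRITE_RIGHTS) else "read"


def parse_procmon_csv(text):
    """Rows of a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_process(rows, process_name):
    """Same filters as the quoted comment (one process, CreateFile and TCP* ops),
    plus a count of every other operation so nothing is silently dropped."""
    summary = {"files_read": [], "files_written": [], "tcp": [], "other_ops": Counter()}
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        op = row["Operation"]
        if op == "CreateFile":
            bucket = "files_written" if access_kind(row["Detail"]) == "write" else "files_read"
            summary[bucket].append(row["Path"])
        elif op.startswith("TCP"):
            summary["tcp"].append((op, row["Path"]))
        else:
            summary["other_ops"][op] += 1
    return summary


def triage_notes(summary):
    """Plain-language observations an analyst would write down before deciding anything."""
    notes = []
    notes.append("no file modifications observed" if not summary["files_written"]
                 else "modifies %d file(s)" % len(summary["files_written"]))
    # The Path column of a TCP event is "local -> remote"; keep the remote side.
    peers = sorted({path.split(" -> ")[-1] for _, path in summary["tcp"]})
    notes.append("no network activity" if not peers else "talks to: " + ", ".join(peers))
    return notes


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    for proc in ("Keygen.exe", "Setup.exe"):
        print(proc, "->", "; ".join(triage_notes(summarize_process(rows, proc))))
```

The explorer.exe row shows that other processes are dropped by the filter, and the Setup.exe row shows how a CreateFile with Generic Write lands in the “written” bucket. A summary like “reads two files, writes nothing, connects to a local port” is what the quoted comment is claiming, and this makes the claim checkable from the export; it is still a triage result rather than a verdict, since a program can behave differently when it is not being monitored, and the same export is where you would look for the writes or remote connections that a “executes commands from an attacker” description implies.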

This is important because, while the toolkit may be illegal (I believe it isn’t, but that’s a fair use debate), it is NOT malware by definition.

It is not the AV community’s job to police the Internet for piracy. What’s next? False positives on downloaded mp3s?

Also consider that while a false positive might be in a sense harmless, a false negative would be far more dangerous.

Sony’s infamous rootkit taught us that The Company is more than happy to invade our systems and privacy to protect its profit margin. If the AV community has betrayed us on the issue of false positives, who’s to say they aren’t doing so for false negatives?

I think it’s clear that this seriously wounds trust for commercial antivirus software. When I run AV, I’m not scanning for contraband, I’m scanning for infection.

It would seem that even the commercial AV software, at least in the case of MSE, knows that false positives are common. It was trivially easy for me to “allow” this “threat” to persist on my system. Which raises the question: if they are so good, and these really are threats, then why isn’t allowing a threat more complicated?

And why is their language so ambivalent and cautious? (…programs that may compromise…) Smells like CYA to me.

If anyone has any more proof one way or the other, I would like to see it. If this activator is really dangerous then it undermines my point, not that it applies to me one way or another. But on the other hand, if there is some third party proof that the toolkit is not dangerous, then a wider investigation is warranted.