Technology Corner
WTVN Radio • Columbus, Ohio • Sunday morning from 8 until 9
Sunday, May 25, 2003


Microsoft sending screen savers? Nope.

Thursday morning I finally received the message I've been waiting for. The message claimed to be from "support@microsoft.com" and promised a "Cool screen saver." The message told me that all the information was in the attached file. Trouble was, there was no attached file.

Had there been an attached file, it would have contained a worm. But the mental midget who created this variant wound up shooting blanks.

I can think of several reasons why something this stupid shouldn't work.

  1. Microsoft support doesn't use the word "cool". (They're businesslike.)
  2. Microsoft support never sends anything to anyone as an e-mail attachment.
  3. When Microsoft wants you to know about something, they send a message that directs you to a Knowledgebase article. The Knowledgebase article directs you to a download page where you can specify your operating system and obtain the file in question.

Unfortunately, I can also think of at least as many reasons why something this stupid will work.

  1. Many people still don't comprehend that the "from" part of an e-mail is easily forged. Give me 20 seconds and I can send you an e-mail that appears to come from "b.gates@microsoft.com".
  2. A surprising number of people don't yet know that Microsoft never sends attachments even though the company has been explaining that policy for years.
  3. Some people really will believe anything they hear, no matter who says it. (Hey, did you hear that they took "gullible" out of the dictionary!)

I was sorry the attachment wasn't present because it would have given me a chance to test my computer's antivirus program.

Rule #1: Never, ever open an attachment from anyone if you're not expecting it -- even if the message is from someone you know.
(I make an exception to this rule in certain carefully analyzed instances every day, but it's still a good rule.)

If you're in doubt, take a look at the message's routing headers to see where the message really came from. Remember, when you look at the headers, that the origin is at the bottom and your server's information will be near the top. For example, here's the header from the message I received on Thursday morning:

Return-path: <support@microsoft.com>
Envelope-to: xxx@xxx.com
Delivery-date: Thu, 22 May 2003 07:10:29 -0400
Received: from xxx.com ([xxx.xxx.xxx.xxx] helo=xxx.xxx.xxx.xxx)
        by hazel.xxxxxx.com with esmtp (Exim 3.36 #1)
        id 19Inxs-0005BW-00
        for xxx@xxx.com; Thu, 22 May 2003 07:10:28 -0400
Received: from adrem.krakow.pol.pl ([195.116.22.154] helo=ANNA)
        by hazel.xxxxxx.com with esmtp (Exim 3.36 #1)
        id 19Inml-000517-00
        for wtvn@blinn.com; Thu, 22 May 2003 06:59:00 -0400
From: <support@microsoft.com>
Subject: Cool screensaver
Date: Thu, 22 May 2003 12:59:00 +0200
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

I've obscured some information here because I don't care to share it with the world, but let's take a look at some of the hints that tell me this is not really a message from Microsoft. We're starting at the bottom and working our way up.

X-Mailer: Microsoft Outlook Express 6.00.2600.0000 - Would Microsoft support use Outlook Express? I doubt it; they would use Outlook. For messages to a large number of people (presumably this would be in that category) the tool of choice (even at Microsoft) would not be any version of Outlook.

Date: Thu, 22 May 2003 12:59:00 +0200 - The last time I checked, Microsoft was still in Redmond, Washington, and that's in the Pacific time zone (GMT minus 8) and not in a time zone that's 2 hours ahead of GMT.

Received: from adrem.krakow.pol.pl ([195.116.22.154] helo=ANNA) - If this is really a message from Microsoft, why are they using an SMTP server in Krakow, Poland? And the IP address 195.116.22.154 belongs to RIPE Network Coordination Centre in Amsterdam, Netherlands, a registrar. The address is assigned to "Polska Online", apparently a dial-up Internet service provider in Poland.

Further evidence that the person who sent this worm (or attempted to) isn't too bright: No attempt was made to disguise the actual origin of the message.
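The bottom-up header reading described above, as an added Python example that is not part of the original article. It parses the header quoted above and trusts only Received lines stamped by the recipient's own server; the function name analyze and its trusted_mx parameter are assumptions introduced here.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header as quoted in the article (obscured values left as-is).
RAW = """\
Return-path: <support@microsoft.com>
Envelope-to: xxx@xxx.com
Delivery-date: Thu, 22 May 2003 07:10:29 -0400
Received: from xxx.com ([xxx.xxx.xxx.xxx] helo=xxx.xxx.xxx.xxx)
        by hazel.xxxxxx.com with esmtp (Exim 3.36 #1)
        id 19Inxs-0005BW-00
        for xxx@xxx.com; Thu, 22 May 2003 07:10:28 -0400
Received: from adrem.krakow.pol.pl ([195.116.22.154] helo=ANNA)
        by hazel.xxxxxx.com with esmtp (Exim 3.36 #1)
        id 19Inml-000517-00
        for wtvn@blinn.com; Thu, 22 May 2003 06:59:00 -0400
From: <support@microsoft.com>
Subject: Cool screensaver
Date: Thu, 22 May 2003 12:59:00 +0200
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
"""

# Exim-style hop: from HOST ([IP] helo=NAME) by SERVER
HOP = re.compile(r"from (\S+) \(\[([^\]]+)\] helo=([^)]+)\) by (\S+)")

def analyze(raw, trusted_mx):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(dict(zip(("host", "ip", "helo", "by"), m.groups())))
    # Only hops stamped by our own server are trustworthy; anything below
    # them was supplied by the sender. Read bottom-up for the first handoff.
    origin = next((h for h in reversed(hops) if h["by"] == trusted_mx), None)
    if origin is None:
        raise ValueError("no Received line from the trusted server")
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    host = origin["host"].lower()
    return {
        "origin_host": host,
        "origin_ip": origin["ip"],  # address the trusted server saw connect
        "helo": origin["helo"],
        "from_domain": domain,
        "origin_matches_from": host == domain or host.endswith("." + domain),
        "utc_offset_hours": parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600,
    }
```

Calling analyze(RAW, "hazel.xxxxxx.com") reports the Krakow host as the origin, a From domain that does not match it, and a sender clock two hours ahead of GMT.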

Meet the Palyh worm

Messages reported so far carry these subject lines: Your Password, Screensaver, Re: Movie, Your details, Approved (Ref: 38446-263), Re: Approved (Ref: 3394-65467), Cool screensaver, Re: My details, Re: My application, Re: Movie. The message is always the same: "All information is in attached file."

A message like that should stand out like a Day-Glo orange elephant on the lawn of the White House. It does everything but scream, "Open me and your computer will be converted to toast!" What more could you want? "All information is in the attached file" indeed. Would any thinking person at any hardware or software company send such a message? (That was a rhetorical question, but the answer is "No!")

What happens if you open it? Palyh copies itself to the Registry and installs itself so that it will start whenever Windows starts. Then it starts seeking out open network shares. In at least some cases, Palyh has been reported to have attempted to connect to a website where it attempts to download malicious code.

Of course, no worm would be complete without code to seek out e-mail addresses and mail itself to every address it can find. The worm inspects files with these extensions: wab, dbx, htm, html, eml, and txt.

This worm affects all Windows systems (except for Windows version 3 or older). Mac, OS/2, Unix, and Linux users are safe from this one.

Symantec is spamming you? Nope.

Have you received offers for Norton Antivirus "90% off"? If not, count yourself among the lucky few. At least a dozen of these spams are trapped and destroyed every day by GoodbyeSpam. I know because I like to glance at the trash before dumping it. Are these spams from Symantec? In a word, NO.

Anyone who thinks an offer like this comes from Symantec should consider the logic of such an offer. Would any business that depends on distributors and retailers to sell its products suddenly decide that it's a good idea to sell its product at a 90% discount -- far below the price that even the largest distributors get? Can any company afford to sell its products at a 90% discount? Even if a company could sell its products at a 90% discount, why would it want to do that?

Symantec cannot sell product at a 90% discount if it hopes to be able to continue research and development efforts. If it hopes to provide support for existing customers. If it wants to continue to pay its 4000 employees.

Here's the message. Looks like it's from Norton, doesn't it? The "from" address isn't Symantec's, though.
And look at this offer!
But the link goes to "discountbuyers.biz" instead of to Symantec. The IP address appears to be in China. Symantec is in California.
And the domain is registered in Australia.

In other words, these "offers" are nothing more than spam from thieves. If you decide to buy from a spammer, one of three things will happen:

  • Best possible outcome: You will be allowed to download pirated software. You won't have a manual. You won't have any support. The product might be current.
  • Second best possible outcome: You will receive nothing. Your credit card information will be used by thieves. Your identity will be stolen. (Yes, this is the second BEST outcome.)
  • Frequent outcome: The software you download (or received on an unmarked disk in an envelope without a return address) will not be the antivirus program you thought you were getting, but a Trojan horse program that, once installed, gives the thieves full access to every file on your computer.

Symantec is concerned because many people think these spams are from Symantec or condoned by Symantec. And those who fall for the offer often blame Symantec when something goes wrong.

I spoke with Symantec's director of worldwide security, William Plante, who's concerned that people will believe offers such as these really are coming from Symantec ...

Remember last December when this site was down more than it was up?

I certainly do. The site was hosted, back then, by an organization called Feature Price. When I started using the service in the late summer, the service was so good and the price was so reasonable that I recommended it to many others. Starting in early December, things went bad. The site was down. E-mail wasn't delivered. Calls to support went unanswered. I eventually cancelled the service, leaving a balance of more than $200.

This week, I found out what was wrong. I received a message from Fathi Said, who was the owner, with Travis Johnson, of FeaturePrice. In early December, Said alleges, Johnson forced him out and "stole" the company. All I know is that service changed from quite good to the worst I've experienced anywhere. Near the end of December, I signed on with Akashik.net, an Australian company with a US presence. From then until now, Akashik has provided splendid service at an astonishingly reasonable price.

To read Said's account of this sorry mess, click here. If you're an attorney and have any interest in filing a class-action suit, you'll find that a lot of former FeaturePrice clients will support your efforts!

Nerdly News

New version of WinZip coming soon

WinZip has been my favorite file compression utility since it arrived on the scene. Remember ARC? Remember PK-Zip? PKWare is still around, but the new version of the product costs nearly $100 (current discounts drop that to $80). The product is available for a wide range of operating systems, too. But if you're a Windows user, you're probably familiar with WinZip.

Version 9 is available in a free beta version you can download from www.winzip.com, and the company will continue one of the most unusual practices in the software industry when version 9 is released. Any registered user will be able to download the new version and use it for free. This is what WinZip has done since 1991 and I don't know how they continue to do it: If you have any registered version of the product, you get the new product for no additional charge.

And version 9 adds some major new features. The most significant is encryption -- both 128-bit and 256-bit. Users may also create files in the original zip format or choose a new 64-bit zip format. The new format essentially removes all size restrictions. The previous version was "limited" to no more than 65,535 files in a zip and no individual file could be larger than 4GB. I've never come close to testing that limit, but it's nice to know that I'll never have to be concerned with how many files I put into a zip file or how large they are.

For the folks at WinZip -- BRAVO! Again.

Looking for a vacation?

Instead of the usual vacation -- book the hotel, book the airline, book the rental car -- what about a charter flight and a vacation plan that includes everything? If that sounds like a good idea to you, check out www.11thhourvacations.com. I don't know anything about the company, but the website provides a huge amount of information about how it works.

Seven days in Cancun (including air fare) for under $700 per person (from Columbus). Yes, you can do that. 11thHourVacations.com lists resorts, cruises, and escorted vacations in the US and around the world. Charter flights often offer lower fares than commercial flights and usually provide non-stop service to the destinations. Saving both time and money is a good thing.

How good are the rates? Can an agent do a better job? Can you do a better job on your own? Since I travel to New York City fairly often, I checked their "land only" options for that city. The best rate was $150 per night (per person). While that's not bad for New York City, it's far more than I'm willing to pay when I spend only a few hours per day in the room and I'm sleeping most of the time I'm there. Those who are willing to stay somewhere other than Midtown will find substantially lower rates. New York City does have some "bed and breakfast" operations, too. It is possible for 3 people to stay in a large, comfortable suite in Manhattan, close to a subway line, in a quiet neighborhood for under $100 per night. 11thHourVacations missed that one.
