More on DNSer. I switched to a Netgear MR314 for 8…

More on DNSer. I switched to a Netgear MR314 for 802.11b access, and this router wasn’t listed either. Here’s the info needed for the MR314, if you have one too.

;----------------------------------------------------------------------------;
;This is a template for Netgear MR314 Router, Firmware  V3.29(CF.0)b1 | 6/19/2002
;Contributed by Bill Talcott
;If your router's LAN IP isn't 192.168.0.1 you should change it accordingly:

[Source]
Interval=55
URL=http://192.168.0.1/mtenSysStatus.html
URL1=http://192.168.0.1/mtenSysStatus.html
User=admin
Pass=secret
Prefix=IP Address :                                                   <B>
Count=1
Log=1
;File=mr314temp.html
;----------------------------------------------------------------------------;

That should pretty much do it. You need to specify the first URL to establish a session, and the second one to actually get the status page.

I’ve been using Kerio Personal Firewall 4 for a fe…

I’ve been using Kerio Personal Firewall 4 for a few days now, so I’m more qualified to give my opinion on it now. As with the older versions, I recommend it. It’s basically an updated version of the program (duh) with more “security stuff” added. Personally, I want a firewall, so I disabled all that other stuff, which is why I don’t have much to say other than “it’s an updated version”.

During the install, it detected and uninstalled the old version. It created a backup of my config file as well. I didn’t pay attention to where it saved the file, expecting it to be in the program’s directory (my own fault), but I later found it in My Documents. During the install, something went wrong. I’m not sure exactly what happened, but the installer froze. Trying to run it again resulted in an error message. However, everything seemed to work after a reboot. Once I imported the backup config file, everything seemed to be great. The interface has the “XP style” of many new programs, with a flat look rather than standard buttons. Personally, I’m not a fan of this, but it’s only aesthetic so I’m not too concerned. I’d rather use an ugly piece of good software than a pretty piece of junk. The new interface also includes a bandwidth meter, and the tray icon also has small dots to represent this meter as well. This is better than the old arrow over the icon that simply told you whether or not there was traffic in a specific direction.

The one new feature that I do use is the intrusion detection system. The IDS module watches for signs of attacks. It divides them into high, medium, and low priority, and you can configure how to handle each one. The reports tell the name of the attempted intrusion, what type of attack it is, and often provide a website you can check for more info.

For me, there’s not a whole lot new here. However, it now includes a popup block and web filter, among other things. You may very well find this update to be quite an improvement. It really is a “security suite” now, as opposed to just a firewall (which it still does well). Besides being a great firewall, and covering some other functions, it’s free. Can’t beat that! Check it out if you haven’t already.

Kerio Personal Firewall 4 was just released. I’m s…

Kerio Personal Firewall 4 was just released. I’m still downloading it, but a friend who was a beta tester said it’s pretty good. I’ve been using KPF since it split off from Tiny. It’s still completely free for personal use, and on top of that it’s one of the best firewall programs available (even compared to the expensive ones). It now has some extra features like an intrusion detection system, web filtering, popup blocking, and dialup guarding (to prevent dialer programs from calling pay numbers).

I was going to include a link to the OutBound page at Hackbusters.net here. If I remember correctly, Tiny/KPF was one of the first firewall programs to be updated to handle this problem (programs using a protocol driver other than the default Microsoft stack were unaffected by any of the firewall’s settings). However, his LaBrea program (a “tarpit” designed to cause internet worms to waste a bunch of time trying to find new hosts) technically falls under the definition of “an unlawful communication device” (because it disrupts the “communication service” without the permission of the “communication service provider”) according to the “Super DMCA” law in Illinois. The final DMCA included a clause that there must be intent to defraud, but the earlier Illinois version has no such clause. Rather than risk action under a very ambiguous law, he has taken down most of the site, to also “Shine a bright light on a badly written and potentially damaging piece of legislation.” He has many links available if you’re interested in this and similar laws (which you should be, if you value your freedom at all). This section describes how it’s now a crime for him to report a serious security issue that he happened upon one day. Note that on the same page above all this, you can see where LaBrea was voted “Most Useful Application of 2001” by eWeek and the author was named as a finalist in the “Innovation in Infrastructure Awards” by eWeek and PC Magazine. While there may (and I stress may) be good intent behind some of these laws, they’re doing a lot of collateral damage which ends up making things less secure.

Back to my main topic, I’ll have more info on KPF4 as I use it some.

I just got an email from DynDNS.org saying that my…

I just got an email from DynDNS.org saying that my hostname was about to expire, due to lack of updates. I have my D-Link DI-704 router set to update that automatically, but apparently it only updates it when your IP actually changes. This is fine until you have the same IP for 35 days, which is how often your DynDNS record has to be updated or else it will be deleted. I went to the DynDNS.org client page and set out to find a good updater program.

I’ve tried most of the top-ranked programs before. Most of them cost at least a little bit, which is more than I wanted to pay for something that I didn’t really need anyway. Many of them have a bunch of extra features I don’t need or want. I would prefer a simple service that simply updates my DynDNS record, and doesn’t have a multi-colored blinking icon and a built-in coffee maker.

The first freeware client I came to was DNSer. This is a very simple program, which seems to be perfect for what I want. It installs as an NT service, so I never even have to see it once it’s set up. It can detect your IP address from basically any webpage, specifically your broadband router’s status page. Some of these routers use non-standard HTML which screws up DNSer’s parsing, so it can even save a temporary copy of the status page with the problem code fixed. Configuring DNSer is definitely not idiot-proof, but it’s not too complicated either. You have to edit a .INI file by hand with the proper parameters. There are templates for many routers and dynamic DNS services, so in many cases this amounts to substituting in your router’s IP address and your username and password for whichever service you use. Using the .INI file also means that DNSer doesn’t stick itself all over your system. The parameter /INSTALL installs it as a service and /UNINSTALL removes the service. After that, just delete the directory where you unzipped the program, and it’s completely gone. No registry mucking or random files scattered about.

My router wasn’t listed, and uses a funny form of authentication. You don’t automatically get a login prompt if you just go to the status page first, and the login page is actually a set of frames with three other pages inside it. Once I figured out exactly how to get DNSer to log on, it was smooth sailing. Here’s the config section from my .INI file for the DI-704:

;----------------------------------------------------------------------------;
;This is a template for D-LINK DI-704 Router, Firmware 2.60 build 2
;Contributed by Bill Talcott
;If your router's LAN IP isn't 192.168.0.1 you should change it accordingly:

[Source]
Interval=55
URL=http://192.168.0.1/menu.htm?RC=@
URL1=http://192.168.0.1/status.htm
User=admin
Pass=secret
Prefix=IP Address</font></td><td ALIGN=CENTER WIDTH=40%>
Count=1
Log=1
;File=di704temp.html
;----------------------------------------------------------------------------;

The URL parameter is the actual login form frame’s URL. URL1 is the status page that shows your IP address. Pass should be set to whatever your password is to access your router. Prefix is the text that DNSer looks for on the status page right before your IP address. As you can see, you need to include any tags from the source HTML of the page too. Count is which occurrence of the Prefix to use. Some routers use the same label on the internet IP address and the LAN IP address, and have them arranged in tables. If it shows the LAN IP first, you could set Count to 2 to have it use the second IP address listed. These parameters, and everything else in the .INI file, are explained in the documentation that comes with the program. Like I said, it’s not idiot-proof, but not really too hard either.

The default DynDNS.org service template has a maximum refresh time of 25 days. This means that if your record hasn’t been updated in 25 days, it will force an update, to keep your record from expiring. This is exactly what I was looking for. DNSer seems to be the perfect program for my needs. It gives up a bit of user-friendliness for nearly-infinite customizability, and doesn’t have a bunch of extra junk I don’t want. If you’re looking for something like this, I recommend you check out DNSer yourself.
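The Prefix/Count lookup and the 25-day forced refresh described above, as an added Python sketch. This is not DNSer's own code; the function names, the sample status page and the RFC 1918 check (which catches a Count that points at the LAN address) are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the DI-704 Prefix above: LAN address listed
# first, internet address second, both behind the same label.
PREFIX = "IP Address</font></td><td ALIGN=CENTER WIDTH=40%>"
SAMPLE_STATUS = (
    "<tr><td><font>IP Address</font></td><td ALIGN=CENTER WIDTH=40%>192.168.0.1</td></tr>\n"
    "<tr><td><font>IP Address</font></td><td ALIGN=CENTER WIDTH=40%>203.0.113.45</td></tr>\n"
)

IPV4 = re.compile(r"\s*(\d{1,3}(?:\.\d{1,3}){3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_ip(html, prefix, count=1):
    """Return the IPv4 address right after the count-th occurrence of prefix."""
    pos = -1
    for _ in range(count):
        pos = html.find(prefix, pos + 1)
        if pos == -1:
            raise ValueError("prefix occurrence not found on status page")
    match = IPV4.match(html, pos + len(prefix))
    if not match:
        raise ValueError("no IPv4 address directly after prefix")
    # IPv4Address raises ValueError for out-of-range octets such as 999.1.1.1
    return str(ipaddress.IPv4Address(match.group(1)))


def is_lan(ip):
    """True for RFC 1918 addresses, which must never be sent to the DNS service."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def needs_update(current_ip, last_ip, last_update, now, max_age_days=25):
    """Update when the IP changed, or when the record is max_age_days old."""
    if is_lan(current_ip):
        raise ValueError("status page yielded a LAN address; check Count")
    if current_ip != last_ip:
        return True
    return now - last_update >= timedelta(days=max_age_days)


if __name__ == "__main__":
    wan = extract_ip(SAMPLE_STATUS, PREFIX, count=2)
    last = datetime(2003, 9, 1)
    print(wan, needs_update(wan, wan, last, last + timedelta(days=26)))
```

With Count left at 1 on this sample page the LAN address would be picked up, and `needs_update` refuses it instead of publishing 192.168.0.1 to the hostname.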

I’ve had my site hosted by a friend for a while. I…

I’ve had my site hosted by a friend for a while. It was usually fine, but I’ve had a few outages and some more problems once he moved. Then I was directed to http://order.1and1.com/xml/static/Home. They’re just getting into personal hosting, and rather than spend a ton of money on advertising, they’re giving away accounts and relying on word of mouth for it to spread. I’ve used it for a little while now, so I have a few comments. I most likely wouldn’t pay for this service, but it sure is better than GeoCities and all the other free webhosts like it.

They seem to be aimed more at the novice. Everything is done via a web interface, which isn’t 100% configurable. However, they do have some additional features that are nice, and not too common, even with paid hosts. http://order.1and1.com/xml/static/Faq is a FAQ about this promotion, and I’ve put up a copy of their terms of service if you want to see them before you go through the other stuff.

Here are the main features…

* 12Gb connection

* FTP, PHP, Perl, MySQL, CGI, SSH, and Cron Jobs

* 50 POP3 e-mail accounts, offering 50MB each, 500 e-mail forwarding accounts, Virus Scanning, auto-responders, and webmail via your own domain name

* 500MB of space

* 5GB of traffic allowed, $.99/GB for over 5GB

They do have a few limits on the free account. Only one SSL cert for the whole site and one MySQL database of 100MB. However, most “free webhost” users don’t need this stuff at all anyway. The virus scanning is only free for the first mailbox also. Additional mailboxes are $1.99, to be paid 3 months in advance, unused time not refundable. The 5GB limit is pretty good too, and $.99 per extra GB over that is pretty cheap. Even if you double your allowed traffic, that’s still only $5. One horror story showed that a customer managed to consume 234GB of traffic with his site, and was billed over $16,000. In trying to refute his claim, another person posted that he appeared to be hosted by rackspace.com, who charges $4/GB for overage (lowering his cost to $936). With 1&1, 234GB would cost you $226.71. Still quite a bill from a “free” hosting service, but a lot better than $900, and a whole lot better than $16,000.

They give you a xxxxxxxxxx.onlinehome.us domain name. I haven’t tried it, but I believe that should work as your domain name if you don’t want to pay the extra $5.99 to get your own domain name. I think you could have joesmith@xxxxxxxxxx.onlinehome.us for example. It’d be a bit annoying, but it would work.

The email setup is a bit weird also. They give you another xxxxxxxxxx name for your mail stuff. You can create up to 50 mailboxes, but the names are all xxxxxxxxxx-____. They start with that xxxxxxxxxx, and you can choose 4 characters to stick on the end, like xxxxxxxxxx-1 and xxxxxxxxxx-2 for example. You can still choose any name to use for the email address (like joesmith@xxxxxxxxxx.onlinehome.us), but the mailbox account itself is named xxxxxxxxxx-1. xxxxxxxxxx-1 is the username you would enter into your mail client for checking the mail account.

It also takes a while for changes made in their web interface to go into effect. When you change a subdomain setting, it says that the change will take place within the next three hours. Again, not a huge deal, but it can be annoying at times if you’re trying to get something working and have to wait that long to test it.

When you sign up, you have to provide a phone number for them to call. Their automated confirmation system calls you a few minutes later with a PIN. You put that number into a web form to confirm your identity. Once that’s done, they send you the final confirmation so you can access your account.

Overall, not a bad host. Their configuration stuff seems lacking to me, and it can be time-consuming and a bit confusing to get everything set up and working. As I said, I don’t think I’d pay for this service, but it’s leaps and bounds above the other free hosts out there. Might as well give it a try. They don’t ask for a credit card number or anything, so it is absolutely free. If you don’t like it, just stop using it before the 3 year promo is up.

I’ve been playing with GNU Privacy Guard, a comple…

I’ve been playing with GNU Privacy Guard, a completely open source replacement for PGP. Brendan Kidwell has a guide which gives a good basic introduction to GPG on Windows. Enigmail lets you incorporate GPG into Mozilla’s mail client as well as the standalone Thunderbird mail client. You can search for a person’s key at http://www.us.pgp.net/pgpnet/pks-commands.html. You can find my public key here.

unsobigf.inf is a little file I wrote. The "defaul…

unsobigf.inf is a little file I wrote. The “default install” for the file is to delete the two Sobig.f files from your Windows directory and remove the two startup commands from the registry. It will not delete the files if they’re currently in use. Run taskmgr and look for a process named winppr32.exe. Click on that process, then click the End Process button to shut the virus down. Save the file, right-click on it, and choose Install. As long as you stopped the program, the virus should be completely removed from your system. If you didn’t stop the program, the .inf should at least remove the startup commands from the registry. After rebooting, the virus shouldn’t run automatically. This will allow the .inf to remove the files that were running before.

The latest variant of the Sobig virus is going aro…

The latest variant of the Sobig virus is going around. The easiest way to see if you’re infected is to look for a WINPPR32.EXE file in your Windows directory. Running dir %windir%\WINPPR32.EXE from a command prompt (run cmd) will tell you that the file isn’t found or give you info for the file. If you have the file, you’re infected. Update your virus scanner and/or do a free online virus scan at Trend Micro or Panda.

The virus spreads by email. If you get one of these emails, remember that the return address is forged. The virus picks a random address found on the infected PC (address book, old mass emails, saved webpages, etc.) and uses that as the return address. You can find the actual sender by viewing the header information of the email (usually hidden by default). In Outlook Express, you should be able to select the message and press Ctrl+F3 to view the raw data. There should be a line that starts with Received: from. It will say that a message was received from an IP address, to your mail server, meant for your email address. The virus has a built-in mail server, so the IP address of the sending mail server is the infected PC. If you run ping -a 111.222.333.444 (using the infected IP address you just found), it will look up the hostname for that IP address. That will tell you the user’s ISP, and possibly their region. This can help you figure out who the infected user is. If the forged address is something like list-subscribe@mycoolcar.com, then you can probably assume that the infected user is subscribed to the same mailing list at mycoolcar.com that you are, and that’s where they got your address. Obviously the best way to contact them is probably going to be through mycoolcar.com.

Make sure you don’t run any of the email attachments while you’re doing this. That will infect your computer and just make things worse. As a general rule, you shouldn’t open any attachment unless you’re expecting it, even if you know the person. Many of the newer viruses spread using information from the address book, so you’re very likely to get an email virus from someone you know.
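The header check described above, as an added Python example that is not part of the original post. It reads only the Received line written by your own mail server, since any Received lines below it were supplied by the sender and can be forged like the return address. The message, hostnames and addresses are constructed, and `connecting_ip` is a hypothetical helper name.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the top Received line was added by the recipient's own
# server; the one below it came with the message and cannot be trusted.
SAMPLE = """\
Received: from forged-helo.example (dsl-45.isp.example [198.51.100.23])
\tby mx.recipient.example with SMTP id abc123
\tfor <me@recipient.example>; Tue, 19 Aug 2003 10:15:02 -0400
Received: from mail.trusted.example ([192.0.2.77]) by nowhere.example;
\tTue, 19 Aug 2003 10:00:00 -0400
From: list-subscribe@mycoolcar.com
To: me@recipient.example
Subject: constructed sample

body
"""

BRACKETED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message, my_server):
    """Return the IP that connected to my_server, or None if it is not recorded.

    Headers are scanned from the top, so the first Received line stamped
    "by my_server" is the one that server itself wrote.
    """
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())            # unfold continuation lines
        from_part, sep, by_part = hop.partition(" by ")
        if not sep or by_part.split()[:1] != [my_server]:
            continue                           # written by some other host
        match = BRACKETED.search(from_part)
        if match is None:
            return None
        # The bracketed address is what the server saw on the socket; the
        # HELO name before it is whatever the sender chose to claim.
        return str(ipaddress.IPv4Address(match.group(1)))
    return None


if __name__ == "__main__":
    print(connecting_ip(SAMPLE, "mx.recipient.example"))
```

The returned address is the one to feed to `ping -a` for the hostname lookup described above.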

I’ve been using Miranda at work for a while, and I…

I’ve been using Miranda at work for a while, and I’ve just now gotten switched over to it at home (from Trillian). I don’t do anything fancy with my IM programs, just chat, so Miranda is the best client I’ve found so far. It was originally an ICQ client, but it has been converted to support any protocol that a plugin can be written for. It supports the basic TOC protocol of AIM, which is all I need. They are working on the full OSCAR protocol which supports file transfers and such, but AOL has made it quite clear that OSCAR is their proprietary format, and they don’t want others using it (occasionally Trillian and other clients get into little back and forth break/fix coding wars with AOL). There are plugins for Jabber and MSN protocols, and many other “utility” plugins that do everything from get RSS news feeds to checking game server statuses. If you prefer a small simple IM client over a fancy bloated program, give Miranda a look.

I’ve been told that the webpage hosting the Castle…

I’ve been told that the webpage hosting the Castle game tries to install spyware and has a bunch of popups and stuff. I use Mozilla so I was immune to all of this (just one more reason to at least try a non-IE browser). If you used IE on that page, or just want to make sure your system is clean, get Spybot S&D. It’s like the popular AdAware, but completely freeware and updated more frequently. The default scan will pick up more than AdAware’s default, and it can search for privacy-related stuff too (mostly just history lists inside programs).