
THE VIEW FROM CHAOS MANOR

View 118 September 11 - 17, 2000 


This is a day book. It's not all that well edited. I try to keep this up daily, but sometimes I can't. I'll keep trying. See also the monthly COMPUTING AT CHAOS MANOR column, 4,000 - 7,000 words, depending.  (Older columns here.) For more on what this place is about, please go to the VIEW PAGE.


Monday  September 11, 2000

Spent the day at the Zoo with Niven. We're looking for ideas for BURNING TOWER, the next volume in the Golden Road series about Los Angeles 14,000 years ago just after Atlantis sank and the magic was fading...  Alas, they don't have a jaguar so we will have to go elsewhere to study one.

 

 

 

 

 


Tuesday, September 12, 2000

We spent the day at the zoo. I'd hoped to see a jaguar (Jaguar and Coyote will be characters in BURNING TOWER which we are writing now) but the LA Zoo doesn't have one. We will have to go to San Diego where, 20 years ago, my cousin Dr. George Pournelle was Curator of Mammals and invented many of the habitats now used to keep the animals happier.

I have mixed emotions about zoos. Without them some species would vanish, and we'd never get to see them; and today's zoo is a far cry from the barren cages of the old days. The animals don't have to scrounge for a living, and most of them seem content enough. And sometimes there's no choice.

p9120025.jpg (117100 bytes)

I don't suppose there is a sadder sight than a caged eagle. This one was brought in with an injured wing and she can't ever go back to the wild. They hope to breed her, and they have arranged the cage so she can up from one thing to another to get to a high perch. She seems to like people: she came out of taking a bath (looked like fun) to look at us when we stopped to watch her.

But I kept remembering Napoleon Bonaparte. Those who have only seen an eagle caged have never seen an eagle...

p9110008.jpg (127850 bytes)

And that's the orangutan. When we got there he was sitting huddled in a corner looking miserable. Presently a young lady came over, removed a padlock from a gate, and turned a mucking great wheel which opened the gate that leads from one half of the cage to the other. The passageway is high overhead as you can see. The "red man of the forest" instantly went to the gate, grinned like crazy, and climbed over, but not before one of the females darted past him. They're about half his size. 

When he got across she had two of the big sherbet ice things they put in the cage after they cleaned that half. How they got the whole gang to go over to the side where they were when we got there is not known to me. They sure brightened up when the passage was opened, and it was very clear that they knew exactly what was going on. The big male got one of the fruit sherbets. The lady wasn't about to share her two with him. She held one in one hand until it got too cold, set it down, but picked it up instantly if he came near. His objective was to get one of hers by stealth: the fact that he's a lot, and I mean a LOT bigger than she is didn't seem to matter. The other female was satisfied with one sherbet which she just sat and ate a lick at a time. Clearly they have better manners than many humans.

Now I have to pay the bills. Hollywood Bowl tonight, last performance.

 

 


Wednesday, September 13, 2000

Hollywood Bowl last night. Mendelssohn concerto by 18 year old Ilya Gringolts conducted by Itzhak Perlman. Now THAT was a combination! Extremely well done, as you'd expect.

I have got to grind on my O'Reilly hardware book, but yesterday Niven came over and we worked on Burning Tower. Good scenes.

VIRUS ALERT    

This has not got widespread publicity. And I sure have it and had it for quite some time.

On Windows 98 and Windows ME (and probably Windows 95) machines, check the size of NOTEPAD.EXE. DO NOT OPEN NOTEPAD until you check that file size.  If that is larger than 60K and you have a file called note.com or note.exe on your system then you have a worm.

Use startup manager to see if your system automatically runs NOTEPAD on startup. If it does, stop it, that is NOT NOTEPAD. It sends an email to China. Whatever else it does it does that.

 

USE TASK MANAGER to STOP NOTEPAD which may be running although you didn't tell it to. (Closing the program won't shut this down.) Use STARTUP MANAGER to prevent NOTEPAD from opening on startup. DELETE NOTEPAD (if it's larger than 100K) and rename NOTE.COM to NOTEPAD.EXE and stay tuned for more messages.

Have a look at this site:

http://www.datafellows.fi/v-descs/qaz.htm 

ALEX has mailed the following: (HE writes faster than I can)

This information is current as of 9/13/00, 1730 Hours PDT. This is a personal message from Alex Pournelle, and contains, to the best of my ability to determine, a serious and not-well-understood threat to Windows 9X computers and probably other Windows variants as well.

Re: "QAZ" trojan

Dear everyone:

PLEASE PROPAGATE THIS INFORMATION AS QUICKLY AS POSSIBLE, BUT INCLUDE THE PROVISO THAT THIS INFORMATION IS BOTH TENTATIVE AND NOT AUTHORITATIVE. WE DO NOT KNOW HOW WIDESPREAD THIS PROBLEM IS, AND THE POSSIBILITY EXISTS THAT THIS IS SOMEHOW A FALSE CONCLUSION ON OUR PART.

We have just discovered what appears to be a sneaky and infective new virus, which is propagated by a new method as yet not understood. ALL machines running Windows 98 and ME are at risk and NO VIRUS CHECKING SOFTWARE we have tried detects it at this moment.

Short version: If your NOTEPAD.EXE is larger than about 52K, and it is being run on startup, YOU ARE INFECTED. NOTE.EXE, also present, is the original version of Notepad. We do not yet know about its propagation method or harm. Use Startup Manager, not MSCONFIG, to check for this program executing at startup. Check for a NOTE.EXE, which will probably be the unharmed version of the original application. Check for a file association of ".HSQ", which appears on several of the affected machines.

Information from the current alert as we understand it BEGINS:

On Windows 98 and Windows ME (and probably Windows 95) machines, check the size of NOTEPAD.EXE. DO NOT OPEN NOTEPAD until you check that file size. If that is larger than 60K and you have a file called note.com or note.exe on your system then you have a worm.

Use startup manager to see if your system automatically runs NOTEPAD on startup. If it does, stop it, that is NOT NOTEPAD. It sends an email to China. Whatever else it does it does that.

USE TASK MANAGER to STOP NOTEPAD which may be running although you didn't tell it to. (Closing the program won't shut this down.) Use STARTUP MANAGER to prevent NOTEPAD from opening on startup. DELETE NOTEPAD (if it's larger than 100K) and rename NOTE.COM to NOTEPAD.EXE and stay tuned for more messages.

Symptoms apparently include sending an email to somewhere in China.

END OF ALERT

This apparent virus/trojan was discovered by Robert Ransom while on-site at Chaos Manor less than an hour ago, as of 1730 hours PDT 9/13/00.

Important information will be contained at www.jerrypournelle.com , my father's website, and will doubtless be followed by other sites.

PLEASE PROPAGATE THIS INFORMATION AS QUICKLY AS POSSIBLE, BUT INCLUDE THE PROVISO THAT THIS INFORMATION IS BOTH TENTATIVE AND NOT AUTHORITATIVE. WE DO NOT KNOW HOW WIDESPREAD THIS PROBLEM IS, AND THE POSSIBILITY EXISTS THAT THIS IS SOMEHOW A FALSE CONCLUSION ON OUR PART.

Check the usual virus sites. As of this writing, there has been NO news about this at the usual sites, including ICSA. The ONLY reference to this trojan is via the "Northern Lights" search engine as of this writing.

More to follow, Alex Pournelle

Alex Pournelle, Director, PC and LAN Practice, Tech/Knowledge (www.t-k.com) VP Business Development, TK Media Services (www.locationconnect.com) (800) 818-TECH or (626) 844-1000


OK. Here is the situation. Every machine at Chaos Manor had the phoney NOTEPAD.EXE file. The dead giveaway is that the file is over 100K, while Notepad is about 50 - 60K if it's real. EVERY machine. I will come back to the implications of that shortly.

However, none of my machines seemed to be infected in the sense that the worm was running. To activate the worm you must start Notepad, and I hadn't done that on any 98 or ME machine; and on NT and 2000 machines this thing doesn't seem to take hold.

If you run Notepad, several things happen. First, it opens note.com which is in fact your old Notepad renamed. Next, it tells the registry to run notepad on startup. Finally, it goes resident, and closing notepad does not close this thing at all. To get rid of this you must run Task Manager.

I deliberately allowed one of my systems to be infected with this thing by running a known corrupted copy of Notepad. "I do all these silly things so you won't have to..."  The result was much trundling. I got rid of it by closing Notepad with Task Manager, then using Startup Manager to stop it from running on startup. Then I renamed note.com to NOTEPAD.EXE.

When it does run it seems to seek out every machine on your local network. I found copies of it on SPIRIT, an ancient server running NT 4 and strictly used as an application file storage system. It was there. It was on every one of my Windows 98 machines. It was on Roberta's machine and it made Notepad work VERY Strangely; removing it and renaming took care of that.

I am not sure what the purpose of this is, or how I got it, or how it managed to put itself on all my machines. It's possible that a machine brought here and hooked up to my network had it, and that infected all the others.

We can't find how we got it, and it's fairly easy to get rid of, but it's there. BEWARE.

For more see mail. Also, Roland has found a bit more about "our Chinese friend".

And it was on ALL Machines, including portables. What I have done is on every machine in the house I search for note and see what happens. Then I sort by size in the search returns. If I see a file larger than 100K it will generally be an infected Notepad. Kill it -- you can do that right from the search result -- and if it will not die then it is running in background. Use ctl-alt-del and Task Manager to shut it down, erase the file (or move it to an isolation ward), rename note.com to NOTEPAD.EXE and you should be all right. It's not a particularly vicious thing, but it will muck up the way Notepad works, and it does upload something to China. We aren't through taking it apart yet.

My thanks to Robert Ransom who noted that his disk drives were churning when running Notepad and found this monster.

See also

http://www.symantec.com/avcenter/venc/data/qaz.trojan.html 

 

 

 

 

 


Thursday,

 

Dear Jerry, 

While your warning is perfectly justified, you might want to remember that there are some freeware and shareware substitutions to Notepad.exe that are larger (mine is NotePad+ and 422k). In a shared computer, someone else might substitute it without others knowing it. If note.com doesn't exist and NotePad isn't set to AutoStart it then it could still be harmless. Better safe than sorry anyway, keep up the good work. 

James Siddall jr

All true enough.

Apparently later versions of both Norton and McAfee catch this thing, which shows the value of frequent updates of AV software. Still in all there was remarkably little notice of this, and the fact that it can propagate through Windows 2000 and NT systems is particularly disturbing.

I am writing this in the dermatologist's office while I wait for my annual birthday suit inspection. On or about your birthday, have a look at your birthday suit… Naturally I am using the MobilePro 780.

The great virus flap is done, and perhaps I reacted a bit strongly. It was a rare event. I am not often hit with a virus. I still don't know how this one got here, or when. I am also astonished that I didn't know about it. I usually get warnings.

As viruses go, this one was less harmful than most -- to me, anyway. So far as I can tell it was only running on one machine, Mrs. Pournelle's. I deliberately ran it on another machine. However, let me correct one impression people have. You do not have to map a letter drive from one machine to another to have this Trojan travel across from one system to another. Some of the machines infected have never been connected to the Internet and have never had a drive letter mapping to another machine. One was Creon, a backup server, which doesn't get mapped from or to, but it had a copy (not running) of this thing. Then too because of the Netwinder whatever this package was supposed to do doesn't happen.

Still, whether coincidence or other -- I am always suspicious of coincidence -- the Netwinder gave me the SL0 error yesterday before we discovered the existence of the virus. I doubt that had anything to do with it, though. But using Notepad as the mechanism for the virus is brilliant. It's not likely to be noticed and some of us use Notepad to look at suspicious files, guaranteeing that it would be opened, and opening Notepad is all that it takes.

That puts the virus in memory and tells the Registry to run Notepad on startup so it will always be running (well the virus will) no matter what you do. So use Task Manager now and if you have Notepad running and it should not be, you are infected. Use Task Manager to stop Notepad (it isn't really notepad); use Startup Manager to stop Notepad from running on startup -- this is important -- and delete the NOTEPAD.EXE file. If you are of a suspicious mind, delete NOTE.COM as well, and install a fresh Notepad from your Microsoft CDROM. If you are really paranoid you can do a repair installation of Windows.

Robert Ransom suggests that if you leave NOTE.COM on your machine - or even make a copy of a new copy of NOTEPAD and name it NOTE.COM - the virus won't again attack that machine since this is what it looks for. I am also working on how to be sure it is gone from all systems. And the flap is over, but it was real.
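The checks described in Wednesday's and Thursday's entries (Notepad's file size, the renamed original, and the run-at-startup entry), combined into one triage function as an added example; it is not code from this site or from any antivirus vendor. The verdict names, sample file sizes and startup command line are constructed for illustration, and the startup entries are assumed to have been read out by hand and passed in as strings; only the 60K threshold and the NOTE.COM / NOTE.EXE names come from the text.

```python
import ntpath
import os
import tempfile

REAL_NOTEPAD_MAX = 60 * 1024             # page: real Notepad is about 50-60K
BACKUP_NAMES = {"note.com", "note.exe"}  # page: the original Notepad, renamed

def file_sizes(directory):
    """Lowercased file name -> size; Windows 9x names are case-insensitive."""
    sizes = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            sizes[name.lower()] = os.path.getsize(path)
    return sizes

def runs_notepad(command):
    """True if a startup command line launches something named Notepad."""
    first = command.split()[:1]
    return bool(first) and ntpath.basename(first[0]).lower() in ("notepad", "notepad.exe")

def triage(directory, startup_commands=()):
    """Classify one Windows directory using the page's three indicators."""
    sizes = file_sizes(directory)
    oversized = sizes.get("notepad.exe", 0) > REAL_NOTEPAD_MAX
    backup = bool(BACKUP_NAMES & sizes.keys())
    autostart = any(runs_notepad(c) for c in startup_commands)
    if not oversized:
        # A normal-sized Notepad launched at startup is odd, but not the pattern.
        return "check-manually" if autostart else "clean"
    if autostart:
        return "active"            # it has been opened and set itself to run
    if backup:
        return "present-not-run"   # copied in, original renamed, never opened
    return "check-manually"        # e.g. a larger replacement editor

def write_sample(directory, files):
    """Fill a directory with zero-filled files of given sizes (constructed data)."""
    for name, size in files.items():
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(b"\0" * size)

def demo():
    """Triage five constructed machines; returns machine name -> verdict."""
    k = 1024
    trojaned = {"NOTEPAD.EXE": 120 * k, "NOTE.COM": 52 * k}
    machines = {
        "untouched": ({"NOTEPAD.EXE": 52 * k}, []),
        "inoculated": ({"NOTEPAD.EXE": 52 * k, "NOTE.COM": 52 * k}, []),
        "copied-only": (trojaned, []),
        "has-been-run": (trojaned, ["C:\\WINDOWS\\NOTEPAD.EXE"]),
        "replacement-editor": ({"NOTEPAD.EXE": 422 * k}, []),
    }
    results = {}
    for name, (files, startup) in machines.items():
        with tempfile.TemporaryDirectory() as directory:
            write_sample(directory, files)
            results[name] = triage(directory, startup)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The "replacement-editor" case is the one raised in the reader letter above: a large NOTEPAD.EXE with no renamed original and no startup entry is flagged for a manual look, not reported as infected.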


Well, Wen Ho Lee went from being so dangerous that he had to be in solitary confinement, and could talk to his lawyers only if he were in chains, to going home having pleaded guilty to a crime which, according to one newspaper, he couldn't have committed because when he downloaded the information it wasn't "yet" classified. I thought there was some nonsense about ex post facto laws in the Constitution but I must have misread. 

And the way the scientists are leaving the Labs and refusing to go to work for them, there soon won't be any secrets to protect. And those remaining apparently now greet FBI agents with the Nazi salute, which, given the way those on the Lee case acted, is entirely appropriate. A man cannot be so dangerous he must be locked away in solitary and take his hour of exercise alone only when chained, and the next be so harmless that he can go home without restrictions.

WHAT? The GOVERNMENT LIED to the Courts? We are shocked. Shocked. Sieg Heil.

It's pretty clear that Lee acted like a distracted genius unaware of regulations. Gosh. Read Richard Feynman's autobiographies for some more enlightenment, only I now wonder if modern FBI creatures can read or would comprehend. 

There was a time when this kind of mishandling of everything, and the total politicization of the Department of Justice, capricious prosecutions of some and total ignorance of other criminal activities, and the like would have so horrified the nation that not one member of the Administration or Congress would be re-elected. Turn the rascals out, and elect people who will fire the lot of these incompetent tyrants who pretend they are our protectors.

True, there must still be some decent people in the FBI. Surely there must be. They can't all be keeping the fire department away from burning children while parking Lon Horiuchi outside with a rifle, or chaining up an elderly man and pretending he is so dangerous that the nation will fall if he talks to his children without FBI surveillance. Or can they? The only real question now for sane people is, are there ten competent people left who genuinely didn't know that the rest of the Bureau had lost not only its competence but its senses? (Ten is a mystical number. I don't expect the FBI to know why ten.)

But the bureaucratic herd mentality seems strong. 

What is pretty certain is that nothing real will be done. We have Keystone Cops infected with megalomania doing our counter intelligence now. And you will doubtless have noticed that in all this there is not one clue as to how the details of our warheads did get to the Chinese. They couldn't have been on the hard drives of surplus supercomputers we sold, could they? But no, with our competent guardians on the alert, surely not.

Sorry for the tirade. I am sure I'll feel better after I get my mind right. Lee was really really dangerous until he pleaded to something, anything, anything at all, after which he wasn't dangerous. Right. Now I get it.


I know a great trade policy: we impose a tariff on imports. Any nation that imposes a tariff on us, we simply announce that we will give a Green Card to any worker from that country who gets here and holds a job for two years, provided they sign away any right to welfare. We'll stop doing that when you eliminate the tariff on our goods.

Opium wars in reverse...


I sent an email to all subscribers about the virus, and a surprising number had the thing on home systems although not on professional. Which says a lot...

 


Friday, September 15, 2000

Dinner last night with colleagues and new writers at the Writers of the Future dinner. Good to see old friends, and I always enjoy pontificating to new writers...

Big formal awards thing tonight. Writers of the Future does a pretty good job of encouraging new writers and teaching them some of the basics with instructors like Tim Powers and Algis Budrys.  Writing is a tough game, and there is something to be said for the notion that if you can be discouraged from taking up scribbling for a living you ought to be, but there's also something to be said for teaching basics of craftsmanship to those who have been bitten with the fatal bug.

Most regulars here have seen:

How to get my job: the secret of becoming a professional writer.

But if not, that's where to find it.

 


Saturday, September 16, 2000

I see I am not the only one upset by the Wen Ho Lee affair. Nor have we heard the last of this.

http://x53.deja.com/[ST_rn=ps]/getdoc.xp?AN=669715980.1&CONTEXT=969102250.1301086225&hitnum=1

I doubt, incidentally, that this was racial in nature. I don't think the Keystone Gestapo cared. They wanted someone, and anyone would do, and Dr. Lee was both willing to cooperate in his own demise, and trusting of the authorities. If Lee had hired a lawyer the day the FBI talked to him he would never have spent a day in jail. What a lesson to learn.

Like the writer of the above, I assumed the FBI had SOME evidence: something indicating that Lee had made contact with a foreign government, or was "looking for an overseas job and building a resume" as another government-initiated rumor had it for a while when it finally dawned on the Keystone Gestapo that Taiwanese are not likely to help the People's Republic of China -- not a lot more likely than someone named Cohen would be spying for Saddam Hussein.  But one does not expect elementary competence any longer.

From the New York Times summary:

Mr. Messemer had said, for example, that Dr. Lee lied to a colleague to gain access to a computer, then recanted. He had also said that Dr. Lee had sent letters to a number of foreign scientific institutes seeking a job, suggesting that Dr. Lee may have downloaded all the secrets in an effort to enhance his job prospects. But Mr. Messemer recanted again, saying that the F.B.I. had no knowledge any such letters had ever been sent.

Odd: Napoleon said that one should never ascribe to malice that which is adequately explained by incompetence.  He didn't tell us what to think of incompetent malice.

But we had a good time last night at the Writers of the Future awards.

p9160658.jpg (157840 bytes)

That's me with Col. Doug Beeson, Ph.D. who commands the AF Labs in New Mexico, and Dr. Yoji Kondo, a NASA senior scientist. 

p9160673.jpg (146327 bytes)

Algis Budrys usually known as AJ, the Coordinating Judge of the WOTF contest.  Just beyond Kelly Freas is Dr. Laura Brodian Freas.

 

p9160681.jpg (151552 bytes)

Fred and Betty Pohl. Fred had just won the Lifetime Achievement Award from Writers of the Future. Behind him are Roberta looking spectacular as usual, flanked by Colonel Beeson and Marilyn Niven. That's Frank Kelly Freas to Fred's right.

So a good time was had by all...


Sunday, September 18

I took the day off. If you must know, I played about with Everquest, a remarkably efficient way to waste time.

I have an interesting story about the Writers of the Future contest, but I'll save it for tomorrow's edition.  And as always there's a new installment of my column up at every Monday morning.

 

 
