Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Anonymity, Internet, Privacy, Things that are bad

Some VPN services should be avoided

Leave a comment

People use VPNs (Virtual Private Networks) for lots of reasons, both legitimate and… less so. They are commonly required for remote access to workplace computers by employees. They are used by people who do their banking from public WiFi networks. They are used by people who can’t afford to pay for dozens of streaming and cable services and instead rely on still-considered-illegal downloads of copyrighted media. And some people use VPNs to get around ridiculous regional limitations on access to streaming media.

I myself fit into at least two of those general categories of VPN users. I won’t say which.

Because people want (and rightly feel they deserve) access to their culture, and because Big Media is willing to go after absolutely anyone who dares to defy their stranglehold on culture, savvy media consumers rely on VPNs to avoid costly (and absurd) lawsuits.

But sadly, some VPN services exist only to fleece gullible consumers. There are numerous ways in which a VPN provider can cause problems for its customers:

  • Faulty service can leave the customer’s activity exposed.
  • Logging customer activity, and being willing to provide those logs to Big Media’s law enforcement lackeys, essentially renders a VPN service pointless.
  • Requiring installation of software that is then used by the VPN provider to route other customer traffic through the customer’s computer is just a horrible idea.
  • Selling customer information to anyone who wants it.
  • Poor security can lead to customer data being exposed.

Recently, a group of VPN providers, all owned and operated by one company in Hong Kong, was discovered to be doing many of the problematic things listed above. Needless to say, all of these VPN providers should be avoided:

  • UFO VPN
  • FAST VPN
  • FREE VPN
  • SUPER VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

In general, VPN services should be carefully researched before using them. There are numerous VPN rating sites on the web, but many of them are maintained by the VPN providers themselves, and not to be trusted. TorrentFreak’s “Which VPN Providers Really Take Privacy Seriously” series is both trustworthy and comprehensive, and focuses on investigating the privacy claims of VPN providers.

There’s also a growing chorus of voices encouraging people to reconsider their reliance on VPN services for privacy, arguing that the way most of these services work provides little actual privacy for their customers. Techdirt has more along those lines.

There’s more on the welivesecurity site.

Brian Krebs recently investigated the extremely shady proxy service provider Microleaves (currently being rebranded as ‘Shifter.io’). This service uses a huge network of computers runing their software, often installed without the knowledge of their owners.

Microsoft, Patches and updates, Security

Microsoft still has trouble remembering not all users are the same

Leave a comment

Until June 30, Microsoft had planned to disable Visual Basic for Applications (VBA) scripts in Office applications. VBA is the programming language built into all Office applications.

The change rolled out to beta testers in June. Whereupon Microsoft was apparently deluged with feedback from businesses whose many custom scripts suddenly stopped working.

Microsoft’s about-face was abrupt: on June 30, Microsoft announced that the change would not be rolled out to the general public in June as planned.

Previously, Office applications only popped up warnings about running potentially non-secure scripts, and allowed the user to run them anyway. That override was removed in the version that was being tested.

Incidentally, that earlier change was generally viewed as a good thing by security folks, because it’s well known that malicious scripts in Office documents are an effective vector for malware, phishing, and other nasty stuff.

But business and education users often use extensive custom VBS scripts to manage their work, and suddenly disabling all those scripts was going to be a huge problem for those people.

Once again, Microsoft seems to have completely forgotten that a lot of people use Office applications for their work; that those scripts are often poorly maintained; and that while it may make sense to force ordinary users to stop using VBA, the effect on business users would be much more dramatic.

Microsoft says that they are reveiwing the situation. How about giving these changes some thought before foisting them on us?

The Verge has more.

Update 2022Jul29: Microsoft is once again rolling out this change, with some tweaks to the wording of associated warnings, and a few critical tweaks that make it easier to work around for system administrators.

Internet crime, Spam and scams, Things that are bad

Fake malware warning scams

Leave a comment
A recent example of a full-screen browser window that appears to be a serious malware alert.

Web sites that make their money from advertising usually subscribe to one or more advertising providers, such as Google Adsense. There are many others, including some that push ads that are really just scams.

One popular type of scam ad takes the form of a malware warning, presented to the unsuspecting user in a full-screen web page that seems to lock out the user completely. The example above (provided recently by a client) appears to be from Microsoft, generated by Windows anti-malware software, and it includes what is supposedly a Microsoft phone number.

In reality, this is just a web page, generated by Javascript from an advertisement on a shady web site. The full screen effect is produced by your web browser’s built-in full-screen view feature, triggered by the ad. These messages are not reporting the presence of malware; they are intended to scare you into calling a phone number. Messages of this type are categorized as ‘scareware‘.

A Google search for the phone number in the example above shows that it’s definitely associated with support scams.

These fake alerts vary in appearance and quality. Some are more convincing than others. Many are based on real malware warnings. You can see other examples by searching Google Images for ‘fake malware warning’.

It’s important to understand that legitimate anti-malware software won’t ‘lock’ your computer when it detects malware, and it won’t insist that you call a phone number.

If you see one of these scary-looking screens, don’t panic. Obviously, don’t call the phone number shown on the screen. Nothing good will come from that. Try pressing the F11 key on your keyboard. This is the near-universal key that toggles full screen view in web browsers. If it is just a web page, pressing F11 will reveal your web browser’s user interface, and you should regain your bearings immediately. Close the tab, and/or close the browser.

Also, please reconsider visting any web site that’s operated by people who care so little for visitors that they are willing to inflict this kind of dangerous garbage on them, albeit indirectly.

More useful information about this from the Safety Detectives site.

Microsoft, Windows, Windows 11

Den Delimarsky: Windows Needs a Change in Priorities

Leave a comment

In a recent post on his blog, Den Delimarsky explains why he’s disappointed with the direction Microsoft is going with Windows.

Anyone who reads my own posts about Windows will notice that we complain about the same things. Inconsistent user interface elements, disappearing functionality, changes that nobody wants, advertising, and privacy issues all plague Windows 11, just as they do with Windows 10. But with each new Windows release, the problems are only getting worse.

It’s a good read, and I recommend it to anyone who is considering upgrading to Windows 11. It may also be helpful for people who are stuck using Windows 11, in business and education environments. If you’re using Windows 11 and are only vaguely aware that something is rotten in Denmark, this article may clarify things for you.

Things that are bad, Tools

Cisco Immunet anti-malware software

Leave a comment

In brief: stay away from this software.

I’m always interested in evaluating anti-malware/antivirus software, especially when it claims to be ‘lightweight’. All too often, anti-malware software that’s configured to run in the background has a very noticeable effect on performance.

So I installed Cisco’s Immunet on my main Windows computer. About ten minutes later, I removed it.

The user interface is horrible, seeming more like a first-time coder might have produced it, rather than an organization with the resources of Cisco.

I was very careful to configure Immunet before I ran any scans. In particular, I configured it to ask me before quarantining any files. Imagine my surprise when on its initial scan, it went ahead and quarantined three executables, none of which were actually malware.

Of the three quarantined files, I was able to use Immunet to restore one. The others were irretrievable, and I had to reinstall the associated software. For one of them, I lost its settings as well.

Normally I would persist with an evaluation like this, to give it a thorough test. But really, having suffered this much in such a short space of time, why bother?

This is crappy software. Avoid at all costs.

Microsoft, Patches and updates, Things that are bad, Windows

Microsoft updates still breaking things

Leave a comment

Is it just me, or is Microsoft actually getting worse at this? It seems that every month there are more horror stories about problems caused by MS software updates. Given that Microsoft is still pushing hard for all Windows updates to happen automatically, this is very troubling.

In the latest instance, updates pushed out for January’s Patch Tuesday caused some Windows servers to reboot continuously. For server admins, this is a nightmare scenario.

One could argue that since the problem only affected a specific subset of Windows servers, this was less serious than something that affects all Windows 10 users. But affected servers were potentially used by hundreds or even thousands of people, which amplifies the scope of the problem.

Microsoft’s approach to testing changed with the release of Windows 10, and they now rely on reports from regular users who have opted in to pre-release versions of Windows. It’s clear that this kind of testing is much less useful than proper, methodical testing. Whether Microsoft will eventually go back to proper testing remains unclear. Meanwhile, we all suffer. And wonder whether the next Patch Tuesday is going to be a day of disaster.

Ars Technica and The Verge have more.

*nix, Hacking, Internet, Internet crime, Security

Blocking IP ranges at the router

Leave a comment

I’m sure that Russia is a wonderful place, and I’m sure that the vast majority of people there are lovely, and have no interest in harming anyone.

Sadly, from the perspective of a server operator, it sometimes feels that nothing good ever comes from Russia.

Being the diligent server operator that I (hopefully) am, I monitor things pretty closely. That includes network traffic coming from the Internet. Over the years, I’ve noticed that a huge proportion of the probes, DDoS attacks, spam, phishing, and hack attempts against my network come from IP addresses in Russia.

It’s gotten to the point where I am now actively blocking huge swathes of Internet addresses (IPs) that originate in Russia and neighbouring countries like the Ukraine.

Blocking those nasty IPs

I run a Linux web server, as well as several Internet-enabled services, at my home office. All of the communications between my server and the Internet pass through a router, making it the ideal place to block unwanted traffic for my entire network, which includes media computers, development systems, and the Windows computer on which I’m writing this.

I’m using a commercial router, but I’ve replaced the original firmware with Advanced Tomato. Doing this provides many benefits, including making it easier to manage the router’s firewall, IPTABLES. Here’s a typical IPTABLES command to block an IP address from the router’s Linux command line:
iptables -I FORWARD -s 185.219.52.90 -j DROP

The DROP directive tells the router to unceremoniously drop any traffic from the specified IP, without logging this action. Traffic can also be logged when it’s dropped, but excessive logging can cause performance problems and fill up logs with junk, so I just drop this traffic.

I issue commands like the one above at my router’s command line to block the traffic immediately, and then I update the router’s startup firewall script with the same command, so that it persists after the next router restart.

So there’s this one guy

There’s been one particularly persistent attacker in the last year or so. This person wants desperately to gain access to one of my Internet-accessible services, but he’s not particularly intelligent, because he keeps trying the same things over and over, in rapid succession. So much so, that at times the traffic he generates comes within shouting distance of a DDoS attack.

I started paying particular attention to traffic associated with a series of ports that are used by the service, and blocking the IP addresses at the other end of that traffic. Whereupon we embarked upon a long game of whac-a-mole, in which I blocked an IP or IP range, and the attacker moved to another host or VPN provider and resumed his attacks from there. It seems clear that this was all being done by one attacker, based on his quick reactions to my blocking.

This went on for several months, but now he appears to have given up. Or at least he’s moved on to other methods.

In the process of blocking all these IPs and networks, the attacker has also helpfully provided me with a list of VPN providers that should be blocked by, well, everyone. Everyone who doesn’t specifically need to allow them.

IP addresses and ranges I’m blocking

Almost all of these IPs and IP ranges are in Russia and the Ukraine. A few are elsewhere in Asia. Most of the ranges are VPN providers.
103.48.51.116
104.129.18.0/23
104.237.192.0/19
104.237.203.0/24
141.98.10.0/24
173.244.208.60
176.67.85.0/24
185.156.72.0/24
185.156.74.0/24
185.193.88.0/24
185.217.69.157
185.219.52.112
185.219.52.90
185.219.52.91
193.106.191.25
193.106.191.35
193.106.191.41
193.32.164.85
193.93.62.0/24
195.54.160.27
198.8.81.220
216.131.114.0/24
216.131.116.0/23
216.131.68.0/24
216.131.88.0/23
217.138.255.202
31.43.185.29
31.43.185.9
37.120.218.0/24
45.134.26.0/24
45.143.203.121
45.145.64.0/23
45.145.65.11
45.146.164.0/23
45.146.166.0/23
45.155.204.0/24
45.155.205.0/24
45.227.253.0/24
45.9.20.0/24
5.188.206.230
71.19.251.0/24
76.180.16.74
77.243.191.120
77.83.36.0/24
78.128.112.18
82.145.32.0/19
84.17.41.141
84.17.41.151
87.251.75.0/24
89.187.182.87
89.187.183.76
91.191.209.110
92.204.240.75
92.255.85.0/24
94.232.40.0/21
98.175.213.148

Here are a few other ranges I’m blocking for various reasons:

  • Hungarian ISP MAGYAR-TELEKOM-MAIN-AS IP range (unceasing garbage): 94.27.128.0/17
  • MediaLand BPH IP range (generally just horrible): 45.141.84.0/24
  • EE-GIGAHOSTINGSERVICES (constant email relay attempts): 176.111.173.0/24
Edge, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for December 2021

Leave a comment

Time for another thrilling game of I Hope These Critical Security Updates Don’t Break Anything On My Computer with your permanent host, Microsoft.

This month’s edition includes approximately thirty-seven updates, with fixes for eighty-eight vulnerabilities, in Office, Defender, Edge, SharePoint, Visual Studio, Visual Studio Code, and Windows.

The challenge of counting the number of updates and vulnerabilities each month isn’t getting any easier, as some Microsoft applications (especially Edge) now update themselves outside of the monthly cycle. The source of both information and confusion about Microsoft updates is the Security Update Guide.

Microsoft isn’t showing any signs of giving up their ultimate power over your PC, and will continue to install updates pretty much at their whim, for the foreseeable future. Those of us still running Windows versions that are unsupported (7, XP), and soon-to-be-unsupported (8.x) are starting to seem like the last holdouts in a battle that’s already lost. The battle for control over our own computers.

Or maybe that’s just hyperbole.

Regardless of the status of automatic updates on your version of Windows, at this time of the month it’s a good idea to head over to the Windows Control Panel (or Settings), find Windows Update, and check for new updates.

Edge, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2021

Leave a comment

To paraphrase butcher Oscar Wilde: the only thing worse than having to install security updates every month is having no security updates at all. If you’re not getting a steady supply of security updates, your software is probably no longer being developed or supported. If you’re just choosing not to install the available updates, you’re asking for trouble. Either is bad, but at least you can do something about the latter.

It’s my duty to inform you that — at least by my count — Microsoft has made available this day approximately twenty-nine updates for Windows, Office, Edge, Visual Studio, Exchange Server, SharePoint, Visual Studio Code, and Windows Server. A total of fifty-five vulnerabilities are fixed by the updates.

The source of this information is Microsoft’s Security Update Guide (SUG). It’s a sluggish and weirdly complicated system to navigate, but does seem to contain the necessary information.

As usual, this month’s collection includes updates for Windows 7, but those updates remain tantalizingly out of reach for most Windows 7 users, because obtaining them involves entering into a special agreement with Microsoft that’s way too expensive for regular folks.

Windows 10 systems get the updates automatically, and Windows 8.1 users — if automatic updates are disabled — should navigate to the Windows Control Panel and Windows Update to install them.

Java, Patches and updates, Security

Java 8 update 311

Leave a comment

Oracle just released its quarterly Critical Patch Update Advisory for October 2021.

As usual, there’s a section in the advisory for Java. The details show that previous versions of Java, including Java 8 Update 301, have fifteen known security vulnerabilities.

Java: What is it and why do I need it?

There’s a new version of Java that addresses the vulnerabilities in version 8u301: Java 8 Update 311.

If Java is installed on your computer, it’s a good idea to keep it up to date. If you’re not sure whether Java is installed, go to the Windows Control Panel and look for a Java entry. If it’s not there, great! You don’t use (or apparently need) Java.

Otherwise, click the Java Control Panel entry and go to the Update tab. Click the Update Now button to start the update process.