Tuesday, 24 February 2009

Jack Straw, Facebook and his Hotmail account...

Yes Jack Straw (that Jack Straw) is on Facebook, liberal trendy that he is (what do you mean, he's just the oldest swinger in town?).

It's no surprise really since Jack Straw was so clued up on WMD in Iraq that he was similarly confident about combining his Facebook account with a Hotmail one. Jack should have remembered how Facebook trawled his address book as soon as he signed up, without so much as a by-your-leave. And now some Nigerian scammers have done the same.

I suspect that Jack has been relying on his beautiful colleague Harriet for computing security tips. Yes, that Harriet, the one who thought that username 'Harriet' and password 'Harman' would keep her blog safe from the unsolicited ministrations of her Parliamentary colleagues.

Sadly Hotmail is simply long past its best and hopelessly open to hackers; best to avoid.

Friday, 20 February 2009

Running Windows in 'Safe' mode

Windows offers users the option of running in 'safe mode'. With this, only the barest of essential components of the OS start running on boot up. You would never want to use this for normal computing (the very basic graphics would deter you for starters) but safe mode does have its uses. For example, if you install software on your computer that causes your computer to crash every time you boot up, you can start in safe mode and then uninstall the software in question (or use your system restore function to achieve the same result). It also means that you can delete files that otherwise won't let you, a problem that often catches people out otherwise.

So here are some instructions on how you can start your computer in safe mode. Screenshots were not possible so I've taken photographs. Be warned! The quality of these is not good - I could only handhold my camera and I couldn't use flash because of reflection off the screen. The black & white screens needed a very long exposure and are quite blurred as a result. Nevertheless, I think that they'll be visible enough to be helpful.

To access the Windows boot menu, you have to press the F8 key just before your computer reaches the Windows 'splash' screen (that's when the flag starts displaying). So firstly you need to determine how exactly you use the F8 key. That may sound stupid as it is entirely straightforward on a basic keyboard, but some are more sophisticated and offer dual function keys, where the F is not the default. Here is a photo of the keyboard I use:



On the left-hand side of the picture I have ringed the F8 key, which by default acts as a 'Fwd' key for email. To make the keys function as F keys, I have to have pressed the 'F Lock' key (ringed at the right of the picture). This works the same as the 'Caps Lock' key, and once again there is a light to show its status. So check your keyboard.

Now you boot your computer. As soon as the computer has started, press your 'F Lock' key or equivalent if you need to, check that the light shows it as being in 'F' status, and now start pressing the F8 key repeatedly until the following screen appears:



Towards the bottom of that list, you will see 'Start Windows normally' highlighted. Use your up and down arrow keys (well, the up one) to navigate to 'Safe Mode' which is right at the top of the list.

Now press enter and you get taken to a second screen (sorry about the photo):



This simply asks you to confirm your operating system (Mine is Microsoft Windows XP Professional). Your Windows OS will be highlighted by default so you simply press enter again. Be aware that you may get taken to this screen ahead of the earlier one. If that happens, simply press F8 again to go back to the first screen.

Now your computer will start booting into Windows. This lacks nearly all graphics, and can take longer than a normal boot, but eventually you get to the login screen:



Note the unusually large graphics, and also that you can only log in to the (normally hidden) Administrator Account or your earliest user account that enjoys administrative privileges (here it's the account 'Admin').

Now you're in; once again there are very large basic graphics - this picture shows the full screen width:



From this point you can use your computer normally to do whatever you had gone into safe mode for in the first place. Switching your computer off when you've finished is the same as normal, although the PC will not turn itself off after shutting down; you will have to do this manually.

Thursday, 29 January 2009

Platte and privacy: user accounts and the winlogon.exe file

Why does the pm_proc1 executable continually try to access the Winlogon.exe file while it is running? I can think of no legitimate reason why it should do so; perhaps you could enlighten me.

Our software does not attempt to access Winlogon.exe.


Why did I ask Platte that question? I hope you'll bear with me while I give a little background since that will help in following this discussion. Although my computer expertise is somewhat limited, I do enjoy playing with them, and my 10 year old PC has been tinkered with primarily so that I can run a choice of operating systems. As a result it contains a stack of hard drives most of which are also partitioned. My original 13GB drive is still my 'C' Drive though, even if it is distinctly temperamental these days. Having more than one hard drive offers other advantages beyond easily being able to install a new OS if the fancy takes me. I'm able to store my personal files on a different drive to the one used by the OS which means they don't go down if my OS gets corrupted. Most importantly, it means that I can back up files (or entire disks) from one drive to another. If a hard drive were to fail completely, I can entirely restore its content onto a replacement (that's saved my life on a couple of occasions). That's the reason I'm able to switch between running Windows with Platte installed and running it without. I run Windows XP Pro (my main OS) on my C drive, which also has most of the other software I run, but it does not have personal files for any of the User Accounts; my own 'Stephen's Documents' for example is two hard disks further down on my 'G' drive.

When I installed the Platte software, I created a new User Account specifically for the purpose. That account, including its personal files is entirely on the 'C' drive, as is the Platte software. Since Windows, the Platte files and all the necessary user account files are on the 'C' drive, it should not be necessary for the Platte software to access any of my other disks.

Among the diagnostic utilities I enjoy playing with are several from the wonderful Sysinternals website (linked on my sidebar); it's such a useful site I'll put up a separate post about it in due course. Their 'Process Monitor' utility is probably definitive in that it displays a list of every action taken by the processor in real time; it quickly becomes a staggeringly long list.

I was running Process Monitor one day for some other reason (but when Platte was on my PC) and I noticed that Platte's main executable file, the pm_proc1.exe, was referencing the winlogon.exe file found in the System32 folder at regular intervals (approximately 1 minute apart). So what is the winlogon.exe file? It's part of Windows, and it's an extremely important one; it is Windows' own security system. It stores the user passwords and is the file that controls the permissions; that means that it determines which user is able to access which files or programs, and which programs are themselves able to access other files. Essentially, it's the file that is able to grant 'access all areas' passes or not as appropriate; 'Guest' users get 'upper balcony, rear' and no more.

Since I didn't really understand why the Platte software should wish to access the file, I asked Platte about this when I sent them a list of queries recently. As you will have seen at the top of this post, their answer was unequivocal; their software "does not attempt to access Winlogon.exe".

Well, here's a screenshot, taken from a process log generated by Process Monitor. Look at sequence number 354571:




I have to admit that the process logs tend to be pretty much at the limit of my computing knowledge and sometimes slightly beyond it. More often than not I can follow a process through easily but not always. But even with my limited ability in this area it does look as though pm_proc1 is indeed accessing in some way the winlogon.exe file. I don't know why it should do so but it may well have a link with the following -

At present I have set my PC to start Process Monitor running each time I log in. I have put a filter on the logs, so that they only show activity by the Platte software (this is an awful lot easier than trawling through a list that may consist of upward of a million actions, believe me). The following screenshots were taken a couple of evenings ago; all the accounts had already displayed billing reminders earlier in the day.

First I opened the account that I had installed Platte in. There is minimal activity (there would be more if a bill were to be displaying, but even then that is easy enough to follow):



Only 6 actions, two clusters of 3, and nothing to be concerned about. I had allowed the log to cover a full 10 minutes since I logged in, and those 6 actions are drawn from a total of 702,099 processor actions (displayed in the bottom left-hand corner of the window).

Next I re-ran the Process Monitor software, and went across and opened my own account. Much more activity; when I returned this is what I saw:



pm_proc1.exe appears to be checking out all my disks, C, F, G, H, I and J (look at the top half of the log). A couple of seconds later (that's a long time in computing terms) it's carrying out another check:



Then it moves on with Registry activity before checking out each partition individually:



And again:



Now we find it looking at the winlogon.exe (starting with sequence number 283927):



Now though, we come to the bit that concerns me. The Platte software shows an interest in my personal Documents folder (sequence number 611057 at the top, then 611067):



Now that I certainly don't understand. Why on earth should the Platte software want to show any sort of interest whatever in my Documents folder? Is that why it's referencing the winlogon.exe file?

I have to admit that I don't entirely follow what Platte is attempting to do here. But I do know that the other software I run on my computer hasn't shown any similar unexplained search round my computer, nor interest in my Documents folder. So why should the Platte?

It seems to me that Platte have some serious explaining to do if those who choose to install their software are to feel entirely safe in doing so. Hopefully they will read this and come up with an explanation.
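A way to triage a filtered Process Monitor log like the ones described above, as an added example (not the author's own tooling): it reads a CSV export, keeps one process's file events, and reports accesses to winlogon.exe, to Documents folders and to drives other than the system drive, with the gap in seconds between repeats. The sample rows, the three categories and the function names are constructed for illustration; the column names are Process Monitor's default CSV headers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the header is Process Monitor's default CSV export.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000 PM","pm_proc1.exe","1234","QueryOpen","C:\WINDOWS\system32\winlogon.exe","SUCCESS",""
"9:01:03.0000000 PM","pm_proc1.exe","1234","CreateFile","F:\","SUCCESS",""
"9:01:03.2000000 PM","pm_proc1.exe","1234","CreateFile","G:\","SUCCESS",""
"9:01:04.0000000 PM","explorer.exe","888","CreateFile","G:\Stephen's Documents","SUCCESS",""
"9:01:30.0000000 PM","pm_proc1.exe","1234","QueryDirectory","G:\Stephen's Documents","SUCCESS",""
"9:02:02.3000000 PM","pm_proc1.exe","1234","QueryOpen","C:\WINDOWS\system32\winlogon.exe","SUCCESS",""
"9:02:05.0000000 PM","pm_proc1.exe","1234","ReadFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS",""
'''

def seconds(time_of_day):
    """Convert a value such as '9:01:02.1000000 PM' to seconds since midnight."""
    clock, ampm = time_of_day.split()
    h, m, s = clock.split(":")
    return (int(h) % 12 + (12 if ampm.upper() == "PM" else 0)) * 3600 + int(m) * 60 + float(s)

def classify(path, home_drive="C:"):
    """Label a file path the way the post reads the log; None means unremarkable."""
    if path[1:2] != ":":                      # registry keys and other non-file paths
        return None
    parts = path.lower().rstrip("\\").split("\\")
    if parts[-1] == "winlogon.exe":
        return "winlogon"
    if any(p.endswith("documents") for p in parts):  # "My Documents", "Stephen's Documents"
        return "documents"
    return None if parts[0] == home_drive.lower() else "other_drive"

def review(csv_text, process="pm_proc1.exe"):
    """Per category: event count, distinct paths, and gaps (seconds) between events."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row["Path"])
        if label and row["Process Name"].lower() == process.lower():
            hits[label].append((seconds(row["Time of Day"]), row["Path"]))
    report = {}
    for label, events in hits.items():
        times = sorted(t for t, _ in events)
        report[label] = {"count": len(events), "paths": sorted({p for _, p in events}),
                         "gaps": [round(b - a, 1) for a, b in zip(times, times[1:])]}
    return report

if __name__ == "__main__":
    print(review(SAMPLE))
```

A steady gap in the `winlogon` category (about 60 seconds in the constructed rows) is the kind of regular interval the post describes, and the `other_drive` and `documents` entries list exactly which paths to raise with the vendor.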

(31st January): I have now taken a different route into my accounts and got slightly different results. I started this time by going into the account I administer my computer from and got a third sequence (I've adjusted column widths to help with reading all the full paths):



This time the route to the documents folder is significantly quicker (sequence number 199600) and no referencing of the different drives precedes it - there's predominantly registry activity. The Admin Documents folder is three disks down from the C drive. When I subsequently went into the account where Platte had been installed, there was merely the six lines of processing that turned up four days ago. So why does the Platte account not attract the same level of activity from the Platte software?




For those with an interest in such matters, the Process Monitor software downloads here.

These remaining screenshots follow on from the original sequence and show the activity when my account displays that repeat bill reminder; I find this entirely straightforward and easy to follow:








Comment on this post (particularly technically informed comment) is welcome. Please make it via my email, indicating any linkback URL you would like included.

Monday, 26 January 2009

Platte and privacy: user accounts and repeating bills

Following on from my previous post, I need to say some more about the frequency of Platte's bills, both adding somewhat to my earlier response to Platte's explanation that when you install the software it installs across all user accounts on the PC (this is because it is the PC owner that is responsible for the account), and also returning to a point I made in my original post on Platte all those months ago, that the software throws up more than one bill a day.

I have taken a series of screenshots this morning to illustrate what actually happens.

At 08.55 I logged into the account where Platte was installed and got this bill:




At 08.58 I logged into the computer's 'Guest' account and this bill displayed:



At 09.01 I logged into my own account, and again I got a bill:




When I returned to the first account (the one I had used to install the Platte software) no further bill displayed. However, when I went back to the 'Guest' account at 09.16 a bill displayed once again:




Logging back into the same account 15 minutes later I got yet another bill:




So it is fairly clear what happens: if you install Platte's software into your account on a PC you will receive one bill a day. However other users of the computer receive bills every time they log in, regardless of how often a day they do so. Actually, it's slightly more complicated than that. The account I installed Platte into is an 'administrator' account, where my own account is a 'power user' account while the guest account is just that. There is another 'administrator' account on the computer and when I went into that I got no bill. So what actually happens seems to be this: The computer administrator receives one bill a day, but all other users receive bills every time they log in.

But there's more... there's actually a significant difference between the bill displayed on the account where Platte was installed and all those other multiple repeat bills to the other accounts. The bill sent to the user who installed Platte simply tells them:

Invoice
Thank you for subscribing to a Platte Media Entertainment website. Your Platte Media membership is due for payment

Account Information
Your account is due for payment. To make a payment please select one of the payment options or contact us on 0845 017 8386.


However, the bill sent to the other users of the computer is not so polite:

Important Overdue Notice
Your account is overdue.
Please contact credit control on 0845 017 8389

Account Information
Your computer was recently used to subscribe to a Platte Media website and your account now requires payment

YOUR ACCOUNT HAS BEEN SUSPENDED UNTIL PAYMENT IS MADE

IMPORTANT: Your account is now overdue, failure to settle your account may result in us or our appointed agents taking legal action against you.

Please call our credit control department on 0845 017 8389


So clearly not only is Platte's software able to distinguish between the account that installed the software and those that didn't, but it only serves up threats of legal action on the bills to those that didn't (and are therefore more likely to be frightened by the bills and intimidated into paying). Note also that the two telephone numbers are different. This means that Platte can tell when you phone in whether or not you might have installed their software or are another user. I wonder if you get different responses depending which of the numbers you call?

Platte's contract (or at least the one I agreed to) clearly stated that I would receive only one bill reminder in any 24 hour period. Far more importantly, they have given specific assurances to the OFT that this is the case, although as I have shown, it is patently untrue.

I am inviting Platte to comment on this and will post their response when I receive it.

