Archive for April, 2007

—-

Apr 07, 2007 in My Shout Outs

I keep reading about this ‘tag’ thing on LiveJournal. Although I still have no idea what it means, I am supposed to post 6 weird things about myself. I shall try and see what I can come up with. There were weird incidents, but it seems this is about personality, so here goes:

1. I am an extremist. Contradiction must have been my middle name. I swing both ways, literally. I don’t like to watch movies alone or eat alone (getting used to this though), but I like travelling on buses, going to work and stuff alone. I like to be lost in my world of music, or just have some time to sort out my thoughts. Generally, my own personal private time, during which I find any disturbance an annoyance. But I do not like to roam around outdoors alone without any purpose.

2. I developed a liking for sweet carbonated soft drinks only in BMT. I guess it was such a treat to have a nice cold can of Pepsi after a ‘shiong’ session that it is now seen as something that makes me happier when needed. Sugar rush maybe!

3. My work involves looking at monitors all the time, but when I come home I am either on the comp or watching TV. Screen-staring does not appear to bore me, and everyone seems to wonder how that is so. *shrug*

4. I am attracted to scents, not looks. My sense of smell is greater than my ability to see.

5. I am hairy in some places but bald in others. Try not to go too much into this :P

6. My preference in music is rather selective. I do house, but do not like R&B/Trance/Hip-Hop one bit. That includes the ‘screaming’ I hear on the dreamgirls soundtrack. But I’ll do Freemasons, certain remixes, Antoine Clamaran, Hed Kandi and MOS compilations of different remixes. Did I mention freemasons yet?

—-

Apr 05, 2007 in My Shout Outs

Indeed, the patch for the animated cursor vulnerability has been out since Tuesday, so please patch your systems. If you have automatic download and install enabled, it would have been done by now.

This makes me think of the old saying, “Trust, but verify”. It is somewhat like the analogy of the ATM card and the friend. Will you give your friend your ATM card and PIN? You trust that the person won’t do anything funny, but you still wouldn’t do it. If something goes amiss, the suspicion will fall on that friend, since he/she is the only other person who knows the details. So why go through all that stress? The person could be innocent, but it will take the Yellow River to clean up the misunderstanding and the mess.

In InfoSec, we talk about trust but verify. We trust the source, but checks still need to be done to validate it. That is the whole point.

This brings me to Vista. As seen from the latest vulnerability stated above, even Vista is vulnerable. Why? I think they broke that fundamental trust-but-verify rule. Too much security is based on assumptions: assumptions that what isn’t broken is not vulnerable. And these assumptions are not validated, not until someone decides to break it and everyone goes “oh, here we go”. The idea is, what isn’t broken does not imply it is secure. It is secure today, and right up to the second before it is broken. That is how things are. No one will ever guarantee their product is 100% secure. That is asking for trouble.

So we see code in Vista that was ported over literally, with that flaw. So what happens is, any vulnerability found in the older OS could impact Vista too. The good thing is, Vista has mitigating features built in. For example, while all the other affected OSes are vulnerable to the .ANI exploit, IE7 on Vista isn’t, as long as it is in Protected Mode. This is because anything that attempts to install will have to be explicitly approved by the user. This isn’t so for IE7 on XP or for IE6 and below, which have no Protected Mode. But the thing to note is, there are so many pop-ups here and there asking the user if he wants to continue, and of course we just want to get on our way, so we click OK before knowing what is really happening. So this may ultimately defeat the purpose, right? Right. So Vista also strips the default user of administrator privileges. We are so used to admin privileges. On XP and below, the default user is an administrator. This also means whatever exploit runs, with or without user interaction, will also have admin privileges. Definitely NOT a good idea, so Vista is pretty good in that sense, but don’t expect too much out of it. The most secure OS? Perhaps, but only for so long… and so little.

Moving on, I am soooo glad it is a Friday tomorrow. It is Good Friday! One week away from Friday the 13th hah hah… for those who are superstitious, time to plan your schedule.. :P

I nearly forgot my lil Rach sis is turning 21 this year. If she hadn’t mentioned it I wouldn’t even have realised. Everyone’s all grown up now and no one’s still a kid. So we are all equal!

Yeah right. Till I hit 30 and the whole shit starts again.. *grin*

—-

Apr 03, 2007 in My Shout Outs

I can only imagine how these comedians would have said the jokes out in person. I would probably have ROTFL…. haha

From stand-up comedian Hossan Leong -

Why is The Merlion throwing up all the time?

Because across the river the two durians are very smelly.

Favourite joke of actress Irene Ang -

What did the number zero say to the number eight?

So fat already, why still wear belt?

—-

Apr 02, 2007 in My Shout Outs

Hi all,

My colleagues and I are working on a standby allowance, and if you have one too or are familiar with different models, please share!

There is a requirement to be on standby. Let us set aside the cost needed for activation, just the cost for being on standby after office hours.

My calculation is in terms of hours, while my colleague goes by a fixed amount so the more models we have the more we can propose.

Hours wise, it will be 16 hours per weekday (covering 6pm-9am the next day), and 24 hours weekends and public holidays. I am looking at doubling the rate for weekends, hence for a Saturday for example, it will be 48 hours.

So for 1 week of standby duty, 16*5 + 48 +48 = 176 hours. If we ask for $5 for an hour, one week will be $880.

Is this figure reasonable?

Please do share any models you know of, thanks!

—-

Apr 02, 2007 in My Shout Outs

I walked into the office and was faced with yellow threat alerts from security websites, due to exploit code being released in public. This means everyone can get the code and use it to compromise systems while Microsoft is still working on a patch. So the scale of attacks can be quite massive.

This threat exploits a vulnerability in animated cursors on Windows systems. For those of you who got a Mac based on my recommendation, good for you. But don’t be too happy, because they have been actively exploited in the past 2 months. I don’t really talk much about vulnerabilities on the Mac because it doesn’t apply at my workplace, so I don’t keep an eye on it that much. Other than the fact that a couple of months ago, someone posted a vulnerability in the Mac every day for a whole month. So that is quite a lot, and he did it because Mac wasn’t acting on his emails reporting the vulnerabilities. And now he is facing a lawsuit by Mac, last I know. Dumb.

Anyway, back to animated cursors. An animated cursor is that little mouse pointer you see when you move your mouse; some people like their own custom-made cursor, and even the hourglass that turns repeatedly when your system is working on something and asking you to wait is done in .ANI format. Animated cursors are a feature that allows a series of frames, one after another, to appear at the mouse pointer location instead of a single image, thus producing a short loop of animation. The feature is designated by the .ani suffix.

The threat is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons. An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially crafted email message and send it to an affected system. Upon viewing the web page, previewing or reading the message, or opening a specially crafted email attachment, the attacker could cause the affected system to execute code.

While animated cursors are typically associated with the .ani file extension, a successful attack is not constrained by this file type. What I see in the wild is that they are renaming .ani files to .jpeg and other extensions, so blocking .ani is not going to work anymore.
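Here is an added example (my own code, not anything from the original post) of the two checks the paragraph above argues for: identify an animated cursor by its content, so a .ani renamed to .jpeg is still caught, and validate the format before anything renders it. The one place the ANI container hands a renderer a size to trust is the ‘anih’ header chunk, which must carry exactly one 36-byte ANIHEADER (nine 32-bit fields, the first being its own size) no matter what the chunk’s length field claims. The checker goes a little beyond the post in that it also rejects chunks whose declared length overruns the file and flags duplicate headers. The sample files, the helper names and the classify labels are all constructed here for the demonstration; only the RIFF/ACON chunk layout is the real public format.

```python
"""Content-based detection and structural validation of Windows animated cursors.

Added example; the sample blobs below are constructed in this file, not taken from
any real malware. Layout of a real ANI file (RIFF container, form type 'ACON'):

    'RIFF' <u32 len> 'ACON'
        'anih' <u32 36> <ANIHEADER: cbSize, cFrames, cSteps, cx, cy,
                                    cBitCount, cPlanes, JifRate, flags>
        'LIST' <u32 len> 'fram' ('icon' <u32 len> <icon/cursor bytes>)...
        optional 'rate' / 'seq ' chunks

Every chunk is padded to an even length. A consumer that copies the anih payload
into a fixed 36-byte structure using the chunk's own length field is the
"insufficient format validation" the post talks about; here the size is checked
before the payload is used at all.
"""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def riff_chunk(fourcc, payload):
    """Encode one RIFF chunk: fourcc, little-endian length, payload, pad to even."""
    pad = b'\x00' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def build_ani(anih_payload, extra_chunks=()):
    """Assemble a RIFF/ACON container (sample builder for the demonstration)."""
    body = b'ACON' + riff_chunk(b'anih', anih_payload)
    for fourcc, payload in extra_chunks:
        body += riff_chunk(fourcc, payload)
    return b'RIFF' + struct.pack('<I', len(body)) + body


def is_ani(data):
    """True if the bytes are a RIFF/ACON container, whatever the filename says."""
    return len(data) >= 12 and data[:4] == b'RIFF' and data[8:12] == b'ACON'


def iter_chunks(data, offset, end):
    """Yield (fourcc, payload) for the chunks in data[offset:end].

    A chunk whose declared length runs past the container is rejected instead of
    being read through (or beyond) the buffer.
    """
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from('<I', data, offset + 4)
        start = offset + 8
        if size > end - start:
            raise ValueError('chunk %s declares %d bytes but only %d remain'
                             % (fourcc.decode('latin-1'), size, end - start))
        yield fourcc, data[start:start + size]
        offset = start + size + (size & 1)  # skip the pad byte of odd chunks


def check_ani(data):
    """Return a list of findings; an empty list means the container is well formed."""
    if not is_ani(data):
        return ['not a RIFF/ACON container']
    findings = []
    (riff_size,) = struct.unpack_from('<I', data, 4)
    if riff_size + 8 > len(data):
        findings.append('RIFF length field exceeds file length')
    end = min(len(data), riff_size + 8)
    anih_count = 0
    try:
        for fourcc, payload in iter_chunks(data, 12, end):
            if fourcc != b'anih':
                continue
            anih_count += 1
            # The header must be exactly 36 bytes, and its cbSize must say so too.
            if len(payload) != ANIHEADER_SIZE:
                findings.append('anih chunk is %d bytes, expected %d'
                                % (len(payload), ANIHEADER_SIZE))
            elif struct.unpack_from('<I', payload, 0)[0] != ANIHEADER_SIZE:
                findings.append('anih cbSize field is not %d' % ANIHEADER_SIZE)
    except ValueError as exc:
        findings.append(str(exc))
    if anih_count == 0:
        findings.append('no anih chunk')
    elif anih_count > 1:
        findings.append('%d anih chunks, expected one' % anih_count)
    return findings


def classify(filename, data):
    """Verdict from content; the extension is consulted only to expose a mismatch."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if not is_ani(data):
        return 'not-ani'
    if check_ani(data):
        return 'ani-malformed'
    return 'ani' if ext == 'ani' else 'ani-disguised'


# Constructed samples (hypothetical data, built here for the demonstration).
GOOD_ANIH = struct.pack('<9I', ANIHEADER_SIZE, 1, 1, 32, 32, 0, 0, 6, 1)
FRAME_LIST = b'fram' + riff_chunk(b'icon', b'\x00' * 22)
GOOD_ANI = build_ani(GOOD_ANIH, [(b'LIST', FRAME_LIST)])
OVERSIZED_ANI = build_ani(GOOD_ANIH + b'A' * 200)        # anih claims 236 bytes
DUPLICATE_ANI = build_ani(GOOD_ANIH, [(b'anih', GOOD_ANIH)])
TRUNCATED_ANI = build_ani(GOOD_ANIH)[:-10]               # chunk overruns the file
JPEG_LIKE = b'\xff\xd8\xff\xe0' + b'\x00' * 20             # a real JPEG header

if __name__ == '__main__':
    for name, blob in [('cursor.ani', GOOD_ANI), ('photo.jpeg', GOOD_ANI),
                       ('photo.jpeg', OVERSIZED_ANI), ('cursor.ani', DUPLICATE_ANI),
                       ('cut.ani', TRUNCATED_ANI), ('real.jpeg', JPEG_LIKE)]:
        print('%-12s %-14s %s' % (name, classify(name, blob), check_ani(blob)))
```

The point of `classify` is that the extension never decides anything: the same bytes served as photo.jpeg come back as ‘ani-disguised’, while a genuine JPEG is ‘not-ani’ whatever it is called. On a mail or proxy gateway this is the check that survives the renaming trick described above.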

I have a list of websites that are known to be exploiting this code but I won’t put them out here.

Tips:

- Do not access unknown websites for now. In particular, websites that look like the real thing, eg microfsot.com.
- Remember what I said a long time ago? Do not click on links in emails. For the above exploit, this is yet another way it is being spread.
- Keep all your AV signatures and patches up to date as far as possible. This is probably the one and only thing that will protect you as a home user. No one knows which website is next, or whether they will come up with a new way to exploit it.
- Reading email in plain text does NOT work, as Outlook/OE will still parse the ANI (or whatever file extension it has been renamed to) and hit the exploit.
- Last known, Firefox 2.0 is not vulnerable, and neither are XP SP0 and SP1. But don’t count on it.

The exploit works on :
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista

While NT and below are not listed as they are no longer supported, do not assume they are not vulnerable.

It has been reported that users of Internet Explorer 7 with Protected Mode are protected from active exploitation.

Here is what happens:

- You click on an email link/surf onto the ‘wrong’ website.
- The .ani exploit is done silently, ie you won’t even know.
- It attempts to download an executable, WINCF.EXE

For some, you get infected with a trojan, as detected by AV software. For others, dropping the malicious .ANI file causes a DoS or a reboot (crash-restart) loop, i.e. a system crash; but this won’t happen to most, as the attack will usually come via a web browser.

—-

Apr 01, 2007 in My Shout Outs

Goodness, what a tiring week it has been, though it ended all good with Ceddy’s bday gathering. I don’t remember going to a friend’s place (aside from Colin’s) as much as I have been to Ceddy’s.

Photoshop class was fun, but being exhausted I drew no inspiration to create anything really. Anyone heard of Casey? I can’t remember his surname, but he does have a URL and all. I will put it up sometime. Too lazy to do it now… haha

The MRT ride from Jurong East to AMK was pretty interesting. You see, my MRT rides are seldom above ground. My usual trips are between Newton and Orchard to Raffles Place, where I work. So things are never above ground. The ride somewhat reminds me of the BTS in Bangkok. Same type of crowd, same number, just as noisy. The working crowd is usually packed and quiet. Everyone keeps to themselves, lost in their own world. I too join them in the ‘train of thoughts’.

During the BBQ, I felt my body slowly falling apart. I could hear something moving in my left ear, my left eye was itchy and I was rubbing it red, and as the night grew on I began to sneeze and sneeze. Stayed away from alcohol, for I knew it would take just a minute amount to knock me out, in a very bad way. Was quite surprised to meet Lewis. I knew him online for a very long time but never really spoke to him. Just on and off.. the last time I spoke to him was to see if he had my BMT buddy’s number. Odds had it that my buddy was his roommate in OCS. But I do perceive him as a nice chap, and probably intimidated by our nonsense hahaa.. and yeah, the prince is seldom friendly ‘when his body is falling apart’, but I think things are alright. I had a tummy load of chicken wings (I love them at BBQs, although they are one of the hardest to do right) and corn. Yum. Unfortunately (or fortunately?) when my dear, Ceddy and Lewis were up doing the BBQing, one of the pits exploded. We had put it on a tiled counter and I guess the heat made it expand so much it exploded. It was quite scary, but no one got hurt, which was the most important thing. As Gerald put it, sparks flew (double meaning). Gerald and Jia Yan were sent out to get a birthday cake when I remembered I had forgotten to ask Ced if he had one, and when we realised he didn’t, we had to get one. I knew Ceddy knew the 2 of them got sent out to get the cake, but what the heck, better one than none at all. I personally don’t like blowing out birthday cakes, especially if it is my own, but I love to see others blow theirs. I wonder why..

The only one missing was Rach, probably. She’s usually the noisiest, so her lack of presence was quite noticeable, to me at least. Half the night went to bitching about customer service while I listened on. I would have had loads of comments to make if I weren’t so weak.

The question I would have asked was, do people working in the service industry make the worst customers? I think I ain’t a bad customer. For one, I have never had the need to call for the store manager to file a complaint. Usually if I know a place has lousy customer service, I just avoid it. I hear of people trying to call the SIA booking hotline and it taking them 3 hours to get the phone answered; I don’t even bother calling. I remember years ago when I was working and a colleague had to make some bookings for the boss: she would dial the number, put it on speakerphone and go about her work till the background music finished and a voice came on to answer the call. That took around 2 hours. Geez. This is NOT good customer service, and if I were a customer there I would be making a LOT of noise. So to save myself and everyone else some sanity, I just avoid them.

I am usually kind to most service providers. If I see that the problem was with the management, then it is not fair to take it out on the human providing the service. It is not his/her fault. But if it is just some bad service and someone giving me a bad attitude of his or her own, then I feel the person deserves to be rebuked. Sorry mate, having a bad day or a quarrel with the wife is NOT a valid reason for giving bad service. If you can’t get over it, then take the day off. The customer is not obliged to understand the shit you got. Your job is to provide assistance to me as a customer, period. Heck, we all know bringing personal problems to work is just being unprofessional. So if you want to be unprofessional, then I will treat you as such. I treat professionals differently. I can understand that a person can be upset and that it affects her quality of work, but I cannot accept that as a reason for poor service. Providing service is his or her primary function. So to give bad service = failed as a worker? I think so. Not everyone can be in the service industry. I can’t. Been there, done that. So if you can’t, don’t be in it.

As for our night out last night, I got a little present from Ceddy too, which he has kept since my last birthday! He gave me a nice red voodoo doll keychain that represents health and protection.. Pretty cute, I must say! And.. I got away without eating any cake. hahahaha!!!

Sorry la… Not I don’t want to. I can’t liao.

But I am much better today after sleeping 13 hours. And my chest is sore from some training I did 3 days ago. 3 days! Muscles feel sore after a good rest due to recovery. It means for the past 3 days my body did not have the ability to recover. Poor body…

And I do realise we have quite a few Cancerians around us. Maybe the July babies should just do a big gathering together.

We have Rach, Keita, Queenin and myself. One on the 8th, 13th (Keita’s?), 19th for me, and 23rd for Queenin. I thought the Cancer sign stopped on Jul 22 all this while… hmm.

So how is that for an idea? A big party before Rach leaves to return to Perth, as she usually does. I’ll bring it up when the time comes again. It is nice to gather around and stuff. And since I knew all these people from Rach’s side of friends, I guess I represent her when she is not around…

I wonder how my mei mei is doing back there. I saw her blog entry and I have zero idea what she is talking about. I must have become outdated since the last time she spoke to me. Indeed, the issue back then was that I didn’t want her disadvantaged, that is all. I don’t really care what happens and what people do. She should know by now I ain’t someone to judge another as if I were the saint and the other is a cheap/whore/slut/dumb [fill in the blanks]. It is just that I don’t like to see people disadvantaged, or being conned into something for that matter. While a lot of things have changed over the years, guys still come out ahead of girls in so many ways. From career all the way to one’s social life. Girls do get away with a lot of things, but with everything else they lose out to the guys. So no one goes messing around with my mei mei and expects to get away with it.

The thing to learn here is, if you want to bully a service provider, make sure he/she is not a Cancerian. If you wanna mess with someone, make sure he/she is not a Cancerian either.

I only realised Keita and Queenin were both Cancerians. There is a lot I could say about that, but I won’t do it here due to privacy.

Almost time to head back to the gym and brace myself for another week. It is gonna be busy from now on. Hope I can grin and bear it!