Saturday, 16 February 2013

When Computers Lie



It’s been said that as computers simply process data they are incapable of lying, but ever since HAL 9000 started murdering its crew in  2001: A Space Odyssey I’ve never trusted them. Simply put – while they may follow clear rules and be incapable of deviating from a set of instructions, if those instruction are telling them to lie, then lie they will.

Take for example one we see quite often : “Your Computer has 2,120 Viruses on it. Do you want Windows Antivirus 2013 to remove them?”.

Or the infamous “Metropolitan Police: Attention! Illegal activity was revealed! Your operational system is locked as a result of Great Britain law violation!”. I mean – seriously – would the police really use that many exclamation marks?

But malware excepted, our operating systems regularly deceive us in order to improve the ‘user experience’ by concealing information from us. One feature of all PC operating systems since windows XP has been the default behaviour of hiding file extensions from us. The extensions usually take the form of a dot with three letters, so a program would typically be called ‘program.exe’, but all Windows shows us is ‘program’.

This feature has regularly been exploited by malware authors – typically by attaching files that we see as something like ‘report.doc’ when in fact the file is really called ‘report.doc.vbs’, where vbs indicates a script that will run and probably compromise your PC if you try to open it.

Before Mac users get all smug, I’d like to point out that there’s another piece of subterfuge that has been built into operating systems since the days of ARPANET and actually predates the mechanisms of networking and the internet itself. It’s on your Mac. It’s on your PC. It’s probably on your iPad too if only you could access the file system to find it. Welcome to the hosts file.

When you clicked on the link to load this web page a bunch of clever things happened. The link, blogger.com, was converted to a network address that is a 32-bit binary number which for ease of reading we convert into human-readable notation. For blogger.com this is  173.194.78.191. Your computer knows that Blogger.com resides at this network address thanks to the magic of The DomainName System (DNS) which you can think of as a huge distributed telephone directory of every computer or network device on the internet. This is a complex but interesting subject that I’m not going to explain in detail, but click though the links if you want to know more.

In the beginning, though when the earliest computers wanted to communicate by TCP/IP, there was no automated directory. Instead, just as the earliest telephone exchanges were operated manually, so a single file was used to maintain the directory of computers and network addresses. When you imagine that we are talking about tens or dozens of computers then you will see that it made perfect sense to manually create and maintain this system. And the name of that file was ‘hosts’. No file extension.

If you want to look for your hosts file and you use a PC you should find it at C:\Windows\system32\drivers\etc\hosts ;  on a MAC look in private/etc/hosts. I regularly look here if I’m working on an infected computer because it’s a simple and effective way for malware authors to hijack network traffic, so last week it was one of the first places I looked. I double clicked on the hosts file – as it has no file extension I usually have to select notepad to open it, but this time it obligingly opened in notepad without me having to do this. This struck me as very slightly odd, but the penny didn’t drop just then. The hosts file was clean, and I removed the malware without a hitch, expecting this to resolve the browser pop-ups that were irritating the hell out of my client.

I really thought I‘d cracked it and was preparing to leave when suddenly, against all expectations,  a pop-up appeared bottom left of the web page I was testing. I delved a little deeper in to page code, and it seemed as if the problem was being caused by, of all things, the Google Analytics hooks that were embedded in the code of the web page. Could Google themselves have been compromised? Then, thankfully, the penny dropped.

I returned to the hosts file in Windows Explorer, switched on file extensions, and also asked it to show hidden and system files. All was revealed. The hosts file I had looked at had a .txt file extension that had been hidden from me. This is why it had opened in notepad without prompting. Alongside it was the real hosts file; this one was flagged as hidden and marked as a system file, meaning that windows would normally hide it from me. The file was also flagged as read-only and locked down to be as difficult to access as possible, but once I knew what I was dealing with it was a simple case of firing up the  command prompt, changing permissions and attributes to return the file to normal, and in a minute or so it I was able to open it to reveal…. nothing.

Seriously, after all that trouble the hosts file looked to be devoid of any spurious entries. For a full minute I failed to spot the scroll bar on the right. Then the second penny dropped, and I actually laughed. About a thousand lines of blank space below the standard hosts file entries I found half a dozen entries that were telling the PC that the network addresses for Google Analytics, as well some other embedded features were actually a server in China. Honestly.  With a few deft keystrokes these lies were gone, and the problem was solved.

So the moral of the story is that our computers do lie to us. They do so all the time, and it’s usually to make things easier for us as computers are insanely complicated, and the networks they connect to are unimaginably huge. It’s important to remember  this – particularly if you work in our field, because once in a while you need to unravel some of these lies to get to the root of the problems.

If you’re an end user you probably think the hosts file is of absolutely no interest to you. But consider the dilemma of a parent who wants to keep their child away from Facebook, for example. By navigating to C:\Windows\system32\drivers\etc\, opening the hosts file in notepad, and adding the line ‘127.0.0.1  www.facebook.com’, then restarting the PC they can block this page. This works for Macs too, see above for the location of the hosts file. And iIn the unlikely event that their child manages to discover this little trick the parents should immediately contact Computer Angels so that I can offer their child an internship.

No comments:

Post a Comment