CDL internet protocol - what is it (used for) ?


R.Wieser

Feb 25, 2016, 7:22:46 AM
Hello all,

While looking at some web protocol names in the registry I found one named
CDL ( CLSID {3dd53d40-7b8b-11D0-b013-00aa0059ce02}). Other than that a
Google search shows it's a military "Common Data Link" protocol, I've not been
able to find anything about it.

Does anyone know what it's used for / why it's on my computer?

Looking at that list again I can see a few others that I have never heard
of. Like "its", "mk", "msdaip", "ms-its" and "wia" (all under
HKEY_CLASSES_ROOT\PROTOCOLS\Handler)

Can I just kill the ones I do not remember having ever used (removing
their CLSIDs from the registry, effectively making them inaccessible), or do
they actually have a purpose on a user's computer?

Regards,
Rudy Wieser



philo

Feb 25, 2016, 9:52:26 AM
If you go that route you are most certainly going to destroy your
operating system.

Should you wish to state the specific problem you are having with your
machine, I'm sure someone here will be able to help you.

R.Wieser

Feb 25, 2016, 10:31:15 AM
philo,

> If you go that route you are most certainly going to
> destroy your operating system.

That is what backups are for. :-)

But ... that is exactly why I'm asking before doing anything. Duh.

> Should you wish to state the specific problem you are having with
> your machine, I'm sure someone here will be able to help you.

My problem is that I see internet-facing stuff on my machine which I have
never even heard about and could be used as an entry point for things I'd
rather not see happen. Stuff which I wish to disable.

Regards,
Rudy Wieser


-- Original message:
philo <ph...@privacy.net> wrote in news message
nan49f$hv6$1...@dont-email.me...

philo

Feb 25, 2016, 1:40:07 PM
On 02/25/2016 09:31 AM, R.Wieser wrote:
> philo,
>
>> If you go that route you are most certainly going to
>> destroy your operating system.
>
> That is what backups are for. :-)
>
> But ... that is exactly why I'm asking before doing anything. Duh.
>
>> Should you wish to state the specific problem you are having with
>> your machine, I'm sure someone here will be able to help you.
>
> My problem is that I see internet-facing stuff on my machine which I have
> never even heard about and could be used as an entry point for things I'd
> rather not see happen. Stuff which I wish to disable.
>
> Regards,
> Rudy Wieser
>
>

If you are concerned with vulnerabilities I'm not sure why you are using
an unsupported operating system.
To use XP you may be better off installing and configuring a firewall
than worrying about one specific registry key.


R.Wieser

Feb 25, 2016, 2:15:27 PM
philo,

> If you are concerned with vulnerabilities I'm not sure why
> you are using an unsupported operating system.

You do not seem to have any intention to help. You're only bitching on
this-and-that. Why the heck, if you think XP is that insecure, do you still
visit this newsgroup? To gloat?

Goodbye.

Regards,
Rudy Wieser



-- Original message:
philo <ph...@privacy.net> wrote in news message
nanhkc$96s$1...@dont-email.me...

VanguardLH

Feb 25, 2016, 4:04:15 PM
R.Wieser wrote on 2016/02/25:

> My problem is that I see internet-facing stuff on my machine which I have
> never even heard about and could be used as an entry point for things I'd
> rather not see happen. Stuff which I wish to disable.

Protocols are definitions pointing to handlers that SOME PROGRAM will
use (when it is loaded hence why the handlers are identified in an
InProcServer key). So start looking at what programs you installed and
what processes are running.

Not all protocols will be listed here. For example, if you install the
Steam client (i.e., you bought a game from them) then it creates the
"steam:" protocol. CCleaner and many other programs will install a
protocol, often of the URL type. Norton AV used to install a protocol
needed to address methods in its library because their UI was written as
an HTA (HTML Application). Those protocols are defined under the class
type definition but under a key identifying the program's (handler's)
descriptive name, not necessarily under the key you mentioned. Do a
search on "URL Protocol" and you will find many programs with a class
definition that defines a handler for that protocol type. When Windows
loads, it scans the registry and finds these protocols defined there to
keep in memory, which is why you may have to reboot Windows to get it to
rescan the registry to obtain newly created protocol definitions. If
you use regedit to change settings, it will refresh the in-memory copy
of the settings. Programs that use the registry API often do not touch
the in-memory copy, just directly modify the registry files that are on
the disk. So there are a lot more protocols than those listed under the
key you mention (which appears to be the standard list provided by
Windows), which is the default set of asynchronous pluggable protocols.

https://msdn.microsoft.com/en-us/library/aa767916%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/aa767743%28v=vs.85%29.aspx

You will NOT determine what program is coded to use a particular
protocol. The registry does not peer back into the machine code of
program files. You might be able to use a registry monitor to see which
processes (loaded programs) are access the inprocserver defined for the
class assigned to a protocol.

If you are worried about unknown or uncontrolled (non-configurable)
outbound connects from your host, why aren't you using a 3rd party
firewall configured for paranoia mode (where YOU have to decide whether
to temporarily or permanently allow the outbound connection from the
identified process)?
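The registry-monitor suggestion above checks who touches a handler at runtime; the other half of an audit is checking where each handler in HKEY_CLASSES_ROOT\PROTOCOLS\Handler actually points. The script below is an added example, not code from this thread or from Microsoft: it resolves each handler's CLSID to its InprocServer32 DLL and flags handlers whose DLL is missing, not validly signed, or outside System32 (which is also how a redirection to a dummy DLL, as the OP describes later, would show up). The function name and output layout are my own.

```powershell
# Audit the asynchronous pluggable protocol handlers registered under
# HKEY_CLASSES_ROOT\PROTOCOLS\Handler. Each handler subkey carries a CLSID
# value; that CLSID's InprocServer32 default value names the DLL that
# implements the handler (urlmon.dll for the stock Microsoft ones).
# Function name and output shape are my own; run in an elevated PowerShell.

function Get-ProtocolHandlerAudit {
    [CmdletBinding()]
    param(
        [string]$HandlerRoot = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler'
    )

    $systemDir = Join-Path $env:SystemRoot 'System32'

    foreach ($handler in Get-ChildItem -Path $HandlerRoot -ErrorAction Stop) {
        $name   = $handler.PSChildName
        $clsid  = (Get-ItemProperty -Path $handler.PSPath -ErrorAction SilentlyContinue).CLSID
        $dll    = $null
        $signer = 'n/a'

        if ($clsid) {
            $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            # PowerShell exposes the key's unnamed default value as '(default)';
            # REG_EXPAND_SZ values are returned already expanded.
            $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                # A bare file name leaves the path to the loader's search order;
                # for the audit, assume it resolves to System32.
                if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $systemDir $dll }
            }
        }

        if (-not $clsid) {
            $status = 'no CLSID value'
        } elseif (-not $dll) {
            $status = 'CLSID has no InprocServer32'
        } elseif (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $status = 'DLL missing on disk'
        } else {
            # Catalog-signed system DLLs report Valid on Vista and later; older
            # releases may report NotSigned for them, so treat this as a hint.
            $signer     = (Get-AuthenticodeSignature -FilePath $dll).Status
            $inSystem32 = $dll.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase)
            $status = if (-not $inSystem32)      { 'DLL outside System32 - review' }
                      elseif ($signer -ne 'Valid') { 'signature not valid - review' }
                      else                         { 'ok' }
        }

        [PSCustomObject]@{
            Handler   = $name
            CLSID     = $clsid
            Dll       = $dll
            Signature = $signer
            Status    = $status
        }
    }
}

# Suspicious rows sort first; the 'ok' rows are the stock handlers (cdl, its,
# mk, ms-its, wia and friends all resolving to System32 DLLs).
Get-ProtocolHandlerAudit | Sort-Object Status, Handler | Format-Table -AutoSize
```

On 64-bit Windows the script reads the native CLSID view; a 32-bit-only handler registers its CLSID under HKEY_CLASSES_ROOT\WOW6432Node\CLSID instead and would show as "CLSID has no InprocServer32" here.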

VanguardLH

Feb 25, 2016, 4:07:56 PM
R.Wieser wrote on 2016/02/25:

> philo,
>
>> If you are concerned with vulnerabilities I'm not sure why
>> you are using an unsupported operating system.
>
> You do not seem to have any intention to help. You're only bitching on
> his-and-that. Why the heck, if you think XP is that insecure, do you still
> visit this newsgroup ? To gloat ?

Be careful in burning your bridges. While philo made an assumption (on
a supposition you did not mention), how many respondents here do you see
willing to address your concerns? He might've made a wrong assumption.
You could have said that you were not looking to plug up Windows XP but
are concerned about OTHER processes (programs) that might get installed
on your host that might make outbound connections (for that, see the
last part of my reply - and protocols is NOT where you should be looking
to determine what process(es) is(are) attempting outbound connections).

philo

Feb 25, 2016, 4:26:43 PM
On 02/25/2016 03:04 PM, VanguardLH wrote:
> R.Wieser wrote on 2016/02/25:
>
>> My problem is that I see internet-facing stuff on my machine which I have
>> never even heard about and could be used as an entry point for things I'd
>> rather not see happen. Stuff which I wish to disable.
>
> P

I believe he was trolling so I put him in my kf

VanguardLH

Feb 25, 2016, 5:39:55 PM
philo wrote on 2016/02/25:

> VanguardLH wrote:
>
>> R.Wieser wrote on 2016/02/25:
>>
>>> My problem is that I see internet-facing stuff on my machine which I have
>>> never even heard about and could be used as an entry point for things I'd
>>> rather not see happen. Stuff which I wish to disable.
>
> I believe he was trolling so I put him in my kf

A program does not require a protocol be registered in Windows for it to
make an outbound connection or act as a listener for unsolicited inbound
connects (which the upstream firewall in his router should take care of
- unless he has punched holes in the firewall to reroute inbound
requests). Protocols are defined to point at handlers. A program
doesn't need to find a handler in the registry if it *is* the handler
hence why he should be using a firewall (on his host or upstream).

Paul

Feb 25, 2016, 6:03:16 PM
While I could find "military" references to that acronym, they were
also associated with "Ku" band.

I found another reference

https://www.winehq.org/pipermail/wine-patches/2005-July/018793.html

+ INF_SET_CLSID(CdlProtocol);
+ INF_SET_CLSID(FileProtocol);
+ INF_SET_CLSID(FtpProtocol);
+ INF_SET_CLSID(GopherProtocol);
+ INF_SET_CLSID(HttpProtocol);
+ INF_SET_CLSID(HttpsProtocol);
+ INF_SET_CLSID(MkProtocol);

Now, because it's grouped with some other early browser
protocols, the implication is that whatever CDL is,
it was part of some previous generation. I mean,
nobody uses gopher any more. Perhaps some of those
things, were from another time.

Paul

philo

Feb 25, 2016, 6:39:34 PM
On 02/25/2016 04:39 PM, VanguardLH wrote:

>> I believe he was trolling so I put him in my kf
>
> A program does not require a protocol be registered in Windows for it to
> make an outbound connection or act as a listener for unsolicited inbound
> connects (which the upstream firewall in his router should take care of
> - unless he has punched holes in the firewall to reroute inbound
> requests). Protocols are defined to point at handlers. A program
> doesn't need to find a handler in the registry if it *is* the handler
> hence why he should be using a firewall (on his host or upstream).
>



That's why all he is doing is trolling.

He ignored all advice and did nothing but shoot off his mouth.

R.Wieser

Feb 26, 2016, 5:03:07 AM
VanguardLH,

> Protocols are definitions pointing to handlers that
> SOME PROGRAM will use

Hello? Microsoft there. It installs and enables-by-default all kinds of
unnecessary programs in its OSes.

> So start looking at what programs you installed

From which I can guess that they need the internet? FireFox. That's it.

> and what processes are running.

Systray. Explorer. Atiptaxx. A USB driver program, MS-DOS prompt. OE.

Regards,
Rudy Wieser


-- Original message:
VanguardLH <V...@nguard.LH> wrote in news message
dj98i8...@mid.individual.net...

R.Wieser

Feb 26, 2016, 5:35:05 AM
VanguardLH,

> Be careful in burning your bridges.

True, and I considered that beforehand.

> While philo made an assumption (on a supposition you
> did not mention), how many respondents here do you see
> willing to address your concerns?

None, including Philo. :-(

Mind you, my question was *what are they/are they used for*, with a
secondary question in regard to the possibility of shutting them down if
they are not used for anything.

My "concerns" were just a bit of an afterthought, *not* the main part.

> You could have said that you were not looking to plug up
> Windows XP but are concerned about OTHER processes
> (programs) that might get installed on your host that might
> make outbound connections

Nope. Those protocols might be used to *sneak into* a machine (not checked
as much, having received fewer bugfixes -- if any). What the snuck-in
programs might then do? What *couldn't* they then do would be a much
shorter list. :-)

Bottom line: I'm *NOT* out to receive a generic lecture about securing one's
machine. I'm *REALLY* looking for information on the usage of that CDL
protocol, and possibly those others too.

Regards,
Rudy Wieser


-- Original message:
VanguardLH <V...@nguard.LH> wrote in news message
dj98p7...@mid.individual.net...

R.Wieser

Feb 26, 2016, 5:45:56 AM
Paul,

> Now, because it's grouped with some other early
> browser protocols, the implication is that whatever
> CDL is, it was part of some previous generation.

I got the same feeling, but did not want to act too rash.

Thanks for the link. Alas, I cannot seem to be able to extract anything
useful (for me) from it.

Before anyone tries, I've (of course) also searched for the class id of the
protocol. No luck there either.

Thanks for the help.

Regards,
Rudy Wieser


-- Original message:
Paul <nos...@needed.com> wrote in news message
nao11s$agm$1...@dont-email.me...

R.Wieser

Feb 26, 2016, 6:13:24 AM
Philo,

> He ignored all advice and did nothing but shoot off his mouth.

Answer the question first, *only then* come with advice.

Definitely *do not* replace someone's question with one you "are just sure
of" he's actually asking.

Your "advice" had *absolutely nothing* to do with my question. Your "why
do you still use XP" had nothing to do with the matter either.


Bottom line: You have shown all the signs of someone who "knows better" and
for that reason thinks he may hijack the question. Better to cut that
short than to, after a couple of messages, be left with a lot of irrelevant,
and therefore quite worthless "suggestions".

Regards,
Rudy Wieser


-- Original message:
philo <ph...@privacy.net> wrote in news message
nao35u$gmh$1...@dont-email.me...

Micky

Feb 26, 2016, 8:37:23 AM
[Default] On Fri, 26 Feb 2016 11:45:45 +0100, in
microsoft.public.windowsxp.general "R.Wieser" <add...@not.available>
wrote:

>Paul,
>
>> Now, because it's grouped with some other early
>> browser protocols, the implication is that whatever
>> CDL is, it was part of some previous generation.
>
>I got the same feeling, but did not want to act too rash.
>
>Thanks for the link. Alas, I cannot seem to be able to extract anything
>useful (for me) from it.

Have you been attacked lately? Even if you have, the entry point
probably was not these whatevers, because there are so many things
running. So the trouble is that if you remove these things, you
probably won't miss them for weeks or months. And when you do, you
may not have the backup you made weeks earlier before removing them,
and even if you do, it won't have changes you made since then.

You'll be stuck doing some very complicated restore, if you even can
get back to where you were.

Micky

Feb 26, 2016, 8:38:17 AM
[Default] On Fri, 26 Feb 2016 12:13:49 +0100, in
microsoft.public.windowsxp.general "R.Wieser" <add...@not.available>
wrote:

>Philo,
>
>> He ignored all advice and did nothing but shoot off his mouth.
>
>Answer the question first, *only then* come with advice.
>
>Definitely *do not* replace someone's question with one you "are just sure
>of" he's actually asking.
>
>Your "advice" had *absolutely nothing* to do with my question. Your "why
>do you still use XP" had nothing to do with the matter either.

People, most people, do all these things all the time on Usenet, in
groups of all sorts, while intending to be helpful. I know you've
been posting for years and I'm surprised you're not used to it, in
reply to your posts and others' too.

Maybe you didn't sleep well last night.

R.Wieser

Feb 26, 2016, 8:52:44 AM
Micky,

> So the trouble is that if you remove these things, you
> probably won't miss them for weeks or months.

I'm not really in the habit of making irreversible changes. Mostly I just
rename the involved parts (or in this case: the registry entry pointing to
the involved DLL/COM object), document it so I know what I changed, and see
what happens. In the case of any usage and/or problems with it it will be
quite easy to reverse. Don't worry about that. But thanks for the warning,
appreciate it.

Regards,
Rudy Wieser


-- Original message:
Micky <NONONO...@bigfoot.com> wrote in news message
d1l0dbhmrph0cbtov...@4ax.com...

philo

Feb 26, 2016, 9:21:33 AM
On 02/26/2016 07:38 AM, Micky wrote:
>>
>> Answer the question first, *only then* come with advice.
>>
>> Definitely *do not* replace someone's question with one you "are just sure
>> of" he's actually asking.
>>
>> Your "advice" had *absolutely nothing* to do with my question. Your "why
>> do you still use XP" had nothing to do with the matter either.
>
> People, most people, do all these things all the time on Usenet, in
> groups of all sorts, while intending to be helpful. I know you've
> been posting for years and I'm surprised you're not used to it, in
> reply to your posts and others' too.
>
> Maybe you didn't sleep well last night.
>>
>>
>

To properly answer any question one needs to know what one is really
asking...or what the ultimate goal is.

If one uses an engineer's approach, the answer may very well be nothing
to do with the original question.


My initial thought was that the OP was naive, but he was just trolling.


Yep, you are right, I should have figured that out after his first reply
rather than the second.




R.Wieser

Feb 26, 2016, 9:57:37 AM
Philo,

> To properly answer any question one needs to know what
> one is really asking...or what the ultimate goal is.

Then ask. And even more important, *listen*.

> If one uses an engineer's approach, the answer may very well
> be nothing to do with the original question.

Possible. Again, just ask. But do yourself a favour, and do not assume
that whomever is asking a question has no clue what he's asking / what he
really wants to have answered.

In my case you certainly misjudged. I still want to know what those
protocols are used for, even if I have already rerouted the paths for them
in the registry to a dummy "hey, I'm called!" DLL (and of course checked if
that works. It does seem to).

> My initial thought was that the OP was naive, but he was just trolling.

Neither. But if that will help you sleep at night, be my guest.

Regards,
Rudy Wieser


-- Original message:
philo <ph...@privacy.net> wrote in news message
napmrk$8m9$1...@dont-email.me...

R.Wieser

Feb 26, 2016, 10:17:42 AM
Micky,

> I know you've been posting for years and I'm surprised
> you're not used to it,

Used to it ? Never. It does become harder-and-harder over time to even
tolerate.

> Maybe you didn't sleep well last night.

Or maybe just *yet another* "helpful" person I *of course* have to handle
with velvet gloves, trying to guide him to the answer I already said I was
looking for ... Just assume something broke.

Does that really change anything to what I said? And can you even guess
the frustration I feel having to deal with such "helpful" people?
Having a lengthy exchange with them trying to get them to answer the goddamn
question and in the end being shown all kinds of irrelevant places, but not
even having gotten near to it ?

Not funny at all.

Regards,
Rudy Wieser


-- Original message:
Micky <NONONO...@bigfoot.com> wrote in news message
nnk0db5ftcugsbqsp...@4ax.com...

VanguardLH

Feb 26, 2016, 2:46:14 PM
R.Wieser wrote on 2016/02/26:

> Nope. Those protocols might be used to *sneak into* a machine (not checked
> as much, having received fewer bugfixes -- if any). What the snuck-in
> programs might then do? What *couldn't* they then do would be a much
> shorter list. :-)

Can't sneak into a machine without a socket hence why I mentioned
watching with a firewall.

> Bottom line: I'm *NOT* out to receive a generic lecture about securing ones
> machine. I'm *REALLY* looking for information on the usage of that CDL
> protocol, and possibly those others too.

Then, as mentioned, you might want to use a registry monitor to see
which process touches those registry keys defining the protocols. (too
late to see who created them so see who reads them). There are lots
more places to look for where protocols are defined than the key you
mention.

R.Wieser

Feb 26, 2016, 7:40:39 PM
VanguardLH,

> Can't sneak into a machine without a socket hence why I
> mentioned watching with a firewall.

Why put guards next to a door when you can also just remove it and brick the
hole up ? :-)

> Then, as mentioned, you might want to use a registry monitor
> to see which process touches those registry keys defining the
> protocols.

There is no indication that those protocols I named are actually in use.
Monitoring them would most likely not show anything happening.

Also, I've redirected which DLL will be used by them, and by that way will
be alerted to any attempted usage of them.

But... I will see if I can find anything about a registry monitor which
also can keep an eye on those registry entries.

Regards,
Rudy Wieser



VanguardLH

Feb 26, 2016, 8:53:17 PM
R.Wieser wrote on 2016/02/26:

> VanguardLH,
>
>> Can't sneak into a machine without a socket hence why I
>> mentioned watching with a firewall.
>
> Why put guards next to a door when you can also just remove it and brick the
> hole up ? :-)

I'm not the one concerned over what unwanted people want to use your
door. Your analogy means you disable your network (yank the cable) to
prevent all use of the door by ALL processes. Yet you are posting here
so you do still want to use the door.

Instead of having guards at the [network] door, you want to have guards at
the registry door, but for definitions you don't know what they are for, yet
you intend to blindly modify them.

>> Then, as mentioned, you might want to use a registry monitor
>> to see which process touches those registry keys defining the
>> protocols.
>
> There is no indication that those protocols I named are actually in use.
> Monitoring them would most likely not show anything happening.
>
> Also, I've redirected which DLL will be used by them, and by that way will
> be alerted to any attempted usage of them.

Since the CDL protocol points to urlmon.dll, you will be affecting a ton
of network-centric processes, including those that merely talk to themselves
on a port on localhost. URLMON is a library (OLE32 extensions later
renamed to ActiveX) to extend the Win32 API.

https://msdn.microsoft.com/en-us/library/aa939357%28v=WinEmbedded.5%29.aspx

You will find programs that use the URLmon library to perform their
functions, like downloading files in your web browser. For example:

https://msdn.microsoft.com/en-us/library/ms775123%28v=vs.85%29.aspx

That calls the urlmon.h header file to define calls to the URLMON
library. Although there might be a Microsoft Technet or MSDN article
listing the exports (entry points to the DLL that are the methods or
functions the DLL provides to caller processes), I found lists at:

https://source.winehq.org/WineAPI/urlmon.html
http://www.geoffchappell.com/studies/windows/ie/urlmon/api/index.htm

Just how are you "redirecting" processes that access the registry to
lookup a protocol definition? There are multiple protocols (most of
which are not defined under the key you mentioned) that point to
urlmon.dll. Use regedit.exe to search on "URL Protocol". Nirsoft's
RegScanner found 70 occurrences.

Perhaps instead of asking in a newsgroup that discusses an operating
system, you should ask in an OS programming newsgroup. Those that
actually code with calls to urlmon.dll might provide you with more
information about what that library is for, although I suspect that
discussion could quickly go outside your (and my) expertise. For
example, urlmon.dll is statically linked to:

msvcrt.dll (Microsoft C runtime)
ntdll.dll (NT kernel functions)
ole32.dll (Object Linking Embedding aka ActiveX)
oleaut32.dll (core OLE functions)
rpcrt4.dll (Remote Procedure Calls)
shlwapi.dll (https://msdn.microsoft.com/en-us/library/windows/desktop/bb759845%28v=vs.85%29.aspx)
user32.dll (WinAPI to user interface functions)
advapi32.dll (security calls; e.g., registry calls)
kernel32.dll (obvious)
iertutil.dll (runtime lib starting with IE7, used by HTAs to create
their UIs and by the Windows Graphical Shell for desktop,
start menu, file manager)

Most of them are system-level (OS core) libraries and you will be monkeying
around with their integration with urlmon.dll.

R.Wieser

Feb 27, 2016, 5:04:23 AM
VanguardLH,

> Your analogy means you disable your network (yank the cable) to
> prevent all use of the door by ALL processes. Yet you are posting
> here so you do still want to use the door.

My house has got ... about 10 different doors to enter it, many of which I
have no idea if they are resistant against break-ins, and nobody I ask
has got any clue what they are made of and if their locks are any good. I
think that I can live with (quite) a few less and *still* enter my
house at my leisure.

In other words: I have *no* intention to bar *all* doors. Just the ones I
can't find any documented purpose of.

> Instead having guards at the [network] door, you want to have
> guards at the registry door ...

No, I do not. Though I did not directly want to reject that possibility.

I've chosen to bar the door and, instead of an active "you shall not pass!"
guard, use someone who only needs to jot down any attempt to use that door.
I think the end effect is quite similar, but I do not need to wonder if that
guard actually does its job every time.

> Since the CDL protocol points to urlmon.dll, you will be affecting
> a ton of network-centric processes,

If any process will try to use that protocol I will be notified immediately.
That much I've already made sure of.

> You will find programs that use the URLmon library to perform
> their functions, like downloading files in your web browser. For
> example:

You have not understood: I'm *not* blocking/renaming URLMON.DLL itself, I
just let a *specific* protocol (like the CDL one) point to another DLL (a
dummy one).

> Just how are you "redirecting" processes that access the
> registry to lookup a protocol definition?

Now that's a sensible question. :-)

-- Registry entry for: CDL: Asynchronous Pluggable Protocol Handler
HKEY_CLASSES_ROOT\CLSID\{3dd53d40-7b8b-11D0-b013-00aa0059ce02}\InprocServer32

Replacing the default key's string value of
"C:\WINDOWS\SYSTEM32\urlmon.dll" with the path and filename of my own, dummy
DLL.

> Perhaps instead of asking in a newsgroup that discusses of
> an operating system, you should ask in an OS programming
> newsgroup.

No.

It's only because of your questions that we have veered into the realm of the
technical details. I've been answering them because I did not really see
a reason not to. I've gotten pretty-much zero useful information from it
(other than the idea of using a registry-key monitoring program to find out
which programs are sniffing at the CLSID key for a certain protocol.
Something which could be useful to know).

All *I* want to know is, as in the subject line, what that CDL protocol is
used for. As of yet I still have zero idea. :-\

But.... Thanks for trying to warn me for the negative effects of judiciously
mucking about with OS related stuff. Though I think I'm rather careful in
that regard I appreciate the sentiment.

Regards,
Rudy Wieser

P.s.
The CDL protocol is present in MS OS versions ranging from Win98 (and
probably '95 too) up to and including Win10.


-- Original message:
VanguardLH <V...@nguard.LH> wrote in news message
djcds6...@mid.individual.net...

R.Wieser

Feb 27, 2016, 5:22:25 AM
Quoting myself:

> But.... Thanks for trying to warn me for the negative effects
> of judiciously mucking about with OS related stuff.

"Of UN-judiciously mucking about" of course. Sheesh ...

Regards,
Rudy Wieser



VanguardLH

Feb 27, 2016, 3:00:26 PM
I'm sure back in '91 that Microsoft did not want to exclude themselves
from sales to the military. CDL is used for encryption between UAVs and
the controller but I'm sure there were controllers that were linked to a
computer for both local/remote control and statistics logging. Just
because the military first came up with a networking spec doesn't
preclude private businesses from utilizing it. After all, networking
originated from Arpanet funded by the DOD.

Caterpillar had a CDL port on their controller for the ECMs on their
huge tractors; however, the acronym CDL here means CAT (Caterpillar)
Data Link. I see mention of J1939 for those discussing Caterpillar
controllers (https://en.wikipedia.org/wiki/SAE_J1939 and
http://www.j1939.org/). Apparently Caterpillar used CDL to communicate
between their ECM (electronics control module aka engine computer
module) to use encryption to prevent interference with its operation.
J1939 is the newer protocol for ECM communications while CDL is an older
spec.

Here is an example of a Caterpillar controller with a CDL port:
http://www.monicoinc.com/cdl-gateway/main-products/cdl-gateway

Because of the other ports affording networking to a computer running
some OS, I would expect CDL (CATDL) to still be used to transmit and
receive in the network connection between OS and controller. That
device is called a gateway. The product's description also mentions
"used to set up an efficient and effective CAT monitoring system". That
indicates the device gateways to elsewhere, where the monitoring is.

So as Paul surmised, it is likely an old protocol that has lingered into
later versions of Windows. The history of the CDL protocol and its
intended purpose and usage has probably been long lost or it is so
esoteric that few, like in avionics, know about it or use it. Also, CDL
seems to always point at military use of UAVs and other avionics so
there may still be some shroud of secrecy associated with CDL. Maybe a
job at the C4ISR division of Cubic (https://www.cubic.com/) might reveal
more tentacles (ancient or still active) between the military and
Microsoft.

I doubt Microsoft knows anything about Caterpillar's proprietary
communications protocol but I added that as an example that CDL may not
mean what you think it means (which was Common Data Link). As for
Common Data Link, which has us all presuming it is the CDL you found:

https://web.archive.org/web/20111003180634/http://www.assconline.co.uk/documents/ASSC_Study_Application_MPEG2_Digital_Video_Compression_Standard.pdf
Section 3.4.11

So why cannot a base station be an OS running on a general-purpose
computer (operating and logging use of microwave transceivers)? I don't
really believe you will find something from Microsoft documenting
something they added to Windows back in 1991 for this protocol. That
was before Mosaic showed up in '92, Netscape in '94, and when the
Internet just started to take off but still long before everything
started to get cataloged. I remember back then you had to pay some
company (only remember it started with "D") to access their database to
get at their archived data.

http://www.idlsoc.com/Documents/Symposiums/IDLS2007/IDLS2007_CDL.pdf

That has a data link model diagram. That seems to show what the CDL
controller (hardware as the base station) would have but also indicates
that data can also come from or go to a network - which then means an OS
might be involved on some general-purpose (or even specific-purpose)
host (aka computer).

CDL might mean Common Data Link, CAT's CDL, even how to handle CDL files
(http://www.solvusoft.com/en/file-extensions/file-extension-cdl/). So
far, all we can tell is that the CDL protocol defined in the Windows
registry points at urlmon.dll. Monitoring what exports are called by a
process that found urlmon.dll through the CDL protocol definition might
give a clue as to the function of the caller process.

What are you using to detect when your dummy file gets accessed when
something attempts to use the CDL protocol that would've pointed to
urlmon?

R.Wieser

Feb 28, 2016, 4:12:34 AM
VanguardLH,

> I'm sure back in '91 that Microsoft did not want to exclude
> themselves from sales to the military. [snip]

Yes, that was something I was also thinking of.

> Caterpillar had a CDL port on their controller for the ECMs
> on their huge tractors; however, the acronym CDL here means
> CAT (Caterpillar) Data Link.

Although they have (share) the same acronym I'm not at all sure they are
about even the same thing ...

> So as Paul surmised, it is likely an old protocol that has lingered
> into later versions of Windows.

Most likely.

> As for Common Data Link, which has us all presuming it is
> the CDL you found:

Shucks. I'm not in the habit of downloading PDFs (active contents and all
that. Yes, my AV is installed between my ears :-) ). But ... I've used
the name to google it, and landed here:
http://dbpedia.org/page/Common_Data_Link

If anything, I think I may conclude that CDL never had any meaning on a
civilian user's computer.

> What are you using to detect when your dummy file gets accessed
> when something attempts to use the CDL protocol that would've
> pointed to urlmon?

As I mentioned before, a dummy DLL. One with no externally callable
functions. In its "Process Attach" initialisation I've used
GetModuleFilename to figure out which program tries to use it. It shows
that string in a message box. That's all. Rather KISS, don't you think ?
:-)

Regards,
Rudy Wieser



-- Original message:
VanguardLH <V...@nguard.LH> wrote in news message
djedii...@mid.individual.net...

VanguardLH

Feb 28, 2016, 5:12:01 AM
R.Wieser wrote on 2016/02/28:

> I'm not in the habit of downloading PDFs (active contents and all
> that.

Don't know which PDF viewer you use. Even Adobe's can be locked down.
I use PDFxchange and configure it for: disable Javascript (the biggie
vulnerability), opening any non-PDF attachments in the PDF, disable
launch actions.

Disabling Javascript is probably the best security measure; however, it
will kill any active PDFs that, for example, do input validation. If it
has a form for you to fill in, they can use Javascript to validate you
entered the correct type of data, like a number in a number field and
not an alphabetic character. I've run into very few of those and only
for PDFs distributed within the company to its employees.

PDFs can have attachments. Yep, just like e-mails, you can embed an
attached file into a .pdf file. For example, this can be used to track
changes in a document. You send someone a PDF, they edit it and send it
back to you and maybe to someone else in your team. The other team
member may not have the original so they attach the original .pdf to
their modified .pdf file. However, unfortunately any filetype can be
attached to a PDF, including executables. So I configure my PDF viewer
to only allow PDF attachments to PDFs.

You wouldn't think Adobe would do this but they allow a PDF to define a
launch action. When you load a .pdf, and if it defines a launch action,
it can run a command (which can run any executable) just by loading the
PDF. Very dangerous. So that definitely gets disabled.

Most PDF viewers support all the features of PDF. Yep, the above
features are in the PDF specifications. There are some PDF viewers that
deliberately do NOT support the above features hence they are safer. I
prefer to use a more robust PDF viewer with options to let me disable
all that crap.

There was a vulnerability that was attributed to PDFs regarding a
vulnerability in fonts (somehow using corrupt ones that caused calling
Adobe's font program - long dead). The vulnerability wasn't actually in
the PDF but in Adobe's font manager (Adobe Type Manager) program; see
https://technet.microsoft.com/en-us/library/security/ms15-078.aspx. The
PDF just happened to carry the font vulnerability because the reader had
to pass the font to ATM to render it in the PDF viewer. Any doc viewer
could express that font vulnerability in ATM. The fix was to disable
the ancient ATM program or get an update to it that closed the
vulnerability (I think Microsoft actually passed out that patch). Does
anyone still use Type 1 fonts (over 20 years old)?

https://en.wikipedia.org/wiki/Adobe_Type_Manager

I'm using Windows 7 Home Edition x64 Sp-1 and, yep, there are still
atm*.dll files lingering under the \system32 and \SysWOW64 folder. I
don't have any Type 1 fonts so I don't need their ATM software yet
Microsoft leaves it in Windows (just like the likely dead CDL protocol).
Just more cholesterol plugging the arteries. The security bulletin says
how to disable it, but Microsoft really should list it in the Add/Remove
Programs applet so users can uninstall it. It used to be uninstallable
from there; see http://www.adobe.com/support/techdocs/328603.html.

> As I mentioned before, a dummy DLL. One with no externally callable
> functions. In its "Process Attach" initialisation I've used
> GetModuleFilename to figure out which program tries to use it. It
> shows that string in a message box. That's all. Rather KISS, don't
> you think ?

Smart. About the only additional feature you might want is for it to log
the accesses rather than annoy you with popups - if you ever get any.

I take it you have not yet seen your popup alert?
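The canary DLL Rudy describes (a handler stand-in with no exports that identifies its loader in DllMain), combined with the logging VanguardLH suggests instead of a message box, as an added example; this is not code from either poster. The log path, the allow-list of known loaders and the helper names are assumptions; the helpers are plain C so they compile and test on any platform, only DllMain needs the Windows headers.

```c
/* Added example (not from the thread): a "canary" DLL to put where a registry
 * protocol handler used to point. It exports nothing; on DLL_PROCESS_ATTACH it
 * records which executable loaded it, unless that program is on an allow-list
 * (the "black-list the program's name in the dummy DLL" idea from the thread). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <time.h>

/* Loaders we already know about and do not want reported (constructed sample
 * list; matched case-insensitively on the file name only). */
static const char *const k_known_loaders[] = { "iexplore.exe", NULL };

/* Return the file-name part of a Windows path (either separator). */
const char *canary_basename(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    return base;
}

/* Case-insensitive equality, since Windows file names are case-insensitive. */
static int ieq(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == *b;
}

/* 1 if a load by this executable should be reported, 0 if it is allow-listed. */
int canary_should_report(const char *exe_path, const char *const *known) {
    const char *base = canary_basename(exe_path);
    for (; *known; known++)
        if (ieq(base, *known)) return 0;
    return 1;
}

/* Build one log line "<epoch seconds> <pid> <full path>\n".
 * Returns its length, or -1 when the buffer is too small (never truncates). */
int canary_format_line(char *out, size_t cap, long long when, unsigned long pid,
                       const char *exe_path) {
    int n = snprintf(out, cap, "%lld %lu %s\n", when, pid, exe_path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

#ifdef _WIN32
#include <windows.h>
/* Assumed log location; one line is appended per loading process. */
static const char k_log_path[] = "C:\\cdl-canary.log";

BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
    (void)inst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char exe[MAX_PATH], line[MAX_PATH + 64];
        /* A NULL module handle names the executable that loaded us. */
        if (GetModuleFileNameA(NULL, exe, sizeof exe) == 0) return TRUE;
        if (canary_should_report(exe, k_known_loaders)) {
            /* Keep DllMain minimal (loader lock): append one line and leave. */
            FILE *f = fopen(k_log_path, "a");
            if (f) {
                if (canary_format_line(line, sizeof line, (long long)time(NULL),
                                       (unsigned long)GetCurrentProcessId(),
                                       exe) > 0)
                    fputs(line, f);
                fclose(f);
            }
        }
    }
    /* Never fail the load: the point is to observe the caller, not break it. */
    return TRUE;
}
#endif
```

Build it as a DLL on Windows and point the handler's CLSID InprocServer32 path at it; on other platforms only the helpers compile, which is enough to check the matching and logging logic.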

R.Wieser

Feb 28, 2016, 10:04:21 AM
VanguardLH,

> Don't know which PDF viewer you use.

The best known, and rather the default one, Adobe's.

> ... and configure it for: disable Javascript (the biggie vulnerability),
> opening any non-PDF attachments in the PDF, disable launch
> actions.

I would prefer a *reader* to behave like one. Seeing the never-ending
stream of bug and security fixes going into "it must be able to do
everything" (aka: feature creep encumbered) software I do not believe such
programs will *ever* be even decently secure. Combine that with throwing
active content at it that is found lying on the internet highway somewhere
and you have a recipe for disaster.

I always find it odd: If I pick up some candy from the ground (or appear
to do so :-) ) and offer it to someone they most always decline ....

> There are some PDF viewers that deliberately do NOT support
> the above features hence they are safer.

I would love to know which ones they are. Some time ago I thought to try
FoxIt -- regarded by its own site as a "Secure PDF Reader", and the first
damn thing it tried to do when I started it was to try to go on-line. That
was enough for me to directly de-install it. :-(

> About the only additional feature you might want is it to log the
> accesses rather than annoy you with popups - if you ever get any.

Not really needed. All the message box is good for is so that I, in the
next few weeks/months, become instantly aware if-and-when something uses
that CDL protocol. If the protocol is not used then I can leave the
message box in for the chance it will get used somewhere (far) in the future
(when I've forgotten I've disabled it).

If it however starts to throw lots of message boxes at me I will know that
there is a problematic program, and will either tame the program itself, or
black-list the program's name in the dummy DLL, bypassing the message box.

Besides, if a program notices that it can't connect thru that CDL (or other)
protocol it will most likely throw an error. The message box is meant as a
kind of fail-safe for the programs which then silently don't.

> I take it you have not yet seen your popup alert?

I've seen it once. That was when I entered a URL starting with the CDL
protocol into my browser (hey, I had to test if it would actually work. :-) )

Regards,
Rudy Wieser


-- Original message:
VanguardLH <V...@nguard.LH> wrote in news message
djfvfc...@mid.individual.net...

VanguardLH

Feb 28, 2016, 2:05:00 PM
R.Wieser wrote on 2016/02/28:

> VanguardLH,
>
>> There are some PDF viewers that deliberately do NOT support the above
>> features hence they are safer.
>
> I would love to know which ones they are.

Probably the best place to ask for a minimalist PDF viewer that is
lacking the extra (but security risk) functions, like launch on load,
file attachments, and Javascript, would be in the alt.comp.freeware
newsgroup. I remember being in some discussions over there that
mentioned some of them. I think (but you would have to check) that
SumatraPDF (https://en.wikipedia.org/wiki/Sumatra_PDF) was one of the
minimalist PDF viewers. SumatraPDF is portable so you don't even
install it, just copy its file and run that.

I don't know what the PDF viewers can do that are now built into web browsers
(Google Chrome, Firefox). I turn those off as soon as I remember or
when I want to view a PDF and it shows inside the web browser. I then
configure the web browser to use an external PDF viewer. I also disable
web browser integration in the config of the PDF viewer so it does NOT
display the .pdf inside the web browser (by using a plug-in). I don't
want to use the inbuilt PDF viewer in the web browser and I don't want
the PDF viewer to use a plug-in to display the PDF inside a web browser.

> If it however starts to throw lots of message boxes at me I will know that
> there is a problematic program, and will either tame the program itself, or
> black-list the program's name in the dummy DLL, bypassing the message box.

While that would eliminate the untamed process access to its protocol
handler, it doesn't stop the untamed process from loading. Do you know
about SRPs (Software Restriction Policies) that you can define in the
registry using the Group Policy Editor (gpedit.msc)?

Back in Windows XP, you could only Allow or Block a program from
loading. You had to do a registry edit to add Basic which runs the
program under a limited user access (LUA) token to reduce its privileges
to what they would be if I had logged in under a normal/restricted user
account. I used SRPs to force reduced privileges on web-centric apps
(web browser, e-mail). Vista, and later, have all three privilege modes
(Allow, Block, Basic) for SRPs. Alas, the Home editions of Windows
don't have the group or local policy editors. Some have suggested
stealing gpedit.msc from Windows XP except that the downloads others
have offered for gpedit.msc is for the 32-bit version which doesn't know
about the 64-bit section of the registry. All policies are registry
entries and Microsoft has an Excel spreadsheet listing them all but it's
a pain to go through all that manual manipulation. I ain't ever using a
Home edition again (but then I may never be using another version of
Windows if Windows 10 is it and Microsoft doesn't change their rude
behaviors regarding licensing and, ahem, "telemetry").

Before I knew about SRPs, I used 3rd party firewalls that had HIPS (Host
Intrusion Protection System) that let me block unwanted programs from
loading. So that's another way to kill the unwanted programs. I used
MagicJack (VOIP) awhile ago and it was nasty in auto-updating itself
without permission and even without prompt. That screwed up my dialer
setup (I used a different one than theirs). So I used a Path SRP to
prevent their setup program from running. They retaliated after a
couple years by having their server check the client's version and would
"suddenly" stop working if you didn't have their latest version or a
version within their check range. A nice feature of using a firewall
with HIPS was I could allow the VOIP connections but block their update
connections which included their client downloading ads to display
within a frame of their client's UI; however, I got rid of MagicJack.

J. P. Gilliver (John)

Feb 28, 2016, 6:32:05 PM
In message <56d30c71$0$24084$e4fe...@news.xs4all.nl>, R.Wieser
<add...@not.available> writes:
>VanguardLH,
[]
>> There are some PDF viewers that deliberately do NOT support
>> the above features hence they are safer.
>
>I would love to know which ones they are. Some time ago I thought to try
>FoxIt -- regarded by its own site as a "Secure PDF Reader", and the first
>damn thing it tried to do when I started it was to try to go on-line. That
>was enough for me to directly de-install it. :-(

To be fair, that's probably just checking for updates, which seems
reasonable - when you've installed something, possibly from an ancient
installer, it's reasonable for it to check whether it _is_ ancient.
(Having said that, Foxit got bloaty a while back, though nothing like as
big as Acrobat; old versions [I have 5.4.3.0920, and earlier was faster]
are good, and also fast.)
[]
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

I hate people who quote Shakespeare at you but are proud that they can't add
up. Stupid People. - Carol Vorderman (Radio Times, 1-7 March 2003)

R.Wieser

Feb 29, 2016, 5:47:32 AM
VanguardLH,

> SumatraPDF is portable so you don't even install it, just copy
> its file and run that.

Now *that's* something I like. Yes, even if used stationary. "Un-install"
a program ? Ha! Just delete the folder it's in. Never understood MS's
preoccupation with putting *everything* in the registry.

> I also disable web browser integration in the config of the PDF
> viewer so it does NOT display the .pdf inside the web browser
> (by using a plug-in).

Same here. If-and-when I want to view a PDF it's quite likely I want to
view it again. So, (after much deliberation) I first download and store it.
Although on later browsers viewing PDFs locally might be, security wise,
worse than viewing it in the sandboxes those browsers provide ...

> While that would eliminate the untamed process access to its
> protocol handler, it doesn't stop the untamed process from
> loading.

Correct. Step two in the process will probably be to try to figure out
*why* that program needs that protocol and what it does with the data. If
I do not like the answer I could, if possible, end up removing the program
altogether.

> Do you know about SRPs (Software Restriction Policies)
> that you can define in the registry using the Group Policy
> Editor (gpedit.msc)?

Ehrm ... I've heard of it, but never had, on my single-user computer, the
need to use it. I have absolutely no idea how I would need to use it to
rein a mal-behaving program in.

> Back in Windows XP, you could only Allow or Block a
> program from loading.

Ehhh ... I hope you are aware that you're posting in a newsgroup dedicated
to XP ? So what's that "back in XP" about ? I'm still using it ! :-)

> Before I knew about SRPs, I used 3rd party firewalls that had
> HIPS (Host Intrusion Protection System) that let me block
> unwanted programs from loading.

I'm not sure I understand the above: Why block an unwanted program if you
can (simply?) remove it ?

Oh shucks: You're talking about a multi-user environment, where the users
have different privileges (admin, power-user, user, guest), and
low-privilege users must/should/need to be stopped from using programs (like
regedit) the high-privilege users might have need of.

In my case I think that that does not really apply (but correct me if I'm
wrong about that), as I'm the sole user of my 'puter.

> I used MagicJack (VOIP) awhile ago and it was nasty in
> auto-updating itself without permission and even without
> prompt.

Yuck! That would be a program I would try to get rid of as fast as I
could. Of course, necessity sometimes forces us to play the kind of dodging
game you described. But again, yuck! :-\

Regards,
Rudy Wieser


-- Original message:
VanguardLH <V...@nguard.LH> wrote in news message
djgumn...@mid.individual.net...

R.Wieser

Feb 29, 2016, 6:41:09 AM
John,

> To be fair, that's probably just checking for updates,
> which seems reasonable

Nope. Not when it's done without even 1) asking me first 2) allowing me to
set/change any preferences in that regard. Currently I start to habitually
disable the internet connection (yank the ethernet cable) before installing
anything because of it.

> when you've installed something, possibly from an ancient
> installer, it's reasonable for it to check whether it _is_ ancient.

Again, No. You do *not* go outside my local computer without my explicit
say-so. Especially when what is done is not what I acquired the product for.

It's like inviting a repairman (of any kind) in, who then just grabs your
personal phone to check in with their boss. That's not acceptable in the real
world, and it's not acceptable (at least to me) in the computer world.

The only reason this abysmal behaviour has become wide-spread is because
most people are not even aware that it happens (when installing, firewalls
are silently(!) configured to let the program thru), and if they are, have no
clue what to do about it (and if they figure it out it's too late anyway).

Next to that, what about *my choice* to actually download and use "an
ancient" version ? Somehow software companies seem to be blithefully
unaware (willfully or otherwise) that, for instance, not everyone runs the
latest version of the MS operating system ...

> Having said that, Foxit got bloaty a while back

Just as FireFox got that advertisement crap included, which is a *very good*
reason for not wanting to upgrade.

Regards,
Rudy Wieser


-- Original message:
J. P. Gilliver (John) <G6...@soft255.demon.co.uk> wrote in news message
fYDM2Szz...@soft255.demon.co.uk...

VanguardLH

Feb 29, 2016, 8:20:08 AM
R.Wieser wrote on 2016/02/29:

> VanguardLH,
>
>> SumatraPDF is portable so you don't even install it, just copy
>> its file and run that.
>
> Now *that's* something I like. Yes, even if used stationary. "Un-install"
> a program ? Ha! Just delete the folder it's in. Never understood MS's
> preoccupation with putting *everything* in the registry.
>
>> I also disable web browser integration in the config of the PDF
>> viewer so it does NOT display the .pdf inside the web browser
>> (by using a plug-in).
>
> Same here. If-and-when I want to view a PDF it's quite likely I want to
> view it again. So, (after much deliberation) I first download and store it.
> Although on later browsers viewing PDFs locally might be, security wise,
> worse than viewing it in the sandboxes those browsers provide ...

I know a lot of folks like to bash Adobe Reader due to its past history
but that program has had a sandbox for quite awhile now. I forget the
option but you could make Adobe Reader more secure but you had to enable
some option under the "Security (Enhanced)" section (that is not enabled
by default probably to ensure widest usability). With enhanced security
(http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/Acrobat_Enhanced_Security_FAQ.pdf),
high-privilege Javascript is disabled; however, you can completely
disable Javascript, too. I don't remember the default but make sure
under Security (Enhanced) that the "Automatically trust sites from my
Win OS security zone" (which means sites you whitelist in the Internet
Options' Trusted Sites security zone would have their PDFs trusted - but
bad PDFs or rude authors exist everywhere, including sites you trust).

Most times when someone nags about Adobe Reader being insecure, they
haven't even bothered to view the options available and investigate
them. They haven't gone into Security (Enhanced) to make sure it is
enabled, and also ensured Protected Mode is enabled (the sandbox you
mentioned but here instead of by a web browser). See
http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/index.html. As
yet, I don't think that anyone has proven Adobe Reader with both enhanced and
protected mode enabled and with disabling other features, like
Javascript, is any more insecure than other PDF readers. Yes, you can
find lists of open tickets against Adobe Reader. Have you EVER found a
bug tracking database that is publicly accessible for the other PDF
readers? You don't know how bad they are for vulnerabilities. That
info remains hidden. So you could be using a highly vulnerable
alternative PDF reader and your only blind hope is that it doesn't get
targeted because it isn't the big target.

Some still nag about how big it is because they don't realize that it
has code to parse ancient PDFs (old versions of PDF specs). Most users
don't need to view PDFs that were created 2 decades ago but Adobe needs
to remain compatible with their old stuff. They could offer an install-
time option to let users discard support for specific old PDF versions
but that would require users be educated on what was different between
each PDF version. I suspect, besides momentum, that companies prefer to
have Adobe Reader on their workstations because group policies can be
pushed onto those workstations that control how Adobe Reader behaves,
like disabling its update checking. It is an enterprise-centric product
to control property that belongs to them, not the employees, whereas the
others are designed for personal use on computers that are the property
of the user.

Not sure how a sandbox would help if launch action, Javascript, and
attachments were disabled (or not supported) in the PDF viewer. That
would be like claiming some guy with no testicles was the father of a
child. A program issuing a system call to a font API or ancillary
program isn't going to pull it into the sandbox. You would need to use
a virtual machine to do that level of isolation; however, those who use
VMs to detect malware don't realize that many of those will remain
quiescent or behaved when they detect they are run inside a VM. Worked
okay inside the VM so they install it in their real host OS and then the
malware becomes potent.

>> Do you know about SRPs (Software Restriction Policies)
>> that you can define in the registry using the Group Policy
>> Editor (gpedit.msc)?
>
> Ehrm ... I've heard of it, but never had, on my single-user computer, the
> need to use it. I have absolutely no idea how I would need to use it to
> rein a mal-behaving program in.

You would use a 3rd party firewall with HIPS to control unwanted
networking behavior for a program. SRPs are used to prevent the program
from even loading (Path rule set to Block) or to throttle its privileges
(Path rule set to Basic).

>
>> Back in Windows XP, you could only Allow or Block a
>> program from loading.
>
> Ehhh ... I hope you are aware that you're posting in a newsgroup
> dedicated to XP ? So what's that "back in XP" about ? I'm still
> using it ! :-)

Yes, I am responding in a WinXP group but that doesn't mean I use that
OS anymore. I also respond in the WLM (Windows Live Mail) newsgroup but
I only used that program for a few months awhile ago - because sometimes
the questions don't really involve the program but are about e-mail
itself.

SRPs have been available since Windows XP and that's where I first
learned about them. They are still available in later versions of
Windows to which I moved to awhile ago. Since I no longer have any
WinXP hosts at home or even at work, much of what I mention is from
memory or I have to go look it up again.

I did find an old Usenet post of mine that mentions the registry hack,
at:

https://groups.google.com/d/msg/microsoft.public.windowsxp.help_and_support/iFdHbt-Hf1k/mttUNl3kpXMJ

>> Before I knew about SRPs, I used 3rd party firewalls that had
>> HIPS (Host Intrusion Protection System) that let me block
>> unwanted programs from loading.
>
> I'm not sure I understand the above: Why block an unwanted program if you
> can (simply?) remove it ?

Don't know what to remove until you catch it. In the example that I
gave, I did NOT want to remove MagicJack because, at that time, I wanted
to use their VOIP service. I just did not want it automatically and
covertly updating until I was prepared (with an image backup) and had
the time and was ready for any behavior change in the new version of
their VOIP software.

So why not just rename or delete their setup.exe program? Because it
doesn't exist until they want to do an update. Not all programs come
with separate .exe files to perform setup, updates, or other functions.
Instead those "programs" are code tables inside the program that get
rolled out into files and then executed. So there was no setup.exe file
for me to rename or delete. However, because I knew where they created
the setup.exe into which they rolled out that code from the main
program, I could use an SRP Path rule to keep the generated setup.exe
from loading. You can also define hash rules to catch a program when
you don't know where it might be (in the future) but I never used that
feature.

> Oh shucks: You're talking about a multi-user environment, where the users
> have different privileges (admin, power-user, user, guest), and
> low-privilege users must/should/need to be stopped from using programs (like
> regedit) the high-privilege users might have need of.

Nope, I'm the only user of my home PC. I found logging in under a
restricted account too often got in my way, like not being able to edit
the registry, define SRPs (because all policies are registry entries),
or perform other admin-level tasks. I wasn't logging out or even using
FUS (Fast User Switching - which leaves programs running under the other
account). Do you ALWAYS close the bedroom door when you enter or leave?
Of course not because that would be too much nuisance.

However, I did not want all web-centric processes to have admin
privileges so I used SRPs to throttle them down using a LUA (limited
user access) token. There have been 3rd party programs to do the same
thing but some only work when a specific shortcut is used. For example,
I can throttle privileges on the specified program when using
Sysinternals' psexec utility; however, that only applies limited
privileges to the program that *it* loaded. I could have it throttle
the web browser but that wouldn't help when the web browser was called as
a child process, like when clicking a hyperlink in an e-mail. SRPs get
applied to a program no matter who called it.

I do many tasks on my home PC that require admin privileges so logging
in under a restricted user account was not only a nuisance but not an
option since it would interfere way too often with my workflow. Do some
work, gotta stop to log under another account, do some tasks there, go
back to the other account to do more tasks. This would be like making
dinner involving heated cookware but having to use 2 different kitchens:
one with oven mitts and another without. No thanks.

> In my case I think that that does not really apply (but correct me if I'm
> wrong about that), as I'm the sole user of my 'puter.

I was the sole user, too, but SRPs (or HIPS in 3rd party security
software) gave me more control over rude or unwanted behavior without
necessitating removal of software that had other features that I did
want. I got more choice than I was given by default.

>> I used MagicJack (VOIP) awhile ago and it was nasty in
>> auto-updating itself without permission and even without
>> prompt.
>
> Yuck! That would be a program I would try to get rid of as fast as I
> could. Of course, necessity sometimes forces us to play the kind of dodging
> game you described. But again, yuck! :-\

That's fine if you have the money for other telecommunication options.
It was very cheap. Cheaper than the old POTS telco, far cheaper than my
ISP's VOIP service, and even cheaper than a cell phone (although
Tracfone is very cost effective). Plus the VOIP call quality was better
than my cell phone so I would use it while at home instead of relying on
my cell phone.

Where can YOU find 5 years of phone service with better than cell phone
quality that would only cost $100 for those 5 years (or $20 for a WHOLE
year)? So, yeah, I managed to kill some unwanted features of their
client program (ads and covert auto-update) without losing the cheap
phone service. If you are using POTS, look at your monthly bill and
multiply by 12 to see how much you are spending on that. After all fees
and taxes, mine was $26/month (back then). That's $312/year. How much
are you spending for your cell phone service? Tracfone is cheap (but
with limited minutes) at $200 for 2 years at 1000 minutes. That would
be $500 for 5 years whereas Magicjack was $40 the 1st year and $20 each
year thereafter (by buying the $100 for 5 year plan). While I don't
have to go cheap, I also don't see the need to throw money away.
However, I eventually decided to pay a bit more for my ISP's VOIP
service and still do have a cell phone. Back then I didn't need a cell
phone but do now for business mostly; however, I keep calls to a minimum
and don't need any "data" (Internet) so Tracfone is a cheap choice. My
ISP's VOIP service is a shared cost. So I'm still going cheap (as much
as I can).

If you were so picky about not using and removing anything that had
behaviors that you don't want, why are you still using Windows? All
those tweaks you do for the OS and installing 3rd party programs to
supplant those included with the OS is you having fun playing with the OS
to bend it more to how you want it. Same for me when I had MagicJack.
Just because it had some bad behaviors did not preclude me from pulling
in its reins to do it more my way.

J. P. Gilliver (John)

Feb 29, 2016, 2:28:37 PM
In message <56d42e45$0$24010$e4fe...@news.xs4all.nl>, R.Wieser
<add...@not.available> writes:
>John,
>
>> To be fair, that's probably just checking for updates,
>> which seems reasonable
>
>Nope. Not when it's done without even 1) asking me first 2) allowing me to
>set/change any preferences in that regard. Currently I start to habitually

Agreed. I suppose since my firewall catches them, I'd forgotten they
don't ask.
[]
>It's like inviting a repairman (of any kind) in, who then just grabs your
>personal phone to check in with their boss. That's not acceptable in the real

Good analogy.

>world, and it's not acceptable (at least to me) in the computer world.
>
>The only reason this abysmal behaviour has become wide-spread is because
>most people are not even aware that it happens (when installing, firewalls
>are silently(!) configured to let the program thru), and if they are, have no
>clue what to do about it (and if they figure it out it's too late anyway).

I use a particularly ancient firewall, which doesn't seem to be hackable
by such software: obviously nothing is fireproof, but I can't remember
ever having a software call home after installation without triggering
the firewall. (And before you say would I know - I also have a - also
fairly old, but not as old - BitMeter, which I have the audio monitor
on, so I know whenever _anything_ is using the link, including things I
_do_ allow. The beeping would drive many people nuts, but I live alone,
and I like it.)
>
>Next to that, what about *my choice* to actually download and use "an
>ancient" version ? Somehow software companies seem to be blithefully
>unaware (willfully or otherwise) that, for instance, not everyone runs the
>latest version of the MS operating system ...

Indeed! XP here. (And I do have a '98SElite system that I go online with
occasionally.)
>
>> Having said that, Foxit got bloaty a while back
>
>Just as FireFox got that advertisement crap included, which is a *very good*
>reason for not wanting to upgrade.

Using Firefox 26.0 here ... (-:
>
>Regards,
>Rudy Wieser
[]
I think we're closer together than might first appear!
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

"... all your hard work in the hands of twelve people too stupid to get off jury
duty." CSI, 200x

R.Wieser

Mar 1, 2016, 5:05:58 AM
John,

> I use a particularly ancient firewall, which doesn't seem to be
> hackable by such software:

I should have been more specific: I was talking about XP's inbuilt firewall
here. I've several times seen it to be populated with exceptions for a
program/game I was installing.

> Indeed! XP here. (And I do have a '98SElite system that I go
> online with occasionally.)

XP here too, and also 98Se (which I'm currently writing this reply on).

> Using Firefox 26.0 here ... (-:

FF 1.5 on 98se. Can update to 2.0 or maybe 3.0 (afaik no further), but that
does not give me any extras. Still use it regularly. FF 16 on XP. Done
that quite recently, because of the higher encryption that the web currently
seems to be mandating (no idea why though: what kind of "secure connection"
does an Avatar image need ? Or a humor site ? ) :-\

Question: Have you ever found a list of requirements and capabilities for
the different versions of FF ?

Before updating to FF 16 I tried to find the "best fitting" version (high
encryption, no DRM support, no inbuilt advertising-centric crapware), but
was quite unsuccessful in that regard. At the end I did choose FF 16
because it seemed to work well on a computer somewhere.

> I think we're closer together than might first appear!

Which is quite refreshing. More often than not I'm running into people who
think that only the last version of {fill in your poison} is at all
useful. Oh well, their loss I guess. But still not funny to be talking
with them. :-\

Regards,
Rudy Wieser


-- Original message:
J. P. Gilliver (John) <G6...@soft255.demon.co.uk> wrote in message news:
q1QRNOC6...@soft255.demon.co.uk...

VanguardLH
Mar 1, 2016, 3:16:26 PM
R.Wieser wrote on 2016/03/01:

> John,
>
>> I use a particularly ancient firewall, which doesn't seem to be
>> hackable by such software:
>
> I should have been more specific: I was talking about XP's inbuilt firewall
> here. I've several times seen it populated with exceptions for a
> program/game I was installing.

Rules in the Windows Firewall are registry entries. If you install a
game, or any software, while logged in under an admin-level account then it
can write to the registry - which means it can change anything there,
including the rules for the Windows Firewall. That is why some
installers will demand that you be logged in as an admin because they
need to add registry entries (sometimes good, sometimes not so good).

3rd party firewalls with HIPS don't allow that except via a user prompt to
Allow/Block the change. They have their own separate settings store and
they protect themselves, even against admins that run installers that want
to change firewall settings. So installers that change rules for Windows
Firewall will be touching the wrong part of the registry versus the
portion of the registry (that is hash protected and sometimes set for
permissions only to the System account, not to a user's account or even
to the Administrators security group) that a 3rd party firewall watches
to detect changes and not allow direct access. With a 3rd party firewall,
installers (and malware) cannot covertly change settings in that
software.

The firewall in Windows XP is really only for protection against
unsolicited inbound connections. It will NOT protect you from programs
with admin privileges that are running on your computer changing
its settings. The Windows XP firewall is for inbound control, not for
outbound control or for self-protection. Not even the Windows Firewall
in later versions of Windows affords self-protection (and it can do
outbound control but only with changes in its default settings and
triggering on Windows events; see the Windows Firewall Notifier at
http://wfn.codeplex.com/ on how this can be done, but only with Windows
Vista and later). On Windows XP, if you want outbound control along
with a firewall that protects itself, you need a 3rd party firewall.

I wish I could remember which one it was but I recall a security program
(probably an anti-virus) that would monitor certain registry keys and
not allow changes except by user prompt. I remember a discussion where
I asked about protecting the registry keys for the Windows Firewall and
was pointed to the program's registry configuration as to what parts of
the registry it would protect. And there I saw a parent key listed that
included the Windows Firewall rules. I'll come back if I remember what
that security software was that showed me what registry parts it
protected, how I could add my own restrictions, and that it already
included the Windows Firewall rules.

VanguardLH
Mar 1, 2016, 3:34:50 PM
VanguardLH wrote on 2016/03/01:

> I wish I could remember which one it was but I recall a security program
> (probably an anti-virus) that would monitor certain registry keys and
> not allow changes except by user prompt. I remember a discussion where
> I asked about protecting the registry keys for the Windows Firewall and
> was pointed to the program's registry configuration as to what parts of
> the registry it would protect. ...

Ah, I thought it was Comodo Firewall but wasn't sure.

https://help.comodo.com/topic-72-1-451-4765-Protected-Registry-Keys.html

Besides a conversation about protecting the Windows Firewall settings,
including its rules, I recall asking about protecting the registry
entries dealing with DNS settings (to thwart DNS changers) but don't
remember the outcome of that discussion. I would have to install Comodo
Firewall again (just their free firewall and omit their anti-virus) to
see what registry entries are protected and whether they include the
Windows Firewall (probably irrelevant since you would be using their
firewall), DNS settings, Internet proxy (since some programs forget to
reset it after they exit and malware can change it so you cannot connect
anywhere), and so on.

Don't bother installing their CAV (Comodo AntiVirus) component. It is
weak and never any good. They left it in beta status for over 3 years
to keep it out of the anti-virus comparison benchmarks. They used their
user community to build their virus signature database. They kept
promising to add the HIPS component from their firewall into CAV to give
it better detection. Instead they rolled it into their Firewall product
to use its HIPS component, but CAV is still weak. You won't see it in
any AV benchmarks. Use some other AV program for that type of
protection.

Comodo Firewall: good.
Comodo AntiVirus: junk.
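Rudy's observation that installers silently add Windows Firewall exceptions, and VanguardLH's two posts above on which registry locations deserve protection (the firewall rule lists, DNS settings, the Internet proxy), both come down to the same defensive check: know what those keys held before an install, and look at what changed afterwards. The script below is an added example, not code from the thread, from Comodo, or from any other product it mentions. It assumes Windows XP SP2 or later with PowerShell 2.0 installed and an admin account (so the HKLM keys are readable); the key paths are the standard Windows locations for the XP firewall exception lists, TCP/IP DNS settings and the per-user proxy settings, and the baseline file name is an arbitrary choice.

```powershell
# Added example (not from the thread): snapshot the registry locations that a
# silent installer or malware is likely to touch, then diff a later snapshot
# against the saved baseline. Assumes XP SP2+ with PowerShell 2.0 and an
# admin account. Key paths are the standard Windows locations.

$WatchedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
# On the non-firewall keys only these values matter; firewall lists are taken whole.
$WatchedValues = @('NameServer', 'SearchList', 'ProxyEnable', 'ProxyServer', 'AutoConfigURL')

function Get-RegistrySnapshot {
    # Returns a hashtable of "key!valuename" -> data (as string).
    $snap = @{}
    foreach ($key in $WatchedKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        $isFirewallList = $key -like '*FirewallPolicy*'
        foreach ($name in $item.GetValueNames()) {
            if ($isFirewallList -or ($WatchedValues -contains $name)) {
                $snap["$key!$name"] = [string]$item.GetValue($name)
            }
        }
    }
    # Per-interface DNS servers live one level below Tcpip\Parameters.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    if (Test-Path -Path $ifRoot) {
        foreach ($if in Get-ChildItem -Path $ifRoot) {
            $ns = $if.GetValue('NameServer')
            if ($ns) { $snap["$($if.PSPath)!NameServer"] = [string]$ns }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot($before, $after) {
    # Reports entries that were added, removed or modified between two snapshots.
    $changes = @()
    foreach ($k in $after.Keys) {
        if (-not $before.ContainsKey($k)) {
            $changes += New-Object PSObject -Property @{ Change = 'Added'; Entry = $k; Old = $null; New = $after[$k] }
        } elseif ($before[$k] -ne $after[$k]) {
            $changes += New-Object PSObject -Property @{ Change = 'Modified'; Entry = $k; Old = $before[$k]; New = $after[$k] }
        }
    }
    foreach ($k in $before.Keys) {
        if (-not $after.ContainsKey($k)) {
            $changes += New-Object PSObject -Property @{ Change = 'Removed'; Entry = $k; Old = $before[$k]; New = $null }
        }
    }
    return $changes
}

# Usage: first run writes the baseline; run the installer; second run shows the diff.
$baselineFile = Join-Path $env:USERPROFILE 'registry-baseline.xml'   # arbitrary file name
if (-not (Test-Path -Path $baselineFile)) {
    Get-RegistrySnapshot | Export-Clixml -Path $baselineFile
    Write-Host "Baseline written to $baselineFile"
} else {
    $before = Import-Clixml -Path $baselineFile
    Compare-RegistrySnapshot $before (Get-RegistrySnapshot) |
        Format-Table Change, Entry, Old, New -AutoSize
}
```

An entry under AuthorizedApplications\List carries the exe path as the value name and a string like `path:*:Enabled:Display name` as the data, so a new firewall exception shows up as an `Added` row naming the program. The script only reads the registry; whether an added exception is acceptable is still a decision for whoever ran the installer, which is exactly the prompt a HIPS firewall would have given at the time of the change.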

J. P. Gilliver (John)
Mar 1, 2016, 7:42:35 PM
In message <56d56982$0$24011$e4fe...@news.xs4all.nl>, R.Wieser
<add...@not.available> writes:
>John,
>
>> I use a particularly ancient firewall, which doesn't seem to be
>> hackable by such software:
>
>I should have been more specific: I was talking about XP's inbuilt firewall

Ah.
[]
>> Indeed! XP here. (And I do have a '98SElite system that I go
>> online with occasionally.)
>
>XP here too, and also 98SE (which I'm currently writing this reply on).
>
>> Using Firefox 26.0 here ... (-:
>
>FF 1.5 on 98SE. Can update to 2.0 or maybe 3.0 (afaik no further), but that

2 - actually, something like 2.0.0.5, I forget exactly - without
Kernelex or whatever it's called; 3.x with. I never got Kernelex to work
properly - though didn't try very hard. (It possibly fought with my
lite.)

>does not give me any extras. Still use it regularly. FF 16 on XP. Done
>that quite recently, because of the higher encryption that the web currently
>seems to be mandating (no idea why though: what kind of "secure connection"
>does an Avatar image need ? Or a humor site ? ) :-\

Indeed )-:.
>
>Question: Have you ever found a list of requirements and capabilities for
>the different versions of FF ?

No, but I've not looked for one; I wouldn't be surprised if someone
somewhere has compiled one. Possibly on wikipedia: folks do seem to put
such things there.
>
>Before updating to FF 16 I tried to find the "best fitting" version (high
>encryption, no DRM support, no inbuilt advertising-centric crapware), but
>was quite unsuccessful in that regard. In the end I chose FF 16
>because it seemed to work well on a computer somewhere.

Ditto with 25/26 here. (Plus I didn't want to go Australis, which I
think came in with 29. Yes, I could use Classic Restorer - but that
seemed a bit of an odd thing to do!)
>
>> I think we're closer together than might first appear!
>
>Which is quite refreshing. More often than not I'm running into people who
>think that only the last version of {fill in your poison} is at all
>useful. Oh well, their loss I guess. But still not funny to be talking
>with them. :-\

Indeed. This computer does nearly all I need it for (mainly genealogy),
and plays videos well enough. I do have a nice W7 machine, but rarely
use it - mainly for Skype and (giving) TeamViewer support. In fact this
evening was the first time I've turned it on since early January (my
blind friend wanted to Skype so I could read some groceries for her).
>
>Regards,
>Rudy Wieser
[]
John
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Play dirty. If a fellow contestant asks the audience if they've got any
requests for what he or she should play, reply, "Yeah... Monopoly."

gnk...@gmail.com
Jun 16, 2016, 9:32:52 PM
On Thursday, February 25, 2016 at 4:22:46 AM UTC-8, R.Wieser wrote:
> Hello all,
>
> While looking at some web protocol names in the registry I found one named
> CDL ( CLSID {3dd53d40-7b8b-11D0-b013-00aa0059ce02}). Other than that a
> Google search shows it's a military "Common Data Link" protocol, I've not been able
> to find anything about it.
>
> Does anyone know what it's used for / why it's on my computer ?
>
> Looking at that list again I can see a few others that I have never heard
> of. Like "its", "mk", "msdaip", "ms-its" and "wia" (all under
> HKEY_CLASSES_ROOT\PROTOCOLS\Handler)
>
> Can I just kill the ones I do not remember having ever used (removing
> their CLSIDs from the registry, effectively making them inaccessible), or do
> they actually have a purpose on a user's computer ?
>
> Regards,
> Rudy Wieser

Rudy,

Head on over to www.nirsoft.net and, in the search box, enter URLProtocolView. Download a copy of this neat little utility. As with all Nirsoft utilities, it's a portable app that requires no installation. Simply unzip the file you downloaded (Download the Unicode version.) and run the program.

It will bring up a list of every single URL protocol installed on your system, showing, among other things, which company's software is responsible for each protocol.

Specifically, it will show you that the CDL: protocol comes from Internet Explorer, along with file:, ftp:, http:, etc.

Honestly, I can't tell you exactly what that protocol is. I don't believe that it refers to the military Common Data Link, which is transmitted over the air on the Ku microwave band.

While I don't know the purpose of all of these unknown protocols, they are not something you need to worry about. Regardless, you SHOULD NOT disable them!! Unless you know exactly what you're doing, you really can do an enormous amount of damage to your system!

What's more likely, however, is that you'll do nothing whatsoever to your system, either positive or negative.

As a system administrator for more than 30 years, I can tell you that, in that case, it's best to leave well enough alone.

I hope this helps!

-geo
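Geo's suggestion is to let URLProtocolView attribute each scheme under HKEY_CLASSES_ROOT\PROTOCOLS\Handler to the software that registered it. The same attribution can be done straight from the registry, which also answers Rudy's objection to running extra software for a simple lookup. The script below is an added example, not code from the thread and not NirSoft's; it walks the Handler key Rudy found CDL in, follows each CLSID to its InprocServer32 entry, and reports the implementing DLL together with its Authenticode status. It assumes Windows with PowerShell 2.0 or later; the registry paths are the standard COM/Internet Explorer locations, and everything else is resolved on the machine it runs on.

```powershell
# Added example (not from the thread, not NirSoft's code): attribute every URL
# protocol handler to the DLL that implements it and report that DLL's
# signature status. Read-only; it changes nothing. Assumes PowerShell 2.0+.

function Get-UrlProtocolHandler {
    $handlerRoot = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler'
    foreach ($key in Get-ChildItem -Path $handlerRoot) {
        $scheme = $key.PSChildName           # e.g. "cdl", "its", "mk", "wia"
        $clsid  = $key.GetValue('CLSID')     # COM class that handles the scheme
        $dll    = $null
        $sig    = 'NoCLSID'
        $signer = ''
        if ($clsid) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $sig = 'NoServer'
            if (Test-Path -Path $server) {
                # The default value of InprocServer32 is the DLL path; it may
                # contain %SystemRoot%-style variables, so expand them.
                $raw = (Get-Item -Path $server).GetValue('')
                $dll = [Environment]::ExpandEnvironmentVariables([string]$raw)
                if (Test-Path -LiteralPath $dll) {
                    $auth = Get-AuthenticodeSignature -FilePath $dll
                    $sig  = [string]$auth.Status
                    if ($auth.SignerCertificate) { $signer = $auth.SignerCertificate.Subject }
                } else {
                    $sig = 'DllMissing'
                }
            }
        }
        New-Object PSObject -Property @{
            Scheme    = $scheme
            CLSID     = $clsid
            Dll       = $dll
            Signature = $sig
            Signer    = $signer
        }
    }
}

# Usage: the full list first, then only the entries that deserve a second look
# (no implementing DLL on disk, or a DLL that does not verify as signed).
$handlers = Get-UrlProtocolHandler
$handlers | Sort-Object Scheme | Format-Table Scheme, CLSID, Dll, Signature -AutoSize
$handlers | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Scheme, Dll, Signature, Signer -AutoSize
```

Two caveats when reading the output. Several schemes (file, ftp, http and others) resolve to the same Internet Explorer DLL, so one scheme looking unfamiliar says nothing on its own; the DLL is what to attribute. And on XP the system DLLs are catalog-signed rather than carrying an embedded signature, so older PowerShell versions of Get-AuthenticodeSignature report NotSigned for them; an in-box Microsoft DLL in the Windows directory is the expected result there, whereas a handler pointing at a DLL in a temp or profile folder, or at a file that no longer exists, is the kind of entry worth understanding before anything is changed.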

Reinhard Skarbal
Jun 17, 2016, 2:57:37 AM
In article <6a640c8e-fcbf-4099...@googlegroups.com>,
gnk...@gmail.com says...
Hi

I found in
https://groups.google.com/forum/#!msg/microsoft.public.windowsxp.general/E_x0-kfAMAI/FHGDPO5aBQAJ

A long description with ... Caterpillar ...

With regards
Reinhard

R.Wieser
Jun 17, 2016, 5:23:15 AM
Geo,

> Head on over to www.nirsoft.net and, in the search box,
> enter URLProtocolView. Download a copy of this neat
> little utility.

Thanks for that suggestion. I was hoping someone knew about an RFC or the
like, but as nothing of the kind seems to be available and not even Google
seems to know anything about it maybe I will try it (even though I rather
dislike having to run random software to get simple info ...)

> While I don't know the purpose of all of these unknown protocols,
> they are not something you need to worry about.

You're right, I *should* not need to worry about them. Neither *should* I
need to worry about certain non-executable file-formats, or if MS
(security-)updates carry company-created malware, or ...

Oh, wait .... :-(

> Regardless, you SHOULD NOT disable them!!

Why not ? Because some kind of (unknown by me, and possibly unwanted)
communication could then not take place ? My good man, that's exactly what
I'm hoping for. :-)


By the way: You probably have read that I redirected the involved registry
entry to a dummy object which would just show a popup box ? A week ago it
did (show that popup box), and you'll never guess why ... It happened when I
opened up an old-style help-file/program (AutoIt3Help.exe), which seems to
use a "webbrowser object" to display its contents.

Regards,
Rudy Wieser


-- Original message:
<gnk...@gmail.com> wrote in message news:
6a640c8e-fcbf-4099...@googlegroups.com...