Tuesday, February 24, 2015

Noodling down in the Bayou for Superfish-like SSL Shenanigans

Come on in and get mucky. The Bayou water is cold but fine. Nothing in here that won’t probably bite you (hard enough to draw blood) or cause weird growths (on your system) if you dip in.

When we last hauled in the Superfish mess, Lenovo had ping-ponged back and forth about it not being a problem, then conceding it was a problem, issuing a removal tool, and now going into apology-mode.

Great. We are making progress.

Only as time goes on and the security folks noodle the bayou, they keep hauling out additional examples of this exploit and the mess grows deeper.

I don’t Twitter but do manually follow InfoSec Taylor Swift (@SwiftOnSecurity) and found this mindful tweet in the stream:

I think it is a great point of context with all the SuperCookies, mobile-app ID trackers, and the whole Internet of Things (IoT) we now live with daily.

So where are we now with this Superfish story?

This post is excellent (and highly Valca recommended for IT readers of all age levels) to bring everyone up to speed on the dangers of third-party “enhanced” download and installer file bundling.

Even more companies are using the same technique as Superfish and doing HTTPS-Hijacking & HTTPS-validation disabling.

The post goes into ways to check your Trusted Root Certification Authorities store and to check for some of the HTTPS MITM hijackers that are listed.

Then there are some very good recommendations and reminders for protection against that threat.
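One way to do that Trusted Root check yourself, as an added example that is not from the linked post or from this blog: it walks the machine and user Root stores and flags roots whose private key is sitting on the box (the property that lets Superfish/Komodia-style software sign a certificate for any site), plus roots whose name matches the products named above (that keyword list is an assumption, not a complete list).

```powershell
# Added example (not from the linked post): flag likely local HTTPS-interception
# roots in the Trusted Root CA stores. Name keywords are assumptions taken from the
# products this post mentions; the stronger signal is a root with a local private key.

$suspectKeywords = @('Superfish', 'Komodia', 'PrivDog')   # assumption: names from this post

function Get-SuspectRootCerts {
    param(
        [string[]] $Stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string[]] $Keywords = $suspectKeywords
    )
    foreach ($storePath in $Stores) {
        if (-not (Test-Path $storePath)) { continue }
        foreach ($cert in Get-ChildItem -Path $storePath) {
            $reasons = @()
            # A trusted root whose private key is present on this machine can mint a
            # leaf certificate for any hostname, which is exactly the Superfish problem.
            if ($cert.HasPrivateKey) { $reasons += 'private key present on this machine' }
            # Name matching is only a hint: a different bundler could use any name.
            foreach ($kw in $Keywords) {
                if ($cert.Subject -like "*$kw*" -or $cert.Issuer -like "*$kw*") {
                    $reasons += "name matches '$kw'"
                }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $storePath
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspectRootCerts | Format-Table -AutoSize
```

Expect legitimate hits too: a developer proxy such as Fiddler installs its own root with a private key, and an enterprise CA server holds the key for its own root, so review each row rather than deleting on sight.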

Test to see if your browser(s) are vulnerable:

Superfish, Komodia, PrivDog vulnerability test – Filippo.IO

Filippo Valsorda has coded up a page that allows you to visit it with EACH of your installed web-browsers to see if they are vulnerable to the Superfish, Komodia, PrivDog vulnerability. Easy to do and a great place to start assessing your system’s security.

Now for noodling in deeper waters:

Feed Me!

I want to highlight these blogs, which produced much of the research and analysis documentation listed here. Some offer RSS feeds and have ongoing posts on themes that may be useful for the for/sec crowd. I’m always on the lookout and want to draw attention to the work behind great technical writers and researchers.

Constant Vigilance!

--Claus Valca

Saturday, February 21, 2015

Time to set up a CERT/CSIRT? Yes!

One clear lesson learned organizationally from fighting a Hydra named Drye/Dyreza/Upatre is that while an entity can have clearly defined security groups and functions, unless there is a mechanism in place to bring them all together in unified communication and intelligence sharing, coordination of response can be seriously hampered.

Precious time may be lost as each group (network ops, AV ops, board of directors, executive branch, field staff) focuses the response effort based on their skill set and operational authority.

Communications and threat-intelligence may not make it to key decision-makers, general employees, or remediation responders. This can provide just enough head-room for the threat to grow, morph, and dig-in.

It is mission critical that some structure be available for everyone to come together so the incident response can be coordinated and laser-focused: not just to block and remediate the incident, but to understand whether it was an opportunistic attack, collateral damage, or a probe as part of a wider and more stealthy attack campaign.

I am happy to report that efforts are now underway on the ranch to get the fencing crews, the coyote kill-squad, and the herd wranglers all talking to one-another and develop our very own CERT/CSIRT team.

To that end, I’m dropping the following linkages as a starting place for reference as the workgroup forms.

I have found these resources make an excellent starting point for gaining foundational understanding of what an effective CERT/CSIRT team looks like and the many ways it can be structured depending on the organization’s needs/limitations.

Obviously this is just the tip of the iceberg, but I have found that as my knowledge of key CERT/CSIRT concepts and terminology has grown, so has my ability to find more advanced material on particular related items of interest.

If any CERT/CSIRT team leaders or members happen to be reading GSD, I would deeply appreciate any additional resource URLs or links from you in the comments that could be valuable to those just getting started in CERT/CSIRT formation and operations.

ENISA - European Union Agency for Network and Information Security – Yes they are from across the pond but this is some of the very best publicly available material I have found (so far) on CERT concepts and operations.

And here are additional reading resources for CERT/CSIRT teams, ranging from basic to complex.

One crazy-big tome for Cybersecurity Operations

The SANS Institute InfoSec Reading Room (link) has lots of great material

Another training resource for CERT team-members is OpenSecurityTraining.info

One course of particular note there might be the Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review

Finally, for some “perspective” I found these posts to be insightful and encouraging as this daunting task is considered.


--Claus Valca

Fighting a Hydra named Drye/Dyreza/Upatre

So pretty much for the past month across the ranchlands, we have been doing non-stop battle with a nasty piece of work known as Drye/Dyreza/Upatre.

From all appearances it slipped in past the security perimeter via an outside email source; bundled with a simple social-engineering email body, the trap was laid.

Patient-zero clicked the attachment to view a “fax message” helpfully attached to the email and the game was on.

Gradually the various security and response teams were able to tighten the noose and finally gain the upper hand.

Our network deep-packet inspection tools were quickly refined and better able to home in on and identify infected systems’ communications so those systems could be targeted for remediation.

The noose tightened as our email systems were updated to filter out emails containing these payloads and prevent them from reaching employees.

Momentum mounted as our AV providers’ signature detection file sets caught up and became sharper and significantly more effective with on-system detection.

Fast responding network administrators were able to use the gathered incident intelligence and track down infected systems showing up in various reports and disable them from the networks.

Relentlessly persistent technical first-line teams were able to secure-wipe and reimage infected systems as they were detected and eventually return the users to production capability.

Passwords were changed and users of infected systems strongly encouraged to change any personal passwords as well if they had logged into any non-business secure websites – say online banking or bill-paying sites.

So here are some resources regarding this particular type of malware; it pays to know your enemy.

Constant Vigilance!

--Claus Valca

First (or Second) Pass AV/AM Scanner Tools

This past week at the church house, one of the secretaries reported some slowness on her system.

We did some troubleshooting and fixed a number of obvious issues, however the slowness persisted.

It was running Symantec AV and it had quarantined a few things. Those were deleted and removed, but time did not allow a second pass with a different AV/AM tool.

A few days later (and a few new SAV update packages later), Symantec reported that some more items had been detected and quarantined.

I wasn’t able to get back to the system but another IT administrator at the church house did. This time Symantec reported finding a possible threat called “Kaeria Dust Remover”.

The core file name was “mvsbtej.exe” and here is the limited information I was able to uncover:

To be sure things were cleaned, he installed (alongside Symantec) the 30-day trial of Kaspersky AV and kicked off a scan.

The user did report that once that malware was pulled off, the system performance returned to normal and things were so much better again.

While I don’t usually recommend installing more than one AV/AM product on a system at the same time (Malwarebytes excepted), if you aren’t planning on “nuking” a system (zero-out the drive and reinstall the OS from source disks), it is always good to run a second or third AV scan from a different AV/AM vendor on the system.

There are some “standalone\light-install” and “cloud” based AV/AM scanners that can be used independently of the primary AV/AM software installed on a Windows system. I find these provide the perfect solution for getting a second/third opinion on a system’s post-infection status. Download them, or copy them over to the system from a USB drive. Most do a temporary unpacking of the core scan engine files, may download the latest DAT files, and scan away. They typically quarantine anything they find, and you can then delete the files once everything is done.

Some other products pack the DAT files together with the scan engine. This can be handy if you don’t have a network connection either due to the attack or because you don’t want to place the system back on your network until you are sure it is remediated.

Then there are the cloud-based solutions that you can run, which upload the scan results to the vendor’s cloud server and match the files there looking for issues. These may have the benefit of using the newest signature detection patterns available.

And by being “standalone\light-install” tools, the impact/conflict with an already-installed AV/AM product might be minimized.

And here are some “cloud-based” AV/AM scanners. They typically still download some components to the local system before doing the threat-analysis work in the cloud.

For a deeper look


--Claus Valca

Lenovo Superfish – Cleanup in Seafood Isle Needed!

What a mess.

I guess there is something to be said about “clean” OS installs…even for brand-spanking-new hardware.

What I find interesting in this particular event (now that the initial dust seems to have settled) are both the analysis of the threat created and the removal techniques; especially the manual removal process.

For Cleanup

For Background

Better bring an extra mop…

--Claus Valca

Monday, February 16, 2015

Anti-Virus Software Update - GSD Thoughts

Quick post.

I’ve been doing some PC support for friends and family these past few weeks.

Some have had expired ($) AV products on their systems and weren’t getting current DAT downloads. Others were running good free solutions.

I’ve continued to use Microsoft Security Essentials on all our home systems coupled with a paid version of Malwarebytes Anti-Malware. I also run EMET so there is that.

I liked Bitdefender Antivirus Free when I ran it on my primary laptop at home for a while, but the whitelisting management was frustrating, particularly with my special tools that are often treated as PUPs.

So I pondered this How to Install Free, Effective Antivirus Software (for Beginners) - post at Lifehacker that recommended Bitdefender Free again for general users and Avast Free for advanced users.

I then encountered an installation of Avast (2014) Free that one of those family members had on a PC they brought me. I upgraded it to Avast 2015 Free so it was current and generally liked what I saw.

It seems like forever since I posted Freeware Anti-Virus Solutions for Windows, so that led to this updated quick-reference post for freeware AV solutions.

First, I recommend starting with the following resources to get some understanding of AV products and their general ratings/evaluations.

Neither of these will point you magically to the “perfect” solution, but it will give you some background on the lay-of-the-land across different AV vendor products.

My layered use of the following products meets my own household needs but may not be adequate for less-than-advanced users.

  1. Free Firewall Software by GlassWire - Monitors and logs network connections…more used for logging than “active firewall blocking”.
  2. Sysmon - Sysinternals core service to log application/network executions
  3. Enhanced Mitigation Experience Toolkit - EMET - TechNet Security
  4. Microsoft Security Essentials - Microsoft Windows - Core AV protection
  5. Malwarebytes Premium - Supplemental real-time AV/AM protection
  6. (Optionally) Malwarebytes Anti-Exploit - Free Zero-Day Exploit Protection - browser layer protection

However, if all this is too much, and I had to offer alternative AV/AM freeware products for family or friends, here is what I would go with:

I don’t tend to lean to the “Cloud-AV” protection camp, however, these cloud-based free AV/AM products might be worth considering.

Not directly related but I saw news this week that Google and Microsoft are working to create better whitelists for good files.

Constant Vigilance!

--Claus Valca

Virtual Grumbles

So I saw this past week that Oracle had come out with a new build of VirtualBox.

Downloads – Oracle VM VirtualBox - version 4.3.22

I’ve had some real headaches lately with recent VirtualBox builds so I should have known better.

The upgrade went first onto my “Alister” laptop and in less than a minute the update process had smoothly completed. That gave me hope and confidence.

Then I tried it the following day on my “Tatiana” laptop. That took over 15 minutes, (apparently) stalled update applications, one very exciting BSOD, multiple repair/install/remove routines, and significant banging of forehead on desk surface.

I did manage to get VirtualBox pulled off Tatiana, and to recover with no lingering harm from the BSOD, but as Tatiana remains my “primary” beloved system, VirtualBox is now “VERBOTEN” on Tatiana.

I do still need access to it on Tatiana, so I’m going to stick with VMware Player 6.0 only, which I’ve had no issues with, and run VirtualBox inside one of my tester Windows VMs.

It’s a long tail solution, but it’s the safest, and with an i7 processor, 8 GB of RAM, and careful selection of the VM RAM allocations, Tatiana should be up to the task.


--Claus V.

Presidential (Day) Sysadmin Links

Yes indeed. It is Washington’s Birthday (a.k.a. Presidents’ Day) here stateside.

So while I try to find balance on this odd day off (but on call), running errands around town, lightly blogging, and doing “honey-please-do-for-me’s” around the house, I thought I would “celebrate” by dropping some linkage for the sysadmin crowd.


I’ve been using a very old x64 build release with no issues, but decided it was finally time to go back to the updated x32 release line. So, Saturday I downloaded the FreeCommander PortableApps version and got busy rebuilding my FreeCommanderXE + Total7zip Plugin mods. Worked just fine when I was finally done.

  • DriverBackup! - SourceForge.net - New driver backup utility find.
  • Double Driver - BooZet Freeware - Old standby to backup and restore installed drivers.

I mention these because, while it is always a good idea to do a full system backup periodically and make sure you have valid OS re-installation media, the core installation media will not usually have all the custom drivers for your system, and unless you do a driver backup in advance, you will spend tons of time tracking down needed drivers when you restore your system. Just saying.

Looking at the Korora project got me thinking about the many, many Linux LiveCD and desktop projects out there. I recently downloaded a “lite” distro LiveCD to give to a family friend in case the old Windows (Vista) PC they pulled out of mothballs (when their primary system got handed to me for service) didn’t load. These are the ones that I recommend and carry an ISO for around with me; just in case.

  • PCLinuxOS - In KDE, LXDE, MATE, or “FullMonty” desktop editions.
  • Ubuntu PC operating system - Well rounded and very compatible.
  • Linux Mint - In Cinnamon, MATE, KDE, and Xfce versions
  • SymphonyOS - uses the Mezzo desktop
  • Kali Linux - Advanced Penetration Testing Distribution - Not for general users but is super-powerful when you need extra tools for sysadmin/sec work.


--Claus V.

SpeedyFox and Vivaldi browser

I use the freeware tool SpeedyFox from CRYSTALIDEA Software to keep my Firefox and Chrome/Chromium browser databases optimized.

Here is a link to SpeedyFox Portable hosted at PortableApps that I actually use.

So I was think-ing.

  1. SpeedyFox supports Chrome/Chromium browsers.
  2. The new Vivaldi browser I’m watching in development is based on Chromium.
  3. SpeedyFox doesn’t explicitly say they support Vivaldi, yet, but…
  4. SpeedyFox does support Chrome/Chromium based browsers.
  5. Vivaldi is based on Chromium.
  6. What happens if I just point SpeedyFox to the data profile store of my Vivaldi installation?

This happens.

  1. SpeedyFox recognizes the data store as “Chrome”, and
  2. It optimizes it with no fuss.


--Claus V.

Microsoft Patching Problems - Feb 2015 Edition

The SANS InfoSec community has been busy with notifications that some recent February 2015 Windows patches pushed from Microsoft are doing bad things.

The top link is the best for a quick rundown of the problematic patches and impacts.


Claus V.

Tiny iOS News - Outlook for iOS & Firefox mockup

I don’t think this update actually solves a core issue with the Outlook for iOS app. But it does signal to me that the development team for the product is at work so maybe a more secure solution could be coming, eventually.

The other thing (I think) I am waiting for is a Firefox app for iOS. Unfortunately, the way I understand it, third-party iOS browsers still need to use the browser rendering engine from Apple. So even though I use Chrome for iOS, at the core it is still powered the same as Safari for iOS.  Firefox has to comply as well.

There isn’t a good way to tell if the final product will look anything like these images. I’m not really certain I like the result; seems very busy with all the different modal views.

Still, I’ll give it a shot if/when the final product comes out.

I do like the Chrome iOS feature that allows me to synchronize my settings and bookmarks between the iPad and iPhone. That is handy and looking at one of the rows of screenshots, Mozilla will have a similar feature in their release.


--Claus Valca

Vivaldi browser - Snapshot release

If you have been following the development of a Chromium-based browser Vivaldi you may be interested to see that a new “snapshot” release is available.

Do note: the snapshots are even “fresher” versions of Vivaldi browser releases…and not the more stable “public” Technical Preview release version (currently available on the main Vivaldi browser page).

What I really like most about Vivaldi is the promise of an integrated bookmark side-bar in a Chromium browser engine. Something I find is a must-have due to my long standing use of that feature in Mozilla Firefox.

In my various GSD Vivaldi posts, I’ve mentioned the challenges of keeping a lookout for Vivaldi news and updates. I prefer to monitor them in my RSS feeds, but that hasn’t been easy with this particular project, requiring stops at multiple pages, forums, and blog sites to cover all the bases.

My first attempt to find a good RSS feed link was this Vivaldi.net - Featured entries page. Unfortunately it is a bit of a mess and my feed was filled with all kinds of random posts from various Vivaldi blog site bloggers. Most are in a foreign language. I don’t mind that specifically as I have more than a few native-foreign-language blog RSS feeds I follow, but I was constantly having to sort wheat-from-chaff with this RSS source.

The Vivaldi Team Blog held content on updates for the project more to my liking…but it doesn’t have an RSS feed link. Bummer.

However! I did find two key RSS feeds I could use for the material I was interested in by chasing down the category links:

  • Vivaldi updates - Snag the RSS feed this page offers specifically for Vivaldi update notices.
  • News - Snag the RSS feed this page offers for more general news postings on the Vivaldi project.

So anyway, there you go.


--Claus Valca

M7CL Word Clock Error

All week long the sound crew guys in the church-house have been troubleshooting an issue with our Yamaha M7CL-48 digital mixing board.

I’ve only got rudimentary skills for working the board, but it has a super-neat digital touch-sensitive display, lots of sliders, more than a few knobs, and lots and lots of blinky-lights.

Yamaha also offers a M7CL StageMix app for iOS that lets me adjust the computer sound output from my iPad without having to get up and walk over to the board itself. Handy the few times I have to perform double/triple duty running the projectionist PC, the video camera mixing board, and the sound board all at once.

Anyway, the mixing board was displaying a banner error message at the bottom of the digital display along the lines of there being a “word clock error”. The different sound board operators fiddled with it off-and-on during the week but weren’t able to clear the message. It didn’t seem to stop the board from otherwise working normally but was a nuisance when it rhythmically popped up.

So last night they were talking about it again and I just did a quick visual inspection “chasing the wires” and the various components.

I quickly noticed that our media input deck (CD track player unit, dual cassette deck player, and PreSonus Light Pipe unit) was powered off. Hmmm. I flicked the main rack on-switch and everything sprung to life.

And the error went away.

Turns out the digital sound mixing board was connected into the PreSonus FireStudio 32x32 ADAT Lightpipe unit so we can output into a different PC (oft forgotten) to do 32-track audio recordings directly to the PC for super-important audio captures. It eats up a LOT of HDD space with the files but is really cool if you want to do some serious audio-editing. Of course it is almost always forgotten as a capture source so recordings on it are few-and-far between.

I digress.

The board has been set up in such a way that it looks to the Lightpipe unit for the word-clock signal. No Lightpipe, and you get the word clock error on the mixing board display.

Case solved and black electrical tape has now been placed over the rack master power button to prevent accidental power shutdowns.


--Claus V.

Sunday, February 08, 2015

Links for the Sysadmin crowd

Here is the last push linkfest for the day.

Mostly geared to system administrators but – hey – who knows, even you might find something useful here!

Have a brilliant week!


--Claus Valca

Network Tools and Tips – Linkfest

Here are a bunch of tools and tips for you network support geeks.


--Claus Valca

System Stress Testing – 2015 Edition

Was it almost 5 years ago when I last posted some system stress testing tools? Wow!

grand stream dreams: System Stress Testing Suites

Since that time I still find myself reaching for specialized tools to stress test system hardware and components when troubleshooting a system.

Being able to stress a system when you are looking for performance or stability issues is critical. Having tools that you can run while monitoring the system are super-useful to see if you can force a problem to exhibit or if you want to be certain your solution has fixed the issue.

Back in the day, I recommended Bart's Stuff Test 5 but it doesn’t say it supports “modern” Windows systems any longer.

Funnily enough, this post What is New in Windows Application Execution? from the SANS Digital Forensics and Incident Response Blog jogged my memory when it mentioned a new-to-me SuperFetch parsing tool.

That tool doesn’t necessarily apply here, but the developer TMurgent does provide a ton of updated free tools that fit great with performance testing and stressing Windows systems.

New and Updated (Free) Tools – Confessions of a Guru blog

Performance tools – TMurgent Technologies

Here are the other stress testing tools I keep on my USB stick:

More sources where I found some of these tools listed:

In addition to these Windows platform tools, LiveCD packages are available to boot your hardware system with a Linux-based OS and run additional stress test suites.

Happy Stressing!

--Claus Valca

New Software Finds – late edition

Honesty in blog titles here. Most of these finds came in late last month.

Turn ordinary photos into panoramas with Image Composite Editor updates from Microsoft - Next at Microsoft

The interface is seriously updated!

New ICE version 2.0.2 below


Old ICE version 1.4.4 below


If you do find you pine for the older version 1.4.4 version, Download.com has the older versions still available for now.

More fun tools and utilities

Note: I’ve long been a fan of, and used, eXpress FreshFiles Finder (XFFF) to accomplish the same thing. However, Recent File Seeker seems to support some more advanced search options and is a more sophisticated utility.


--Claus Valca

Misc PXE/USB/HDD booting tips and tricks – Linkfest

Here is a mini linkfest of articles I have collected over the past month.

They generally deal with “specialized” booting of Windows systems.

Note: I love Kanguru flash drives, primarily because of the physical read/write lock switch their models provide. It is IMHO a must-have when responding to incidents or cleaning infected systems.

The last link above is more of a product announcement but it does claim to address one new trend in USB technology – BadUSB attacks where the USB firmware is compromised when the USB stick is attached to an infected host. What I don’t know is if their FlashTrust technology still allows the drive to be configured as a “bootable” USB drive or not. I’ve found that some natively (firmware/hardware based) encrypted USB flash drives cannot be used as bootable USB drives for – say – WinPE building and boot usage.

I don’t have a Kanguru FlashTrust drive to test drive or review for you but I’ll be looking to add one to my collection since my trusted 16 GB Kanguru Flashblu II 2.0 device is getting filled close to max capacity. This new USB 3.0 drive looks really nice and a 32 GB version should do nicely.


--Claus Valca.

Getting at your Windows 8 OS key

This was new to me!

Up until a few weeks ago, my experience with Windows license keys has been either to get it in the retail box, access it from the COA sticker on the OEM PC case, find it on the underside of the laptop or in the battery well. Of course if you are doing an enterprise-wide deployment you probably already know your volume activation product key as part of your support documentation.

But where do you find the OS license key on a Windows 8 system?

Turns out, it goes along with something I had missed during the Windows 8 rollout – the key is now typically embedded in the BIOS of modern OEM system boards rather than printed on a sticker.

If you haven’t run into this problem because your Win 8 systems are running fine, then there is a good chance – like me – your first introduction to this new model can be a bit shocking.

If it is an OEM purchase (Dell/HP/etc.) then you probably won’t find it on a sticker any longer; however, you can use NirSoft’s ProduKey to get it beforehand for archival purposes in case you need to reinstall the OS.

This happened to a co-worker, so here are the specifics.

The user had purchased an OEM Windows 8 system from a big-box store. The HDD had failed miserably so there was no chance of even trying to get the key from the OS using ProduKey.

The user didn’t have any system restore or OS restore disks. And you can’t easily download the Windows OS install disks from DigitalRiver like you can for Windows 7 OS systems.

Option 1) – Build a WinPE boot disk and then download RWEverything | Read & Write Everything utility and stick it on a USB key. Then boot the (former) Win 8/8.1 system with the WinPE disk and run the RWEverything app from the USB to access and note the Win 8/8.1 BIOS-embedded OS key. Then download the Windows 8/8.1 ISO file from Microsoft and use the recovered key to enable the download to occur.

Option 2) – Download the Windows 8/8.1 ISO file and use the appropriate Windows 8/8.1 “trial” key to get the ISO file. Then when you go to activate the product, it should pick up the original OEM key embedded in the BIOS.

Option 3) – Just download and build a Windows 8.1 installation set using the Windows Installation Media Creation Tool. Boot the impacted system, install Windows, once running it should pick up the BIOS embedded Windows 8/8.1 license key and keep moving.

Because my friend already had a WinPE-based boot disk, he went with Option 1 and was eventually able to download the Windows 8 ISO files needed to set the system up, activate it again, then spend tons of time trolling the OEM’s site downloading the additional custom drivers needed to clear the issues in the device manager. It was a hassle but it was possible.

So now I have backed up Lavie’s newish Dell laptop Win 8 key to save future headaches. And I have stowed a portable version of RWEverything on my WinPE bootable service USB stick.
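For the proactive backup step, here is an added example that is not from this post or from Philip Yip’s guides: it reads the firmware-embedded OEM key through the SoftwareLicensingService WMI class instead of RWEverything, so it only works on a running Windows 8 or later install (not from WinPE on a dead-disk system, where the Option 1 route above still applies); the output path is an assumption.

```powershell
# Added example (not from this post): archive the OEM product key that Windows 8/8.1
# stores in the system firmware, along with the machine identity, before the disk dies.
# Needs a booted Windows 8 or later install; the WMI class is not available in WinPE.

function Get-FirmwareProductKey {
    $svc = Get-CimInstance -ClassName SoftwareLicensingService -ErrorAction Stop
    $key = $svc.OA3xOriginalProductKey
    if ([string]::IsNullOrWhiteSpace($key)) {
        # No firmware key: retail or volume-licensed install, or a pre-Windows 8 board
        return $null
    }
    # Sanity check the shape: five groups of five letters/digits separated by dashes
    if ($key -notmatch '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$') {
        throw "Unexpected product key format: $key"
    }
    return $key
}

function Export-FirmwareProductKey {
    # Assumption: where the backup record is written; keep this file off the machine it describes
    param([string] $Path = "$env:USERPROFILE\Desktop\oem-key-backup.csv")
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    $record = [pscustomobject]@{
        Collected    = (Get-Date).ToString('s')
        ComputerName = $env:COMPUTERNAME
        Manufacturer = $sys.Manufacturer
        Model        = $sys.Model
        BiosSerial   = $bios.SerialNumber
        ProductKey   = Get-FirmwareProductKey
    }
    # Append so one file can hold a record for every machine you service
    $record | Export-Csv -Path $Path -Append -NoTypeInformation
    return $record
}

Export-FirmwareProductKey | Format-List
```

The key is a licensing secret, so move the CSV to offline storage rather than leaving it on the desktop of the machine it came from.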

More resources and references for Win 8 BIOS-embedded keys, key recovery tools, and Windows 8 ISO download links and trial keys.

Super-special hat tip to Philip Yip who produces amazing Windows support guides over on his Unofficial Windows Guides blog. Extensive documentation and support material is there – very well organized – a must-bookmark site for anyone supporting Windows OSes.


--Claus Valca

Shade-tree Saturn Ion Mechanic Tips #1

Wow. I just realized that about eleven years ago to the month I purchased a brand new Saturn Ion 3.

It was involved in one rather substantial front-end collision (I was stopped at a stop-sign and a collision in cross-street traffic spun a vehicle into mine). Repaired.

It was involved in one rather substantial rear end collision where two drivers coming off pit row…no wait…where two drivers merging onto the freeway via an on-ramp where traffic was stopped crashed into each other, and pushed into my stopped Saturn. Repaired.

I’ve been tagged from behind a few more times by other drivers where after consultation with the responding officers and the driver that rear-ended me, we all decided to call it a “tap” and call it a day. No harm no foul.

It has seen a few recalls, something with bushings, something with headlamp wiring harnesses, and just this past week or two, the ignition switch.

I decided to “punt” and let the dealer service department fix the issue with the driver/passenger door locks. Turns out (both sides) that it was the connecting rod from the main electronic switch assembly to the lock cylinders that had come loose and was obstructing my power window travel up and down (and inside lock latches). That is a cheap part and can often be fixed with some pliers. Unfortunately, in my case, when it broke it tore the connecting plastic to the lock cylinders. Those had to be replaced and they were not cheap. And then the labor costs!

I am not a mechanic but am pretty handy. I’ve pulled motors and transmissions before and have regularly changed belts, plugs, starters, alternators, and pumps. Unfortunately, major service just isn’t practical as the neighbors around the Valca micro-ranch generally frown upon major vehicle repair during daylight or nighttime hours.

However, I’ve decided that I really want to continue in a long-term relationship with the Ion so I’m regaining my confidence in fixing more of its parts.

Take for instance the side-door rear-view mirrors.

To do the door lock/cylinder repair work, the dealer shop had to remove the side mirrors and the door panels.

Only on the driver’s side, they failed to reinstall the side-view mirror properly and there was a 1/4” gap at the leading edge to the window frame. Sure I could have taken a few hours off work, driven half-way across the Houston-Metro area back to the dealership, and gotten “warranty” service for shoddy craftsmanship, but hey…today was a sunny day!

I was all-in for the challenge of refitting the side mirror mounting to restore the fit.

The mirror unit was firmly attached to the door frame and there was no chance of firmly pushing it back into place without some disassembly work.

I’d already done research a few months ago on how to remove the door panels when I debated taking on the door latch rod repair, so I was already familiar with the general process.

A simple search and I had found some specific videos regarding the side view mirrors as well.

Those gave me the remaining info I needed, though the detailed close-up views are a bit lacking in the videos.

So here are some up-close photos just in case someone needs to reference them.


First remove this plastic panel piece. You can do it with your hands. Pull (peel) it down from the top. There is a single metal clip holding it in place up in the top left 3/4 area. The bottom edge has some plastic tabs that hook into the inner door panel, so don’t pull/pry from the bottom or sides. Peel-pull it downward. If you must pry, do so from the top and use a putty knife to avoid messing up the plastic trim edge. After a little bit of firm resistance the clip released and it popped right off in my hands.

Behind it you will see a foam sound deadening insert that can be removed by gently pulling on the finger holes.  You will see also where the mounting clip slot is so that is why you want to focus your pull at the top and not the bottom.


Here are the parts removed.


Now you can see how the side-view mirror mounts with three attachment bolts and nuts.


It is simply a matter of gently removing the nuts from the bolts; being VERY careful to not drop them into the door when removing.

What I found was the cause of the 1/4-inch fitting gap in my case was the third bolt to the right.

What happened is important to understand.

When the mechanic attempted to back off the nut, it seems to have been stuck tightly to the bolt. This caused the nut to remain fixed. The back-side of that bolt is actually a wide-threaded screw similar to what you might find when you assemble furniture from IKEA. That wide thread on the back-side screws into a plastic post on the side-view mirror.

In this case, the nut didn’t budge from the post but actually backed the rear screw out of the plastic post. When the mirror was reattached, the mechanic failed to realize (or care?) what had happened, so the screw never went back into the post and stood proud of it, keeping the mirror housing about 1/4-inch forward of the door frame! Nice.

Rather than bust the plastic post, I gripped the bolt stud tip with some vice grips (it has a handy star end likely used to screw the bolt into the plastic in the first place), and then used my crescent wrench to break the seized nut loose so I could then remove it and clean the post with a wire brush. Don’t forget you are dealing with plastic posts on the hidden side, so hand-tighten the nuts on the posts right up to the metal door frame surface, then turn them just a bit more with the wrench and don’t over-tighten or you might crack/break the plastic posts they screw into!

Close up view below from the inside.


Once I had the post issue repaired, I just positioned the mirror back in place and made sure it was fitting tightly against the door frame as it should have been.

I retightened the nuts on the posts by hand and then just a 1/4-1/2 turn more with my wrench and it was done.  Replaced the foam insert and snapped the cover in place.  Repair done and no more gap. See the very first photo in the series for the final result.

Total service time, probably about 10 minutes because I was being careful.

Surprisingly (or not I guess) you can even pick up replacement Ion side view mirror parts on Amazon.com. I didn’t need one but if you break your plastic mounting posts you might.

Amazon.com: 2003-2007 Saturn Ion 4-Door Sedan Power Without Heat Black Textured Non-Heated Rear View Mirror Left Driver Side (2003 03 2004 04 2005 05 2006 06 2007 07): Automotive


--Claus Valca

Fallout continues on the Outlook mobile app

I didn’t really bring my waders out so I’m remaining on the bank for now but here are some updates to the Outlook (Acompli-based) mobile app chatter.

If you are new to the discussion…maybe refer to this past GSD post: Outlook iOS App – Nice try but with caveats

First, Microsoft has released an update to their app to bring it to 1.0.2. Mostly UI and some feature/bug fixes.

OK, René Winkelmeyer hasn’t had any new blog posts on the subject, but remains very (kindly) engaged in the comments on his last blog post on the issue; Updates on the latest Outlook iOS App issues. So keep dropping in there for now to see where the discussion is going.

Apparently the European Union Parliament's IT department has decided that the Outlook app isn’t ready for prime-time use by its supported user base.

My 2¢ ?

I continue to use it on my personal phone with a throwaway Outlook.com account just to use for testing the app. I’m still not using it now for any of my core personal email accounts, nor would I even consider using it – no matter how much better the GUI is than the stock iOS mail app – on my work-issued & MDM administered phone.


--Claus Valca

New Vivaldi TP release + Miscellaneous web browser bits

Last week I posted about a new Chromium-based web-browser that has an integrated bookmark side-bar like Firefox.

It doesn’t seem to have an (active) self-updating feature yet, so how does one tell if/when to update?

It appears that for now you have two options:

  1. Monitor the Vivaldi Forums – and look for a new topic post announcing a release update, or
  2. Monitor the Vivaldi.net blog – and look for a new blog post announcing a release update.

Had you done either this week you would have seen a new Technical Preview version came out.

  1. Vivaldi Forum - Topic: Feedback for Weekly build (1/7)
  2. First Snapshot Vivaldi - Vivaldi.net blog

Vivaldi - Download

I did find this part interesting, after downloading the updated setup file from Vivaldi, I was curious how it would handle the updating of my standalone version.  When I clicked the “Advanced” button after launching the installer, I found it had already pre-populated the values to use my previous standalone location and settings.  That was kinda nice…though it would have been nice to give me a tip that it already had it covered.

Update install went smoothly and preserved all my limited customizations.

Lavie’s frustration with Firefox has been growing. She is one of the many web-browser users who opens new tabs for all the links she wants to get to read (eventually) but doesn’t bookmark them. So when the browser crashes (as it inevitably will do), sometimes she cannot restore her session and she loses those open tabs since we apparently don’t have the Session Manager Add-on installed on her system. She liked Chrome but the lack of a bookmark sidebar really frustrated her (like me) and the many tab-bar add-ons for Chrome just didn’t satisfy the same experience we like for the bookmarks side bar presentation in Firefox.

So fingers are crossed that Vivaldi will mature quickly and be ready for some prime-time usage once it pushes past the technical preview stages.

In other browser news, chron.com’s TechBlog writer Dwight Silverman recently encountered browser-malware distribution hijacking from an unexpected source, the Chrome Sync feature!

Mr. Silverman’s approach to remediation was pretty straightforward, uninstall the core problem app via the Windows “Programs and Features” list, then do some scans with Microsoft Security Essentials and Malwarebytes.  Some more uninstall work was required on the Macbook Pro and a Google browser “settings reset” brought the Google browser back to a clean state.

Don’t forget for Windows users, Google also provides their Software Removal Tool to clean up their browser from malware that is entrenched in the Chrome browser/system. I’ve used it on a few systems that had both Chrome and malware but whatever it looks for didn’t get an alert.

The takeaway?

Beware of browser sync features…they could cause more issues than you would expect across synced platforms. All it takes is one water-hole poisoning and everyone who drinks from it can get sick.

Moving on…

It really isn’t a secret, but few non-technical AdBlock Plus users realize that it uses a whitelist that some companies have paid to be included on so that “non-intrusive ads” can continue to be served, bypassing the normal protections offered by AdBlock Plus.

What's the point of AdBlock Plus if Google, Microsoft and Amazon can pay to bypass it? – Brian Wilson – BetaNews

My personal experience is that 1) I already knew about this so I am not shocked and, 2) the effect of leaving the feature enabled for my browsing experience has been negligible so far.

However, if 1) you did not actually know about this and, 2) you either want to disable this feature or understand it more for yourself – see the pile of links below.

Stay informed!

--Claus Valca