Why can't we pay attention to FB hacking warnings?

People do hack FB profiles, it happens every day. They often do it by inducing the target user into clicking a link that can steal their login information in any number of ways. This happens. It's a Big, Bad Internet, and in all likelihood at some point you will:

This sort of thing happens every day, to all of us. There are people deeply involved in network security who accidentally click some link and their profile gets hacked.

Occasionally, you see status updates like this:

BEWARE ATTENTION: THE HACKERS ARE PUTTING SEXUAL VIDEOS TO YOUR NAME IN THE WALLS / PROFILES OF YOUR FRIENDS WITHOUT YOU KNOWING IT. YOU DONT SEE IT, BUT OTHER PEOPLE CAN SEE IT, AS IF THESE WERE A PUBLICATION THAT YOU MADE! ALSO, THEY'RE SENDING INBOX MSGS TO YOUR FRIENDS ASKING YOU TO CLICK A LINK. DON'T DO IT!! SO IF YOU RECEIVE SOMETHING FROM ME ABOUT A VIDEO OR A STRANGE INBOX MESSAGE, IT'S NOT ME! copy this in your wall. It is for the security of YOUR OWN IMAGE!!! And REPORT IT!!!!! ALSO IF U ARE ASKED TO VOTE ON A PICTURE. DO NOT GO & VOTE: IT'S A HACKER!! POST THIS TO YOUR WALL FOR YOUR FRIENDS

There are so many problems with this they're hard to count. It's no different from a chain email warning of some vague threat from some somewhat familiar antagonist, like FEMA camp emails. It's so vague as to be meaningless, and just screams BE AFRAID literally as loudly as possible. ZOMGFEMAGONNATAKEAWAYMYGUNSANDLOCKUPOURFAMILIES.

ZOMGHACKERZONTHEINTERNETSWTFBBQ.

There are legitimate people doing hard work daily to make web browsing safer for everyone. These sorts of ridiculous "warnings" do a serious disservice to everyone in the community and lowers awareness among those people we should all be trying to reach. The more people keep re-forwarding this stuff, the more it becomes just "noise", and people start paying even less attention to their security than ever. People see this stuff as 2012 Mayan calendar doomsday predictions, as urban legends, and as plain SPAM, and tune it out, and they're not wrong to do so.

Real threat alerts look much more like this (from the NIST CVE database for CVE-2011-2383):

Vulnerability Summary for CVE-2011-2383
Original release date:06/03/2011
Last revised:09/27/2011
Source: US-CERT/NIST

Overview:
Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

Impact:
CVSS Severity (version 2.0):
CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Allows unauthorized disclosure of information

What that means is "Someone can steal your cookies, and can gain lots of information about you, including usernames, passwords, session IDs".

You'll see that the CVE ticket is pretty dry, considering the potential impact, but they have lots of corroborating evidence, even videos to show you how easy it is to accomplish. And all they have to do is get you to click on a link.

The point is to always be aware before clicking on anything. If something is unusual, or sent by someone you almost never hear from, don't click it. If it's misspelled, has bad grammar, ALLCAPSALLTHETIME, don't click it. If you really, really just need to see what some near-stranger who can't spell needs you to click on so badly, then you should be aware of the risk you're taking.

For what it's worth folks; I'm unlikely to send you a link to porn, unless I'm really, really drunk. If I do, you I'll just go ahead and apologize now.

People noticed I seemed kind of testy for on-vacation-guy last week, here's why.

We got to the hotel at 10:30am, so effectively 5:30 EST. Our room wasn't done,so we walked around and waited for my mom's plane to land. We didn't want to get too far from the hotel in case my mom showed up, which she kept not doing, so we started to get kind of worried. Around 1 we decided to just hang out in the lobby and wait for the room. I slept, Natalie walked around some more.

Our room was ready at 3 and we went upstairs. I went to plug in my laptop and stuff and get set up and realized I'd forgotten our power outlet converter, so we took the one from the minibar for the low-low price of £11.50. Plugged my power strip into that, plugged the converter into the wall, and all the electicity fell out all at once. My power strip was on fire and smoke coming from the receptacles. I guess "surge protector" isn't all that accurate, since it didn't just flip. Then we noticed that as we would turn off lights, they stopped coming back on again, so not only did I flip the circuit breaker for the outlet I was using, all the rest of them started popping too.

So we went to the desk and they sent maintenance up. It was right around this point that I noticed the very fine print on the converter that said "this is not a transformer, you still need that".

Also, we found a regular 110v outlet, not located where the UK and Euro ones were, but under the desk, behind the bed. Unfortunately it didn't work. Maintenance came and just reset breakers and got the UK power back, though the 110 didn't work, and stayed not-working the rest of the trip. Luckily both my laptop and camera battery chargers will do 220v, unluckily, Natalie's camera battery charger does not. We were told we could have a knock down transformer for the duration of the stay, but it never showed and the reception desk staff seemed to have all the engineering acumen of a 6 year old blonde girl, so we didn't push the issue.

It was around this time that my mom finally showed up. We knew her flight had been pushed 3 hours, they called her at home before she ewnt to the airport. What we didn't know was that when they finally boarded, they sat at the gate for 7 hours in Charlotte before finally taking off at ~4am EST.

At least her room had partially-working 110 that we could use to charge Natalie's batteries.

Dinner was shitty chain Italian, I had a pretty inexcusable steak, and left my hat, never to be retrieved because I didn't want to go in that building ever again for fear that I might demonstrate to the cook how to make a rare steak. Grab him by the neck, put his face by the grille and say "SO DO YOU WANT TO BE 'RARE'? OR DO YOU WANT TO BE WHAT YOU DID TO MY STEAK"?

Power was a running joke through our stay. Days 2 and 3 we also lost power to the room. There is no way that was all my doing.

I have a bash script on my work Mac which creates an ssh tunnel to my home machine, then runs the Mac ScreenSharing.app VNC client so I can VNC home without opening VNC externally. All this works great with key based auth and stuff for the ssh session, so I just get a login prompt for the VNC session and I'm on my way.

At the end, I try to have it clean up after itself, I've tried using waits and then killing the PIDs associated with things like the tunnel, so when Screen Sharing closes, it tears down the SSH tunnel.

The one thing left is that it opens in a Terminal.app window, which it leaves behind at the end with a [process completed] message. I'd love to be able to kill that window, but I can't tell what PID is associated with that specific window, so I'm left with just closing it later. It's no big deal, but it's just an annoyance.

I have it killing the PID of the bash shell it's using, but the window itself remains...

#! /bin/bash

for pid in `ps -A | grep localhost\:5901 | grep my-home-machine | awk '{print $1}'`
do
echo $pid
kill $pid
done
ssh -c arcfour,blowfish-cbc -N -L 5903:localhost:5901 xrayspx@my-home-machine &

sshpid=`jobs -p`
echo $sshpid
shellpid=`echo $$`
echo $shellpid
sleep 5

/System/Library/CoreServices/Screen\ Sharing.app/Contents/MacOS/Screen\ Sharing /Users/xrayspx/Launchers/vnc--127.0.0.1-5903.inetloc

#kill $sshpid
kill $shellpid

FIXED:
There is a setting in Terminal.app's preference to close windows when the shell exits cleanly, takes care of that. It's the next best thing to not having the terminal window open at all.

Thanks Matt!

I've spent some time with the Asus EEE 1006. It was one of those almost there, maybe if I tweak... situations, and I've given up wasting time tweaking.

I have replaced it with a Lenovo X60, which has proved itself capable of 1080p fullscreen video with no issues. The Lenovo has a dual core Centrino Pro 2.0Ghz, more memory (4GB), just as quiet at least as far as I can hear, which is not very well. I threw a couple of large MKV files at it, played them flawlessly in the player of my choosing (VLC), which can't be said of the Asus.

When it's all said and done, I believe the real problem is driver support. The Asus (like the Lenovo), has a Radeon Mobility card. The problem here is that ATI does not release current reference drivers for their Mobility series due to pressure from laptop manufacturers. Unfortunately this means that features which work on a desktop part, like VLC GPU acceleration aren't available because the drivers are years out of date. The Lenovo can make up for this, just barely, with CPU power, the Asus, with its single core CPU, could not. NVidia seems not to restrict their driver releases in this way, so probably another Asus with an NVidia card would have worked just fine.

I believe that I'll stick with the laptop for a while until manufacturers start shipping reasonably powerful small PCs with BluRay drives. Hello! Apple! Asus! You listening? What the hell!

So now I have a EEE that does nothing. I think I'm going to use it to replace my Mac Pro as "Unixy machine I can get to from outside and test crap". We use the Pro rarely enough that having it sleep most of the time will probably make a pretty huge dent in the power bill. Maybe it will be enough to justify another EEE or Mac Mini in a few months when/if they include BluRay.

IPv6

There has been a lot of chatter on the CentOS list lately regarding the ups and downs of IPv6. It has not quite boiled down to a flame war yet, but now is a good time to start distilling down what everybody has had to say.

To start, what IS IPv6? Simply put, it is a newer implementation of IP addressing that allows for many more hosts, as we have been running out of IPv4 addresses and will come to the end shortly. In fact, it allows for more than 2^95 or 5x10^28 addresses per person alive on planet earth today. "Overkill!!!" you might exclaim. In the 70s, when IPv4 was designed, and there were less than 1000 hosts internetworked, you would have said the same thing about the mere 4 billion addresses allowed in that system. In an age where having your toaster internet accessible is not unheard of, you'd be surprised at how many you might use.