
Internet

xrayspx's picture

Presidential Candidate Questions

There are several pointed questions I'd like to see people ask our presidential candidates. I'm going to start a list below, if anyone goes to an event, and can get one of these off before being tossed out, I'll buy you a coke. If it gets a reasonable answer, I'll buy you two cokes. If anyone has anything to add, tell me and I'll add it.

I'm going to do them by issue type and candidate, I guess. Most of them are probably pretty interchangeable. I started thinking of these in the context of "questions I would want to ask Rick Santorum", so I'm starting with him.

Civil Rights / Social issues

Rick Santorum

  • Make a case against gay marriage that wasn't also made against interracial marriage
  • ...Or in defense of slavery for that matter
  • Give three non-biblical reasons to prevent two consenting adults from marrying the person they love.
    Note: Dogs cannot enter into contracts. Neither can minors. Don't let him pull that pedo/bestial nonsense. No state with legal same-sex marriage has 4 partners getting married, or people marrying dogs or children.
  • Ask why his wife's abortion was more moral than any other doctor trying to save a mother's life

Fiscal Issues / Debt & Deficit Reduction

Newt Gingrich

  • You're very focused on Food Stamp and welfare reform. Can you address your position on farm subsidies, which take the form of direct handouts to farmers and result in artificial price inflation at the point of sale for consumers?

National Security /

Barack Obama

  • Please justify the targeted killing of an American citizen without due process of law in the case of Anwar al-Awlaki. -- I get that there are bad people, and bad people must be stopped, but there is a world of difference between targeting a camp in which there may be a US citizen and targeting that individual. If they can target him for death, they can target him for capture and repatriation to face a court.

Ron Paul

  • Are you really this fucking nuts, really?
    Once again with security Spam

    Why can't we pay attention to FB hacking warnings?

    People do hack FB profiles, it happens every day. They often do it by inducing the target user into clicking a link that can steal their login information in any number of ways. This happens. It's a Big, Bad Internet, and in all likelihood at some point you will:

  • Have your bank information stolen
  • Have your FB, Twitter, etc. account password stolen
  • Have your machine used in a botnet, used as a spam relay, or hacked in one of countless other ways

    This sort of thing happens every day, to all of us. There are people deeply involved in network security who accidentally click some link and their profile gets hacked.

    Occasionally, you see status updates like this:

    BEWARE ATTENTION: THE HACKERS ARE PUTTING SEXUAL VIDEOS TO YOUR NAME IN THE WALLS / PROFILES OF YOUR FRIENDS WITHOUT YOU KNOWING IT. YOU DONT SEE IT, BUT OTHER PEOPLE CAN SEE IT, AS IF THESE WERE A PUBLICATION THAT YOU MADE! ALSO, THEY'RE SENDING INBOX MSGS TO YOUR FRIENDS ASKING YOU TO CLICK A LINK. DON'T DO IT!! SO IF YOU RECEIVE SOMETHING FROM ME ABOUT A VIDEO OR A STRANGE INBOX MESSAGE, IT'S NOT ME! copy this in your wall. It is for the security of YOUR OWN IMAGE!!! And REPORT IT!!!!! ALSO IF U ARE ASKED TO VOTE ON A PICTURE. DO NOT GO & VOTE: IT'S A HACKER!! POST THIS TO YOUR WALL FOR YOUR FRIENDS

    There are so many problems with this they're hard to count. It's no different from a chain email warning of some vague threat from some somewhat familiar antagonist, like FEMA camp emails. It's so vague as to be meaningless, and just screams BE AFRAID literally as loudly as possible. ZOMGFEMAGONNATAKEAWAYMYGUNSANDLOCKUPOURFAMILIES.

    ZOMGHACKERZONTHEINTERNETSWTFBBQ.

    There are legitimate people doing hard work daily to make web browsing safer for everyone. These sorts of ridiculous "warnings" do a serious disservice to everyone in the community and lower awareness among the very people we should all be trying to reach. The more people keep re-forwarding this stuff, the more it becomes just "noise", and people start paying even less attention to their security than ever. People see this stuff as 2012 Mayan calendar doomsday predictions, as urban legends, and as plain SPAM, and tune it out, and they're not wrong to do so.

    Real threat alerts look much more like this (from the NIST CVE database for CVE-2011-2383):

    Vulnerability Summary for CVE-2011-2383
    Original release date: 06/03/2011
    Last revised: 09/27/2011
    Source: US-CERT/NIST

    Overview:
    Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

    Impact:
    CVSS Severity (version 2.0):
    CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Impact Subscore: 2.9
    Exploitability Subscore: 8.6
    CVSS Version 2 Metrics:
    Access Vector: Network exploitable
    Access Complexity: Medium
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information

    What that means is "Someone can steal your cookies, and can gain lots of information about you, including usernames, passwords, session IDs".

    You'll see that the CVE ticket is pretty dry, considering the potential impact, but they have lots of corroborating evidence, even videos to show you how easy it is to accomplish. And all they have to do is get you to click on a link.

    The point is to always be aware before clicking on anything. If something is unusual, or sent by someone you almost never hear from, don't click it. If it's misspelled, has bad grammar, ALLCAPSALLTHETIME, don't click it. If you really, really just need to see what some near-stranger who can't spell needs you to click on so badly, then you should be aware of the risk you're taking.

    For what it's worth, folks: I'm unlikely to send you a link to porn, unless I'm really, really drunk. If I do, I'll just go ahead and apologize now.


    Hey Hey RSA

    Today I got a customer satisfaction survey from EMC. It was specifically about RSA and how we like their products and the company in general. Cynically, I have to believe that it's not entirely a coincidence that they did this survey during BlackHat & DefCon because, well jeez maybe because half of the people receiving this aren't even in their home fucking state? There was a comment field to one of these asking "why do you feel this way". All I could muster was that they utterly blew it with me when they didn't immediately own up to what we all knew from day one: That their "Two Factor" auth SecurIDs were really now "One Factor" auth.

    It's not gone well:



    Yay Yay RSA!

    The key point I took away from RSA's communications today is that all implications are that it's likely their token seed database was taken and that token codes are predictable, and may be able to be matched to customers.

    They didn't say this, clearly, but every action they suggest to mitigate risk points to the fact. The mitigation steps they give are:

  • Consider changing PINs
  • Remove all remote access from your Auth Management servers. This was key, they said "turn off telnet, ftp, yadda yadda", but they also said "disable ssh". Meaning you should only be able to login from the console, period.
  • Watch for strange access elevations of users that would put them in a group that can see the database mapping tokens to users/PINs
  • Evaluate and audit your helpdesk procedures to make sure your helpdesk folks aren't potentially leaking information that could be valuable in an attack. So if your Helldesk people are chatting with users, they might tell that user slightly more than they need to know about our auth process or other salient fact that could be combined with other information to escalate access.
  • Institute training on social networking and make sure both your Helldesk staff and userbase are always on their toes and verifying who they're talking with.

    Those glaringly point to the possibility that the only thing protecting clients are their PIN codes. If someone has a predictable database of token codes, what do they need to attack to gain access? PINs. What are we told to protect to our last breath? The database of PINs on the Auth Management servers and stop Helldesk people blabbing about things users don't need to know. Also, stop Helldesk people resetting PINs for folks. Scenario:

    Caller: Hi this is Bob, I can't log into the VPN.

    Helldesk: Are you sure you're putting the token code in right, can I have the Serial?

    Caller: Sure, serial is 928374

    Helldesk: Have you checked CAPS lock, blah blah num lock etc, yadda yadda

    Caller: I know I'm putting the token code in right, can you reset my PIN?

    Helldesk: sure

    pwnd.

    RSA are saying that the data which was copied "cannot directly lead to a compromise, but can lower the effectiveness of current two-factor auth deployments". The only thing that can mean is that those deployments are now actually one-factor deployments.

    With a 4-digit PIN, they have lowered the attacker's odds from 1 in 10,000,000,000 per guess, and only within the 60-second-or-so window before the token code changes, to a 1 in 10,000 chance over a much more manageable timeframe, since the attacker no longer has to worry about the code rolling over.

    Even in the case that you have token lockouts after a certain number of failed attempts, this also appears to be time-sensitive. In tests, I went 4 or 5 failed attempts past the limit on a test device, then entered my PIN correctly, and it let me in. 2 minutes later, my token was locked out. So it seems it does not lock immediately on the 6th failed attempt if you have max failures set to 5. If that's actually the case, then an attacker could try their 10000 PINs in a very short period of time and perhaps squeak in before they get locked out.
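    To make the post's two observations concrete, here is an added example (not RSA's code, and not the author's) that models the lockout behaviour seen on the test device beside a lockout enforced inline before the PIN is compared, plus the per-guess odds with and without a predictable token code. MAX_FAILURES, the account name and the PINs are constructed to mirror the post.

```python
"""Two lockout policies side by side. LazyLockoutServer counts failures
but only applies the lock in a later sweep (what the test device did);
StrictLockoutServer checks the counter before comparing the PIN.
Constructed model, not RSA code; MAX_FAILURES = 5 mirrors the post."""
from dataclasses import dataclass

MAX_FAILURES = 5


@dataclass
class Account:
    pin: str
    failures: int = 0
    locked: bool = False


class LazyLockoutServer:
    """A correct PIN submitted after the limit but before sweep() runs
    is still accepted: the lock is decided out of band."""

    def __init__(self, accounts):
        self.accounts = accounts

    def login(self, user, pin):
        acct = self.accounts[user]
        if acct.locked:
            return False
        if pin == acct.pin:
            return True
        acct.failures += 1
        return False

    def sweep(self):
        # The '2 minutes later' job that finally locks the token.
        for acct in self.accounts.values():
            if acct.failures >= MAX_FAILURES:
                acct.locked = True


class StrictLockoutServer(LazyLockoutServer):
    """The counter is consulted inline, so the (MAX_FAILURES + 1)th
    attempt is rejected no matter what PIN it carries."""

    def login(self, user, pin):
        acct = self.accounts[user]
        if acct.locked or acct.failures >= MAX_FAILURES:
            acct.locked = True
            return False
        if pin == acct.pin:
            acct.failures = 0
            return True
        acct.failures += 1
        return False


def lockout_test(server_cls, extra_wrong=4):
    """Repeat the post's experiment: go past the limit with wrong PINs,
    then submit the right one. Returns whether it was accepted."""
    server = server_cls({"bob": Account(pin="4321")})
    for _ in range(MAX_FAILURES + extra_wrong):
        server.login("bob", "0000")
    return server.login("bob", "4321")


def guess_odds(pin_digits=4, token_digits=6, token_predictable=False):
    """Odds that one blind guess succeeds. With the seed intact the guess
    must hit PIN and token code together (1 in 10^10 for the post's
    figures); with the token code predictable only the PIN remains."""
    digits = pin_digits if token_predictable else pin_digits + token_digits
    return 1.0 / 10 ** digits
```

    Running lockout_test against a real deployment's policy (with a test account) is the check the post describes; the strict variant is the behaviour to insist on.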


    Help me kill this window

    I have a bash script on my work Mac which creates an ssh tunnel to my home machine, then runs the Mac ScreenSharing.app VNC client so I can VNC home without opening VNC externally. All this works great with key based auth and stuff for the ssh session, so I just get a login prompt for the VNC session and I'm on my way.

    At the end, I try to have it clean up after itself, I've tried using waits and then killing the PIDs associated with things like the tunnel, so when Screen Sharing closes, it tears down the SSH tunnel.

    The one thing left is that it opens in a Terminal.app window, which it leaves behind at the end with a [process completed] message. I'd love to be able to kill that window, but I can't tell what PID is associated with that specific window, so I'm left with just closing it later. It's no big deal, but it's just an annoyance.

    I have it killing the PID of the bash shell it's using, but the window itself remains...

    #!/bin/bash
    # Tear down any leftover tunnel from a previous run. pgrep -f matches
    # the full command line, replacing the ps | grep | grep | awk chain.
    for pid in $(pgrep -f "5903:localhost:5901.*my-home-machine"); do
        echo "killing stale tunnel $pid"
        kill "$pid"
    done

    # Note: arcfour and blowfish-cbc are legacy ciphers that current OpenSSH
    # releases disable by default; drop -c to negotiate a modern cipher.
    ssh -c arcfour,blowfish-cbc -N -L 5903:localhost:5901 xrayspx@my-home-machine &
    sshpid=$!
    shellpid=$$
    echo "ssh tunnel pid: $sshpid, script pid: $shellpid"

    # However the script ends, close the tunnel behind it.
    trap 'kill "$sshpid" 2>/dev/null' EXIT

    sleep 5   # give ssh time to bring the forward up

    # Blocks until Screen Sharing exits.
    "/System/Library/CoreServices/Screen Sharing.app/Contents/MacOS/Screen Sharing" \
        /Users/xrayspx/Launchers/vnc--127.0.0.1-5903.inetloc

    # Exit cleanly rather than killing our own shell, so that Terminal.app's
    # "close the window if the shell exited cleanly" setting can apply.
    exit 0

    FIXED:
    There is a setting in Terminal.app's preference to close windows when the shell exits cleanly, takes care of that. It's the next best thing to not having the terminal window open at all.

    Thanks Matt!


    A new job for the little Asus

    I think I've finally found the perfect job for the little Asus EEE, since it's just too weak to show good video. It has the following tasks:

    • Linux machine I can ssh to
    • Spam Sorter and mail filter
    • Tor Exit Relay
    • CIFS fileserver for my CD collection

    Using this as the "Linux machine I can ssh to" means I'm not running a 4 core Mac Pro keeping all those disks spinning all the time anymore. This works out great, and the Pro can hibernate 95% of the time now, which should do good things for the electric bill.

    I'm doing the laziest mail filtering ever. I'm running X11VNC with a Thunderbird instance doing spam filtering on my IMAP account. I don't care how lame, that was just easiest, and it works.

    I decided a few weeks ago at the start of the Egyptian uprising that the good that can be done by providing a Tor exit relay is worth the risk of people using it for bad things, and the risk of a knock on my own door for activity originating from my IP. Now that feeling is stronger since people in more and more countries are standing up and trying to topple dictators, and are getting slaughtered in the streets for it. These governments might permit access to Twitter and FB and Google, but believe they're only doing so so they can track activity and target individual Twitter users. If you're in danger from your government, and more importantly, if your government is in danger from you, always use Tor.

    So there it is, it took six months to find a niche for this machine, but once found, it's filling the niche perfectly.

    I have a bunch of Amex gift cards which amount to about 2/3 the price of a Mac Mini. I'm on the fence about whether a Mini, even at 2/3 off, is worth it. My T60 solution seems to be running great for the time being.

    Sphere of Inconvenience

    So... As I was putting together my most recent post regarding IPv6 I got to thinking about how many computers I use every day. It started as I counted up how many things in my house use IP addresses. From here forward I will refer to anything that uses an IP address as a computer for simplicity (yes, that means that in this context my iPhone is a computer, as is my Tivo, and my Linksys wireless access point).

    Then I started to think... How many computers do I inconvenience on any given day? If you think of every website you go to in a day, plus the server that serves up those ads on those sites, plus all of the routers in between. And then add in the fact that most sites actually have more than one server behind a load balancer and have back-end services that the front end talks to and probably a separate database (or 3) and your connection gets logged and put in a database for somebody to write reports about and, and and... Phew... That's probably a lot of computers.

    So I decided to count what I could. There is no way to know how many servers at google are required for my request, or what google analytics is going to do with it, but I /can/ count the external IP that I hit. So here's what I did. I created a cron job that looked at all established IP connections, logged them, and spat out only unique IP addresses. That took care of all of the things that I connected to. Then I took that output and ran a traceroute to each of those IPs, took that output and spat out the unique IPs there, and counted them up. Obviously, there's a huge margin for error here due to a lot of routers that won't respond to my traceroutes, but it gives me a little insight.

    And what did I end up with?
    1 Day: 404 connections for a total of 1107 including routers
    2 Days: 728 connections for a total of 1744 including routers

    Wow. Over one thousand machines per day are touched by my daily activities from my laptop alone. And I don't BitTorrent or Skype or use any other P2P app. I also don't social network. And I don't /think/ I'm a heavy web surfer...
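    The counting procedure above, as an added example (not the post's cron job): parse established connections into unique remote IPs, union in every hop that answered a traceroute, and report the two numbers the post gives. The netstat and traceroute output embedded below is constructed, and the column layout assumed is the BSD/macOS "netstat -an" one (foreign address in column 5, port separated by a dot).

```python
"""Count the hosts a day's traffic touches: established connections ->
unique remote IPs -> traceroute each -> unique hop IPs. Sample output
below is constructed; netstat column layout assumed is BSD/macOS."""
import re
import subprocess

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def remote_ips(netstat_output):
    """Unique foreign IPv4 addresses of ESTABLISHED TCP connections."""
    ips = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue
        if cols[5] != "ESTABLISHED":
            continue
        host = cols[4].rsplit(".", 1)[0]  # drop the port
        if IPV4.fullmatch(host):
            ips.add(host)
    return ips


def hop_ips(traceroute_output):
    """Every IPv4 address that answered; '* * *' hops contribute nothing,
    which is the margin of error the post mentions."""
    return set(IPV4.findall(traceroute_output))


def sphere_of_inconvenience(netstat_output, traceroutes):
    """Return (connections, total including routers), the post's two numbers."""
    conns = remote_ips(netstat_output)
    touched = set(conns)
    for out in traceroutes:
        touched |= hop_ips(out)
    return len(conns), len(touched)


def collect_live():
    """Run the real commands on this machine (needs network access)."""
    ns = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    trs = [subprocess.run(["traceroute", "-n", "-w", "1", ip],
                          capture_output=True, text=True).stdout
           for ip in remote_ips(ns)]
    return sphere_of_inconvenience(ns, trs)


# Constructed sample data (documentation-range addresses).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.52231     93.184.216.34.443      ESTABLISHED
tcp4       0      0  192.168.1.20.52232     93.184.216.34.443      ESTABLISHED
tcp4       0      0  192.168.1.20.52240     198.51.100.7.80        ESTABLISHED
tcp4       0      0  192.168.1.20.52241     203.0.113.9.443        TIME_WAIT
tcp4       0      0  *.22                   *.*                    LISTEN
"""
SAMPLE_TRACEROUTES = [
    "traceroute to 93.184.216.34 (93.184.216.34), 64 hops max\n"
    " 1  192.168.1.1  1.2 ms\n 2  10.0.0.1  8.3 ms\n 3  * * *\n"
    " 4  93.184.216.34  20.1 ms\n",
    "traceroute to 198.51.100.7 (198.51.100.7), 64 hops max\n"
    " 1  192.168.1.1  1.1 ms\n 2  10.0.0.1  9.0 ms\n"
    " 3  198.51.100.7  15.4 ms\n",
]
```

    On the sample data this yields 2 connections and 4 hosts including routers; the two shared hops are counted once, just as the post's unique-IP step intends.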

    IPv6

    There has been a lot of chatter on the CentOS list lately regarding the ups and downs of IPv6. It has not quite boiled down to a flame war yet, but now is a good time to start distilling down what everybody has had to say.

    To start, what IS IPv6? Simply put, it is a newer implementation of IP addressing that allows for many more hosts, as we have been running out of IPv4 addresses and will come to the end shortly. In fact, it allows for more than 2^95 or 5x10^28 addresses per person alive on planet earth today. "Overkill!!!" you might exclaim. In the 70s, when IPv4 was designed, and there were less than 1000 hosts internetworked, you would have said the same thing about the mere 4 billion addresses allowed in that system. In an age where having your toaster internet accessible is not unheard of, you'd be surprised at how many you might use.


    A week with the Asus EB1006

    Just bought an Asus EB-1006, and wanted to post how it works rather than send one email to half a dozen folks. I got it working pretty well with XP for HD movies and MAME, here's what I did:

    • Set res to 720p, actually a little higher, 1360x768, 1080p will display, but large MKVs have problems. My test video is a 4.5GB 2 hour movie.
      (*note, you can play these just fine at 1080p with the ArcSoft Total Theater 3 that comes bundled, but there is no ability to skip within the file)
    • In the ATI video driver, set all settings to lowest quality, highest performance.
    • Disable all AV, Windows Search, Windows FW, anything else that might use any amount of RAM or CPU at all
    • I've got a 2GB DIMM on the way, I'll throw it in but I don't see it making a huge difference, since I am baseline at 450MB utilization, and even playing video only raises that slightly.
    • Disabled the RealTek sound card in the machine's BIOS. (To get to BIOS, go past the initial screen with ExpressGate stuff, then it's the Delete key to get into BIOS) This was for Linux, but there's no need for it since we're using HDMI for sound here.

    That setup lets me play any movie I've tried, 720p Youtube is usually OK. Just as importantly, MAME works just fine, though it's really right on the edge. Without the ATI driver tweaks and disabling of services, I would get sound duplication in some games, notably Sega games (OutRun), which is apparently an indicator that your framerate isn't what it should be.

    Getting things going in Linux hasn't been quite as easy as all that. It's mainly down to the video driver. The drivers from AMD suck, but radeonHD hasn't really been my friend yet either. The machine works fine, but with no or poor 3D acceleration, video and flash are pointless. The AMD driver made this a little more bearable, but not much, so I trashed it. Sound is also a bit of an issue. I had HDMI sound working somewhat with the AMD driver, but haven't gotten it working with the Open Source driver yet. This is probably because I haven't really tried, not because it won't work. I imagine I'll use Windows until I get nailed with malware for the first time and then dump some time into making Linux work properly.

    Here are some more un-ordered thoughts:

    The bundled wireless keyboard and mouse seem to be working great so far, I may look for a wireless touchpad, but they're not going to be cheap, so I probably won't bother for a while. The mouse has an off switch so it's not constantly sucking batteries while the machine isn't in use, the keyboard does not though.

    The power button and all lights are behind a door on the EB1006, which is good, because that means you can put electrical tape on the inside of the door and block all light without having to get goo all over the power button.

    The case only takes two screws to open, but there are also clips all around the edges, meaning you have to dig around with a screwdriver, meaning you'll end up dinging up the case a little if you're anal about that sort of thing, which I am not.

    Wireless looks like it only has 1 antenna, unless there's a second one buried inside. I connected to 802.11n at 65Mb/sec. It seemed rather sluggish but I didn't really "test it" test it since I have a Gb switch in my TV stand anyway, so I've just been using gig ether.

    As you would hope, the machine's absolutely silent.

    Also, let me take a moment to evangelize for the Logitech Dual Action Gamepad. This thing is friggin sweet, especially for like the $15 or whatever I paid at Best Buy. You'll want to make sure you have a nice long USB extension cable though. Huh, the one on the site seems to have a different d-pad than the one I have, which looks like it might be better. The only complaint I have is that with MAME, and especially the ST and 8-bit games, most things are looking for a digital joystick. The problem with the analog sticks is that games like BoulderDash for instance, suck with them because the game only expects cardinal directions, they don't know what to do with a 15 degree angle on an analog joystick, so they're not very responsive. They also suck to play with a d-pad because you can't (I can't) change direction as fast with a pad as with a joystick. I don't like the idea of the Wireless one on principle alone, they're probably fine.


    The Goth Militia Is Rising!

    This past weekend the feds conducted raids in three states targeting the Hutaree militia group. These guys are Christian survivalist extremists, "Preparing for the end time battles to keep the testimony of Jesus Christ alive". They believe the Anti-Christ walks among us, that kind of thing. Nevermind that as I understand it, if the Anti-Christ is walking among us, that means the rapture has already happened, which means "You Lose".

    Other militia groups want nothing to do with these guys apparently, so they've definitely at least won the Nutjob Arms Race.

    Anyway, I found their site and they had a training video posted on the front page:

    That's right, they're Sisters of Mercy fans! Of course, they think it's "weird 80's music from Germany", but still, that's the greatest thing I've seen. I wish it was Pet Shop Boys, or Erasure, but this will definitely do nicely.

    I'm sure that video won't be sticking around YouTube for too long, but I did download it locally, so if it goes away, I can always put it back.
