[etc] archive category

LinkedIn now with less salt!

Funny tweets about LinkedIn

Even the finest sword plunged into salt water will eventually rust.     Sun Tzu *

Yesterday, the word of the day at LinkedIn was “Salt” (in the cryptographic sense and not the NaCl sense). Some dodgy fellow made off with at least some of the LinkedIn password database. Those passwords were not stored in cleartext (thank Jupiter) but the hashes weren’t salted. This means tools like John The Ripper can be used to find the original password and that is exactly what happened.

If you are a software developer and you work on public facing web sites, here is the LinkedIn lesson:

  1. Always use salt with your password hashing scheme
  2. Use a deliberately slow, tunable password hashing function such as bcrypt or scrypt rather than a fast general-purpose hash like MD5 or SHA-1, so that each guess costs the attacker real time

* Note on epigram: Security nerds love to quote Sun Tzu and this was the only Sun Tzu quote I could find that had some salt in it.
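The two lessons above, side by side, as an added example (this is not LinkedIn's code and not from the post). It uses hashlib.scrypt from the Python standard library; the work factors and the stored-string layout are my assumptions, chosen so the parameters can be raised later without invalidating existing records. The unsalted SHA-1 path is there only to show why identical digests betray shared passwords.

```python
import hashlib
import hmac
import os

# Added example: unsalted fast hash vs. salted, slow, memory-hard hash.
# Work factors are an assumption; raise SCRYPT_N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def unsalted_sha1(password: str) -> str:
    """What an unsalted scheme stores: one deterministic digest per password,
    so every user with the same password has the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$<salt hex>$<digest hex>' with a fresh random salt.
    Storing the parameters alongside the digest lets verification re-derive
    the same cost even after the defaults above are raised."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def duplicate_password_groups(records: dict) -> list:
    """Given {user: stored_value}, list groups of users whose stored value is
    identical. With unsalted hashes this exposes every shared password at a
    glance; with per-user salts no group ever has more than one member."""
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    print("unsalted:", duplicate_password_groups({u: unsalted_sha1(p) for u, p in users.items()}))
    print("salted:  ", duplicate_password_groups({u: hash_password(p) for u, p in users.items()}))
```

Run it and the unsalted table reports alice and bob as sharing a password; the salted table reports nothing, because the same password hashed twice yields two different stored values.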

Github says: Please audit your SSH keys

I got the following from Github after their benign hacker incident:

Please audit your SSH keys
On Sunday March 4, 2012 a security vulnerability related to SSH keys (public keys) was discovered. For your protection and to prevent unauthorized access we have disabled your public keys until you approve them.

They want me to audit my SSH keys (a simple process). First, find your public key that you use on GitHub (probably in your .ssh directory if you are using a Mac). Then get its fingerprint. Here’s how you do that on a Mac:

Trinity:~ kelvin$ ls -l .ssh/id_rsa*
-rw-------  1 kelvin  staff  1743 Sep 11  2009 .ssh/id_rsa
-rw-r--r--  1 kelvin  staff   400 Sep 11  2009 .ssh/id_rsa.pub
Trinity:~ kelvin$ ssh-keygen -lf .ssh/id_rsa
2048 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX .ssh/id_rsa.pub (RSA)
Trinity:~ kelvin$

Using ssh-keygen you can get the fingerprint from your private key filename (it will look for the matching public key for you). That long run of “XX:XX” pairs is a hexadecimal fingerprint that should match the one at the bottom of the GitHub SSH audit page. If it doesn’t match then either Egor hacked you or you used a different key (keep looking!).
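The same check done by hand, as an added example (not the post's code and not GitHub's): it parses an OpenSSH public-key line, walks the key blob, and produces both the colon-separated MD5 form that the ssh-keygen session above prints (the default before OpenSSH 6.8; newer releases print the SHA256 base64 form and need `ssh-keygen -l -E md5` for the old one) and the SHA256 form. The sample key is constructed in the block from a 2048-bit odd number standing in for the modulus; it is not a real key. The comparison helper tolerates the "MD5:" prefix and upper-case hex you may see on a web page.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used in the OpenSSH public-key wire format."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Big-endian multiprecision integer; a leading zero keeps the sign bit clear."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


# Constructed sample (NOT a real key): e = 65537, and a 2048-bit odd number in
# place of a real modulus. Only the encoding matters for this demonstration.
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(2 ** 2047 + 12345)
).decode("ascii") + " kelvin@Trinity"


def parse_pubkey_line(line: str):
    """Split '<type> <base64 blob> [comment]' and decode the blob into its fields."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + length])
        off += length
    if not fields or fields[0] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match the prefix")
    return keytype, blob, fields


def key_bits(line: str) -> int:
    """Bit length of the RSA modulus (the leading '2048' in ssh-keygen -l output)."""
    keytype, _, fields = parse_pubkey_line(line)
    if keytype != "ssh-rsa" or len(fields) != 3:
        raise ValueError("only ssh-rsa keys are handled here")
    return int.from_bytes(fields[2], "big").bit_length()


def fingerprint_md5(line: str) -> str:
    """Legacy colon-separated MD5 fingerprint of the raw key blob."""
    _, blob, _ = parse_pubkey_line(line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(line: str) -> str:
    """Modern 'SHA256:<unpadded base64>' fingerprint of the raw key blob."""
    _, blob, _ = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def _normalize(fp: str) -> str:
    fp = fp.strip()
    if fp.upper().startswith("SHA256:"):
        return "SHA256:" + fp[7:].rstrip("=")
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.lower()


def fingerprints_match(ours: str, shown: str) -> bool:
    """Compare our computed fingerprint with the one displayed on a web page."""
    return hmac.compare_digest(_normalize(ours), _normalize(shown))


if __name__ == "__main__":
    print(key_bits(SAMPLE_KEY), fingerprint_md5(SAMPLE_KEY))
    print(fingerprint_sha256(SAMPLE_KEY))
```

Point `parse_pubkey_line` at the contents of your own `.ssh/id_rsa.pub` and compare the result with what the audit page shows; a mismatch means the key on the page is not the one on your disk.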


HMCS Corner Brook rechristened HMCS Smiley

HMCS Corner Brook as smiley

Offered without comment. Original here.


Hacked on a Friday

It’s not the first time that I’ve been hacked and I’m quite sure that it won’t be the last time either. Today, I found out that my web host (Dreamhost) was hacked.

Part of being hacked is trying to figure out what was taken. It takes time to review logs, so I’m not too concerned that Dreamhost can’t answer questions about what data was compromised.

The thing that gets me is that they never emailed me to let me know what was going on. I found out about the breach by reading Tech Crunch. That’s really what I’m grumpy about tonight…that and the passwords I have to reset.

Update, more than 12 hours on

Dreamhost sent an email overnight with password advice. I’m still not impressed by the 12-hour delay.


The Burzynski Clinic

Dr Stanislaw Burzynski runs an alternative cancer treatment clinic in Texas. Someone claiming to represent the Burzynski Clinic tried to silence teenage blogger/skeptic Rhys Morgan in a fascinating email exchange:

You probably haven’t heard of a man named Stanislaw Burzynski. He offers a treatment called antineoplaston therapy, which he claims can treat cancer, in a centre called the Burzynski Clinic in Houston, Texas. That’s quite a claim, but the Nobel Prize Committee does not need to convene quite yet, because this treatment has been in non-randomised clinical trials since its discovery by Burzynski some 34 years ago.


The Register Hacked & Defaced

Screen grab of the Register defaced

Today The Register was defaced by a Turkish group of hackers. It looks like the domain’s registration was changed to delegate the DNS to the hackers’ own nameservers.

$ whois theregister.co.uk

    Domain name:
        theregister.co.uk

    Registrant:
        Linus Birtles

    Trading as:
        The Register

    Registrant type:
        UK Sole Trader

    Registrant's address:
        Situation Publishing Limited
        PO Box 478
        Southport
        PR8 2ZW
        United Kingdom

    Registered through:
        NetNames Limited
        URL: http://www.netnames.co.uk

    Registrar:
        Ascio Technologies Inc t/a Ascio Technologies inc [Tag = ASCIO]
        URL: http://www.ascio.com

    Relevant dates:
        Registered on: before Aug-1996
        Renewal date:  14-Mar-2012
        Last updated:  04-Sep-2011

    Registration status:
        Registered until renewal date.

    Name servers:
        ns1.yumurtakabugu.com
        ns2.yumurtakabugu.com

    WHOIS lookup made at 21:42:31 04-Sep-2011

--
This WHOIS information is provided for free by Nominet UK the central registry
for .uk domain names. This information and the .uk WHOIS are:

    Copyright Nominet UK 1996 - 2011.

You may not access the .uk WHOIS or use any data from it except as permitted
by the terms of use available in full at http://www.nominet.org.uk/whois, which
includes restrictions on: (A) use of the data for advertising, or its
repackaging, recompilation, redistribution or reuse (B) obscuring, removing
or hiding any or all of this notice and (C) exceeding query rate or volume
limits. The data is provided on an 'as-is' basis and may lag behind the
register. Access may be withdrawn or restricted at any time.

Yumurta kabuğu? It means “eggshell” if you believe this Turkish-English dictionary.

And if you are wondering who is behind yumurtakabugu.com then you won’t get far:

$ whois yumurtakabugu.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: YUMURTAKABUGU.COM
   Registrar: ACTIVE REGISTRAR, INC.
   Whois Server: whois.activeregistrar.com
   Referral URL: http://www.activeregistrar.com
   Name Server: NS1.ACTIVE-DNS.COM
   Name Server: NS2.ACTIVE-DNS.COM
   Status: clientTransferProhibited
   Updated Date: 03-sep-2011
   Creation Date: 16-apr-2010
   Expiration Date: 16-apr-2020

>>> Last update of whois database: Sun, 04 Sep 2011 20:45:33 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Registration Service Provided By: Active-Domain LLC
Contact:  http://www.active-domain.com

Domain Name: yumurtakabugu.com
Expiry Date: 16-Apr-2020
Creation Date: 16-Apr-2010

Name servers:
ns1.active-dns.com
ns2.active-dns.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: m4l0j36f5ks@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681

Admin Name: Whois Manager
Admin Company: Whois Proof LLP
Admin Email Address: m4l0j36f5ks@whoisproof.com
Admin Address: PO Box 4120
Admin City: Portland
Admin State/Region/Province: OR
Admin Postal Code: 97208-4120
Admin Country: US
Admin Tel No: +1.2024700599
Admin Fax No: +1.8663666681

Tech Name: Whois Manager
Tech Company: Whois Proof LLP
Tech Email Address: m4l0j36f5ks@whoisproof.com
Tech Address: PO Box 4120
Tech City: Portland
Tech State/Region/Province: OR
Tech Postal Code: 97208-4120
Tech Country: US
Tech Tel No: +1.2024700599
Tech Fax No: +1.8663666681


The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. The registrar of record is Active Registrar, Inc. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms.
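What an operator would want to catch here is the registrar-level change: the registered name servers no longer match the ones the site actually runs, and the “Last updated” date is the day of the defacement. The following added example (my code, not the post’s and not a Nominet or VeriSign tool) parses both whois layouts shown above, the Nominet indented “Name servers:” block and the registry’s one-per-line “Name Server:” entries, and reports servers outside a known-good set plus a recent-change flag. The excerpts are trimmed from the post’s output; the known-good set is a placeholder, since the post does not name the legitimate servers.

```python
import re
from datetime import date, datetime

# Excerpt of the Nominet output shown in the post, trimmed to the relevant fields.
NOMINET_EXCERPT = """\
    Domain name:
        theregister.co.uk

    Relevant dates:
        Registered on: before Aug-1996
        Renewal date:  14-Mar-2012
        Last updated:  04-Sep-2011

    Name servers:
        ns1.yumurtakabugu.com
        ns2.yumurtakabugu.com

    WHOIS lookup made at 21:42:31 04-Sep-2011
"""

# Excerpt of the .com registry output shown in the post for the nameserver domain.
VERISIGN_EXCERPT = """\
   Domain Name: YUMURTAKABUGU.COM
   Registrar: ACTIVE REGISTRAR, INC.
   Name Server: NS1.ACTIVE-DNS.COM
   Name Server: NS2.ACTIVE-DNS.COM
   Status: clientTransferProhibited
   Updated Date: 03-sep-2011
"""

# Placeholder for the legitimate name servers (the post does not name them).
EXPECTED_NS = {"ns1.example.net", "ns2.example.net"}


def parse_nameservers(whois_text: str) -> list:
    """Return the delegated name servers, lower-cased, in order, without duplicates.
    Handles 'Name Server: HOST' lines and a 'Name servers:' header followed by an
    indented block that ends at the next blank line."""
    servers, lines = [], whois_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        inline = re.match(r"(?i)^name servers?:\s*(\S+)$", stripped)
        if inline:
            servers.append(inline.group(1).lower().rstrip("."))
            continue
        if re.match(r"(?i)^name servers?:$", stripped):
            for follow in lines[i + 1:]:
                if not follow.strip():
                    break
                servers.append(follow.split()[0].lower().rstrip("."))
    seen, unique = set(), []
    for s in servers:
        if s not in seen:
            seen.add(s)
            unique.append(s)
    return unique


def unexpected_nameservers(found: list, expected: set) -> list:
    """Servers in the registration that are not in the known-good set."""
    expected = {e.lower().rstrip(".") for e in expected}
    return sorted(set(found) - expected)


def last_updated(whois_text: str):
    """Parse 'Last updated: DD-Mon-YYYY' (Nominet) or 'Updated Date: DD-mon-YYYY' (registry)."""
    m = re.search(r"(?im)^\s*(?:last updated|updated date):\s*(\d{2}-[A-Za-z]{3}-\d{4})", whois_text)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def changed_within(whois_text: str, as_of: date, days: int = 7) -> bool:
    """True when the registration was modified in the last `days` days before `as_of`."""
    updated = last_updated(whois_text)
    return updated is not None and 0 <= (as_of - updated).days <= days


if __name__ == "__main__":
    found = parse_nameservers(NOMINET_EXCERPT)
    print("delegated to:", found)
    print("unexpected:  ", unexpected_nameservers(found, EXPECTED_NS))
    print("changed recently:", changed_within(NOMINET_EXCERPT, date(2011, 9, 4)))
```

Scheduled against the raw whois text for your own domains, the pair of signals (any server outside the allow-list, and a change within the last few days) is enough to page someone before a redirected site is noticed by readers.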


Testing Marriage Equality in Python (aka I ♥ NY)

I ran the following code tonight and ran into some problems. I hope that this solution will help others:

Trinity:marriage_test kelvin$ python marriage.py 
F
======================================================================
FAIL: testEquality (__main__.equalityTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "marriage.py", line 24, in testEquality
    self.assertEqual(a, b, "Marriages not equal")
AssertionError: Marriages not equal
 
----------------------------------------------------------------------
Ran 1 test in 0.000s
 
FAILED (failures=1)
Trinity:marriage_test kelvin$

This is the test that was failing:

import unittest

class equalityTests(unittest.TestCase):

  def testEquality(self):
    a = OppositeSexMarriage()
    b = SameSexMarriage()
    self.assertEqual(a, b, "Marriages not equal")

Fortunately the fix is straightforward (base Marriage on GoodLegislation):

class GoodLegislation(object):
  def __eq__(self, other):
    return self.__dict__ == other.__dict__

class Marriage(GoodLegislation):
  pass

class OppositeSexMarriage(Marriage):
  pass

class SameSexMarriage(Marriage):
  pass

This is the result that we were after:

Trinity:marriage_test kelvin$ python marriage.py
.
----------------------------------------------------------------------
Ran 1 test in 0.000s
 
OK
Trinity:marriage_test kelvin$

Congratulations to the good people of New York state. They became the sixth state to allow same-sex marriage.

Code available here!


Doctoring EXIF data for Sun Media (aka Ignatieff in Kuwait)

Not Iggy

A lot hinged on the veracity of the picture — the low-resolution image furnished to Teneycke lacked critical metadata that would have helped determine the time the picture was taken. However, the report that accompanied the picture referred to those metadata. (Pierre Karl Peladeau, President and CEO of Sun Media Corporation)

Before sending your hoax photos to anybody at Sun Media, you better make sure that you doctor the EXIF metadata because they will check – trust me. You’re a busy lobbyist and you don’t have time to learn all about this nerdy stuff (metadata wazzat???). No problem, this is what you do.

First, get your doctored photo and open it with a metadata editor like ExifTool. There are others available but you’re in a rush and there is an election afoot and you have a ton of disinformation that has to get out – today!

Well, as luck would have it, there is no metadata on your pic. Don’t panic! Your Iggy pic backstory is that he was in Kuwait so you need to copy legit metadata from a pic taken in Kuwait. Go ask Google Image search, type “Kuwait army” and restrict your results to large pictures. The reason that we are selecting only “large” images is that we want the original/unedited large size pics taken by some US military photographer – the exact ones downloaded off the camera. They are always huge files. I found one from Military Sealift Command from 2007 which is good enough for our demo. Save it to your current working directory as we are going to copy the EXIF metadata to make it look like our hoax pic was taken in Kuwait.

Using ExifTool, copy all the metadata from the authentic Kuwait photo to your fake Iggy pic (only one command – w00t):

$ exiftool -tagsFromFile metadata_source.jpg not_ignatieff_exif.jpg

Now, if you’re particularly lazy or busy you can stop there since the metadata is now copied. If you have more time on your hands you can actually edit the individual entries and geocode the photo. Check out what we did:

$ exiftool not_ignatieff_exif.jpg
ExifTool Version Number         : 8.56
File Name                       : not_ignatieff_exif.jpg
Directory                       : .
File Size                       : 78 kB
File Modification Date/Time     : 2011:04:27 13:18:53-07:00
File Permissions                : rw-r--r--
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Exif Byte Order                 : Little-endian (Intel, II)
Make                            : NIKON CORPORATION
Camera Model Name               : NIKON D2X
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Adobe Photoshop CS2 Windows
Modify Date                     : 2007:09:24 12:06:07
Y Cb Cr Positioning             : Centered
Exposure Time                   : 1/180
F Number                        : 13.0
Exposure Program                : Aperture-priority AE
ISO                             : 100
Exif Version                    : 0221
Date/Time Original              : 2007:08:29 10:47:40
Create Date                     : 2007:08:29 10:47:40
Components Configuration        : Y, Cb, Cr, -
Exposure Compensation           : -2/3
Max Aperture Value              : 4.0
Metering Mode                   : Multi-segment
Light Source                    : Unknown
Flash                           : No Flash
Focal Length                    : 20.0 mm
User Comment                    : 
Sub Sec Time                    : 00
Sub Sec Time Original           : 00
Sub Sec Time Digitized          : 00
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 2100
Exif Image Height               : 1395
Sensing Method                  : One-chip color area
File Source                     : Digital Camera
Scene Type                      : Directly photographed
CFA Pattern                     : [Red,Green][Green,Blue]
Custom Rendered                 : Normal
Exposure Mode                   : Auto
White Balance                   : Auto
Digital Zoom Ratio              : 1
Focal Length In 35mm Format     : 30 mm
Scene Capture Type              : Standard
Gain Control                    : None
Contrast                        : Normal
Saturation                      : Normal
Sharpness                       : Normal
Subject Distance Range          : Unknown
GPS Version ID                  : 2.2.0.0
Compression                     : JPEG (old-style)
Thumbnail Offset                : 934
Thumbnail Length                : 5386
Current IPTC Digest             : 460cf28926b856dab09c01a1b0a79077
Application Record Version      : 2
Copyright Flag                  : False
Global Angle                    : 30
Global Altitude                 : 30
XMP Toolkit                     : Image::ExifTool 8.56
Format                          : image/jpeg
Compressed Bits Per Pixel       : 2
Date/Time Digitized             : 2007:08:29 10:47:40-04:00
Flash Fired                     : False
Flash Function                  : False
Flash Mode                      : Unknown
Flash Red Eye Mode              : False
Flash Return                    : No return detection
Color Mode                      : RGB
ICC Profile Name                : sRGB IEC61966-2.1
Creator Tool                    : Adobe Photoshop CS2 Windows
Metadata Date                   : 2007:09:24 12:06:07-04:00
Derived From Document ID        : adobe:docid:photoshop:0f10c753-6154-11dc-9f27-a9bb9c4b68e4
Derived From Instance ID        : adobe:docid:photoshop:0f10c753-6154-11dc-9f27-a9bb9c4b68e4
Document ID                     : uuid:FF3F520BB86ADC11827AB2BAB20EBAFA
Instance ID                     : uuid:319A5A0FB86ADC11827AB2BAB20EBAFA
History                         : 
Quality                         : 60%
DCT Encode Version              : 100
APP14 Flags 0                   : [14], Encoded with Blend=1 downsampling
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 640
Image Height                    : 480
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Aperture                        : 13.0
Shutter Speed                   : 1/180
Create Date                     : 2007:08:29 10:47:40.00
Date/Time Original              : 2007:08:29 10:47:40.00
Modify Date                     : 2007:09:24 12:06:07.00
Thumbnail Image                 : (Binary data 5386 bytes, use -b option to extract)
Image Size                      : 640x480
Light Value                     : 14.9
Scale Factor To 35 mm Equivalent: 1.5
Circle Of Confusion             : 0.020 mm
Field Of View                   : 61.9 deg
Focal Length                    : 20.0 mm (35 mm equivalent: 30.0 mm)
Hyperfocal Distance             : 1.54 m

Note: This is a parody entry. Don’t send any doctored pics to Sun Media. Also, don’t trust metadata as proof of anything.
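The last sentence of that note is the practical one, and the dump above shows why: the copied tags claim a 2100×1395 frame while the JPEG itself is 640×480, and the XMP block says it was written by Image::ExifTool 8.56 rather than the camera or the Photoshop named in Software. The following added example (mine, not the post’s and not part of ExifTool) parses exiftool’s “Tag : value” output and flags those two contradictions plus an impossible date order. The doctored excerpt is trimmed from the post’s output; the consistent record is constructed for comparison.

```python
from datetime import datetime

# Excerpt of the exiftool output shown in the post, trimmed to the relevant tags.
DOCTORED = """\
Make                            : NIKON CORPORATION
Camera Model Name               : NIKON D2X
Software                        : Adobe Photoshop CS2 Windows
Modify Date                     : 2007:09:24 12:06:07
Date/Time Original              : 2007:08:29 10:47:40
Create Date                     : 2007:08:29 10:47:40
Exif Image Width                : 2100
Exif Image Height               : 1395
XMP Toolkit                     : Image::ExifTool 8.56
Creator Tool                    : Adobe Photoshop CS2 Windows
Image Width                     : 640
Image Height                    : 480
Image Size                      : 640x480
"""

# Constructed record with no contradictions, for comparison (not from the post).
CONSISTENT = """\
Make                            : NIKON CORPORATION
Camera Model Name               : NIKON D2X
Modify Date                     : 2007:08:29 10:47:40
Date/Time Original              : 2007:08:29 10:47:40
Create Date                     : 2007:08:29 10:47:40
Exif Image Width                : 2100
Exif Image Height               : 1395
Image Width                     : 2100
Image Height                    : 1395
"""


def parse_exiftool_output(text: str) -> dict:
    """Map each tag name to the list of values seen (exiftool repeats some tags,
    e.g. 'Create Date' appears under both EXIF and Composite groups)."""
    meta = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        meta.setdefault(key.strip(), []).append(value.strip())
    return meta


def first(meta: dict, key: str):
    return meta.get(key, [None])[0]


def _exif_datetime(value: str) -> datetime:
    # EXIF dates look like '2007:09:24 12:06:07', possibly followed by a
    # fractional second or a timezone offset, which we drop.
    return datetime.strptime(value[:19], "%Y:%m:%d %H:%M:%S")


def find_inconsistencies(meta: dict) -> list:
    """Return (check_name, detail) pairs for contradictions between what the
    metadata claims and what the file itself shows."""
    findings = []
    exif_dims = (first(meta, "Exif Image Width"), first(meta, "Exif Image Height"))
    real_dims = (first(meta, "Image Width"), first(meta, "Image Height"))
    if all(exif_dims) and all(real_dims) and exif_dims != real_dims:
        findings.append(("dimension_mismatch",
                         f"EXIF claims {exif_dims[0]}x{exif_dims[1]} but the JPEG is {real_dims[0]}x{real_dims[1]}"))
    toolkit = first(meta, "XMP Toolkit") or ""
    if "exiftool" in toolkit.lower():
        # Heuristic: cameras and Photoshop write their own toolkit strings; an
        # ExifTool toolkit string means the tags were rewritten after the fact.
        findings.append(("metadata_tool", f"XMP block written by {toolkit}"))
    original, modified = first(meta, "Date/Time Original"), first(meta, "Modify Date")
    if original and modified and _exif_datetime(original) > _exif_datetime(modified):
        findings.append(("date_order", f"shot at {original} but last modified earlier, at {modified}"))
    return findings


def audit(text: str) -> list:
    """Names of the checks that fired for one exiftool dump."""
    return [name for name, _ in find_inconsistencies(parse_exiftool_output(text))]


if __name__ == "__main__":
    for name, detail in find_inconsistencies(parse_exiftool_output(DOCTORED)):
        print(f"{name}: {detail}")
```

Feed it `exiftool photo.jpg > dump.txt` output for any photo offered as evidence; a clean result proves nothing, but a contradiction like the ones here is cheap to find and hard to explain away.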


Nobel Peace Prize vs Confucius Peace Prize Primer

Just in case you missed it, China is behaving like a spoiled baby over the awarding of the Nobel Peace Prize to Liu Xiaobo. Frankly, he’s a guy that I never heard of before last week but the more I read about him the more I like him. Need help figuring this out? Me too!

| Aspect | Nobel Peace Prize | Confucius Peace Prize |
|---|---|---|
| What is it? | Scandinavian award for peace established by Alfred Nobel. | Chinese award for peace established by obscure NGO to deflect attention from Nobel award. |
| Established | 1901 | Last week maybe? (Dec 2010) |
| 2010 recipient | Liu Xiaobo (Chinese literary critic, writer, professor, human rights activist, and dissident) | Lien Chan (Taiwanese politician and China apologist) |
| Reason | Trying to bring democracy to a backwards ass nation. Publishing manifesto. Human rights work. | Not being Liu Xiaobo. |
| Prize | Medal, scroll and USD$1.4 million approx. | USD$15,000 approx. (100,000 yuan) |
| Accepted by | Empty chair | Empty chair (or terrified child) |
| Disposition | In jail in China | Surprised in Taiwan |

2010 nominees (both prizes): Liu Xiaobo, Morgan Tsvangirai, Svetlana Gannushkina, The Special Court for Sierra Leone, Democratic Voice of Burma, Sima Samar, Tony Blair, Bill Clinton, Denis Mukwege, Grandmothers Of The Plaza De Mayo, Lien Chan, Jimmy Carter, Bill Gates, Panchen Lama


960gs Grid Templates for Fireworks

When starting a new grid-based design I use Adobe Fireworks for the initial screens. Here are my starter files for the 960 grid system in 12-column, 16-column and 24-column formats. I actually have never used the 24-column one but I made it anyway. Right click these and save them to your local drive.

Vertical guides only

Vertical and horizontal guides

Licensed under MIT & GPL licenses (your choice)
