
Archive for the ‘Hacking’ Category

Security.. what me worry?

July 14th, 2009 2 comments

It’s been a watershed moment for our startup over the weekend. I got the components for the server from TigerDirect.ca and put it all together. It’s a sexy system, i7 CPU, 8 cores, 12 GB DDR3 RAM, lots of cooling, RAID5 configuration with terabytes of reliable drive space. It literally floats an inch in the air through its own power, and emits a wicked blue glow. This is more powerful than a dozen of the servers that Google started out with. It only set me back around $1,700, and is a performance machine architected to withstand loads of queries.

I’ll get this machine collocated at a managed site later (once we get some revenue coming in), but for now, I have it in my basement, and accessible via dynamic DNS.

I was super-excited to get started and created three accounts for my collaborators and mailed the info out. Within 10 minutes, I noticed using the ‘w’ command that one of my collaborators had logged in. I tried to talk to him via the console ‘talk’ command and my attempt to talk was refused. I figured that it was a configuration issue and fired up Skype to talk to him. The conversation went as below:

[10:25:56 AM] Shahzad Khan says: Hi AL
[10:26:04 AM] Shahzad Khan says: How is the connection to the server?
[10:26:11 AM] Shahzad Khan says: Is it at a workable speed ?
[10:26:49 AM] AL says: Oh, I had not even seen that e-mail.
[10:26:53 AM] AL says: Let me check.

Ok, at this point, I’m perplexed. What’s going on? He’s already logged in!

I double-checked, and another of my collaborators was logged in. I now fired up the ‘who’ command to see where they were coming in from. Well, they were apparently no longer in Ontario, and were coming in from Spain!

In a blinding flash, I realized that 10 minutes after setting up the servers and accounts, we’d already been hacked!

I booted the ‘unwanted guests’ off, and changed the passwords to the AOL style pw, rather than the throwaway ones that I shared with my friends. Paranoia is my new watchword now! I haven’t been hacked in 14 years, since the core wars that used to take place between the IRC junkies… and that was all good fun among friends. These hackers who tried to hijack my previous server are professionals. They’re either scanning the block of IPs that my ISP uses for their DSL customers, or the Dynamic DNS server that I employ to keep my server’s name updated for the world. There is a standard going rate for ‘bots’ and ‘smurfs’ that are harvested this way, and my poor server was about to be kidnapped and sold into slavery.

My mistake was to believe in ‘security by obscurity’ and not worry about the strength of the credential. It’s only my instincts on ‘normal’ server operation (and noticing something amiss) that saved us this time. Next time could be messier. I noticed that only the two accounts with usernames that are common were compromised. The other accounts were not broken into, as the username was different. This leads me to suspect that this incident was the outcome of a plain vanilla dictionary attack on my citadel. Oh the shame of it all!

How’s that for baptism by fire? 10 minutes! Real life can be so brutal.
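The pattern described in this post, a run of failed guesses against common usernames followed by a successful login from an unfamiliar address, can be looked for in the authentication log. The following is an added example, not from the original post; it assumes the logins came in over SSH with OpenSSH-style log lines, and the sample lines, usernames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth-log style (not from the original post).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Jul 14 10:14:02 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4101 ssh2
Jul 14 10:14:05 srv sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 4102 ssh2
Jul 14 10:14:09 srv sshd[2105]: Failed password for john from 203.0.113.7 port 4103 ssh2
Jul 14 10:14:12 srv sshd[2107]: Accepted password for john from 203.0.113.7 port 4104 ssh2
Jul 14 10:15:30 srv sshd[2110]: Failed password for mike from 203.0.113.7 port 4105 ssh2
Jul 14 10:15:33 srv sshd[2112]: Accepted password for mike from 203.0.113.7 port 4106 ssh2
Jul 14 10:20:00 srv sshd[2120]: Accepted password for zq_owner from 198.51.100.20 port 5000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, min_failures=3):
    """Return (ip, user, failed_attempts, usernames_tried) for each accepted
    password login from a source that had already failed min_failures times."""
    failures = defaultdict(int)      # ip -> failed attempts seen so far
    users_tried = defaultdict(set)   # ip -> distinct usernames attempted
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        users_tried[ip].add(user)
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            # A success right after a guessing run: treat the account as compromised.
            hits.append((ip, user, failures[ip], len(users_tried[ip])))
    return hits

if __name__ == "__main__":
    for hit in find_guessed_logins(SAMPLE_LOG):
        print("guessed login: ip=%s user=%s failures=%d usernames_tried=%d" % hit)
```

A source that cycles through many distinct usernames before succeeding is the signature of a dictionary run; the login from the second address has no failures behind it and is not flagged.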

Firefox Historian Released

May 12th, 2009 1 comment

I’ve been working on a personal search engine project in my spare time for the past few weeks. This is a Firefox add-on which records your browsing history, and builds a full-text search index.

Basically, the value proposition of this site is that you’ll never need to try and remember individual sites or try and rediscover them through ‘public’ search engines. I only index publicly accessible sites that you may visit, and thus your email etc will never be indexed (as the server does not have your login information, or an implementation of the login protocol).

As far as search engines go, this is quite spartan for now. However, if there is enough interest, I’ll be happy to add enhancements and make the search better and more intuitive. The index updates every five minutes for now. If you need faster indexing, drop me a line and we can work out a way to make this possible for you.

For now, you can get the Firefox add-on from here

Feedback is most welcome, but please be gentle and expect bugs, this is an early beta!

Conquering Twitter Information Overload: Synching Tweetdeck Settings

April 16th, 2009 No comments

If you’re anything like me, you get around a thousand tweets a day, and have a small set of messages you definitely want to read, and have a huge river of messages that you can live without (but which you’d like to dip into occasionally). In short, you need to construct a filter to retain tweets that are interesting to you, and relegate to the junk mail status those that are not. It’s like a spam filter for your friends’ chatter!

I’m working on a smart way of doing this, based on profiling myself (or other interested users) and the individuals in their networks (learned from their Mozilla Firefox bookmarks). Meanwhile, I need a quick and dirty solution that can filter by source (i.e. person) based on my impression of the relevance and quality of their tweets (learned via meatspace processing, i.e. manually!).

Well, my tool of choice for this operation is Tweetdeck. This serves my needs well; I simply created a group, and add people to this group when their postings are useful, and occasionally drop individuals when the number of participants in the group crosses a tolerable threshold.

However, once again, if you’re anything like me, you work on at least four different computers, because of your need to work at different locations and operating systems (I find laptops are not powerful enough for my needs). So, in the absence of the ability to sync Tweetdeck settings across machines, what’s an overwhelmed Twitteraholic to do?

Well, if you’re tech-savvy, you have to assume that your preferences are stored somewhere, in a file, in a database, in the registry or perhaps the web! .. knowing that this is a light and relatively recent application, you can assume that it’ll be somewhere quite obvious.

Lo and behold, the seeker shall always find! A bit of poking around shows me that on Windows, it’s stored in a file:

td_26_[username].db

Copy the td_26_[username].db from the following directory on the source PC to the same directory on the destination PC.

C:\Documents and Settings\[Windows User]\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1\Local Store

.. and voila, you have just transitioned your valuable, I-invested-time-in-this, settings over to the new location.

Let me know if this helps you (via your comments) and also please let me know if anything blows up!

Firefox’s Built in SQLite History Database

March 31st, 2009 No comments

As of Firefox 3.0, the history and bookmarks have been stored in an SQLite instance that is natively available. You can actually interact with this database using the following JavaScript code snippet. Now all you need is the person’s name, and voila, you know their entire browsing history!

How do you get their name, well, ask them! Provide a textbox and some incentive, and you’ll have their name and email soon enough.

Warning: I have only run this script locally, and do not know as yet how it behaves if you load it off a remotely accessed web page. If you do manage to get this working remotely, please leave a note in the comments.

Querying the Mozilla Places SQLite Datastructure

// Create useful shorthand notations
var Cc = Components.classes;
var Ci = Components.interfaces;
var rc = Cc["@mozilla.org/browser/nav-history-service;1"];
var rs = rc.getService(Ci.nsINavHistoryService);
var myquery = rs.getNewQuery(); // returns nsINavHistoryQuery
var myqueryoptions = rs.getNewQueryOptions(); // returns nsINavHistoryQueryOptions

// Execute the query on the History object
var myresult = rs.executeQuery(
    myquery,
    myqueryoptions
); // returns nsINavHistoryResult

var node = myresult.root; // of type nsINavHistoryResultNode

// Parse the results, and collect the URLs in the following string
var collect_string = "";

// The container must be opened before its children can be read
node.containerOpen = true;
for (var i = 0; i < node.childCount; i++) {
    var node_new = node.getChild(i);
    collect_string += node_new.uri + "\n";
}
node.containerOpen = false;

alert(collect_string);
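For incident response or forensic review, the same history can be read straight from a copy of the profile's places.sqlite file and turned into a visit timeline. This is an added example, not code from the original post; the in-memory database is a constructed stand-in limited to the moz_places and moz_historyvisits columns the query uses, and the URLs and timestamps are made up.

```python
import sqlite3
from datetime import datetime, timezone

def build_sample_places():
    """Constructed in-memory stand-in for a copy of places.sqlite, reduced to
    the columns used below (a real profile database has more)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Example'),
                                      (2, 'https://example.net/docs', 'Docs');
        -- visit_date is PRTime: microseconds since the Unix epoch
        INSERT INTO moz_historyvisits VALUES (1, 1, 1238500000000000),
                                             (2, 2, 1238503600000000),
                                             (3, 1, 1238507200000000);
    """)
    return db

def visit_timeline(db):
    """Return [(utc_iso_timestamp, url, title)], oldest visit first."""
    rows = db.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date
    """)
    timeline = []
    for visit_date, url, title in rows:
        # Convert PRTime (microseconds) to an aware UTC datetime
        ts = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
        timeline.append((ts.isoformat(), url, title))
    return timeline

if __name__ == "__main__":
    for entry in visit_timeline(build_sample_places()):
        print(*entry, sep="  ")
```

Each visit is its own row in moz_historyvisits, so a page visited twice appears twice in the timeline.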
