The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Wednesday, February 04, 2009

MTV's The Real World: “The Scott & Ryan Show, starring Chet”

It's the fifth week and finally we get a Scott episode in “The Scott & Ryan Show, Starring Chet,” this week on The Real World.

So Scott, who last week thwarted Devyn's attentions by mentioning a girlfriend, got dumped, and then proceeded to bring home several different girls, thwarting Devyn's attentions this week. It's clear that Devyn wants Scott, but it's still not clear if Scott wants Devyn, although—straight male model (he hasn't pegged my gaydar, unlike Chet, but more on him later), straight beauty queen—seems quite natural to me. But perhaps MTV is trying to avoid that particular cliché (this week doesn't appear as scripted as last week, but that thought is still in the back of my mind). Or perhaps he's not into Devyn all that much.

We also get some Scott cheesecake as he models in his Calvin Kleins.

Ryan didn't quite blow up as last week's preview led us to believe, but it appears that while he loves pulling pranks, he doesn't quite love having them pulled on him. Or perhaps pulled on him as he sleeps (the whole “flashbacks to Vietnam Iraq” thing). He can play the guitar though, I'll give him that (and thankfully, he wasn't singing this time). He's also melancholy over a friend committing suicide and the upcoming anniversary of 9/11.

Chet is trying to break into television. He wanted to be a host of Total Request Live, but showed up at the studio just after it was cancelled.

Bummer.

He does, however, get a chance to interview Pete Wentz for FNMTV while stylishly dressed as Orville Redenbacher.

JD, Sarah and Baya have minor roles this week. Blink, and you missed Katelynn's cameo.

Next week: Looks like “Kiss Me, Kate.”

Thursday, February 05, 2009

I did forget to factor in union labor though …

Yes, Septillion, that is a 1, followed by 24 zeros.

A very, VERY large number, especially when it concerns money. And why is it a deal? Because that figure ignores a lot of very important costs. Costs for what? Why to build a Death Star of course!

Via my good friend Hoade, One Death Star for $15 Septillion? What a deal!

Not quite. Ryszard Gold there seriously overcalculated the price of the Death Star, by several orders of magnitude.

First off, his figure of 17,157,284,678,805,056 cubic meters is too high, and I think I know his mistake. The volume of a sphere is (4/3)πr³, so it scales with the cube of the radius. Ryszard used a figure of 160km (or 160,000m) for the diameter, and cubed that (160,000m) instead of the actual radius (80,000m), so his Death Star is 8 times too large. It's actually 2,144,660,584,850,632 cubic meters.

So his cost of the raw steel, $1.3×10^19, is too high—it's closer to $1.6×10^18, roughly an order of magnitude cheaper. But that's the cost of steel made on Earth (excluding shipping, which is $1.2×10^25, or $12 septillion). But if you're shipping that much steel up to Earth orbit, you're doing it wrong. It'd be way cheaper to ship steel in from the Asteroid Belt than to lift it to Earth orbit. Or heck, cheaper still to find some asteroid and build the Death Star right there. It'll only take a medium sized asteroid.

Taking Ryszard's figure of 1/10 the mass as structural, and assuming that asteroids are 80% pure ore (which isn't all that unreasonable), then all you need is an asteroid 80km in diameter. Plenty of candidates to choose from. And it wouldn't surprise me if there aren't a few, or a score, of asteroids made out of CHON, so no need to ship air or water up from Earth either.

So yes, the price tag of the Death Star is up there, but nowhere near $1.5×10^25.


And no, this isn't the Onion.

Hope and Change.

The election of Barack Obama was supposed to lead us out of confusion and into the dawn of a new age, away from The Dark Days where Satire Was Dead.

Darn it! The Real World™ isn't supposed to trump satire!

So you have a former Weather Underground member who now is pro-military, throwing shoes at the anti-military Socialist Mayor, in a protest that would fall under the "community of sanctuary" protection if the protester still was a member of the Weather Underground and protesting against the Iraq war. Only in Ithaca.

Via Instapundit, Le·gal In·sur·rec·tion: Pro-Military Protestor Throws Shoes At Socialist Mayor

Sigh.

Wednesday, February 11, 2009

MTV's The Real World: “Kiss Me, Kate”

Week six and it's “Kiss Me, Kate” on The Real World.

Yup, this week's episode centers on Katelynn, whereby all the cast members come to know her (but not in the Biblical sense). It finally comes out that Katelynn is a transgendered person, thanks to JD informing everybody behind Katelynn's back (“You didn't hear it from me!” he says at one point).

We also get to know Katelynn, perhaps more than we, the audience really care for, as we see her walking around the house in her underwear and see her practicing pole dancing. The rest in the house are scandalized at her walking around in her underwear, and are really scandalized when Katelynn does her pole dancing at a bar in Gettysburg (the cast is there to help with a bicycle race to raise AIDS awareness), especially since the pole is a structural member, not something used for dancing (and as much as I like Katelynn, this was very painful to watch … why Katelynn? Why?).

Now, while it's clear that Ryan is a jerk (or the show is edited in such a way as to make it seem that way), JD is coming across as the real untrustworthy one in the house. He broke Devyn's trust, and now he broke Katelynn's trust. So while Ryan may be a jerk, he's an honest jerk, if you know what I mean. He is what he is. JD … isn't. It'll be interesting to see how things develop with him over the remaining episodes.

Friday, February 13, 2009

Goin' Phishing

I've spent the past few days battling a cracker on our system, a nice change (in an intellectual capacity, mind you) over the typical script kiddies I've had to clean up after.

We were first made aware of the issue with the following ticket:

XXXXXXXXXXXXX XXXXXX XXX
Managed Security Service Provider
on behalf of XXX XXXXX

Subject: Notification of redirection site using a wildcard in your DNS (Phishing)

Dear Sirs,

The Urls http://XXXXXXXXXXXXXXXXXXX, with the only exception of http://XXXXXXXXXXXX, which is a website hosted at IP address XXX.XXX.XXX.XXX, all redirect to a copy (phishing site) of the XXXXXXXXX site, one of the banks of our group. It appears that your name server (DNS) is using a wildcard to redirect any Url in the form:

http://[something].XXXXXXXXXXXXXXXXX

to a phishing web site located at:

http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXX XXXXXX XXX is assisting the group and its related entities in preventing or terminating any online activity that targets XXX XXXXXX clients for potential fraud. This activity violates XXX XXXXXX copyright, trademark and other intellectual property rights and may violate the criminal laws of the United States and other Nations.

E-mail messages have been broadly distributed to individuals by a person or entity pretending to be XXX XXXXX. These e-mails use XXX XXXXXX name and identity (including trademarks) without authorization.

The e-mails request recipients to verify and submit sensitive details related to their XXX XXXXX accounts. Within this message, there is a hidden link that sends to a fraudulent web site displaying XXX XXXXXX copyrighted materials and trademarks.

The redirect mechanism shown above originates from a DNS server that is under your control. Its main purpose is to improperly obtain personal information of clients in order to illegally access their bank accounts.

The owners of these web sites typically perpetrate identity-theft related activities, such as using customers' credit cards or bank accounts without authorization. Furthermore, since the vast majority of the e-mails are not sent to actual XXX XXXXX customers, these actions can damage the reputation and image of XXX XXXXX.

Please take all the necessary steps to immediately shut down the redirect web site, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this web site. We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.

Thank you for your cooperation to prevent and terminate this fraudulent activity.

Sincerely,
XXXXXXXXXXXXX XXXXXX XXX
Managed Security Service Provider
on behalf of XXX XXXXX
Email XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I won't say our DNS system is unique in the way it's set up. We have one master DNS server for all our zones (domains). The zones from this machine are pushed out to four DNS slave servers, two in one domain, the other two in another domain (and for illustrative purposes, I'll use example.net and example.org for the domains we use to resolve DNS for our customers). The four machines are split between two data centers, with one machine from each domain in each data center. The master is never queried from the internet; all Internet queries for our zone information go to the four slaves, and zones are pretty much equally divided between the two domains.

I check the master DNS server, and the zone in question has no DNS wildcard record. I then check the slave DNS servers, and well:

$ORIGIN .
$TTL 598        ; 9 minutes 58 seconds
XXXXXXXX IN SOA ns1.example.net. root.ns1.example.net. (
			2008101001 ; serial
			10800	   ; refresh (3 hours)
			3600	   ; retry (1 hour)
			604800	   ; expire (1 week)
			598	   ; minimum (9 minutes 58 seconds)
			)
			NS	XXXXXXXXXXXXXXXXX.
			NS	XXXXXXXXXXXXXXXXX.
			A	10.11.224.198
			MX	30 XXXXXXXXXXXXX.
$ORIGIN XXXXXXXX.
mail			A	10.11.224.198
old			A	10.11.224.226
www			A	10.11.224.198
*			A	192.168.1.15

(IP addresses have been changed to private IP addresses for illustrative purposes.)

The 10.11.224.x addresses are ours, but that 192.168.1.15 isn't. I know there have been some recent attacks against DNS, and I assumed that the cracker in question may have exploited DNS to add the record. I upgraded all our DNS servers to the latest version of bind, fixed the zone and called it a day. The only services on the slave DNS servers are DNS and SSH, so those are the only two things that could be compromised.

The next day, a reply to the ticket:

We are sorry to inform you that the redirect we described in the ticket is still working.

We kindly ask you to take action as quickly as possible to terminate it.

Thank you,

...

The zone on the master wasn't modified; it was modified on the slaves. I poke around some more, and notice that the updates for the compromised zone are being rejected by the slaves. It turns out the cracker had used the Linux command chattr to protect the zone file from changes. And that can only happen at the command line.

XXXX!

I never liked the “Nuke and Pave” approach to security issues, since without knowledge about how they got in, how do I know I fixed the exploit? And given that the cracker had only modified this one file meant the attack was narrowly focused on propping up a phishing site. So I changed the extended attributes on the file to allow updates, made sure the zone data was fixed, and went about my business trying to figure out how they got in.

Next day, the wildcard DNS record was back, but changes on the master (and the master was never compromised, only the slave DNS servers serving up this domain) again weren't showing up on the slaves. The extended attributes on the file on the slaves were normal, but then I noticed the attributes on the directory! They were modified, and the chattr program (along with grep) had been deleted from the machine.

Nice.

I never did figure out how they got in, and it appeared they were persistent enough to keep coming back (which was odd—I would think that they would realize the jig was up and move on; also odd was the zone they picked—one of the more popular websites we host, with lots of pictures of bikini-clad models). So it was clear the only answer was to “Nuke and Pave,” but until I got a chance to do that, I needed to do something on a box the cracker had root access to.

So, while bind couldn't modify the file, I could edit it directly. After about fifteen minutes of thinking, I came up with what I think was the perfect response—I didn't delete the wildcard DNS record, I modified it:

*	IN	A	127.0.0.1

Rationale: Obviously, each time I deleted the record, they came back to “fix” it. So they must have some sort of automated process to check, and getting rid of it triggered that process. Here, I haven't removed the record, just changed it to something useless for their purposes. I was working on the assumption that their automated monitoring process just checked for the existence of the record and not its actual contents, so they wouldn't come back.

They didn't.

And in the meantime, I did the “Nuke and Pave” on the slaves. Not only did I update bind, but also sshd, and I severely restricted who could log onto the DNS servers.
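The thing that made this one hard to spot was that the slaves quietly served data the master never had, and the master was the only place I was looking. An added check, not part of the original post: a small script that parses zone files in the layout dumped above, flags wildcard A/AAAA records whose target is outside the netblocks you own, and diffs a slave's zone against the master's. The zone name (example.com), the name servers, the serial, the addresses and the owned netblock below are constructed placeholders for the example, not the real zone.

```python
import ipaddress

# Constructed sample input in the layout the slave dumped above. The zone
# name (example.com), name servers, serial and addresses are placeholders.
MASTER_ZONE = """\
$ORIGIN .
$TTL 598        ; 9 minutes 58 seconds
example.com IN SOA ns1.example.net. root.ns1.example.net. (
            2008101001 ; serial
            10800      ; refresh (3 hours)
            3600       ; retry (1 hour)
            604800     ; expire (1 week)
            598        ; minimum (9 minutes 58 seconds)
            )
            NS      ns1.example.net.
            NS      ns1.example.org.
            A       10.11.224.198
            MX      30 mail.example.com.
$ORIGIN example.com.
mail        A       10.11.224.198
old         A       10.11.224.226
www         A       10.11.224.198
"""

# The same zone as the compromised slave served it: one extra wildcard record.
SLAVE_ZONE = MASTER_ZONE + "*           A       192.168.1.15\n"

# Address space the hosting company owns (an assumption for this example).
OUR_NETS = ["10.11.224.0/24"]


def qualify(owner, origin):
    """Turn a relative owner name into a fully qualified one under `origin`."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." if origin == "." else owner + "." + origin


def parse_zone(text):
    """Minimal parser for BIND master-file text as dumped above.

    Handles $ORIGIN, $TTL, ';' comments, parenthesised multi-line records
    (the SOA) and owner-less continuation lines. Returns (fqdn, type, rdata)
    tuples so two zones can be compared as sets.
    """
    records, origin, owner = [], ".", None
    buf, depth, has_owner = "", 0, True
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not buf:                            # first line of a record
            has_owner = not line[0].isspace()
        buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth > 0:                          # still inside ( ... )
            continue
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):          # $TTL and friends
            continue
        if has_owner:
            owner = fields.pop(0)
        # optional TTL and class sit in front of the record type
        while fields and (fields[0].isdigit() or fields[0] in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields:
            continue
        records.append((qualify(owner, origin), fields[0], " ".join(fields[1:])))
    return records


def find_rogue_wildcards(records, owned_nets):
    """Wildcard A/AAAA records pointing outside the nets we own.

    A sinkholed wildcard (127.0.0.1) is reported too, which is what you
    want to see after a clean-up rather than have it silently linger.
    """
    nets = [ipaddress.ip_network(n) for n in owned_nets]
    return [(fqdn, rdata) for fqdn, rtype, rdata in records
            if rtype in ("A", "AAAA") and fqdn.startswith("*.")
            and not any(ipaddress.ip_address(rdata) in n for n in nets)]


def zone_drift(master_text, slave_text):
    """(records only the slave has, records only the master has).

    A slave is a copy, so both lists should be empty; the compromise in
    the post shows up as an extra record on the slave only.
    """
    master, slave = set(parse_zone(master_text)), set(parse_zone(slave_text))
    return sorted(slave - master), sorted(master - slave)


if __name__ == "__main__":
    extra, missing = zone_drift(MASTER_ZONE, SLAVE_ZONE)
    print("only on slave:", extra)
    print("only on master:", missing)
    print("rogue wildcards:", find_rogue_wildcards(parse_zone(SLAVE_ZONE), OUR_NETS))
```

Run against the on-disk zone files from each slave and the master, this would have caught the wildcard on the first day, and a cron job doing the same comparison (or querying a wildcard name against every slave and the master with dig) would have caught it coming back. Note the parser is deliberately minimal: it covers the record forms in the dump above, not every construct a BIND master file allows.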

Saturday, February 14, 2009

Oh, today is a holiday, isn't it?

Yup, just checked. It's “Buy A Diamond or Die Alone Day” (via felisdemens). Thank you so much DeBeers.


Notes on an overheard conversation at 7:30 am on Buy A Diamond or Die Alone Day

“See! I wanted to get here early so I could be first! But look at all these people!”

“Where?”

“The cars? Lined up here.”

“Those are called ‘workers.’ They work here.”

“Oh.”

“And you better hurry up, before that customer walks in first.”

“Thhbtbtbtbtbtbtbt.”

Monday, February 16, 2009

Satire done right

Several days ago I bemoaned the death of satire, but lest you forget what satire is:

Edie Oats, WI—First-year teacher Susan Potts was placed on unpaid administrative leave pending termination from her position at Forked Tongue Middle School for paying for a lunchtime snack with a Massachusetts state quarter.

“We have a strict zero-tolerance policy regarding firearms, and the Massachusetts quarter has a firearm depicted on it. A teacher, of all people, should know better than to bring such items on campus,” said Superintendent Stew Pid.

Pid was referring to the Massachusetts quarter, released in 2000 as part of the US Mint's extremely popular 50 State Quarters Program. The Massachusetts quarter clearly shows a minuteman carrying a firearm.

“I thought all money was acceptable at school,” said Potts. “I just wanted a rice cake and gave the cafeteria lady some coins, one of which was the quarter in question. It never occurred to me to ‘screen’ my money, and I had no idea the cafeteria ladies were trained to look for people spending this particular quarter.”

Potts referred to a recently-instituted anti-violence program at school, the Cafeteria Workers Against Rotten Teachers Endorsing Rifles, or CWARTER.

“The CWARTER program is an effective anti-violence campaign implemented at all our schools,” according to Superintendent Pid. “We've trained all our cafeteria ladies to be on the lookout for money with weaponry on it.”

After spending the inappropriate quarter, Ms. Potts was placed on unpaid administrative leave. Next Tuesday she will plead her case before the school board, which is expected to terminate her employment immediately.

Right on the Left Coast: Views From a Conservative Teacher: Teacher Fired For Spending A Quarter At School

But the actual story being satirized is just as pathetic. And soon, teachers in Wisconsin will have to follow a policy about what they can and can't publish on their private Facebook page (no, really! Unless you're a member of Facebook, and are explicitly allowed by a fellow user, you can't see their page!).

Welcome to the Nanny State.


Governments aren't the only ones that are Balkanizing the Internet

It must have been, oh, 1993 or 1994. I had just logged into the computer in my office at college (a very sweet SGI Personal Iris 4D/35) when I noticed something rather odd—I was already logged in. Upon further inspection, it appeared I was logged in from Russia.

Oh. How nice.

I don't pick easy passwords (just ask Smirk—he bitches every time I pick a new root password that he has to memorize). They really are a random pick of letters, numbers and punctuation with no rhyme or reason.

And yet, here was someone in Russia, logged into my computer.

This was before ssh was even released, so everybody either used rsh (which I couldn't stand) or telnet. And the problem with both was that passwords were passed across the network in plaintext. And that was the problem.

At the time, I was working in the Math Department. On the other side of the building you had the Geology Department. And I should mention that at the time, the second floor was wired for 10Base-2 (all computers on a network segment share a single communications wire—think of a party line for computers).

Unbeknownst to me (or in fact, most of the people on the second floor), someone in the Geology department had decided to install a Unix system, only they didn't quite realize what they were doing because they left the root account without a password! And because the network was 10Base-2, it was real easy for a hacker to install a network sniffer and grab passwords as they were sent across the network.

Not much to guard against that type of attack.

Fast forward ten years, and my account is again hacked. This time it was an inside job—that is, a server I was maintaining for a company had been hacked by someone in said company (not really “hacked” as in he obtained the passwords) and compromised (backdoors and password loggers installed).

And again, not much I could have done to guard against that type of attack, except maybe to not log into personal machines from a work machine.

Fast forward to today. Saw the following on an internal trouble ticket from P:

[New SSH-only server] hacked?

What is /root/send/send.php? Looks like some type of spamming script.

I check, and sure enough, my account had been compromised. And this on a newly installed server, with the absolutely latest version of ssh (compiled from source!) and only one of the three programs running listening on the network (syslogd wasn't listening for a network connection, and crond doesn't listen on the network).

And there it was, sending out spam.

Nuke. Pave. Do not pass Go. Do not collect $200.00.

Sigh.

Tuesday, February 17, 2009

The Greylist Daemon: The “We only accept() invitations for 10 seconds” Version

Two quick notes.

One, the latest version of the greylist daemon has been released. 'Twas a small issue of bulk data transfers failing, leaving a process that was hard to kill. And 'twas an easy fix (basically, don't ignore EINTR when calling accept(), and make sure we have a timeout on the call to accept()).

Two, apparently the version of xsltproc I have on lucy doesn't like the XSL files for my site (as I found out when trying to update the software page), which means I have some hideous debugging to do (and if you've ever seen XSL, you'll know what I mean).
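The greylist daemon itself is C, but the shape of the accept() fix carries over to any language, so here is an added example (not the daemon's own code) in Python: a listener whose accept() gives up after a timeout, inside a loop that re-checks a stop flag between calls. Without the timeout, a process blocked in accept() never looks at the flag, which is exactly the hard-to-kill process described above. In Python 3.5 and later, accept() transparently retries on EINTR unless the signal handler raises, so a signal alone won't unblock it; the timeout is what guarantees the loop wakes up. The 10-second default, the echo handler and the HELO payload are assumptions for the example.

```python
import socket
import threading

ACCEPT_TIMEOUT = 10.0   # seconds between looks at the stop flag (assumed value)


def make_listener(host="127.0.0.1", port=0, backlog=16):
    """Bind a TCP listener; port 0 lets the kernel pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(backlog)
    return s


def accept_with_timeout(listener, timeout=ACCEPT_TIMEOUT):
    """accept() that returns None after `timeout` seconds instead of blocking
    forever. The accepted connection is returned as (conn, addr) and is a
    normal blocking socket (Python resets the timeout on the new socket)."""
    listener.settimeout(timeout)
    try:
        return listener.accept()
    except socket.timeout:
        return None


def serve(listener, stop, handler, timeout=ACCEPT_TIMEOUT):
    """Accept loop that notices `stop` (a threading.Event, set for example
    from a SIGTERM handler) within `timeout` seconds even when no client
    ever connects. Returns the number of connections handled."""
    handled = 0
    while not stop.is_set():
        got = accept_with_timeout(listener, timeout)
        if got is None:
            continue                 # nothing arrived; go look at the flag
        conn, addr = got
        with conn:
            handler(conn, addr)
        handled += 1
    return handled


def demo(timeout=0.2):
    """Stand-alone round trip on loopback: serve in a thread, connect once,
    raise the stop flag, and report (connections handled, bytes echoed)."""
    listener = make_listener()
    stop = threading.Event()
    result = []

    def echo(conn, addr):            # trivial handler for the example
        conn.sendall(conn.recv(64))

    t = threading.Thread(target=lambda: result.append(serve(listener, stop, echo, timeout)))
    t.start()
    with socket.create_connection(listener.getsockname()) as c:
        c.sendall(b"HELO")
        echoed = c.recv(64)
    stop.set()                       # the loop exits at its next timeout
    t.join()
    listener.close()
    return result[0], echoed


if __name__ == "__main__":
    print(demo())
```

The test of the fix is the second half of demo(): after the client has gone, nothing else connects, yet serve() still returns once the flag is set, because accept() hands control back every `timeout` seconds.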

Wednesday, February 18, 2009

MTV's The Real World: “A Rat In The House”

I think (or rather, hope) we're at the halfway point with tonight's episode of MTV's “The Real World”—aka “A Rat In The House.”

Is it Devyn who is stringing along two men, David, her “semi-fiance” and Jim, her “um, friend?”

Is it JD who came up with the prank to put a rat in Devyn's bed?

Is it Chet, who was the one who actually put said rat in Devyn's bed? And later shames Devyn into picking one of her two men (she drops the “semi-fiance”).

Is it Ryan, who decides to take the same rat and put it in Sarah's bed?

Or could it be the pack of mice that have invaded the house?

It's like I've died and gone to high school. Or maybe a high schooler's perception of college.

Anyway, it's getting to be quite the chore watching this show week to week and realizing that unlike every other so-called “reality show,” no one is getting voted off this particular island. And it might not be so bad, but the sole reason Bunny and I are watching this is to see Katelynn, and so far, there's very little Katelynn to be seen (although we did see more than we wanted of Katelynn in last week's episode). You almost forget she's there, and I have to wonder if she was aloof from the rest of the cast (or of the producers), or if she just didn't participate in enough “drama” to make good television.

And Bunny is completely convinced the entire show is scripted.

Perhaps it's the producer who's the rat.

Thursday, February 19, 2009

“Where have you gone, Milton Friedman, Our nation turns its lonely eyes to you.”

A-XXXXXXX-men! (link via Instapundit)

No, really! Watch the whole half hour video of Milton Friedman ripping into Socialism with eloquence that President Obama could only dream about.

And if you don't have half an hour, here's two and a half minutes of Milton Friedman eloquently shredding Phil Donahue into pieces.

Wednesday, February 25, 2009

Yeah, but is it art?

Bunny and I went to the Boca Raton Museum of Art. Bunny was interested in seeing their current exhibitions, “Shock of the Real” and “Duane Hanson: Sculpture and Photographs 1978–1995.”

Bunny had initially thought that the “Shock of the Real” was a photography exhibit, but instead it turned out to be a series of photo-realistic paintings by several artists. She was amazed at the level of detail until I told her that most of the paintings were probably done by projecting the image onto the canvas and tracing it (only a few were described as being done this way, but I suspect most of them were), much as many Renaissance artists are suspected of having used the camera obscura. This upset her quite a bit.

You see, we'd been having a months long discussion on artistic endeavours, the use of tools and the necessity of talent in artistic expression, and even the actual definition of “art” (one of my art teachers at FAU defined art as “that which is useless for survival”—an apt definition when you think about it). It would be difficult for me to sum up the current state of our debate and our individual stances (Bunny was initially horrified at the very thought of Microsoft's Songsmith, yet I loved the idea, but she understands musical theory and I don't, and she's softening her stance on that particular piece of software; I loathe PHP, but I understand programming, yet PHP allows non-programmers the ability to create dynamic websites, which I think is pretty neat (but I still wouldn't want to work with such code)—told you it was difficult to explain, much less sum up).

She felt at first that the photo-realistic artists were cheating by tracing photographs in oil, acrylic or watercolors (and man, some of them were hard to tell from photographs up close), but I reminded her of my final project in Drawing I at college—a self portrait, where I totally cheated. I photocopied my hand (it was on an older photocopier—high contrast black and white). I then smeared powdered graphite over drawing paper, then “traced” the photocopy on a light box using an eraser. Not only did I get an “A” on the project, but it was later stolen out of my office at IBM when I worked there (not only did I create “art” but I've had my “art” stolen!). Bunny thought I took a novel approach though, and this, coupled with a few more hours of discussion, began to soften her opinion on the cheating photo-realistic artists.

We both found the Duane Hanson exhibit less controversial, although still very interesting.

Saturday, February 28, 2009

All I want to do is log in …

Gah! Computer security is annoying!

Due to some recent attacks, we've implemented some ad-hoc changes to network security until we can get something better into place. Right now, we're filtering all ssh traffic on our routers, as well as on some individual servers, in addition to single packet authentication on one of our servers.

And I don't know what's more annoying—the script kiddies or our ad-hoc security measures.

I wasted today just trying to get this “single packet authentication” thingy working (since I need to work on “Project: Leaflet” and it would make my life a whole lot easier if I could log in directly) only to have it fail.

Miserably. (How miserably? I turned off the filtering on the router, the firewall on the physical server, the actual single packet authentication daemon, allowed anyone to log in via ssh, and I still wasn't getting through. Aaaaaaaaaaaaaaaaaaaaaaahhhhhhh!)

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links is simple: Start with the base link for this site: http://boston.conman.org/, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

http://boston.conman.org/2000/08/01

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2017 by Sean Conner. All Rights Reserved.