Kalimat al-Mutafalsif

I'm posting this as is, since time is key on this post. My CSS is screwed somehow, have to fix that, also it appears they caught on to my trick, and might validate now.

So... one big caveat of 'secure programming" is to validate anything you're given. if you don't check that you get what you expect, well, people will give you something you don't, and Bad Things happen. The worst offender of this little problem is the internet. Yup, a lot of web sites figure "We'll put a cap on the web form's input, and not check server side, that'd be inefficient." Interesting theory, lets see what happens when you make this assumption on http://www.ratemydesktop.co.uk, where I posted a screenshot of my desktop.

First off, quick HTMl lesson for those of you who don't know. To display a form, a form being a place the user can input data, on a website, you use the

<form>

tag. So, a full form might look something like


<form>
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=1';">1
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=2';">2
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=3';">3
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=4';">4
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=5';">5
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=6';">6
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=7';">7
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=8';">8
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=9';">9
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=10';">10
<input type='radio' onClick="window.location='index.php?ac=2&id=165';">Don't vote
</form>


So, the above is an example of a bad form, but a form none the less, for a poll. You have 10 radio buttons, and when you click any of them, it sends you to a page that adds the vote. This is kind of a bad way to do things, I'd make those regular buttons, not rado buttons, but that's just me.

Now, where's the hack here? Can anyone spot why this is a horrible form? I'll give you a hint, it's in "window.location='index.php?ac=0&id=165&rating=8". window.location is javascript that sends you to another page. So what this does is sends you to index.php, and passes it a few variables. now do you see it? It, first off, just sends the data as GET variables. That can be easily faked. Second it sends the rating as a variable too. Now, to make this secure, you should check that the rating is between 1 and 10. Also, send this as POST, so people can't just send the data in the URL bar as a fake. Finally, whatever page you send it to should have some sort of limit on connections from one IP, and votes per IP at the very least. Otherwise, people do stupid things like this. Note both the number of votes as compared to others, as well as the rating. (It's trending to 31337, just for fun).

So, how'd I do that? I used a fun perl module called WWW::Mechanize (overkill, I know), and made it go to the webpage on rating 10. (Those links above, they're for my desktop). The whole thing is 11 lines, with some that can easily cut out (I think it could easily be only 6). Here it is:

#!/usr/bin/perl

use WWW::Mechanize;
my $mech = WWW::Mechanize->new( autocheck => 1 );
$vote_page = "http://www.ratemydesktop.co.uk/index.php?ac=4&id=165&rating=31337&tp=4&sstr=155";
$x = 1;
while($x ne -1) {
        print "Voting - $x\n";
        $mech->get( $vote_page );
        $x++;
}

Finally, I ssh'd into my box at home, where I wrote the above script, and started it running a coupla times.

I realize this post is kinda rambling, but I'm writing it as I do this, and I've gotta get off to class. It appears they did kill my connections just now, all of them at once, but I was able to start them right back up. However, I stopped influencing the rating a while ago, so they might indeed have some sort of check in place. No matter, I've got enough IPs to get it to 31337 soon enough.

Well, it finally hit the papers today (ok, yesterday, this has been a draft for a day). A phishing email went out, and instead of asking you to login to a bad site, it changed the legit phone number to a false one. They wanted you to call this fake number tor eactivate your account. Now, I've known that phishing is not just limited to email, that's why I define it as "Scamming other people out of their credentials". Hopefully, this'll make mainstream media rethink their definition of phishing, and stop giving the false pretense of "ignore email, and you're safe". No one is safe, ever from frauds.

Or: Why I Hate English.

Some of you may know I have.... problems when I it comes to English. My spelling is atrocious, and grammar is worse. I can't learn the vocabulary because it amounts to route memorization, and most rules have more exceptions then there are rules! What a poor system! But wait... I have a soltuion.

It's called Arabic. Imagine this: A system where knowing the root of a word gurantees the meaning of the word. In English is a Pedophile someone who likes little kids, or feet? Ped is the root for both. Seeing as we have laws against one, and not the other, its kind of important to be clear.

Prereqs
I'll be referring to specific roots using capital letters of the English equivalent. Any old root is referred to as CCC (standing for consonant 1 consonant 2 consonant 3). Lowercase letters indicate vowels, with one letter being short, and two being long.

Roots
Arabic is structured around three letter (ok, there's also four and maybe five letter, but mainly three letter) roots. That's it. Memorize that KTB deals with writing, and you can accurately guess any derived form.

Forms
There are many derived forms for Arabic. Each of these takes one of the roots, and manipulates it in such a way as to get a set meaning. Always, no exceptions. If you know DRS deals with learning, and form 1 verbs (CaCaCa) are just the action, then DaRaSa would be to learn. Form 2 you know is to make someone do something(CaC-CaCa), then DaRRaSa would be to teach (make someone learn). Each form has a specific meaning that adds to the meaning of the form before it. Form 6 extends form 3 by adding a "ta" to the begininng of the word. Form 5 does the same for form 2, in both cases the "ta" makes it reflexive.

Derived Words
Just as there are forms for deriving verbs, there are forms for deriving all the nouns and adjectives. Forinstance, we already learned that CaCaCa means to do the verb, and I'll tell you that maCCaCa is the place of doing the verb. From this, and knowing the root DRS, you can guess that maDRaSa means "school" (the place of learning). To derive it, the thought process is "DRS->DaRaSa->maDRaSa". Taking first the root, plugging it into form 1, then the form for a noun meaning place. Simple, right? You can do this with any verb, and at least technically it is correct. KTB is to write, so maKTaB is a place of writing, an office.

There are many forms to derive nouns. There's specific ones for meaning a small version of the noun, for a habitual doer of the verb, for just about anything. This makes it simple to take any nun you see, derive the root, and hence the meaning.

Adjectives are formed the same way. You take the root, and add a certain ending (ii). So, if brown is BuN, then to say something is brown, you'd say it's "BuNii". This holds for all adjectives. In fact, it holds for all words, if you want to use it as an adjective, you can. Just add ii to the end, and its understood to be an adjective.

In Conclusion
Now, can you see why I like this language? Reading it is a matter of matching the word up with your hueristics of forms, and deriving the root. Then, once you know that meaning, you can derive the meaning of the word you wanted. It is a system that I think would kill English, or any romance language if more people knew Arabic.

So, I (think I) coined a new phrase today. Passive Identity Theft. It's not illegal, as you're not actually stealing someone's identity. However, you are posing as them by not saying you are them. Confused? I'll explain.

Around December of last [My first year of college] year I got an email, it said that my school parking pass had come in. It interested me because it had my name on it, but was for a campus that I don't attend. I did some research and found out that, surprise surprise, there's another person with my name, and an almost identical username. He just attends a different campus. I emailed back the parking operations people, and informed them of their mistake, told them who to contact, and thought nothing of it.

Earlier this semester I was "hired" by a professor as a research assistant at roughly enough to pay my internet bill each month [Edit: It turned out that this was actually substantially more than I had anticipated...]. Now, even though I emailed the lady who should have my contract, she never got back to me. I heard no more about it, and assumed things had fallen through, and I wasn't really "hired".

Yesterday I got a forwarded email from her saying "Does he [me] work for you [professor I'm working with]"? I promptly replied saying I'd like to, but that I wasn't yet, as I hadn't been able to sign a contract. So, I talked with her today, and she explained the whole deal to me:

After she filed my paperwork she looked "me" up in the system (when she already had my email, I don't know why) and sent "me" an email telling me to get the contract. I never responded (obviously, as it was the other me's email, in case you haven't caught on). She repeatedly emailed "me" trying to get "me" to come in and pick up my (not in quotes as it is my money) contract/pay stubs (pay goes out even without a signed contract). Well, this guy ignored it. He must have known what it was about, as he got paid for three months, all the while ignoring her emails. Finally, just now, he came forward and said he wasn't me.

So, I signed my contract finally, and hopefully things'll work out for the rest of the semester. But lets take a look at this.

He never claimed to be me. So, its not identity theft. But he knew he was getting someone else's money (or thought he had a job he never attended at a campus he doesn't live near) and never reported it. He also didn't respond to the lady telling him where the money was coming from. Now, he did in the end, but he owes the school 3 months pay since he accepted it. I consider that identity theft. I'm calling it passive because he did nothing more then sit back, and watch the checks roll in. Thankfully, I'm not a petty man, because I have his user id,full name, and student number. If I anted to... gee... I could phish him for his identity and use it. But I'm a bigger man then that.

So, remember, you can hurt people by not doing anything just as much as by stealing their identity. If you're in the situation I described above, do the right thing and report it, as I did in the first case, don't ignore it.

In an attempt to bee productive with the whole Linux, not Windows, thing, I've decided to give a wee bit back to the Linux community. Specifically by trying to draw in new users. So, to that end, I've started a page of different Linux desktops, and what they run on (screenshots of the actual desktop and window manager) to show those who don't know just how customizable Linux is, even to a newbie. To check it out, go to the right panel, and click the "Infinite Linux Desktop" link. Or, for now, you can go here. I hope for this to be updated regularly, and submission instructions are provided on the bottom of the page, so check back often!

Kalas, I'm through. You've all heard my cry and complain about Windows. You've seen more posts in recent weeks about Linux, and its joys, well, this is it. I'm through with Windows. This amateur excuse of an Operating System. This aborted joke of DRMd'd crap code designed with money, not user experiece, or security in mind. This tribute to capitalistic sentiment exploiting end users who have no clue the atrocious code they were just sold.

Anyways, let me start over. Blizzard just released a new pacth for World of Warcraft. I installed it, and started up the game. played a while, and crash. Big ol' blue screen, not of death... just my screen went blue. I rebooted, and it gave me the beep POST code for no power. On the monitor it displayed "Please connect the power to your video card". I did nothing besides install that patch. So, I figure its WoW. I try Battlefield 2, and same thing, just immediate this time. Well... now I'm worried about my hard drive because whenever this happens it makes a really sick click as it seeks to the end of the drive in about a millisecond, then spins down. It'll boot every other time... and every time it freezes, I have to wait 5 minutes to boot. So I bought a new hard drive, and loaded Linux on it. Linux worked perfectly.... huh.

So I installed the new drive, and remember how nice it is to play WoW and BF2 at 1600x1400 with 7.1 surround sound on a 19" CRT. Gorgeous. Then I plug my Linux boot back in (the old hard drive), and BAM. Same old ----- junk. This pissed me off. I went ballistic. Not because its broken again, but because the new hard drie had the same problem, only it wouldn't freeze. There must be some sort of error checking. So Windows requires the drive to have error checking to boot? That's it. Amatuer hour is over, I'm mailing back the new drive, and I'm done with Windows. It gets a 20GB game partition on my crappy laptop and that's only because I still need to finish a website in Flash for a friend.

After this... if the game won't run under WINE, screw it, its not getting on. I've had more fun in the past 20 hours with Linux on this desktop then I ever had with Windows. It looks more gorgeous then Windows ever did. And this time 'round (With Fedorwa Core 5) it was easier to setup the hardware. No more excuses. It's boycott time. I'm not buying another system that comes with Windows preloaded. I'm not using any Microsoft products on my computers except those required for freelance work. (Which is the OS, only). I will adamently tell others about the crap that is Windows, and advise them not to buy it, as well as provide Linux free and tech support for Linux free. I'm sick of this. A major company gets away with poor code merely because it owns the market. People need to realize this is it. If we keep accepting the crap they feed us, they'll keep feeding crap. I... I have no more coherant words to add to this rant. That's it... I'm done

You know what happens when you assume, right? Maybe you do, maybe you don't. I've spent the day musing over various assumptions, how I've used them, and how they can be used, and I think its something everyone should know.

As a broad overview I'll go over the different types of assumptions, as I see them. Then talk about how the fit into hacking, and finally examples from my life that back this up.

Safe Assumptions
What do you think when you see a pretty girl with a ring on her left ring finger? She's married.
How does the assumption change if its a diamond on a silver band, versus a plain gold band? She's only engaged.
Two people holding hands somewhere? They must be dating.

Are the above always true? No. I have friends that wear rings on that finger, who are single. I know others who just like to hold something, so holding hands or linking arms means nothing to them. In the Middle East it is quite common for close male friends to hold hands. Doesn't mean they're dating, just they're close friends.

I'm calling these "safe assumptions" however, because you're almost always going to be right.

Weaker Assumptions
Now, for a weaker assumption, lets use context. I see a person, early 20s on a college campus.

How would they consider themselves politically? Good guess, would be liberal.
What year are they? If near dorms, guess underclassman, if near off campus living, guess upperclassman.
Dressed really fancy? If there's no obvious parties going on, I'd guess in their final year, and going to a job interview.

Poor Assumptions
These are the basis of more hacks and cracks then anything else. I speak, of course, of the buffer overflow, where a programmer assumed "That could never happen", "Who would input that", or "Why would someone try that?!"

These are really, really bad, as assuming someone won't try something, or something won't happen is begging for something bad to happen if it does.

Hacking
Some, especially the political, of the above assumptions people will jump on me for. "You can't assume that!" or "How do you know that's true?!" Answer is, I don't, I assume it to be true. And that's where, with a little luck, this plays into hacking. By hacking, I should clarify that I mean both cracking other systems, as well as social engineering.

So, how can assuming something to be true, versus knowing its truth value, help you? Let me go back to my basic assumptions. You see a young woman, she has a gold band on her finger. I could tell her I know her husband. She'll think "I never told him I have a husband" and might believe you. She wouldn't stop to think she's telling the world she has one. I do say young here, because the two ways this breaks down is if the husband has already died, or she's married to a woman. Can't do anything about the latter, but unless it was an accident, if she's young the husband will still be alive.

So who cares if I can guess she has a husband? I could pose as someone who knows him, if I wanted to kidnap her (notice how big of a problem this is in other places of the world, and a DEFINATE source of money). Or, perhaps, I just want to make myself seem friendly so that she'll listen to a sales pitch.

Ok, I might be stretching that one. But here's a way it pertains to hacking. If you buy a Linksys router the default wireless ESSID is linksys. The default login is admin:admin. Unless you know to change that those values stay forever. So, one might work at Best Buy, and note who buys linksys routers. You could also just go war driving for "linksys" access points, but that doesn't help my argument. Find people with a linksys router, you can assume the default login is still good if they've not changed the ESSID. Login to the router, and do whatever you want. I'd recomend DNS pharming them just because its a trick I came up with (attacking DNS settings on wifinetworks for the purpose of farming).

better, its a safe bet that a new Windows machine is not setup to prevent access physically. By default there's no login manager, so if you notice Dell boxes outside of a company, you might be able to walk up, and login to the new system. Throw an admin account on there, hide it, and walk out.

But, I want to stay mainly with social engineerring. So here's how I use it

My Games
I love games. I also love hacking. So i combine them to make my life one gigantic war game of hacking. Social, computer, whatever. I keep it legal, mostly, and only go so far... not over the line.

To that end, my goal is always to make as many "safe" assumptions as possible. This is almost never possible, as whenever I run an "op" on someone, by which i mean guessing as much about their life as possible or hacking in some other way, I almost never know them ahead of time. That's where context comes in. You may notice under "Weaker" assumptions I give context. I do that because without context, guessing a random person's political afifliation is neigh impossible. However, adding in that most young people are liberal, as well as most college campuses voted democratically in the last election (check for yourself), it becomes almost a safe bet a college student would consider themselves liberal. It is also important how you phrase this. Note that I did not say "Is liberal", I said "consider themselves liberal". Because most are also going to care what their peers think, they won't say "conservative" because they're afraid people will associate htem with the present administration. So here, how you pose the assumption is also quite important.

So, I opened a bank account recently. I didn't much like the service I was given. So, instead of being my normal polite self I only spoke when I abslutely had to, and spent the rest of the time analyzing the lady who was making the account. I'd say she had one kid, middle school aged, and a husband that worked. I made this assumption because she had kids artowrk in teh walls, and someone called to tell her they were home. For a more detailed analysis of how I came to the conclusion, feel free to get in touch with me, but take my word for it they were really safe assumptions.

This is just a broad overview of what I've been thinking about today, and as always is designed to make you think about it and come to your own conclusions. I'd welcome comments expanding on this, as I've just begun to think about it today.

Well, some of you know why I like Linux. I've got another to add today, the amazing, gorgeous Graphical user Interface (GUI). What? Did he just say Linux's GUI was better then Windows? Yes, yes I did. I finally believe it too.

To explain why, I just installed the new Fedora Core 5. Its been out, oh, 15 days so far. Fedora is the bleeding edge version of Red Hat, and as such is jam packed with drivers. First off, the install actualy looks new, which is a major plus. Second, it was easy as anything, much more so then Windows, as it doesn't interrupt you in the middle. Also a plus. Finally, it recognized my ATI video card right off (ATI sucks with Linux), and I got 1900x1400 resolution with no work on my part, other then sliding the slider up from a measly 1280x1024.

Then I spent the next few hours tweaking the themes, login screens, and everything I could find. Here's that I've got for a desktop right now. (Warning!!! Large picture, it's at my 1900 resolution!) I've got a cycle of 4 login screens, all darker colors, and as I get more, I'll add screenshots here.

Well, last night I saw a news story that got me really fired up. I wrote a rather lengthy post about it, saved the draft, and went to sleep. I'm glad I did. I got up today thinking a bit more rationally, and trying to determine the purpose of this blog. So far I've used it to talk (rant) about various tech decisions and products, gaming I do, and things I've done. I've tried my best to keep religion and politics out of it, for those are two subjects that tend to tear societies apart. My post last night would have infringed a little on those, but it was more of a semantics argument that I feel would be out of place on this website, which I'm trying to keep moderate. I did, however, decide that, due to the hacker nature I lean towards, posing it as questions would be a lot more helpful. I won't tell you my answers, but these are things you should think about, as the term is used a lot in today's American culture.

What makes a "hero"?
Does dieing for any reason make one a "hero"?
Are you automatically a "hero" if your job puts you in harms way?
Can you be a "hero" when not in any danger?
If you know what your job requires, and you accept it, are you a "hero"?
Does telling someone you can't do anything make one a "hero"?

I found that these are good questions to muse on, and also that the answer is not black and white. What I consider a "hero" can be radically different from how you define it. I've always had a problem seeing things in black and white, ones and zeroes, which has actually caused some problems for me. So, I end this post urging you to think about everything around you. Don't accept what you hear in the media, from the government, from your peers, but only what you accept for yourself. I'm not a conspiracy theorist, I'm not trying to say the government's trying to keep the people down, what I'm saying is everything you hear is coming from another person's perspective, question it before accepting it.

So, some of my friends, in the past, have asked me to teach them how to hack. I normally agree, depending on who it is, to give them the tools. Teach them UNIX, show them how to find stuff online, etc. What I can't teach, however, is the mentality. I had some fun last night, and I figured I'd share it with you, give you a feel for how a hacker thinks.

First, I have to tell you a little bit about myself.

See, hacking, in its purest form, is not what the government, hollywood, or the media want you to believe. Hacking is merely finding a creative solution to a problem. You might remember my post about Hacking Your GPA. I never once talk about actually cracking a system, except to say it's illegal, instead I focus on how an individual can get the GPA they want with a whole lot less work. I want to make a clear difference right now between "hacking" meaning a creative solution and the "media hacking" meaning click a button, and make a botnet (we call them script kiddies).

I'm a big fan of 2600, the hacker magazine (side note, I love the google impersenation they have up right now) and buy every new issue when it comes out. I do, however, pay cash, just in case it is tracked. Every time I buy it, I end up in the same conversation with the cashier.

"So, this is a hacking magazine?"
"Yea."
"So, you're a hacker?"
"Yea."
"Isn't that illegal?"
"Nope, I hack my own systems, do security audits, anything when I have permission beforehand."
"Oh."
"Why are you a hacker?"
"Because its how I think. I like information, knowing how things work, and it drives me crazy if I can't figure it out. have a nice day."

Some things change, others remain the same. There's always an incredulence to their voice when I admit I'm a hacker, as if I should be scared. At first this scared me. What if they recorded who buys this? What if the media gets the government to go on a hacker witch hunt? Then it pissed me off. These people judge what I do. Assume I'm a no talent script-kiddie, and that I only look to hurt people. Now, I enjoy it. Every conversation I get to enlighten one more person that hackers aren't evil. We're normal people, blessed with an inquiring mind. So, after my last conversation, no one was in line, and I opened up to the cashier. Told her about hacking. Pretty much all of the above. Her response?

"Oh, I never knew that's what hacking was. Thank's for telling me."

It was a good feeling, standing up for a whole culture that gets a bad rap. So, that's what I think of when I say "hacker". I know people assume we're script-kiddies, just looking to hurt people. Dirty guys sitting in dark rooms laughing as they take down government systems. But I have to say I'm a hacker because I have the questioning mentality of needing to know how stuff works, and I'm proud of it.

Background aside, yesterday in my phishing class a guy stood up, and told us of a phishing email his sistere got. How he'd now have to talk to his family about Phishing, and all that. I decided to check out this company (name not mentioned to protect them, and me). Here's how I was thinking.

Reasons
The entire reason I did this was to find out if my classmate's sister was in trouble from these

Recon
First I did a dig on the domain name. Found who's it was registered to, and where it was located. Turns out, it was off shore. later I found an IP on one of their pages, did both a dig, as well as a traceroute on it, to find out where it was located, and how it got into the country.

Next I visited the website, and found it was a gambling site. Interesting.

Cracking
While I was trying to get into the page, I ran into the problem that they actually verified credit card info. Since falsifying that is a crime in this country, I had to find a work around. First thing I did was check the source of the page. It normally yields at least the next place to check, if not the answer. Sure enough they had a poor coding scheme, intro page was 1.asp... I was on 3.asp... so I tried 4.asp. Bingo, it welcomed me, and sent me to their main page. This yielded the IP I tracked down later.

Where to go?
So, you're into the site, where do I go from here? So far everything's looked like it's legit, and I wasn't sure if I needed to poke around more. But, all their gambling programs were flash programs. I like messing with that, so I grepped the source again, and found the name of the files. They were fairly decent in security, in the fact that I couldn't use wget to traverse their file structure. Kinda a setback, but I got around it. The goal here was to prove the flash files were fakes. Turns out, after decompiling, they weren't. This was a legit site.

So what?
Well, I got out of the site, and thought about what I'd learned. As an aside, every hacker should learn something from everything. If its the millionth time you've played this game, look at the one spot you never look at. Analyze your own game play. You'll find something to learn. Anyways, I came to the conclusion that this site had some tricks to it... they made it look like it was secure when it wasn't, and had some nasty stuff in the EULA but was legit. So, it wasn't a phishing scam, the guy's sister and family had no reason to worry, but regular users, if they didn't read the EULA, would get screwed out of a ton of money. Well, if you're frequenting off shore gambling sites, you're probably already losing money.

I realize I mention a lot of UNIX command tools, and general network stuff, so if you're unsure of something, feel free to ask. If anyone wants to learn how to hack, feel free to ask, but I can't teach the thought process, so if you're not naturally inquisitive, forget about it. I feel I should say I didn't break any laws doing the above, and I don't support illegal actions (gotta say that to not get sued/arrested).