I Failed a Turing Test!

Post by: on October 24th, 2008 | Filed Under Annoyances, Security, Stupidity

Ok, the title lies, but I'm cleaning up my desktop, and came across a screenshot from a few days ago. It is a CAPTCHA that I, for the life of me, could only make sense of as: Six E Pi Pi. So, in this case it worked, right? The human figured out what the letters should be, except as clearly as those are Pi's, Pi is not a letter on my keyboard. I figured I should get a screenshot to show where CAPTCHAs are going:

Sadly, CAPTCHAs are a technology we need to combat spam, which accounts for at least 80% of email today, not to mention message boards, instant messages, or text messages. However, we're merely engaged in a technology arms race with spammers; this is *not* a technology that is winning any fights, we just try to stay one step ahead. This is increasingly hard with CAPTCHA entry being a job in countries with lower incomes, spammers cheating by offering porn in return for solving a CAPTCHA, and (in a case that doesn't just apply to humans) CAPTCHA breaking driving AI research. Basically, no 'new' CAPTCHA technology is going to keep spammers out for long. A bleak future indeed. On the other hand, we already have 80%, how much worse can it get? I think the real answer lies in spam filters, although for the most part those are also in a mere arms race, but at least then you can control your own computer, not just leave the image out there for another human to crack.


Gun Control and Music|Software Piracy

Post by: on September 25th, 2008 | Filed Under Interests, Real Life Rights, Security, Stupidity

Tragically, there was another school shooting at the beginning of this week. This one was in Finland, and their second in 12 months which left 10 dead, 11 including the shooter. We can expect the cry for more gun control, both domestically, and in Finland, so I pulled out a post I've been saving due to not having time to finish it.

Finland

First I want to address the Finland shooting. Finland is third in the world in terms of gun ownership per capita, behind the US, and Yemen. This is because hunting is huge in Finnish culture, as one person puts it, "the national sport". And yet more people are killed by knives than guns (according to that article). The youth are raised around weapons, they can legally own a firearm at 15 with parental permission, and for handguns they must be a member of a gun club. Yet until 12 months ago, they'd never had a tragedy like this.

The conclusion we should be able to come to is it's not the gun's fault, it's the human's. You have a person capable of cold-blooded, calculated murder, and no amount of laws will stop them from carrying out what they want to do. It requires human intervention: Parents who care, friends who realize when someone's hurting inside, kids that are strong enough in their self-image that they can get through school without bullying. As many are so fond of criticizing the War on Terror, it's more than just people with guns, it's a social problem that requires compassion, and understanding. However, if those fail, you had better be prepared to fight for what you love, because when a person reaches the utter mental darkness these killers were in, there's going to be no reasoning.

It's worth pointing out that in this most recent case the killer had homemade bombs with him, as did the Columbine shooters. If they had no access to guns, they would have still been able to kill.

But that brings us to Gun Control.

Gun Control

Gun Control: At its heart, the idea is fairly basic, to control the guns that are in public circulation so that bad people can't get them. While I know people who would argue against any limitation on weapons, I think most will agree that there are people out there who shouldn't own firearms, just like there are people who shouldn't be able to drive, people who shouldn't be allowed to practice law, and people who shouldn't be allowed to practice medicine. One obvious answer here is felons, if you're convicted of a violent crime, you forfeit your right to bear arms.

Unfortunately, in recent years gun 'control' goes way beyond 'control'. Now people want a gun ban in the name of gun control in some places, such as the District of Columbia (recently overturned), and Britain. Yes, this will keep guns out of the hands of law-abiding citizens, unfortunately we have to remember that these guys who shot up their schools were not law-abiding. They committed many acts of cold-blooded murder, and no gun ban would have prevented that. Now, it would have made it harder to get the gun, but as we can see from Britain, it would by no means have stopped them from getting guns. There, violence went up once private citizens lost the right to bear handguns. I've heard first-hand accounts from friends that if they ever did something wrong, and the bobbies wanted to stop them, they'd simply run, since the worst they had to face is a night stick, and they could outrun the cops.

Piracy

Now, I'm going to play to my (intended) audience for a while. You know I'm not just some crazy gun nut, I also fancy myself a (white hat) hacker, and know most of the arguments for and against music|software piracy. What does that have to do with gun control? Let's examine DRM, or "music piracy control". DRM is a system whereby a company can have "absolute" control over their intellectual property, in this case let's say music. If I went to any hacker, and said that Congress passed a law requiring DRM on every digital music download, to prevent piracy, do you think they'd be put out at all? No, they'd laugh, and explain how in 3 minutes or less they'd be able to bypass the DRM (I'll refrain from linking to those news stories... I value my freedom). I know, I know, this is completely unrelated! Or is it?

In both cases we have an arbitrary control system, X, designed to stop the user from doing Y. In the case of gun control, X is "legal ramifications" and Y is "buying guns", and in the case of DRM, X is "DRM", and Y is "copying the music". In both cases it is the honest people that suffer here from a lack of freedom and security. In the case of guns it's physical security and the freedom to defend yourself, and in the case of DRM it's the lack of freedom to use what you've bought and the security that if your computer dies you can have a backup. So why is it that one of these is a perfectly smart move, and the other will never work?

As a security professional I know that there's no such thing as a secure system, I don't believe that for a computer with limited physical access and a decent firewall. So why would I believe that any country, or even any city, could pull off a complete gun ban, eliminating the ability for criminals to get their hands on them? Now, in the case of my computer, I plan for Bad Things to happen. I keep backups, I make sure there's spare hardware around just in case, and I look at my security logs to make sure. But how do we plan for Bad Things to happen when the gun ban falls through? Should we sit around, and pray the cops come quicker than the 5 minute average? I've had my car trashed before, had two friends of the criminal take their time, and walk away right past the cops who took 10 minutes to get to my call. Do I have faith that they'll be that much quicker when I call and say someone's held me up at gunpoint? Or that someone's broken in and has a gun? Of course not! I'm not saying citizens should take the law into their own hands, just be given a chance to defend themselves until the cops can show up.

Deal with the Problem
For the sake of the argument, I'll say we have a completely 100% secure gun ban in effect in America. This won't stop violence, as Britain has shown us; there must be another cause. In the end, crime is a human (not social, humans created society, therefore it's a human problem at its root) problem, and will be around as long as humanity is. What we, as a society and a race, need to do is recognize those human problems, and combat them, not the weapons used. When guns are banned, knives will be used. When knives are banned, shanks will be made (look at prison), when all sharp objects are eliminated from our society, ropes will be used to strangle (again, look at prison). There's no end to violence, the best we can hope to do is recognize what causes humans to become killers, and fix it.

The most obvious period, is during childhood. There's a recurring pattern of these school shootings where the kids doing the shooting were "outcasts" in their school, or were ridiculed, or bullied. Those are by no means reasons for murder, not even for retaliation! But, those killers should stand out to school counselors as people who need extra concern (not pills, actual human care), and stand out to the students as people who need their compassion. We're a society who wants to do away with moral and personal responsibility, when what we should be doing is recognizing that a successful society will care for each other.

Conclusion
In conclusion, I feel that the true control needed in our society, is that of controlling ourselves. Guns are regulated enough, we need to turn ourselves now to the people next to us in society, that man on the bus who's always looking sad, that driver who just cut you off, the quiet kid in your class that you all think is just a bit odd. Take it upon yourself to say hi, or not flick off the driver, or ask him to sit with you at lunch. Not because this may prevent a shooting, or a suicide, or an incident of road rage, just because they're humans too, and we all know the dark places a human mind can go to when depressed. I guarantee you, if we spent as much time and focus on helping those next to us in society (I don't mean hand outs, socialized health care, or any of that, I mean honest to goodness one citizen helping another kindness) then violence will go down in a way we'll never know through straight gun control.


Lower Assembly Done

Post by: on September 21st, 2008 | Filed Under Digital Rights, Gun smithing, Interests, Security

As I mentioned before, I'm putting together an AR-15, and my next few posts will be the story of how it's been put together. I'm also using this project to test out Picasa, so I'll use that to post my images (just as soon as it finishes scanning a few of my automated rip folders, such as icanhascheezburger, forgot I had all them!)

Before I begin, I'd like to link to a schematic which can be found here. This way when I mention random parts you can find them and play along!

This first post is about the lower assembly, which is the buttstock, lower receiver (has the hammer, trigger, magazine well, etc). At this point I'd like to note I'm using a great book by Walt Kuleck and Clint McKee, The AR-15 Complete Assembly Guide, it's got nice pictures and very very good detail on how you'll screw stuff up if you don't listen. Well worth the $17!

Parts

Lower Receiver
I bought a DPMS stripped lower receiver from a local gun enthusiast, which cost $158.73 after taxes, cable lock fee, etc. On the AR, this stripped lower receiver, meaning it is just the frame, no trigger, hammer, nothing on it, counts on its own as an assault rifle, because it has the serial number on it. So I walked out of there with a piece of metal in a locked dry box with a cable lock through the mag well, to make it 'safe' to transport.

Lower Receiver Bits
I'm not too particular about my trigger yet, so I also picked up a DPMS Lower Receiver Parts Kit for $56.99 (Don't buy anything direct from DPMS by the way, you can always find it cheaper). Some may ask why I didn't just buy a completed lower receiver, but I wanted to understand how everything works, and say I built every inch of this gun.

Buttstock
All that was left was the stock, and I snagged a Command Arms 6-position stock assembly, for $92.99. It's a very nice stock, and I am quite happy with the sturdiness of it, as well as the function. It has rails on the right side, and a 4 battery storage area on the left side (can be swapped for more rails) which is more functionality than I'll need for a while. Went on in about 5 minutes, including forgetting to put a detent in, and having to redo it.

Assembly
The assembly was easier than I expected in terms of simplicity (piece X goes in slot Y), but harder in terms of executing it (piece X really does not want to go into slot Y, and X's spring is fighting me too). It took about two hours, including redoing a few steps to make sure it was right, flinging detents all over the room as I learned why they say to do something one way, and searching my house for various tools I thought I already had.

The trigger guard's been the hardest part so far, since its roll pin just did not want to go in, and required a "motivator". After that went in, I put in the magazine catch, so I could mount the gun on a handy little bench I have, and then moved on to the trigger and disconnector. Somewhere in there the bolt catch went in, and that's where I stopped last night. This morning I got up and put in the hammer, safety, pistol grip, and buttstock. It was very straightforward, but like I said above, there are a few places where you really should get a tool to do the job for ya, like the front take-down pin. Otherwise you're gonna shoot the spring all over the room, and don't even think about finding the darn detent afterwards!

So now I've gotta go order all the upper parts, a receiver, bolt/bolt carrier, barrel, and some hand guards. I'll be getting a scope eventually, but may pick up flip up sights due to cost for this first build, not sure. I have pictures of the whole process, if you know how to get a hold of me in real life I'll pass on the URL.


194.110.162.23

Post by: on March 26th, 2008 | Filed Under Hacking, Security, Stupidity

At some point in the recent past my site was compromised by WordPress.net.in spam. I don't know exactly when the back door was put in place since I haven't been very active on this site, though I do know that on March 20th 194.110.162.23 hit default-filters.php and uploaded the malicious code to inject spam into the footer of my pages. Unfortunately the attack is for a different version of WordPress so rather than infect me with ads, it just screwed things up royally. Maybe that's a good thing as I noticed it.

A great write up of how to clean this mess up can be found here.

To sum it up:

  • Remove wp-includes/class-mail.php, it's fake.
  • Take out the lines hooking into the footer in wp-includes/default-filters.php
  • Remove the line from the top of wp-includes/default-filters.php that accepts a file given a random GET variable.

The takeaway lesson here is: Even if you're not actively publishing on your blog, you better make sure your software is up to date. I've been busy with other stuff and neglected mine, unfortunately.

EDIT: I've done some poking. 194.110.162.23 is out of "Extended Host" in New York City. I'll refrain from scanning it, though I am darn tempted to see what back doors were opened on that box. As it is, I'll just email the host and inform them of the troubles.
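The three cleanup steps listed above can be turned into a read-only check of a WordPress tree. This is an added example, not code from the original post or the linked write-up; the regular expressions and the sample file contents are constructed assumptions, and any footer hook it reports should be compared against a pristine copy of the same WordPress release before removal.

```python
import re
from pathlib import Path

# Assumption: default-filters.php only registers hooks, so any request
# superglobal appearing in it deserves a look.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|FILES|COOKIE)\b")
# Hook registrations that target the footer; verify against a pristine copy.
FOOTER_HOOK = re.compile(r"add_(action|filter)\s*\(\s*['\"]wp_footer['\"]")


def scan_wp_includes(wp_root):
    """Return (indicator, path, line_no, text) tuples for one WordPress tree."""
    findings = []
    includes = Path(wp_root) / "wp-includes"

    # Step 1 of the post: class-mail.php is described as a fake file.
    fake = includes / "class-mail.php"
    if fake.is_file():
        findings.append(("fake-file", str(fake), 0, ""))

    filters = includes / "default-filters.php"
    if not filters.is_file():
        findings.append(("missing-core-file", str(filters), 0, ""))
        return findings

    # Steps 2 and 3: footer hooks and a line that takes input from the request.
    text = filters.read_text(encoding="utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), start=1):
        if REQUEST_INPUT.search(line):
            findings.append(("request-input", str(filters), no, line.strip()))
        if FOOTER_HOOK.search(line):
            findings.append(("footer-hook", str(filters), no, line.strip()))
    return findings


# Constructed sample contents. The "infected" lines are inert stand-ins that
# only have the shape the post describes; they are not the real injected code.
CLEAN_FILTERS = """<?php
add_filter('the_title', 'wptexturize');
add_action('wp_head', 'rsd_link');
"""
INFECTED_FILTERS = """<?php
if (isset($_GET['constructed_param'])) { /* placeholder for injected loader */ }
add_filter('the_title', 'wptexturize');
add_action('wp_footer', 'constructed_spam_footer');
"""


def build_sample_tree(root, infected):
    """Create a minimal wp-includes directory under root for the demo."""
    includes = Path(root) / "wp-includes"
    includes.mkdir(parents=True)
    body = INFECTED_FILTERS if infected else CLEAN_FILTERS
    (includes / "default-filters.php").write_text(body, encoding="utf-8")
    if infected:
        (includes / "class-mail.php").write_text("<?php /* constructed */\n")
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path, no, text in scan_wp_includes(build_sample_tree(tmp, True)):
            print(f"{kind:14} {path}:{no} {text}")
```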


Bluetooth Device Lookup

Post by: on November 22nd, 2007 | Filed Under Bluetooth, Linux, Perl, Programming, Security

Happy Thanksgiving! I'm spending the break catching back up on the state of Bluetooth security because, hey, I love the subject. Everyone has a phone with Bluetooth, just about, and many overlook it as a security hole because they feel there's nothing insidious that can be done with just replacing wires with some radio broadcasts. I'll give a quick rundown on how to get Bluetooth working under Linux, then the software I use, and finally give a tool I wrote watching the Dallas Game to speed up identification of Bluetooth devices.


iHack – The Beginning

Post by: on November 6th, 2007 | Filed Under Hacking, iPod, Security

A friend of mine passed on his used 60GB video iPod to me, which was very much appreciated as my old Sony MD-Walkman still works (God bless duct tape), but is hindered by all kinds of nasty DRM. Nasty enough that I have been unable to even change any songs on there in the past three years as I lost the software. Nasty enough that nobody has bothered to reverse engineer it because even with documentation it's a bear. So I had been planning on getting something, and this was quite a nice graduation present. I immediately replaced the firmware with something a bit more "free", Rockbox, and named her 'Katana'. Now I've got a nice flat file browser that lets me drop in almost any type of file I want. This doesn't stop at music and videos, I can also read text files, view pictures, etc. Naturally, that's not enough for me *wicked grin*. Read on to see some fun hacks that can be had with your iPod.


Mastercard Promotes Credit Theft

Post by: on July 8th, 2007 | Filed Under Annoyances, Real Life Rights, Security

I saw a commercial on TV the other day that made me laugh. I'm sure normal people see this commercial as a sign of how advanced our technology is, and how convenient modern life is, but all I see is theft.

Here's the video

Watch that through, then think about this. Elephants can't obtain credit cards, so that must have been the trainer's card. Not one clerk ever thought to get a signature for their sales. The elephant spent $40 without ever having an ID checked or even needing to know a PIN.

To quote Mastercard's offer: "Signature is not required for purchases under $25 at participating locations. PIN may be required for debit transactions," so this would be fairly limited in the US, aside from doing a bunch of small purchases stealing groceries or small items.

But this card is valid in the United States, Canada, the United Kingdom, Japan, Korea, Thailand, Turkey, Lebanon, Malaysia, Australia, Taiwan, the Philippines, and South Africa. Some of those places are hardly known for being safe to not have your credit cards stolen, and I'm sure shop keepers would be fairly lax regarding getting signatures for large purchases.

Anyways, I just found it really funny that Mastercard touts this great new service, when in reality it's showing how easy it is to use their service to steal!


Plaintext Passwords… Again!

Post by: on May 25th, 2007 | Filed Under Hacking, Perl, Security

If you follow my blog, and sadly most of my readers have stopped checking, you'll remember the security hole I found on a major website around Valentine's Day. You should also remember I had a very good experience with the developers there, in terms of their competence and politeness.

Well, I just tried to log in to that site on an account I haven't used in... well.. a long time, let's leave it at that. Sadly, I'd forgotten my password, and they do a very smart thing in limiting how many failed logins one can have before resetting the password, forcing me to reset my password. Up to this point, everything is working as it should, removing the possibility of brute force attacks with only limited user annoyance every few months.

Then I noticed that... uh-oh... the reset page wasn't SSL. I thought "Oh, don't worry, I'll bet it's posted to an SSL domain," but grepping the source proved otherwise. Bugged, I decided to sniff my traffic and see what was happening, and sure enough, my password flew by in plaintext. This time it wasn't anything as stupid as a "Mother's Maiden Name" type question that also requires a little social engineering, this is MY PASSWORD, and MY USERNAME flying by.

Here's a look at a sanitized version of the information in the packet that gives it all away.

Content-Type:application/x-www-form-urlencoded
Content-Length:102
submitok=1
cc=ff6cda68ba7b4c
tt=1180114618
email=****@****.***
newpass1=PLAINTEXT
newpass2=PLAINTEXT

The Impact:
If I have to be sniffing the traffic in order to catch the password, this isn't as effective as, say, just phishing for the credentials, but this attack doesn't require any human stupidity.

However, this again is a very effective attack for large networks. ARP Poisoning is fairly trivial in this day and age, so even on a switched network one can grab these credentials. On a large network such as a dormitory, or campus this attack will work on as many people as are connected to the router you have access to. Worse, combine this with a botnet or other malware on a victim's machine, and it'll work on everyone who logs on to the site on an infected computer.

Another fun trick, as identified by the researchers at Indiana University, is subverting routers. If one subverts a router to modify the firmware, such an attack could easily be set up to happen on all traffic passing through the router, eliminating the need for ARP Poisoning. However, this requires an insecure router to start with, and the target would be a much smaller number.

The Attack:
I'll talk through an attack from a dormitory, as that's the first I thought of. Once you're set up with your ARP Poisoning, it's time to get users to reset their password. Get a large list of email addresses from your school (this is very, very easy to script, you should be able to get tons of addresses). Now, you can either exploit the password reset security feature, or simply hit the reset.php page with each email address. Once you've reset the password, sit and sniff the network for any packets going to the page that actually does the resetting. Save all those packets, and you have all the information you need to compromise the accounts of everyone in your dorm!

I happen to know (whipped up a script to prove it) that this can quite easily be done in Perl where you never have to do anything, just sit and watch the logins go by.

The Payoff:
Once you have all the logins, you can either be very malicious and overt, or very subtle and clever. One might immediately hit the account page to change the password to something to lock out the legitimate user, or maybe even delete the account. Or, to be clever, throw all the logins into a database for later exploitation. It'd be smarter to do the second, because then the attack will go unnoticed for a while.

My Actions:
As usual, I'm accompanying this post with an email to the development squad of that website. I'm not releasing the name of the site, will delete any comments that say what site it is, and won't make my exploit code available anywhere. I will speak for the quality of the site's developers, from my last dealings with them, and know this will be fixed before any real attacks can be launched.


Fun had with Printers – In Depth

Post by: on March 10th, 2007 | Filed Under Hacking, Interests, Security

I'm in a bad way right now. Personal issues just about every week have made this semester the semester from Hell. Well, today was the worst, I've almost snapped from stress, depression, lots of stuff. Not meaning for this to be emo, just want to set up what goes into these posts more. Anyways I went running tonight. Car's messed up, needed to get out so I just lit out runnin. Ended up (so far, nowhere near done) at the school library, wanting to do some hacking. A lot of my hacking is done when I'm trying to clear my mind of larger issues, which is how I get issues so bottled up inside that I can snap. This is a problem, but tonight, I just need an escape. So I *just* hit publish on a semi-decent write up of fun I've had with printers, I want to show you some more in depth.

I'd like to start with saying I'm not doing this to be malicious... I'm just curious about these printers. Nothing I do will be aimed at hurting the printer in any way, nor the school network. I'm not doing anything here because I'm bitter or have pent up stress, I need an escape, and here's a great way to spend 30 minutes off in a wonderful world of binary choices where everything works out right. Without further ado: a look at my school's printers.


Fun Had With Networks – Shared Printers

Post by: on March 9th, 2007 | Filed Under Interests, Productivity, Security

So, if you've never read this blog before, quick fact: I have issues with my school's networks. I've been kicked off them before for "SSH brute forcing" a server set up to BE brute forced. I've been denied various requests for accounts being transferred to me due to being a student and the administration not thinking I need said account. I've had money paid to other people with almost my same name because the administration was too lazy to use my email address.... or something, still not sure how that happened. Moral of the story, there's a lot of annoyances I deal with regarding this network, though it's probably mainly my fault for being the way I am.

Now, for the lighter side of things, fun times that can be had with large networks of computers.
