Evil Eval()

Post by: on June 4th, 2009 | Filed Under Annoyances, Cryptography, Linux, Stupidity

I just threw the new theme on my website and was poking around making tweaks this afternoon. I wanted slightly different colors, wanted to make the picture look cooler, maybe edit the footer to change the whole "Made by" to me, and give credit for being based on the theme I based it on. However, upon opening the footer.php, I found a very weird comment:

 
/* V8 - WARNING: This file is protected by copyright law.
To reverse engineer or decode this file is strictly prohibited. */
 

Well that's weird, because in the style.css we read:

/*The CSS, XHTML and design is released under GPL*/

(Side note, if you don't know what we mean by GPL, check out their site.)

No, they don't say PHP in there, however I read that (because 'design' is included) as "This theme is GPL'd". Poking around their website, I see no mention that you're required to keep any part of the theme the same.

If we read past the warning about reverse engineering, we see why they included it, a nasty big base64 encoded blob, then an eval command. Pastebin paste is here.

This piqued my interest, as I can think of very few legitimate reasons to do such obfuscation, or why there should be so much (footer.php is 47kb!). My initial thought was that I'd opened a backdoor into my site, with lesser thoughts to them being able to push random stuff into my footer (the last way I was infected), and finally just trying to control the links on the bottom of the page so that even if I were to edit their theme (as is my right under the GPL) I couldn't take credit for it myself, they'd always have credit for it. None of those sat right with me, so I hit up the local IRC channel, and we started puzzling.

Read More »

Comments (5 responses so far)
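The wrapper described in the Evil Eval() post can be peeled apart statically, so the payload is read rather than run. This is an added example, not code from the post or the theme: the sample input is constructed, and handling `gzinflate` and a blob held in a variable goes beyond the single base64 layer the post mentions.

```python
import base64
import binascii
import re
import zlib

# PHP decoders commonly stacked inside eval(), mapped to Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
}

# eval( <decoder>( ... ( 'literal' | $variable ) ... ) )
WRAPPED = re.compile(
    r"""eval\s*\(\s*
        (?P<calls>(?:(?:base64_decode|gzinflate)\s*\(\s*)+)
        (?:(?P<q>['"])(?P<blob>[^'"]*)(?P=q)|\$(?P<var>\w+))""",
    re.VERBOSE | re.IGNORECASE,
)


def unwrap(source, max_layers=10):
    """Return the decoded layers, outermost first, without running any PHP."""
    layers, text = [], source
    for _ in range(max_layers):
        m = WRAPPED.search(text)
        if not m:
            break
        blob = m.group("blob")
        if blob is None:  # argument is a variable: find its string assignment
            assign = re.search(
                r"\$" + re.escape(m.group("var")) + r"\s*=\s*(['\"])([^'\"]*)\1", text)
            if not assign:
                break
            blob = assign.group(2)
        data = blob.encode("utf-8")
        names = re.findall(r"\w+", m.group("calls").lower())
        try:
            for name in reversed(names):  # innermost call runs first
                data = DECODERS[name](data)
        except (binascii.Error, zlib.error):
            break  # not a clean encoding; leave the rest for manual review
        text = data.decode("utf-8", "replace")
        layers.append(text)
    return layers


def build_footer_sample():
    """Constructed footer.php-like input: two layers around a harmless echo."""
    inner = "echo '<a href=\"http://example.invalid/\">Theme credit</a>';"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflater.compress(inner.encode()) + deflater.flush()
    mid = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(packed).decode()
    outer = "<?php /* constructed sample */ $o = '%s'; eval(base64_decode($o)); ?>" % (
        base64.b64encode(mid.encode()).decode())
    return outer, inner


if __name__ == "__main__":
    sample, _ = build_footer_sample()
    for depth, layer in enumerate(unwrap(sample), 1):
        print("layer %d: %s" % (depth, layer[:70]))
```
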

Backmasking Icons

Post by: on December 30th, 2008 | Filed Under Stupidity

Everyone knows that if you play certain Beatles' records backwards you can uncover the conspiracy that Paul McCartney died and was replaced. There are other albums, especially metal albums, that make use of this technique, called Backmasking. In it a sound is placed into the music that means nothing played forwards, but played backwards it's intelligible.

In order to find Backmasking, one must either already know to look for it, randomly play everything backwards, or hear something that sounds interesting and essentially just stumble upon it.

In regards to stumbling across almost subliminal messages, I just found a funny one. I use the Famfamfam Silk icon pack a lot. I mean a LOT. Just about any website I set up will use at least a few of them because they're so clean and, well, free! (And since I'm plugging him, I'll point out that these are licensed under the CC Attribution 2.5 license, so if you end up using them, make sure to attribute!)

Browsing through the big ol' image of all icons I came across this:

(Don't) Drink and drive!

I've browsed through here many times before, but this time I read that as "drink and drive", and then I just couldn't help but notice the hidden commands.

1) Get a drink.
2) Empty drink.
3) Drive! (and you'll notice later on there's drive_error, and drive_burn... as such I highly do NOT recommend actual drinking and driving).

Hope you get a chuckle out of it as well.

(DISCLAIMER: Neither I, nor Mark James/Famfamfam, would ever encourage any form of dangerous or illegal behavior. Do not drink and drive... period)

Comments (No responses yet)

I Failed a Turing Test!

Post by: on October 24th, 2008 | Filed Under Annoyances, Security, Stupidity

Ok, the title lies, but I'm cleaning up my desktop, and came across a screenshot from a few days ago. It is a CAPTCHA that I, for the life of me, could only make sense of as: Six E Pi Pi. So, in this case it worked, right? The human figured out what the letters should be, except as clearly as those are Pi's, Pi is not a letter on my keyboard. I figured I should get a screenshot to show where CAPTCHAs are going:

Sadly, CAPTCHAs are a technology we need to combat spam, which accounts for at least 80% of email today, not to mention message boards, instant messages, or text-messages. However, we're merely engaged in a technology arms race with spammers, this is *not* a technology that is winning any fights, we just try to stay one step ahead. This is increasingly hard with CAPTCHA entry being a job in countries with lower incomes, spammers cheating by offering porn in return for solving a CAPTCHA, and (in a case that doesn't just apply to humans) CAPTCHA breaking drives AI research. Basically, no 'new' CAPTCHA technology is going to keep spammers out for long. A bleak future indeed. On the other hand, we already have 80%, how much worse can it get? I think the real answer lies in spam filters, although for the most part those are also in a mere arms race, but at least then you can control your own computer, not just leave the image out there for another human to crack.

Comments (No responses yet)

Gun Control and Music|Software Piracy

Post by: on September 25th, 2008 | Filed Under Interests, Real Life Rights, Security, Stupidity

Tragically, there was another school shooting at the beginning of this week. This one was in Finland, and their second in 12 months which left 10 dead, 11 including the shooter. We can expect the cry for more gun control, both domestically, and in Finland, so I pulled out a post I've been saving due to not having time to finish it.

Finland

First I want to address the Finland shooting. Finland is third in the world in terms of gun ownership per capita, behind the US, and Yemen. This is because hunting is huge in Finnish culture, as one person puts it, "the national sport". And yet more people are killed by knives than guns (according to that article). The youth are raised around weapons, they can legally own a firearm at 15 with parental permission, and for handguns they must be a member of a gun club. Yet until 12 months ago, they'd never had a tragedy like this.

The conclusion we should be able to come to, is it's not the gun's fault, it's the human's. You have a person capable of cold-blooded, calculated murder, and no amount of laws will stop them from carrying out what they want to do. It requires human intervention: Parents who care, friends who realize when someone's hurting inside, kids that are strong enough in their self-image that they can get through school without bullying. As many are so fond of criticizing the War on Terror, it's more than just people with guns, it's a social problem that requires compassion, and understanding. However, if those fail, you had better be prepared to fight for what you love, because when a person reaches the utter mental darkness these killers were in, there's going to be no reasoning.

It's worth pointing out that in this most recent case the killer had homemade bombs with him, as did the Columbine shooters, if they had no access to guns, they would have still been able to kill.

But that brings us to Gun Control.

Gun Control

Gun Control: At its heart, the idea is fairly basic, to control the guns that are in public circulation so that bad people can't get them. While I know people who would argue against any limitation on weapons, I think most will agree that there are people out there who shouldn't own firearms, just like there are people who shouldn't be able to drive, people who shouldn't be allowed to practice law, and people who shouldn't be allowed to practice medicine. One obvious answer here is felons, if you're convicted of a violent crime, you forfeit your right to bear arms.

Unfortunately, in recent years gun 'control' goes way beyond 'control'. Now people want a gun ban in the name of gun control in some places, such as the District of Columbia (recently overturned), and Britain. Yes, this will keep guns out of the hands of law-abiding citizens, unfortunately we have to remember that these guys who shot up their schools were not law-abiding. They committed many acts of cold-blooded murder, and no gun ban would have prevented that. Now, it would have made it harder to get the gun, but as we can see from Britain, it would by no means have stopped them from getting guns. There violence went up once private citizens lost the right to bear handguns. I've heard first hand accounts from friends that if they ever did something wrong, and the bobbies wanted to stop them, they'd simply run, since the worst they had to face is a night stick, and they could out run the cops.

Piracy

Now, I'm going to play to my (intended) audience for a while. You know I'm not just some crazy gun nut, I also fancy myself a (white hat) hacker, and know most of the arguments for and against music|software piracy. What does that have to do with gun control? Let's examine DRM, or "music piracy control". DRM is a system whereby a company can have "absolute" control over their intellectual property, in this case let's say music. If I went to any hacker, and said that Congress passed a law requiring DRM on every digital music download, to prevent piracy, do you think they'd be put out at all? No, they'd laugh, and explain how in 3 minutes or less they'd be able to bypass the DRM (I'll refrain from linking to those news stories... I value my freedom). I know, I know, this is completely unrelated! Or is it?

In both cases we have an arbitrary control system, X, designed to stop the user from doing Y. In the case of gun control, X is "legal ramifications" and Y is "buying guns", and in the case of DRM, X is "DRM", and Y is "copying the music". In both cases it is the honest people that suffer here from a lack of freedom and security. In the case of guns it's physical security and the freedom to defend yourself, and in the case of DRM it's the lack of freedom to use what you've bought and the security that if your computer dies you can have a backup. So why is it that one of these is a perfectly smart move, and the other will never work?

As a security professional I know that there's no such thing as a secure system, I don't believe that for a computer with limited physical access and a decent firewall. So why would I believe that any country, or even any city, could pull off a complete gun ban, eliminating the ability for criminals to get their hands on them? Now, in the case of my computer, I plan for Bad Things to happen. I keep backups, I make sure there's spare hardware around just in case, and I look at my security logs to make sure. But how do we plan for Bad Things to happen when the gun ban falls through? Should we sit around, and pray the cops come quicker than the 5 minute average? I've had my car trashed before, had two friends of the criminal take their time, and walk away right past the cops who took 10 minutes to get to my call. Do I have faith that they'll be that much quicker when I call and say someone's held me up at gun point? Or that someone's broken in and has a gun? Of course not! I'm not saying citizens should take the law into their own hands, just be given a chance to defend themselves until the cops can show up.

Deal with the Problem
For the sake of the argument, I'll say we have a completely 100% secure gun ban in effect in America. This won't stop violence, as Britain has shown us, there must be another cause. In the end, crime is a human (not social, humans created society, therefore it's a human problem at its root) problem, and will be around as long as humanity is. What we, as a society and a race, need to do is recognize those human problems, and combat them, not the weapons used. When guns are banned, knives will be used. When knives are banned, shanks will be made (look at prison), when all sharp objects are eliminated from our society, ropes will be used to strangle (again, look at prison). There's no end to violence, the best we can hope to do is recognize what causes humans to become killers, and fix it.

The most obvious period, is during childhood. There's a recurring pattern of these school shootings where the kids doing the shooting were "outcasts" in their school, or were ridiculed, or bullied. Those are by no means reasons for murder, not even for retaliation! But, those killers should stand out to school counselors as people who need extra concern (not pills, actual human care), and stand out to the students as people who need their compassion. We're a society who wants to do away with moral and personal responsibility, when what we should be doing is recognizing that a successful society will care for each other.

Conclusion
In conclusion, I feel that the true control needed in our society, is that of controlling ourselves. Guns are regulated enough, we need to turn ourselves now to the people next to us in society, that man on the bus who's always looking sad, that driver who just cut you off, the quiet kid in your class that you all think is just a bit odd. Take it upon yourself to say hi, or not flick off the driver, or ask him to sit with you at lunch. Not because this may prevent a shooting, or a suicide, or an incident of road rage, just because they're humans too, and we all know the dark places a human mind can go to when depressed. I guarantee you, if we spent as much time and focus on helping those next to us in society (I don't mean hand outs, socialized health care, or any of that, I mean honest to goodness one citizen helping another kindness) then violence will go down in a way we'll never know through straight gun control.

Comments (One response so far)

Has it really been a year?

Post by: on April 16th, 2008 | Filed Under Poetry, Stupidity

A year ago today the Virginia Tech shootings occurred. As I mentioned a year ago, it somewhat surprises me at the sadness today has evoked in me, considering I was hundreds of miles away that day, and still am. It didn't seem like it was a year already, but I was reminded this morning when I turned on the TV to see an image that's been stuck in my mind ever since. I poked around on the Virginia Tech Memorial site, but couldn't find it for some odd reason, which is a shame because I think that image captures the moment perfectly.

bugler

The morning news had that Bugler image up this morning, and immediately the first two lines of the following poem popped into my head:

Blow, Bugler, Blow

Blow, Bugler, blow, let all hear you play,
The hope of our nation's enshrined in your lay.
The notes flow like tears poured out from your horn,
Splashing our souls and hearts, broken and torn.
Floating past candles held high in the sky,
Twinkling like stars who whisper "Good-bye."
Tonight there'll be pain, and tomorrow the same,
But during it all, we stand and proclaim:
"We are Hokies, America, as strong as they come,
From the siblings who visit to the oldest alum,
We know our potential, what we can become,
We'll always fight on, we'll never succumb!"
So blow, bugler, blow, let all hear you play,
The hope of our nation's enshrined in your lay.

ADMIN EDIT: Missed a line in there, had to add it.

Comments (No responses yet)

Fitna, the failure

Post by: on March 30th, 2008 | Filed Under Annoyances, Arabic, Digital Rights, Real Life Rights, Stupidity

This past week saw the release of Geert Wilders' "Fitna". I'd like to quickly say this post is not endorsing that film, the author of it, or any specific religion. I hope, instead, to point out what the film has actually accomplished, and look at the issues surrounding it. I'd also like to point out that I fully support all basic human rights, including those of Freedom of Speech and Religion. I won't be giving a link to the video as I don't support it. In addition, those viewing it might be disturbed by a few scenes (beheadings, hangings, close range gun shots) and I don't want my site affiliated with any of that. Read below the cut to see my analysis.

Read More »

Comments (No responses yet)

194.110.162.23

Post by: on March 26th, 2008 | Filed Under Hacking, Security, Stupidity

At some point in the recent past my site was compromised by WordPress.net.in spam. I don't know exactly when the back door was put in place since I haven't been very active on this site, though I do know that on March 20th 194.110.162.23 hit default-filters.php and uploaded the malicious code to inject spam into the footer of my pages. Unfortunately the attack is for a different version of WordPress so rather than infect me with ads, it just screwed things up royally. Maybe that's a good thing as I noticed it.

A great write up of how to clean this mess up can be found here.

To sum it up:

  • Remove wp-includes/class-mail.php, it's fake.
  • Take out the lines hooking into the footer in wp-includes/default-filters.php.
  • Remove the line from the top of wp-includes/default-filters.php that accepts a file given a random GET variable.

The take away lesson here is: Even if you're not actively publishing on your blog, you better make sure your software is up to date. I've been busy with other stuff and neglected mine, unfortunately.

EDIT: I've done some poking. 194.110.162.23 is out of "Extended Host" in New York City. I'll refrain from scanning it, though I am darn tempted to see what back doors were opened on that box. As it is, I'll just email the host and inform them of the troubles.

Comments (No responses yet)
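The three cleanup items in the 194.110.162.23 post can be checked mechanically by comparing the install against an unmodified copy of the same WordPress release. This is an added example, not taken from the post or the linked write-up: the `wp_footer` hook name, the function names and the sample trees are assumptions constructed for illustration.

```python
import difflib
import os
import re
import tempfile

REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|FILES|COOKIE)\b")
FOOTER_HOOK = re.compile(r"add_(action|filter)\s*\(\s*['\"]wp_footer['\"]")
MAIL = "wp-includes/class-mail.php"
FILTERS = "wp-includes/default-filters.php"


def read_lines(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\r\n") for line in fh]


def audit(installed_root, clean_root):
    """Return (path, line_no, reason) findings; line_no 0 means the whole file."""
    findings = []
    if os.path.exists(os.path.join(installed_root, MAIL)) and not os.path.exists(
            os.path.join(clean_root, MAIL)):
        findings.append((MAIL, 0, "file absent from the clean release"))
    installed = read_lines(os.path.join(installed_root, FILTERS))
    clean = read_lines(os.path.join(clean_root, FILTERS))
    matcher = difflib.SequenceMatcher(None, clean, installed, autojunk=False)
    for tag, _, _, j1, j2 in matcher.get_opcodes():
        if tag not in ("insert", "replace"):
            continue  # only lines that exist in the install but not in the release
        for idx in range(j1, j2):
            line = installed[idx]
            if not line.strip():
                continue
            if REQUEST_INPUT.search(line):
                reason = "added line reads request input"
            elif FOOTER_HOOK.search(line):
                reason = "added footer hook"
            else:
                reason = "added line, not in clean release"
            findings.append((FILTERS, idx + 1, reason))
    return findings


def build_tree_sample(base):
    """Write constructed clean/installed trees under base; contents are illustrative."""
    core = ["<?php", "add_filter('the_title', 'wptexturize');",
            "add_filter('the_content', 'wpautop');"]
    tampered = [core[0], "if (isset($_GET['constructed_param'])) { /* body omitted */ }",
                core[1], core[2], "add_action('wp_footer', 'constructed_callback');"]
    for name, lines in (("clean", core), ("installed", tampered)):
        inc = os.path.join(base, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "default-filters.php"), "w") as fh:
            fh.write("\n".join(lines) + "\n")
    with open(os.path.join(base, "installed", MAIL), "w") as fh:
        fh.write("<?php /* constructed placeholder */\n")
    return os.path.join(base, "installed"), os.path.join(base, "clean")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for path, line_no, reason in audit(*build_tree_sample(base)):
            print("%s:%d: %s" % (path, line_no, reason))
```
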

Can’t tell me nothin’… Wanna bet?

Post by: on September 11th, 2007 | Filed Under Annoyances, Stupidity

Note: This post somewhat breaks my "No politics" rule. If you don't want to hear it, don't read it. If you have an opinion, leave a comment. I'm about freedom of speech and if you want to say "You suck" or "Amen to that" you can feel free to email me at snarky(at)thesnarky.com just please don't leave that as a comment since I want comments to go somewhere discussion wise. Oh, and Kanye if you read this, please drop me a line.
Read More »

Comments (2 responses so far)

Great Deal on Dell Printer Ink

Post by: on August 23rd, 2007 | Filed Under Annoyances, Dell, Stupidity

Man, I just got an amazing deal on some printer ink for my nice Dell A920 All-in-one printer! I was going to have to buy the ink off dell.com at $31 for the color, and $28 for the black and white cartridges. Quite steep paying $60 just to print, huh? I can't just get them locally because Dell only sells their ink on their website. Then I walked into Walmart trying to find some power strips. Right next to the door they had the Lexmark X1240 All-in-one printer (link is for its big brother, and the reason it was so cheap). This printer cost only $25, cheaper than even one of Dell's cartridges so I grabbed it.

The irony...
The irony is that Dell uses rebranded printers for their own. This means they take the other company's printer, make it look a bit different and only accept Dell ink. More to the point, my "A920" is a Lexmark X1150... basically the little brother of the printer I just bought. Yup, I got my "Dell" ink real cheap this year, and I'll never buy their ink again! Oh, and Lexmark ink is $20 a cartridge, but thanks to some places giving coupons in return for empty ink cartridges and refilling empty cartridges, this becomes much cheaper.
Read More »

Comments (No responses yet)

SVN – It’s the Law

Post by: on July 15th, 2007 | Filed Under Annoyances, Programming, Stupidity

For the past few weeks I've been working for Harkins, specifically for NearbyGamers, to build a Facebook application. Work was going nicely, and this afternoon I finally got close enough to being done to set a release date for myself: Friday afternoon. Now, if that went as planned, would I be writing this post? I left my SSH session open, grabbed some dinner, and sat down to play Chez Geek with a friend. I wandered back about an hour later to find my SSH session hung. This happens often, not sure why, so I thought nothing of it, closed the terminal and logged back in. But when I got to the file I'd been working on, it appeared to hang again. Maybe the file was getting too big to load in a quick manner? 10 seconds later and vi still showed no data. Then, to my horror, I realized it was because the file was empty. A quick ls -al showed the following:

<18:00:53 nearbygamers>$ ls -al
...
-rw-r--r-- 1 snarky pg4xxxx 9548 Jul 15 17:42 facebook.php
-rwxr-xr-x 1 snarky pg4xxxx 23146 Jul 15 17:42 facebookapi_php5_restlib.php
-rw-rw-r-- 1 snarky pg4xxxx 0 Jul 15 17:42 functions.php
drwxrwxr-x 3 snarky pg4xxxx 4096 Jul 15 17:42 images
-rw-rw-r-- 1 snarky pg4xxxx 2154 Jul 15 17:42 index.php
...

The file was zeroed. And it happened, according to the timestamp, just 15 minutes before I got back to my computer. How or why that happened, I have no clue, and this shouldn't really matter except I had no version control. That's right, I once again decided that this project would be over before any catastrophes could happen. Man was I wrong. To say I freaked out would be an understatement, and finally I filed a ticket with my host, Dreamhost, pleading with them for any backups they might have. Literally within a minute I got a response which pointed to a page on their wiki about a wonderful (and secretive) backup system of theirs. After a little digging and a call to Harkins, I was able to pull a file out of thin air. During the time that I had waited before submitting the ticket I set up the SVN repo for this project, it took a whopping 2 minutes to create, move my files, check out in place, and do an initial import of all the other files. All that grief to save 2 minutes, I'll never make that mistake again.

Now, at this point I have to give major kudos to Dreamhost. Not only do they have the system in place to save my butt when it's my fault and they don't owe me any help, but their crack support team was able to get back to me minutes after submitting my ticket, and I'm writing this just about half an hour after I submitted that ticket. I have my file back (minus maybe an hour or two) and my peace of mind to sleep tonight.

I've been a Dreamhost fan for a long time, they've got great servers for the sites I build, very decent uptime, and Shell access that I oh so love. This may just be the last in a series of events that made me love their service, but it is by far the most important, and telling about their service and their customer-oriented mindset in general.

Thanks Dreamhost, you've got a customer as long as you're in service!

Comments (No responses yet)