Droid Incredible - Not Seeing MP3s
Dropped a bunch of MP3s in the existing Music folder in an organization structure similar to the existing one. It's seeing none of the files that I added. If I figure out the issue I'll post the solution. Sending the sound output playing the songs that were there to my car stereo via Bluetooth went seamlessly.
Oh, it was me being stupid. I was using Amarok to copy media to it and adjusting the naming. I failed to put .mp3 on the end of the naming template. I don't think I should have to. After all, what if I'm copying media of different formats?
Droid Incredible
Got a Droid Incredible this morning, upgrading from a first gen iPhone. This thing is sweet. Hopefully it will still be after the honeymoon is over.
Oh yeah, except that the mail app silently errors out when connecting to my mail systems, which have certs signed by my private CA, and it won't let me click through. People on the tubez say it won't do self-signed either. I've imported my CA cert into the browser but that has not affected the mail application. And since I don't know which CAs the mail client trusts I don't know where I can try to get a free/cheap cert for my mail servers.
Studio Diner in Kearny Mesa. Friday night special was Sea Bass. It was excellent.
AssRace: Possible Advantage For A Rogue DHCP Server
One method for MITM attacks is to set up a rogue DHCP server. In this situation you’re in a race with the real DHCP server and you may not always (if ever) win.
I’ve been sitting on an idea for a couple weeks where under certain circumstances you could have a distinct advantage in the race. Specifically when the DHCP client is on WiFi. Before WiFi clients pull DHCP they usually have to associate with the access point which involves an exchange of packets. The idea was that you could have your rogue DHCP server listen for clients associating then immediately start spamming the client with appropriate DHCP replies. In this scenario you may be able to get your reply in before the client has even finished sending the request. The cool thing here is that if the network is encrypted but you’re wired in and the wireless just bridges to the wired network you don’t necessarily need the encryption key. You can see the association in the clear then start sending your DHCP messages on the wired network destined for the new client on the wireless network. Because that MAC address hasn’t been seen yet the switching infrastructure should just unicast flood the message everywhere so it should get to the target.
This morning I realized I'd probably never get around to actually implementing this idea, which is a shame given the snazzy name. I was looking at the RFCs for DHCP and it looks like the client picks an ID number, and if your replies didn't have that ID number then the attack probably wouldn't work. Since you're sending replies before you've seen the request you can't know what the request is. Perhaps if you're on the wireless network and the DHCP server is on the wired network you have a few microseconds of a head start. Perhaps you could guess the ID number the client will use somehow. Perhaps I've misinterpreted the RFC; I didn't read through it closely. All that aside, maybe this will give someone else some workable ideas.
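The ID number in question is the DHCP transaction ID (xid), and the two checks that decide the race from the client's and the switch's side are easy to state in code. The following is an added example, not code from the original post: it assumes the standard BOOTP/DHCP message layout (fixed header with the client-chosen xid, magic cookie, then TLV options 53 and 54), builds a few constructed packets, and shows a client rejecting any offer whose xid does not match its outstanding DISCOVER, plus the server-identifier allow-list a DHCP-snooping switch enforces on the wired side.

```python
"""Vet DHCP offers the way a client (or a DHCP-snooping switch) should.

Added example, not code from the original post. It assumes the standard
BOOTP/DHCP message layout from RFC 2131/2132: a fixed 236-byte header
carrying the client-chosen transaction ID (xid), then the magic cookie and
TLV options (53 = message type, 54 = server identifier). All packets below
are constructed here, not captured traffic.
"""
import struct
from typing import Dict, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_DISCOVER, MSG_OFFER = 1, 2


def build_dhcp(op: int, msg_type: int, xid: int, chaddr: bytes,
               yiaddr: bytes = b"\0" * 4, server_id: Optional[bytes] = None) -> bytes:
    """Assemble a minimal Ethernet/IPv4 DHCP message (used only for sample input)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # htype=1 (Ethernet), hlen=6
    hdr += b"\0" * 4 + yiaddr + b"\0" * 8                    # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 192             # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if server_id is not None:
        opts += bytes([OPT_SERVER_ID, 4]) + server_id
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(packet: bytes) -> Dict:
    """Decode the header fields we need plus the options; ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    chaddr = packet[28:28 + min(hlen, 16)]
    yiaddr = packet[16:20]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr, "options": options}


def vet_offer(offer: Dict, outstanding_xid: int, authorized_servers: Set[str]) -> Optional[str]:
    """Return why the offer should be dropped, or None if it passes both checks.

    The xid check is what RFC 2131 requires of every client and is what
    defeats a reply sent before the DISCOVER was seen; the server-identifier
    check is the allow-list a DHCP-snooping switch enforces for the wired side.
    """
    opts = offer["options"]
    if offer["op"] != BOOTREPLY or opts.get(OPT_MESSAGE_TYPE) != bytes([MSG_OFFER]):
        return "not a DHCPOFFER"
    if offer["xid"] != outstanding_xid:
        return "xid does not match our outstanding DISCOVER"
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return "missing or malformed server identifier"
    sid_str = ".".join(str(b) for b in sid)
    if sid_str not in authorized_servers:
        return f"unauthorized server identifier {sid_str}"
    return None


def demo():
    """Constructed scenario: one legitimate offer, one blind guess at the xid, one rogue."""
    client_mac = bytes.fromhex("001122334455")
    our_xid = 0x3903F326  # chosen by the client; unknown to anyone who has not seen the DISCOVER
    discover = build_dhcp(BOOTREQUEST, MSG_DISCOVER, our_xid, client_mac)
    assert parse_dhcp(discover)["xid"] == our_xid
    authorized = {"192.168.1.1"}  # the real DHCP server, per the snooping allow-list
    offers = [
        build_dhcp(BOOTREPLY, MSG_OFFER, our_xid, client_mac, bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1])),
        build_dhcp(BOOTREPLY, MSG_OFFER, 0x12345678, client_mac, bytes([192, 168, 1, 200]), bytes([192, 168, 1, 254])),
        build_dhcp(BOOTREPLY, MSG_OFFER, our_xid, client_mac, bytes([192, 168, 1, 200]), bytes([192, 168, 1, 254])),
    ]
    return [vet_offer(parse_dhcp(p), our_xid, authorized) for p in offers]


if __name__ == "__main__":
    print(demo())
```

The second offer is the blind, pre-emptive reply the post describes: it arrives with a guessed xid and is discarded before the client even looks at the lease. The third has the right xid but comes from a server identifier that is not on the allow-list, which is the case DHCP snooping on the wired switch exists to catch.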
Gentoo is Dead, Long Live Debian!
A few weeks ago I decommed my old Gentoo home server, which hadn't been patched in around three years. A week or so ago I wiped the drives as best I could, since they were malfunctioning. I installed my new drives this evening: two 80GB and two 500GB SATA drives. They're RAID1 together in pairs. The 80s will hold the OS and home directories; the 500s are all for media. Right now I have everything on another box, with home directories on a VMware host, media on a USB drive attached to the host, and all the services running in guests. I'm looking forward to migrating things back so I can rebuild the host as Debian 64-bit with VirtualBox.
I wrote about this before. Gentoo was great when I was in college and had plenty of time to muck about with things and get it just the way I want it. Having a full-time job I just don’t have the time.
From Stored XSS to DDoS, almost
The backbone of science is sharing your failed experiments so here goes.
I was a little frightened when directed to RFC 2397. Basically it says that included objects that you would reference by a URL can be provided inline in one or more forms. It looks like this:
<img src="data:image/png;base64,alkj2K09….." />
Try it. It's kind of neat-o. The idea I had was that maybe you could provide a Java applet that way. You can already deliver an applet by reference with XSS, but an applet is only supposed to be able to make connections back to the site that it was downloaded from. If you try to connect to anything else, like the target site, it generates a pop-up message that the user has to click through. If I could get the target site to provide the applet it should be able to connect back to the target site without the user being aware.
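The practical consequence for anyone filtering user-supplied markup is that a data: URL is a complete file, type and all, and the declared type is whatever the submitter says it is. The following is an added example, not code from the original post: a parser for the RFC 2397 grammar (data:[<mediatype>][;base64],<data>, with the omitted type defaulting to text/plain;charset=US-ASCII) and a vetting function that only lets inert raster images through and checks the payload's file signature against the declared type. The allow-list, size cap and signatures are this example's own policy choices, and the sample URLs are constructed.

```python
"""Parse RFC 2397 data: URLs and decide whether one belongs in untrusted markup.

Added example, not code from the original post. The grammar is the one the
RFC gives: data:[<mediatype>][;base64],<data>, with an omitted mediatype
meaning text/plain;charset=US-ASCII. The allow-list, size cap and file
signatures are this example's own policy; the sample URLs are constructed
(the PNG payload is a signature plus padding, not a real image).
"""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Policy: only inert raster images may be inlined by untrusted content,
# and the bytes must start with the signature of the type they claim.
SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def parse_data_url(url: str) -> Dict:
    """Split a data: URL into mediatype, parameters and decoded payload bytes."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.strip().lower() != "data":
        raise ValueError("not a data: URL")
    meta, sep, payload = rest.partition(",")
    if not sep:
        raise ValueError("no comma between metadata and payload")
    params = meta.split(";") if meta else []
    is_b64 = bool(params) and params[-1].strip().lower() == "base64"
    if is_b64:
        params = params[:-1]
    if params and "/" in params[0]:
        mediatype, extra = params[0].strip().lower(), params[1:]
    else:
        mediatype, extra = "text/plain", params     # RFC default when the type is omitted
    attrs: Dict[str, str] = {}
    for p in extra:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v
    if mediatype == "text/plain":
        attrs.setdefault("charset", "US-ASCII")
    if is_b64:
        try:
            data = base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 payload: {exc}") from exc
    else:
        data = unquote_to_bytes(payload)             # percent-encoded form
    return {"mediatype": mediatype, "attrs": attrs, "base64": is_b64, "data": data}


def vet_data_url(url: str, max_bytes: int = 64 * 1024) -> Optional[str]:
    """Reason to reject a data: URL found in untrusted markup, or None if it may stay."""
    try:
        info = parse_data_url(url)
    except ValueError as exc:
        return f"malformed: {exc}"
    mt, data = info["mediatype"], info["data"]
    if mt not in SIGNATURES:
        return f"disallowed media type {mt}"
    if len(data) > max_bytes:
        return f"payload too large ({len(data)} bytes)"
    if not data.startswith(SIGNATURES[mt]):
        return f"declared {mt} but payload lacks the {mt} signature"
    return None


def demo() -> List[Optional[str]]:
    """Constructed inputs: a fake PNG, plain text, an inlined jar, a mislabelled PNG, bad base64."""
    png = base64.b64encode(SIGNATURES["image/png"] + b"\0" * 16).decode()
    samples = [
        "data:image/png;base64," + png,
        "data:,Hello%2C%20World!",
        "data:application/java-archive;base64,UEsDBA==",
        "data:image/png;base64,SGVsbG8=",
        "data:image/png;base64,not*valid",
    ]
    return [vet_data_url(u) for u in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third sample is the case the post is about: a jar delivered inline with an application/java-archive type. An allow-list on the declared type stops it, and the signature check stops the obvious dodge of declaring image/png over a payload that is not a PNG.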
The fun idea I had was to write a java applet implementation of the slowloris attack. The really awesome thing if this were possible is that if you find a stored XSS vulnerability in the target site you could get the legitimate users of the site to DDoS it indefinitely. Beyond that, you may be able to make SSH or other authenticated connections back for random password guessing; perhaps the results could be reported back to the attacker via DNS requests. The difficulty (if it worked) is that the target site would have to allow a pretty large stored XSS. If the stored XSS vulnerability is against a TEXT database column you’re fine. If it’s against a VARCHAR(128) and you’re trying to deliver a 1.2KB jar file it’s not going to work.
I could get the applet to work flawlessly at attacking my test web server. It would sometimes even do so without the socket connection sandbox permission dialog popping up. It wouldn't work properly with the inline jar file though. Eventually I tried Firefox+Sun JRE on Windows and it gave me the error message I needed: "unknown protocol: data" or something similar.
Maybe this could still work with Flash or some funky contortions with JNLP. I, however, am done working on it.
Ohh...: Does anyone ever talk about what sort of psychological relief Walmart...
Does anyone ever talk about what sort of psychological relief Walmart brought to the individual in the small town, in terms of alleviating the burden of over-judgmental townies who ran the local Rx, hardware, grocery, etc., by offering purchasing anonymity (I mean socially; not in terms of…
Everything lost is something else gained, and vice versa. Walmart has a lot of detractors and a lot of promoters. I haven’t seen this side of the debate before.
DoSassination Market
From Wikipedia:
An assassination market is a prediction market where any party can place a bet (using anonymous electronic money, and pseudonymous remailers) on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise assassination of individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death. Because the payoff is for knowing the date rather than performing the action of the assassin, it is substantially more difficult to assign criminal liability for the assassination.
What if a site existed with various pools for betting on when the Denial of Service attack against a given site would end? The rules would state that the betting pool site would attempt to retrieve a given site's root page in its entirety. If it succeeded it would make 9 more attempts randomly dispersed over the next five-minute period. If all of those subsequent attempts succeeded the site would be considered "up". If any of them failed, the test would begin again after a random delay of between 5 and 60 minutes.
To win the betting pool, Bob has to add to the pool and he has to guess when the DoS will end. The best way for him to make that guess is to extend the current DoS attack with his own and then end his on the moment of his prediction, hoping that any other ongoing attacks have also ceased. As more people participate in this flash DoS, the betting pool grows, bringing more interest to the “contest” and more people who will try their own DoS to win the pool.
So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
If you have to deal with security in any kind of professional capacity it is worth your time to read the 10.5 pages of text in this paper.
elitehackercontest.meh
Brilliant idea of the day.
I register the domain "elitehackingcontest.org" or some such nonsense. I make sure the website says that the target sites are "realistically simulated Internet sites". I then just pick random sites on the Internet and point target1.elitehackingcontest.org at them.
I then advertise the crap out of it and let hilarity ensue.
Alice In Wonderland
Saw “Alice In Wonderland”. Meh. Glad I didn’t pay to see it in sphincter-puckering IMAX 3D. The casting was good, the acting was good… I just felt that it wasn’t engaging.
Properly Deploying a Private CA Cert in Ubuntu
I think the true strength of the certificate PKI is the ability to set up a CA for your organization and mint your own certs. You get the advantage of proper certificate validation without the cost of paying a third party to validate your identity (snicker).
There are copious sets of instructions on how to create your own CA, but I had a very difficult time finding proper instructions on deploying the cert to clients. Most of them simply say, "post it on your web server, visit it in your browser, then click Trust." That's fine on your computer, but what about a larger organization? Are you going to just tell all your users to do this and expect them to get it done? What about multiple browsers? That kind of solution just doesn't scale.
In my personal environment my clients are Ubuntu Karmic. I've seen some kind of hackish solutions where you put the cert in /etc/ssl/certs then add symlinks, or run c_rehash if you've read some man pages. After searching the Internet and not getting far I finally started digging through /usr/share/doc/ca-certificates and found the README.Debian file. It states that the proper way to install private CA certs is to put them in /usr/local/share/ca-certificates and ensure that the names end in .crt. Once that's done you run update-ca-certificates and the appropriate linking is done for you. With that complete you may need to restart your various clients, but it should be working for your command-line web tools and graphical browsers.
I said visiting a URL in the browser and having users click through dialog boxes was unrealistic. Frankly, it’s cumbersome, but is copying the file out to each machine and running a command any better? Because I run cfengine, absolutely! My additions look something like this:
control:
    AddInstallable = ( ... NewCACert )
    ...

directories:
    /usr/local/share/ca-certificates owner=root group=root mode=0666
    ...

files:
    ...
    $(masterfiles)/CA/cacert.pem
        dest=/usr/local/share/ca-certificates/lub-dub_CA.crt
        mode=0444
        owner=root
        group=root
        inform=true
        encrypt=true
        define=NewCACert
        server=$(policyhost)
    ...

shellcommands:
    ...
    NewCACert::
        "/usr/sbin/update-ca-certificates"
The one wrinkle is that while my desktop systems are Ubuntu, my server systems are Debian Lenny. The Karmic version of ca-certificates is 20090814 while the Lenny version is only 20070303. The update-ca-certificates script in the Lenny version doesn't look in /usr/local/share/ca-certificates, so I've had to add that myself.
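Whether the push went through cfengine or by hand, the thing worth checking afterwards is that the cert satisfies the README.Debian rules and actually ended up in the consolidated bundle, which is exactly where the Lenny version of the script falls short. The following is an added example, not code from the post, cfengine or the ca-certificates package: it checks a candidate file against the directory, .crt-suffix and PEM rules quoted above, tests whether an update-ca-certificates script mentions the local directory at all, and compares the cert against the bundle text. The certificate bodies and script snippets are constructed placeholders.

```python
"""Sanity checks for a private CA cert deployed the Debian ca-certificates way.

Added example, not code from the post, cfengine or the ca-certificates
package. It encodes the README.Debian rules the post quotes (file under
/usr/local/share/ca-certificates, name ending in .crt, PEM format) plus
the two after-the-fact checks the post's Lenny problem calls for: does the
installed update-ca-certificates script look at the local directory at
all, and did the cert land in the consolidated bundle. The certificate
text and script snippets below are constructed placeholders.
"""
import re
from typing import List, Set

LOCAL_CA_DIR = "/usr/local/share/ca-certificates"
BUNDLE_PATH = "/etc/ssl/certs/ca-certificates.crt"   # bundle update-ca-certificates concatenates into
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Placeholder bodies (constructed), standing in for real base64-encoded DER.
FAKE_CA = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItbHViLWR1Yi1DQQ==\n-----END CERTIFICATE-----\n"
FAKE_OTHER = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItc29tZS1wdWJsaWMtQ0E=\n-----END CERTIFICATE-----\n"


def check_ca_file(path: str, content: str) -> List[str]:
    """Reasons update-ca-certificates would ignore this file (empty list = fine)."""
    problems = []
    if not path.startswith(LOCAL_CA_DIR + "/"):
        problems.append(f"not under {LOCAL_CA_DIR}, so it is never scanned")
    if not path.endswith(".crt"):
        problems.append("name must end in .crt (a .pem file in the right directory is skipped)")
    if not PEM_CERT.search(content):
        problems.append("no PEM CERTIFICATE block (DER is not accepted here)")
    return problems


def pem_bodies(text: str) -> Set[str]:
    """Base64 body of every cert in text with whitespace removed, so line wrapping does not matter."""
    return {"".join(m.split()) for m in PEM_CERT.findall(text)}


def bundle_contains(bundle_text: str, cert_pem: str) -> bool:
    """True when every cert in cert_pem is present in the concatenated bundle text."""
    wanted = pem_bodies(cert_pem)
    return bool(wanted) and wanted <= pem_bodies(bundle_text)


def script_scans_local_dir(script_text: str) -> bool:
    """An update-ca-certificates that never mentions the local dir (the post's Lenny case) needs patching."""
    return LOCAL_CA_DIR in script_text


def demo() -> dict:
    """Constructed scenario covering each rule plus the before/after bundle and script checks."""
    good_path = LOCAL_CA_DIR + "/lub-dub_CA.crt"
    bundle_before = FAKE_OTHER                  # bundle content before update-ca-certificates ran
    bundle_after = FAKE_OTHER + FAKE_CA         # what it should contain afterwards
    old_script = "#!/bin/sh\nCERTSDIR=/usr/share/ca-certificates\n"                    # constructed
    new_script = old_script + "LOCALCERTSDIR=/usr/local/share/ca-certificates\n"      # constructed
    return {
        "good": check_ca_file(good_path, FAKE_CA),
        "pem_suffix": check_ca_file(LOCAL_CA_DIR + "/cacert.pem", FAKE_CA),
        "wrong_dir": check_ca_file("/etc/ssl/certs/lub-dub_CA.crt", FAKE_CA),
        "not_pem": check_ca_file(good_path, "0\x82\x03..."),
        "in_bundle_before": bundle_contains(bundle_before, FAKE_CA),
        "in_bundle_after": bundle_contains(bundle_after, FAKE_CA),
        "old_script_scans_local": script_scans_local_dir(old_script),
        "new_script_scans_local": script_scans_local_dir(new_script),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a real host you would feed check_ca_file the path and contents of the file cfengine dropped, script_scans_local_dir the text of /usr/sbin/update-ca-certificates, and bundle_contains the contents of BUNDLE_PATH after the shellcommand has run; a cert that passes the file checks but never shows up in the bundle is the Lenny symptom the post describes.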
The Secret Life of Chaos
If you’re even remotely interested in science or mathematics, set aside an hour to watch this.