Entries for January 2006
Security, Physical and Virtual
You know, just when I was about to write that the new Case Phonebook bot hadn't experienced any hiccups yet, I looked at my buddy list and noticed that it was offline. I just ran the script again and it's back up, so this could just be due to a brief network outage or something.
Anyway, a couple of admittedly uninteresting things happened today that triggered this post.
Today my girlfriend told me that while she was messing around with her grad school app to the Winterthur program at University of Delaware, simply pressing the Back button in her browser let her view the status of other people's applications and various "leftover" information, presumably from other sessions. This is obviously not what is supposed to happen.
The other thing was that I needed to get a pair of shoes from her apartment, but nobody was there to let me in. I actually had to skip all my classes one day last semester because I left my shoes in there! Anyway, this time I took it upon myself to get what I needed. Did you know that you can get into any room or apartment in the Village with just a coat hanger? I opened her door in about 5 seconds and was able to retrieve my shoes. (Don't look at me, this was documented in the Athenian months ago.)
So I wonder, are we any more secure than 5, 10, 50 years ago? I'd like to think that our web applications are more secure. Web applications were so primordial ten years ago that I hope we've learned a lot about web vulnerabilities and web programming since then. But then again, new web development frameworks keep popping up, and security holes with them. Remember when a bunch of Drupal sites were defaced or wiped out last summer? Are our web services even more secure than the pen & paper alternatives they are intended to replace?
As for physical security, I have a hard time believing this has improved much either, although maybe I'm not looking far back enough for this one. These fancy ID card door locks in the Village are clearly less secure than the lock-and-key doors they replaced, which couldn't be defeated by any shmuck with a coat hanger. Likewise, a couple years ago I published a web site that chronicled my adventures of getting into any building on campus after-hours (I was forced to take this down, which was probably for the better).
If even a big university with expensive research labs and sensitive student information can't keep its buildings locked up, I wonder what security measures (both virtual and physical) will look like in the future?
While re-reading this in the morning, I laughed at the thought of physical CAPTCHAs to keep real-life spam-bots out of buildings... man, the future is awesome.
AIM Bot Redux
The phonebook bot is back online, this time at Case Phonebook. The code isn't on Subversion this time and I changed all my passwords, so let's sit back and see what happens...
Being Hacked is Fun
Well, I hope someone is satisfied after hacking the Find Case People bot. Here's what I think happened...
A few days ago I noticed that the bot was mysteriously offline. The bot's log didn't seem to think it was offline, but it was. After trying to log it back on, no luck...
For a while I thought it was being rate limited, or that someone might have warned the hell out of it. But hours later it still couldn't get on. So I used AIM's Lost Password thinger to reveal the password, just in case.
The resulting password was random. I checked to make sure AIM sends you your current password and not a newly generated one. It does. Shit.
Bemused, I explored the possibilities...
- Some bizarre protocol event in the incomplete and patched-together OSCAR library I'm using randomized the password by accident
- Someone cleverly found a way to execute code by talking to the bot
- Someone obtained the code (with plaintext password) from Subversion
- Someone knows my Gmail password and had it sent
- Someone knows my SSH password and obtained the code (with plaintext password)
- Someone happened to browse to exogen.case.edu/now last week and obtained the code (with plaintext password)
- Some other wacky vulnerability
Anyway, I logged in with the new password, changed it to something new, and the bot was back online.
1. Some bizarre protocol event in the incomplete and patched-together OSCAR library I'm using randomized the password by accident
A few days later, the same thing happened again, only this time Lost Password requests weren't being sent to my e-mail address. This ruled out the "random" option, I think, since the e-mail address changed as well.
The fun part, of course, is that now I get to change all my passwords and play detective.
2. Someone cleverly found a way to execute code by talking to the bot
The bot's log showed that no one tried anything suspicious when playing with the bot. This also revealed that no one else signed on as the bot while it was running, since that would have resulted in a message from AOL System Msg.
3. Someone obtained the code (with plaintext password) from Subversion
The Subversion option is completely possible. I'm using a (trusted) friend's Subversion server, and sharing it with another (trusted) friend. So I could have him check some logs if they exist, but I can't do it myself.
4. Someone knows my Gmail password and had it sent
Sadly, Google does not cater to the paranoid among us, so I can't see who else was logging into my Gmail account, if anyone. But that feature would be pretty awesome.
5. Someone knows my SSH password and obtained the code (with plaintext password)
My SSH log shows that only two IPs had accepted logins for the past couple weeks, and they were both mine. That was a relief. Unless they were really sneaky and messed with the logs.
6. Someone happened to browse to exogen.case.edu/now last week and obtained the code (with plaintext password)
My lighttpd log shows that only two IPs had requested anything at exogen.case.edu/now ever, and they were both mine.
So, either Subversion or Gmail or something wacky is to blame. Dear Reader: can you think of any other possible points of security breach?
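The two log checks above (accepted SSH logins, and requests under /now in the lighttpd log), as an added Python example that is not the post's own code: it parses constructed sshd and lighttpd lines, assumes lighttpd's default (common log) format and uses documentation IP ranges as sample addresses, and flags any source IP that is not one of your own.

```python
import re
from collections import Counter

# Constructed sample lines in sshd/syslog format (not real logs from the post).
SSHD_LOG = """\
Jan 14 03:12:07 exogen sshd[2210]: Accepted password for exogen from 192.0.2.10 port 51022 ssh2
Jan 14 03:40:51 exogen sshd[2244]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jan 15 22:05:13 exogen sshd[3101]: Accepted publickey for exogen from 192.0.2.11 port 52110 ssh2
Jan 17 01:17:44 exogen sshd[3890]: Accepted password for exogen from 198.51.100.7 port 40300 ssh2
"""

# Constructed sample lines in lighttpd's default access log format.
HTTP_LOG = """\
192.0.2.10 exogen.case.edu - [14/Jan/2006:03:15:22 -0500] "GET /now/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.11 exogen.case.edu - [15/Jan/2006:22:07:01 -0500] "GET /now/bot.py HTTP/1.1" 200 2733 "-" "Mozilla/5.0"
203.0.113.9 exogen.case.edu - [16/Jan/2006:11:02:09 -0500] "GET /index.html HTTP/1.1" 200 901 "-" "curl/7.15"
"""

# Only successful logins matter here; "Failed password" lines are skipped.
SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")
# client-ip vhost user [timestamp] "METHOD path ..."
HTTP_LINE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) ')

def accepted_ssh_sources(log):
    """Map each source IP to the number of successful sshd logins it produced."""
    counts = Counter()
    for line in log.splitlines():
        m = SSH_ACCEPT.search(line)
        if m:
            counts[m.group(3)] += 1
    return counts

def requesters_of(log, prefix):
    """Map each client IP to how many requests it made under the given URL prefix."""
    counts = Counter()
    for line in log.splitlines():
        m = HTTP_LINE.match(line)
        if m and m.group(3).startswith(prefix):
            counts[m.group(1)] += 1
    return counts

def unexpected(counts, known_ips):
    """Return the source IPs in counts that are not among your own addresses."""
    return sorted(ip for ip in counts if ip not in known_ips)

if __name__ == "__main__":
    mine = {"192.0.2.10", "192.0.2.11"}  # constructed: the two addresses that are "mine"
    print("ssh logins not from me:", unexpected(accepted_ssh_sources(SSHD_LOG), mine))
    print("/now requests not from me:", unexpected(requesters_of(HTTP_LOG, "/now"), mine))
```

An unfamiliar source is only evidence while the logs themselves are intact, which is the caveat the post raises about a tampered SSH log.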
If you have any information regarding the mysterious disappearance of Find Case People, feel free to share it with the rest of us. Until then, I'm afraid the bot's out of commission.
A random tour of Winter Break
It amazes me that completely automated airline ticketing can still screw up a simple flight arrangement. The Continental folks (including my boarding pass) were completely convinced that I was scheduled for a different flight, despite my itinerary (and memory) having the correct flight. Thankfully there was an open seat on the right plane (well duh, it was my seat to begin with) so I made them give it to me.
In the process of designing an experimental little web service, my friend Mike suggested making an AIM bot to go along with it. So to test out simple bot making with Twisted I made a little bot called Find Case People, which took about ten minutes before I added some features. It's like the Case phone book with the minor advantage of also searching e-mail aliases, and might be quicker if you happen to be using AIM. You can tell it who you are and have it list your screen name in search results as well (although there's nothing to prevent hijacking entries currently). Give it a try.
I split the cost of a five piece drum set with Mike and Spiros. We got it for $225 from a girl in Providence using craigslist. Now we have an instrument or two for everyone to enjoy and can participate in totally rocking out which I hear is popular these days.
You should see Patty's hair.
I am now banned from OiNK, including their IRC server. The admins enjoy being huge jerks, apparently. Here's a hint, guys: BitTorrent is designed to work better with more people. So don't ban people when they're seeding.
Laptop Linux woes: framebuffer won't start with 2.6.14 kernel, so I just have to guess at what's scrolling by and that I'm logging in and starting X without typos. Also, after spending all night updating all my packages, I realized that somehow the random mirror I had synced from was out of date, so all those "fresh" packages were actually all outdated. I didn't even know this was possible... thanks, portage!
I stayed up until 10 AM traversing this list of 2005's Best Links. Maybe you will, too.
Here are some of my favorite songs of 2005, in no particular order:
- Did You See the Words (Animal Collective)
- Patriarch on a Vespa (Metric)
- TV Dogs (Jackson & His Computer Band)
- It's 5! (Architecture in Helsinki)
- Come on! Feel the Illinoise! (Sufjan Stevens)
- Dilaudid (The Mountain Goats)
- Sweet Spots (The Fiery Furnaces)
