The Caffeinated Penguin

musings of a crackpot hacker

So, it’s been a few months

| June 6, 2013

It looks like September was my last blog post.

The problem with trying to keep up with blogging about things is that it proves difficult when one is actually doing things.

Firstly, I want to apologize for flooding various folks’ LJ friends page with an “all Matt, all the time” session. When I set up my new blog software, I imported my LJ posts with generic categories. In fits and spurts, I’ve been going through and recategorizing them. However, I still have something like 500 old posts to go through and fix up. Apparently, however, when I do that, it causes them to be ordered by modification date, not original posting date, in some people’s feeds. In the future, when I make those changes, I won’t go changing the LJ side of things, just the WordPress side.

In other news, after getting fed up with my venerable WRT54G routers running out of RAM and periodically rebooting, I bought a TP-Link WDR4300, selected because of its large amount of RAM and the fact that it runs OpenWrt.

Finally, in case anyone ever doubted that my paranoia and predilection towards cryptofetishism was justified, they are watching. Not that this is new, of course – Carnivore, anyone?

Anyway, I will endeavor to publish more frequently – I’ve just been busy living life and all that jazz. Perhaps I shall install the WordPress app on my tablet, and that will make life easier.

Public service announcement

| June 8, 2011

Skimmers and keypad overlays installed on ATMs, on the swipe cards to get in to the ATM area, and on fuel pumps.

Be paranoid.

Scary, scary security stuff

| February 21, 2009

Stuff from BlackHat

  1. SSL Man in the Middle attack which comes really close to being an undetectable sniffing of your SSL traffic. This is, of course, the problem with the “web of trust”, which was always the problem I had with using it for email. Let’s back up a step. If you want to go buy something from a shop, you have an idea that the shop is more reputable than the guy selling things out of the back of a van. Why? Think about it – there’s nothing intrinsically bad about people selling things out of tables and carts – look at street food vendors vs. restaurants. Folks are okay with both. Why aren’t shops the same way? The actual answer is not relevant – we have our own heuristic way of dealing with reputation, our own little warning bells. To an extent, some of this transcends to online shops as well – shady websites which look like a scam make you more nervous than ones which look proper. However, the real metric is word of mouth. Why do you trust Amazon? Because other people do? Because it’s so big? Isn’t that just the same as “because other people do”? Now, this is how the certificate web of trust works. You trust that a certificate is genuine because it is signed by someone who, at some level, you trust (or, more likely, Microsoft or Firefox trusts and includes by default in your browser). The problem with this attack is that you don’t really know who these people you are trusting are. So, the attack is predicated on the idea that they pretend to be someone trusted, make everything look right, and get everything that you would be sending to the website you thought you could trust (username, password, credit card information). For email, I don’t really like the web of trust. I like the “I know you. We’ve met. We’ve exchanged PGP keys.” Very short web. Of course, this doesn’t really work for e-commerce. Advice: Look at the “lock” icon in the bottom right of the browser really carefully.
  2. Another guy found vulnerabilities in various offline webapps. This is basically a problem with those apps and the complexity introduced by offline modes, and isn’t really so scary as the above – especially if you don’t use them.
  3. Finally, some researchers have found out that you can fool the facial recognition used to authenticate people to their laptops using the built in webcam by having a picture of the person. This is actually just like the old idea of lifting people’s fingerprints and using them to defeat fingerprint scanners. Biometrics is fine for one component of two-factor authentication, but simply not good enough to be your sole authentication method.

Security fail

| February 17, 2009

People can send an email and p0wn your Exchange server.

Meanwhile, an enterprising individual has found a way to compromise Linux boxen, and talks about how Linux users should stop being so haughty, because they're not invulnerable either.

Let's see... remote server compromise from anyone sending an email to your server vs. an exploit where you have to trick a user into opening an email, saving the attachment, and then clicking on it.

I think I'll continue to be haughty, thanks.

(And with regards to that compromise, I'll just say that “you can't fix stupid”.)

Windows (in)security

| January 25, 2009

I know I harp on this a lot, and make broad, sweeping statements about “Windows is insecure as a side-effect of its design and it's really hard to make it secure without breaking stuff”.

Well, don't take my word for it, read what this guy, who used to write adware says.

Specifically, things like:

At the same time, we also made a virtual process executable. I’ve never heard of anybody else doing this before. Windows has this thing called Create Remote Thread. Basically, the semantics of Create Remote Thread are: You’re a process, I’m a different process. I call you and say “Hey! I have this bit of code. I’d really like it if you’d run this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-like and free love. Windows processes, by the way, are insanely promiscuous. So! We would call a bunch of processes, hand them all a gob of code, and they would all run it. Each process would all know about two of the other ones. This allowed them to set up a ring … mutual support, right?


We also wrote a device driver and then a printer driver. When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows.

Now, I'm not saying Unix (either System V or BSD, the latter of which includes OS X) or Linux are perfect. However, the fact that all of these systems were designed from the get-go as multi-user, and a lot of time and effort has been paid to protect and isolate processes from each other, puts them ahead of Windows in this regard.

Remember, when Microsoft advertising talks about how great Windows is as a platform, and how it's easy to attach to and debug running processes and write multiprocess applications with easy interprocess communication, this should translate to: It allows one application to steal data from another!

(Processes talking to each other is fine, but the danger is when any process can talk to any other running process, without both processes expecting/wanting it. Another facet of this is the various DLL injection techniques.)

SSH Badassery

| January 18, 2009

Dynamic Forwarding:

Proxying about:

  • SSH to a machine via other machines. This is very useful when hitting machines through the one machine with port 22 forwarded to it. Sure, you can specify an alternate port, but this would allow you to set up convenient aliases ahead of time, which is nice.


Set up pam_ssh – login automatically unlocks your key (which is likely not a good idea).

SSH ControlMaster:
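As an added example (not part of the original post), here is a ~/.ssh/config that sets up the three things listed above: aliases that proxy through the one exposed box, a dynamic (SOCKS) forward, and connection sharing with ControlMaster. The hostnames, user name and key path are assumptions.

```sshconfig
# ~/.ssh/config (added example; hostnames, user and key are assumptions)
# "gate" is the one box with port 22 forwarded to it from outside;
# "inside1"/"inside2" are only reachable from gate.

# The alternate external port lives in the alias, so "ssh gate" just works.
Host gate
    HostName gate.example.org
    Port 2222
    User matt
    IdentityFile ~/.ssh/id_rsa
    # Offer only this key, not every key the agent happens to hold.
    IdentitiesOnly yes

# Proxying: "ssh inside1" opens the hop through gate automatically.
# ProxyJump needs OpenSSH 7.3+; on older clients use instead
#   ProxyCommand ssh -W %h:%p gate     (OpenSSH 5.4+)
#   ProxyCommand ssh gate nc %h %p     (older still; needs nc on gate)
Host inside1 inside2
    HostName %h.internal
    User matt
    ProxyJump gate
    # A compromised hop must not be able to borrow your agent.
    ForwardAgent no

# Dynamic forwarding: "ssh -fN socks" gives a local SOCKS proxy on port 1080
# whose traffic leaves from gate. Bind to loopback only, so nothing else on
# the LAN can ride the tunnel, and fail loudly if the bind does not succeed.
Host socks
    HostName gate.example.org
    Port 2222
    User matt
    DynamicForward 127.0.0.1:1080
    ExitOnForwardFailure yes

# ControlMaster: the first session to a host authenticates; later sessions
# (scp, git, more shells) reuse that TCP connection with no new handshake.
# Keep the socket under ~/.ssh (mode 700): whoever can open it is you.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
    HashKnownHosts yes
```

`ssh -O check gate` reports whether a shared master connection is live, and `ssh -O exit gate` tears it down.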

Logical fallacy

| December 21, 2008

The pastor for the church running this gun turn in was on the news saying “each one of these guns turned in saved someone's life”.

Congratulations – you just called everyone who turned in a gun a murderer.



| August 9, 2008

Following various vulnerabilities recently in Firefox (which concerns me) and IE (which doesn't, but it might concern you) which allow for the stealing of all saved passwords from your browser, regardless of whether you've set a master password or not, I have decided that it is not safe to store passwords in your browser (and likely never was), because of the potential ability of things to steal them.

Further, there are applications for which one needs to save passwords but are not accessed through a browser. Quite frankly, I'm running out of brain space for all my passwords, and have started to re-use the same ones. This is not good.

Enter KeePassX, which is a *nix port of KeePass. The version in Hardy is pretty old, so I've added this PPA to my sources.list which has an updated version. Further, I've managed to import all my saved passwords by exporting them using Password Exporter fed into a modified version of this script which I have reposted here.

Seems to be working well.
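Since the modified script the post links to is not reproduced here, this is an added example of my own (not the author's script) that does the same job: read Password Exporter's CSV and emit the XML that KeePassX 0.x imports. The CSV column names and the KeePassX element layout are assumptions taken from memory of those formats; check a small export from your own versions first.

```python
import csv
import io
import os
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the Password Exporter CSV layout (column order assumed).
SAMPLE_CSV = """\
"hostname","username","password","formSubmitURL","httpRealm","usernameField","passwordField"
"https://example.com","alice","p&ss<word>","https://example.com/login","","user","pass"
"https://mail.example.net","bob","hunter2","","Mail Realm","",""
"""

def rows_from_exporter(csv_text):
    """Parse the exporter CSV; the csv module handles quoting, so commas in passwords survive."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def keepassx_xml(rows, group="Firefox", now=None):
    """Build a KeePassX 0.x XML import document (element layout assumed from its own export).

    ElementTree escapes &, < and >, so a password like p&ss<word> cannot break the markup.
    """
    stamp = (now or datetime.now()).strftime("%Y-%m-%dT%H:%M:%S")
    db = ET.Element("database")
    grp = ET.SubElement(db, "group")
    ET.SubElement(grp, "title").text = group
    ET.SubElement(grp, "icon").text = "1"
    for r in rows:
        e = ET.SubElement(grp, "entry")
        ET.SubElement(e, "title").text = r["hostname"]
        ET.SubElement(e, "username").text = r["username"]
        ET.SubElement(e, "password").text = r["password"]
        ET.SubElement(e, "url").text = r["formSubmitURL"] or r["hostname"]
        realm = r.get("httpRealm") or ""
        ET.SubElement(e, "comment").text = "HTTP realm: " + realm if realm else ""
        ET.SubElement(e, "icon").text = "1"
        for tag in ("creation", "lastaccess", "lastmod"):
            ET.SubElement(e, tag).text = stamp
        ET.SubElement(e, "expire").text = "Never"
    return "<!DOCTYPE KEEPASSX_DATABASE>\n" + ET.tostring(db, encoding="unicode") + "\n"

def write_import_file(path, xml_text):
    """The import file is plaintext: create it owner-only (0600) and delete it after importing."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(xml_text)

if __name__ == "__main__":
    write_import_file("firefox-passwords.xml", keepassx_xml(rows_from_exporter(SAMPLE_CSV)))
```

Both the exporter's CSV and this XML hold every password in the clear, so shred both files once KeePassX has imported them.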

I need to go make pizza for supper now.

Vewwy intewwesting

| May 3, 2008

I was issued a new Discover card. I call in to activate the new card and actually have to talk to a rep instead of using the automatic menu system.

This is annoying, and I mention it.

I was told that the reason I had to talk with a rep was because of the security issue.

What security issue?

Well, apparently, someone with whom I did business got hacked and my information may or may not have been leaked.

Hmmm.. Will they tell me who it is?


That should be illegal. They should be required by law to disclose potential security breaches of which they have been advised related to my account.

But, of course they don't want to. One, it would scare folks into not using their Credit Cards. Two, it would negatively affect the company which had the breach, and they don't want to be responsible for that.


This public service announcement brought to you by HSBC

| February 28, 2008

Confirmation of customer card data compromise leading to loss of money