The Caffeinated Penguin

musings of a crackpot hacker

Can't say I didn't warn you

| June 26, 2004

So, someone has finally put 2 + 2 together, using vulnerabilities in MS's IIS to infect IIS servers, which then infect people who visit them through unpatched vulnerabilities in MS IE. The result? Identity theft, password snarfing, the whole deal.

Solutions: 1.) Buy a Mac. 2.) Install Linux (or BSD or whatever) on a computer you have already, or buy one with Linux (or BSD or whatever) on it. 3.) At least install a different browser and use it instead. FireFox is my preference for web browsing, and Thunderbird is my preference for email. It's MUCH safer than IE/OE.

In other news, the Senate has passed a bill allowing criminal prosecution of people who record movies within theaters. Now, I don't have a problem with this being a criminal offense. What I do have a problem with is that the penalties are 3-5 years for a first time, and 10 for the second. Isn't this a little bit out of the mold of “punishment fits the crime”? Don't you get in less trouble for various drug offenses? What about carrying a weapon without permit / illegal posession of a firearm? I would call those far worse on the “damage to society” scale than simply affecting some megacorp's bottom line, wouldn't you?

Windows boxen = 80% of spam

| June 8, 2004

Linkage

In a nutshell, virus/worm/trojan infected Windows machines are being used to spam people.

As I've said before – Windows represents a clear an present danger to the stability of the internet.

Oh, and I love this bit:

“As a complement to existing mail server and client based tools, service providers need to arm themselves with network-based anti-spam defences and combat this growing form of malicious traffic.”

  • Marc Morin, Sandvine (the guys who posted these numbers), quoted here.

Not anything akin to “we need to stop Windows Losers from getting their machines compromised” or anything like that.

Come on folks – these boxes are getting rooted and no one cares. It's like MS is completely off the hook here. WTF?

Gentoo "Whoa" moment of the night

| March 29, 2004

bash-2.05b# ifconfig eth0 Link encap:Ethernet HWaddr 00:02:2D:39:55:4E
inet addr:192.168.1.106 Bcast:192.168.1.255 Mask:255.255.255.0 ...

bash-2.05b# nmap 192.168.1.106

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-29 23:37 EST All 1659 scanned ports on 192.168.1.106 are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 2.426 seconds

bash-2.05b# cat /etc/X11/gdm/gdm.conf | grep nolisten command=/usr/X11R6/bin/X -nolisten tcp -audit 0 -terminate

This is the most secure Linux distro OOB that I've ever seen… Not even X is listening (which is the first thing that I turn off).

Damn.

Meanwhile, I'm bulding myself a system – compiling and installing huge numbers of packages and all the packages on which they depend. Real work intensive, right? Wrong – I'm reading a novel. Now, I'm going to bed. It will compile, and be ready for me in the morning.

Gentoo: They do the drudge work. You do the hacking.

Methinks I need some pimp Gentoo stickers.

Hey, – how do you make a computer go “Woof”?

Set it for 115V and plug it in to 230V.

Yes, this happened at work today.

Fun's over…

| January 8, 2004

I need to quit my job and find something else to do. Maybe jump on the IBM bandwagon, considering that they want to do a corporate migration to Linux over the next year.

Meanwhile, where am I? I was working for a company where I thought I could make a difference. It was a daily struggle to try and make things better. It was very frustrating for awhile, but then things started to turn around – we got new servers, a real sysadmin, and I was rewriting the driver. I've put a lot of effort into trying to make the company better. What happens? We get bought by a bunch of fucktards who don't seem to have half a brain among them. They want a bunch of little picayune changes made, whilst neglecting the things that really matter. They want to replace our new servers with HP's costing three times as much for the same functionality, because our servers are not their standard. That's it, no other reason. Oh, and they want to migrate us back to their standard corporate system – Windows servers, Outlook for email, etc. Of course, this is all protected by a pantload of Cisco firewalls, because that's the only way to not have it shit itself when the next Windows worm comes along. Meanwhile, their reliance on Office/Outlook/IE means that there are about half a dozen ways I can kill their whole system, including servers. They focus on one area of security and neglect the rest. Oh, but they're considering moving to Linux, but they would have to move us off Linux to make the company the same, then back to Linux when the company moves back.

They also don't realize that they have two people (Liz and I) who might actually be willing to commit long term to the company if we were allowed to be their Windows -> Unix migration people, but that doesn't seem to be what they want to do.

Instead, they're just giving us a hard time and destroying everything we've worked for, and causing us to be pissed off. I'd give us 2 years at the outset, probably sooner. For awhile I was sad Liz was going to grad school, because I was starting to enjoy my job. Now I can't wait for her to go, so I can follow.

It's just so stupid of them, and it's not like people at my company don't see it – they think our drive, enthusiasm and talent is a welcome change. We at least get shit done. But, these new owners just don't seem to care.

I think the rest of my life will end up in small companies, startups, and academia, or a r & d offshoot of a very large company. That's where all the real shit happens anyway.

Aaah. Weekend

| October 31, 2003

So it's the weekend. Yayyy! 🙂


News:

Apple is not so bad. They've changed their mind and are releasing patches.

But iDVD is still broken.

Bill G. talks about security.

Specifically: …there are two other techniques [to increase security]: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things. If you had your firewall set up the right way — and when I say firewall I include scanning e-mail and scanning file transfer — you wouldn't have had a problem.

(emphasis mine)

Now, I agree with the “patch your system” idea, but firewalling? Not just firewalling, but one that actually scans and filters email and file transfers? So, basically what he's saying is that you shouldn't connect a Windows machine to the internet, right? Or, no, wait, you can – just make sure to put it through a firewall and mail/web/ftp proxy and virus scanner. Well, wait – you can do this fairly cheaply with a Linux box. That's ironic – the only secure way to connect your Windows box to the internet is to go through a Linux box. You know, maybe if your email reader didn't let an email destroy your computer, Windows wouldn't have these problems. I mean, to mess up a Linux machine, you have to save the executable, chmod u+x filename, then run it, and even then, it only runs as you, not root, and therefore you can't destroy your system. Pah, the hell with it. Here's how you secure a Windows system:

Secure Windows

And, SCO is now blatantly violating the GPL. Don't you love it? They sell Linux, make money off it, then decide they don't like the terms that people wrote the software under, so they just steal it and make it their own. Time for Linux developers to sue them for violation of license agreements. Hell, can't the FSF sue them? They've been called “Linux's Hit Men” so why not live up to it?


On the “I need to write some more letters” department: RIAA has filed 80 more lawsuits Now, I don't have a problem with them suing people for copyright infringement, but here is the deal:

  • If you settle immediately, it will only cost you a couple thousand dollars
  • If you fight them and lose, you have to pay the settlement (which, it has been threatened, will be many thousands more), plus their court costs.
  • If you fight them and win, you still have to pay your lawyers fees, which will probably be more than the cost of the settlement
  • Unless you countersue and get them to pay your fees for frivolous lawsuits.

Now, if copyright infringement is criminally illegal, why don't they arrest you? Well, because suing works better – if they criminally charge you, the state is involved and they are subject to oversight. Additionally, you can get a public defender. In a civil suit, you don't have any of this; they can do whatever they can get away with.

Corporations were created to protect the owners from losing everything if they get sued.

Shouldn't there be a similar protection for average citizens getting sued by corportations? Otherwise, deep-pocketed corportations can do whatever they want.

Breathe….

| October 31, 2003

Been a busy couple of days.

So, let's see. is apparently involved in a new student group that I'm going to be an associate member in. It's called “QRI for the straight guy” or something akin to that. Basically, it's a bunch of eclectic sex stuff without being full of drama queens. For example, there will be roundtable discussions on legalizing homosexual marriages and such. Of course, I may have to play the “straight man” (pun intended) and argue against them, since a group of people who all agree is kind of boring.

And Simon scored some digits tonight. He was happy. I got to do a little matchmakerish stuff.

Then we went back to his dorm and laughed at the drunken freshmen on his floor.

And I had ginger beer for the first time. I liked it.


In the news:

Apple is not my favorite group of people, considering that when they released the new version of their OS, they basically said “yeah, there were some major security holes in the old one, but we're not going to fix them, buy the new one”. Not even MS does that. (link) Note that the “major hole” is major in the Unix sense of “if you enable this thing that's enabled by default, and do this other thing, you might be able to exploit this bug which allows you to become the user that the thing runs as, which is usually someone with no permissions on your computer”, as opposed to the standard Windows flaws of “don't open any email or surf the web because people can destroy your computer”.

Oh, and iDVD is crippled to only let you record 1.5 hour DVD's. To record more, you need to buy their $400 pro tools thing. Or, just download some free software tools that work properly.

Vietnam says: stop piracy, eliminate Microsoft and are moving their whole government and (and this is the kicker) all PC's made in Vietnam, to Free/Open Source Software.

SCO is more nuts than we all thought. Best quote: “From the outside, it appears so bizarre and so ridiculous that I fear their argument is being misstated”. The sad thing is, I don't think it has. I think they really are serious, at least serious enough to drive stock prices up.


In the blogging is dangerous dept: MS Fires temp for what he said in his blog and Blogger threatened with a libel suit”.

I can see the second one, maybe, but the first one? He basically said “look, MS buys G5's too”. People KNOW THIS. They make Office for OS X. Doesn't it make sense that they have Macs to test it on?


And, it looks like I'm going to give Debian a shot again, as a candidate for the file server. I've always preferred the Debian layout to RedHat's, as it's more classic Unix, like Solaris. However, 3.0r0 had nasty installer issues. Liz used 3.0r1 at work and had no problems, so I guess they must have fixed it. So, I'm going to grab her cd's and give it a whirl.


At URI, 2 students have been kicked out of the dorms for anti-semitic graffiti under the school's “hate crime” rules (they're not called that. They have a nicer name, I forget what).

This brings up the whole idea of hate crimes again. I think hate crime laws are stupid. What's the difference if I spray paint “die whitey” on your door vs. if I splay paint “die fatty” on your door? Oh, the first is a hate crime because it's racial in nature, but the second isn't? Come on, they should both be equally serious. Race/sexual orientation/religion/etc. are all arbitrary conditions that should have as little effect on penalties for crimes as hair color/eye color/weight/etc. They are all equally serious crimes.

The above said, I have no problem with them being kicked out for graffiti, I have a problem that it was because of what they wrote, not that they wrote it.

But, what do you expect, it's URI. They're a bunch of touchey-feelies, make you feel good, enforce diversity, etc. anyway.

I need to repost my criticism of the College of Engineering's Acceptable Use Policy. It was great. I basically objected to the wording because it said “don't do anything that might offend anyone”. Well, I have no idea what might offend anyone, so I asked. I basically got told “You're a white male. You therefore cannot be offended, your opinions of decency don't matter.” Malcom J. Spaulding, who was representing the COE's diversity committee. (And don't even think about suing me for libel- I have witnesses who were in that meeting.)

And just remember folks, we have the Society of Women Engineers, the National Society of Black Engineers, and the Society of Hispanic Professional Engineers, but is there a Society of White Engineers? Of course not; that would be racist and you would get called a Nazi.

Today's news brief

| October 22, 2003

Lots of news today:

Diebold maker of e-voting systems has come under scrutiny for things like miscounts and other “glitches” that affect the output of elections. Some of their internal memos were leaked to the press (it ends up being like 5 years of mailing list archives), and of course, then came the cease and decist messages. But, Swarthmore Students are mirroring it, along with other people. This is important folks; they are up for use in something like 37 states. Here are Slashdot's articles on them. Read.

AT&T is switching to an all-whitelist email setup. (Link) This means that any ISP who doesn't email them and say “hey, this is my mailserver and it's real” and gets approved by AT&T won't be able to send email to people at AT&T email addresses. So, AT&T will be added to the “ISP's are trying to break the internet in the guise of stopping spam, which is arguably a free speech right anyway” email.

Speaking of spam – I get an email (on my Linux box) that says “we've detected your computer is vulnerable – buy Norton Antivirus for Windows”.

SCO sez: I owe them $699 because of some code in the Linux kernel, but they don't want my money now, because I'm not a Fortune 1000 company. They'll get to me later.

And, on the Microsoft front, Windows is more secure than Linux, but old versions of MS Office sucked, so people should upgrade. (Link)

OpenOffice. Yes, it is free. Yes, it makes pdf's. Yes, they have it for Windows.

So, it was just kind of a screwed up day.

I'm sleepy now. Night.

Posted my PGP key

| October 17, 2003

For people who want to send me secrets…

http://www.mattcaron.net/pgp_key.txt

I should be in bed

| October 15, 2003

But instead I'm playing with crypto:

http://enigmail.mozdev.org/thunderbird.html

It's an extension for Mozilla/Thunderbird which allows you to use OpenPGP (embodied in GnuPG) or S/MIME to send email.

I've used GnuPG before, but not S/MIME. It looks like it does a certificate-based encryption, like SSL. Not sure, though.

Need to go to bed now.

Nice Long Weekend

| October 13, 2003

So, I put a quick and dirty website up here. I'm going to make a nicer one, eventually. Still trying to get email stuff worked out – I can get mail, but I can't sent mail, because Cox filters port 25, and I have to get the hosting company to open up another nonstandard port (which, 2525 ends up being pretty standard, because so many ISP's are doing this). This, of course is something that really pisses me off.

See, spammers send out mail destined for port 25 on other servers. Cox blocks this by ditching all traffic going to port 25, except from their legitimate email servers, of course. However, that is how other people (like me) use outside email providers – like the one that I want to use. Of course, what are you going to do? Ditch Cox? That would mean NO high speed internet. Aren't local monopolies grand?

Anyway, went to see Kill Bill. Not bad. Lots of spraying blood and gore, so not for the weak of stomach. Also, it could be called “Quentin sees one to many Kurosawa movies”, but I have to say that it was probably the best non-Kurosawa samurai movie I've seen.

Liz and I also watched Secretary. She wasn't too keen on it; she didn't really like any of the people in the movie.

Speaking of Liz, she got a kitten. Her name is Mikey.

And what else. Oh yes, I bought a Cast Iron Skillet. See, I have a full set of Simply Calphalon Nonstick which are great pans, but with two downsides:

1.) They're aluminum, which means that you can adjust heat rapidly, but it also means that they don't hold heat well. This makes them good for delicate things like eggs or toasted cheese sandwiches, but it also makes them poor for massive things, like steaks. Dropping a room temperature steak into an aluminum pan just sucks the heat right out of the pan.

2.) They're nonstick, which means that they're great for the aforementioned things like eggs and toasted cheese, as well as pancakes and all that. However, they're poor for things like meat; meat doesn't brown as nicely in nonstick pans.

So, I broke it in and made a great steak the other night. I started with a big skillet; I'll probably get a couple more. The upside to them is that they're cheap. Downside is that they can't go in the dishwasher – it takes the seasoning off.

I also got a nice vertial wire basket arrangement for holding fresh vegetables (primarily tomatoes and onions, but in different baskets, of course). Definitely classier than than just leaving them in bags on the counter,